Re: authentication problem
From: Steven L Umbach (sumbach_at_N0spam.ameritech.net)
Date: 03/16/04
- Next message: Elias: "acesso mdb sabados"
- Previous message: Robert Moir: "Re: Exchange 2000 - Port 80"
- In reply to: kjelle: "authentication problem"
- Next in thread: William Wang[MSFT]: "Re: authentication problem"
- Reply: William Wang[MSFT]: "Re: authentication problem"
- Reply: Andrew Mitchell: "Re: authentication problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 16 Mar 2004 12:11:23 -0600
I have tried a number of policy configurations in the past with
regard to IPsec negotiation between domain members and domain controllers.
I could never get it to work without a problem. Microsoft officially does
not support IPsec negotiation communications between domain members and
domain controllers for either W2K or Windows 2003. The only way I get it to
work is to exempt all traffic between domain controllers and domain members,
which is not explained in very much documentation. See the links below for
more info. --- Steve
http://support.microsoft.com/?kbid=254949
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/DNSBJ_IPS_OVERVIEW.asp
http://tinyurl.com/2v8na --- same as above, shorter in case of wrap
"kjelle" <kjell.ritter@kemi.se> wrote in message
news:b30d01c40b6d$973b4040$a601280a@phx.gbl...
Scenario:
Mixed environment with Windows 2000 and 2003 servers and
clients.
IPsec policies are distributed to clients and servers on
the network through group policies to protect
the "IPSEC_Users" OU's communication on all IP traffic.
Secured users and clients using IPsec are placed in an OU
called "IPSEC_users".
Domain controllers are placed in the default OU "Domain
Controllers".
Secured servers are placed in an OU called "IPSEC_servers".
Using the default IPsec policy filters in Windows, the
computers in the "IPSEC_users" OU are assigned the "Request
security" filter with certificate authentication on all
IP traffic.
The "Domain Controllers" OU is assigned the "Respond only"
filter with certificate authentication on all IP traffic.
The "IPSEC_servers" OU is assigned the "Require security"
filter with certificate authentication on all IP traffic.
Problem:
The problem arises when the clients and domain
controllers are using these settings. The IPsec
communication works after a cached logon, but the big
thing is that the client cannot locate the domain
controller in the domain for authentication at logon,
which results in group policy not being assigned. The
error messages in Event Viewer are:
Event ID 1054: Can't read the domain controller name on
the network. The specified domain is not available or
could not be contacted.............
AND
Event ID 5719: This computer could not establish a secure
session with a domain controller in this domain LABB
because of the following error:
There are no logon servers available to handle the logon
request.........
It doesn't matter what kind of authentication method is
used: Kerberos, pre-shared key or certificate
authentication.
I have been running a packet capture program on the
domain controller and analyzed what kind of traffic is
sent when the client is trying to log in. I can clearly
see that the client is trying to do a DNS lookup of the
SRV record for the domain controller, although there is no
reply sent from the server.
Even when I manually add a filter action to send DNS
traffic in clear text between client and server, the
server doesn't reply. I think this is the reason why
the client can't log in correctly and maintain the policy
settings.
The question is why this occurs?
Best regards
Kjelle
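The exemption Steve describes, written out as an added example (this is not code from either poster): a Windows Server 2003 "netsh ipsec static" script that builds a member-computer policy which negotiates IPsec for all IP traffic except traffic to and from the domain controllers, which a more specific filter permits in the clear. The policy, filter-list and filter-action names, the two DC addresses and the use of Kerberos rather than the thread's certificate authentication for the negotiated rule are all assumptions made for the example.

```batch
@echo off
REM Added example, not from the original post. Builds a member-computer IPsec
REM policy: negotiate everything, but permit (exempt) all traffic to/from the
REM domain controllers. Syntax is Windows Server 2003 "netsh ipsec static".
REM Names and the DC addresses below are assumptions for the example.
REM Usage: dc-exempt.cmd request   (clients: like the built-in "Request security")
REM        dc-exempt.cmd require   (servers: like the built-in "Require security")

setlocal
set POLICY=Member IPsec with DC exemption
set DC1=10.40.1.10
set DC2=10.40.1.11

set MODE=%~1
if "%MODE%"=="" set MODE=request

REM Request = accept unsecured inbound (inpass) and fall back to clear (soft);
REM Require = neither.
if /i "%MODE%"=="require" (
    set INPASS=no
    set SOFT=no
) else (
    set INPASS=yes
    set SOFT=yes
)

REM 1. The policy container. assign=n until every rule exists, so a
REM    half-built policy is never the one the IPsec driver loads.
netsh ipsec static add policy name="%POLICY%" assign=n ^
    description="Negotiate all IP traffic, exempt domain controllers"

REM 2. Generic "all IP traffic" filter list (what the built-in policies use).
netsh ipsec static add filterlist name="All IP traffic"
netsh ipsec static add filter filterlist="All IP traffic" ^
    srcaddr=me dstaddr=any protocol=ANY mirrored=yes

REM 3. Domain-controller filter list: one mirrored, any-protocol filter per DC.
REM    Windows applies the most specific matching filter, so these host
REM    filters win over the "me <-> any" filter above for DC traffic
REM    (DNS, Kerberos, LDAP, SMB, RPC, everything).
netsh ipsec static add filterlist name="Domain controllers"
netsh ipsec static add filter filterlist="Domain controllers" ^
    srcaddr=me dstaddr=%DC1% protocol=ANY mirrored=yes
netsh ipsec static add filter filterlist="Domain controllers" ^
    srcaddr=me dstaddr=%DC2% protocol=ANY mirrored=yes

REM 4. Filter actions: negotiate for the generic list, permit for the DCs.
netsh ipsec static add filteraction name="Negotiate (%MODE%)" ^
    action=negotiate inpass=%INPASS% soft=%SOFT%
netsh ipsec static add filteraction name="Permit" action=permit

REM 5. Rules. Kerberos is assumed for the negotiated rule; the thread's
REM    certificate setup would pass rootca="<CA DN>" instead of kerberos=yes.
REM    The exemption rule needs no authentication method: nothing is negotiated.
netsh ipsec static add rule name="Negotiate all" policy="%POLICY%" ^
    filterlist="All IP traffic" filteraction="Negotiate (%MODE%)" kerberos=yes
netsh ipsec static add rule name="Exempt domain controllers" policy="%POLICY%" ^
    filterlist="Domain controllers" filteraction="Permit"

REM 6. Activate, then print what is actually assigned so the exemption rule
REM    can be checked before the box is rebooted or logged off.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose

endlocal
```

Because the DC filters are mirrored, the exemption covers both directions on the member. If the domain controllers themselves run a policy with negotiate rules (rather than only the default "Respond only" response rule), the same "Domain controllers" permit rule, pointed at the member address ranges, has to exist on the DC side too, otherwise one end still tries to negotiate the very traffic the other end has exempted. When the policy is delivered through Group Policy instead of locally, `netsh ipsec static show all` on a member after `gpupdate /force` is the quickest way to confirm that the exemption rule arrived along with the negotiate rule.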