Re: authentication problem
From: Steven L Umbach (sumbach_at_N0spam.ameritech.net)
Date: 03/17/04
- Next message: Phillip Windell: "Re: Permission Nightmares"
- Previous message: Alice: "Re: Prohibit multiple users from logging on"
- In reply to: William Wang[MSFT]: "Re: authentication problem"
- Next in thread: Andrew Mitchell: "Re: authentication problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Mar 2004 09:47:08 -0600
My computers are W2K SP3 and XP Pro SP1 with a W2K SP3 domain controller. If
my domain computers already have the client/respond policy assigned to them
via Domain Security Policy, and that has been confirmed by running netdiag on
them, and I then enable the server/require ipsec policy in the Domain
Controller Security Policy, I cannot log on to the domain after I reboot a
domain computer. I can enter the credentials for the users for the domain,
but the logon just hangs. Are you saying that if the domain members have a
client/respond policy and the domain controllers have a server/require policy
as is, without any modifications, it should work? Thanks. --- Steve
"William Wang[MSFT]" <v-rxwang@online.microsoft.com> wrote in message
news:Bj5J0WBDEHA.612@cpmsftngxa06.phx.gbl...
> Hi Steven,
>
> Thanks for your posting. If I understand correctly,
> the problem is that you can only log on to the client
> computer using cached credentials after assigning the
> IPSec policies when the DC is available, you failed
> to log on to the domain and the policies are not
> assigned.
>
> Before we go further would you please post the exact
> steps to reproduce this issue as I cannot reproduce
> the exact result on my side? Please also include the
> following information:
>
> 1. Is it a Win2K domain or a Win2k3 domain?
> 2. What's the OS of the server you are logging on?
> 3. Please also send the NT event logs (save them as
> sys.evt and app.evt) to me at v-rxwang@microsoft.com.
>
> I'm looking forward to hearing from you.
>
> Sincerely,
>
> William Wang
> Microsoft Online Support Engineer
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via
> your newsreader so that others may learn and benefit
> from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties,
> and confers no rights.
> --------------------
> >From: "Steven L Umbach" <sumbach@N0spam.ameritech.net>
> >References: <b30d01c40b6d$973b4040$a601280a@phx.gbl>
> >Subject: Re: authentication problem
> >Date: Tue, 16 Mar 2004 12:11:23 -0600
> >
> >I have tried a number of various policy configurations in the past with
> >regards to ipsec negotiation between domain members and domain controllers.
> >I could never get it to work without a problem. Microsoft officially does
> >not support ipsec negotiation communications between domain members and
> >domain controllers for either W2K or Windows 2003. The only way I get it to
> >work is to exempt all traffic between domain controllers and domain members,
> >which is not explained in very much documentation. See the links below for
> >more info. --- Steve
> >
> >http://support.microsoft.com/?kbid=254949
> >http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/DNSBJ_IPS_OVERVIEW.asp
> >http://tinyurl.com/2v8na --- same as above, shorter in case of wrap
> >
> >"kjelle" <kjell.ritter@kemi.se> wrote in message
> >news:b30d01c40b6d$973b4040$a601280a@phx.gbl...
> >Scenario:
> >Mixed environment with Windows 2000 and 2003 servers and clients.
> >IPSEC policies are distributed to clients and servers on the network
> >through group policies to protect the "IPSEC_Users" OU's communication
> >on all IP traffic.
> >Secured users and clients using ipsec are placed in an OU called
> >"IPSEC_users".
> >Domain controllers are placed in the default OU "Domain Controllers".
> >Secured servers are placed in an OU called "IPSEC_servers".
> >
> >Using the default ipsec policy filters in Windows, the computers in the
> >"IPSEC_users" OU are assigned the "Request security" filter with
> >certificate authentication on all IP traffic.
> >The "Domain Controller" OU is assigned the "Respond only" filter with
> >certificate authentication on all IP traffic.
> >The "IPSEC_servers" OU is assigned the "Require security" filter with
> >certificate authentication on all IP traffic.
> >
> >Problem:
> >The problem arises when the clients and domain controllers are using
> >these settings. The ipsec communication works after a cached login, but
> >the big thing is that the client cannot locate the domain controller in
> >the domain for authentication at logon, which results in group policy
> >not being assigned. The error message in event viewer is:
> >
> >Event id 1054: Can't read the domain controller name on the network. The
> >specified domain is not available or could not be contacted.............
> >
> >AND
> >
> >Event id 5719: This computer could not establish a secure session with a
> >domain controller in this domain LABB because of following error:
> >There are no logon servers available to handle the login
> >request.........
> >
> >It doesn't matter what kind of authentication method is used: kerberos,
> >pre-shared key or certificate authentication.
> >I have been running a packet capture program on the domain controller
> >and analyzed what kind of traffic is sent when the client is trying to
> >log in. I can clearly see that the client is trying to do a DNS lookup
> >of the SRV record for the domain controller, although there is no reply
> >sent from the server.
> >Although I manually add a filter action to send DNS traffic in clear
> >text between client and server, the server doesn't reply. I think this
> >is the reason why the client can't log in correctly and maintain the
> >policy settings.
> >
> >The question is why this occurs?
> >
> >Best regards
> >Kjelle
> >
>
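An added example, not code from this thread or from Microsoft, that models the exemption Steve describes: Windows IPsec applies the most specific matching filter rather than the first one listed, so a narrow permit filter for a domain controller's address overrides a broad request/require filter and leaves the logon-time traffic to that DC (DNS SRV lookup, Kerberos, LDAP) in the clear. The addresses, filter names and listed logon flows are constructed for illustration, and the matching logic is a simplified model of the real policy engine, not its implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class IpsecFilter:
    name: str
    dst_net: str              # destination address range, CIDR form
    protocol: str             # "any", "udp" or "tcp"
    dst_port: Optional[int]   # None means any port
    action: str               # "permit" (clear text), "request" or "require"

def _specificity(f: IpsecFilter) -> Tuple[int, bool, bool]:
    # Longer prefix beats shorter; a named protocol beats "any"; a port beats any port.
    return (ipaddress.ip_network(f.dst_net).prefixlen,
            f.protocol != "any",
            f.dst_port is not None)

def evaluate(filters: List[IpsecFilter], dst_ip: str, protocol: str, dst_port: int) -> str:
    """Action applied to one outbound packet: the most specific matching filter wins."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [f for f in filters
               if ip in ipaddress.ip_network(f.dst_net)
               and f.protocol in ("any", protocol)
               and f.dst_port in (None, dst_port)]
    if not matches:
        return "permit"      # nothing matched: IPsec does not touch the packet
    return max(matches, key=_specificity).action

# Constructed policies; DC_IP is a placeholder for a domain controller address.
DC_IP = "10.40.1.10"
CLIENT_REQUEST = [IpsecFilter("All IP Traffic", "0.0.0.0/0", "any", None, "request")]
DNS_ONLY_EXEMPTION = [IpsecFilter("DNS in clear", "0.0.0.0/0", "udp", 53, "permit")]
DC_EXEMPTION = [IpsecFilter("Permit DC traffic", DC_IP + "/32", "any", None, "permit")]

# Flows a member sends to the DC at logon, before it holds any Kerberos ticket.
LOGON_TRAFFIC = {"dns_srv": ("udp", 53), "kerberos": ("udp", 88), "ldap": ("tcp", 389)}

def logon_actions(filters: List[IpsecFilter]) -> Dict[str, str]:
    """Map each logon flow to the action the given policy applies to it."""
    return {name: evaluate(filters, DC_IP, proto, port)
            for name, (proto, port) in LOGON_TRAFFIC.items()}

if __name__ == "__main__":
    print("request only       :", logon_actions(CLIENT_REQUEST))
    print("DNS-only exemption :", logon_actions(CLIENT_REQUEST + DNS_ONLY_EXEMPTION))
    print("DC address exempted:", logon_actions(CLIENT_REQUEST + DC_EXEMPTION))
```

The DNS-only case shows why a clear-text DNS filter alone is not the same as the per-DC exemption: Kerberos and LDAP to the DC are still negotiated under the broad policy.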