Re: Mapping drives and Encryption
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/25/05
- Next message: freetobeme0307: "HJT Log"
- Previous message: Kerry Brown: "Re: Mapping drives and Encryption"
- In reply to: Kerry Brown: "Re: Mapping drives and Encryption"
- Next in thread: Kerry Brown: "Re: Mapping drives and Encryption"
- Reply: Kerry Brown: "Re: Mapping drives and Encryption"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 24 Oct 2005 22:14:14 -0500
I ran into problems when I first started testing ipsec. Anytime I tried to
use ipsec where domain controllers were involved the domain user could not
logon to the domain computer after rebooting [cached logons were disabled].
The reason is that the domain controllers are also the KDC and the computer
could not authenticate with the domain controller because the domain
controller insisted on authentication before allowing communications which
made authentication impossible. So then I tried using a request ipsec policy
for the domain controller and it still would not work. Creating exemptions
for the ports/protocols used for authentication did not work and even if
they did you would make the ipsec policy almost useless for any degree of
protection by creating that many exemptions as ports 139/445 TCP are used
also during authentication. This all happened when Windows 2000 was fairly
new and there was no documentation that warned about this configuration.
That has since changed and Microsoft considers using ipsec to secure
communications between domain controllers and domain members to be not
recommended and not supported, which means they will not help you with
problems resulting from such. The links below explain more. The same
behavior has been seen in Windows 2003 even if you try to use certificate
authentication for traffic between domain members and domain controllers
though the KB article does not mention that and I see the same results
whether the ipsec policy is local configured or by Group Policy. If you can
get it to work and can confirm that ipsec is being used [ESP] for traffic
between domain computers and domain controllers without any problems
including after computer reboots with cached logons disabled be sure to let
me know! --- Steve
http://tinyurl.com/7q3bz -- link to newsgroup discussion about ipsec with
domain controllers.
http://support.microsoft.com/default.aspx?scid=kb;en-us;q254949
We support the use of IPSec to encrypt network traffic in end-to-end
client-to-client, client-to-server, and server-to-server implementations
when you use either Kerberos computer authentication or when you use
certificate-based computer authentication. Currently, we do not support
using IPSec to encrypt network traffic from a domain member server to a
domain controller when you apply the IPSec policies by using Group Policy or
when you use the Kerberos authentication method.
From another Microsoft Source - the Windows Server 2003 Deployment Kit
******
IPSec is based on the authentication of computers on a network;
therefore, before a computer can send IPSec-protected data, it must be
authenticated. The Active Directory security domain provides this
authentication using the Kerberos protocol. Accordingly, when IKE uses
Kerberos to authenticate, the Kerberos protocol and other dependent
protocols (DNS, UDP LDAP and ICMP) are used for communication with domain
controllers. Additionally, Active Directory-based IPSec policy settings
are typically applied to domain members through Group Policy. As a
result, if IPSec is required from domain members to the domain
controllers, authentication traffic will be blocked and IPSec
communications will fail. In addition, no other authenticated connections
can be made using other protocols, and no other IPSec policy settings can
be applied to that domain member through Group Policy. For these reasons,
using IPSec for communications between domain members and domain
controllers is not supported.
"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:e8%23lzlQ2FHA.636@TK2MSFTNGP10.phx.gbl...
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:tZadnU7cCoG-9cDenZ2dnUVZ_sudnZ2d@comcast.com...
>> You would need to use ipsec and have an ipsec require policy on the
>> servers and an ipsec client/respond policy on the workstations. This is
>> fairly easy to set up in a domain via Group Policy but DANGER WILL
>> ROBINSON -- ipsec can not be used to protect traffic with ESP/AH for
>> network traffic between domain controllers and domain computers for any
>> traffic involved in authentication which would include ports/protocols
>> used for file and print sharing. So if these servers are domain
>> controllers ipsec is out of the question. If they are not then your ipsec
>> require policy on the servers would need to have a mirrored rule with a
>> filter set that includes the IP addresses of the domain controllers with
>> a permit filter action. Never ever assign an ipsec require policy to the
>> domain or the domain controllers container no matter what you read
>> anywhere. Failure to heed such can cause your domain to have lots of
>> problems that would be a huge Excedrin headache. --- Steve
>>
>
> What problems have you encountered with IPSec on domain controllers? I
> have only set it up a few times in 2000 domains and didn't have any
> problems. I haven't set it up in 2003 domain. Also most of the setups only
> had one domain controller. In a 2000 domain with two domain controllers on
> one subnet with all traffic using IPSec it worked fine. I can see with
> routers and firewalls involved where it might get tricky.
>
> Kerry
>
>
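The mitigation Steve describes in the quoted post (a "require" policy on a member server whose mirrored permit rule exempts the domain controllers' addresses, so Kerberos/IKE traffic to the KDC is never blocked) written out as a netsh ipsec static script for a Windows 2003 member server. This is an added example, not part of the thread; the DC addresses 192.0.2.10 and 192.0.2.11 and the policy, filter-list, action and rule names are constructed placeholders.

```batch
@echo off
REM Added example: member-server "require" policy with a DC exemption.
REM Assumes two domain controllers at 192.0.2.10 / 192.0.2.11 (placeholders).
REM Never assign this to the Domain Controllers OU or the domain root.

REM 1. Policy container, created unassigned so it can be reviewed first.
netsh ipsec static add policy name="Server Require" description="Require ESP except to DCs" assign=no

REM 2. Exemption: mirrored permit filters for each DC address, all protocols.
REM    Windows applies the most specific matching filter, so these host-level
REM    entries win over the catch-all "me <-> any" filter below.
netsh ipsec static add filterlist name="DC Exempt" description="Domain controllers"
netsh ipsec static add filter filterlist="DC Exempt" srcaddr=me dstaddr=192.0.2.10 protocol=any mirrored=yes
netsh ipsec static add filter filterlist="DC Exempt" srcaddr=me dstaddr=192.0.2.11 protocol=any mirrored=yes
netsh ipsec static add filteraction name="Permit DC" action=permit
netsh ipsec static add rule name="Permit domain controllers" policy="Server Require" filterlist="DC Exempt" filteraction="Permit DC"

REM 3. Everything else: require ESP (no clear-text fallback, no soft SAs).
REM    Kerberos computer auth (kerberos=yes) is fine here because the KDC
REM    itself is reachable through the permit rule above.
netsh ipsec static add filterlist name="All Traffic" description="All IP to/from this host"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes
netsh ipsec static add filteraction name="Require ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
netsh ipsec static add rule name="Require ESP to all" policy="Server Require" filterlist="All Traffic" filteraction="Require ESP" kerberos=yes

REM 4. Assign locally only after the rules have been checked.
netsh ipsec static set policy name="Server Require" assign=yes
netsh ipsec static show policy name="Server Require" level=verbose
```

Traffic to the exempted DC addresses is sent in the clear, exactly as the post warns; after assigning, confirm with a reboot (cached logons disabled) that domain logon still works and that ESP SAs are established to the workstations.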