RE: Domain Auth Problems After Upgrade to ISA 2006?
- From: v-kzhao@xxxxxxxxxxxxxxxxxxxx ("Ken Zhao [MSFT]")
- Date: Fri, 17 Nov 2006 01:16:35 GMT
Hi Charlie,
Thanks for your response and for letting us know the current situation. At this
moment, I'd like to provide you with the following RPC Filter information
and a known issue for your reference:
RPC filter
http://www.microsoft.com/technet/isa/2004/help/FW_RPCFiilter.mspx?mfr=true
887222: The ISA Server RPC filter blocks RPC traffic after Windows Server
2003 Service Pack 1 is installed on a computer that is running ISA Server
2004 or ISA Server 2000
http://support.microsoft.com/kb/887222/en-us
Thanks & Regards,
Ken Zhao
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Charlie <baboon@xxxxxxxxxxxxxx>
| Subject: RE: Domain Auth Problems After Upgrade to ISA 2006?
| Date: Thu, 16 Nov 2006 11:35:01 -0800
|
| OK, my mistake due to a misunderstanding of the RPC Filter.
|
| Here is what I said in my original post:
| "I have disabled Strict RPC Compliance on the Active Directory rule
| and disabled the RPC filter both at the Enterprise and Array levels."
|
| That apparently was what CAUSED the problem. (I'm surprised someone didn't
| catch that, but I do tend to make long posts.) I am assuming that the Strict
| RPC Compliance didn't cause the problem, but rather disabling the RPC Filter.
|
| The reason I had done that is because in the past, the only way I could get
| a certificate from the CA in the parent domain was to configure the child
| domain ISA server this way. When I did these new ISA 2006 installations, I
| proactively configured ISA in that manner in order to avoid problems (duhhh).
| Obviously, I need to learn more about what the RPC Filter does. In the case
| of turning it off to fix the certificate problem, that should have been a
| temporary configuration I believe. (Again I need to find out more; I think I
| may need to keep Strict RPC Compliance off on the child domain so it can talk
| to the parent domain CA.)
|
| Cheers.
|
| "Charlie" wrote:
|
| > Hi -
| >
| > I have recently upgraded 2 different offices from ISA 2004 Ent. to ISA 2006
| > Ent. Each one was and is installed as a separate enterprise, but they
| > connect via site-to-site VPN. This was not an upgrade per se, as I just
| > installed ISA 2006 and configured everything manually. Before the "upgrade"
| > everything was working fine, but here is the problem I am experiencing on
| > both arrays/servers:
| >
| > No users can make a VPN connection (PPTP) to either ISA server. It gets to
| > the point where authentication is attempted, but responds with "bad user name
| > or password" or something similar.
| >
| > Also, I have published an Exchange Server on one of the ISA boxes, but only
| > the Exchange Admin can get authenticated. Interestingly, a different user
| > was able to change their password, which had expired, when prompted by the
| > forms based authentication, but was then not able to access Exchange itself.
| > The Exchange Server has not been changed since the ISA upgrade and FBA was
| > the method used on the former ISA 2004 installation.
| >
| > All accounts that are being used are domain accounts from the domains that
| > the ISA servers belong to. The site-to-site VPN connection DOES work (also
| > PPTP), but I am using local accounts on the ISA boxes to authenticate to each
| > other.
| >
| > When I check the live logs while a user attempts VPN authentication, I keep
| > seeing denials of ports 1024, 1025 and 1026 from the ISA box to the domain
| > controller. This seems consistent with the problem, which seems to be that
| > domain users can't get authenticated.
| >
| > I checked the System Policy and found that the policy for Active Directory
| > is enabled and also for publishing the CRL (both are on by default I
| > believe). I have disabled Strict RPC Compliance on the Active Directory rule
| > and disabled the RPC filter both at the Enterprise and Array levels.
| >
| > Has something changed in the way ISA 2006 communicates with AD? Am I
| > missing something?
| >
| > Thanks in advance.
| >
| >
|