Re: IPSec doesn't work in an AD Forest


From: Kill Bill (unknown_be_at_hotmail.com)
Date: 06/22/04


Date: 22 Jun 2004 06:33:36 -0700

Hi Eric,

Very interesting. I have an official answer from Microsoft support that
Kerberos in an AD forest is not supported (whatever that means...). The
support engineer told me that he has this information from an internal
document.
A question: do you have more than two domains in your forest, and do you
secure all these DCs with IPSec? Because when I use IPSec between only
two domains in my forest, it works, but when I secure IP with more than
two domains it stops working.

Thank you
Andrew

"Eric Chamberlain, CISSP" <eric.chamberlain@newsgroups.nospam> wrote in message news:<u$I6mRAWEHA.1340@TK2MSFTNGP10.phx.gbl>...
> I don't think you are correct, we use IPSec with Kerberos authentication to
> secure replication traffic between our domain controllers in different
> domains.
>
>
> --
> Eric Chamberlain, CISSP
>
>
> "Kill Bill" <unknown_be@hotmail.com> wrote in message
> news:281a302f.0406210614.3d844e77@posting.google.com...
> > ...and here is the solution from Microsoft:
> > Kerberos authentication is not supported in an Active Directory
> > forest between different domains! So in my scenario I have to work
> > with a CA or with a preshared key.
> >
> > Regards Andrew
> >
> > unknown_be@hotmail.com (Kill Bill) wrote in message
> > news:<281a302f.0406202212.36780386@posting.google.com>...
> > > Hi
> > >
> > > Thank you for the input. The problem is that all your hints should be
> > > implemented correctly in our forest. We do the time synchronisation
> > > across the forest and we have DNS delegation. I checked all this and
> > > everything should be correct.
> > > I will open a call with MS...
> > >
> > > Regards Andrew
> > >
> > >
> > > "Ace Fekay [MVP]"
> > > <PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
> > > message news:<#E9whHzVEHA.3024@TK2MSFTNGP09.phx.gbl>...
> > > > In news:281a302f.0406172359.569e9df1@posting.google.com,
> > > > Kill Bill <unknown_be@hotmail.com> posted their thoughts, then I
> > > > offered mine
> > > > > Hi
> > > > > I tried to apply IPSec with Kerberos authentication in an Active
> > > > > Directory forest. When I applied it, the communication between the
> > > > > different domains failed. That means exactly: I have the root and two
> > > > > different child domains. After assigning the policies, the
> > > > > communication between the two child domains doesn't work any more!
> > > > > When I do all this with a preshared key (instead of Kerberos),
> > > > > everything works fine. Why? I didn't find any information that it
> > > > > should not work with Kerberos.
> > > > >
> > > > > Thx a lot
> > > > > Andrew
> > > >
> > > >
> > > > Some things to check with using Kerberos are:
> > > >
> > > > 1. Time settings on all machines. They need to be within 5 minutes of
> > > > each other, relative to their time zones.
> > > >
> > > > 2. DNS resolution throughout the infrastructure, whether they all
> > > > point to one DNS or use a delegation. Kerberos uses SPNs (service
> > > > principal names); the SPNs are FQDN based and they need to be
> > > > resolvable.
> > > >
> > > >
> > > > Now if this is for an L2TP/IPSec VPN, Kerberos isn't supported for
> > > > this sort of authentication, otherwise it should work. :-)
> > > >
> > > > Mutual Authentication Methods Supported for L2TP/IPSec:
> > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;248711
> > > >
> > > > --
> > > > Regards,
> > > > Ace
> > > >
> > > > Please direct all replies to the newsgroup so all can benefit.
> > > > This posting is provided "AS-IS" with no warranties and confers no
> > > > rights.
> > > >
> > > > Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> > > > Microsoft Windows MVP - Active Directory
> > > >
> > > > HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
> > > > pig.
> > > > --
> > > > =================================
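The checks Ace lists (clock skew within the 5-minute Kerberos tolerance, and DNS resolution of each domain's DCs and their SPNs) can be scripted from any domain-joined machine, and it is worth adding a direct Kerberos test per domain so that a cross-domain ticket failure is not mistaken for an IPSec problem. The script below is an added example written for this editor's notes; it is not code from the thread or from Microsoft. The forest layout in $Domains is an assumption (placeholder names), it needs PowerShell 5.1 or later on Windows 8/2012 or later, and the last command uses the property names of the Get-NetIPsecMainModeSA cmdlet, which did not exist on the Windows 2000/2003 systems the thread is about.

```powershell
# Added example (not from the thread): prerequisite checks for Kerberos-authenticated IPSec
# between domain controllers of several domains in one forest.
#   1. SRV lookup of each domain's DCs (the same records IKE's Kerberos auth depends on)
#   2. clock skew against each DC, compared with the Kerberos default tolerance
#   3. a real cross-domain service-ticket request via klist, to separate Kerberos
#      failures from IPSec policy failures
# Domain names below are placeholders for an assumed root + two child domains.
$Domains        = @('corp.example', 'east.corp.example', 'west.corp.example')
$MaxSkewSeconds = 300   # Kerberos default maximum clock skew (5 minutes)

function Get-DomainDCs([string]$Domain) {
    # _kerberos._tcp.dc._msdcs.<domain> lists the KDCs/DCs; if this does not resolve from
    # the peer, the FQDN-based SPNs Ace mentions cannot resolve either.
    try {
        Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -ExpandProperty NameTarget
    } catch {
        Write-Warning "SRV lookup failed for ${Domain}: $($_.Exception.Message)"
        @()
    }
}

function Get-ClockSkewSeconds([string]$Computer) {
    # w32tm /stripchart prints one "<time>, <offset>s" line per sample; average the offsets.
    $out = & w32tm.exe /stripchart /computer:$Computer /samples:3 /dataonly 2>&1
    $offsets = @(foreach ($line in $out) {
        if ($line -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) { return $null }   # no NTP reply: host unreachable on UDP 123
    ($offsets | Measure-Object -Average).Average
}

function Test-KerberosTicket([string]$DC) {
    # 'klist get' asks the local LSA for a service ticket for host/<dc>. For a DC in another
    # domain this walks the same referral path across the forest trust that IKE's Kerberos
    # authentication has to walk, so a failure here is a Kerberos problem, not an IPSec one.
    $out = & klist.exe get "host/$DC" 2>&1
    ($LASTEXITCODE -eq 0) -and (($out -join "`n") -match 'Server:\s+host/')
}

$report = foreach ($domain in $Domains) {
    foreach ($dc in Get-DomainDCs $domain) {
        $skew = Get-ClockSkewSeconds $dc
        if ($null -eq $skew) {
            $clock = 'no NTP reply'
        } elseif ([math]::Abs($skew) -gt $MaxSkewSeconds) {
            $clock = ('SKEW {0:N1}s exceeds {1}s' -f $skew, $MaxSkewSeconds)
        } else {
            $clock = ('ok ({0:N3}s)' -f $skew)
        }
        [pscustomobject]@{
            Domain   = $domain
            DC       = $dc
            Clock    = $clock
            Kerberos = if (Test-KerberosTicket $dc) { 'ticket OK' } else { 'NO TICKET' }
        }
    }
}
$report | Format-Table -AutoSize

# Once every row shows 'ok' and 'ticket OK', confirm what IKE actually negotiated:
# LocalFirstId/RemoteFirstId on each main-mode SA show the identities the peers authenticated
# with (Kerberos principals when Kerberos was used, certificate subjects for a CA).
Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue |
    Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
```

Run it from a machine in each domain in turn, since the thread's symptom is directional (child-to-child traffic failing while root-to-child works): a DC that resolves and hands out tickets from the root may still be unresolvable, or unreachable on UDP 123 and TCP 88, from the other child domain.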
