Re: IPSec doesn't work in an AD Forest

From: Kill Bill (unknown_be_at_hotmail.com)
Date: 06/22/04


Date: 22 Jun 2004 06:33:36 -0700

hi eric

very interesting. I have an official answer from the Microsoft
support that Kerberos in an AD forest is not supported (whatever that
means...). The supporter told me that he has this information from an
internal document.
A question: do you have more than two domains in your forest and you
secure all these DCs with IPsec? Because when I use IPsec between
only two domains in my forest, it works. But when I secure IP with
more than two domains it stops working.

thank you
andrew

"Eric Chamberlain, CISSP" <eric.chamberlain@newsgroups.nospam> wrote in message news:<u$I6mRAWEHA.1340@TK2MSFTNGP10.phx.gbl>...
> I don't think you are correct, we use IPSec with Kerberos authentication to
> secure replication traffic between our domain controllers in different
> domains.
>
>
> --
> Eric Chamberlain, CISSP
>
>
> "Kill Bill" <unknown_be@hotmail.com> wrote in message
> news:281a302f.0406210614.3d844e77@posting.google.com...
> > ...and here is the solution from Microsoft:
> > Kerberos authentication is not supported in an Active Directory
> > forest, between different domains! So in my scenario I have to work
> > with a CA or with a preshared key.
> >
> > Regards Andrew
> >
> > unknown_be@hotmail.com (Kill Bill) wrote in message
> news:<281a302f.0406202212.36780386@posting.google.com>...
> > > Hi
> > >
> > > Thank you for the input. The problem is that all your hints should be
> > > implemented correctly in our forest. We make the time synchronisation
> > > over the forest and we have dns delegation. I checked all this and
> > > everything should be correct.
> > > I will open a call by MS...
> > >
> > > Regards Andrew
> > >
> > >
> > > "Ace Fekay [MVP]"
> <PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
> message news:<#E9whHzVEHA.3024@TK2MSFTNGP09.phx.gbl>...
> > > > In news:281a302f.0406172359.569e9df1@posting.google.com,
> > > > Kill Bill <unknown_be@hotmail.com> posted their thoughts, then I
> offered
> > > > mine
> > > > > Hi
> > > > > I tried to apply IPSec with Kerberos authentication in an Active
> > > > > Directory Forest. When I applied, the communication between the
> > > > > different domains fails. That means exactly, I have the root and two
> > > > > different child domains. After assigning the policies, the
> > > > > communication between the two child domains doesn't work any more!
> > > > > When I do all this with a preshared key (instead of kerberos),
> > > > > everything works fine. Why? I didn't find any information that it
> > > > > should not work with Kerberos.
> > > > >
> > > > > Thx a lot
> > > > > Andrew
> > > >
> > > >
> > > > Some things to check with using Kerberos are:
> > > >
> > > > 1. Time settings on all machines. They need to be within 5 minutes and
> > > > relative time zones.
> > > >
> > > > 2. DNS resolution throughout the infrastructure, whether they all
> point to
> > > > one DNS or using a delegation. Kerberos uses SPNs (service principal
> names),
> > > > the SPNs are FQDN based and they need to be resolvable.
> > > >
> > > >
> > > > Now if this is for an L2TP/IPSec VPN, Kerberos isn't supported for
> this sort
> > > > of authentication, otherwise it should work. :-)
> > > >
> > > > Mutual Authentication Methods Supported for L2TP/IPSec:
> > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;248711
> > > >
> > > > --
> > > > Regards,
> > > > Ace
> > > >
> > > > Please direct all replies to the newsgroup so all can benefit.
> > > > This posting is provided "AS-IS" with no warranties and confers no
> > > > rights.
> > > >
> > > > Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> > > > Microsoft Windows MVP - Active Directory
> > > >
> > > > HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
> > > > pig. --
> > > > =================================
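A check script for the two Kerberos prerequisites Ace lists (clock skew within 5 minutes and resolvable FQDNs for the DCs' SPNs), added here as an example and not code from any poster in the thread. It assumes Windows PowerShell on a domain-joined host with w32tm.exe available; the domain controller names are constructed placeholders, and the Test-KerberosPeerPrereqs function name is mine.

```powershell
# Added example: verify, from the local host, that each peer DC resolves in DNS
# and that its clock is within the Kerberos tolerance. Not from the thread.
function Test-KerberosPeerPrereqs {
    param(
        [Parameter(Mandatory)] [string[]] $DomainControllers,
        [int] $MaxSkewSeconds = 300   # 5 minutes, the tolerance Ace mentions
    )

    foreach ($dc in $DomainControllers) {
        $result = [ordered]@{
            Host        = $dc
            Resolves    = $false
            Address     = $null
            SkewSeconds = $null
            Ok          = $false
        }

        # 1. DNS: the SPN for the peer is FQDN based, so the name must resolve
        #    from this host (directly or through delegation).
        try {
            $addr = [System.Net.Dns]::GetHostAddresses($dc) | Select-Object -First 1
            $result.Resolves = $true
            $result.Address  = $addr.IPAddressToString
        } catch {
            Write-Warning "$dc does not resolve: $($_.Exception.Message)"
            [pscustomobject]$result
            continue
        }

        # 2. Time: w32tm /stripchart /dataonly prints one line per sample like
        #    "06:33:36, +00.0012345s"; the signed number is the offset to $dc.
        $lines  = & w32tm.exe /stripchart /computer:$dc /samples:1 /dataonly 2>&1
        $sample = $lines | Where-Object { $_ -match ',\s*([+-]\d+\.\d+)s' } | Select-Object -Last 1
        if ($sample -and $sample -match ',\s*([+-]\d+\.\d+)s') {
            $result.SkewSeconds = [math]::Abs([double]$Matches[1])
            $result.Ok = $result.SkewSeconds -le $MaxSkewSeconds
        } else {
            Write-Warning "${dc}: could not read a time offset from w32tm output"
        }

        [pscustomobject]$result
    }
}

# Constructed placeholder names for a root and two child domains.
Test-KerberosPeerPrereqs -DomainControllers @(
    'dc1.root.example',
    'dc1.child1.root.example',
    'dc1.child2.root.example'
) | Format-Table -AutoSize
```

Run it on a DC in each domain against the DCs of the other domains; a peer that fails either column would explain Kerberos-authenticated IPsec negotiation failing while a preshared key (which needs neither DNS names nor synchronised clocks) still works.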