AHHHHH! Certificate Services
From: Edward Ray (nobody_at_dufus.net)
Date: 03/17/04
- Previous message: Bill Grant: "Re: Kristin Thomas, MCSE, MCP"
- In reply to: Kristin Thomas [MSFT]: "Re: Kerberos errors in event log, authentication, IPSec transport mode on port 445 issues"
- Next in thread: Kristin Thomas [MSFT]: "RE: AHHHHH! Certicate Services"
- Reply: Kristin Thomas [MSFT]: "RE: AHHHHH! Certicate Services"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 17 Mar 2004 15:55:09 -0800
Kristin:
I figured somehow it would come back to this. Last summer, while trying to
get Certificate Services to work properly, I installed and uninstalled Cert
Services on both my domain controllers plus this file server. I did not
uninstall correctly; as a result I am unable to reinstall Certificate
Services on any of the three machines. The executable is there, just grayed
out.
Tried playing with the certutil command to clean things up but I did not get
very far.
I knew a while ago this was going to require a support call and $245 to walk
me through the procedure of cleaning up my AD and ridding all certificate
entries. I was just hoping to get everything else working, including IPSec
with Kerberos authentication.
So I do not have to go through half a dozen "I forgot my password" support
people, could you direct me to a person within the MSDN support structure
who is familiar with IPSec/Certificate Services interaction and how to use
certutil properly to clean up my AD?
Thanks in advance!
Edward W. Ray
"Kristin Thomas [MSFT]" <kthomas@online.microsoft.com> wrote in message
news:8PcIC%23CDEHA.616@cpmsftngxa06.phx.gbl...
> Edward,
>
> That error looks like it can't find a valid Security Cert, try following
> this article to see if it helps:
>
> 323342 HOW TO: Install a Certificate for Use with IP Security in Windows
> Server
> http://support.microsoft.com/?id=323342
>
> Also have you used IPSec Monitor to try to troubleshoot this?
>
> 324269 HOW TO: Use IPSec Monitor in Windows Server 2003
> http://support.microsoft.com/?id=324269
>
>
> Best Regards,
>
> Kristin Thomas, MCSE, MCP
> Microsoft Enterprise Network Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via
> your newsreader so that others may learn and benefit
> from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> | From: "Edward W. Ray \(502974\)" <homeboy@greekgod.net>
> | References: <Obev50ECEHA.684@tk2msftngp13.phx.gbl>
> | <TRZahNFCEHA.1672@cpmsftngxa06.phx.gbl>
> | <#oE48quCEHA.3064@tk2msftngp13.phx.gbl>
> | <coNHA32CEHA.564@cpmsftngxa06.phx.gbl>
> | Subject: Re: Kerberos errors in event log, authentication, IPSec transport mode on port 445 issues
> | Date: Tue, 16 Mar 2004 20:09:39 -0800
>
> |
> | Kristin:
> |
> | I made the change you suggested, the Kerberos errors subsided a little. I
> | was able to make the change to all but one of the XP clients, so it may be
> | coming from that one, I am not sure and will be unable to make the change to
> | that machine because the user is performing detailed simulations.
> |
> | IPSec is still a mystery. The link is established between the Windows 2003
> | File server and the Windows 2003 DC, then fails. I get the following error
> | message (deletion by peer seems to be the issue; why it is deleted I do not
> | know):
> |
> | Event Type: Failure Audit
> | Event Source: Security
> | Event Category: Logon/Logoff
> | Event ID: 547
> | Date: 3/16/2004
> | Time: 7:58:00 PM
> | User: NT AUTHORITY\NETWORK SERVICE
> | Computer: BLACKDOG
> | Description:
> | IKE security association negotiation failed.
> | Mode:
> | Key Exchange Mode (Main Mode)
> |
> | Filter:
> | Source IP Address 192.168.1.99
> | Source IP Address Mask 255.255.255.255
> | Destination IP Address 192.168.1.102
> | Destination IP Address Mask 255.255.255.255
> | Protocol 0
> | Source Port 0
> | Destination Port 0
> | IKE Local Addr 192.168.1.99
> | IKE Peer Addr 192.168.1.102
> | IKE Source Port 500
> | IKE Destination Port 500
> | Peer Private Addr
> |
> | Peer Identity:
> | Kerberos based Identity: bigdogmedina$@MMICMANHOMENET.LOCAL
> | Peer IP Address: 192.168.1.102
> |
> | Failure Point:
> | Me
> |
> | Failure Reason:
> | IKE SA deleted by peer before establishment completed
> |
> | Extra Status:
> | Processed first (SA) payload
> | Initiator. Delta Time 49
> | 0x0 0x0
> |
> |
> | For more information, see Help and Support Center at
> | http://go.microsoft.com/fwlink/events.asp.
> |
> |
> |
> |
> |
> | "Kristin Thomas [MSFT]" <kthomas@online.microsoft.com> wrote in message
> | news:coNHA32CEHA.564@cpmsftngxa06.phx.gbl...
> | > Edward,
> | >
> | > It sounds like you are having Kerberos over UDP issues, the packet is too
> | > big for UDP so it ends up fragmented and failing. Try forcing Kerberos over
> | > TCP by following this article:
> | >
> | > 244474 How to Force Kerberos to Use TCP Instead of UDP
> | > http://support.microsoft.com/?id=244474
> | >
> | > Best Regards,
> | >
> | > Kristin Thomas, MCSE, MCP
> | > Microsoft Enterprise Network Support
> | >
> | > Get Secure! - www.microsoft.com/security
> | >
> | > =====================================================
> | > When responding to posts, please "Reply to Group" via
> | > your newsreader so that others may learn and benefit
> | > from your issue.
> | > =====================================================
> | > This posting is provided "AS IS" with no warranties, and confers no rights.
> | >
> | > --------------------
> | > | From: "Edward W. Ray \(502974\)" <homeboy@greekgod.net>
> | > | References: <Obev50ECEHA.684@tk2msftngp13.phx.gbl>
> | > | <TRZahNFCEHA.1672@cpmsftngxa06.phx.gbl>
> | > | Subject: Re: Kerberos errors in event log, authentication, IPSec transport mode on port 445 issues
> | > | Date: Mon, 15 Mar 2004 16:07:56 -0800
> | >
> | > |
> | > | No netdiag errors until I enable IPSec transport mode on port 445 between
> | > | file server and DC. Then secure channel fails. No netdiag errors when
> | > | IPSec "Permit" is used. Kerberos errors persist:
> | > |
> | > | Event Type: Error
> | > | Event Source: Kerberos
> | > | Event Category: None
> | > | Event ID: 3
> | > | Date: 3/15/2004
> | > | Time: 3:55:12 PM
> | > | User: N/A
> | > | Computer: BLACKDOG
> | > | Description:
> | > | A Kerberos Error Message was received:
> | > | on logon session
> | > | Client Time:
> | > | Server Time: 23:55:11.0000 3/15/2004 Z
> | > | Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
> | > | Extended Error:
> | > | Client Realm:
> | > | Client Name:
> | > | Server Realm: MMICMANHOMENET.LOCAL
> | > | Server Name: ldap/bigdogmedina.mmicmanhomenet.local/mmicmanhomenet.local
> | > | Target Name: ldap/bigdogmedina.mmicmanhomenet.local/mmicmanhomenet.local@MMICMANHOMENET.LOCAL
> | > | Error Text:
> | > | File: 9
> | > | Line: ac0
> | > | Error Data is in record data.
> | > |
> | > | For more information, see Help and Support Center at
> | > | http://go.microsoft.com/fwlink/events.asp.
> | > |
> | > |
> | > | Event Type: Error
> | > | Event Source: Kerberos
> | > | Event Category: None
> | > | Event ID: 3
> | > | Date: 3/15/2004
> | > | Time: 3:46:05 PM
> | > | User: N/A
> | > | Computer: BLACKDOG
> | > | Description:
> | > | A Kerberos Error Message was received:
> | > | on logon session
> | > | Client Time:
> | > | Server Time: 23:46:4.0000 3/15/2004 Z
> | > | Error Code: 0xd KDC_ERR_BADOPTION
> | > | Extended Error: 0xc00000bb KLIN(0)
> | > | Client Realm:
> | > | Client Name:
> | > | Server Realm: MMICMANHOMENET.LOCAL
> | > | Server Name: host/blackdog.mmicmanhomenet.local
> | > | Target Name: host/blackdog.mmicmanhomenet.local@MMICMANHOMENET.LOCAL
> | > | Error Text:
> | > | File: 9
> | > | Line: ac0
> | > | Error Data is in record data.
> | > |
> | > | For more information, see Help and Support Center at
> | > | http://go.microsoft.com/fwlink/events.asp.
> | > | Data:
> | > | 0000: 03a11530 a2030102 bb0c040e 00c00000
> | > | 0010: 03000000 000000
> | > |
> | > |
> | > |
> | > |
> | > |
> | >
> |
> |
> |
>
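The KDC_ERR_BADOPTION event quoted at the bottom of the thread says "Error Data is in record data" and then dumps 23 bytes. Those bytes are the KERB-ERROR-DATA structure that Microsoft KDCs put in the e-data of a KRB-ERROR (documented in MS-KILE); when its data-type is 3 it wraps a KERB-EXT-ERROR whose first field is the NTSTATUS that the event text shows as "Extended Error: 0xc00000bb". The Python script below is an added example, not code from the thread or from Microsoft. It assumes the dump is the classic Event Viewer "Words" view, which prints 32-bit little-endian groups, reverses each group back into wire order, DER-parses the structure and names the status. The error-code and NTSTATUS tables are small hand-picked selections, not complete lists.

```python
"""Decode the 'Data' bytes of a Windows Kerberos (Event Source: Kerberos, Event ID 3) entry.

Added example, not code from the thread or from Microsoft. EVENT_DATA is copied
from the KDC_ERR_BADOPTION event in the thread and is assumed to be the classic
Event Viewer "Words" view (32-bit little-endian groups), so each group is
byte-reversed before DER parsing.
"""
import struct

EVENT_DATA = """
0000: 03a11530 a2030102 bb0c040e 00c00000
0010: 03000000 000000
"""

# RFC 4120 section 7.5.9 error codes: the two from the thread plus common neighbours.
KRB_ERROR_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x0D: "KDC_ERR_BADOPTION",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
    0x34: "KRB_ERR_RESPONSE_TOO_BIG",
}

# A few NTSTATUS values that turn up as "Extended Error" in these events.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC00000BB: "STATUS_NOT_SUPPORTED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

KERB_ERR_TYPE_EXTENDED = 3   # MS-KILE KERB-ERROR-DATA data-type that carries KERB-EXT-ERROR


def words_view_to_bytes(dump):
    """Turn 'offset: word word ...' lines into bytes (offsets are assumed contiguous)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, groups = line.partition(":")
        for group in groups.split():
            out += bytes.fromhex(group)[::-1]   # each group is a little-endian word
    return bytes(out)


def der_tlv(buf, pos=0):
    """Read one DER element at pos; returns (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def decode_kerb_error_data(dump):
    """Parse MS-KILE KERB-ERROR-DATA:
       SEQUENCE { data-type [1] INTEGER, data-value [2] OCTET STRING OPTIONAL }
    and, for data-type 3, the KERB-EXT-ERROR { status, reserved, flags }
    (three little-endian 32-bit values) carried in data-value."""
    raw = words_view_to_bytes(dump)
    tag, seq, _ = der_tlv(raw)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    info = {}
    pos = 0
    while pos < len(seq):
        ctag, cval, pos = der_tlv(seq, pos)
        itag, ival, _ = der_tlv(cval)
        if ctag == 0xA1 and itag == 0x02:         # [1] INTEGER data-type
            info["data_type"] = int.from_bytes(ival, "big", signed=True)
        elif ctag == 0xA2 and itag == 0x04:       # [2] OCTET STRING data-value
            info["data_value"] = ival
    value = info.get("data_value", b"")
    if info.get("data_type") == KERB_ERR_TYPE_EXTENDED and len(value) >= 12:
        status, reserved, flags = struct.unpack("<III", value[:12])
        info.update(status=status, status_name=NTSTATUS.get(status, "unknown"),
                    reserved=reserved, flags=flags)
    return info


def describe_event(error_code, dump):
    """Join the event's 'Error Code' field with the decoded record data."""
    info = {"error_code": error_code,
            "error_name": KRB_ERROR_CODES.get(error_code, "unknown")}
    info.update(decode_kerb_error_data(dump))
    return info


if __name__ == "__main__":
    for key, val in describe_event(0x0D, EVENT_DATA).items():
        print("%-12s %s" % (key, "0x%08X" % val if key == "status" else val))
```

Run against the dump from the event this yields data-type 3, status 0xC00000BB (STATUS_NOT_SUPPORTED), reserved 0 and flags 3, which agrees with the "Extended Error: 0xc00000bb" line in the event text. The 0x34 in the other event is decimal 52, KRB_ERR_RESPONSE_TOO_BIG, the error that KB 244474 addresses.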
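Kristin's explanation of the RESPONSE_TOO_BIG errors is the RFC 4120 section 7.2 rule: a KDC whose reply will not fit in a UDP datagram answers with KRB_ERR_RESPONSE_TOO_BIG (error-code 52, the 0x34 in the event) and the client is expected to retry over TCP, where every message is prefixed with a 4-byte big-endian length whose high bit is reserved. The script below is an added example, not from the thread or from Microsoft, that walks through that exchange against an in-process toy KDC. The 1465-byte UDP limits, the toy's reply contents and the trimmed KRB-ERROR encoding (only the error-code field is present) are constructed assumptions; the max_packet_size parameter plays the role of the MaxPacketSize registry value that KB 244474 sets to 1 to force TCP.

```python
"""Simulate the Kerberos UDP-to-TCP transport fallback of RFC 4120 section 7.2.

Added example; nothing here talks to a real KDC. The toy KDC's reply contents,
the UDP size limits and the trimmed KRB-ERROR encoding are constructed.
"""
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52     # 0x34 in the thread's Event ID 3 text
UDP_REPLY_LIMIT = 1465            # assumed KDC-side datagram limit (constructed)
DEFAULT_MAX_PACKET_SIZE = 1465    # stands in for the client's MaxPacketSize value


def tcp_frame(msg):
    """RFC 4120 7.2.2 framing: 4-byte big-endian length, high bit reserved (must be 0)."""
    if len(msg) >= 0x80000000:
        raise ValueError("message too long for Kerberos TCP framing")
    return struct.pack(">I", len(msg)) + msg


def tcp_unframe(stream):
    """Inverse of tcp_frame; rejects the reserved bit and truncated streams."""
    (n,) = struct.unpack(">I", stream[:4])
    if n & 0x80000000:
        raise ValueError("reserved high bit set in TCP length field")
    body = stream[4:4 + n]
    if len(body) != n:
        raise ValueError("short read: expected %d bytes, got %d" % (n, len(body)))
    return body


def krb_error(code):
    """Trimmed KRB-ERROR: [APPLICATION 30] SEQUENCE { error-code [6] INTEGER }.
    A real KRB-ERROR also carries pvno, msg-type, stime, susec, realm and sname."""
    return bytes([0x7E, 7, 0x30, 5, 0xA6, 3, 0x02, 1, code])


def error_code(msg):
    """Return the error-code of a (trimmed) KRB-ERROR, or None for any other message."""
    if msg[:1] != b"\x7e":
        return None
    i = msg.find(b"\xa6\x03\x02\x01")
    return msg[i + 4] if i >= 0 else None


class ToyKDC:
    """In-process stand-in for a KDC; reply_size sets how big its AS-REP/TGS-REP is."""

    def __init__(self, reply_size):
        # 0x6B is the [APPLICATION 11] AS-REP tag; the rest is filler, not real ASN.1.
        self.reply = b"\x6b" + b"R" * (reply_size - 1)
        self.log = []                 # (transport, bytes seen on the wire)

    def handle(self, transport, wire):
        self.log.append((transport, len(wire)))
        if transport == "udp":
            if len(self.reply) > UDP_REPLY_LIMIT:
                return krb_error(KRB_ERR_RESPONSE_TOO_BIG)   # RFC 4120 7.2.1
            return self.reply
        tcp_unframe(wire)             # TCP: validate the length-prefixed request
        return tcp_frame(self.reply)


def request_ticket(kdc, request, max_packet_size=DEFAULT_MAX_PACKET_SIZE):
    """Client side: UDP when the request fits, TCP after RESPONSE_TOO_BIG.

    max_packet_size=1 mirrors the KB 244474 registry setting
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters\\MaxPacketSize=1,
    which makes the client skip UDP entirely.
    """
    if len(request) <= max_packet_size:
        reply = kdc.handle("udp", request)
        if error_code(reply) != KRB_ERR_RESPONSE_TOO_BIG:
            return reply
    return tcp_unframe(kdc.handle("tcp", tcp_frame(request)))


if __name__ == "__main__":
    req = b"\x6a" + b"Q" * 300       # 0x6A: AS-REQ tag, filler body (constructed)
    for size in (600, 6000):
        kdc = ToyKDC(size)
        request_ticket(kdc, req)
        print("reply %5d bytes -> transports used: %s" % (size, kdc.log))
    kdc = ToyKDC(600)
    request_ticket(kdc, req, max_packet_size=1)
    print("MaxPacketSize=1 -> transports used: %s" % kdc.log)
```

With a 600-byte reply the exchange stays on UDP; with a 6000-byte reply (the size a PAC-laden ticket can reach) the UDP leg comes back as KRB-ERROR 52 and the client repeats the request over TCP, which is the pair of events a Windows 2003 client in the thread's setup records as Event ID 3 before it succeeds. Setting max_packet_size to 1 removes the UDP leg, and with it both the log noise and the fragmented-datagram failure that Kristin describes.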