Re: IPSEC Failing (Secure Server)

From: microsoft (not_at_home.com)
Date: 11/17/04


Date: Wed, 17 Nov 2004 16:27:11 -0600

I can see why having a 'Secure Server' policy would prevent Server A from
being able to communicate with the DC. Can you tell me why it works when I
configure the client to use the Server(Request Security) Setting?

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uh$30APzEHA.260@TK2MSFTNGP11.phx.gbl...
> You must exempt domain controllers from your ipsec policy as domain
> controllers cannot use ipsec to communicate with domain members because
> they are the Kerberos distribution centers. Modify your ipsec policy by
> adding a new rule to it with a permit filter action and a filter with a
> mirrored entry for all traffic for domain controllers listed by their IP
> addresses. Reboot your server after configuring the ipsec policy and use
> the ipsecmon mmc snapin to verify that the new policy is in effect that
> exempts domain controllers. --- Steve
>
>
>
> "Aaron" <Aaron@discussions.microsoft.com> wrote in message
> news:4DEDBBBE-DA95-4CBB-9803-AFDDE7452CE2@microsoft.com...
> > Server A has local policy configured as Secure Server(Require Security).
> > Client B has local policy configured as Client(Respond Only). Both A and B
> > are members of the same W2K3 AD domain. Event log error on Server A: IKE
> > security association failed: Key Exchange Mode (Main Mode). Further down it
> > says, Failure Point: Me, Failure Reason: Failed to authenticate using
> > kerberos.
> >
> > Doing some troubleshooting, I found that if I changed the policy on
> > Server A to Server(Request Security) the communication did occur and was
> > encapsulated (verified using NetMon). I also could get this to work if,
> > leaving the policy on Server A on Secure Server, I changed the policy on
> > Client B to Server(Request Security).
> >
> >
>
>
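
The exemption rule described in the quoted reply, written as netsh ipsec static commands against the local policy store on Windows Server 2003. This is an added example, not part of the original thread. The addresses 192.0.2.10 and 192.0.2.11 and the names "DC Exempt", "Permit DC" and "Exempt domain controllers" are placeholders, and the policy name assumes the built-in Secure Server (Require Security) policy is the one assigned on Server A.

```bat
rem Added example: addresses and object names are placeholders, not values
rem from the thread. Run on Server A from an administrative command prompt.

rem 1. Filter list with one mirrored, all-protocol filter per domain controller.
rem    mirrored=yes matches the traffic in both directions. Traffic matching
rem    this list will bypass IPsec, so list only the DC addresses.
netsh ipsec static add filterlist name="DC Exempt" description="All traffic to and from domain controllers"
netsh ipsec static add filter filterlist="DC Exempt" srcaddr=me dstaddr=192.0.2.10 protocol=ANY mirrored=yes
netsh ipsec static add filter filterlist="DC Exempt" srcaddr=me dstaddr=192.0.2.11 protocol=ANY mirrored=yes

rem 2. Filter action that permits matching traffic without negotiating security.
netsh ipsec static add filteraction name="Permit DC" action=permit

rem 3. New rule in the existing policy tying the filter list to the permit action.
rem    The policy name is assumed; substitute the name of the assigned policy.
netsh ipsec static add rule name="Exempt domain controllers" policy="Secure Server (Require Security)" filterlist="DC Exempt" filteraction="Permit DC"

rem 4. List the policy with its rules and filters to confirm the exemption is present.
netsh ipsec static show policy name="Secure Server (Require Security)" level=verbose
```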


