Re: IPSEC Failing (Secure Server)
From: microsoft (not_at_home.com)
Date: 11/17/04
Date: Wed, 17 Nov 2004 16:27:11 -0600
I can see why having a 'Secure Server' policy would prevent Server A from
being able to communicate with the DC. Can you tell me why it works when I
configure the client to use the Server(Request Security) Setting?
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uh$30APzEHA.260@TK2MSFTNGP11.phx.gbl...
> You must exempt domain controllers from your ipsec policy as domain
> controllers cannot use ipsec to communicate with domain members because
> they are the Kerberos distribution centers. Modify your ipsec policy by
> adding a new rule to it with a permit filter action and a filter with a
> mirrored entry for all traffic for domain controllers listed by their IP
> addresses. Reboot your server after configuring the ipsec policy and use
> the ipsecmon mmc snapin to verify that the new policy is in effect that
> exempts domain controllers. --- Steve
>
>
>
> "Aaron" <Aaron@discussions.microsoft.com> wrote in message
> news:4DEDBBBE-DA95-4CBB-9803-AFDDE7452CE2@microsoft.com...
> > Server A has local policy configured as Secure Server(Require Security).
> > Client B has local policy configured as Client(Respond Only). Both A and B
> > are members of the same W2K3 AD domain. Event log error on Server A: IKE
> > security association failed: Key Exchange Mode (Main Mode). Further down it
> > says, Failure Point: Me, Failure Reason: Failed to authenticate using
> > kerberos.
> >
> > Doing some troubleshooting, I found that if I changed the policy on Server
> > A to Server(Request Security) the communication did occur and was
> > encapsulated (verified using NetMon). I also could get this to work if,
> > leaving the policy on Server A on Secure Server, I changed the policy on
> > Client B to Server(Request Security).
> >
> >
>
>