Re: IPSEC Failing (Secure Server)


From: Aaron (Aaron_at_discussions.microsoft.com)
Date: 11/17/04


Date: Wed, 17 Nov 2004 14:44:08 -0800

This message was posted by me. Sorry for the 'generic' display name.

"microsoft" wrote:

> I can see why having a 'Secure Server' policy would prevent Server A from
> being able to communicate with the DC. Can you tell me why it works when I
> configure the client to use the Server(Request Security) Setting?
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:uh$30APzEHA.260@TK2MSFTNGP11.phx.gbl...
> > You must exempt domain controllers from your ipsec policy, as domain
> > controllers cannot use ipsec to communicate with domain members because
> > they are the Kerberos distribution centers. Modify your ipsec policy by
> > adding a new rule to it with a permit filter action and a filter with a
> > mirrored entry for all traffic for domain controllers listed by their IP
> > addresses. Reboot your server after configuring the ipsec policy and use
> > the ipsecmon mmc snapin to verify that the new policy is in effect that
> > exempts domain controllers. --- Steve
> >
> >
> >
> > "Aaron" <Aaron@discussions.microsoft.com> wrote in message
> > news:4DEDBBBE-DA95-4CBB-9803-AFDDE7452CE2@microsoft.com...
> > > Server A has local policy configured as Secure Server(Require Security).
> > > Client B has local policy configured as Client(Respond Only). Both A
> and
> > > B
> > > are members of the same W2K3 AD domain. Event log error on Server A:
> IKE
> > > security ssociation failed: Key Exchange Mode (Main Mode). Further
> down
> > > it
> > > says, Failure Point: Me, Failure Reason: Failed to authenticate using
> > > kerberos.
> > >
> > > Doing some trouble shooting, I found that if I changed the policy on
> > > Server
> > > A to Server(Request Security) the communication did occur and was
> > > encapsulated (verified using NetMon). I also could get this to work if,
> > > leaving the policy on Server A on Secure Server, I changed the policy on
> > > Client B to Server(Request Security).
> > >
> > >
> >
> >
>
>
>
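Steve's exemption rule, spelled out as netsh commands so it can be scripted instead of clicked through the IP Security Policy snap-in. This is an added example, not something posted in the thread. It assumes Server A runs Windows Server 2003 (which has the netsh ipsec static context), that the assigned local policy is the built-in "Secure Server (Require Security)", and it uses two made-up domain controller addresses, 10.0.0.10 and 10.0.0.11; substitute your own DC addresses and run it from a cmd prompt as a local administrator on Server A.

```bat
@echo off
rem Added example (not from the thread): exempt domain controllers from a
rem Require Security IPsec policy so Kerberos/LDAP/SMB to the DCs is not
rem forced through IKE, which cannot authenticate without the KDC.
rem Assumptions: Windows Server 2003 "netsh ipsec static" context; the policy
rem in use is the built-in one named below; 10.0.0.10 and 10.0.0.11 are
rem placeholder DC addresses for this example only.

set POLICY=Secure Server (Require Security)

rem 1. A filter list with one mirrored, all-protocol filter per DC.
rem    srcaddr=me is this host; mirrored=yes also matches DC -> me traffic,
rem    so both directions of the KDC exchange are covered by the same entry.
netsh ipsec static add filterlist name="Domain Controllers" description="DCs exempted from IPsec"
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=me dstaddr=10.0.0.10 protocol=ANY mirrored=yes description="DC1"
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=me dstaddr=10.0.0.11 protocol=ANY mirrored=yes description="DC2"

rem 2. A permit filter action: matching packets pass with no IKE negotiation
rem    and no AH/ESP, i.e. in the clear, which is what the DC needs.
netsh ipsec static add filteraction name="Permit DCs" action=permit

rem 3. Tie list and action together as a new rule inside the existing policy.
netsh ipsec static add rule name="Exempt Domain Controllers" policy="%POLICY%" filterlist="Domain Controllers" filteraction="Permit DCs" description="DCs cannot negotiate IPsec with domain members"

rem 4. Confirm the rule is stored in the policy as intended.
netsh ipsec static show rule name="Exempt Domain Controllers" policy="%POLICY%" level=verbose

rem 5. Reboot as Steve advises (or restart the IPSEC Services service,
rem    "net stop policyagent" then "net start policyagent"), then check
rem    that the permit filters for the DCs are among the active ones.
netsh ipsec dynamic show qmfilter
```

Step 5 is the netsh equivalent of the ipsecmon check Steve mentions: until the Policy Agent reloads the policy, step 4 only shows the stored rule, not what the driver is enforcing. Keep one filter per DC address (or per DC subnet via dstmask=) and remember that everything matched by a permit action is unprotected, so the list should contain only the DCs.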
