Question: IPSEC
My Enterprise has one 2000 AD Server and one XP Client. Both operate normally and can log on and off the domain without any problems.
I applied the Server (Request Security) IPSEC Policy to the Domain Controller in my Enterprise using Kerberos authentication. It's the default template; I haven't modified it at all.
I applied the Client (Respond Only) policy to the Local Computer (the XP Client).
I rebooted both the server and the client. Both machines will log on without any problems. The XP event log reports:
Successful Network Logon: User Name: Administrator Domain: RUGBYDOM Logon ID: (0x0,0x44041) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {64f2712e-f629-9edb-e037-5bf9625434d2}
But when I try to get the client to ping the server I get "request timed out", or when I browse for the server in Network Neighbourhood it doesn't find it. The XP client event log reports:
The Security System detected an attempted downgrade attack for server ldap/SERVER.rugbydom.hamanaptra.co.uk/rugbydom.hamanaptra.co.uk@rugbydom.hamanaptra.co.uk. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
AND
The Security System could not establish a secured connection with the server ldap/server.rugbydom.hamanaptra.co.uk. No authentication protocol was available.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
So, basically, applying the IPSEC policy to the server is stopping the communication, but why isn't the client negotiating IPSEC keys?
But if I use the server to ping the XP client it's fine, and if I use the server to browse the network to find the client it's fine.
If I remove the IPSEC policies from both it's fine.
What have I done wrong?
Answer: IPSEC