IPSec transport mode with Kerberos authentication

Discussion in 'Server Networking' started by RJ, Jul 23, 2004.

RJ (Guest)

    I have a 2003 DC and a 2003 member server separated by a
    firewall that is not doing NAT. I have created an IPSec
    transport policy on both servers using source ANY and
    destination ANY and mirrored packets is checked and
    Kerberos authentication.

    I am able to create the tunnel from the DC to the member
    server and create an IPSec connection. All traffic flows
    fine and I am able to access everything I need to from
    both servers.

    When I try to create the tunnel from the member server to
    the DC, it states in the Security Log that "no authority
    could be contacted for authentication".

    If I change the authentication to pre-shared keys I can
    create the tunnel in both directions. I have IPSec and
    ISAKMP open in both directions as well as trying DNS and
    Kerberos, both TCP and UDP in both directions.

    When I analyze the traffic, I see the member server
    queries the DNS server during boot for an LDAP server,
    and the DC never responds. I believe this is the issue
    because the member server does not know what server to
    query for Kerberos authentication.

    Any input will be greatly appreciated.

    RJ, Jul 23, 2004
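The post's own diagnosis is that the member server's SRV lookup for a domain controller goes unanswered, so Kerberos has no KDC to talk to and the IKE negotiation with Kerberos authentication fails from that side. The following is an added example (not code from the thread or from Windows) that performs the same check a practitioner would make from the member server: send a DNS SRV query with only the standard library, parse the answer into priority/weight/port/target, and treat a silent DNS server as the failure case. The domain `example.test`, the DNS server address `192.0.2.1` and the timeout are assumptions chosen for the example; `make_srv_response` only constructs a sample reply packet so the parser can be exercised offline.

```python
"""DNS SRV lookup and parser for locating _kerberos._tcp / _ldap._tcp records.

Added example, not part of the original thread. Standard library only.
"""
import random
import socket
import struct

SRV_TYPE = 33  # QTYPE for SRV records (RFC 2782)


def _encode_name(name):
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_srv_query(name, txid):
    """Build a DNS query packet for an SRV record, class IN, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", SRV_TYPE, 1)


def _read_name(msg, off):
    """Read a possibly compressed DNS name; return (name, offset after it)."""
    labels = []
    end = None  # offset after the name in the original (uncompressed) stream
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_srv_response(msg, txid):
    """Return [(priority, weight, port, target), ...] from an SRV answer."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("DNS error, rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            target, _ = _read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return records


def locate_service(srv_name, dns_server, timeout=2.0):
    """Query an SRV name over UDP/53; None means no usable reply arrived.

    A None result reproduces the condition in the post: the member server
    asks for a DC and nothing comes back, so Kerberos cannot find a KDC.
    """
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_srv_query(srv_name, txid), (dns_server, 53))
        data, _ = sock.recvfrom(4096)
    except OSError:  # timeout or unreachable network
        return None
    finally:
        sock.close()
    return parse_srv_response(data, txid)


def make_srv_response(txid, qname, prio, weight, port, target):
    """Construct a sample SRV reply packet (test input only, not real DNS data)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = _encode_name(qname) + struct.pack(">HH", SRV_TYPE, 1)
    rdata = struct.pack(">HHH", prio, weight, port) + _encode_name(target)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", SRV_TYPE, 1, 600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # Assumed domain and DNS server; on a real member server use the domain's
    # own name and the DNS server the machine is configured to use.
    for name in ("_kerberos._tcp.example.test", "_ldap._tcp.dc._msdcs.example.test"):
        result = locate_service(name, "192.0.2.1", timeout=1.0)
        print(name, "->", result if result is not None else "NO REPLY (KDC cannot be located)")
```

When the lookup returns `None`, the problem is at the DNS step, before any Kerberos or IPsec exchange, which matches the capture RJ describes; if records come back, the next thing to check is that the returned port (88 for Kerberos, 389 for LDAP) is actually reachable through the firewall.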
