Connection Security Rule communication lost
I have two Server 2008 R2 DCs at a main site, and a 2008 R2 RODC at a remote site behind a NAT firewall; they communicate using Connection Security Rules to require encrypted traffic between them. The NAT firewall is open to allow all traffic from
the main site DCs, and I've set the "AssumeUDPEncapsulationContextOnSendRule" registry key on the DCs.
This works, but after an indeterminate amount of time communication between the servers changes and fails. It looks like it's a Kerberos problem, as that's what I'm using to authenticate the encrypted sessions. I'm seeing a ton of these entries
when communication fails:
Audit Failure    Microsoft Windows security auditing.
Event ID 4769    Kerberos Service Ticket Operations
A Kerberos service ticket was requested.
Account Information:
    Account Name:           RODC1@DOMAIN
    Account Domain:         DOMAIN
    Logon GUID:             {00000000-0000-0000-0000-000000000000}
Service Information:
    Service Name:           host/DC1
    Service ID:             NULL SID
Network Information:
    Client Address:         ::1
    Client Port:            0
Additional Information:
    Ticket Options:         0x40810000
    Ticket Encryption Type: 0xffffffff
    Failure Code:           0x1d
    Transited Services:     -
There are no similar requests when communication is established/working.
While it's working, packets are showing up in Wireshark as ESP protocol "ESP (SPI=<octal number>)" and UDPENCAP "NAT-keepalive" packets, but when the problem occurs they change to ISAKMP protocol "Identity Protection (Main Mode)", "Unknown 243",
and "Unknown 246" packets, based on the Info field. The only way to get communication between them working again is to open a connection from the DCs at the main site. All traffic initiated at the RODC will fail.
Any suggestions as to what I should look at or settings to mangle?
October 31st, 2011 6:58pm
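An added example, not part of the original post: a short PowerShell script that reduces a pile of 4769 events to a count per service, failure code and client address, so that a burst of 0x1d (KDC_ERR_SVC_UNAVAILABLE) for host/DC1 requested from ::1 stands out from the normal noise. The sample events are constructed to mirror the entry quoted above; the account, service and host names in them are assumptions. The same function works on the live log through Get-WinEvent, which is available in the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example (not from the thread): summarise 4769 Kerberos service-ticket failures.
# Sample events are constructed; names and timestamps are assumptions.

# Failure codes carried in the 4769 "Failure Code" field (RFC 4120 KRB-ERROR codes, abridged).
$KrbErrorNames = @{
    '0x0'  = 'SUCCESS'
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN'
    '0xe'  = 'KDC_ERR_ETYPE_NOTSUPP'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED'
    '0x17' = 'KDC_ERR_KEY_EXPIRED'
    '0x1d' = 'KDC_ERR_SVC_UNAVAILABLE'
    '0x20' = 'KRB_AP_ERR_TKT_EXPIRED'
    '0x25' = 'KRB_AP_ERR_SKEW'
}

# Flatten one event's XML (what EventLogRecord.ToXml() returns) into an object.
function ConvertFrom-Event4769Xml {
    param([Parameter(ValueFromPipeline=$true)][string]$EventXml)
    process {
        $x  = [xml]$EventXml
        $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        if ($x.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText -ne '4769') { return }
        $d = @{}
        foreach ($n in $x.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $d[$n.GetAttribute('Name')] = $n.InnerText
        }
        $status = $d['Status'].ToLower()
        $name   = 'UNKNOWN'
        if ($KrbErrorNames.ContainsKey($status)) { $name = $KrbErrorNames[$status] }
        New-Object PSObject -Property @{
            Time          = $x.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
            Account       = $d['TargetUserName']
            Service       = $d['ServiceName']
            ClientAddress = $d['IpAddress']
            Status        = $status
            StatusName    = $name
        }
    }
}

# Count failures per service / code / client address; successes (0x0) are dropped.
function Get-Kerberos4769Summary {
    param([Parameter(ValueFromPipeline=$true)]$Event)
    begin   { $rows = @() }
    process { $rows += $Event }
    end {
        $rows | Where-Object { $_.Status -ne '0x0' } |
            Group-Object Service, StatusName, ClientAddress |
            ForEach-Object {
                $first = $_.Group | Sort-Object Time | Select-Object -First 1
                New-Object PSObject -Property @{
                    Count = $_.Count; Service = $first.Service; Failure = $first.StatusName
                    ClientAddress = $first.ClientAddress; FirstSeen = $first.Time
                }
            } | Sort-Object Count -Descending
    }
}

# Constructed sample events in the same shape as the Security log's XML rendering.
function New-Sample4769Xml {
    param([string]$Time, [string]$Service, [string]$Status, [string]$Client = '::1')
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">RODC1@DOMAIN</Data><Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="ServiceName">$Service</Data><Data Name="ServiceSid">S-1-0-0</Data>
    <Data Name="TicketOptions">0x40810000</Data><Data Name="TicketEncryptionType">0xffffffff</Data>
    <Data Name="IpAddress">$Client</Data><Data Name="IpPort">0</Data>
    <Data Name="Status">$Status</Data><Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
  </EventData>
</Event>
"@
}

$sample = @(
    (New-Sample4769Xml -Time '2011-10-31T18:40:02Z' -Service 'host/DC1' -Status '0x1d'),
    (New-Sample4769Xml -Time '2011-10-31T18:40:07Z' -Service 'host/DC1' -Status '0x1d'),
    (New-Sample4769Xml -Time '2011-10-31T18:40:09Z' -Service 'ldap/DC2' -Status '0x1d'),
    (New-Sample4769Xml -Time '2011-10-31T17:55:00Z' -Service 'host/DC1' -Status '0x0' -Client '192.168.50.5')
)
$sample | ConvertFrom-Event4769Xml | Get-Kerberos4769Summary | Format-Table -AutoSize

# Against the live Security log on the RODC (uncomment to run):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event4769Xml | Get-Kerberos4769Summary
```

The point of grouping on ClientAddress is that ::1 in a 4769 means the request was made by the RODC to its own KDC, which is what you would expect to see when the RODC is trying, and failing, to obtain the service ticket it needs for its own IPsec negotiation.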
Hi,
The Failure Code 0x1d means "KDC_ERR_SVC_UNAVAILABLE: A service is not available". It may occur when the RODC is trying to forward the request
to the RWDC and the RWDC is unreachable.
I suggest you verify that DNS is correctly set up, the KDC service is running and port 88 is in a listening state on the RODC.
Hope this helps.
Regards,
Bruce
November 1st, 2011 11:30pm
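An added example, not part of the answer above: the three checks it recommends (DNS, the KDC service, TCP 88) scripted so they can be run on the RODC in one go. The DC host names are assumptions; the TCP probe uses System.Net.Sockets.TcpClient rather than Test-NetConnection, which does not exist on 2008 R2.

```powershell
# Added example (not from the thread): DNS / KDC service / port 88 checks for the RODC.
$WritableDCs = @('DC1.domain.local', 'DC2.domain.local')   # assumed FQDNs of the main-site DCs

# TCP connect with a timeout; $true only if the three-way handshake completes.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# For each writable DC: does the name resolve, and is its KDC port reachable from here?
# A DC that resolves but shows Tcp88 = False while the IPsec SA is down is the symptom
# described in the question, not a DNS problem.
function Test-KdcPath {
    param([string[]]$DomainControllers)
    $results = @()
    foreach ($dc in $DomainControllers) {
        $addr = $null
        try { $addr = ([System.Net.Dns]::GetHostAddresses($dc) | Select-Object -First 1).IPAddressToString } catch { }
        $tcp88 = $false
        if ($addr) { $tcp88 = Test-TcpPort -ComputerName $addr -Port 88 }
        $results += New-Object PSObject -Property @{
            Target = $dc; Resolves = [bool]$addr; Address = $addr; Tcp88 = $tcp88
        }
    }
    $results
}

# Local side: is the Kerberos Key Distribution Center service running, and is it bound to 88?
function Test-LocalKdc {
    $svc = Get-Service -Name kdc -ErrorAction SilentlyContinue
    $state = 'missing'
    if ($svc) { $state = $svc.Status }
    $listening = @(netstat -an -p tcp | Select-String ':88\s+\S+\s+LISTENING').Count -gt 0
    New-Object PSObject -Property @{ KdcService = $state; Tcp88Listening = $listening }
}

Test-LocalKdc | Format-List
Test-KdcPath -DomainControllers $WritableDCs | Format-Table Target, Resolves, Address, Tcp88 -AutoSize
```

Run it twice: once while the ESP traffic is flowing and once after the ISAKMP main mode retries start. If the only thing that changes between the two runs is Tcp88 for the writable DCs, the KDC is fine and the transport to it is what has gone away.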
Hi Bruce,
Thanks for responding. DNS entries and lookups are good, and port 88 is reachable from each of the hosts to the others, assuming the connection is working. At this point I think what's happening is the RODC's Kerb ticket for accessing the DCs
expires and it can't negotiate a new one because the connection requires encryption using said ticket. I've added certificates as another form of authentication and so far it seems that's working; I've also considered switching the authentication from
required to requested for inbound/outbound.
Best,
Austin
November 2nd, 2011 1:19pm
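An added example, not the poster's own configuration: the Kerberos-only "require" rule that can deadlock once the RODC's ticket lapses, beside the two ways out the reply above names (a computer certificate as a second authentication method, and "request" instead of "require"), plus the NAT-T registry value mentioned in the question. The rule name, addresses and CA name are assumptions, and the DCs and RODC must already hold computer certificates from that CA for the certificate method to succeed. The commands are fed to netsh through a script file so that netsh, not PowerShell, handles the quoting.

```powershell
# Added example (not from the thread): DC-to-RODC connection security rule variants and NAT-T.
$RuleName    = 'DC-RODC-IPsec'
$MainSiteDCs = '10.0.0.10,10.0.0.11'          # assumed: DC1, DC2
$Rodc        = '192.168.50.5'                 # assumed: RODC1's private address behind the NAT
$IssuingCa   = 'CN=ContosoRootCA,O=Contoso'   # assumed issuer of the computer certificates

# Run a batch of netsh commands with "netsh -f" so quoting such as name="..." is parsed by netsh.
function Invoke-NetshScript {
    param([string]$Script)
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $tmp -Value $Script -Encoding ASCII
        netsh -f $tmp
    } finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

function Set-DcRodcIpsecRule {
    param([ValidateSet('KerberosOnlyRequire','KerberosOrCertRequire','KerberosOrCertRequest')][string]$Mode)
    $common = "name=`"$RuleName`" endpoint1=$MainSiteDCs endpoint2=$Rodc"
    switch ($Mode) {
        # As originally configured: Kerberos is the only main mode authentication method and
        # authentication is required both ways. The RODC needs a ticket for host/DC1 to
        # authenticate, but its only path to a KDC that can issue one runs through this very
        # rule, so once the ticket lapses the RODC side can never renegotiate on its own.
        'KerberosOnlyRequire'   { $auth = 'action=requireinrequireout auth1=computerkerb' }
        # Kerberos is tried first, computer certificate second. The certificate path needs no
        # KDC, so the SA can be re-established from either side while staying "required".
        'KerberosOrCertRequire' { $auth = "action=requireinrequireout auth1=computerkerb,computercert auth1ca=`"$IssuingCa`"" }
        # The alternative the poster considered: same methods, but authentication is only
        # requested. Traffic still flows if negotiation fails, which removes the deadlock but
        # also the guarantee that DC-to-RODC traffic is always protected.
        'KerberosOrCertRequest' { $auth = "action=requestinrequestout auth1=computerkerb,computercert auth1ca=`"$IssuingCa`"" }
    }
    $script = @"
advfirewall consec delete rule name="$RuleName"
advfirewall consec add rule $common $auth
advfirewall consec show rule name="$RuleName"
"@
    Invoke-NetshScript $script
}

# NAT-T: allow the IPsec Policy Agent to build SAs with peers behind NAT.
# 1 = peers behind NAT; 2 = also when this host is behind NAT. Takes effect after a reboot.
function Set-NatTraversalAllowed {
    param([ValidateSet(0,1,2)][int]$Value = 2)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    New-ItemProperty -Path $key -Name 'AssumeUDPEncapsulationContextOnSendRule' `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

Set-NatTraversalAllowed -Value 2
Set-DcRodcIpsecRule -Mode KerberosOrCertRequire

# Check which method the live main mode SA actually used (Auth1 column) and that quick mode
# SAs exist, i.e. ESP is flowing rather than ISAKMP retries.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

The delete line will report that no rule matched the first time it runs; that is expected. Apply the same rule, with endpoint1 and endpoint2 swapped, on the RODC, and confirm with "show mmsa" after a ticket lapse that the SA came up with the certificate method from the RODC side.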