Firewall-1

[FW-1] SDL and Cached Credentials WinXP/SecClient R56 HFA-03

Subject: [FW-1] SDL and Cached Credentials WinXP/SecClient R56 HFA-03
From: "Herlaar, D.B." <d.herlaar AT DLV DOT NL>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 24 Mar 2005 19:33:53 +0100
Hello,
 
Can someone give me a definitive answer about my problem?
 
In our company we have about 150 VPN users (all Windows XP SP1); some of
those users have a problem.
 
When logging on with cached credentials outside the office and
connected through VPN, they cannot browse the network.
If a client was logged on to the local LAN in the office and the machine
was NOT rebooted before reconnecting outside the office and setting up a
VPN session, they have no problem!
It seems to be some kind of Kerberos authentication issue (see related
articles), but can anyone help me solve this?
Can anybody explain why only some users have this problem and not all
users?
 
 
- Ping [DC_Hostname] resolves its IP address and answers correctly
 
- Net View \\[DC_Hostname] results in a System Error 5
 
 
When (re)starting the laptop and using Secure Domain Logon (SDL), it
takes about 25 minutes (!!!) after entering the credentials before a
user can work.
(using a Compaq Armada E500 PIII-900MHz, 128MB)
But still no network browsing, no logon script run and no (re)connected
network mappings.
When starting the logon script manually, a message box appears asking for
user credentials; when giving the logged-on user's credentials, an error
occurs.
When using another set of user credentials the script will start. The
logged-on user's privileges are set to GUEST.
 
 
Some event logs from the client:
 
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator) 
Event ID: 40961
Date:  18-3-2005
Time:  11:21:04
User:  N/A
Computer: DLVPPC1032
Description:
The Security System could not establish a secured connection with the
server cifs/[DC_FILE_SERVER].  No authentication protocol was available.
 
 
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator) 
Event ID: 40960
Date:  18-3-2005
Time:  11:21:04
User:  N/A
Computer: DLVPPC1032
Description:
The Security System detected an attempted downgrade attack for server
cifs/[DC_FILE_SERVER].  The failure code from authentication protocol
Kerberos was "Currently no authentication server available."
(0xc000005e) (translated from Dutch)
 
 
 
Related articles:
http://groups-beta.google.com/group/cp.products.vpn-1/browse_frm/thread/86d1aaf10503b53f/9a6ef4d37e5058a2?tvc=1#9a6ef4d37e5058a2
http://support.microsoft.com/default.aspx/kb/q297278/ 
http://www.howtonetworking.com/VPN/browsingovervpne1.htm
 
 
More information:
Active Directory: Windows 2003
Clients: Windows XP SP1 (no SP2), VPN SecureClient R56 HFA-03
Gateway: IPSO 3.8 Build 045, Check Point R55
 
 
Kind regards,
 
David Herlaar
System Administrator
 
DLV Adviesgroep nv
Information Services Department
 
Tel: (0317) 491 524
Fax: (0317) 460 400
Mob: (06) 20 13 12 09
mailto:DHerlaar AT dlv DOT nl
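The checks in the post (ping, Net View, reading the LSASRV 40960/40961 events) can be run in one go from the VPN-connected client. The script below is an added example for this thread, not code from the original post or from Check Point; the domain name corp.example.nl and the DC name dc01.corp.example.nl are placeholders, and it uses modern PowerShell cmdlets (Resolve-DnsName, Test-NetConnection, Get-WinEvent) rather than anything available on the XP SP1 clients described. The point it makes is that a resolvable name is not enough: the tunnel must also pass Kerberos (88), LDAP (389) and SMB (445) to a domain controller, and failure code 0xC000005E (STATUS_NO_LOGON_SERVERS) in Event 40960 is exactly what the DC locator reports when it cannot reach one.

```powershell
# Added diagnostic for the symptoms above (example code, not from the original post).
# Placeholders (assumptions, not from the post): corp.example.nl / dc01.corp.example.nl.
# Run in an elevated PowerShell on the client after the VPN tunnel is up.
param(
    [string]$Domain = 'corp.example.nl',      # placeholder AD domain
    [string]$DcHost = 'dc01.corp.example.nl'  # placeholder DC / file server
)

# 1. Name resolution. "Ping resolves the name" only proves DNS works through the
#    tunnel; it says nothing about whether the DC's service ports are reachable.
$addr = (Resolve-DnsName -Name $DcHost -Type A -ErrorAction Stop).IPAddress
"$DcHost resolves to $addr"

# 2. TCP reachability of the ports a domain logon and 'net view' depend on:
#    88 = Kerberos KDC, 389 = LDAP (DC locator), 445 = SMB (cifs/ SPN in the events).
#    UDP 88 is not tested here; a policy that passes TCP 88 but drops UDP 88 still
#    breaks the first Kerberos exchange on older clients.
foreach ($port in 88, 389, 445) {
    $r = Test-NetConnection -ComputerName $DcHost -Port $port -WarningAction SilentlyContinue
    '{0} TCP/{1}: {2}' -f $DcHost, $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 3. Ask the DC locator directly. A failure here is the condition behind
#    "Currently no authentication server available" (0xC000005E) in Event ID 40960.
nltest /dsgetdc:$Domain /force

# 4. Kerberos ticket cache. After a cached-credential logon the cache is empty until a
#    KDC is reachable; with no TGT every cifs/ request ends in Event ID 40961 and the
#    SPNEGO fallback the 40960 event describes as a "downgrade".
klist

# 5. Pull the SPNEGO warnings from the System log so their timestamps can be compared
#    with the moment the tunnel came up. Provider name is filtered client-side because
#    it is shown as LSASRV on the post's XP clients and as LsaSrv on current Windows.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 40960, 40961 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like 'lsasrv*' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

If step 1 succeeds but step 2 shows 88 or 389 blocked, the problem is the VPN encryption domain or the gateway rule base rather than the client; if all ports are open but nltest still fails, look at the DC locator's site mapping for the VPN address pool.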
 
 

