Hi David
We had similar issues caused by the clients not being able to "find"
a domain controller. We ended up creating an LMHosts file entry to find the
domain controller, and it works 99% of the time. Check out
http://support.microsoft.com/kb/314108/EN-US/
Domain authentication issues can happen even if your name
resolution is fine (pinging, etc.).
I don't believe this is necessary if you're using Office Mode, but I
could be mistaken.
My tidbit for the day. Let us know. Thanks.
-----Original Message-----
From: Herlaar, D.B. [mailto:d.herlaar AT DLV DOT NL]
Sent: Thursday, March 24, 2005 2:34 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] SDL and Cached Credentials WinXP/SecClient R56 HFA-03
Hello,
Can someone give me a definitive answer about my problem?
In our company we have about 150 VPN users (all Windows XP SP1); some of
those users have a problem.
When they log on with cached credentials outside the office and connect
through the VPN, they cannot browse the network.
If a client was logged on to the local LAN in the office and did NOT reboot
the machine before reconnecting outside the office and setting up a VPN
session, they have no problem!
It seems to be some kind of Kerberos authentication issue (see the related
articles below), but can anyone help me solve this?
Can anybody explain why only some users have this problem and not all
users?
- Ping [DC_Hostname] resolves its IP address and answers correctly
- Net View \\[DC_Hostname] results in a System Error 5
When (re)starting the laptop and using Secure Domain Logon (SDL), it
takes about 25 minutes (!!!) after entering the credentials before a
user can work.
(using a Compaq Armada E500 PIII-900MHz, 128MB)
But still no network browsing, no logon script run and no (re-)connected
network mappings.
When starting the logon script manually, a message box appears asking for
user credentials; when giving the logged-on user's credentials, an error
occurs.
When using another set of user credentials the script will start. The
logged-on user's privileges are set to GUEST.
Some event logs from the client:
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 18-3-2005
Time: 11:21:04
User: N/A
Computer: DLVPPC1032
Description:
The Security System could not establish a secured connection with the
server cifs/[DC_FILE_SERVER]. No authentication protocol was available.
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 18-3-2005
Time: 11:21:04
User: N/A
Computer: DLVPPC1032
Description:
The Security System detected an attempted downgrade attack for server
cifs/[DC_FILE_SERVER]. The failure code from authentication protocol
Kerberos was "Currently no authentication server available." (translated
from Dutch) (0xc000005e).
Related articles:
http://groups-beta.google.com/group/cp.products.vpn-1/browse_frm/thread/86d1aaf10503b53f/9a6ef4d37e5058a2?tvc=1#9a6ef4d37e5058a2
http://support.microsoft.com/default.aspx/kb/q297278/
http://www.howtonetworking.com/VPN/browsingovervpne1.htm
More information:
Active Directory: Windows 2003
Clients: Windows XP SP1 (no SP2), VPN SecureClient R56 HFA-03
IPSO 3.8 Build 045, Check Point R55
Kind regards,
David Herlaar
System Administrator
DLV Adviesgroep nv
Information Services Department
Tel: (0317) 491 524
Fax: (0317) 460 400
Mob: (06) 20 13 12 09
mailto:DHerlaar AT dlv DOT nl
=======================================================================
Information sent with this e-mail message may be confidential and is
intended solely for the addressee(s). Disclosure, copying and/or
distribution is not permitted without the prior written consent of
DLV Adviesgroep nv. If this information is not intended for you, please
notify the sender and delete this document from your files. DLV
Adviesgroep nv expressly excludes the use of e-mail for entering into
obligations or legal relationships.
=======================================================================
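As an added example (not part of either message in this thread), the two LSASRV warnings quoted above can be pulled out of an exported event dump and paired per server SPN, so that the 40961 "no authentication protocol was available" warning is read together with the Kerberos NTSTATUS carried by the 40960 "downgrade attack" warning. The sample text is constructed in the layout of the quoted events; the NTSTATUS names and hints are standard Windows values, and the SPN name is the placeholder from the original post.

```python
import re

# Constructed sample laid out like the two LSASRV warnings quoted above (same Event
# IDs, server SPN and failure code); not a real export from the poster's machine.
SAMPLE_EVENTS = """\
Event Source: LSASRV
Event ID: 40961
Description:
The Security System could not establish a secured connection with the
server cifs/DC_FILE_SERVER. No authentication protocol was available.

Event Source: LSASRV
Event ID: 40960
Description:
The Security System detected an attempted downgrade attack for server
cifs/DC_FILE_SERVER. The failure code from authentication protocol
Kerberos was "Currently no authentication server available." (0xc000005e).
"""

# NTSTATUS values seen in the 40960 text and what each usually points to.
NTSTATUS_HINTS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS: no DC reachable; check DC locator and name resolution",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC: clock skew beyond the Kerberos tolerance",
    0xC000006D: "STATUS_LOGON_FAILURE: bad credentials or SPN registered on the wrong account",
}

def parse_events(text):
    """Turn an exported LSASRV event dump into dicts with id, server SPN and NTSTATUS."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        flat = " ".join(block.split())  # undo the line wrapping of the export
        eid = re.search(r"Event ID:\s*(\d+)", flat)
        if not eid or "Event Source: LSASRV" not in flat:
            continue  # not an LSASRV record, skip it
        server = re.search(r"\bserver (\S+)", flat)
        status = re.search(r"\((0x[0-9A-Fa-f]{8})\)", flat)
        events.append({"id": int(eid.group(1)),
                       "server": server.group(1).rstrip(".") if server else None,
                       "status": int(status.group(1), 16) if status else None})
    return events

def diagnose(events):
    """Group by SPN: 40961 (no protocol available) plus 40960 with its Kerberos NTSTATUS."""
    findings = {}
    for e in events:
        f = findings.setdefault(e["server"], {"ids": set(), "hint": None})
        f["ids"].add(e["id"])
        if e["id"] == 40960 and e["status"] is not None:
            f["hint"] = NTSTATUS_HINTS.get(e["status"], "unrecognised NTSTATUS 0x%08X" % e["status"])
    return findings
```

For the quoted pair, `diagnose(parse_events(SAMPLE_EVENTS))` reports STATUS_NO_LOGON_SERVERS for cifs/DC_FILE_SERVER, which is the "client cannot find a domain controller" condition the reply's LMHOSTS suggestion addresses.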
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================