• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1060

Network issues when implemented IPSEC on Windows 2003 Network with XP Clients

Hello,

I'm trying to implement IPSEC on a Windows 2003 (SP2) Domain with Windows XP Clients (SP2) and having issues.  What I've done is to create a new group policy in the top OU named IPSEC Security and have set the IP Security Policy to Server (Request Security).  I've updated group policy and then restarted the server.  That seems fine.  I've then gone to restart the Windows XP Clients and they are coming up with errors trying to access that server - in the event viewer under Applications I'm getting the following errors:

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1054
Date:            05/08/2007
Time:            15:28:00
User:            NT AUTHORITY\SYSTEM
Computer:      PC1
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1521
Date:            05/08/2007
Time:            15:27:02
User:            STREETLY\user7
Computer:      PC1
Description:
Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.  

 DETAIL - The network path was not found.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1054
Date:            05/08/2007
Time:            15:25:29
User:            NT AUTHORITY\SYSTEM
Computer:      PC1
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

If I unassign the IPSEC Server policy and then restart the computers then the computer is fine again.

I've tried this on both my production network and also a simple testing environment setup (DC and XP Client) .

Thanks
Asked by: robknowles

1 Solution

Brian Pierce (Photographer) commented:
Are you sure you have set Server (Request Security) and not Secure Server (Require Security)?
What happens if you apply a Client (Respond Only) to the XP Machines?

robknowles (Author) commented:
Hello,

It's definitely Server (Request Security).  If I set to Client (Respond Only) then that's fine.

Thanks

Brian Pierce (Photographer) commented:
If you want to find out what is going on then you can use the IP Security Monitor.
First you will need to add the MMC Console http://technet2.microsoft.com/windowsserver/en/library/bf9f9265-922b-46b8-bd9f-32dd4e981be51033.mspx?mfr=true

and then you can use it to investigate the problem http://support.microsoft.com/kb/324269

robknowles (Author) commented:
Hello,

When I said that if I set it to Client (Respond Only) then it's fine, that is if it's set for all computers and servers. If the servers are set to Server (Request Security) and the clients are not assigned an IPSEC policy then that's also fine, but I do get logged events, see below...

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            06/08/2007
Time:            10:08:11
User:            N/A
Computer:      PC1
Description:
The Security System could not establish a secured connection with the server
DNS/chia.arin.net.  No authentication protocol was available.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type:      Error
Event Source:      NetBT
Event Category:      None
Event ID:      4321
Date:            06/08/2007
Time:            10:12:42
User:            N/A
Computer:      PC1
Description:
The name "STREETLY       :1d" could not be registered on the Interface with IP address
192.168.100.21. The machine with the IP address 192.168.100.20 did not allow the name to be
claimed by this machine.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type:      Information
Event Source:      LGTO_Sync
Event Category:      None
Event ID:      1
Date:            06/08/2007
Time:            10:19:46
User:            N/A
Computer:      PC1
Description:
The description for Event ID ( 1 ) in Source ( LGTO_Sync ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: , The Driver was loaded successfully.

Now if I enable the Client (Respond Only) policy on the XP Clients and then gpupdate on an already logged in client, then it receives the security policy and seems to still communicate with the server fine - I can see the record for it in IP Security Monitor under Main Mode and then Security Associations. When restarted, though, that's when it stops working and it can't connect to the servers. Then what I need to do is to disable the IPSEC Server policy, restart it and then unassign the policy. I've also tried assigning the Server policy to the XP Clients and unassigning/Client (Respond Only) on the Servers, and that still presents the same problem on the XP machines.

Also it's not just XP machines, it can happen on Windows 2003 Member Servers (non DC) as well.

Thanks

robknowles (Author) commented:
Hello,

I've also noticed that if I disable the IP Security Policies on the server(s) and instead assign Server (Request Security) on the clients - then that also works to communicate to the server.

In addition I've noticed by testing that if I assign just one machine a security policy and try to connect to any other machine without an assigned policy then that works - I can communicate no problem. If I set up another machine, regardless of whether it's a server or workstation, and try to get two machines with security policies (Server (Request Security)) to talk, that's when the issues arise.

I've deleted and recreated the GPO to see if that was an issue - still the same problem.  I've also tried setting a Local Security Policy rather than a Domain one and still have the same issue.

Thanks

robknowles (Author) commented:
Also have noticed this...

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      547
Date:            06/08/2007
Time:            16:45:06
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      PC1
Description:
IKE security association negotiation failed.
 Mode:
Key Exchange Mode (Main Mode)

 Filter:
Source IP Address 192.168.100.21
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.100.20
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.100.21
IKE Peer Addr 192.168.100.20

 Peer Identity:
Kerberos based Identity: cfs-01$@STREETLY.LOCAL
Peer IP Address: 192.168.100.20

  Failure Point:
Me

 Failure Reason:
No authority could be contacted for authentication.

 Extra Status:
0x0 0x0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thanks
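As an added example (not code from this thread, from Microsoft or from the IP Security Monitor), the following Python script parses event records in the clipboard layout posted above and, for Event 547, pulls out the IKE mode, local and peer addresses, Kerberos peer identity, failure point and failure reason, so that a batch of exported events can be classified instead of read one at a time. The sample input is constructed from the Userenv 1054 and Security 547 records in this thread, abridged to the lines the parser needs; the classification names ("dc_not_located", "ike_kdc_unreachable" and so on) are this example's own. The one piece of outside knowledge it encodes is that the text "No authority could be contacted for authentication." is the SEC_E_NO_AUTHENTICATING_AUTHORITY message, i.e. Kerberos could not reach a KDC, which is why IKE could not authenticate the peer.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the Userenv 1054 and Security 547 records from
# the thread, abridged, in the layout Event Viewer uses when an event is copied out.
SAMPLE_LOG = """
Event Type:      Error
Event Source:      Userenv
Event ID:      1054
Computer:      PC1
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:      Security
Event ID:      547
Computer:      PC1
Description:
IKE security association negotiation failed.
 Mode:
Key Exchange Mode (Main Mode)

 Filter:
IKE Local Addr 192.168.100.21
IKE Peer Addr 192.168.100.20

 Peer Identity:
Kerberos based Identity: cfs-01$@STREETLY.LOCAL

  Failure Point:
Me

 Failure Reason:
No authority could be contacted for authentication.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""

HEADER_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")

# (source, id) -> classification used by triage(); names are this example's own.
KNOWN = {("Userenv", 1054): "dc_not_located",
         ("LSASRV", 40961): "spnego_no_auth_protocol",
         ("Security", 547): "ike_negotiation_failed"}


def parse_events(text: str) -> List[Tuple[Dict[str, str], str]]:
    """One (header, description) per 'Event Type:' record in clipboard-style event text."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.strip():
            continue
        header, desc, in_desc = {}, [], False
        for line in chunk.splitlines():
            if in_desc and line.startswith("For more information"):
                break                       # Event Viewer boilerplate ends the body
            elif in_desc:
                desc.append(line)
            elif line.startswith("Description:"):
                in_desc = True
            elif (m := HEADER_RE.match(line)):
                header[m.group(1)] = m.group(2).strip()
        events.append((header, "\n".join(desc).strip()))
    return events


def parse_ike_failure(desc: str) -> Dict[str, str]:
    """Fields that matter from an Event 547 (IKE SA negotiation failed) body."""
    lines = [l.strip() for l in desc.splitlines()]
    out = {}
    # Labels whose value is on the next non-empty line.
    for label, key in (("Mode:", "mode"), ("Failure Point:", "failure_point"),
                       ("Failure Reason:", "failure_reason")):
        if label in lines:
            out[key] = next((l for l in lines[lines.index(label) + 1:] if l), "")
    # Single 'label value' lines.
    for pat, key in ((r"IKE Local Addr (\S+)", "local_addr"),
                     (r"IKE Peer Addr (\S+)", "peer_addr"),
                     (r"Kerberos based Identity: (\S+)", "peer_identity")):
        if (m := re.search(pat, desc)):
            out[key] = m.group(1)
    return out


def triage(text: str) -> List[Dict[str, str]]:
    """Classify each record; for 547, name the peer and flag a KDC that could not be reached."""
    findings = []
    for header, desc in parse_events(text):
        key = (header.get("Event Source", ""), int(header.get("Event ID", "0")))
        finding = {"computer": header.get("Computer", "?"), "event_id": str(key[1]),
                   "kind": KNOWN.get(key, "other")}
        if key == ("Security", 547):
            finding.update(parse_ike_failure(desc))
            # "No authority could be contacted" is SEC_E_NO_AUTHENTICATING_AUTHORITY:
            # Kerberos found no KDC, so IKE could not authenticate the peer.
            if finding.get("failure_reason", "").startswith("No authority could be contacted"):
                finding["kind"] = "ike_kdc_unreachable"
        findings.append(finding)
    return findings
```

Run `triage(open("events.txt").read())` on a file of records copied out of Event Viewer; the "ike_kdc_unreachable" findings tell you which peer identity (here the machine account cfs-01$) the client was trying to authenticate to and in which IKE mode, which is the pair of machines to look at in IP Security Monitor.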