[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 794
  • Last Modified:

Unable to hit web server from VPN

We have a web server running accounting software which suddenly is unable to be reached by VPN users.   We have recently moved over to Active Directory from NT4.0.   I am able to ping the server through the VPN, and nslookup works fine.    For some reason when I try to pull up the server in IE, I just get page not displayed.  I can access it without issue on site.  

VPN Concentrator is a 3000 series Cisco.
0
zreisman
Asked:
zreisman
  • 5
  • 3
2 Solutions
 
icsi_wizCommented:
What OS are your clients? Have you tried a win 2000 client?

From NT to  AD is the only change?

What OS is the webserver?

0
 
zreismanAuthor Commented:
Clients are XP.    I believe one of the few 2000 clients did complain that she couldnt get on.
NT to AD, there have been a lot of changes.  In the middle of major migration.
Web Server is 2003 R2.

I check the directory security tab on the IIS server to see if it was only accepting from the local subnet or something but it seems fine.  
0
 
zreismanAuthor Commented:
The following errors show up in the Event log on the client when connected to VPN.
NT5B is the webserver.


Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            3/29/2009
Time:            4:04:07 PM
User:            N/A
Computer:      DB1595
Description:
The Security System could not establish a secured connection with the server DNS/tempex.domain.local.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            3/29/2009
Time:            4:04:07 PM
User:            N/A
Computer:      DB1595
Description:
The Security System detected an attempted downgrade attack for server DNS/tempex.domain.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            3/29/2009
Time:            3:57:26 PM
User:            N/A
Computer:      DB1595
Description:
The Security System could not establish a secured connection with the server HTTP/nt5b.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            3/29/2009
Time:            3:57:26 PM
User:            N/A
Computer:      DB1595
Description:
The Security System detected an attempted downgrade attack for server HTTP/nt5b.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      DnsApi
Event Category:      None
Event ID:      11194
Date:            3/29/2009
Time:            3:54:53 PM
User:            N/A
Computer:      DB1595
Description:
The system failed to update and remove host (A) resource records (RRs) for network adapter
with settings:

   Adapter Name : {B0CFC05B-07AF-4F67-9C4A-82FB1E0EEBCA}
   Host Name : db1595
   Primary Domain Suffix : DOMAIN.local
   DNS server list :
           192.168.3.1
   Sent update to server : 192.1.1.1
   IP Address(es) :
     192.168.5.10

 The reason for this failure is because the DNS server sent the update either (a) does not support the DNS dynamic update protocol, or (b) the authoritative zone for the DNS domain name specified in these A RRs does not currently accept DNS dynamic updates.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: b4 05 00 00               ยด...    
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
zreismanAuthor Commented:
Apparently it is not just the web services.   I cannot connect to network shares via VPN either.
0
 
zreismanAuthor Commented:
Comes up with the same Kerberos / No logon server available errors when trying to hit a share.
0
 
icsi_wizCommented:
That error message is pretty specific. You're having an issue communicating with your authentication servers, however that's a pretty vague answer.....

I would look at the following discussion, it reads like it could be relevant, and an easy thing to check:
http://x220.win2ktest.com/forum/post.asp?method=TopicQuote&TOPIC_ID=4417&FORUM_ID=8
0
 
zreismanAuthor Commented:
Resolved on own.    Remote sites could not authenticate properly due to fragmentation of Kerberos UDP packets.   Tested registry setting to force Kerberos over TCP on laptop.  

You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:

   1. Start Registry Editor.
   2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ Kerberos\Parameters
      Note If the Parameters key does not exist, create it now.
   3. On the Edit menu, point to New, and then click DWORD Value.
   4. Type MaxPacketSize, and then press ENTER.
   5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
   6. Quit Registry Editor.
   7. Restart your computer.


 That worked out so I imported the ADM and added a group policy for remote computers.  

http://support.microsoft.com/default.aspx?scid=kb;en-us;244474
0
 
icsi_wizCommented:
sweet answer. I can't wait till I need to use it!
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now