VPN 3000 Concentrator

I have run into an issue with our VPN concentrator.  Users connect to our VPN concentrator using Cisco VPN client.  The concentrator authenticates via Windows Server 2008 AD.  Currently, when I test the authentication server, I receive the following: Authentication Error: No response from server.  On the DC, I see the following in the security log:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/5/2010 3:48:50 PM
Event ID:      4768
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DC01.domain.local
Description:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
      Account Name:            username
      Supplied Realm Name:      domain
      User ID:                  domain\username

Service Information:
      Service Name:            krbtgt
      Service ID:            domain\krbtgt

Network Information:
      Client Address:            192.168.2.2
      Client Port:            1146

Additional Information:
      Ticket Options:            0x40800010
      Result Code:            0x0
      Ticket Encryption Type:      0x3
      Pre-Authentication Type:      0

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:      
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
Asked by: andrewg96
 
Justin Owens (ITIL Problem Manager) commented:
If you are getting a success audit on your DC, I would look at your concentrator.  A few questions:  Has this ever worked?  If so, was anything changed before it stopped working?  What method is your concentrator using for AD authentication?

Justin
 
andrewg96 (Author) commented:
This is a new domain, so it has not worked on this exact domain.  The concentrator is using Kerberos for AD.
 
Justin Owens (ITIL Problem Manager) commented:
Do you see anything odd in the syslog on the concentrator?
 
andrewg96 (Author) commented:
Here is the log from the concentrator

59733 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/1 RPT=9866
AUTH_Open() returns 769

59734 01/05/2010 16:50:31.040 SEV=7 AUTH/12 RPT=9866
Authentication session opened: handle = 769

59735 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/3 RPT=14160
AUTH_PutAttrTable(769, b062bc)

59736 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/5 RPT=2658
AUTH_Authenticate(769, 1c4b6bc, 515184)

59737 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/59 RPT=14176
AUTH_BindServer(1ecd3bc, 0, 0)

59738 01/05/2010 16:50:31.040 SEV=9 AUTHDBG/69 RPT=14155
Auth Server e81be0 has been bound to ACB 1ecd3bc, sessions = 1

59739 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/65 RPT=14155
AUTH_CreateTimer(1ecd3bc, 0, 0)

59740 01/05/2010 16:50:31.040 SEV=9 AUTHDBG/72 RPT=14155
Reply timer created: handle = 36640029

59741 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/179 RPT=14155
AUTH_SyncToServer(1ecd3bc, 0, 0)

59742 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/180 RPT=14155
AUTH_SendLockReq(1ecd3bc, 0, 0)

59743 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/61 RPT=14441
AUTH_BuildMsg(1ecd3bc, 0, 0)

59744 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/188 RPT=2939
Kerberos_Build(1ecd3bc)

59745 01/05/2010 16:50:31.050 SEV=8 AUTHDBG/64 RPT=14474
AUTH_StartTimer(1ecd3bc, 0, 0)

59746 01/05/2010 16:50:31.050 SEV=9 AUTHDBG/73 RPT=14474
Reply timer started: handle = 36640029, timestamp = -262799840, timeout = 4000

59747 01/05/2010 16:50:31.050 SEV=8 AUTHDBG/62 RPT=14474
AUTH_SndRequest(1ecd3bc, 0, 0)

59748 01/05/2010 16:50:31.050 SEV=8 AUTHDBG/192 RPT=5877
Kerberos_Decode(1c69938, 0)

59749 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/31 RPT=8172
Kerberos: Message type KRB_AS_REQ

59750 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/42 RPT=8914
Kerberos: Option forwardable

59751 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/42 RPT=8915
Kerberos: Option renewable

59752 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/42 RPT=8916
Kerberos: Option renewable accepted

59753 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/33 RPT=5421
Kerberos: Client Realm DOMAINNAME

59754 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/32 RPT=5421
Kerberos: Client Name username

59755 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/35 RPT=5267
Kerberos: Server Realm DOMAINNAME

59756 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/34 RPT=10533
Kerberos: Server Name krbtgt

59757 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/34 RPT=10534
Kerberos: Server Name DOMAINNAME

59758 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/36 RPT=2972
Kerberos: Start time 0

59759 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/37 RPT=2972
Kerberos: End time 0

59760 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/38 RPT=2972
Kerberos: Renew until time 0

59761 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/39 RPT=5267
Kerberos: Nonce 1262731831

59762 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20798
Kerberos: Encryption type des-cbc-md5

59763 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20799
Kerberos: Encryption type des-cbc-crc

59764 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20800
Kerberos: Encryption type des-cbc-md4

59765 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20801
Kerberos: Encryption type des3-cbc-sha1

59766 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20802
Kerberos: Encryption type des-hmac-sha1

59767 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20803
Kerberos: Encryption type rc4-hmac

59768 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20804
Kerberos: Encryption type null

59769 01/05/2010 16:50:31.050 SEV=8 AUTHDBG/189 RPT=5943
Kerberos_Xmt(1ecd3bc)

59770 01/05/2010 16:50:31.050 SEV=8 AUTHDBG/189 RPT=5944
Kerberos_Xmt(1ecd3bc)

59771 01/05/2010 16:50:31.050 SEV=9 AUTHDBG/71 RPT=14474
xmit_cnt = 1

59772 01/05/2010 16:50:31.150 SEV=8 AUTHDBG/191 RPT=2959
Kerberos_Match(1ecd3bc, 1f00fdc), id = 0x00, rcvd = 0x82

59773 01/05/2010 16:50:31.150 SEV=7 AUTHDBG/76 RPT=51
Unable to correlate received message with authentication session
 
Justin Owens (ITIL Problem Manager) commented:

"CSCea24328
When using Kerberos/Active Directory authentication, if a user types a username with the "@" symbol and Realm using all lowercase for the realm (that is, username@mycompany.com instead of username@MYCOMPANY.COM), the following error occurs on the VPN Concentrator, and the Kerberos server status changes to "Not-in-service".

78 02/19/2003 16:59:49.250 SEV=7 AUTHDBG/76 RPT=8
Unable to correlate received message with authentication session

83 02/19/2003 16:59:53.150 SEV=4 AUTH/15 RPT=76
Server name = 100.136.50.2, type = KERBEROS,
group = KerberosGroup, status = Not-in-service

When using Kerberos/Active Directory for authenticating, users should enter only their username, username@REALM.COM with Realm all in UPPERCASE letters, or use the Strip Realm setting for the Group on the Concentrator."

Source: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_release_note09186a0080220d96.html
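
An added example, not part of the original thread and not Cisco code: a small Python triage script that parses concentrator log text in the layout shown on this page, finds each AUTHDBG/76 correlation failure, and reports the client realm decoded from the preceding Kerberos request and whether the server was then marked Not-in-service. The function names, the header regex and the sample log (realm, user, server address) are assumptions constructed for illustration.

```python
import re

# Event header layout as seen in the logs on this page (assumed to hold generally):
#   <seq> <MM/DD/YYYY> <HH:MM:SS.mmm> SEV=<n> <CLASS>/<id> RPT=<n>
HEADER = re.compile(r"^\s*(\d+) (\d\d/\d\d/\d{4} [\d:.]+) SEV=(\d+) (\w+/\d+) RPT=\d+\s*$")

def parse_events(text):
    """Split log text into events; message lines after a header are joined."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append({"seq": int(m[1]), "time": m[2], "sev": int(m[3]),
                           "event": m[4], "msg": ""})
        elif line.strip() and events:
            events[-1]["msg"] = (events[-1]["msg"] + " " + line.strip()).strip()
    return events

def triage(events):
    """One finding per AUTHDBG/76, with the realm decoded from the preceding request."""
    findings, realm, user = [], None, None
    for ev in events:
        if m := re.match(r"Kerberos: Client Realm (\S+)", ev["msg"]):
            realm = m[1]
        elif m := re.match(r"Kerberos: Client Name (\S+)", ev["msg"]):
            user = m[1]
        elif ev["event"] == "AUTHDBG/76":
            upper = realm is not None and realm == realm.upper()
            findings.append({"seq": ev["seq"], "user": user, "realm": realm,
                             "realm_uppercase": upper, "server_not_in_service": False})
        elif ev["event"] == "AUTH/15" and "Not-in-service" in ev["msg"] and findings:
            findings[-1]["server_not_in_service"] = True
    return findings

# Constructed sample in the page's log format; realm, user and address are made up.
SAMPLE = """\
101 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/33 RPT=1
Kerberos: Client Realm example.local
102 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/32 RPT=1
Kerberos: Client Name alice
103 01/05/2010 16:50:31.150 SEV=7 AUTHDBG/76 RPT=1
Unable to correlate received message with authentication session
104 01/05/2010 16:50:35.150 SEV=4 AUTH/15 RPT=1
Server name = 192.0.2.10, type = KERBEROS,
group = KerberosGroup, status = Not-in-service
"""

if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE)):
        print(finding)
```

A finding with `realm_uppercase` set to False matches the condition described in CSCea24328; the remedies are the ones the release note lists (username only, uppercase realm, or Strip Realm on the group).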
 
andrewg96 (Author) commented:
You are a Genius!!  My life is sooo much better now.  Thank you for your prompt response.