cb_it asked:

User cannot authenticate to ISA 2006 with firewall client

I have a ISA 2006 server setup in single adapter mode, it's being used just as a proxy, it has web filtering software installed on it.

Many users have the firewall client installed. Starting a few days ago users have a red x in the firewall client. "Disabled: cannot authenticate to ISA server".

Any ideas? I'm not sure how to troubleshoot this or what logs to look at, thanks. I have rebooted the PCs and the server itself, no luck.

Thanks
cb_it (ASKER):

OK, I've done a full day's worth of troubleshooting. The problem still exists but I have narrowed it down some. I have 2 ISA servers here: Proxy1 and Proxy2.

All users' MS firewall clients point to proxy1. If I point the fw client to proxy2 everything works as normal. Moving back to proxy1, the problem returns. The red x will pop up on the tray icon.

I'm the only IT person here and I have not made changes to the ISA server or anything else in the past couple of days, that I can remember!

I enabled logging on both servers and I can see on proxy1 the client "initiated connection" and then right away "closed connection". This shows port 1745.

Logging on proxy2 shows the initiated connection port 443 going out to the external ip address, rule is Allow ALL. This is good.

So it seems to be an authentication issue on proxy1 - any ideas?

I checked the event viewer on the client and found the following when the fw client points to proxy1. I'm logged in as a domain admin.

Event Type:      Error
Event Source:      Microsoft Firewall Client 2004
Event Category:      None
Event ID:      2
Date:            1/14/2013
Time:            11:12:08 AM
User:            N/A
Computer:      BR05CSR1
Description:
Application [EZTellerENT.EXE]. Authentication failed.
Verify that the user account running this application has the required permissions.
If the application is running under a system account, you can apply different credentials for
this application via the client configuration and FwcCreds.exe.
ASKER CERTIFIED SOLUTION
Suliman Abu Kharroub
This solution is only available to members.
cb_it (ASKER):

Clients are also getting this Kerberos error at the same time as the above error. I don't have any dup machine accounts, that I can find. I've researched this error and many people talk about duplicate SPNs. (I changed the server and domain name below.)

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            1/14/2013
Time:            3:34:13 PM
User:            N/A
Computer:      BR05CSR1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/proxy1.mydomain.com.  
This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named  machine accounts in the target realm (MYDOMAIN.COM), and the client realm.
cb_it (ASKER):

I ran "setspn -L proxy1" on the actual proxy1 server and got the following. Doesn't look like I have any dup SPNs?

C:\Documents and Settings\bstrain\Desktop>setspn -L proxy1
Registered ServicePrincipalNames for CN=PROXY1,OU=Other Servers 2,DC=DOMAIN,DC=com:
    MSSQLSvc/PROXY1.DOMAIN.COM
    HOST/PROXY1
    HOST/PROXY1.DOMAIN.COM

Any other SPN tests or checks I can do? Thanks.
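A check that goes one step beyond "setspn -L" (which only lists the SPNs on the one account you name) is to ask AD which objects anywhere in the domain hold a HOST SPN for the proxy, since a duplicate lives on some other account. This is an added PowerShell example, not code from the thread; it uses the built-in ADSI searcher so it runs on a domain-joined machine without the ActiveDirectory module, and PROXY1 / DOMAIN.COM are the placeholder names already used in the output above.

```powershell
# Added example: find every AD object that registers a HOST SPN for the proxy.
# Runs as any domain user on a domain-joined box; no AD module required.
# PROXY1 and DOMAIN.COM are placeholders taken from the setspn output above.
$hostName = 'PROXY1'
$fqdn     = 'PROXY1.DOMAIN.COM'

# Search the default naming context (the whole domain) for any object whose
# servicePrincipalName matches either the short or the FQDN HOST SPN.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry
$searcher.PageSize   = 1000
$searcher.Filter     = "(|(servicePrincipalName=HOST/$hostName)(servicePrincipalName=HOST/$fqdn))"
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('servicePrincipalName')

$results = $searcher.FindAll()

foreach ($r in $results) {
    $dn = $r.Properties['distinguishedname'][0]
    Write-Host $dn
    # Show only the HOST SPNs that refer to this proxy on each matching account.
    $r.Properties['serviceprincipalname'] |
        Where-Object { $_ -match "^HOST/$hostName(\.|$)" } |
        ForEach-Object { Write-Host "    $_" }
}

# Kerberos only works if exactly one account owns the SPN: the KDC encrypts the
# service ticket with the key of whichever account it finds first, and if that
# is not the account the proxy actually runs under, the proxy cannot decrypt it
# and the client logs KRB_AP_ERR_MODIFIED (Kerberos event ID 4).
switch ($results.Count) {
    0       { Write-Warning "No account holds a HOST SPN for $hostName; Kerberos to this host cannot work." }
    1       { Write-Host "HOST SPN for $hostName is unique (registered on one account)." }
    default { Write-Warning "HOST SPN for $hostName is registered on $($results.Count) accounts; fix the duplicate." }
}
```

On domains with the Windows Server 2008 or later version of setspn, "setspn -X" performs the same duplicate search for every SPN in the forest at once.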
Did you check the internal network properties?
Hi,

I suppose your ISA servers are members of an AD domain!?
In this case, in the IP settings of these ISA servers, which DNS servers do they interrogate?

If you use internal and external DNS servers in your DNS servers list, you will randomly encounter that sort of problem.

The ISA server must resolve internal AND external DNS names, but to do that IT MUST NOT interrogate both external and internal DNS servers.
Why? Because of this:

If your ISA server has to locate DCs of the AD domain to authenticate users, and if the ISA server interrogates external DNS servers for that, these DNS servers will ALWAYS answer "domain does not exist", which is an authoritative negative answer.
With this type of answer the DNS client on the ISA server will stop trying to resolve the name by any other means and will assume the domain does not exist and is unreachable. So the authentication will fail.


What MUST be done:
Your ISA servers must ONLY interrogate internal DNS servers. The internal DNS servers host the DNS zone for the internal AD domain and must be configured with DNS forwarders that point to external DNS servers.
Done like this, the internal DNS servers will forward DNS requests for any external name to the external DNS servers.


Have a good day.
cb_it (ASKER):

Sulimanw - what would I check the internal network properties for? Nothing has changed. I'm the only one with access to make any changes.

As for the last comment, our ISA servers are not used as firewalls, they are just in single adapter mode; they don't have any external DNS settings, they just point to our internal DNS server.
Even if nothing changed, it is worth checking the basics as a first troubleshooting step.
cb_it (ASKER):

I checked the internal network properties for both proxy1 and proxy2, they are the same and all settings seem OK.

I do have 'require all users to authenticate' turned on, this is needed for our web content filtering software on proxy1 to work properly. If I turn 'require all users to authenticate' off then all works well, so it seems more and more to point to some authentication problem on proxy1.

Any ideas?
cb_it (ASKER):

Anyone out there have ANY more ideas? This error still keeps popping up on clients trying to authenticate to my ISA server.

I even tried removing the ISA server from the domain, deleting its AD computer account, and rejoining it to the domain. The problem persists!

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            1/14/2013
Time:            3:34:13 PM
User:            N/A
Computer:      BR05CSR1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/proxy1.mydomain.com.  
This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named  machine accounts in the target realm (MYDOMAIN.COM), and the client realm.