matedwards asked on

Authentication shows incorrect ip address in Event viewer

We have a Windows 2012 R2 domain with 2 domain controllers. Users authenticate to the domain with no problems.

We have 2 subnets
LAN: 192.168.0.0/24
WLAN: 192.168.4.0/24

The WLAN traffic is routed through our Sophos XG230 Firewall/Router 192.168.0.1

Any user authenticating against one of the domain controllers (from the WLAN) shows the ip address of the Firewall/Router, not the correct ip address of the host they are on.

I can see this in the kerberos TGT in Event Viewer 4768.

This is only happening on 1 of the domain controllers.

Any ideas on how to troubleshoot would be greatly appreciated.
Tags: Sophos, Windows OS, Windows Server 2012, Kerberos

Last Comment: matedwards, 8/22/2022 - Mon
bbao

Do you mean the other DC can see the WAN IP addresses of those users authenticated from the WAN subnet? Are the two DCs located on the same subnet on 0.0/24?
matedwards

ASKER
Thanks bbao.

Both DCs are on subnet 192.168.0.0/24

One of the DCs displays the correct ip address of the host (for example 192.168.4.121)

The other DC only sees the ip address of the firewall/router 192.168.0.1 (not the host 192.168.4.121) that the traffic has come through.

I hope that helps?
bbao

You may try using the TRACERT command on both DCs against the same IP address on the WAN such as 4.121; it will show the difference in how each DC reaches the target. I speculate one of them is via NAT, hence the internal router's IP is logged (shown).
matedwards

ASKER
doing now.. many thanks, bbao..
matedwards

ASKER
Tracert and nslookup from the DC to the host display the correct ip address of the host 192.168.4.121.

It is only the authentication (kerberos) event 4768 in the Event Viewer log that is showing the wrong ip address.
Tech Top

Sure it's not some form of SNAT rule on your XG?
matedwards

ASKER
Thanks TechTop,

But why is it only affecting one DC, not both?
ASKER CERTIFIED SOLUTION
Dirk Kotte

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
matedwards

ASKER
Great.. thanks Dirk.. will check..
matedwards

ASKER
BOOM.. Dirk nailed it!!

The 2nd domain controller was newly added. It had not been joined to the 'server group' in the XG.

The 'server group' in the XG has a rule allowing traffic with masquerading turned off.

Because the server was not in the group the rule was not applied and any traffic was masqueraded.

I added it to the server group in the XG and now the correct ip address in Event 4768 is showing.

Many thanks for all your help.
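The thread's root cause is worth turning into a routine check: a DC whose 4768 events mostly carry the firewall's address has lost source attribution for Kerberos logons, which weakens any audit or detection built on those events. The following PowerShell is an added example written for this thread, not code from the poster, Sophos or Microsoft. It assumes it runs as an administrator on a DC, that 192.168.0.1 is the XG's LAN address (as stated above), and that the `$sample` list is constructed data rather than real log output.

```powershell
# Added example: summarise the client addresses recorded in Kerberos TGT
# events (4768) on a DC and flag when one address (the NAT gateway) absorbs
# most requests, the symptom described in the thread.
# Assumptions: run elevated on a DC; 192.168.0.1 is the XG's LAN address;
# $sample below is constructed, not real log data.

function Get-KerberosClientAddress {
    param([int]$MaxEvents = 2000)
    # Pull 4768 events from the Security log and extract the IpAddress field
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        }
}

function Test-NatCollapse {
    param(
        [string[]]$Address,
        [string]$GatewayIp,
        [double]$Threshold = 0.5   # share of TGT requests from the gateway that is suspicious
    )
    # 4768 stores IPv4 clients as IPv4-mapped IPv6 ("::ffff:192.168.4.121"); normalise that
    $clean  = $Address | ForEach-Object { $_ -replace '^::ffff:', '' }
    $total  = $clean.Count
    $counts = $clean | Group-Object | Sort-Object Count -Descending
    $fromGw = ($clean | Where-Object { $_ -eq $GatewayIp }).Count
    [pscustomobject]@{
        Total        = $total
        FromGateway  = $fromGw
        GatewayShare = $(if ($total) { [math]::Round($fromGw / $total, 2) } else { 0 })
        Masqueraded  = ($total -gt 0) -and ($fromGw / $total -ge $Threshold)
        TopSources   = ($counts | Select-Object -First 5 |
                        ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    }
}

# Constructed sample of what the misconfigured DC logged: routed WLAN clients all
# appear as the XG, while hosts on the DC's own subnet keep their real addresses.
$sample = @('::ffff:192.168.0.1') * 8 + @('::ffff:192.168.0.55', '::ffff:192.168.0.56')
Test-NatCollapse -Address $sample -GatewayIp '192.168.0.1' | Format-List

# On a live DC, compare both controllers with:
# Test-NatCollapse -Address (Get-KerberosClientAddress) -GatewayIp '192.168.0.1'
```

Running it on each DC before and after a firewall or server-group change gives a quick confirmation that the fix above (no masquerading for traffic to the DC) actually restored per-host addresses in the Security log.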