ISA 2006 EE VPN for users from trusted domain
- Hi,
is it possible to authenticate PPTP VPN users from Windows Server 2008 R2 RC Domain A which is trusted by Windows Server 2003 R2 Domain B (validated ONE way trust) on NLB of ISA Servers 2006 Enterprise SP1? Please, give me some hints or helpful links 'cos I'm desperate.
Thanx,
Dawid
Answers
Well,
after exhausting testing we figured out: ONE WAY TRUST ISN'T APPLICABLE in this (and many other) situations. If someone knows the answer why, please, enlighten me.
Finally I've used TWO WAY trust with forest-wide authentication in DomainB forest and selective authentication in DomainA forest. It’s very similar to one way trust but without any problems querying trusting LDAP even on Windows Server 2008 R2 domain controller.
And one more security setting is mandatory for successful trusted domain VPN users login: Allowed to authenticate permission for ISA Server(s) on DC object(s).
Have a nice day and be aware of using one way trust,
Dawid
- Marked As Answer by Dawid G. Kovacs Monday, August 24, 2009 3:21 PM
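One way to check (and, where missing, grant) the "Allowed to authenticate" right the answer calls mandatory, as an added PowerShell example that is not from this thread. It assumes the ActiveDirectory module on a DomainA-joined host with rights to read and change the ACLs of DomainA's DC computer objects; the account and domain names are taken from the logs posted later in the thread.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT)
# and a session in DomainA with permission to read and change ACLs on its DC computer objects.
Import-Module ActiveDirectory

# rightsGuid of the Allowed-To-Authenticate extended right (schema constant, same in every forest)
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function ConvertTo-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

# Report, per DomainA DC, whether the trusted-domain computer account holds a direct
# Allowed-To-Authenticate ACE. Rights held only via group membership are not expanded.
function Test-AllowedToAuthenticate {
    param([Parameter(Mandatory=$true)][string]$TrustedAccount)   # e.g. 'DomainB\ISA02$' (from event 540 in the thread)
    $sid = ConvertTo-Sid $TrustedAccount
    $dcContainer = (Get-ADDomain).DomainControllersContainer
    foreach ($dc in Get-ADComputer -Filter * -SearchBase $dcContainer) {
        $acl = Get-Acl -Path ("AD:\" + $dc.DistinguishedName)
        $granted = $false
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ([int]($ace.ActiveDirectoryRights -band $ExtendedRight) -eq 0) { continue }
            if ($ace.ObjectType -ne $AllowedToAuthenticate) { continue }
            try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { continue }   # unresolvable (orphaned) SID: skip it
            if ($aceSid -eq $sid) { $granted = $true; break }
        }
        New-Object PSObject -Property @{ DomainController = $dc.Name; Granted = $granted }
    }
}

# Add the ACE on one DC computer object, the setting the accepted answer calls mandatory.
function Grant-AllowedToAuthenticate {
    param([Parameter(Mandatory=$true)][string]$TrustedAccount,
          [Parameter(Mandatory=$true)][string]$DcDistinguishedName)
    $path = "AD:\" + $DcDistinguishedName
    $acl = Get-Acl -Path $path
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (ConvertTo-Sid $TrustedAccount), $ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $AllowedToAuthenticate)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Usage (constructed account name, as logged by the DomainA2k3 DC in the thread):
$isaAccount = 'DomainB\ISA02$'
Test-AllowedToAuthenticate -TrustedAccount $isaAccount | Where-Object { -not $_.Granted } |
    ForEach-Object { Write-Warning "$($_.DomainController): $isaAccount lacks Allowed to authenticate" }
```

Run the check once per ISA array member; with selective authentication on the DomainA side of the trust, every DomainA DC the ISA server can bind to needs the right, not just the one DC locator happens to return.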
All Replies
- I forgot to mention that I need LDAP authentication (RADIUS is more complex and increases admin overhead) and ISA Servers are member servers of Domain B.
Thanks
- Please help, I've tried everything (including KB955113) and the result is always the same: Error 691.
IASSAM.LOG:
NT-SAM Names handler received request with user identity DomainA\Administrator.
Username is already an NT4 account name.
SAM-Account-Name is "DomainA\Administrator".
NT-SAM Authentication handler received request for DomainA\Administrator.
Processing MS-CHAP v2 authentication.
LogonUser succeeded.
NT-SAM User Authorization handler received request for DomainA\Administrator.
Opening LDAP connection to DC1.DomainA.
The registry value DisableLdapEncryption does not exist. Using default 0
Trying to set LDAP encryption = 1
LDAP ERROR in ldap_search_ext_sW. Code = 1
Extended error string: 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1bbc
LDAP connect failed: The system cannot open the device or file specified.
Failed to connect to the DC discovered by DC locator, try DC enumerator ...
DC dc1.DomainA is in the avoidance table.
Using downlevel dial-in parameters.
Could not open an LDAP connection to domain DomainA.
NTDomain::getConnection failed: No more data is available.
Retrying LDAP search.
Could not open an LDAP connection to domain DomainA.
NTDomain::getConnection failed: No more data is available.
Per-user attribute retrieval failed: No more data is available.
Application log:
Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 5052
Date: 20. 7. 2009
Time: 19:06:24
User: N/A
Computer: ISA01
Description: There is no domain controller available for domain DomainA.
I figured out it has nothing to do with ISA LDAP authentication itself. Looks like it's more about ISA Server trying to connect to the DomainA DC and unsuccessfully querying the logged-on VPN user's properties. It's a one way trust (DomainA is trusted by ISA Server's DomainB), so maybe the right question is:
How to enable ISA Server from DomainB, one way trusting DomainA, to successfully authenticate a VPN user from DomainA?
Please help, I have no clues and I'm getting really desperate...
As you can see in IASSAM.LOG in my previous post: LogonUser succeeded. So the user IS authenticated, but when ISA is trying to query user object properties, the bind is failing. But there is no problem LDAP connecting and querying AD of DomainA from ISA Server using LDP.EXE, of course with Administrator credentials. I was not able to successfully sniff the communication between ISA and DomainA to find out which credentials ISA is actually using.
Does anybody know which credentials ISA Server is using when LDAP binding to the DC?
Thanks in advance,
Dawid
Hi,
Thank you for your post.
Before going any further, I’d like to confirm the following question:
1. How do you configure the VPN settings on ISA Server?
2. Which user do you use to connect the VPN? (belonging to DomainA or DomainB)
3. What do you mean by "enable ISA Server from DomainB authenticate VPN user from DomainA"?
Regards,
Nick Gu - MSFT
Hi Nick,
thanks for your interest. I'll try to answer your questions:
1. It's a simple standard PPTP VPN for 50 connections with User mapping enabled, which is operating without problems for DomainB users (ISA Servers are member servers of DomainB).
2. I used the user DomainA\Administrator, as you can see in the IASSAM.LOG in my previous post.
3. Sorry for the strange formulation. The main problem is that the ISA Server cannot LDAP query (according to IASSAM.LOG) the DomainA (one way trusted by DomainB) user properties to determine whether dial-in access is allowed (I think), and the whole authentication process fails. Anyway, I did some testing lately and discovered that in case of a TWO WAY trust (only 2003 domains; I excluded the original 2008 domains to eliminate version differences) everything worked perfectly:
IASSAM.LOG:
[1236] 07-29 18:09:10:902: NT-SAM Names handler received request with user identity DomainA2k3\Administrator.
[1236] 07-29 18:09:10:902: Username is already an NT4 account name.
[1236] 07-29 18:09:10:902: SAM-Account-Name is "DomainA2k3\Administrator".
[1236] 07-29 18:09:10:902: NT-SAM Authentication handler received request for DomainA2k3\Administrator.
[1236] 07-29 18:09:10:902: Processing MS-CHAP v2 authentication.
[1236] 07-29 18:09:10:902: LogonUser succeeded.
[1236] 07-29 18:09:10:902: NT-SAM User Authorization handler received request for DomainA2k3\Administrator.
[1236] 07-29 18:09:11:042: Opening LDAP connection to DC.DomainA2k3.
[1236] 07-29 18:09:11:042: The registry value DisableLdapEncryption does not exist. Using default 0
[1236] 07-29 18:09:11:042: Trying to set LDAP encryption = 1
[1236] 07-29 18:09:11:058: LDAP connect succeeded.
[1236] 07-29 18:09:11:058: Using native-mode dial-in parameters.
[1236] 07-29 18:09:11:058: Sending LDAP search to DC.DomainA2k3.
[1236] 07-29 18:09:11:058: Inserting attribute msNPAllowDialin.
[1236] 07-29 18:09:11:058: Successfully retrieved per-user attributes.
As you can see, the only difference between this IASSAM.LOG and in my previous post is that the LDAP query to DomainA was successful.
I also found successful ISA logon on DomainA2k3 DC:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 29. 7. 2009
Time: 18:09:11
User: DomainB\ISA02$
Computer: DC
Description:
Successful Network Logon:
User Name: ISA02$
Domain: DomainB
Logon ID: (0x0,0x1E6B090)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {28dd19c0-a705-7b06-f0b5-050178d952e5}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: ISA02 IP
Source Port: 20693
So it's definitely a ONE WAY trust security issue of a non-domain ISA server querying the VPN user's domain through LDAP (according to IASSAM.LOG). But how to resolve it?
Thanks,
Dawid