DA/UAG up, but not reliable
-
Wednesday, April 25, 2012 5:47 PM
All,
Have set DA/UAG up, but am having problems with a few things.
1) On the client side, I intermittently cannot ping or RDP to a few machines, including both workstations and servers, from XP to 2008R2, and the DCA also intermittently shows "Corporate network names cannot be resolved". Most annoying is that I cannot connect to our Lync 2010 server (running on Win2k8R2), although I *can* ping and RDP to it. In the client's event logs, I see many failure audits in the Security event log (4653 IPSec Main Mode, trying to connect to the UAG server) and somewhat fewer warnings in the System event log (1014 DNS Client Events and 131 Time-Server, both relating to timeouts on name resolution).
2) On the server side I see many failure audits in the Security event log (4653 IPSec Main Mode), trying to connect to DNS servers on the public network - which I find very strange - why on Earth would these be happening? The only DNS servers listed on the UAG server are those in the domain.
3) I cannot RDP to the UAG server - for some reason it stopped, and I don't know why. I know I could manually make an adjustment to the firewall settings on the machine, but that doesn't solve the root problem, so I'd like to see if I can figure it out.
I have done my testing from our guest wireless network (which transits our corporate firewall) and from a public IP address in the same subnet as the UAG server, and get the same results either way.
The UAG server has two NICs, with a public address in our public address space (that is, its connection terminates on the same switch as our corporate firewall and our router), and the private address in a subnet between our firewall and our Layer3 switch (again, they connect to the same switch). Below is a sanitized log file from the DCA.
Lastly, we have three offices. The HQ has two Win2k8R2 DCs, which is where the UAG server is set up, and the overseas offices each have a Win2k3R2 DC. I have removed the Win2k3R2 DCs from the list of infrastructure servers as a troubleshooting measure, based on a couple of pages I found, but that seems not to have made a difference.
I have a sanitized DCA log available should someone want to see it - I can't seem to post it, as the page times out when I try to do so.
Thanks,
Kurt
All Replies
-
Wednesday, April 25, 2012 7:30 PM
Hi
Strange situation. It seems that your client computers are able to establish the IPsec tunnel but may have problems generating new security associations. I've seen that with virtualization platforms such as VMware that changed the time on the UAG virtual machine. A 5-minute clock skew is enough to break the Kerberos protocol and by extension the user IPsec tunnel.
You can post the DCA logs, this might be helpful, just like the full 4653 IPsec Main Mode error message because it includes a failure reason.
Best regards.
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
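A client-side check in the spirit of this reply, added here and not part of the thread or of any UAG tooling: it tallies the 4653 main mode audits by remote address, failure point and failure reason (the field asked for above) and samples the clock offset against a domain time source, since a skew beyond the Kerberos tolerance breaks the UserKerb tunnel. It assumes the rendered 4653 message carries "Network Address:" and "Failure Reason:" lines, that w32tm /stripchart prints samples as "hh:mm:ss, +00.0123456s", and that dc1.example.com is a placeholder for your own time source.

```powershell
# Added example, not code from the thread. Run elevated on the DirectAccess client.
param(
    [string]$TimeSource = "dc1.example.com",   # placeholder: a domain time source
    [int]$MaxEvents = 200,
    [int]$SkewToleranceSec = 300               # default Kerberos tolerance (5 minutes)
)

function Get-MainModeFailures {
    param([int]$Count)
    # 4653 = "An IPsec main mode negotiation failed" (Security log, failure audit)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4653 } `
                           -MaxEvents $Count -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $msg = $e.Message
        # Assumption: the rendered message lists the local endpoint's "Network Address:"
        # first and the remote endpoint's second.
        $addrs = @([regex]::Matches($msg, 'Network Address:\s+(\S+)') |
                   ForEach-Object { $_.Groups[1].Value })
        $remote = if ($addrs.Count -ge 2) { $addrs[1] } else { $addrs[0] }
        $reason = [regex]::Match($msg, 'Failure Reason:\s+(.+)').Groups[1].Value.Trim()
        $point  = [regex]::Match($msg, 'Failure Point:\s+(.+)').Groups[1].Value.Trim()
        New-Object PSObject -Property @{
            Time   = $e.TimeCreated
            Remote = $remote
            Point  = $point
            Reason = $reason
        }
    }
}

function Get-ClockOffsetSeconds {
    param([string]$Server)
    # w32tm prints one sample per line, e.g. "15:30:29, +00.0012345s" (assumed format)
    $out = & w32tm /stripchart /computer:$Server /samples:3 /dataonly 2>&1
    $offsets = foreach ($line in $out) {
        $m = [regex]::Match([string]$line, ',\s*([+-]\d+\.\d+)s')
        if ($m.Success) { [double]$m.Groups[1].Value }
    }
    if ($offsets) { ($offsets | Measure-Object -Average).Average } else { $null }
}

"== IPsec main mode failures (last $MaxEvents 4653 events) =="
Get-MainModeFailures -Count $MaxEvents |
    Group-Object Remote, Point, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

"== Clock offset against $TimeSource =="
$offset = Get-ClockOffsetSeconds -Server $TimeSource
if ($offset -eq $null) {
    "Could not sample $TimeSource (UDP/123 blocked, or the name did not resolve)."
} elseif ([math]::Abs($offset) -gt $SkewToleranceSec) {
    ("Offset {0:N1}s exceeds the {1}s Kerberos tolerance: expect UserKerb main mode " +
     "failures until the clock is corrected.") -f $offset, $SkewToleranceSec
} else {
    "Offset {0:N3}s is within tolerance." -f $offset
}
```

A remote address that is a public DNS server rather than the UAG or a DC, as in point 2 of the question, shows up directly in the grouped table and points at a DNS or NRPT problem rather than at the tunnel itself.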
-
Wednesday, April 25, 2012 8:00 PM
Benoit,
Thanks for the quick response. I'll post the log here, and see if it takes, then a copy of one of the 4653 IPSec Main Mode audit failures. Just so you have more info, the UAG server is a Dell PE 1950 with a single dual-core processor and 16 GB of RAM, and is not virtualized. The log looks to be too large - I'm getting an error message trying to post the whole thing, so I've chopped the log and will post consecutive parts in my replies to you.
Kurt
Part One
DirectAccess Connectivity Assistant Logs
RED: Corporate connectivity is not working.
Corporate network names cannot be resolved. If the problem persists, contact your administrator.
24/4/2012 22:30:27 (UTC)
Probes List
PASS - PING: 2002:4332:7627::4332:7627
FAIL - HTTP: https://inside.example.com
DTE List
PASS - PING: 2002:4332:7627::4332:7627
PASS - PING: 2002:4332:7626::4332:7626
***************************************************************************
ipconfig /all
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : it-kbuff7
Primary Dns Suffix . . . . . . . : example.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : example.com
guest.example.com
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : example.com
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : D4-BE-D9-22-09-B6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . : guest.example.com
Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
Physical Address. . . . . . . . . : 8C-70-5A-03-84-24
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::483f:894:5771:3fa2%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.20.222(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, April 24, 2012 3:28:47 PM
Lease Expires . . . . . . . . . . : Tuesday, April 24, 2012 4:28:47 PM
Default Gateway . . . . . . . . . : 192.168.20.1
DHCP Server . . . . . . . . . . . : 192.168.20.11
DHCPv6 IAID . . . . . . . . . . . : 294416474
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-19-14-C0-8C-70-5A-03-84-24
DNS Servers . . . . . . . . . . . : 8.8.8.8
74.118.212.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 7C-E9-D3-C0-3E-4C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.example.com:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.guest.example.com:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : guest.example.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter iphttpsinterface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : iphttpsinterface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4332:7626:3c3a:d9b2:bccd:89a5(Preferred)
Link-local IPv6 Address . . . . . : fe80::3c3a:d9b2:bccd:89a5%15(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter isatap.{1CE3B0C4-475D-4D09-BD7D-33E729293D3C}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh int teredo show state
***************************************************************************
netsh int teredo show state
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh int teredo show state
Teredo Parameters
---------------------------------------------
Type : client
Server Name : xx.yy.zz.38 (Group Policy)
Client Refresh Interval : 30 seconds
Client Port : unspecified
State : qualified
Client Type : teredo client
Network : unmanaged
NAT : symmetric (port)
NAT Special Behaviour : UPNP: No, PortPreserving: No
Local Mapping : 192.168.20.222:56546
External NAT Mapping : xx.yy.zz.90:9805
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh int httpstunnel show interfaces
***************************************************************************
netsh int httpstunnel show interfaces
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh int httpstunnel show interfaces
Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role : client
URL : https://outside.example.com:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface deactivated
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh dns show state
***************************************************************************
netsh dns show state
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh dns show state
Name Resolution Policy Table Options
--------------------------------------------------------------------
Query Failure Behavior : Always fall back to LLMNR and NetBIOS
if the name does not exist in DNS or
if the DNS servers are unreachable
when on a private network
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Let Network ID determine when Direct
Access settings are to be used
Machine Location : Outside corporate network
Direct Access Settings : Configured and Enabled
DNSSEC Settings : Not Configured
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh name show policy
***************************************************************************
netsh name show policy
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh name show policy
DNS Name Resolution Policy Table Settings
Settings for inside.example.com
----------------------------------------------------------------------
Certification authority : DC=com, DC=example, CN=example-Issuing-CA-1
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (DNS Servers) :
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : Use default browser settings
Settings for outside.example.com
----------------------------------------------------------------------
Certification authority : DC=com, DC=example, CN=example-Issuing-CA-1
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (DNS Servers) :
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : Use default browser settings
Settings for .example.com
----------------------------------------------------------------------
Certification authority : DC=com, DC=example, CN=example-Issuing-CA-1
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (DNS Servers) : 2002:4332:7627::4332:7627
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : Bypass proxy
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh name show effective
***************************************************************************
netsh name show effective
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh name show effective
DNS Effective Name Resolution Policy Table Settings
Settings for inside.example.com
----------------------------------------------------------------------
Certification authority : DC=com, DC=example, CN=example-Issuing-CA-1
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) :
DirectAccess (Proxy Settings) : Use default browser settings
Settings for outside.example.com
----------------------------------------------------------------------
Certification authority : DC=com, DC=example, CN=example-Issuing-CA-1
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) :
DirectAccess (Proxy Settings) : Use default browser settings
Settings for .example.com
----------------------------------------------------------------------
Certification authority : DC=com, DC=example, CN=example-Issuing-CA-1
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) : 2002:4332:7627::4332:7627
DirectAccess (Proxy Settings) : Bypass proxy
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh adv mon show mmsa
***************************************************************************
netsh adv mon show mmsa
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh adv mon show mmsa
Main Mode SA at 04/24/2012 15:30:29
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:3c3a:d9b2:bccd:89a5
Remote IP Address: 2002:4332:7627::4332:7627
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Cookie Pair: 90fa390ac14321d0:cd357eacfcfb8e1e
Health Cert: No
Main Mode SA at 04/24/2012 15:30:29
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:3c3a:d9b2:bccd:89a5
Remote IP Address: 2002:4332:7626::4332:7626
Auth2 Local ID: example\kurt-work
Auth2 Remote ID: host/G1.example.com
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: c2cea33a3ad63552:899e3b512fa8ccca
Health Cert: No
Main Mode SA at 04/24/2012 15:30:29
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:3c3a:d9b2:bccd:89a5
Remote IP Address: 2002:4332:7626::4332:7626
Auth2 Local ID: example\kbuff
Auth2 Remote ID: host/G1.example.com
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: 1786fc6ca04cb0fd:cf1ecea2a6372180
Health Cert: No
Ok.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh nap client show state
***************************************************************************
netsh nap client show state
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh nap client show state
The "Network Access Protection Agent" service is not running.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true
***************************************************************************
wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>wevtutil query-events Microsoft-Windows-NetworkAccessProtection/Operational /count:20 /format:text /rd:true
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh int ipv6 show int level=verbose
***************************************************************************
netsh int ipv6 show int level=verbose
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
-
Wednesday, April 25, 2012 8:02 PM
Log, Part 2
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh int ipv6 show int level=verbose
Interface Loopback Pseudo-Interface 1 Parameters
----------------------------------------------
IfLuid : loopback_0
IfIndex : 1
State : connected
Metric : 50
Link MTU : 4294967295 bytes
Reachable Time : 34500 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : disabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Wireless Network Connection Parameters
----------------------------------------------
IfLuid : wireless_0
IfIndex : 13
State : connected
Metric : 25
Link MTU : 1500 bytes
Reachable Time : 40000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface isatap.example.com Parameters
----------------------------------------------
IfLuid : tunnel_4
IfIndex : 18
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 35000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface isatap.guest.example.com Parameters
----------------------------------------------
IfLuid : tunnel_5
IfIndex : 19
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 16500 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Bluetooth Network Connection Parameters
----------------------------------------------
IfLuid : ethernet_6
IfIndex : 12
State : disconnected
Metric : 50
Link MTU : 1477 bytes
Reachable Time : 20000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface iphttpsinterface Parameters
----------------------------------------------
IfLuid : tunnel_6
IfIndex : 17
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 30000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Local Area Connection Parameters
----------------------------------------------
IfLuid : ethernet_7
IfIndex : 14
State : disconnected
Metric : 5
Link MTU : 1500 bytes
Reachable Time : 17000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface Teredo Tunneling Pseudo-Interface Parameters
----------------------------------------------
IfLuid : tunnel_7
IfIndex : 15
State : connected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 21000 ms
Base Reachable Time : 15000 ms
Retransmission Interval : 2000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
Interface isatap.{1CE3B0C4-475D-4D09-BD7D-33E729293D3C} Parameters
----------------------------------------------
IfLuid : tunnel_8
IfIndex : 21
State : disconnected
Metric : 50
Link MTU : 1280 bytes
Reachable Time : 43000 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 0
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : disabled
Router Discovery : enabled
Managed Address Configuration : disabled
Other Stateful Configuration : disabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : disabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 0
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh advf show currentprofile
***************************************************************************
netsh advf show currentprofile
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh advf show currentprofile
Public Profile Settings:
----------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Enable
RemoteManagement Disable
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Disable
LogDroppedConnections Disable
FileName %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096
Ok.
-
Wednesday, April 25, 2012 8:04 PM
Hi
Strange, there are no netsh adv mon show QMSA results?
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
-
Wednesday, April 25, 2012 8:05 PM
Log, Part 3
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> netsh advfirewall monitor show consec
***************************************************************************
netsh advfirewall monitor show consec
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>netsh advfirewall monitor show consec
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck 0:Disabled
SAIdleTimeMin 5min
DefaultExemptions ICMP
IPsecThroughNAT Never
AuthzUserGrp None
AuthzComputerGrp None
StatefulFTP Enable
StatefulPPTP Enable
Main Mode:
KeyLifetime 60min,0sess
SecMethods DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH No
Categories:
BootTimeRuleCategory Windows Firewall
FirewallRuleCategory Windows Firewall
StealthRuleCategory Windows Firewall
ConSecRuleRuleCategory Windows Firewall
Quick Mode:
QuickModeSecMethods ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES
+60min+100000kb,AH:SHA1+60min+100000kb
QuickModePFS None
Security Associations:
Main Mode SA at 04/24/2012 15:30:29
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:3c3a:d9b2:bccd:89a5
Remote IP Address: 2002:4332:7627::4332:7627
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Cookie Pair: 90fa390ac14321d0:cd357eacfcfb8e1e
Health Cert: No
Main Mode SA at 04/24/2012 15:30:29
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:3c3a:d9b2:bccd:89a5
Remote IP Address: 2002:4332:7626::4332:7626
Auth2 Local ID: example\kurt-work
Auth2 Remote ID: host/G1.example.com
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: c2cea33a3ad63552:899e3b512fa8ccca
Health Cert: No
Main Mode SA at 04/24/2012 15:30:29
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:3c3a:d9b2:bccd:89a5
Remote IP Address: 2002:4332:7626::4332:7626
Auth2 Local ID: example\kbuff
Auth2 Remote ID: host/G1.example.com
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Cookie Pair: 1786fc6ca04cb0fd:cf1ecea2a6372180
Health Cert: No
Quick Mode SA at 04/24/2012 15:30:29
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:3c3a:d9b2:bccd:89a5
Remote IP Address: 2002:4332:7627::4332:7627
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Quick Mode SA at 04/24/2012 15:30:29
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:3c3a:d9b2:bccd:89a5
Remote IP Address: 2002:4332:7627::4332:7627
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Quick Mode SA at 04/24/2012 15:30:29
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:3c3a:d9b2:bccd:89a5
Remote IP Address: 2002:4332:7626::4332:7626
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Quick Mode SA at 04/24/2012 15:30:29
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:3c3a:d9b2:bccd:89a5
Remote IP Address: 2002:4332:7626::4332:7626
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Quick Mode SA at 04/24/2012 15:30:29
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:3c3a:d9b2:bccd:89a5
Remote IP Address: 2002:4332:7627::4332:7627
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
IPsec Statistics
----------------
Active Assoc : 5
Offload SAs : 0
Pending Key : 0
Key Adds : 21
Key Deletes : 17
ReKeys : 0
Active Tunnels : 5
Bad SPI Pkts : 0
Pkts not Decrypted : 0
Pkts not Authenticated : 0
Pkts with Replay Detection : 0
Confidential Bytes Sent : 1,067,744
Confidential Bytes Received : 1,166,120
Authenticated Bytes Sent : 1,136,240
Authenticated Bytes Received: 1,166,120
Transport Bytes Sent : 0
Transport Bytes Received : 0
Bytes Sent In Tunnels : 1,136,240
Bytes Received In Tunnels : 1,166,120
Offloaded Bytes Sent : 0
Offloaded Bytes Received : 0
Ok.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> Certutil -store my
***************************************************************************
Certutil -store my
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>Certutil -store my
my
================ Certificate 0 ================
Serial Number: 184387d3000000000140
Issuer: CN=example-Issuing-CA-1, DC=example, DC=com
NotBefore: 4/12/2012 4:32 PM
NotAfter: 4/12/2013 4:32 PM
Subject: EMPTY (DNS Name=IT-KBUFF7.example.com)
Non-root Certificate
Template: exampleWorkstationAuthentication, example Workstation Authentication
Cert Hash(sha1): cd 48 65 93 3c 93 7a ed 2a 3c ae b2 f3 52 65 55 34 3e 09 ac
Key Container = le-exampleWorkstationAuthentication-480b72d9-b2c3-407f-b748-fbb9b5e8a9d7
Unique container name: a992cfe7f97619297c4a14eb899a00e3_f330131e-0b2e-4b73-8b3d-1126da8ecac3
Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> Systeminfo
***************************************************************************
Systeminfo
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>Systeminfo
Host Name: IT-KBUFF7
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Workstation
OS Build Type: Multiprocessor Free
Registered Owner: example-it
Registered Organization:
Product ID: 55041-011-2696075-86440
Original Install Date: 4/12/2012, 3:41:12 PM
System Boot Time: 4/24/2012, 2:53:13 PM
System Manufacturer: Dell Inc.
System Model: Latitude E6520
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 42 Stepping 7 GenuineIntel ~2601 Mhz
BIOS Version: Dell Inc. A12, 2/28/2012
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 8,073 MB
Available Physical Memory: 3,261 MB
Virtual Memory: Max Size: 16,263 MB
Virtual Memory: Available: 11,368 MB
Virtual Memory: In Use: 4,895 MB
Page File Location(s): C:\pagefile.sys
Domain: example.com
Logon Server: N/A
Hotfix(s): 68 Hotfix(s) Installed.
[01]: 982861
[02]: KB958830
[03]: KB2425227
[04]: KB2479943
[05]: KB2484033
[06]: KB2488113
[07]: KB2491683
[08]: KB2492386
[09]: KB2505438
[10]: KB2506014
[11]: KB2506212
[12]: KB2506928
[13]: KB2507618
[14]: KB2509553
[15]: KB2511250
[16]: KB2511455
[17]: KB2512715
[18]: KB2515325
[19]: KB2518869
[20]: KB2522422
[21]: KB2529073
[22]: KB2532531
[23]: KB2533552
[24]: KB2534111
[25]: KB2536275
[26]: KB2536276
[27]: KB2541014
[28]: KB2544893
[29]: KB2545698
[30]: KB2547666
[31]: KB2552343
[32]: KB2556532
[33]: KB2560656
[34]: KB2563227
[35]: KB2564958
[36]: KB2567680
[37]: KB2570947
[38]: KB2572077
[39]: KB2579686
[40]: KB2584146
[41]: KB2585542
[42]: KB2588516
[43]: KB2603229
[44]: KB2607047
[45]: KB2619339
[46]: KB2620704
[47]: KB2620712
[48]: KB2621440
[49]: KB2631813
[50]: KB2633873
[51]: KB2633952
[52]: KB2640148
[53]: KB2641653
[54]: KB2641690
[55]: KB2644615
[56]: KB2645640
[57]: KB2647518
[58]: KB2653956
[59]: KB2654428
[60]: KB2656356
[61]: KB2656373
[62]: KB2660075
[63]: KB2665364
[64]: KB2667402
[65]: KB2675157
[66]: KB2679255
[67]: KB976902
[68]: KB982018
Network Card(s): 4 NIC(s) Installed.
[01]: Bluetooth Device (Personal Area Network)
Connection Name: Bluetooth Network Connection
Status: Media disconnected
[02]: Intel(R) Centrino(R) Advanced-N 6205
Connection Name: Wireless Network Connection
DHCP Enabled: Yes
DHCP Server: 192.168.20.11
IP address(es)
[01]: 192.168.20.222
[02]: fe80::483f:894:5771:3fa2
[03]: Intel(R) 82579LM Gigabit Network Connection
Connection Name: Local Area Connection
Status: Media disconnected
[04]: Aventail VPN Adapter
Connection Name: Local Area Connection 2
DHCP Enabled: No
IP address(es)
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}> whoami /groups
***************************************************************************
whoami /groups
***************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================ ================ ============ ==================================================
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label S-1-16-16384
C:\Windows\system32\LogSpace\{369CBE62-3F99-4E5A-AB1A-A7B72560C3EC}>
-
Wednesday, April 25, 2012 8:09 PM
Now the text of the two event log entries - 4653 IPSec Main Mode audit failure, each slightly different from the other:
**********Begin Event 1**********
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2012-04-25 08:44:24
Event ID: 4653
Task Category: IPsec Main Mode
Level: Information
Keywords: Audit Failure
User: N/A
Computer: it-kbuff7.example.com
Description:
An IPsec main mode negotiation failed.
Local Endpoint:
Local Principal Name: -
Network Address: 2002:4332:7626:8000:0:5efe:192.168.15.83
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address: 2002:4332:7627::4332:7627
Keying Module Port: 500
Additional Information:
Keying Module Name: IKEv1
Authentication Method: Unknown authentication
Role: Initiator
Impersonation State: Not enabled
Main Mode Filter ID: 0
Failure Information:
Failure Point: Local computer
Failure Reason: No policy configured
State: No state
Initiator Cookie: c5881fbfb763e896
Responder Cookie: 0000000000000000
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4653</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12547</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-04-25T15:44:24.617178300Z" />
<EventRecordID>19793</EventRecordID>
<Correlation />
<Execution ProcessID="656" ThreadID="728" />
<Channel>Security</Channel>
<Computer>it-kbuff7.example.com</Computer>
<Security />
</System>
<EventData>
<Data Name="LocalMMPrincipalName">-</Data>
<Data Name="RemoteMMPrincipalName">-</Data>
<Data Name="LocalAddress">2002:4332:7626:8000:0:5efe:192.168.15.83</Data>
<Data Name="LocalKeyModPort">500</Data>
<Data Name="RemoteAddress">2002:4332:7627::4332:7627</Data>
<Data Name="RemoteKeyModPort">500</Data>
<Data Name="KeyModName">%%8222</Data>
<Data Name="FailurePoint">%%8199</Data>
<Data Name="FailureReason">No policy configured
</Data>
<Data Name="MMAuthMethod">%%8194</Data>
<Data Name="State">%%8201</Data>
<Data Name="Role">%%8205</Data>
<Data Name="MMImpersonationState">%%8217</Data>
<Data Name="MMFilterID">0</Data>
<Data Name="InitiatorCookie">c5881fbfb763e896</Data>
<Data Name="ResponderCookie">0000000000000000</Data>
</EventData>
</Event>
**********End Event 1**********
**********Begin Event 2**********
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2012-04-25 08:48:01
Event ID: 4653
Task Category: IPsec Main Mode
Level: Information
Keywords: Audit Failure
User: N/A
Computer: it-kbuff7.example.com
Description:
An IPsec main mode negotiation failed.
Local Endpoint:
Local Principal Name: -
Network Address: 2002:4332:7626:8100:9d5:77c5:8dfa:2017
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address: 2002:4332:7627::4332:7627
Keying Module Port: 500
Additional Information:
Keying Module Name: IKEv1
Authentication Method: Unknown authentication
Role: Initiator
Impersonation State: Not enabled
Main Mode Filter ID: 0
Failure Information:
Failure Point: Local computer
Failure Reason: No policy configured
State: No state
Initiator Cookie: 3aa1e756733bd98e
Responder Cookie: 0000000000000000
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4653</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12547</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-04-25T15:48:01.130862400Z" />
<EventRecordID>19837</EventRecordID>
<Correlation />
<Execution ProcessID="656" ThreadID="3812" />
<Channel>Security</Channel>
<Computer>it-kbuff7.example.com</Computer>
<Security />
</System>
<EventData>
<Data Name="LocalMMPrincipalName">-</Data>
<Data Name="RemoteMMPrincipalName">-</Data>
<Data Name="LocalAddress">2002:4332:7626:8100:9d5:77c5:8dfa:2017</Data>
<Data Name="LocalKeyModPort">500</Data>
<Data Name="RemoteAddress">2002:4332:7627::4332:7627</Data>
<Data Name="RemoteKeyModPort">500</Data>
<Data Name="KeyModName">%%8222</Data>
<Data Name="FailurePoint">%%8199</Data>
<Data Name="FailureReason">No policy configured
</Data>
<Data Name="MMAuthMethod">%%8194</Data>
<Data Name="State">%%8201</Data>
<Data Name="Role">%%8205</Data>
<Data Name="MMImpersonationState">%%8217</Data>
<Data Name="MMFilterID">0</Data>
<Data Name="InitiatorCookie">3aa1e756733bd98e</Data>
<Data Name="ResponderCookie">0000000000000000</Data>
</EventData>
</Event>
**********End Event 2**********
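To read entries like the two above without eyeballing the XML, here is an added Python example (not from the thread or from Microsoft) that pulls the Data fields out of the Event XML and decodes the DirectAccess transition addresses in them: a 6to4 address (2002::/16) embeds the IPv4 of the 6to4 router, an ISATAP interface ID (::0:5efe:a.b.c.d) inside that prefix embeds the host's own IPv4, and a Teredo address (2001:0::/32, like the client address in the netsh QMSA output later in the thread) embeds the Teredo server, plus the client's public IPv4 and UDP port with their bits inverted. The sample event is constructed from Event 1 above, trimmed to the fields the code uses.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed from the 4653 event posted above, trimmed to the fields needed to
# trace the tunnel endpoints and the failure reason (not a new capture).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4653</EventID><Computer>it-kbuff7.example.com</Computer></System>
<EventData>
<Data Name="LocalAddress">2002:4332:7626:8000:0:5efe:192.168.15.83</Data>
<Data Name="RemoteAddress">2002:4332:7627::4332:7627</Data>
<Data Name="KeyModName">%%8222</Data>
<Data Name="FailureReason">No policy configured
</Data>
</EventData></Event>"""


def parse_event(xml_text):
    """Return (event_id, computer, {Data Name: value}) from Windows Event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    computer = root.find("e:System/e:Computer", NS).text
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data


def decode_transition_address(addr_text):
    """Classify a DirectAccess transition address and recover the IPv4 inside it."""
    addr = ipaddress.IPv6Address(addr_text)
    words = [int(h, 16) for h in addr.exploded.split(":")]  # eight 16-bit groups

    def v4(hi, lo):
        return str(ipaddress.IPv4Address((hi << 16) | lo))

    result = {"address": str(addr)}
    if words[0] == 0x2001 and words[1] == 0:
        # Teredo: 2001:0:SERVER:SERVER:FLAGS:~PORT:~CLIENT:~CLIENT (port and client IPv4 are bit-inverted)
        result.update(kind="Teredo",
                      teredo_server=v4(words[2], words[3]),
                      client_port=(~words[5]) & 0xFFFF,
                      client_ipv4=v4(~words[6] & 0xFFFF, ~words[7] & 0xFFFF))
    elif words[0] == 0x2002:
        # 6to4: 2002:WWXX:YYZZ::/48 where WWXX:YYZZ is the 6to4 router's IPv4
        result["kind"] = "6to4"
        result["sixto4_router"] = v4(words[1], words[2])
        # ISATAP interface ID inside the 6to4 prefix: ::0:5efe:a.b.c.d (private) or ::200:5efe:a.b.c.d (global)
        if words[5] == 0x5EFE and words[4] in (0x0000, 0x0200):
            result["kind"] = "ISATAP over 6to4"
            result["isatap_host_ipv4"] = v4(words[6], words[7])
    else:
        result["kind"] = "native or IP-HTTPS"
    return result


def summarize(xml_text):
    """One-line-per-field view of an IPsec audit event with both endpoints decoded."""
    event_id, computer, data = parse_event(xml_text)
    return {
        "event_id": event_id,
        "computer": computer,
        "failure_reason": data.get("FailureReason"),
        "local": decode_transition_address(data["LocalAddress"]),
        "remote": decode_transition_address(data["RemoteAddress"]),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENT_XML).items():
        print(key, value)
```

Run against the 4653 above, it shows the local endpoint as an ISATAP host 192.168.15.83 inside the 6to4 prefix of 67.50.118.38 and the remote endpoint as the 6to4 address of 67.50.118.39; on a real box, feed it the XML from the Event Viewer's Details tab or from Get-WinEvent.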
-
Wednesday, April 25, 2012 8:21 PM
Benoit,
Nope, not present in log. I can put the machine outside again and try the log again after failure if you wish.
Kurt
-
Wednesday, April 25, 2012 10:19 PM
Benoit,
I set up my machine again on the guest wireless network, let the DCA show failure, then manually ran "netsh adv mon show QMSA" in an elevated prompt, with the following output:
C:\temp>netsh adv mon show QMSA
Quick Mode SA at 04/25/2012 15:16:53
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:387b:dc21:bccd:89a5
Remote IP Address: 2002:4332:7627::4332:7627
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Quick Mode SA at 04/25/2012 15:16:53
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:387b:dc21:bccd:89a5
Remote IP Address: 2002:4332:7627::4332:7627
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Quick Mode SA at 04/25/2012 15:16:53
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:387b:dc21:bccd:89a5
Remote IP Address: 2002:4332:7627::4332:7627
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Quick Mode SA at 04/25/2012 15:16:53
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:387b:dc21:bccd:89a5
Remote IP Address: 2002:4332:7626::4332:7626
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Quick Mode SA at 04/25/2012 15:16:53
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:387b:dc21:bccd:89a5
Remote IP Address: 2002:4332:7627::4332:7627
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Quick Mode SA at 04/25/2012 15:16:53
----------------------------------------------------------------------
Local IP Address: 2001:0:4332:7626:387b:dc21:bccd:89a5
Remote IP Address: 2002:4332:7627::4332:7627
Local Port: Any
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Ok.
-
Friday, April 27, 2012 3:57 PM
Does anyone have further input on this?
Thanks,
Kurt
-
Monday, April 30, 2012 7:37 PM
I would try replacing your machine certificates (the certs issued to the server and the clients by your internal CA server) with certificates that are based off of the default "Computer" template. I see in your log file that the Subject line of the client certificate is EMPTY and this could definitely cause you some problems. If you want to use a custom template instead of the default Computer template, make sure that it is marked for the intended purposes of Server Authentication and Client Authentication, and also make sure that both the Subject field and the SAN field are populated with the FQDN of the client machine.
-
Monday, April 30, 2012 8:06 PM
That makes sense. I am not very familiar with CA stuff, having just implemented this recently and not having fiddled with it much after getting it up and running.
I'll do a bit of research on how to fix the custom template and reissue the certs and get back with results ASAP.
Thanks for the info.
Kurt
-
Monday, April 30, 2012 10:32 PM
OK - I've fixed that issue, as you can see from the output of 'certutil -store my' below.
However, I still see problems in the Security event log.
Specifically, I performed a test as follows (my laptop is configured to shut off WiFi when it gets a wired connection, and the wired NIC is configured with one of my public IP addresses).
I was on WiFi on the production LAN during bootup and logging in. I started Wireshark capturing on the wired NIC, then inserted an Ethernet cable into my machine's NIC. I then see two failure audits of 4653 IPSec Main Mode that have a failure reason of "No policy configured". This time, I then saw a different entry in the Security event log - 4984 IPSec Extended Mode, with a failure reason of "IKE authentication credentials are unacceptable" - and finally another 4653 IPSec Main Mode.
The only Application Policies for the issued machine certs are Server and Client Authentication. Do I need anything else?
================ Certificate 1 ================
Serial Number: 5bef62a7000000000166
Issuer: CN=example-Issuing-CA-1, DC=example, DC=com
NotBefore: 2012-04-30 14:17
NotAfter: 2013-04-30 14:17
Subject: CN=IT-KBUFF7.example.com
Non-root Certificate
Template: exampleWorkstationAuthentication, example Workstation Authentication
Cert Hash(sha1): 7c ec 00 5d ed d7 27 da 1c 31 eb cc 65 91 61 98 79 d0 24 04
Key Container = le-exampleWorkstationAuthentication-b72b0035-b39a-4c19-9aeb-f67d1248447c
Unique container name: 8eb8b507517037e00a9116daff0c1139_f330131e-0b2e-4b73-8b3d-1126da8ecac3
Provider = Microsoft Software Key Storage Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.
-
Tuesday, May 01, 2012 1:03 PM
Intended purposes of Client Authentication and Server Authentication are the two that you need. I do see that your Subject is now the FQDN of the machine which is perfect. How about the SAN? Do you have the SAN also set to use "DNS Name" which will then issue the FQDN into that field as well?
-
Tuesday, May 01, 2012 5:21 PM
Yes - Subject Alternate Name field value is "DNS Name=it-kbuff.example.com".
I revoked the old cert after updating the CA template and rebooted my machine to make it pick up the new cert - the old cert now shows as archived on my laptop.
Kurt
-
Tuesday, May 01, 2012 7:30 PM
BTW - at the same time I rebooted my laptop, I also revoked the cert on the UAG server, and rebooted it so that it would get an updated cert as well.
I then manually installed the root and intermediate certs from our CA onto my laptop this morning and tried it again, with the same results.
I also have mined the event logs on the UAG server for this morning's attempt, and see the reciprocal audit failure "4984 IPSec Extended Mode":
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2012-05-01 11:41:19
Event ID: 4984
Task Category: IPsec Extended Mode
Level: Information
Keywords: Audit Failure
User: N/A
Computer: G1.example.com
Description:
An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.
Local Endpoint:
Principal Name: host/G1.example.com
Network Address: 2002:4332:7627::4332:7627
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address: 2002:4332:7632::4332:7632
Keying Module Port: 500
Additional Information:
Keying Module Name: AuthIP
Authentication Method: NTLM V2
Role: Responder
Impersonation State: Enabled
Quick Mode Filter ID: 95750
Failure Information:
Failure Point: Remote computer
Failure Reason: IKE authentication credentials are unacceptable
State: Sent second (SSPI) payload
-
Friday, May 04, 2012 5:26 PM
Any more hints here, or should I be opening a case with MSFT?
Kurt
-
Thursday, May 10, 2012 1:45 PM
Hey Kurt, sorry for the delay. I know you have made changes so that your machine certificates now seem to align with the requirements DA is looking for, but ultimately you are still using a custom template, correct? The next thing I would try is replacing your machine certificates again, this time using the default "Computer" template to issue them. I have experienced "strange" issues a few times when custom templates are used, including intermittent connectivity, or infrastructure tunnels establishing but intranet tunnels not, that kind of thing. I have been able to resolve these issues more than once by replacing the certs with certs issued from that default template.
-
Thursday, May 10, 2012 4:15 PM
Yes, I have been using a custom template.
I'm out of the office until Tuesday, and will try it then.
Can I use a copy of the default Computer template, in case we need to modify it later, or should I just use it as provided?
Thanks,
Kurt
-
Thursday, May 10, 2012 5:24 PM
You can certainly try it out with a copy of the template, but if you still have problems after that, to be able to completely rule this out as a potential problem spot, you will need to try the real template.
-
Thursday, May 10, 2012 5:46 PM
Thanks again. I'll try with the default, and see what that gets me.
Kurt
-
Tuesday, May 15, 2012 11:36 PM
OK - I'm back in the office, and trying this out, but having difficulties.
I have a two-tier architecture, with the Issuing CA running on Win2k8 R2 Enterprise as a member of the domain.
In Server Manager, I have drilled down to Roles\ADCS\{computername}\Certificate Templates, and have the Computer template, and can view the properties for it, or delete it, but can't seem to do anything with it.
If instead I drill down to Roles\ADCS\CertificateTemplates(DC-Name)\ I see the template there, but again can view properties or delete it, but can't seem to do anything with it.
So I've made a copy of the Computer template, and when prompted I made it a 2008 CA template, and set it for RSA 2048, and selected to publish it in AD. I otherwise left it untouched.
I then deleted the custom template from Roles\ADCS\{computername}\Certificate Templates and imported the new duplicate into that container, and revoked the certs issued under the old template.
I'm now trying to get a test machine to get a new cert, and am so far unsuccessful.
Any thoughts on this?
-
Wednesday, May 16, 2012 12:29 PM
You shouldn't have to create a duplicate off of the Computer template; you should be able to use that default template to issue certs. Probably all you have to do is adjust permissions on the template to allow the enrollment to happen. It sounds like you might be in the same boat with the new template you just created; did you set enroll permissions?
-
Wednesday, May 16, 2012 4:23 PM
Good call.
On the duplicate of the Computer template there are two permissions: Enroll and Autoenroll. For Domain Computers, the Autoenroll permission was not checked, so I've updated that and I'm now seeing issued certs.
However, on the original Computer template, there is no Autoenroll permission - just Enroll, and that is checked. And, all fields on all tabs that would allow me to adjust things (such as the "Publish certificate in Active Directory" checkbox) are grayed out - whereas the duplicate that I created has all of them available.
-
Wednesday, May 16, 2012 6:00 PM
For the built-in template, all you should have to do is enable autoenrollment like so:
http://technet.microsoft.com/en-us/library/ee649166(WS.10).aspx
-
Wednesday, May 16, 2012 7:02 PM
OK - I don't know how I missed this document.
I've done what needs to be done in the page you pointed out. I'm going to work through the rest of the document to make sure I haven't missed some other things as well.
Perhaps the most annoying thing is that I can't RDP to the UAG server. I've checked the firewall rules, and they seem to be correct.
More on this tomorrow - heading into a meeting on a *completely* unrelated subject just now.
Thanks!
Kurt
-
Wednesday, May 16, 2012 7:25 PM
On a UAG server, you have to define inside TMG who you want to be able to RDP into it. Open up TMG Management, click on Firewall Policy, and then over on the right find your Remote Management Computers group. Go into the properties of that group and add your IP address, that should let you in.
-
Friday, May 18, 2012 8:51 PM
Been tied up in a Rightfax installation, and am just now getting back to this. Finding the Remote Management Computers group was momentarily frustrating. I figured out why I lost the ability though - the IP address on my laptop had changed from when I was installing the system. So, I gave a reservation to my laptop for my current address, added that address in, and that problem is now fixed. However, I have started working through the document to which you linked, and don't see any other issues after a quick read through it. So, now that the Computers cert template is active and certs from it have been issued to both the UAG server and my laptop (along with all of the other machines in the domain), I've done a couple of test connections, and I'm still seeing the problems with IPSec Main Mode audit failures.

