RODC - Authentication failing

  • Question

  • Good afternoon,

    I have a certificate file (PFX) that is protected by using users/groups in AD. In this case the group used to allow access to the certificate is Domain Admins. Now, because of the number of servers, we want to push the certs via release management, which works fine for servers that can access an RWDC. The servers in a DMZ that can only access an RODC fail every single time.

    If I log onto a DMZ server, copy the PFX file, launch an admin PowerShell script and run Import-PfxCertificate, the result is:

    Import-PfxCertificate : The specified network password is not correct. 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
    At line:1 char:1
    + Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My .\star2016.instre ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Import-PfxCertificate], Exception
        + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.ImportPfxCertificate

    Question is:

    * How do I fix the RODC so that this kind of script actually works?

    As a side note, if it helps, logging onto the server works fine, it just takes a hell of a long time. But I always attributed that to the DMZ server sending the request to the RODC, the RODC sending it to the RWDC and then it coming back the way it bounced. Seems I might be wrong.

    Thanks

    Monday, July 11, 2016 7:15 PM

Answers

  • FyI, after opening a ticket to Microsoft they confirmed that this setup does not work. A server needs to be able to talk to an RWDC to be able to use groups / users to protect a certificate.

    • Marked as answer by O.Ragain Monday, October 17, 2016 7:49 PM
    Monday, October 17, 2016 7:49 PM
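    The marked answer says a group-protected PFX can only be opened from a host that can talk to a writable DC. The following is an added example, not code from the thread or from Microsoft: a pre-flight check for the release-management push plus the two ways of building the PFX (-ProtectTo, which is the password-less, group-protected form the question uses, and -Password). The group name, thumbprint placeholder, file names and function names are assumptions.

```powershell
# Added example, not from the original thread. Assumed names: CONTOSO\Domain Admins,
# the thumbprint placeholder, the output file names and the function names.

# 1. Pre-flight: can this host locate a writable DC? nltest.exe is built into Windows,
#    so this runs on a DMZ host that has no RSAT / ActiveDirectory module installed.
function Test-WritableDc {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # /writable asks the DC locator for an RWDC only; /force bypasses the locator cache,
    # so a host that only sees an RODC gets a non-zero exit code instead of a stale hit.
    $null = & nltest.exe "/dsgetdc:$Domain" /writable /force 2>&1
    return ($LASTEXITCODE -eq 0)
}

# 2. Publisher side: build both flavours of the PFX from the same certificate.
function Export-SiteCert {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Group = 'CONTOSO\Domain Admins',          # assumption: adjust to your domain
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint"

    # Group-protected: no password, but the importing identity must be a member of $Group
    # AND must be able to reach a writable DC to unwrap the key. This is the variant that
    # fails with ERROR_INVALID_PASSWORD / "you do not have access" behind an RODC.
    Export-PfxCertificate -Cert $cert -FilePath .\site-grp.pfx -ProtectTo $Group | Out-Null

    # Password-protected: opens anywhere, so use it for hosts that only see an RODC.
    Export-PfxCertificate -Cert $cert -FilePath .\site-pw.pfx -Password $Password | Out-Null
}

# 3. Target side: pick the variant the host can actually open, and fail loudly otherwise.
function Install-SiteCert {
    param(
        [string]$GroupPfx    = '.\site-grp.pfx',
        [string]$PasswordPfx = '.\site-pw.pfx',
        [securestring]$Password                            # supplied by the release tool's secret store
    )
    $store = 'Cert:\LocalMachine\My'
    if (Test-WritableDc) {
        Write-Host 'RWDC reachable: importing group-protected PFX'
        Import-PfxCertificate -FilePath $GroupPfx -CertStoreLocation $store
    }
    elseif ($Password) {
        Write-Host 'No RWDC reachable (RODC-only site): importing password-protected PFX'
        Import-PfxCertificate -FilePath $PasswordPfx -CertStoreLocation $store -Password $Password
    }
    else {
        throw 'Host cannot reach a writable DC and no PFX password was supplied; refusing to continue'
    }
}
```

    For the DMZ hosts the password has to travel with the release, so keep it in the release tool's secret variable rather than in the script, and remember that the group-protected variant still requires the account running the import to be a member of the group named in -ProtectTo even on a host that can reach an RWDC.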

All replies

  • Hi,
    Please try specifying the password via the -Password parameter and see if it works.
    In addition, you could copy the certificate to the DMZ server and import it from the certificate snap-in directly on the server.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 12, 2016 5:35 AM
  • Hi,

    I cannot specify a password as the file is not protected by a password but by users/groups only. When I try via the MMC snap-in:

    ----

    The PFX file is protected such as no password is required to import it, but you do not have access.

    ----

    Which means that for some reason the DMZ servers are unable to validate the creds against the RODC in this scenario.

    Tuesday, July 12, 2016 12:07 PM
    As a side note, if it helps, logging onto the server works fine, it just takes a hell of a long time. But I always attributed that to the DMZ server sending the request to the RODC, the RODC sending it to the RWDC and then it coming back the way it bounced. Seems I might be wrong.

    Thanks

    Hi,
    Please make sure that the DMZ server is authenticated to RODC correctly, not other DC.
    Regarding RODC authentication, when a client authenticates to an RODC a check is performed to see if the password is cached. If the password is cached, the RODC will authenticate the user account locally. If the user’s password is not cached, then the RODC forwards the authentication request to a writable Domain Controller which in turn authenticates the account and passes the authenticated request back to the RODC. Once the user account is authenticated, the RODC makes another request for the replication of the user’s password in a unidirectional replication providing the account has been configured to allow replication. Please see details from:
    Understanding “Read Only Domain Controller” authentication
    https://blogs.technet.microsoft.com/askds/2008/01/18/understanding-read-only-domain-controller-authentication/
    Regards,
    Wendy

    Friday, July 15, 2016 1:41 AM
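    The reply above describes the RODC logon path (cached password: authenticate locally; otherwise forward to an RWDC and then replicate the secret back if the Password Replication Policy allows it). The following is an added example, not code from the thread or from Microsoft, that checks exactly those two things for a DMZ host: which DC the host is actually using, and whether its computer account and the service account doing the import are allowed on, and already cached by, the RODC. Host, RODC, account and domain names are assumptions.

```powershell
# Added example, not from the original thread. Assumed names: DMZ host DMZWEB01,
# RODC DMZ-RODC1, service account svc-release, domain contoso.com.

# --- On the DMZ server itself (nltest is built into Windows) ---
# Which DC does the locator hand out, and which DC holds the machine's secure channel?
# Both should name the RODC if the DMZ firewall only allows traffic to it.
nltest /dsgetdc:contoso.com /force
nltest /sc_query:contoso.com

# --- On a management host with the ActiveDirectory module (RSAT) ---
Import-Module ActiveDirectory

$rodc     = 'DMZ-RODC1'
$accounts = 'DMZWEB01$', 'svc-release'   # computer account of the DMZ host + the import identity

# Accounts whose secrets the RODC has already received from an RWDC.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
            Select-Object -ExpandProperty SamAccountName

foreach ($a in $accounts) {
    # Resultant PRP for this account on this RODC: Allow, Deny or Unknown.
    # Deny/Unknown means every logon is forwarded to an RWDC, which explains slow logons
    # and means the account stops working if the RWDC path is cut.
    $policy = Get-ADAccountResultantPasswordReplicationPolicy -Identity $a -DomainController $rodc
    [pscustomobject]@{
        Account         = $a
        ResultantPolicy = $policy
        CachedOnRodc    = ($revealed -contains $a.TrimEnd('$')) -or ($revealed -contains $a)
    }
}
```

    If an account shows Deny or Unknown, add it (or a group containing it) to the RODC's allowed list, for example via the Allowed RODC Password Replication Group, and pre-populate the secret with `repadmin /rodcpwdrepl` so the first logon after a change does not depend on reaching an RWDC. This only verifies the logon path the reply describes; it does not change how a group-protected PFX is opened.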
  • Hi Wendy,

    I know about this and the DMZ servers authenticate against the RODC. It however does not explain why my issue happens with certificate files and trying to open them. There must be something else going on.

    Also, may I point out that in netlogon I get critical errors because the RODC can't ping the domain... nowhere in the documentation is there anything about having to open ICMP between RODC and RWDC.

    Best regards,

    Friday, July 15, 2016 11:54 AM
  • If it helps, I did a trace when doing the import.

    The sequence of events looks like:

    • The DMZ server connects to the RODC on the DCERPC port.
    • The DMZ server makes an LDAP request for the <ROOT> baseObject.
    • The DMZ server makes a DNS request for the domain and it gets all the RWDCs in the domain, whatever the site.
    • The DMZ server makes a DNS request on guid.domain and it gets all the RWDCs in the domain, whatever the site.
    • The DMZ server makes a DNS request for the DMZ zone and gets the RODC as a response.
    • The DMZ server makes a DNS request for the domain and it gets all the RWDCs in the domain, whatever the site.
    • The DMZ server makes a DNS request on guid.domain .....
    • The RPC session closes.

    And it loops on that and then the DMZ server fails on importing the PFX file.

    Friday, July 15, 2016 12:30 PM
  • Also, may I point out that in netlogon I get critical errors because the RODC can't ping the domain... nowhere in the documentation is there anything about having to open ICMP between RODC and RWDC.

    Best regards,

    Hi,
    Please run the following tools on RODC to check if any errors appear:
    ipconfig /all >c:\ipconfig.log
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log 
    dnslint /ad /s "DCipaddress"
    Regards,
    Wendy

    • Proposed as answer by Wendy Jiang Tuesday, July 26, 2016 8:46 AM
    • Marked as answer by Wendy Jiang Thursday, July 28, 2016 8:47 AM
    • Unmarked as answer by O.Ragain Monday, October 17, 2016 7:48 PM
    Tuesday, July 19, 2016 2:23 AM