none
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you RRS feed

  • Question

  • Hello all,

    We have implemented DirectAccess in domain A.

    We have file shares that are in domain B and C.

    We have two-way trusts between domains A <-> B and A <-> C.

     

    When the Windows 7 clients are on the network, they can access these (Win 2003) file servers in domains B and C without issues. However, when they are outside the network and connect via DirectAccess, they get a credentials prompt that at the bottom says:

    The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

     

    Accessing (Win 2003 & 2008) file shares in domain A work both, in the network and via DirectAccess.

     

    I've looked at the TMG and do not see anything related to this getting blocked although it seems that this is a kerberos issue as far as I can tell.

    Has anyone come across this or do you have any ideas of how to continue troubleshooting this?

    I've looked at this: http://support.microsoft.com/kb/938457 but I don't know how to build the TMG rule exactly.  Plus I'd think that this is already being allowed by default.

    Thanks

    Wednesday, May 18, 2011 2:12 AM

All replies

  • Did you configure the uag server with static routes into the subnets with B and C's domain controllers?

    http://blog.concurrency.com/infrastructure/uag-sp1-directaccess-ip-addressing-the-server/


    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    Thursday, May 19, 2011 5:10 AM
  • Hi,

     

    Yes, the server is configured with the correct routes.  The subnets for Domains B and C are the same for A.

     

    I'm thinking that perhaps, I need to add the Domain B and C in the:
    "Infrastructure Server Configuration > Authentication Domains" even though the users are not using their Domain B or C accounts to login to the Windows 7 clients?

    Thursday, May 19, 2011 1:59 PM
  • I tried setting the additional "Authentication Domains" but I still get the message.

     

    Any other ideas?

    Friday, May 20, 2011 12:54 AM
  • No one else have the same issue or any ideas? :-(
    Saturday, June 11, 2011 1:06 AM
  • following this guide, I was able to confirm that this is a Kerberos issue in which I'm not able to get a Kerberos ticket for domains B or C.

    http://blogs.technet.com/b/tomshinder/archive/2011/04/19/ipv6-and-directaccess-troubleshooting-cheat-sheets.aspx

    Anyone has any experience dealing with this?

     

    I get the following:

    C:\windows\system32>dir \\domabinB\sysvol

    The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

    • Marked as answer by Erez Benari Friday, August 26, 2011 10:55 PM
    • Unmarked as answer by MacAddict1 Saturday, August 27, 2011 2:34 AM
    Tuesday, July 26, 2011 2:01 AM