y2k (Posts: 41), 11/04/2009 9:40 PM
Hi all
We've got 2 domain joined machines (XP SP2) located at a remote office. The remote office only has 2 machines, a switch, a printer and a firewall. Access to all resources is over a site-to-site IPSEC VPN.
Recently, we had a case where both machines uninstalled all apps which had been deployed with GPSI. Restarting the machines resolved the problem and the apps re-installed themselves. But then a week later it happened again - this time restarting didn't resolve the problem. Both times we had the "KERBEROS encountered a PAC error" in the event log. After some searching, we found the link below:
http://support.microsoft.com/kb/929624
This seems to indicate that the computers are not authenticating correctly over the VPN. What's really strange is that when the users logon to the PC's, they authenticate just fine, their logon script runs, and they can access all shared resources over the VPN as normal.
I thought this might be something to do with the MTU size, but decreasing it didn't seem to have a definite effect (worked on one PC, but a few restarts later, the apps were removed again). The only thing that eventually worked was:
1. Decrease the MTU to 1350
2. Force KERBEROS to use TCP instead of UDP
Restart the machine, then remove both of the settings above - this caused the apps to reinstall again (and then I applied the hotfix above!!). But I'm a little stumped as to what exactly we need to do to make this work. When we set this up a month ago, it worked absolutely fine ... it was only about 2 weeks later that we started to see any problems.
One thing I've noticed is that when I changed the MTU to 1350, if I do a ping to the default gateway (firewall) with the -f option, the highest size packet I can send is approx. 1323, yet the MTU on the firewall (I believe) is 1500.
Can anybody provide any guidance on what I need to do to start troubleshooting this issue? Any help would be really greatly appreciated.
Thanks in advance M
rwilper (Posts: 37), 11/05/2009 4:21 PM
One thing to look at is the size of the PAC in your Kerberos tickets. My guess is that the total packet sizes for some of your users are in a range between 1500 and 1323. Since the VPN encapsulation takes up some packet size, the effective MTU becomes smaller and your tickets are getting fragmented/corrupted/dropped.
In general, I would think that forcing Kerberos to use TCP would be the way to go.
-Ross
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of martin Sent: Wednesday, November 04, 2009 1:39 PM To: activedir@mail.activedir.org Subject: [ActiveDir] [OT] KERBEROS over IPSEC VPN
AD (Posts: 11), 11/05/2009 6:48 PM
Who initiates the VPN connection?
You mentioned that the user logs in with no problems. Probably because the VPN connection has been established and then the user can now see the domain.
The PC also needs to log in to AD. This happens on boot up. If the VPN connection only happens after the user logs in, then the PC never got to update info back to AD.
Have you tried a gpupdate /force after the user has logged in?
Y
________________________________
From: activedir-owner@mail.activedir.org on behalf of Wilper, Ross A Sent: Thu 05/11/2009 11:20 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] [OT] KERBEROS over IPSEC VPN
y2k (Posts: 41), 11/05/2009 8:20 PM
Hi Guys
Thanks for the replies. The VPN is site to site and can be initiated from either side (i.e. branch office site or head office site), however the VPN is configured to re-key itself when the phase 1 lifetime expires. Also, from looking at the firewall logs, the VPN has never been down for the past 3 weeks. So unfortunately the issue isn't as straightforward as that (I wish it were!!)
To answer your question about gpupdate /force ... the first time we had this problem, it worked. However, the second time it happened it didn't.
Ross, we already tried forcing KERBEROS to use TCP as I believed this was the most likely solution also. After trying it on one PC, doing gpupdate /force and restarting, the apps were all installed again. Then we did another restart and the apps were removed again and we were getting the same PAC errors.
On the second PC, the way we fixed this was to reduce the MTU, force KERBEROS to use TCP, restart (for changes to take effect) - we still got PAC errors and also got w32time errors. We removed those 2 settings, restarted again and VOILA ... apps were installed.
I'm sure this has something to do with fragmentation, but I don't know how else to proceed other than reducing the MTU or forcing KERBEROS to use TCP. How do I go about finding out the size of the PAC in the KERBEROS ticket (as Ross suggested)?
I'm also going to look at the NIC drivers in case there are any bugs there that might be causing giant packets etc. But I'm willing to try anything that anybody suggests.
Thanks in advance for any replies
Cheers! M
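The thread's ping -f experiment and the fragmentation question in the last post can be turned into a repeatable check. This is an added example, not code from the list or from anyone in the thread: it binary-searches the largest Don't-Fragment payload the gateway answers (the manual ping -f -l test), converts it to the path MTU, and reports whether a Kerberos message of a given size would fragment as a single UDP datagram. The gateway address is a placeholder, the ICMP/UDP header sizes are standard IPv4 values, and the MaxPacketSize registry key named in a comment is the usual way to force Kerberos over TCP on Windows; the thread itself does not name it.

```python
import platform
import subprocess
from typing import Callable

IP_ICMP_HEADERS = 28   # 20-byte IPv4 header + 8-byte ICMP echo header (ping -l counts data only)
IP_UDP_HEADERS = 28    # 20-byte IPv4 header + 8-byte UDP header

def ping_df_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """True if an echo request with the Don't-Fragment bit and `payload` data bytes is answered.
    Windows flags mirror the thread's test (ping -f -l); the Linux branch is the iputils equivalent."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, capture_output=True, text=True)
    out = (result.stdout + result.stderr).lower()
    return result.returncode == 0 and "needs to be fragmented" not in out and "too long" not in out

def largest_unfragmented_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest DF payload that gets through. `probe(n)` must answer True for
    every n up to the path limit and False above it. Returns -1 if even `lo` fails (host down
    or ICMP filtered), so a blocked path is not mistaken for a tiny MTU."""
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def path_mtu_from_payload(payload: int) -> int:
    """Convert the largest answered ping -l value into the path MTU in bytes."""
    return payload + IP_ICMP_HEADERS

def kerberos_udp_fragments(message_bytes: int, path_mtu: int) -> bool:
    """A Kerberos message sent as one UDP datagram fragments when IP+UDP headers plus the
    message exceed the path MTU. Over TCP the same bytes are split into MSS-sized segments,
    which is what MaxPacketSize=1 (HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters) buys."""
    return message_bytes + IP_UDP_HEADERS > path_mtu

if __name__ == "__main__":
    gateway = "192.0.2.1"  # placeholder: the branch firewall's inside address
    best = largest_unfragmented_payload(lambda n: ping_df_probe(gateway, n))
    if best < 0:
        print("no DF echo reply at all; check ICMP filtering before trusting any MTU figure")
    else:
        mtu = path_mtu_from_payload(best)
        print(f"largest DF payload {best} -> path MTU {mtu}; 1400-byte UDP Kerberos reply fragments: {kerberos_udp_fragments(1400, mtu)}")
```

Probe the far-side domain controller as well as the local gateway: the local hop can pass 1472 while the IPsec tunnel, with its ESP and outer IP overhead, is what actually shrinks the path MTU.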