Kerberos authentication

Printable View

07-02-2007
Jorge Azcuy

Kerberos authentication

This issue is occuring in a Windows 2003 R2 AD environment with Windows XP
SP2 workstations. We have a NAC device that acts as a firewall before a user
is authenticated and the pc passes a security check. Before authentication,
the following ports are open to the 2 Domain Controllers:

TCP: 53,88,123,135,139,389,445,636,1025,1600,1601,3268,3269

UDP: 53,88,135,137,138,389,445,636,3268

TCP 1600 and 1601 are the ports we have limited RPC traffic to according to
http://support.microsoft.com/kb/154596/

Everything works fine, until we set a user's home directory to a mapped
drive on a file server. The following traffic is allowed to the File Server
pre-authentication:

TCP: 135,139,445

UDP: 135,137,138,445

The issue occurs with about 30% of users. The 'Applying Personal Settings'
screen goes on for over 5 minutes, and the following event log errors are
logged:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 2/7/2007
Time: 8:26:59 AM
User: N/A
Computer: xxxxxxx
Description:
The Security System detected an attempted downgrade attack for server
LDAP/Axxxxxxxx.com. The failure code from authentication protocol Kerberos
was "There are currently no logon servers available to service the logon
request.
(0xc000005e)".

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 2/7/2007
Time: 8:26:59 AM
User: N/A
Computer: xxxxxxx
Description:
The Security System could not establish a secured connection with the server
LDAP/xxxxxxxxxx.com. No authentication protocol was available.

When this first occured, I followed the steps on
http://support.microsoft.com/kb/244474 to force Kerberos authentication to
use TCP instead of UDP. For this particular user, this issue was resolved, so
I pushed the registry changes throughout the network.

However, this morning, multiple users reported the same logon issue and
generated the same event log errors even with Kerberos using TCP.

If I remove the Home Directory mapping from the user's profile, everyone can
logon without any problems.

Any help would be greatly appreciated.
07-02-2007
Paul Williams [MVP]

RE: Kerberos authentication

You probably need RPC access to the file server. Do a network sniff and
you'll see there's RPC traffic as well as SMB. You've only catered for the
end-point mapper, not the dynamic ports.

Also, you need to pass Kerberos tickets to the file server. So I would
imagine you need at least 88, unless this all happens over NETLOGON. I'll
have to check and get back to you. Can't you see what's being droped?

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
07-02-2007
Paul Williams [MVP]

RE: Kerberos authentication

Actually, I'm mistaken. I think I was thinking about something else (been
looking at nothing but network traces of the trust creation process for
days). You don't need RPC or Kerberos ports. Which suggests that this issue
is something else. The main culprits, based on a quick search, seem to
suggest SP2 firewall and/ or Dodgy NIC drivers. Take a look at the following
for some suggestions:

--
http://www.eventid.net/display.asp?e...LsaSrv&phase=1
--
http://www.eventid.net/display.asp?e...LsaSrv&phase=1

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
07-02-2007
Jorge Azcuy

RE: Kerberos authentication

Originally, that's what I thought. But the issue is ocurring on a per-user,
not per-workstation basis. Different users logging on to the same PC give
different results.

One of the articles I cited says that users with too many group memberships
may lead to these symptoms, and that may be the case in this environment.

"Paul Williams [MVP]" wrote:

> Actually, I'm mistaken. I think I was thinking about something else (been
> looking at nothing but network traces of the trust creation process for
> days). You don't need RPC or Kerberos ports. Which suggests that this issue
> is something else. The main culprits, based on a quick search, seem to
> suggest SP2 firewall and/ or Dodgy NIC drivers. Take a look at the following
> for some suggestions:
>
> --
> http://www.eventid.net/display.asp?e...LsaSrv&phase=1
> --
> http://www.eventid.net/display.asp?e...LsaSrv&phase=1
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
07-02-2007
Paul Williams [MVP]

RE: Kerberos authentication

Take a peek at %systemroot%\debug\usermode\userenv.log for some additional
info. You might need to enable verbose logging for the best amount of info.

Also, logon as one of the users and list all the groups in their token
(whoami /groups or gpresult /scope user /v) and respond with the number of
groups.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
07-02-2007
Jorge Azcuy

RE: Kerberos authentication

42 groups

From userenv.log when the errors were occuring:

USERENV(284.e54) 08:29:00:437 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(284.e54) 08:32:01:703 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(284.e54) 08:34:06:671 MyGetUserName: GetUserNameEx failed with 10065.
USERENV(284.e54) 08:34:07:203 MyGetUserName: GetUserNameEx failed with 1355.
USERENV(284.e54) 08:34:07:203 ProcessGPOs: MyGetUserName failed with 1355.

And I should have mentioned before that ICMP is enabled to both DC's as well.
12-02-2007
Paul Williams [MVP]

Re: Kerberos authentication

C:\WINNT\ADAM>net helpmsg 1359

An internal error occurred.

C:\WINNT\ADAM>net helpmsg 1355

The specified domain either does not exist or could not be contacted.

C:\WINNT\ADAM>net helpmsg 10065

A socket operation was attempted to an unreachable host.

Looks like name resolution, but could be something weird with the token
size. Have a look at this, and see if you can test whether or not this is
the case.
-- http://support.microsoft.com/?id=327825

Note. This isn't token bloat, but some stupid default in XP:

Normally, you'd jump on DNS or firewall issues, but as this is working for
some but not all users, we have to consider the MaxTokenSize key.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
12-02-2007
Jorge Azcuy

Re: Kerberos authentication

This article says that this situaiton does not apply to Windows XP/2003 -
only 2000.

"Paul Williams [MVP]" wrote:

> C:\WINNT\ADAM>net helpmsg 1359
>
> An internal error occurred.
>
>
> C:\WINNT\ADAM>net helpmsg 1355
>
> The specified domain either does not exist or could not be contacted.
>
>
> C:\WINNT\ADAM>net helpmsg 10065
>
> A socket operation was attempted to an unreachable host.
>
>
> Looks like name resolution, but could be something weird with the token
> size. Have a look at this, and see if you can test whether or not this is
> the case.
> -- http://support.microsoft.com/?id=327825
>
>
> Note. This isn't token bloat, but some stupid default in XP:
>
>
> Normally, you'd jump on DNS or firewall issues, but as this is working for
> some but not all users, we have to consider the MaxTokenSize key.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
>
>
14-02-2007
Paul Williams [MVP]

Re: Kerberos authentication

The default value is larger in XP but can still be too small. Try it.
Here's another one:
-- http://support.microsoft.com/?id=263693

Again, earlier versions of 2k are mentioned because their default was even
smaller.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net