I have a 2003 DC and a 2003 member server separated by a
firewall that is not doing NAT. I have created an IPSec
transport policy on both servers using source ANY and
destination ANY and mirrored packets is checked and
Kerberos authentication.
I am able to create the tunnel from the DC to the member
server and create an IPSec connection. All traffic flows
fine and I am able to access everything I need to from
both servers.
When I try to create the tunnel from the member
server to the DC, it states in the Security Log that "no
authority could be contacted for authentication".
If I change the authentication to pre-shared keys I can
create the tunnel in both directions. I have IPSec and
ISAKMP open in both directions as well as trying DNS and
Kerberos, both TCP and UDP in both directions.
When I analyze the traffic, I see the member server
queries the DNS server during boot for an LDAP server,
and the DC never responds. I believe this is the issue
because the member server does not know what server to
query for Kerberos authentication.
Any input will be greatly appreciated.
Thanks,
RJ
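The DNS lookup described above is the Windows DC locator: at boot the member server asks DNS for the SRV record `_ldap._tcp.dc._msdcs.<domain>` to find a domain controller, and a matching `_kerberos._tcp.dc._msdcs.<domain>` record to find a KDC. The following script, an added example that is not part of the original post, builds that SRV query on the wire, parses the answer, and reports whether a given DNS server answers at all, which is the symptom the post describes. The domain `example.com`, the host `dc1.example.com` and the embedded response are constructed placeholders; `lookup_dc_srv` is a hypothetical helper name. Run it from the member server against the DC's address to confirm whether the SRV answer ever arrives through the firewall.

```python
"""DNS SRV query builder/parser for the Windows DC locator record.

Added example (not from the original post). Domain, host and the
constructed response below are placeholders, not real data.
"""
import socket
import struct

SRV_TYPE = 33   # DNS record type for SRV
IN_CLASS = 1    # Internet class


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_srv_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive SRV query for `name`."""
    # id, flags (RD=1), qdcount=1, ancount/nscount/arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV_TYPE, IN_CLASS)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, ptr
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_srv_response(msg: bytes):
    """Return (rcode, [srv records]) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                                # skip question section
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = decode_name(msg, offset + 6)
            records.append({"priority": prio, "weight": weight,
                            "port": port, "target": target})
        offset += rdlen
    return rcode, records


def build_constructed_response(question: str, target: str,
                               port: int = 389, txid: int = 0x1234) -> bytes:
    """Constructed sample answer (for offline testing only)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    q = encode_name(question) + struct.pack("!HH", SRV_TYPE, IN_CLASS)
    rdata = struct.pack("!HHH", 0, 100, port) + encode_name(target)
    # answer name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 600, len(rdata)) + rdata
    return header + q + answer


def lookup_dc_srv(dns_server: str, domain: str, timeout: float = 3.0):
    """Live check (hypothetical helper): ask `dns_server` for the DC locator
    SRV record. Returns None when no answer arrives before the timeout,
    which is the behaviour the post observed on the member server."""
    query = build_srv_query(f"_ldap._tcp.dc._msdcs.{domain}")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (dns_server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_srv_response(data)


if __name__ == "__main__":
    # Offline demonstration on the constructed response
    sample = build_constructed_response("_ldap._tcp.dc._msdcs.example.com", "dc1.example.com")
    print(parse_srv_response(sample))
    # Live use on the member server (placeholder address):
    # print(lookup_dc_srv("192.0.2.10", "example.com"))
```

A `None` result from the live lookup means the UDP/53 answer never came back, so the locator cannot find a KDC and Kerberos-authenticated IKE has nothing to contact; a populated record list shows which DC and port the server would use, which is what the firewall must pass.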