active directory / kerberos / LSA

wuboy

Member
Feb 28, 2002
59
0
0

This is a question for the microsoft administrators.

I'm having a problem with my current setup. I am not too proficient in microsoft server administration, so please bear with me.

I am putting a firewalled server, and trying to allow and control external workstations to access the 2k server running active directory. I have a separate DNS server that contains the SRV records that point to the 2k server. Now, with this setup, I have added machines to the domain, and I am able to log in to the directory, with some small problems.

First, the length of time it takes to login is extremely long, maybe 10-15 minutes. In the end, the user is logged in and running "set" at the command prompt shows that it is logged into the 2k server. However, the group policies that I have applied do not show up, whereas putting a machine on the same side of the server, the group policy would show up.

If I run a packet sniffer on the firewall, I see that the Kerberos authentication does not go through, as it has some KRB ERROR. Additionally, the LSA (Local Security Authentication) doesn't seem to work. This is probably the reason why the group policies are not working either.

I am just wondering whether there is anyone out there who has previous experience setting up Active Directory and has had similar problems. Even if you never had problems like these (I have an extremely unique setup here which is unavoidable), I would appreciate the help.

Thanks in advance!

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Running a full authentication to an AD through a firewall requires about a dozen ports open, and some special configuration on the server (for RPC).

Off the top of my head, you need to have: 53 (dns), 88 (kerberos), 135 (rpc), 1026(configurable for RPC), 389 (LDAP), and some others. If you need the detail, MS does have something in their knowledge base, or LMK and I'll try and dig up the doc.

wuboy

Member
Feb 28, 2002
59
0
0
Originally posted by: Woodie
Running a full authentication to an AD through a firewall requires about a dozen ports open, and some special configuration on the server (for RPC).

Off the top of my head, you need to have: 53 (dns), 88 (kerberos), 135 (rpc), 1026(configurable for RPC), 389 (LDAP), and some others. If you need the detail, MS does have something in their knowledge base, or LMK and I'll try and dig up the doc.

Woodie:

Have you done something like this before?

I already have these ports open. Off the top of my head also, 53, 88, 135, 389, 445, 464, 3268, 3269... I'm not sure about 1026 though, maybe that could be it?

The speed issue is still my biggest concern, and I haven't figured out how to speed up the login process.

Any help would be beneficial! THANKS!

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
I'll have to dig up the doc on Monday.

The 1026 is a special deal. When the client passes the RPC request on 135, the server responds and randomly assigns a high port (starting at 1026) for the session. There's a reg poke on the DC, that limits what ports can be used for the RPC sessions, so that you can configure your firewall to match. Basically, you tune down the number of open ports, based on your expected volume of logins.

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
It's a very risky situation you've set up there. You might as well have no firewall at all, with those ports open.
If all these remote clients are located in a central area, you should really install a DC there.
If not, you should consider a VPN.

wuboy

Member
Feb 28, 2002
59
0
0

Woodie - thanks, the doc would be helpful. I am still stuck in the mud with this situation.

Saltin - I wish I could abandon this setup, but it is out of my control as the "higher-ups" of my department are not allowing some stuff to exist on our network.

To sum up, I'm having extremely long login times, and I am not sure what this is a function of, the DNS or the Active Directory configuration itself. After login, the workstation is logged into the domain, but the group policies are not applied.

Thank you all!