Cisco Support Community
Community Member

Windows 2000 domain Authentication over PIX VPN tunnel

Hi,

I set up an IPsec VPN tunnel between the corporate network, using Checkpoint NG FP1, and a branch office running a PIX 501 (version 6.1). The client machines behind the PIX are not NATed when passing through the tunnel but are NATed when accessing the Internet. The tunnel seems to work fine except for users trying to authenticate from Win2k Pro machines behind the PIX 501 to domain controllers behind the Checkpoint firewall. When I try to log in from one of the Win2k client machines it takes forever to log in. I checked the security event logs on the domain controller and they show that my login was validated.

I tried disconnecting the PIX and accessing the servers directly, and domain authentication works fine.

Any suggestions in this regard are greatly appreciated.

thanks

KSK

5 REPLIES
Community Member

Re: Windows 2000 domain Authentication over PIX VPN tunnel

One thing to check is that you are letting protocol 50 (ESP) through the PIX. Just a thought:

access-list acl_out permit 50 any any

or whatever your rules are.

Scaggs

Community Member

Re: Windows 2000 domain Authentication over PIX VPN tunnel

I have no ACL on the outside to allow the ESP protocol. I followed the Cisco documentation and it does not mention anything about letting the ESP protocol in on the outside interface.

Community Member

Re: Windows 2000 domain Authentication over PIX VPN tunnel

Community Member

Re: Windows 2000 domain Authentication over PIX VPN tunnel

Windows authentication is done by Kerberos, as the PCs are in a trusted domain. Is there a way not to encrypt Kerberos traffic in the PIX-to-Checkpoint IPsec tunnel, so that authentication is done much more quickly than it is happening now?

All suggestions are welcome

Community Member

Re: Windows 2000 domain Authentication over PIX VPN tunnel

I had a customer with a similar problem. The users in his AD with lots of rights and/or that were members of lots of groups did not authenticate correctly over VPN. The reason for this was that the Kerberos packet became too big and had to get fragmented.

As Kerberos by default uses UDP, there can be problems when fragmenting the packets; all routers and other devices between the client and the server may not allow UDP fragmentation.

I got a tip from Microsoft to use TCP for Kerberos authentication instead. This was done by the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Value Name: MaxPacketSize

Data Type: REG_DWORD

Value: 1

A similar change has to be done on the client, but I do not have that key (MS probably does...)

Please let me know if this worked, as my customer did not try the tip from Microsoft... :(

//Tomas
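To make the fragmentation argument in the reply above concrete, here is a small added model of the two effects involved: the extra bytes ESP tunnel mode adds to every inner packet (which lowers the MTU available to the Kerberos datagram), and the Windows 2000 rule that Kerberos uses UDP as long as the message fits MaxPacketSize (default 2000 bytes) and switches to TCP otherwise, so that MaxPacketSize=1 forces TCP. This is example code written for this page, not anything from Cisco, Microsoft or the poster. The 3DES/HMAC-96 ESP overhead, the 1500-byte outer MTU and the 1380-byte TCP MSS (the PIX `sysopt connection tcpmss` default, check yours with `show sysopt`) are assumptions chosen to match a typical PIX 6.x tunnel; the message sizes fed to it are constructed, not measured.

```python
"""Why a large Kerberos reply fragments over an IPsec tunnel, and why TCP avoids it.

Added example for this thread; all sizes are assumptions typical of a PIX 6.x
3DES/HMAC-96 tunnel, not values taken from the poster's network.
"""
import math

ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length (1) + next-header (1)
IP_HDR = 20
UDP_HDR = 8
TCP_HDR = 20


def esp_tunnel_outer_len(inner_ip_len, iv_len=8, block=8, icv_len=12, outer_ip_hdr=IP_HDR):
    """On-the-wire size of one inner IP packet after ESP tunnel-mode encapsulation.

    Assumes a CBC cipher with an 8-byte block and IV (3DES) and a 96-bit ICV.
    """
    padded = math.ceil((inner_ip_len + ESP_TRAILER) / block) * block
    return outer_ip_hdr + ESP_HDR + iv_len + padded + icv_len


def max_inner_ip_len(outer_mtu=1500, **esp_params):
    """Largest inner IP packet that still fits in a single outer frame."""
    n = outer_mtu
    while esp_tunnel_outer_len(n, **esp_params) > outer_mtu:
        n -= 1
    return n


def kerberos_transport(msg_len, max_packet_size=2000):
    """Windows 2000 client rule: UDP while the message fits MaxPacketSize, else TCP.

    With MaxPacketSize=1 (the registry tip in the reply) every real message is
    larger than the limit, so the client always uses TCP.
    """
    return "udp" if msg_len <= max_packet_size else "tcp"


def udp_fragments(msg_len, inner_mtu):
    """Number of IP fragments a UDP datagram of msg_len payload bytes needs."""
    payload = UDP_HDR + msg_len             # UDP header travels in the first fragment
    if IP_HDR + payload <= inner_mtu:
        return 1
    per_frag = (inner_mtu - IP_HDR) // 8 * 8  # fragment data is a multiple of 8 bytes
    return math.ceil(payload / per_frag)


def analyse(msg_len, max_packet_size=2000, outer_mtu=1500, tcp_mss=1380):
    """How one Kerberos message of msg_len bytes crosses the tunnel."""
    inner_mtu = max_inner_ip_len(outer_mtu)
    transport = kerberos_transport(msg_len, max_packet_size)
    if transport == "tcp":
        # TCP cuts the message into MSS-sized segments; with the MSS clamped
        # below the inner MTU none of them needs IP fragmentation.
        pieces = math.ceil(msg_len / tcp_mss)
        fragmented = IP_HDR + TCP_HDR + tcp_mss > inner_mtu
    else:
        pieces = udp_fragments(msg_len, inner_mtu)
        fragmented = pieces > 1
    return {"transport": transport, "pieces": pieces,
            "fragmented": fragmented, "inner_mtu": inner_mtu}


if __name__ == "__main__":
    # Constructed reply sizes: a small ticket, a ticket for a user in many groups,
    # and the same large ticket once MaxPacketSize=1 forces TCP.
    for msg_len, mps in ((900, 2000), (1800, 2000), (1800, 1)):
        r = analyse(msg_len, max_packet_size=mps)
        print(f"{msg_len:5d} bytes, MaxPacketSize={mps:<4d} -> {r['transport']}, "
              f"{r['pieces']} piece(s), fragmented={r['fragmented']}")
```

The middle case is the one the reply describes: an 1800-byte Kerberos reply is under the 2000-byte default, so the client stays on UDP, but the tunnel only carries 1446-byte inner packets, so the datagram arrives as two IP fragments that every hop in between has to pass and the receiver has to reassemble. Forcing TCP turns the same reply into two ordinary segments that fit the tunnel without fragmentation.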
