2008 DC refusing to participate in IPSEC (NAP)
Hi all. I have set up a NAP IPsec enforcement network (lab environment). I wanted to add a domain controller to the secure zone to ensure things worked OK, but I get lots of audit failures in server01's security log for main mode, as follows.
ipsec main mode negotiation failed.
local endpoint:
local principal name: -
network address:
keying module port: 500
remote endpoint:
principal name: -
network address:
keying module port: 500
additional information:
keying module name: authip
authentication method: unknown authentication
role: responder
impersonation state: not enabled
main mode filter id: 69824
failure information:
failure point: local computer
failure reason: received invalid authentication offers.
state: no state
initiator cookie: ce57abef24a21be6
responder cookie: 5922e54a3539db49
server01: forest root dc, ca enterprise, 2008-32bit, 5 fsmo roles, wsus
server02: dc, 2008-64bit
nps1: subordinate standalone 2008-64bit, hra, nap policies, etc.
sql: sql server 2008, win 2008-64bit
NAP appears to be working fine. Vista non-compliant cannot access SQL/server02; Vista compliant can access them.
server01 and server02 have got health certificates from the forest root CA via auto-enrolment. I have checked that the certificates are valid.
Connection security rules are applied via Windows Firewall.
When I apply a firewall connection security rule of require inbound/outbound, server01 cannot talk to anything else. Other computers talk fine.
server02 shows:
ipsec main mode negotiation failed.
local endpoint:
local principal name: -
network address:
keying module port: 500
remote endpoint:
principal name: -
network address:
keying module port: 500
additional information:
keying module name: authip
authentication method: unknown authentication
role: initiator
impersonation state: not enabled
main mode filter id: 69799
failure information:
failure point: remote computer
failure reason: received invalid authentication offers.
state: sent first (sa) payload
initiator cookie: 81a8153dea46a6f1
responder cookie: 0000000000000000
Any help on this appreciated.
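As an added example (not from the original post), a small Python triage helper for these Main Mode failure audit entries: it parses the `key: value` fields and states what the fields in the two quoted events imply for a defender. The sample input is constructed from the events above; the `host:` line is an assumed label added for the example.

```python
import re

# Constructed sample: the two audit events quoted above, reduced to the fields
# used here (server01 logged the responder side, server02 the initiator side).
SAMPLE_EVENTS = """\
host: server01
keying module name: authip
authentication method: unknown authentication
role: responder
failure point: local computer
failure reason: received invalid authentication offers.
state: no state
initiator cookie: ce57abef24a21be6
responder cookie: 5922e54a3539db49

host: server02
keying module name: authip
authentication method: unknown authentication
role: initiator
failure point: remote computer
failure reason: received invalid authentication offers.
state: sent first (sa) payload
initiator cookie: 81a8153dea46a6f1
responder cookie: 0000000000000000
"""


def parse_events(text):
    """Split blank-line-separated 'key: value' records into dicts (keys lower-cased)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ":" in line:
                key, val = line.split(":", 1)
                rec[key.strip().lower()] = val.strip()
        events.append(rec)
    return events


def triage(events):
    """Return one finding per symptom, explaining what the failure fields imply."""
    responder_cookies = {e.get("initiator cookie") for e in events if e.get("role") == "responder"}
    findings = []
    for e in events:
        host, role, icookie = e.get("host", "?"), e.get("role"), e.get("initiator cookie")
        if "invalid authentication offers" in e.get("failure reason", ""):
            findings.append(f"{host}: no authentication method acceptable to both peers; compare the "
                            "connection security rule's authentication set on each side and the "
                            "certificate chain each side presents")
        if role == "initiator" and set(e.get("responder cookie", "")) == {"0"}:
            findings.append(f"{host}: responder cookie still all zeros, so the failure was reported "
                            "before a Main Mode SA existed; the peer's responder-side event is authoritative")
        if role == "initiator" and icookie not in responder_cookies:
            findings.append(f"{host}: no responder-side event shares initiator cookie {icookie}; "
                            "these two events describe separate negotiations")
    return findings
```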
Hmmmmmmmmmm....... Disabled the GP-produced firewall rules, created them manually, left authentication on default (didn't work), changed the health certificates, ran the IPsec diagnostic tool, and it started working now..... :)