I have already configured Red Hat 5.5 as a PDC (primary domain controller), and the clients (Windows XP and Windows 2003) can join the realm. The realm name of the Red Hat 5.5 host is EXAMPLE.COM.
Currently, when a client (e.g. Windows 2003) joins EXAMPLE.COM, the packets captured with Wireshark show only NTLM inside the DCERPC protocol and no Kerberos packets at all. The conclusion is that the client does not perform Kerberos authentication.
Next, I want Kerberos authentication to be performed when the client joins the PDC. How can I achieve that?
There is very little material on the keywords "kerberos, PDC, samba" in China. Any help would be sincerely appreciated! Thank you very much in advance!
We are in the process of turning off NTLM in our environment for both inbound and outbound traffic via GPO. In our lab testing we have encountered the following when blocking inbound NTLM on a remote host:
RDP'ing to the remote host with inbound NTLM blocked via cross-forest generated a CredSSP error message.
Setting Encryption Oracle Remediation to either Mitigated or Vulnerable as a workaround did not work.
Turning off NLA on the remote host as a workaround will allow cross-forest RDP.
I have tried applying "Allow delegating fresh credentials" via policy on the remote host, but it is still getting the CredSSP error.
I have also tried setting the policy on the remote host to use SSL for "Require use of specific security layer for remote (RDP) connections", and I still got the same CredSSP error.
What did work is if I try to RDP from the same forest to the remote host, it will allow the connection and I can confirm it is using Kerberos for RDP instead of NTLM.
Another observation is once the same forest RDP worked on the remote host, cross-forest RDP connection on the remote host with the blocked inbound NTLM will now work.
Has anyone encountered something similar like this before?
If so, has anyone found a solution for cross-forest RDP to work on a remote host with blocked inbound NTLM without the need to pre-auth on the remote host in the same forest?
The Encryption Oracle Remediation error is a red herring because it uses the same error code as the NTLM is not available error. Unless you haven't patched in 3 years it'll likely never be the Encryption Oracle Remediation issue. It's really just that it tried to fallback to NTLM and policy said no.
In all likelihood the issue is that the client can't find or communicate with a domain controller to do NLA.
The client must find the user's domain first (domain A). From there it authenticates their password. It then asks to get a ticket to the machine. The machine isn't in the user's domain so it creates a referral ticket to where it thinks the machine is (domain B).
The referral is handed back to the client and the client tries to find a DC to where the referral is supposed to go (domain B). The client sends the referral to domain B and asks for a ticket to the machine. The domain controller either finds the machine and issues a ticket for it, or says it doesn't know and offers a referral to another domain (domain C) and you try again, or it just fails saying no machine can be found.
All of this occurs from the client's perspective, not the target machine's perspective. This happens before the client even pings the target machine (ish). This is why disabling NLA appears to resolve the issue.
So there are a handful of reasons why this happens:
You used an IP address -- this is a straight-to-NTLM scenario. Kerberos doesn't do IP addresses by default. You can turn it on, but it won't scale.
Client can't communicate with a DC in user's domain (domain A). Networking issue, client needs line of sight to domain controller, plus DNS.
Client can't communicate with a DC in the target machine's domain (domain B). Still a networking issue, client needs line of sight to domain controller, plus DNS.
You're not providing a proper fully qualified name and the user's DC can't figure out what forest it should refer to. You can enable Forest Search Order and it'll maybe help, or you can type in the fully qualified machine name.
This isn't an exhaustive list but these are the most common causes.
References:
https://syfuhs.net/windows-and-domain-trusts
https://syfuhs.net/how-authentication-works-when-you-use-remote-desktop
I also had a similar issue when using the DOMAIN\username login; using the UPN (username@domaine.com) worked for me.
My understanding is that using the UPN allows the client to know the DNS domain name, which then allows it to discover the DC of the remote domain through DNS resolution.
NB: my setup was from a workgroup server, so not exactly the same as yours; YMMV.
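The checks the two answers above boil down to (FQDN rather than IP or short name, DNS and TCP/88 line of sight to a DC in both the user's and the target's domain, and whether the KDC chain will actually issue a ticket for the target) as an added PowerShell pre-flight script. It is not part of either answer; it is meant to be run on the RDP client before connecting. The `$Target`/`$UserUpn` parameters and the `TERMSRV/<fqdn>` SPN used for the ticket request are assumptions of this example; the cmdlets are the standard DnsClient, NetTCPIP and klist tools that ship with Windows.

```powershell
# Added example (not from the original answers): cross-forest RDP pre-flight check.
# Run on the RDP client as the user who will connect.
param(
    [Parameter(Mandatory)][string]$Target,   # e.g. host01.corp.example (FQDN, not an IP)
    [Parameter(Mandatory)][string]$UserUpn   # e.g. alice@users.example
)

# 1. An IP literal skips Kerberos and goes straight to NTLM, which the policy now blocks;
#    an unqualified name may leave the user's DC unable to decide which forest to refer to.
$ip = $null
if ([System.Net.IPAddress]::TryParse($Target, [ref]$ip)) {
    Write-Warning "'$Target' is an IP address: Kerberos is skipped and the NTLM fallback is blocked. Use the FQDN."
}
elseif ($Target -notmatch '\.') {
    Write-Warning "'$Target' is not fully qualified; the user's DC may not know which forest to refer to."
}

$userDomain   = ($UserUpn -split '@')[1]          # domain A in the answer above
$targetDomain = ($Target -split '\.', 2)[1]       # domain B (assumes the DNS suffix is the AD domain)

# 2. The client itself needs DNS and a reachable KDC (TCP 88) in BOTH domains, because the
#    referral chain is walked from the client, before the target host is ever contacted.
foreach ($domain in @($userDomain, $targetDomain)) {
    $srv = Resolve-DnsName -Type SRV -Name "_kerberos._tcp.dc._msdcs.$domain" -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'SRV' }
    if (-not $srv) {
        Write-Warning "No KDC SRV record for $domain: DNS cannot locate a DC for that domain from here."
        continue
    }
    foreach ($dc in $srv | Select-Object -First 2) {
        $reachable = Test-NetConnection -ComputerName $dc.NameTarget -Port 88 -InformationLevel Quiet
        "{0,-30} KDC {1,-40} tcp/88 reachable={2}" -f $domain, $dc.NameTarget, $reachable
    }
}

# 3. Ask the KDC chain for a service ticket to the target. If this fails, the RDP client will
#    fall back to NTLM and surface the blocked fallback as the CredSSP error seen in the question.
klist purge | Out-Null
klist get "TERMSRV/$Target"
klist | Select-String -Pattern 'TERMSRV/', 'krbtgt/'
```

If step 3 shows a `krbtgt/<DOMAIN B>` referral ticket and a `TERMSRV/<target>` ticket, the Kerberos path is intact and RDP with NLA should not need NTLM; if it only shows the user's own `krbtgt/<DOMAIN A>` ticket, the failure is in the referral or DC lookup, which the warnings from steps 1 and 2 usually explain.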
I am trying to make sense of the Global discovery mechanism observed in OPC UA.
1) The specification says it is useful to find servers in an administrative domain. Just to clarify, does "administrative domain" here mean the top level of the automation pyramid? The office level? Or does it mean that it can be used to find servers across different networks?
2) I understand that the GDS provides facilities for certificate management. Ignoring the certificate management benefits of the GDS for now, I would like to know how different a discovery it would be from multicast subnet discovery,
because, according to the GDS Overview, all of it is happening inside a single LAN.
3) In the same link, does it mean that there are 3 hosts? Host A has the LDS ME and the server, which registers with its local LDS ME. Another host, Host B, has only an LDS ME running on it. So Host A and Host B communicate via mDNS and each other's cache is updated with records. Now the GDS, which is on Host C, is also on the same LAN. The LDS ME of Host B registers with the GDS. The GDS then calls FindServersOnNetwork on the LDS ME, thus enabling it to find the details of all the servers.
4) How will an external client be able to see the records of the GDS? I understand the specification says to use a service ("QueryServers").
How will it be different from the LDS ME?
We get the same result from multicast subnet discovery as well.
Please let me know. I am looking forward to any guidance.
Regards,
Rakshan
Ad 1. The administrative domain can be just about anything. It can be all the things you mentioned, or something else. It depends on the requirements there are for the system.
Ad 2. No, the GDS clients do not have to be on the same LAN.
Ad 3. In the most general case, the picture you are referring to has 4 hosts (the 3 you have listed, plus a 4th one for the Client). Your description is otherwise correct except for this part: "Now the GDS, which is on Host C, is also on the same LAN." The GDS can be on a different LAN. There will be multiple "Host B"s, one for each LAN that is "served" by the GDS.
Ad 4. An external client connects to a public endpoint of the GDS using normal OPC UA, and calls GDS and CM-related UA methods (not services) described in Part 12 of the UA specification, such as, yes, QueryServers, and more. The main difference from the LDS is that the client can get information about all servers in the administrative domain, not just those that are on its own LAN (or on the LAN it specifically connects to).
I am urgently looking for a solution to a mess at my client's site. They have a LAN with some 50 computers, and their main server is Windows Server 2008 R2 under SBS 2011. They needed a paid SSL certificate renewal and we did it, using a multi-domain SSL certificate with 4 alternate DNs, so as to cover all SBS needs (autodiscover, mail, remote, www).
But the previous SSL certificate was SHA1 with a SHA1 root, and the new one is SHA2 with a full SHA2 root. And SBS 2011 has problems with that; it was screaming and fighting against it, but finally, with all ROOT and INTERMEDIATE certificates and some help from the Exchange PowerShell, we did it. All working well.
BUT PROBLEM
During the 5-hour SSL install process we obviously messed up some deep Windows authentication mechanism, because now none of the LAN computers can access the internet. Neither with Firefox, Chrome nor IE, any version, any OS, Windows 7 or Windows 10: nobody can access any web page, neither HTTP nor HTTPS.
Errors are "Connection lost", "The page cannot be displayed" and such.
No proxy is in use.
BUT I can ping "www.google.com" and I get the proper IP.
Pinging www.google.com [216.58.211.132] with 32 bytes of data:
Reply from 216.58.211.132: bytes=32 time=46ms TTL=53
Reply from 216.58.211.132: bytes=32 time=46ms TTL=53
AND all Outlooks work fine (with internal Exchange), mail goes out and in, no problem.
Just no internet/web for anyone.
EDIT: It seems there is just no HTTP access! HTTPS sites are accessible.
Any idea?
Just as the problem was weird and never heard of, so was the solution: rebooting both the SBS and the other local DNS server, along with the router/firewall, solved the problem.
I guess there was a conflict on the TCP/IP encryption layer, either on DNS or more likely on the firewall/router.
I want to use this as a proxy server to connect many different clients with servers. Here is what I'm looking to do:
The server software on a user's computer would connect to a proxy server that is running on a VPS. It would pass in some kind of Key or authentication info to identify itself and then would maintain a persistent TCP connection to the proxy server.
A client application running on a mobile device or another computer would connect to the proxy server and pass in some kind of key or authentication info. The proxy server would match the connection between the client and server based on their authentication info, and then forward all data back and forth between the connections.
The proxy server would need to be able to handle multiple clients and servers connecting to it at once and use the authentication info to pair them up. There could be multiple clients connecting to the same server at the same time too. The connection from the client and server would both be outbound so that they are not blocked by firewalls. I wrote the client and server software, so I can make them work with any specific proxy.
What is the name of this kind of proxy server? And can anyone recommend any?
Thanks!
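What the question describes is usually called a rendezvous or relay server (the pattern behind reverse-tunnel tools: both ends dial out, the relay pairs them). Below is an added, minimal implementation of exactly that pairing and forwarding logic; it is not part of the original post or of any product. Its assumptions: each connection starts with one hello line, `SERVER <token>` or `CLIENT <token>`; a server that wants to serve N clients at once pre-opens N outbound connections with the same token; and the relay listens behind TLS in a real deployment (TLS is not shown). The relay keys its registry on a SHA-256 digest of the token, so the shared secret itself is never stored, and it answers "no server" identically for an unknown token and for a known token with no idle server, so the token space cannot be probed.

```python
"""Added example: a rendezvous relay that pairs outbound connections by shared token.
Both the user's 'server' and the 'client' dial out to the relay, so neither needs an
inbound firewall rule. The hello line format and the token scheme are assumptions of
this example; run the relay behind TLS in practice."""
import asyncio
import hashlib
from collections import defaultdict, deque


def token_id(token: str) -> bytes:
    """Key the registry on a digest so the relay never stores the token itself."""
    return hashlib.sha256(token.encode()).digest()


def parse_hello(line: bytes):
    """First line on every connection: b'SERVER <token>' or b'CLIENT <token>'.
    Returns (role, token digest), or None if the hello is malformed."""
    parts = line.strip().split(b" ", 1)
    if len(parts) != 2 or parts[0] not in (b"SERVER", b"CLIENT") or not parts[1]:
        return None
    return parts[0].decode(), hashlib.sha256(parts[1]).digest()


class Registry:
    """Parked (idle) server connections per token digest; each client claims one.
    A server that wants N concurrent clients pre-opens N connections."""

    def __init__(self):
        self.idle = defaultdict(deque)

    def add_server(self, tid: bytes, conn) -> None:
        self.idle[tid].append(conn)

    def take_server(self, tid: bytes):
        queue = self.idle.get(tid)
        if not queue:
            return None
        conn = queue.popleft()
        if not queue:
            del self.idle[tid]
        return conn


async def pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes one way, closing the far side when this side hits EOF."""
    try:
        while data := await src.read(65536):
            dst.write(data)
            await dst.drain()
    finally:
        dst.close()


async def handle(reg: Registry, reader, writer) -> None:
    try:
        hello = await asyncio.wait_for(reader.readline(), timeout=10)  # slow-loris guard
    except asyncio.TimeoutError:
        writer.close()
        return
    parsed = parse_hello(hello)
    if parsed is None:
        writer.close()
        return
    role, tid = parsed
    if role == "SERVER":
        reg.add_server(tid, (reader, writer))   # park until a client claims it
        return
    peer = reg.take_server(tid)
    if peer is None:   # unknown token or no idle server: same answer either way
        writer.write(b"ERR no server\n")
        await writer.drain()
        writer.close()
        return
    sreader, swriter = peer
    writer.write(b"OK\n")
    swriter.write(b"OK\n")
    await asyncio.gather(writer.drain(), swriter.drain())
    await asyncio.gather(pump(reader, swriter), pump(sreader, writer))


async def demo() -> bytes:
    """Run the relay on a loopback port and push one request/reply through it."""
    reg = Registry()
    relay = await asyncio.start_server(lambda r, w: handle(reg, r, w), "127.0.0.1", 0)
    port = relay.sockets[0].getsockname()[1]
    sr, sw = await asyncio.open_connection("127.0.0.1", port)   # the user's "server" dials out
    sw.write(b"SERVER s3cret-token\n")
    await sw.drain()
    await asyncio.sleep(0.1)   # let the relay park the server connection before a client asks
    cr, cw = await asyncio.open_connection("127.0.0.1", port)   # a mobile "client" dials out
    cw.write(b"CLIENT s3cret-token\n")
    await cw.drain()
    await cr.readline()        # b"OK\n"
    await sr.readline()        # b"OK\n"
    cw.write(b"ping\n")
    await cw.drain()
    sw.write(b"pong:" + await sr.readline())   # the server echoes what the client sent
    await sw.drain()
    reply = await cr.readline()
    cw.close()
    sw.close()
    relay.close()
    return reply


def run_demo() -> bytes:
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())   # b'pong:ping\n'
```

The registry is the only state the relay keeps; a parked server connection that drops before a client claims it is only noticed when a client is paired with it and the first `pump` hits EOF, which is acceptable for this example but would want a keepalive in production.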
I want to create a mail server, but my ISP does not allow a reverse IP record, so I ordered a VPS with that function. But I want to use the VPS only as a relaying server and my own server as the actual mail server (so it should have things like webmail and some other things). I did not find any guides, but it looks like the VPS would be called a "smart host". So I installed Axigen on my server, but it requires a login and password for connecting to a smart host. I tried to use Postfix for relaying but I did not figure out how to configure it properly. What are my options?
Thank you!
To securely enable Postfix as a mail forwarding server, you'll have to enable and configure SASL authentication. The Postfix SASL README has all the details. I suggest Dovecot as the backend, as it's the simplest to set up. After that, just create a new system user (adduser mail-forwarding) and configure Axigen to use that user for forwarding.
If I understand correctly, your goal is to forward outgoing mail from your local server to the VPS, while incoming mail should be stored on the local server. This is possible, but not necessarily simple. Mail needs to be handled differently depending on how it reaches your local server, otherwise you might end up with a mail loop, with your servers playing ping-pong with mail sent back and forth.
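The configuration the two answers above describe (Postfix on the VPS authenticating relay clients through Dovecot's SASL socket, a dedicated system user for the forwarding login, and the VPS never treating the domain as local so the loop the second answer warns about cannot start) as an added example. It is not from either answer; the hostname `vps.example.com`, the certificate paths and the submission port are assumptions, and `mail-forwarding` is the user the first answer suggests creating with adduser. The Axigen side only needs the smart host, port, user and password that the last block shows for a Postfix client.

```ini
# ---- On the VPS: /etc/postfix/main.cf (added example, not from the answers) ----
myhostname = vps.example.com
# Empty on purpose: the VPS is a relay, not a final destination. Listing the
# mail domain here (or on the local server as a relay) is what produces mail loops.
mydestination =
# SASL through Dovecot's auth socket; only the "mail-forwarding" system user needs to exist
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# Never expose AUTH on a plaintext session
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/vps.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/vps.example.com/privkey.pem
# Relay only for authenticated clients; anything else must be for a local domain (none)
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination

# ---- On the VPS: /etc/postfix/master.cf, submission listener for the local server ----
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# ---- On the VPS: /etc/dovecot/conf.d/10-master.conf, hand the auth socket to Postfix ----
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
# /etc/dovecot/conf.d/10-auth.conf; the default PAM passdb then validates the system user
auth_mechanisms = plain login

# ---- On the local server, if it runs Postfix (same values go into Axigen's smart-host screen) ----
# /etc/postfix/main.cf
relayhost = [vps.example.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
# /etc/postfix/sasl_passwd (then run: postmap /etc/postfix/sasl_passwd; chmod 600 it)
[vps.example.com]:587 mail-forwarding:CHANGE-ME
```

After restarting both daemons, `openssl s_client -starttls smtp -connect vps.example.com:587` followed by `EHLO test` should list `AUTH PLAIN LOGIN` only inside the TLS session, and an unauthenticated `RCPT TO` for an outside domain on port 25 should be refused with "Relay access denied", which confirms the VPS will forward mail only for the authenticated local server.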