IAS windows 2003 authentication issues

Justin Almli

Jul 29, 2010, 12:02:00 PM
We currently are running IAS on a win2k box handling radius a couple
of policies for VPN access. We were wanting to migrate off win2k to
win2k3 or win2k8. We figured this would be a simple IP swap on the
new machine after NPS was set up on win2k8 or IAS was set up on win2k3.

I first started with win2k8 and could not authenticate. NPS logs were
being written so radius was working. Failure events were written to
the DC's. I was getting unknown username / password. My account
would even be locked out after X amount of attempts. So this tells me
that radius itself was working, but credentials were not passed. I
compared realms and syntax changes with our win2k box and everything
was default. Event logs and NPS logs showed domain/user so
everything seemed normal and in line with the working radius server.
Funny part is that testing a radius client within our network to the
win2k8 box posed no problem.

So, I decided, well, maybe a win2k8 problem, so scrap that build out a
win2k3 box. I first try to import the config with Netsh, but that
errors out. Not sure why. The win2k IAS db version is 0 and the
win2k3 is 7, so it is supposed to work. All my export / import syntax
was correct. But anyway, set up the win2k3 box, and same results. So
I throw down wireshark, and here is basically what I am seeing.

On the win2k box (working) LDAP calls are made after radius
authentication for directory lookup, etc, credentials are passed and
DC's authenticate, and send back the accept request to the SSL vpn
provider. Everything is good. Win2k3 seems to use CLDAP which I have
only seen come up on one trace for some reason.

The only difference between the two boxes and what I think is causing
failure is this: (context ID2 near bottom)
"Ack reason: Abstract syntax not supported (1)"

Anybody have anyyy ideas at all??????? I am out of them.

Frame 37 (158 bytes on wire, 158 bytes captured)
Arrival Time: Jul 29, 2010 09:00:18.763007000
[Time delta from previous captured frame: 0.001184000 seconds]
[Time delta from previous displayed frame: 11.704028000 seconds]
[Time since reference or first frame: 11.704028000 seconds]
Frame Number: 37
Frame Length: 158 bytes
Capture Length: 158 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:dcerpc]
[Coloring Rule Name: DCERPC]
[Coloring Rule String: dcerpc]
Ethernet II, Src: HewlettP_a1:bd:26 (00:08:02:a1:bd:26), Dst: Vmware_ba:36:b3 (00:50:56:ba:36:b3)
Destination: Vmware_ba:36:b3 (00:50:56:ba:36:b3)
Address: Vmware_ba:36:b3 (00:50:56:ba:36:b3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: HewlettP_a1:bd:26 (00:08:02:a1:bd:26)
Address: HewlettP_a1:bd:26 (00:08:02:a1:bd:26)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 172.19.0.7 (172.19.0.7), Dst: 172.19.0.32 (172.19.0.32)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 144
Identification: 0x1bd1 (7121)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x8649 [correct]
[Good: True]
[Bad : False]
Source: 172.19.0.7 (172.19.0.7)
Destination: 172.19.0.32 (172.19.0.32)
Transmission Control Protocol, Src Port: blackjack (1025), Dst Port: sgi-storman (1178), Seq: 1, Ack: 184, Len: 104
Source port: blackjack (1025)
Destination port: sgi-storman (1178)
[Stream index: 7]
Sequence number: 1 (relative sequence number)
[Next sequence number: 105 (relative sequence number)]
Acknowledgement number: 184 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65352
Checksum: 0x1025 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 36]
[The RTT to ACK the segment was: 0.001184000 seconds]
[Number of bytes in flight: 104]
DCE RPC Bind_ack, Fragment: Single, FragLen: 104, Call: 2
Version: 5
Version (minor): 0
Packet type: Bind_ack (12)
Packet Flags: 0x07
0... .... = Object: Not set
.0.. .... = Maybe: Not set
..0. .... = Did Not Execute: Not set
...0 .... = Multiplex: Not set
.... 0... = Reserved: Not set
.... .1.. = Cancel Pending: Set
.... ..1. = Last Frag: Set
.... ...1 = First Frag: Set
Data Representation: 10000000
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Frag Length: 104
Auth Length: 12
Call ID: 2
Max Xmit Frag: 5840
Max Recv Frag: 5840
Assoc Group: 0x0034e3d2
Scndry Addr len: 5
Scndry Addr: 1025
Num results: 2
Context ID[1]
Ack result: Acceptance (0)
Transfer Syntax: 8a885d04-1ceb-11c9-9fe8-08002b104860
Syntax ver: 2
Context ID[2]
Ack result: Unknown (3)
Ack reason: Abstract syntax not supported (1)
Transfer Syntax: 00000000-0000-0000-0000-000000000000
Syntax ver: 0
Auth type: NETLOGON Secure Channel (68)
Auth level: Packet privacy (6)
Auth pad len: 0
Auth Rsrvd: 0
Auth Context ID: 0
Secure Channel Bind ACK Credentials
Unknown1: 0x00000001
Unknown2: 0x00000000
Unknown3: 0x00001000
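
Added example (not part of the original post): a parser for the presentation-context result list of a connection-oriented DCE/RPC Bind_ack, run over a PDU rebuilt from the field values in the dissection above. It assumes the result and reason names from the DCE 1.1 RPC specification and MS-RPCE, where result 3 (shown above as "Unknown (3)") is negotiate_ack, the reply to bind-time feature negotiation, and its reason field carries a feature bitmask rather than a rejection code.

```python
import struct
import uuid

RESULT = {0: "acceptance", 1: "user_rejection", 2: "provider_rejection", 3: "negotiate_ack"}
REJECT = {0: "reason_not_specified", 1: "abstract_syntax_not_supported",
          2: "proposed_transfer_syntaxes_not_supported", 3: "local_limit_exceeded"}
FEATURES = {0x0001: "SecurityContextMultiplexingSupported",  # MS-RPCE feature bits
            0x0002: "KeepConnectionOnOrphanSupported"}

def parse_bind_ack(pdu: bytes) -> list:
    """Return one dict per presentation-context result in a bind_ack PDU."""
    if len(pdu) < 26 or pdu[2] != 12:
        raise ValueError("not a complete bind_ack PDU")
    e = "<" if pdu[4] & 0x10 else ">"         # integer byte order from the drep field
    (addr_len,) = struct.unpack_from(e + "H", pdu, 24)
    off = 26 + addr_len                       # skip the secondary address string
    off += -off % 4                           # the result list is 4-byte aligned
    if off + 4 > len(pdu):
        raise ValueError("truncated before result list")
    count = pdu[off]
    off += 4                                  # n_results plus three reserved bytes
    if off + 24 * count > len(pdu):
        raise ValueError("truncated result list")
    out = []
    for index in range(count):
        result, reason, raw, ver = struct.unpack_from(e + "HH16sI", pdu, off + 24 * index)
        syntax = uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)
        if result == 3:                       # reason is a feature bitmask here
            meaning = [name for bit, name in FEATURES.items() if reason & bit]
        else:
            meaning = [REJECT.get(reason, "unknown")] if result else []
        out.append({"context": index + 1, "result": RESULT.get(result, "unknown"),
                    "meaning": meaning, "transfer_syntax": str(syntax), "syntax_ver": ver})
    return out

# Constructed sample: frame 37's DCE RPC layer rebuilt from the values listed above.
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
SAMPLE = (
    struct.pack("<BBBB4sHHI", 5, 0, 12, 0x07, b"\x10\x00\x00\x00", 104, 12, 2)
    + struct.pack("<HHI", 5840, 5840, 0x0034E3D2)          # frag sizes, assoc group
    + struct.pack("<H5sx", 5, b"1025\x00")                 # secondary address + pad
    + struct.pack("<BxH", 2, 0)                            # two results follow
    + struct.pack("<HH16sI", 0, 0, NDR.bytes_le, 2)        # Context ID[1]
    + struct.pack("<HH16sI", 3, 1, bytes(16), 0)           # Context ID[2]
    + struct.pack("<BBBBI3I", 68, 6, 0, 0, 0, 1, 0, 0x1000)  # auth verifier
)

if __name__ == "__main__":
    for entry in parse_bind_ack(SAMPLE):
        print(entry)
```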
