Windows Thread: SAN won't authenticate against 2008 DC (Technical)
#1 bart21

SAN won't authenticate against 2008 DC

Hi people

We have a NetApp FAS 270 SAN, which has been doing fine authenticating to the 2003 domain controllers.

We have upgraded all the DCs to 2008 except for one. We want to upgrade this one, so switched it off to ensure everything runs smoothly, and it doesn't!

When the 2k3 domain controller is switched off the SAN says it cannot connect to the 2k8 DCs. This is affecting file permissions.

So is there any way to lower the authentication level to the same level as 2003?

nick

#2 3s-gtech
    This may be a firmware issue for the SAN - check to see if an update is available.

(Thanked by bart21, 20th October 2010)

#3 Azhibberd
Any chance you have maybe enabled "LDAP server signing required", which maybe the SAN doesn't support? Although first port of call would be, as gtech said... firmware!


#4 bart21
Thanks for your replies. The SAN is 4 years old. We did, until 2 years ago, have a NetApp support contract which included firmware. The head then refused to pay for it, said it wasn't worth the amount being charged. To obtain firmware now we would have to go back on support, and it's a no from the head.

Surely the problem is that Server 2008 has increased security; can that be set to 2003 level?

If I get my way the SAN will be replaced at the age of 6 years.

thanks

nick

#5 SYNACK
Try disabling all the good LDAP security bits from 2008 as follows:
Server 2008 and NAS
If the issue persists, please try to disable the following security policies for the domain to test:
Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options
Domain Controller: LDAP server signing requirements – NONE
Domain member: Digitally encrypt or sign secure channel data (always) – DISABLED
Domain member: Digitally encrypt secure channel data (when possible) – DISABLED
Domain member: Digitally sign secure channel data (when possible) – DISABLED
Domain member: Require strong (Windows 2000 or later) session key – DISABLED
Microsoft network client: Digitally sign communications (always) – DISABLED
Microsoft network client: Digitally sign communications (if server agrees) – DISABLED
Microsoft network server: Digitally sign communications (always) – DISABLED
Microsoft network server: Digitally sign communications (if client agrees) – DISABLED
Network security: LAN Manager authentication level – Send LM & NTLM, use NTLMv2 if negotiated
If no progress, try the steps below:
Step 1: Enable the group policy "Allow cryptography algorithms compatible with Windows NT 4.0" in the domain.
1) Log on to a Windows Server 2008-based domain controller.
2) Click Start, click Run, type gpmc.msc, and then click OK.
3) In the Group Policy Management console, expand Forest: DomainName, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
4) In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
5) In the Properties dialog box, click the Enabled option, and then click OK.
6) Apply the policy to all DCs.
Or just tell the head that you need that "unnecessary support contract" if he wants to see his documents ever again.
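An added example (my code, not anything posted in the thread) for the procedure above: it reads the value each listed policy actually has on the DC by inspecting the registry value that GPO setting writes, records the current state to a CSV so the weakening can be reversed later, and restores from that CSV on request. It assumes an elevated PowerShell on the Windows Server 2008 DC and the standard registry locations and value meanings for these policies; the CSV path under $env:TEMP is my choice.

```powershell
# Added example; not code from the thread. Audit the policies the post above
# suggests relaxing, save their current values, and restore them on demand.
# Assumptions (mine): elevated PowerShell on the Server 2008 DC; registry
# locations and value meanings below are the standard ones for these policies.

$PolicyMap = @(
    # 1 = None, 2 = Require signing
    @{ Policy = 'Domain controller: LDAP server signing requirements'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'LDAPServerIntegrity'; Relaxed = 1 },
    # Netlogon secure-channel settings: 1 = enabled, 0 = disabled
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RequireSignOrSeal'; Relaxed = 0 },
    @{ Policy = 'Domain member: Digitally encrypt secure channel data (when possible)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'SealSecureChannel'; Relaxed = 0 },
    @{ Policy = 'Domain member: Digitally sign secure channel data (when possible)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'SignSecureChannel'; Relaxed = 0 },
    @{ Policy = 'Domain member: Require strong (Windows 2000 or later) session key'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RequireStrongKey'; Relaxed = 0 },
    # SMB signing: client side lives under LanmanWorkstation, server side under LanmanServer
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'RequireSecuritySignature'; Relaxed = 0 },
    @{ Policy = 'Microsoft network client: Digitally sign communications (if server agrees)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'EnableSecuritySignature'; Relaxed = 0 },
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Relaxed = 0 },
    @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'EnableSecuritySignature'; Relaxed = 0 },
    # 1 = Send LM & NTLM, use NTLMv2 session security if negotiated; 5 = NTLMv2 only, refuse LM and NTLM
    @{ Policy = 'Network security: LAN Manager authentication level'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Relaxed = 1 },
    # Net Logon: Allow cryptography algorithms compatible with Windows NT 4.0 (1 = enabled)
    @{ Policy = 'Allow cryptography algorithms compatible with Windows NT 4.0'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'AllowNT4Crypto'; Relaxed = 1 }
)

function Get-RelaxablePolicyState {
    foreach ($p in $PolicyMap) {
        $current = $null
        try {
            $current = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction Stop).($p.Name)
        } catch {
            # Value absent: nothing has been written by GPO, the OS default applies.
        }
        New-Object PSObject -Property @{
            Policy    = $p.Policy
            Key       = $p.Key
            Name      = $p.Name
            Current   = $current
            Relaxed   = $p.Relaxed
            IsRelaxed = ($current -ne $null -and $current -eq $p.Relaxed)
        }
    }
}

function Restore-PolicyState {
    param([string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        if ($row.Current -eq '') { continue }   # was unset when recorded; leave it unset
        Set-ItemProperty -Path $row.Key -Name $row.Name -Value ([int]$row.Current) -Type DWord
    }
}

$Backup = Join-Path $env:TEMP ('dc-auth-policy-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))
$State  = Get-RelaxablePolicyState
$State | Export-Csv -Path $Backup -NoTypeInformation
$State | Select-Object Policy, Current, Relaxed, IsRelaxed | Format-Table -AutoSize
"Current values saved to $Backup. Restore-PolicyState -Path '$Backup' puts them back."
```

Run it once before touching anything, so the CSV holds the hardened values, and again after `gpupdate /force` to confirm which rows now show IsRelaxed = True. A DC gets these values from the Default Domain Controllers Policy, so a registry write is overwritten at the next policy refresh: make the change in the GPO and treat the CSV as the record of what to put back once the SAN is replaced.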


#6 bart21
Hi

I have tried the above, no luck. I have posted below the SAN admin interface error when trying to see the DCs.

"..Not able to communicate with PDC 10.*.*.15
trying 10.*.*.15...10.*.*.15 is alive
found PDC EXCALIBUR at 10.*.*.12
..Not able to communicate with PDC 10.*.*.17
trying 10.*.*.17...10.*.*.17 is alive
..Not able to communicate with PDC 10.*.*.18
trying 10.*.*.18...10.*.*.18 is alive
..Not able to communicate with PDC 10.*.*.16
trying 10.*.*.16...10.*.*.16 is alive"

As you can see, it can see the 2k3 (EXCALIBUR) but can see the rest, just not connect to them.

Any ideas?

nick

#7 SYNACK
Is it using credentials to access the LDAP server or trying an anonymous connection? And have you checked out the traffic flow using Wireshark to see exactly what it is asking for from the servers that are not responding? It could be trying to use a different port or different version of LDAP or something.


#8 Azhibberd
I'm guessing you have tried turning the firewall off on the DC just to test? Also, have you checked the time and date are right on the SAN? But as it seems fine with the 2003... I'm guessing that's fine.


#9 bart21
Thanks for your reply. Firewall is off and time is fine.

nick

#10 bart21
Hi synack

I think it is using credentials. I will try Wireshark now. Where can I get it?

#11 bart21
Have used Wireshark on both DCs (the 2003 and a 2008).

The problem appears to be a header checksum.

The SAN makes a session request to the 2008, the 2008 replies with the wrong checksum. Wireshark shows an error, which says wrong checksum. This is obviously what is wrong.

The 2k3 sends the correct checksum, which is why it connects.

See pics: excalibur.JPG, peele-ad05.JPG

Anyone any ideas why 2008 is sending the wrong checksum??

thanks nick
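An added example, my code rather than anything from the thread, of what Wireshark computes when it reports a wrong IPv4 header checksum: the RFC 1071 one's-complement sum of the header's 16-bit words, which must come out as zero once the checksum field is included. The 20-byte header below is constructed. It also shows the capture-point caveat a practitioner would want before chasing this: when the sending NIC has checksum offload enabled, a capture taken on that sender sees the packet before the NIC fills the field in, so Wireshark flags it as bad even though the packet on the wire is correct; a capture on the receiving side or a mirror port shows the real value.

```powershell
# Added example; not code from the thread. Recompute an IPv4 header checksum
# as Wireshark does and compare the packet on the wire with the same packet
# as a capture on an offloading sender sees it. Header bytes are constructed.

function Get-InternetChecksum {
    param([byte[]]$Bytes)
    $sum = 0
    for ($i = 0; $i -lt $Bytes.Length; $i += 2) {
        $word = [int]$Bytes[$i] * 256
        if ($i + 1 -lt $Bytes.Length) { $word += [int]$Bytes[$i + 1] }
        $sum += $word
    }
    # Fold carries back into the low 16 bits (end-around carry), then complement.
    while ($sum -gt 0xFFFF) {
        $sum = ($sum -band 0xFFFF) + [int][math]::Floor($sum / 65536)
    }
    return (-bnot $sum) -band 0xFFFF
}

function Set-IPv4HeaderChecksum {
    param([byte[]]$Header)
    $h = [byte[]]$Header.Clone()
    $h[10] = 0; $h[11] = 0                      # checksum field is zero while summing
    $csum = Get-InternetChecksum $h
    $h[10] = [byte][math]::Floor($csum / 256)
    $h[11] = [byte]($csum -band 0xFF)
    return $h
}

function Test-IPv4HeaderChecksum {
    param([byte[]]$Header)
    # With a correct checksum in place the folded sum is 0xFFFF, so the
    # complemented result is 0. This is the check Wireshark performs.
    return (Get-InternetChecksum $Header) -eq 0
}

# Constructed IPv4 header: 192.168.0.1 -> 192.168.0.199, UDP, TTL 64,
# checksum field still zero, exactly as the IP stack hands it to a NIC
# that will compute the checksum in hardware.
$asHandedToNic = [byte[]](0x45,0x00,0x00,0x73,0x00,0x00,0x40,0x00,0x40,0x11,
                          0x00,0x00,0xC0,0xA8,0x00,0x01,0xC0,0xA8,0x00,0xC7)
$onTheWire = Set-IPv4HeaderChecksum $asHandedToNic

$wireChecksum = $onTheWire[10] * 256 + $onTheWire[11]
'Checksum the NIC puts on the wire: 0x{0:X4}; validates: {1}' -f $wireChecksum, (Test-IPv4HeaderChecksum $onTheWire)
'Same packet captured on the sender before offload; validates: {0}' -f (Test-IPv4HeaderChecksum $asHandedToNic)
```

For this header the wire checksum is 0xB861 and validates; the pre-offload copy does not, which is the "incorrect, should be 0xb861" line Wireshark prints. Wireshark's IPv4 protocol preference "Validate the IPv4 checksum if possible" can be switched off to stop the warning, but the decisive test is a capture taken somewhere other than the sending host.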

#12 SYNACK
I'm more interested in why it's trying to use NetBIOS to access the authentication information. How is the delegation set up on the SAN, and can it be set to raw LDAP? It looks like it is trying to use older Windows protocols that are probably disabled or implemented differently. It should be hitting TCP port 389 to grab the information via LDAP.

You could try re-enabling NTLMv1 stuff which may allow the current way to work: Allow Windows Vista, Server 2008 systems to interact with older Samba installations | Network Administrator | TechRepublic.com
http://www.activedir.org/ListArchive...c/Default.aspx

Keep a note of it though, as all of this has got to be poking massive holes in the security of your network servers and you will want to reverse it when you get newer hardware.


#13 nephilim
SYNACK is almost BANG on, as we did what he has stated and our SAN authenticated fine afterwards... we had to shove our ISA up a few notches to fill the gaps that the server had.

Only thing you need to do is you need to open TCP AND UDP port 389, so you can grab the LDAP info, and have it working properly.
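An added example, my code and not anything from the thread or from NetApp, covering the two questions the last posts raise: whether a DC answers on the ports involved (TCP 139 NetBIOS session, 389 LDAP, 445 SMB) and whether its LDAP service still accepts a Negotiate bind that does not sign, which is what "LDAP server signing requirements: Require signing" (post #3) rejects. The DC names are placeholders, the script runs as a domain user from any Windows machine, and it uses the .NET System.DirectoryServices.Protocols classes. A CIFS server that validates NTLM logons over the DC's Netlogon secure channel talks SMB to the DC for that step rather than LDAP, so the SMB ports are checked alongside 389.

```powershell
# Added example; not code from the thread. Check DC reachability on the ports
# the thread discusses and test whether LDAP accepts an unsigned Negotiate bind.
# Assumptions (mine): placeholder DC names; run as a domain user on Windows.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)      # throws SocketException on refusal
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-LdapUnsignedBind {
    param([string]$Server)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $false   # deliberately do not negotiate integrity
    $conn.SessionOptions.Sealing = $false
    try {
        $conn.Bind()                        # current user's credentials
        return 'accepted unsigned bind (server does not require signing)'
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # LDAP result code 8 = strongerAuthRequired: the DC insists on signing
        if ($_.Exception.ErrorCode -eq 8) { return 'rejected: server requires signing' }
        return "bind failed: $($_.Exception.Message)"
    } catch {
        return "bind failed: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

$DCs = @('dc01.example.local', 'dc02.example.local')   # placeholders, not from the thread
foreach ($dc in $DCs) {
    $ports = foreach ($p in 139, 389, 445) { '{0}={1}' -f $p, (Test-TcpPort -Server $dc -Port $p) }
    '{0}: tcp {1}; LDAP bind without signing: {2}' -f $dc, ($ports -join ' '), (Test-LdapUnsignedBind -Server $dc)
}
```

A DC that refuses the unsigned bind has signing required; one that accepts it has the policy at None, so the LDAP signing setting can be ruled in or out without touching Group Policy. UDP 389 carries the CLDAP "LDAP ping" used for DC location and is not covered by a TCP connect test; a Wireshark filter of `udp.port == 389` on the DC shows whether those requests arrive and are answered.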
