Hello Devan,

I've seen slow authentication when clients authenticate over a firewall and not all 
ports needed are available. If the W2k+ client takes about 15 minutes then it is that 
issue. The client tries to log on, receives a message from the DC which also tells him 
that he's in an AD domain. Then he tries to authenticate against the AD but is unable 
to b/c ports needed are not available. After about 15 minutes he falls back to the 
NT logon and succeeds.

If you had issues with the MTU size, the first thing affected would be 
replication, so I doubt this.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

----- Original Message -----
    From: "Devan Pala"<[EMAIL PROTECTED]>
    Sent: 02.08.04 16:41:33
    To: "[EMAIL PROTECTED]"<[EMAIL PROTECTED]>
    Subject: [ActiveDir] VPN & Authentication
    Hi all,
    
    We have a remote (satellite) office that does not have any local DCs as it's 
    only temporary.
    
    The office is set up to connect to one of the other main offices (which is a 
    spoke) in the overall scheme of things. 2 Nortel VPN appliances on either 
    end of the network provide connectivity and are configured to provide DHCP 
    and other client options such as DNS (DCs in the main site) through DHCP. 
    There is also a Netscreen firewall behind these VPN appliances.
    
    We have been successful in replicating the issue from where I am situated 
    but unfortunately cannot make any changes on the AD servers until we have 
    another test site up in the event we need to make registry changes etc. on 
    them.
    
    The issue is very very slow authentication, GPOs may or may not execute. 
    Searching on Google I have only been able to find very minimal information 
    related to Kerberos and packet sizes (MTU) etc. Has anyone run into a 
    similar issue or knows of a workaround?
    
    P.S. The remote network has been configured in Sites and Services pointing 
    to the main office site.
    Interestingly enough though the DCs may or may not authenticate clients, at 
    times they would end up being authenticated by the central hub site!

[Message truncated. Tap Edit->Mark for Download to retrieve the rest of the 
message.]

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
