Here is the error that is apparently generated: "cannot generate sspi context"

Everything we have read says this is a DNS issue and that when DNS is misconfigured, Kerberos fails with this message. We did a test that I think provided us with a possible solution. I had an XP user change their DNS to the domain controller, which is also the WINS server and has internal DNS entries for a .local zone. That system in turn points to the ISP's DNS server. When the XP user points their DNS at the PDC, everything works, except name resolution for their public sites like web and email, because they resolve to external addresses that are not accessible from the internal network (due to the routing on pfSense).

My proposed solution, which I have not had time to thoroughly test, is to point everyone's DNS at the pfSense appliance, and have it point to the domain controller first and the ISP DNS second. That allows us to use the firewall's DNS forwarder service to override DNS entries for public sites with their internal addresses, and still use the PDC for internal name resolution.

Going back to the basic problem, Windows 2K users are not affected, so it seems like something changed in the trust relationship subsystem between Win2K and XP, and XP isn't able to cope with whatever Win2K is trying to do.

I should know tomorrow whether it works.

On Wed, Mar 18, 2009 at 5:21 PM, Dana <[email protected]> wrote:
>
> ok. I will try to give the matter a little brainpower and see if that
> helps. How long does it stay connected before it drops? Does it vary?
> or is it consistently 3-4 seconds, as if (for example) it connects but
> then fails some sort of authentication?
>
> On Wed, Mar 18, 2009 at 12:32 AM, Robert Munn <[email protected]> wrote:
> >
> > Connects but then drops. The weird thing is that only users on Windows XP
> > are affected.
> >
> > Jim, it's definitely working. To be more specific, everything is inside the
> > firewall on the LAN subnet, so firewall port blocking does not seem to be a
> > possible cause.
> > I say possible because one previous issue was solved by
> > turning off NAT reflection.
> >
> > I am going to try and get more details tomorrow and will share what I learn.
> >
> > On Tue, Mar 17, 2009 at 9:53 PM, Dana <[email protected]> wrote:
> >
> >> what is connectivity issues? Does not connect or the connection is bad?
> >>
> >> On Tue, Mar 17, 2009 at 8:38 PM, Jim Davis <[email protected]> wrote:
> >> >
> >> >> -----Original Message-----
> >> >> From: Robert Munn [mailto:[email protected]]
> >> >> Sent: Tuesday, March 17, 2009 7:45 PM
> >> >> To: cf-community
> >> >> Subject: XP connection error
> >> >>
> >> >> I have a client that we just helped convert some of their network
> >> >> infrastructure for. We switched out a Netgear VPN Firewall router for a
> >> >> Soekris Net5501 running pfSense firewall. Previously, the internal Windows
> >> >> Domain Controller was providing WINS and DHCP services, and DNS services
> >> >> were all pointing to their ISP addresses. Now, the pfSense appliance is
> >> >> providing DNS and DHCP services, and it is pointing to the company's
> >> >> internal DNS server first and the ISP servers second.
> >> >>
> >> >> Mostly this setup works fine, but users who are running Windows XP are
> >> >> experiencing connectivity issues with some legacy software apps - an
> >> >> Access database that is linked to an internal SQL Server 2000 instance,
> >> >
> >> > Are you sure it's not something simpler - SQL Server usually runs over port
> >> > 1433, has that port been opened in the new firewall?
> >> >
> >> > Jim Davis

Archive: http://www.houseoffusion.com/groups/cf-community/message.cfm/messageid:292248
