Whadya find out?
On Wed, Mar 18, 2009 at 10:48 PM, Robert Munn <[email protected]> wrote:
>
> Here is the error that is apparently generated:
>
> "cannot generate sspi context"
>
> Everything we have read says this is a DNS issue and that when DNS is
> misconfigured, Kerberos fails with this message.
>
> We did a test that I think provided us with a possible solution. I had an XP
> user change their DNS to the domain controller, which is also the WINS
> server and has internal DNS entries for a .local zone. That system in turn
> points to the ISP's DNS server.
>
> When the XP user points their DNS at the PDC, everything works, except name
> resolution for their public sites like web and email, because they resolve
> to external addresses that are not accessible from the internal network (due
> to the routing on pfSense).
>
> My proposed solution, which I have not had time to thoroughly test, is to
> point everyone's DNS at the pfSense appliance, and have it point to the
> domain controller first and the ISP DNS second. That allows us to use the
> firewall's DNS forwarder service to override DNS entries for public sites
> with their internal addresses, and still use the PDC for internal name
> resolution.
>
> Going back to the basic problem, Windows 2K users are not affected, so it
> seems like something changed in the trust relationship subsystem between
> Win2K and XP, and XP isn't able to cope with whatever Win2K is trying to do.
> I should know tomorrow whether it works.
>
> On Wed, Mar 18, 2009 at 5:21 PM, Dana <[email protected]> wrote:
>
> > ok. I will try to give the matter a little brainpower and see if that
> > helps. How long does it stay connected before it drops? Does it vary?
> > or is it consistently 3-4 seconds, as if (for example) it connects but
> > then fails some sort of authentication?
> >
> > On Wed, Mar 18, 2009 at 12:32 AM, Robert Munn <[email protected]> wrote:
> > >
> > > Connects but then drops. The weird thing is that only users on Windows XP
> > > are affected.
> > >
> > > Jim, it's definitely working. To be more specific, everything is inside the
> > > firewall on the LAN subnet, so firewall port blocking does not seem to be a
> > > possible cause. I say possible because one previous issue was solved by
> > > turning off NAT reflection.
> > >
> > > I am going to try and get more details tomorrow and will share what I learn.
> > >
> > > On Tue, Mar 17, 2009 at 9:53 PM, Dana <[email protected]> wrote:
> > >>
> > >> what is connectivity issues? Does not connect or the connection is bad?
> > >>
> > >> On Tue, Mar 17, 2009 at 8:38 PM, Jim Davis <[email protected]> wrote:
> > >> >
> > >> >> -----Original Message-----
> > >> >> From: Robert Munn [mailto:[email protected]]
> > >> >> Sent: Tuesday, March 17, 2009 7:45 PM
> > >> >> To: cf-community
> > >> >> Subject: XP connection error
> > >> >>
> > >> >> I have a client that we just helped convert some of their network
> > >> >> infrastructure for. We switched out a Netgear VPN Firewall router for a
> > >> >> Soekris Net5501 running pfSense firewall. Previously, the internal
> > >> >> Windows Domain Controller was providing WINS and DHCP services, and DNS
> > >> >> services were all pointing to their ISP addresses. Now, the pfSense
> > >> >> appliance is providing DNS and DHCP services, and it is pointing to the
> > >> >> company's internal DNS server first and the ISP servers second.
> > >> >>
> > >> >> Mostly this setup works fine, but users who are running Windows XP are
> > >> >> experiencing connectivity issues with some legacy software apps - an
> > >> >> Access database that is linked to an internal SQL Server 2000 instance,
> > >> >
> > >> > Are you sure it's not something simpler - SQL Server usually runs over
> > >> > port 1433, has that port been opened in the new firewall?
> > >> >
> > >> > Jim Davis

Archive: http://www.houseoffusion.com/groups/cf-community/message.cfm/messageid:292369
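A client-side check for the DNS arrangement proposed in the thread, added here as an example and not code from any participant: it confirms that internal names resolve with matching reverse records and that the overridden public sites resolve to LAN addresses. The host names, addresses, the `lan` subnet and the `fake` resolver are constructed placeholders so the check runs offline; leaving out the last two arguments queries the client's real resolver.

```python
import ipaddress
import socket

def system_lookup(name):
    """Forward lookup through the DNS server this client is configured to use."""
    return socket.gethostbyname_ex(name)[2]

def system_reverse(addr):
    return socket.gethostbyaddr(addr)[0]

def check_split_dns(internal_hosts, overridden_sites, lan,
                    lookup=system_lookup, reverse=system_reverse):
    """Return (name, problem) pairs; an empty list means every check passed."""
    lan = ipaddress.ip_network(lan)
    problems = []
    for name in list(internal_hosts) + list(overridden_sites):
        try:
            addrs = lookup(name)
        except OSError:  # socket.gaierror and socket.herror are OSError subclasses
            problems.append((name, "does not resolve"))
            continue
        for addr in addrs:
            if ipaddress.ip_address(addr) not in lan:
                problems.append((name, f"resolves outside the LAN: {addr}"))
            elif name in internal_hosts:
                # Kerberos service names are built from the server's DNS name,
                # so the PTR record should point back at the same name.
                try:
                    ptr = reverse(addr).rstrip(".").lower()
                except OSError:
                    ptr = None
                if ptr != name.lower():
                    problems.append((name, f"{addr} reverses to {ptr}"))
    return problems

# Constructed answers: a client still pointed at the ISP resolver.
ISP_VIEW = {"www.example.com": ["198.18.0.10"]}
# Constructed answers: a client pointed at the forwarder with overrides in place.
FORWARDER_VIEW = {"sql01.corp.local": ["192.168.1.20"],
                  "www.example.com": ["192.168.1.30"]}
PTR = {"192.168.1.20": "sql01.corp.local"}  # constructed reverse zone

def fake(table):
    """Offline stand-in for a resolver call, backed by a dict of constructed answers."""
    def resolve(key):
        if key not in table:
            raise OSError(f"{key} not found")
        return table[key]
    return resolve
```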
