Solved, finally. I'll post more details when I have something other than my phone to type on...

On 3/19/09, Michael Grant <[email protected]> wrote:
> Whadya find out?
>
> On Wed, Mar 18, 2009 at 10:48 PM, Robert Munn <[email protected]> wrote:
>
>> Here is the error that is apparently generated:
>>
>> "cannot generate sspi context"
>>
>> Everything we have read says this is a DNS issue and that when DNS is misconfigured, Kerberos fails with this message.
>>
>> We did a test that I think provided us with a possible solution. I had an XP user change their DNS to the domain controller, which is also the WINS server and has internal DNS entries for a .local zone. That system in turn points to the ISP's DNS server.
>>
>> When the XP user points their DNS at the PDC, everything works, except name resolution for their public sites like web and email, because they resolve to external addresses that are not accessible from the internal network (due to the routing on pfSense).
>>
>> My proposed solution, which I have not had time to thoroughly test, is to point everyone's DNS at the pfSense appliance, and have it point to the domain controller first and the ISP DNS second. That allows us to use the firewall's DNS forwarder service to override DNS entries for public sites with their internal addresses, and still use the PDC for internal name resolution.
>>
>> Going back to the basic problem, Windows 2K users are not affected, so it seems like something changed in the trust relationship subsystem between Win2K and XP, and XP isn't able to cope with whatever Win2K is trying to do.
>> I should know tomorrow whether it works.
>>
>> On Wed, Mar 18, 2009 at 5:21 PM, Dana <[email protected]> wrote:
>>
>> > ok. I will try to give the matter a little brainpower and see if that helps. How long does it stay connected before it drops? Does it vary? Or is it consistently 3-4 seconds, as if (for example) it connects but then fails some sort of authentication?
>> >
>> > On Wed, Mar 18, 2009 at 12:32 AM, Robert Munn <[email protected]> wrote:
>> > >
>> > > Connects but then drops. The weird thing is that only users on Windows XP are affected.
>> > >
>> > > Jim, it's definitely working. To be more specific, everything is inside the firewall on the LAN subnet, so firewall port blocking does not seem to be a possible cause. I say possible because one previous issue was solved by turning off NAT reflection.
>> > >
>> > > I am going to try and get more details tomorrow and will share what I learn.
>> > >
>> > > On Tue, Mar 17, 2009 at 9:53 PM, Dana <[email protected]> wrote:
>> > >
>> > >> What is connectivity issues? Does not connect or the connection is bad?
>> > >>
>> > >> On Tue, Mar 17, 2009 at 8:38 PM, Jim Davis <[email protected]> wrote:
>> > >> >
>> > >> >> -----Original Message-----
>> > >> >> From: Robert Munn [mailto:[email protected]]
>> > >> >> Sent: Tuesday, March 17, 2009 7:45 PM
>> > >> >> To: cf-community
>> > >> >> Subject: XP connection error
>> > >> >>
>> > >> >> I have a client that we just helped convert some of their network infrastructure for. We switched out a Netgear VPN Firewall router for a Soekris Net5501 running pfSense firewall. Previously, the internal Windows Domain Controller was providing WINS and DHCP services, and DNS services were all pointing to their ISP addresses. Now, the pfSense appliance is providing DNS and DHCP services, and it is pointing to the company's internal DNS server first and the ISP servers second.
>> > >> >>
>> > >> >> Mostly this setup works fine, but users who are running Windows XP are experiencing connectivity issues with some legacy software apps - an Access database that is linked to an internal SQL Server 2000 instance,
>> > >> >
>> > >> > Are you sure it's not something simpler - SQL Server usually runs over port 1433, has that port been opened in the new firewall?
>> > >> >
>> > >> > Jim Davis
