I ran into problems when I first started testing ipsec. Anytime I tried to
use ipsec where domain controllers were involved, the domain user could not
log on to the domain computer after rebooting [cached logons were disabled].
The reason is that the domain controllers are also the KDC, and the computer
could not authenticate with the domain controller because the domain
controller insisted on authentication before allowing communications, which
made authentication impossible. So then I tried using a request ipsec policy
for the domain controller, and it still would not work. Creating exemptions
for the ports/protocols used for authentication did not work, and even if
they did, you would make the ipsec policy almost useless for any degree of
protection by creating that many exemptions, as ports 139/445 TCP are also
used during authentication. This all happened when Windows 2000 was fairly
new and there was no documentation that warned about this configuration.
That has since changed, and Microsoft considers using ipsec to secure
communications between domain controllers and domain members to be not
recommended and not supported, which means they will not help you with
problems resulting from it. The links below explain more. The same
behavior has been seen in Windows 2003 even if you try to use certificate
authentication for traffic between domain members and domain controllers,
though the KB article does not mention that, and I see the same results
whether the ipsec policy is configured locally or by Group Policy. If you can
get it to work and can confirm that ipsec is being used [ESP] for traffic
between domain computers and domain controllers without any problems,
including after computer reboots with cached logons disabled, be sure to let
me know! --- Steve
http://tinyurl.com/7q3bz -- link to newsgroup discussion about ipsec with
domain controllers.
http://support.microsoft.com/default.aspx?scid=kb;en-us;q254949
We support the use of IPSec to encrypt network traffic in end-to-end
client-to-client, client-to-server, and server-to-server implementations
when you use either Kerberos computer authentication or when you use
certificate-based computer authentication. Currently, we do not support
using IPSec to encrypt network traffic from a domain member server to a
domain controller when you apply the IPSec policies by using Group Policy or
when you use the Kerberos authentication method.
From another Microsoft Source - the Windows 2003 Server Deployment Kit
******
IPSec is based on the authentication of computers on a network;
therefore, before a computer can send IPSec-protected data, it must be
authenticated. The Active Directory security domain provides this
authentication using the Kerberos protocol. Accordingly, when IKE uses
Kerberos to authenticate, the Kerberos protocol and other dependent
protocols (DNS, UDP LDAP and ICMP) are used for communication with domain
controllers. Additionally, Active Directory-based IPSec policy settings
are typically applied to domain members through Group Policy. As a
result, if IPSec is required from domain members to the domain
controllers, authentication traffic will be blocked and IPSec
communications will fail. In addition, no other authenticated connections
can be made using other protocols, and no other IPSec policy settings can
be applied to that domain member through Group Policy. For these reasons,
using IPSec for communications between domain members and domain
controllers is not supported.
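The deadlock Steve and the Deployment Kit describe is a dependency-ordering problem: IKE wants a Kerberos ticket, the ticket needs cleartext traffic to the domain controller, and a "require IPsec" policy on the domain controller drops that cleartext. The following is an added example, not code from the post or from Microsoft; it models that chain as a small dependency graph and computes which flows would have to be exempted before IKE could even start. The flow names and edges are constructed assumptions for illustration (only the port numbers are the well-known ones), and the "139/445 during authentication" edge comes from Steve's observation above.

```python
# Added example (not from the post or from Microsoft): a model of the
# IPsec/Kerberos bootstrap deadlock between a domain member and its DC.
# All names and edges are constructed assumptions for illustration.
from typing import Dict, FrozenSet, Set

# Port-level flows a domain member sends to its domain controller (assumed).
CONCRETE_FLOWS: FrozenSet[str] = frozenset({
    "kerberos(88)", "dns(53)", "ldap(udp/389)", "icmp",
    "smb(tcp/445)", "netbios(tcp/139)", "ike(udp/500)",
})

# Dependency edges: a key can only happen once every flow in its value set
# has been deliverable. Edges follow the Deployment Kit quote (Kerberos plus
# DNS, UDP LDAP and ICMP to reach the DC) and Steve's note that 139/445 TCP
# are also exercised during authentication. Constructed for this example.
DEPENDS: Dict[str, FrozenSet[str]] = {
    "ike(udp/500)": frozenset({"computer-authentication"}),
    "computer-authentication": frozenset({
        "kerberos(88)", "smb(tcp/445)", "netbios(tcp/139)"}),
    "kerberos(88)": frozenset({"dns(53)", "ldap(udp/389)", "icmp"}),
}


def prerequisites(flow: str) -> Set[str]:
    """Transitive closure of everything that must succeed before `flow`."""
    seen: Set[str] = set()
    stack = list(DEPENDS.get(flow, ()))
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(DEPENDS.get(current, ()))
    return seen


def required_exemptions() -> Set[str]:
    """Port-level flows that must cross in the clear before IKE can start."""
    return prerequisites("ike(udp/500)") & CONCRETE_FLOWS


def ike_can_negotiate(exempt: Set[str], require: bool = True) -> bool:
    """Under a 'require' policy cleartext is dropped, so IKE can only begin
    once every prerequisite flow is exempted. With no IPsec requirement
    there is nothing to block the bootstrap."""
    if not require:
        return True
    return required_exemptions() <= exempt


def still_protected(exempt: Set[str]) -> Set[str]:
    """DC-bound flows the policy still protects after the exemptions.
    IKE itself is always cleartext, so it is never counted as protected."""
    return set(CONCRETE_FLOWS - exempt - {"ike(udp/500)"})


if __name__ == "__main__":
    print("IKE with no exemptions:", ike_can_negotiate(set()))
    needed = required_exemptions()
    print("Exemptions needed before IKE can start:", sorted(needed))
    print("IKE with those exemptions:", ike_can_negotiate(needed))
    print("DC-bound flows left protected:", sorted(still_protected(needed)))
```

Run as-is, the model reports that IKE cannot negotiate with an empty exemption list, that six flows (Kerberos, DNS, UDP LDAP, ICMP, SMB 445 and NetBIOS 139) would all have to be exempted first, and that after exempting them nothing DC-bound in the model is left protected, which is the "almost useless" outcome the post describes. The same closure function is handy when reviewing any "require" policy: compute the cleartext prerequisites of the authentication method before deploying it, and if they include the traffic you meant to protect, the design is circular.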