- IPsec is configured between Windows Domain members and domain controllers.
- The Connection Security rules are configured to "request authentication" and are active on the Domain Profile only.
- A domain member (client) that has an IPsec connection established to a domain controller is restarted.
- While shutting down the IKE and AuthIP IPsec Keying Modules (IKEEXT) service, the client sends an Internet Security Association and Key Management Protocol (ISAKMP) Notify message to the domain controller to delete the Main Mode Security Association (MMSA).
- Immediately after the client restarts, it tries to connect to a domain controller. By chance, it ends up on the same domain controller as before.
- The client tries to connect by using clear text, because it is still in the Public Profile.
- The clear-text messages from the client are answered by using an Encapsulated Security Payload (ESP) packet sent by the domain controller.
Additionally, you may receive the following error messages:
Event ID: 5719
This computer was not able to set up a secure session with a domain controller in domain %domain name% due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
Log Name: System
Event ID: 1129
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
Important: This registry entry is interpreted as a bit mask. The bit that forces IKEEXT to send ISAKMP Notify Delete messages for Quick Mode Security Associations (QMSAs) is the 0x100 bit. To prevent other issues, do not modify any of the other bits. For example, if IKEFlags has the DWORD value 0x1440, change it to 0x1540.
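The following PowerShell is an added example, not part of the article: it sets the 0x100 bit in the IKEFlags DWORD with a bitwise OR so that every other bit keeps its current value, and it reproduces the article's 0x1440 to 0x1540 case. The article does not give the registry path of the IKEFlags value, so the `$IkeFlagsKeyPath` below is a placeholder you must replace; the function names are also this example's own.

```powershell
# Added example; not from the KB article. Sets one bit of IKEFlags without
# disturbing the rest of the mask. Run in an elevated PowerShell session.

# PLACEHOLDER: the article does not state where IKEFlags lives. Replace with
# the key documented for your Windows version before running without -WhatIf.
$IkeFlagsKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\<IKEEXT parameters key>'
$IkeFlagsValueName = 'IKEFlags'

# Bit that makes IKEEXT send ISAKMP Notify Delete messages for QMSAs (from the article).
$NotifyDeleteQmsaBit = [uint32]0x100

function Get-IkeFlagsWithBit {
    # Pure helper: returns $Current with $Bit set; all other bits are unchanged.
    param([uint32]$Current, [uint32]$Bit)
    return [uint32]($Current -bor $Bit)
}

function Set-IkeFlagsBit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][uint32]$Bit
    )
    # REG_DWORD comes back as Int32; mask to 32 bits so a set high bit does not read as negative.
    $raw = Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Stop
    $current = [uint32](([int64]$raw) -band 0xFFFFFFFF)
    $new = Get-IkeFlagsWithBit -Current $current -Bit $Bit

    if ($new -eq $current) {
        Write-Verbose ("{0} is 0x{1:X}; bit 0x{2:X} already set, nothing to change." -f $Name, $current, $Bit)
        return $current
    }

    # -WhatIf / -Confirm are honoured here, so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess("$Path\$Name", ("change 0x{0:X} to 0x{1:X}" -f $current, $new))) {
        # Set-ItemProperty -Type DWord expects Int32; reinterpret the bits rather than range-convert.
        $asInt32 = [System.BitConverter]::ToInt32([System.BitConverter]::GetBytes($new), 0)
        Set-ItemProperty -Path $Path -Name $Name -Value $asInt32 -Type DWord
    }
    return $new
}

# The article's worked case: 0x1440 with the 0x100 bit set yields 0x1540.
'0x{0:X}' -f (Get-IkeFlagsWithBit -Current 0x1440 -Bit $NotifyDeleteQmsaBit)

# Preview the live change; remove -WhatIf to apply, then restart the IKEEXT service.
Set-IkeFlagsBit -Path $IkeFlagsKeyPath -Name $IkeFlagsValueName -Bit $NotifyDeleteQmsaBit -WhatIf -Verbose
```

Using a bitwise OR rather than writing a literal is what keeps the other flag bits intact; writing 0x100 directly would clear whatever else was set in the mask, which is exactly what the article warns against.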
By default, the NlbReconnectForAllPeers key is set to 1, and the NlbsIdleTime key is set to 0x19 (25).
Starting with Windows 8 and Windows Server 2012, these registry keys have no effect.
Article ID: 2997061 - Last reviewed: 15.10.2014 - Version: 1