slow network connect accessing authenticated services (e.g intranet/exchange)

budi-widjojo_
New Contributor

Hi Guys,

I'm just wondering if anyone has a similar problem to mine, and how did you solve it?

Here is the problem description:

We have an issue that affects non-domain PCs connected via NC. Every time they want to access password-protected resources, e.g. Intranet or Exchange, they get an extremely slow response.

I did a Wireshark capture, and found that those delays were caused by netlogon requests being rejected by the DCs.

We have a workaround for this problem: disabling "Integrated Windows Authentication" in IE and forcing Outlook to use only NTLM instead of Kerberos/NTLM.

This problem is specific to Juniper/NC, because we didn't face it when we connected via IPsec using Contivity.

I'd appreciate any comments or suggestions.

Cheers

Budi

2 REPLIES
Jickfoo_
Super Contributor

Re: slow network connect accessing authenticated services (e.g intranet/exchange)

What happens on the Contivity connection? Does the user just get prompted to log in? Have you traced the Contivity connection? I'd be curious about this as well.

By the way, welcome to the 'former Contivity users support group'. There are many of us out here.

budi-widjojo_
New Contributor

Re: slow network connect accessing authenticated services (e.g intranet/exchange)

Hi,

I somehow managed to nail down the problem: when connected via NC, it did not attempt authentication using Kerberos.

Here is the sequence of events according to the dump; this was done on the same machine.

Network Connect:

1. DHCP request/ACK

2. GARP 3 times with the newly assigned IP

3. Tried to access protected sites (HTTP www.x.x.x.x)

4. WWW-Authenticate header

5. Typed user name and password in domain\username format

6. Windows requested the DC list for the "domain" via WINS

7. WINS replied with all the DCs

8. Sent netlogon to all DCs with an empty user name but with the workstation ID (hostname)

9. Got rejected with a "user unknown" error message because the machine is not part of the domain

10. Kept retrying up to 5 times (while doing this, IE was still waiting for a response)

11. Finally Windows fell back to NTLMSSP

12. IE got a response

On Contivity:

1. GARP 3 times with the newly assigned IP

2. Tried to access protected sites (HTTP www.x.x.x.x)

3. WWW-Authenticate header

4. Typed user name and password in domain\username format

5. Windows requested the DC list for the "domain" via WINS

6. WINS replied with all the DCs

7. Sent netlogon to all DCs with an empty user name but with the workstation ID (hostname)

8. Got rejected with a "user unknown" error message because the machine is not part of the domain

9. DID a DNS lookup for SRV _kerberos._tcp.site.domain.com

10. DID DNS/CLDAP to one of the servers from the list in item 9, asking for the netlogon server

11. NTLMSSP did the user auth

12. Kerberos transaction happens here

13. We got all the data back

14. IE got a response

Thanks
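The two event sequences above can be compared mechanically from a capture summary. The script below is an added example, not part of the thread: it scans tshark-style one-line summaries (constructed here to mirror the NC and Contivity traces, with made-up hosts and a shortened retry count), counts the rejected NETLOGON probes, checks whether the _kerberos._tcp SRV lookup ever happened, and measures the stall before the NTLMSSP fallback. The match strings and thresholds are assumptions to adapt to your own capture output.

```python
import re

# Constructed tshark-style lines ("<secs> <src> -> <dst> <proto> <info>") that mirror
# the two sequences in the thread (shortened to 3 NETLOGON attempts); not a real capture.
NC_TRACE = """\
0.02 10.1.1.5 -> 10.1.2.10 SMB_NETLOGON SAM LOGON request from client WKS01
0.03 10.1.2.10 -> 10.1.1.5 SMB_NETLOGON SAM Response - user unknown
1.50 10.1.1.5 -> 10.1.2.10 SMB_NETLOGON SAM LOGON request from client WKS01
1.51 10.1.2.10 -> 10.1.1.5 SMB_NETLOGON SAM Response - user unknown
3.00 10.1.1.5 -> 10.1.2.10 SMB_NETLOGON SAM LOGON request from client WKS01
3.01 10.1.2.10 -> 10.1.1.5 SMB_NETLOGON SAM Response - user unknown
7.50 10.1.1.5 -> 10.1.3.20 HTTP GET /intranet/ NTLMSSP_NEGOTIATE
"""
CONTIVITY_TRACE = """\
0.02 10.1.1.5 -> 10.1.2.10 SMB_NETLOGON SAM LOGON request from client WKS01
0.03 10.1.2.10 -> 10.1.1.5 SMB_NETLOGON SAM Response - user unknown
0.05 10.1.1.5 -> 10.1.1.3 DNS Standard query SRV _kerberos._tcp.site.corp.example
0.10 10.1.1.5 -> 10.1.3.20 HTTP GET /intranet/ NTLMSSP_NEGOTIATE
"""
LINE = re.compile(r"^(?P<t>[\d.]+) \S+ -> \S+ (?P<proto>\S+) (?P<info>.*)$")

def analyze(trace):
    """Count NETLOGON probes/rejections, note any Kerberos SRV lookup, measure the stall."""
    first_probe = first_ntlm = None
    probes, rejects, srv_lookup = 0, 0, False
    for m in filter(None, map(LINE.match, trace.splitlines())):  # skip non-summary lines
        t, info = float(m["t"]), m["info"]
        if "SAM LOGON request" in info:            # client probing DCs (empty user name)
            probes += 1
            first_probe = t if first_probe is None else first_probe
        elif "user unknown" in info:               # DC rejecting a non-domain machine
            rejects += 1
        elif m["proto"] == "DNS" and "_kerberos._tcp" in info:
            srv_lookup = True                      # Kerberos path was at least attempted
        elif "NTLMSSP_NEGOTIATE" in info and first_ntlm is None:
            first_ntlm = t                         # fallback to NTLM finally starts
    stall = 0.0 if None in (first_probe, first_ntlm) else first_ntlm - first_probe
    return {"probes": probes, "rejects": rejects, "kerberos_srv": srv_lookup,
            "stall_s": round(stall, 2)}

def findings(summary, max_probes=1, max_stall=1.0):
    """Flags a helpdesk or SOC can act on (thresholds are assumptions, tune per site)."""
    out = []
    if summary["probes"] > max_probes:
        out.append(f"{summary['probes']} NETLOGON probes ({summary['rejects']} rejected): non-domain client retrying")
    if not summary["kerberos_srv"]:
        out.append("no _kerberos._tcp SRV lookup: Kerberos never attempted on this path")
    if summary["stall_s"] > max_stall:
        out.append(f"{summary['stall_s']}s stall before NTLMSSP fallback")
    return out
```

Run `findings(analyze(NC_TRACE))` against a real `tshark -r capture.pcap` summary to confirm the same three symptoms before changing IE or Outlook settings.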