I'm just wondering if anyone has a similar problem to mine, and how you solved it?
Here is the problem description:
We have an issue that affects non-domain PCs connected via NC. Every time they want to access password-protected resources, e.g. the Intranet or Exchange, they get an extremely slow response.
I did a Wireshark capture and found that those delays were caused by netlogon requests being rejected by the DCs.
We have a workaround for this problem: disabling "Integrated Windows Authentication" in IE and forcing Outlook to use only NTLM instead of Kerberos/NTLM.
This problem is specific to Juniper/NC, because we didn't face it when connecting via IPsec using Contivity.
I'd appreciate any comments or suggestions.
What happens on the Contivity connection? Does the user just get prompted to log in? Have you traced the Contivity connection? I'd be curious about this as well.
By the way, welcome to the 'former Contivity users support group'. There are many of us out here.
I somehow managed to nail down the problem: when connected via NC, it did not attempt authentication using Kerberos.
Here is the sequence of events according to the dump; this is done on the same machine:
1. DHCP request/ACK
2. GARP 3 times with the newly assigned IP
3. Tried to access protected sites (HTTP www.x.x.x.x)
4. WWW-Authenticate header
5. Typed user name and password in domain\username format
6. Windows requested the DC list for the "domain" via WINS
7. WINS replied with all the DCs
8. Sent netlogon to all DCs with an empty user name but with the workstation ID (hostname)
9. Got rejected with a "user unknown" error message because the machine is not part of the domain
10. Keeps retrying up to 5 times (while doing this, IE is still waiting for a response)
11. Finally Windows falls back to NTLMSSP
12. IE got some response

1. GARP 3 times with the newly assigned IP
2. Tried to access protected sites (HTTP www.x.x.x.x)
3. WWW-Authenticate header
4. Typed user name and password in domain\username format
5. Windows requested the DC list for the "domain" via WINS
6. WINS replied with all the DCs
7. Sent netlogon to all DCs with an empty user name but with the workstation ID (hostname)
8. Got rejected with a "user unknown" error message because the machine is not part of the domain
9. Did a DNS lookup for SRV _kerberos._tcp.site.domain.com
10. Did CLDAP to one of the servers from the list in item 9, asking for the netlogon server
11. NTLMSSP did the user auth
12. Kerberos transaction happens here
13. We got all the data back
14. IE got some response
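The second capture above depends on something the first one never shows: a DNS SRV lookup for the domain's Kerberos records, followed by CLDAP to one of the returned DCs. Below is an added diagnostic (not from the original poster or from Juniper) that a client-side admin can run from the VPN-connected, non-domain PC to check exactly those prerequisites: that the SRV records resolve through the tunnel's DNS, that the returned DCs answer on the Kerberos, LDAP and SMB ports, and what Windows' own DC locator (nltest) picks. The domain name, site name and port list are assumptions; replace them with your own values. It does not diagnose why NC behaves differently, it only makes the DNS/port differences between the two VPNs visible without a packet capture.

```powershell
# Added diagnostic example, not part of the original thread.
# Assumes PowerShell 3+ on Windows 8 / Server 2012 or later (Resolve-DnsName,
# Test-NetConnection, Get-DnsClientGlobalSetting all exist there).
param(
    [string]$Domain = "domain.com",   # assumption: replace with the AD DNS domain name
    [string]$Site   = "site"          # assumption: the AD site name seen in the SRV query
)

# SRV names the client needs. The site-scoped name is the standard form of the
# record the second capture queried; _ldap._tcp.dc._msdcs is the DC locator record.
$srvNames = @(
    "_kerberos._tcp.$Site._sites.$Domain",
    "_kerberos._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain"
)

# Ports a DC must answer on for Kerberos, (C)LDAP and SMB-based netlogon.
$ports = [ordered]@{ Kerberos = 88; LDAP = 389; SMB = 445 }

"DNS suffix search list (should contain $Domain while the VPN is up):"
"  " + ((Get-DnsClientGlobalSetting).SuffixSearchList -join ", ")

foreach ($name in $srvNames) {
    try {
        # -ErrorAction Stop turns NXDOMAIN / timeout into a catchable exception
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq "SRV" }
    } catch {
        "FAIL  SRV $name : $($_.Exception.Message)"
        continue
    }
    "OK    SRV $name -> $(@($records).Count) record(s)"

    # Probe each DC the SRV answer hands back, lowest priority first.
    foreach ($r in ($records | Sort-Object Priority, Weight)) {
        $dc = $r.NameTarget
        $portResults = foreach ($p in $ports.GetEnumerator()) {
            $open = Test-NetConnection -ComputerName $dc -Port $p.Value `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            "{0}:{1}={2}" -f $p.Key, $p.Value, $(if ($open) { "open" } else { "CLOSED" })
        }
        "      $dc  " + ($portResults -join "  ")
    }
}

# Windows' own DC locator, for comparison with the WINS-based path in the capture.
# /kdc asks specifically for a DC running the Kerberos KDC.
"nltest DC locator result:"
nltest /dsgetdc:$Domain /kdc 2>&1
```

Run it once on the Contivity connection and once on NC and diff the output: a "FAIL SRV" line or a missing domain suffix on NC, while the same records resolve on Contivity, would match the difference between the two captures (no SRV lookup in the first sequence, SRV lookup plus CLDAP in the second). Closed port 88 with 389/445 open would instead point at the tunnel's port policy rather than DNS.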