I am bashing my head against what should really be a simple Cisco problem. I have an ASA with 3 networks connected to it; it should be simple, but somehow I am failing.
We have the Outbound Network - this is where the ADSL modems and so forth sit, all traffic to the internet goes over the Outbound Interface.
We have the Insecure Network - this is where guests connect to our network and we host a smattering of services for the guests. This network should be unable to access the Internal Network, but should be able to access the Internet. There are also one or two services which send reporting data to an Internal server via a static NAT. I don't want this network to be able to connect to the ADSL modem management interfaces.
We have the Internal Network, which should be able to talk to any other network on the ASA (except, obviously the management network).
At the moment, I have the Internal Network talking to the Outbound Network and the Internet. And that is basically it - if I create a NAT rule for the Insecure Network to talk to the Internet, the reporting data won't go through to the Internal Network. The Internal Network won't connect to the external network at all!
Can anyone help me with the theory here? I don't want to just post my config and insert voodoo, I'd like to properly understand the theory - if you know the right KB article/guide/part of a manual for something like this it would be much appreciated.
Ultimately, I suspect that this is partly because I don't have an elegant way of referring to the internet other than ANY which also matches internal networks, which seems bad.
TL;DR - please help me understand what asymmetric NAT rule drops are and why portmaps are failing when I expect that the internal network should be able to go anywhere?
I know very little about Cisco stuff, I just usually refer to the command line guides they have. And without seeing routing or NAT configs, it's hard to rule other stuff out. By default, networks with higher security levels can talk to lower security levels, so if you have Outside (0), Insecure (50), Internal (100), then Internal can talk to Insecure and Outside, and Insecure can talk to Outside, but Insecure can't talk to Internal and Outside can't talk to anyone. If you turn on NAT Control, that functionality is disabled and you must configure NATs and/or ACLs on all the networks to do the same job.
Just remember that half the people you meet are below average intelligence.
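To make the security-level rule above concrete, here is an added example configuration for the three-interface layout the question describes. It is not any poster's config and nothing on this page is based on it; the interface names, the addresses (RFC 5737 and RFC 1918 ranges), the reporting port (443) and the modem management addresses are all assumptions. It is written for ASA 8.3 and later, where NAT is expressed on network objects and access lists match the real (untranslated) address. The point it demonstrates is how to avoid the "ANY also matches internal networks" problem from the original post: name every network as an object, permit the one specific flow (guest to reporting server) first, deny the private ranges and the modem management hosts next, and only then permit the catch-all to the Internet.

```cisco
! Added example, not any poster's configuration. Interface names, addresses,
! the reporting port and the modem management hosts are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif insecure
 security-level 50
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Name each network once. NAT and ACLs then refer to the objects instead
! of "any", which would also match the internal network.
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network INSECURE_NET
 subnet 192.0.2.0 255.255.255.0
 nat (insecure,outside) dynamic interface
!
! Internal reporting server, exposed to the guest segment on a single
! address by a static NAT between the inside and insecure interfaces.
object network REPORT_SERVER
 host 10.0.0.25
 nat (inside,insecure) static 192.0.2.25
!
! Assumed: the ADSL modems' management addresses sit on the outbound segment.
object-group network MODEM_MGMT
 network-object host 203.0.113.10
 network-object host 203.0.113.11
object-group network PRIVATE_NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Inbound policy on the guest interface. Since ASA 8.3 the ACL matches the
! real destination, so the reporting rule names 10.0.0.25 even though the
! guests send to 192.0.2.25. Order matters: specific permit, then the
! denies, then the catch-all to the Internet.
access-list INSECURE_IN extended permit tcp object INSECURE_NET object REPORT_SERVER eq 443
access-list INSECURE_IN extended deny ip any object-group PRIVATE_NETS
access-list INSECURE_IN extended deny ip any object-group MODEM_MGMT
access-list INSECURE_IN extended permit ip object INSECURE_NET any
access-group INSECURE_IN in interface insecure
!
! No ACL is applied to inside: it has the highest security level, so its
! traffic to insecure and outside is allowed by default.
```

Two checks worth running after loading something like this. `packet-tracer input insecure tcp 192.0.2.50 40000 192.0.2.25 443` walks one guest-to-reporting-server packet through routing, NAT and the ACL and prints which rule allowed or dropped it, which is far quicker than reasoning about the config by hand. And the "Asymmetric NAT rules matched for forward and reverse flows" drop the question asks about is what the ASA logs when the NAT rule it matches for a packet's reverse direction is not the same rule it matched on the forward direction; the usual cause is a NAT rule written on the wrong interface pair (or on `any`) that captures return traffic, so keep each NAT rule tied to the exact pair of interfaces it is meant for, as above.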
Question: What type of company should I call to help mount a projector into the ceiling? The problem is that we have a drop ceiling and it's not going to hold a projector on it. I'm not even sure where to start... An audio/video place?
Construction company? You can get $100 kits for hanging them in drop ceilings (you suspend them in similar ways with a cable), but they're annoying if you're not used to doing it.
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
Ugh, I need to say I can't deliver on what I was asked to do. Boss wants a Joomla site with embedded .DOCX capability.
This doesn't appear to be possible on our intranet (as all extensions require google docs access)
I've wasted 3 work days trying to find a solution for this, and the only thing I've come up with is to learn PHP and Java and make an extension, or abandon that and tell him I can't do it, which he insists I can but doesn't know how.
@TL DR I checked Microsoft Licensing, and I've got 3 versions of 2003, but I don't think they're what you need. You're welcome to them if I'm wrong.
Yeah, we made the brilliant decision of registering every client with their own account on eOpen/MS VLSC. I checked the biggest client we had but no 2003 Enterprise keys, and I don't much feel like checking 300 more accounts!
Guys? Hay guys?
PSN - sumowot
Apothe0sis wrote:
Thanks for this - it isn't actually what the issue was, but it did inspire me to go back and go through everything with a fine-toothed comb.
Turns out, if you misdefine a Network Object in your ACL you get a problem, WHO KNEW?
Secondly, while not directly related, your thing on security levels led me to think about NAT pools differently, and now we are working (ALMOST COMPLETELY).
Now a specific set of VPN users on iPads who should be sending their DNS requests to a particular server are generating issues with IPv6 and not being able to find an egress point (which makes no sense because IPv6 is, in theory, not used within our environment or settings). But they can resolve DNS by hand for the time being - they only need one server anyway and they can remember the IP.
TL DR wrote:
@AtomBomb Yeah, the key I have is for Enterprise (sometimes listed as "Professional Enterprise")
Although I think the Enterprise just refers to the fact that it's volume-licensed...?
Yeah, kept digging and for some reason the PC is now configured so you can't access Internet Options in IE. It's not written in the correct registry location, so I'm not sure what's causing that.
It's volume licensed and includes Access/InfoPath over the other volume license SKUs.
I have a network volume that I've installed from that includes Access and InfoPath. I can zip it up and send it to you somehow if you think it might work?
I just got a 3DS XL. Add me! 2879-0925-7162
Apothe0sis wrote:
And the Cisco hits keep on coming. Getting an account to have a service contract associated with it and then associating serial numbers/devices with that account has proven to be a difficult to impossible task. I HATE the Cisco website design. The fact that their "permission denied" page is the same as their "404 error, could not find" page drives me up the wall.
Currently waiting to talk to someone from Cisco to see what they have to say about all of this.
EDIT: I also think the IPv6 egress problems were related to a Windows Firewall thing on the DNS server, but haven't had a chance to test that out.
Apothe0sis wrote:
New/different question:
Our Outlook/Exchange Environment does the following thing:
Every time you open up Outlook it asks for your Domain Username and password even if you clicked "Save Credentials"/"Save My Password" or whatever else. If you don't enter it occasionally it doesn't send/receive email, but usually it has no effect, other than the fact that it pops up the request every now and then. I can't see anything out of the ordinary in any of what I would assume to be the appropriate event logs. Anyone seen this before?
How long has it been doing it? Have you moved or migrated to a new Exchange server or domain controller recently? Do you have any Kerberos errors in the system log?
Client decided to go with iMacs and wireless keyboard/mice (bluetooth). Running BootCamp and Win7. UGH!!!!! (<-- loudest UGH in history.) At first I was all "ooo!" while unboxing them. Now after fighting with the stupid f*cking things for 30 minutes each, watching them drop and pick up each other's mice randomly, have a mouse just not work in Windows... at least now I know how to right click with the keyboard (Fn-Shift-F10 by the way).
Never have I detested something so much.
But the unboxing experience was heaven.
Mr_Rose wrote:
Pretty sure that's because the built in Windows Bt stack is terrible and no-one really cares enough to fix it. Hell, my desktop can't even find a paired set of headphones best two out of three, and they're the only Bt device in the house.
Since day dot - Exchange Server was built and domains migrated.
I will look for some Kerberos errors.
XP or Win7? Try to see if you're using Basic authentication or NTLM. And which version of NTLM if so.
lwt1973 wrote:
I have that occasionally. I've done some research on it and supposedly it's a bug, as there are a ton of "answers" to the problem. Usually pops up when I do an upgrade on the Exchange server or a user changes their password, and then it goes away after a day or two.
"He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
Apothe0sis wrote:
Both, Outlook 2007 and 2010. Exchange 2007 SP3.
Apothe0sis wrote:
Unfortunately, this is all users and has persisted for a long time and across multiple password changes.
Yeah. The default Windows Bluetooth stack often has problems with certain devices and doesn't support all profiles. There are different Bluetooth stacks (drivers) - Broadcom, Windows built-in, OS X built-in, Toshiba, BlueSoleil.
If the iMac uses a Broadcom chipset you are pretty much set - it's the best chipset/driver combination IMO.
I would like to know why the client decided to go for iMacs with Bootcamp.
It's a really high-end skincare shop, where aesthetics rule.
iMacs are definitely pretty. Though a surprising number of staff actually prefer the Lenovo 91z's we're deploying in the exam rooms.
My day today was spent back there hacking apart the server with a SQL 2012 reinstall. Which failed, because I followed the vendor's setup instructions (just copy and paste this folder onto the server and overwrite everything... he forgot about attaching the SQL DB). Which required a full-blown vendor software reinstall. Which required a remote session. Which was super fun because the site didn't have internet installed yet, and today was the big training day, with vendor-trainer-dude onsite having to resort to projecting what he is doing on a wall and making everyone take notes rather than everyone individually working from the server copy, while I'm madly sitting writing routing rules into the routing table to get my phone to act as a primary gateway so I can give remote access to vendor-tech-support through my iPhone to my laptop into an RDP session on the LAN. Was fun.
Where would the NTLM/Basic auth bit live?
In the outlook email settings under security. And also under the proxy settings when they're outside the building. The important part is you can't use Basic auth and remember credentials on a proxy connection, as per the microsoft kb article: http://support.microsoft.com/default.aspx?scid=kb;en-us;820281
"If you want to use Basic authentication, you must continue to type your user account credentials. There is no way for the client to submit your user name and password automatically."
XP machine: You can use the command "control keymgr.dll" to impersonate another identity. When NTLM is on, you can add a stored Windows credential for the server it's trying to connect to (pay attention to what that name is, it may not match the FQDN). In Win7 it's known as the 'credential vault', same principle.
Long wall of text about NTLM:
NTLM is Windows Integrated authentication, and Basic is when you enter a user name and password. NTLM becomes especially problematic if a user's name on their laptop matches their AD username.
For example, if user JSMITH has his laptop in a workgroup, and he attempts to configure Outlook Anywhere to connect to the Exchange server, and his AD credentials are JSMITH, Outlook is going to attempt to authenticate as MACHINENAME\JSMITH as opposed to DOMAIN\JSMITH. This will cause the connection to fail, and in some domains even lead to the user being locked out of the domain. This will also cause continuous prompting for username and password credentials, as well as dropped connections.
Saving passwords has been a common reason for using NTLM authentication as opposed to Basic authentication. It's the official solution for saving passwords for big Hosted Exchange providers like Intermedia: http://hosting.intermedia.net/support/kb/default.asp?id=629
Apothe0sis wrote:
This is going to be so fucking general, but I'm desperate at this point:
I'm having problems with our Outlook, our Hosted Exchange, our VPN, and loading certain websites. I can't connect to support.microsoft.com, can't update Windows, the webmail portal for Hosted Exchange seems to work intermittently... but I can download from DropBox without a problem, watch YouTube, or log in to the forums. This is true across just about every computer on the network.
Called Comcast, they said connectivity was fine. Called Microsoft, they were useless (couldn't remote connect). Called our third-party IT people, they had a couple of guesses; we updated some firmware on our Cisco ASA, and that seemed to help a bit, briefly.
I have no idea where to look next; my best guess is maybe it's a problem with the switches? We have two, and were having problems with them a year or two ago, but they got suddenly better out of nowhere. I'm gonna restart the servers and switches tomorrow morning, see what that does.
Than, I take it the first things you've done are checking your DNS and traceroutes and general routing tables?
Everything is on "Negotiate Authentication" - I changed it to Kerberos and it works as expected. I change it to NTLM and it works as expected.
So, "Negotiate Authentication" is that not working as required?
Check your client access settings on your CAS server. It may not have the correct protocol as first priority.
As per Microsoft http://technet.microsoft.com/en-us/library/bb124503.aspx
"Negotiate Ex authentication Do not click this button. Negotiate Ex authentication is an authentication type reserved for future Microsoft use and shouldn't be used. Use of this setting will cause authentication to fail."
So just set everything to NTLM and save yourself the headache.
Never take Comcast's word that "everything is fine on our end." Our upload speed was down to a trickle (like, speedtest.net couldn't even connect to measure it) which was why VPN and email weren't working, but most of the rest of the internet seemed to be.
We are considering moving from our horribly expensive and fairly slow T1 to Comcast Business, which is both significantly faster and significantly cheaper. Anyone have experience with them? I'm specifically worried about how stable it will be for our off-site RDP users, since they are connected for the entire day every day and rely on it to do the bulk of their work.
For reference, our T1 is at a blazing 1.5 Mbps symmetric, where Comcast is offering 16/2 (DOCSIS 3.0 won't be here for years) for more than 50% less than we are currently paying (although our current provider is going to knock around 20% off if we stay, but I still consider it overpriced). Anyone have thoughts?
We moved our main traffic over to Comcast. So far only had one outage that was attributable to them in around a year and a half of service, and it wasn't a complete outage; just really slow inbound traffic. We also maintain a backup DSL line to keep our critical operations at as close to 100% availability as possible. At the time we did the move, we also switched from analog to digital phones (through the DSL company), and all of the above costs less than our old slow T1 used to be.
Your mileage will, of course, vary hugely based on your location.
Aside from my recent experience, I've had a great experience with them. Their customer service is usually very good, and we've had two outages in three years (one just a system outage, the other when a modem kicked it). The modem died at 3:45 on a Thursday; they were in first thing Friday morning to replace it.
The speed is good, but we generally don't have more than a handful of people connecting over VPN at a time.
Our city is split between Cox and Comcast. Most of our sites are on Cox point-to-point 2mb (main office 20mb fios), but we have one site in Comcast territory. They've been pleasant to deal with, not that I've had to do that much since installation. Of the few issues we've had, most have been from other utility companies fucking up Comcast's lines. Here's that site's speedtest, with normal traffic for the site running as well.
Our move to Comcast/Cox was probably similar to yours. We were on Time Warner before, with a T1 at the main office and fractional T1s (256k) at the branches. Man, did that suck. It was more reliable, but for us the trade of 99.999% uptime for 99.9% at 8 to 14 times the speed for slightly less money was worth it.
I haven't had any issues with Comcast business at all for remote offices.
Charter on the other hand...I've had outages blamed on sunspots. Also, they charge $20/month more for a DHCP router/modem whereas Comcast tossed it in for free. I wouldn't deal with them but they're the only service available at one of our locations. Stupid non-compete with Comcast.
"He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
I have one :shiftyeyes:
Hmm......
[edit] Never mind, double checked and it is 2007. I only have 2003 Pro[/edit]
I swear to God this thing just does not work.
*chokes* *spits coffee on monitor* *laughs* *chokes again* *dies*