
GSS2.5 - 'Failed to join domain xxx: The system detected a possible attempt to compromise security'

Created: 21 Apr 2009 • Updated: 21 May 2010 | 3 comments

Hi,

I searched for this issue and saw that it was also addressed a while ago in the thread https://www-secure.symantec.com/connect/forums/gss...

Our organization has Windows Server 2008 and does not allow anything other than NTLMv2 authentication. Will there be an update for Ghost (or the relevant tool) that allows us to specify what authentication mechanisms to attempt? We're using GSS 2.5.

It seems crazy that deploying a machine back on the domain requires a manual visit to it. I've tried just running Configuration tasks, but they still fail.

Is there any workaround for this at present that does not rely on changing the domain controller policy (since I know that's not going to happen)?

Thanks,

Derek


Farhan2Rescue:

Source:
http://service1.symantec.com/SUPPORT/on-technology...

http://support.microsoft.com/kb/942564

To work around this problem, make sure that client computers use the cryptography algorithms that are compatible with Windows Server 2008. You may have to request software updates from the product vendors.

If you cannot install software updates because a service outage will occur, follow these steps:

1. Log on to a Windows Server 2008-based domain controller.
2. Click Start, click Run, type gpmc.msc, and then click OK.
3. In the Group Policy Management console, expand Forest: DomainName, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
4. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
5. In the Properties dialog box, click the Enabled option, and then click OK.

Notes
- By default, the Not Configured option is set for the Allow cryptography algorithms compatible with Windows NT 4.0 policy in the following Group Policy objects (GPO):
  - Default Domain Policy
  - Default Domain Controllers Policy
  - Local Computer Policy
- By default, the behavior for the Allow cryptography algorithms compatible with Windows NT 4.0 policy on Windows Server 2008-based domain controllers is to programmatically prevent connections from using cryptography algorithms that are used in Windows NT 4.0. Therefore, tools that enumerate effective policy settings on a member computer or on a domain controller will not detect the Allow cryptography algorithms compatible with Windows NT 4.0 policy unless you explicitly enable or disable the policy.
- Windows 2000 Server-based domain controllers and Windows Server 2003-based domain controllers do not have the Allow cryptography algorithms compatible with Windows NT 4.0 policy. Therefore, pre-Windows Server 2008-based domain controllers accept security channel requests from client computers even if the client computers use the old cryptography algorithms that are used in Windows NT 4.0. If security channel requests are intermittently processed by Windows Server 2008-based domain controllers, you will experience inconsistent results.

6. Install third-party software updates that fix the problem, or remove client computers that use incompatible cryptography algorithms.
7. Repeat steps 1 through 4.
8. In the Properties dialog box, click the Disabled option, and then click OK.

Important: For security reasons, you should set the option for this policy back to Disabled.
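The steps above toggle a single Netlogon policy setting on the domain controller, and the KB excerpt itself warns that policy-enumeration tools will not show it unless it has been explicitly set, and that it must be put back to Disabled afterwards. The PowerShell below is an added example (not code from the thread, from Symantec, or from the Microsoft article) that audits where the setting actually stands on a DC so the temporary exception is not forgotten. It assumes the policy is stored as the DWORD value AllowNT4Crypto under the Netlogon policy key (written by the GPO) and under the Netlogon service parameters key (read by the service), with 1 meaning NT 4.0-style algorithms are accepted and 0 or an absent value meaning they are rejected on a Windows Server 2008 DC; the function and variable names are my own.

```powershell
# Added example: audit the "Allow cryptography algorithms compatible with Windows NT 4.0"
# setting on a Windows Server 2008 domain controller. Not code from the thread or the KB.
# Assumptions: the GPO writes AllowNT4Crypto (DWORD) under the Policies key below, the
# Netlogon service reads the same value name under its Parameters key, and on a 2008 DC an
# absent value behaves like 0 (NT 4.0-style algorithms rejected).

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName  = 'AllowNT4Crypto'

function Get-NT4CryptoValue {
    # Returns the DWORD as an [int], or $null when the key or value is absent
    # (which is what "Not Configured" looks like in the registry).
    param([Parameter(Mandatory = $true)][string]$Key)
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Get-NT4CryptoState {
    # Reports the policy value, the service value, and the effective result.
    $policy  = Get-NT4CryptoValue -Key $PolicyKey
    $service = Get-NT4CryptoValue -Key $ServiceKey

    # A configured policy value overrides the service parameter; if neither exists,
    # fall back to the 2008 default (reject).
    if ($null -ne $policy)      { $effective = $policy }
    elseif ($null -ne $service) { $effective = $service }
    else                        { $effective = 0 }

    if ($null -eq $policy)  { $policyText  = 'Not configured (default: reject)' } else { $policyText  = $policy }
    if ($null -eq $service) { $serviceText = 'Not set' }                         else { $serviceText = $service }

    if ($effective -eq 1) {
        $assessment = 'Weak secure-channel crypto ACCEPTED - temporary exception; set policy back to Disabled once clients are updated'
    } else {
        $assessment = 'NT 4.0-style crypto rejected (expected hardened state)'
    }

    return [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        PolicyValue      = $policyText
        ServiceValue     = $serviceText
        NT4CryptoAllowed = ($effective -eq 1)
        Assessment       = $assessment
    }
}

# Run on the DC (elevated) and keep the output with the change record for the exception.
Get-NT4CryptoState | Format-List
```

The audit reads only the registry, so it can be scheduled or dropped into a compliance script; it is the check that the KB's "Important" line implies but does not give. Make the change itself with gpmc.msc as the steps describe (the GPO is what keeps every DC consistent), and use the output's NT4CryptoAllowed flag as the signal that the exception is still open and the final "Disabled" step is outstanding.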

Krish Jayaratne:

Hi Derek,

GSS 2.5 does not send the domain admin credentials to the client and this is required to join the machines to 2k8 domains without changing the policies. 2.5 does not support secure enough communication to send such sensitive data over the network.

Other alternatives I can suggest are using sysprep (sysprep is supported in the GSS Console) or an MS utility such as netdom. If I remember correctly, both these methods use weak or no encryption to protect credentials (based on MS documentation - please do a search for more info).

Krish

Aledo:

I installed this patch from Microsoft and I can join Windows XP SP3 computers to a W2k8 domain controller.

Install this patch http://support.microsoft.com/kb/944043/en-us on Windows XP only, not on Domain Controller.