LDAP lookup issue via ISA Server

d.missen

Hi,

Sorry this is a bit of a saga - but there's quite a bit of
background that I need to relate so that what I am trying to achieve
makes sense. (I hope!)

I have a three-interface Cisco PIX firewall attached to the Internet as
my external firewall, connected in series with an ISA 2004 (SP2)
two-interface firewall as my internal firewall.

On the DMZ interface (that's the actual third interface of the PIX,
not the subnet between the PIX and the ISA) I have two servers, both of
which are members of my internal domain. These are a Citrix
Presentation Server V4 and a SQL 2000 Server. I am providing access to
an application on the Citrix server to a number of internet-based VPN
users, with access being controlled by accounts in my AD. (They can
basically run a locked-down desktop on the Citrix server with access to
the single application, which in turn uses the database on the SQL
Server.)

Everything pretty much works - but I have hit a small snag and I was
wondering if anyone had any ideas.

The application is an ERP application (Microsoft Dynamics Navision)
that uses Windows Authentication and AD accounts to grant the user
permissions within the ERP system. The problem I am experiencing is
that when I try to retrieve the list of AD accounts from within the
application I only get a partial list and eventually get an error
message along the lines of "failed to retrieve information for the
account with GUID etc. etc.". However, the point at which it fails
is random, and what seems to happen is it gets to list quite a lot of
the accounts and groups relatively quickly and then slows down,
adding a few more entries before eventually giving the error above. (By
the way, we're not talking about a massive amount of
accounts/groups here - probably less than 200 objects in total.)

My Internal domain is Windows 2003 - but it's not an "anonymous
LDAP" issue because the same application can retrieve the list of
accounts when on an Internal PC. The problem is, I believe, with the
ISA server but here's what I have done to test this theory and why I
am currently at a loss.

LDP, ADSIEDIT and setting up a test share on the Citrix Server can ALL
retrieve the entire AD list via LDAP without a problem.

Changing my ISA rules temporarily to allow complete access from the
Citrix Server to the Internal LAN doesn't fix the problem.

Monitoring the ISA server when the application is trying to retrieve
the accounts, I can see (initially) loads of initiated and closed
connection messages using LDAP (and my designed rule) between the
Citrix server and the AD DCs, but then I start to get connection denied
messages (but the traffic still appears to be LDAP and is still between
my Citrix server and the same DC). When these connections are denied no
rule (not even the default last rule) is given as a reason.
Running NETDIAG on the Citrix server gives the following error
(everything else passes OK)

Redir and Browser test . . . . . . : Failed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{89C3110C-9D44-4233-95BD-704EC8114ECD}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{89C3110C-9D44-4233-95BD-704EC8114ECD}
The browser is bound to 1 NetBt transport.
[FATAL] Cannot send mailslot message to '\\DOMAIN NAME
REMOVED*\MAILSLOT\NET\NETLOGON' via redir. [ERROR_BAD_NETPATH]

If I type an account manually into the Navision account screen using
the format domain\username, you can set the application permissions
for this user, the user can run the restricted desktop (restricted
by a GP applied in AD) and the application runs OK (but see below).

Now, some might argue, why worry about the problem if the
application works OK? Well, there are two reasons:

1. I don't like things that I can't explain, and this is driving me
nuts!
2. The application sometimes crashes with a message - "Navision has
encountered an error and needs to close" - something that only happens
when running the application from the DMZ, so I want to see if this LDAP
issue is behind this crash.

Does anyone have any ideas to help save my sanity? (Which don't
include giving up IT and taking up something less stressful - because
I am already considering this!)

Lucky Dave

Going to answer my own question - Sanity now restored (at least to
previous level anyway!)

Suddenly realised that when using ldp and adsiedit you specify the
server you are binding to.

Anyone want to hazard a guess as to the identity (or at least the
role) of the server with the GUID reported as failing by Netdiag? YEP!
It's a DC across a slow WAN link that I hadn't given the Citrix
server access to.

This DC is in its own AD site, so I didn't consider it necessary. I
thought the servers in the DMZ subnet - which is in the same AD site as
all my DCs EXCEPT the one referred to above - would use a GC in the
same site. It appears I'm wrong!

The application now retrieves the list - Very slowly - but at least it
doesn't hang!
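The diagnosis above boils down to "which DCs does the DMZ host actually try, and which of them can it reach through the firewall?" The following PowerShell script is an added example, not code from the thread: run on a DMZ member server, it lists every DC the forest advertises, marks which are in the host's own AD site and which are Global Catalogs, and tests whether the LDAP (389) and GC (3268) ports are reachable from that host. It assumes the server is a domain member and that at least one DC is reachable so the initial forest lookup succeeds; `$timeoutMs` is an arbitrary value chosen here.

```powershell
# Added example (not from the thread). Run on the DMZ member server to see
# every DC the forest advertises and whether this host can open LDAP/GC
# ports to each. A DC outside the local site that shows up as unreachable
# is exactly the kind of firewall gap described in the thread.
Add-Type -AssemblyName System.DirectoryServices
$timeoutMs = 3000   # connect timeout per port; assumed value, tune as needed

function Test-TcpPort {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        # A filtered port (firewall drop) shows up as a timeout here
        if (-not $async.AsyncWaitHandle.WaitOne($timeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        # RST or DNS failure: treat as unreachable
        return $false
    } finally {
        $client.Close()
    }
}

$forest    = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$localSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$gcNames   = $forest.FindAllGlobalCatalogs() | ForEach-Object { $_.Name }

$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        [pscustomobject]@{
            DC        = $dc.Name
            Site      = $dc.SiteName
            LocalSite = ($dc.SiteName -eq $localSite)
            IsGC      = ($gcNames -contains $dc.Name)
            LDAP_389  = Test-TcpPort -HostName $dc.Name -Port 389
            GC_3268   = Test-TcpPort -HostName $dc.Name -Port 3268
        }
    }
}

# Rows with LocalSite = False and a port reported False are the DCs that a
# client-side DC locator may still pick but the firewall will silently drop.
$results | Sort-Object LocalSite, DC | Format-Table -AutoSize
```

Compare the unreachable rows against the ISA/PIX rule set: each DC the DMZ host can be directed to needs an explicit allow, or the DMZ subnet's site and subnet definition in AD Sites and Services needs to keep the locator on the DCs that are reachable.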