DNS DHCP IPAM

Reply
Highlighted

Windows 2000 GSS-TSIG failed

Kenn
Techie
Posts: 9
788     0

Hi,

 

Has anyone encountered the issue with WIndows 2000 server doing dynamic updates using des-mac-md5?

 

I ran the command as crypto all, assigned all keys for DNS dynamic updates.

I had windows 2000, 2003, 2008 and 2012 but only Windows 2000 is not able to update properly.

 

In the syslogs, I could see TSIG verify failure, BADSIG.

 

I did a traffic capture, the error shows BAD OPT version or TSIG Signature Failure. 

 

Can anyone advise? 

 

Regards,

Kenn

Re: Windows 2000 GSS-TSIG failed

Adviser
Posts: 44
789     0

Kenn,

I don't think Windows 2000 is supported. What you can do is enable secure & unsecure updates on the Windows 2000 zones.

Re: Windows 2000 GSS-TSIG failed

Kenn
Techie
Posts: 9
789     0

Hi Harrys,

 

Thanks for the reply.

 

Apology if I didn't explain clearly above. 

 

The windows 2000 is a client doing dynamic updates to Infoblox DNS servers.

 

Infoblox DNS has refused all windows 2000 clients despite des-mac-md5 crypto have been assigned to the DNS Master member.

 

Does Infoblox support windows 2000 for dynamic updates?

 

Regards,

Kenn

Re: Windows 2000 GSS-TSIG failed

Adviser
Posts: 44
789     0

Ok, now I understand what you are trying to achieve. When exporting the keytab, the manual says

 

Microsoft Windows 2000 Specify /crypto DES-CBC-MD5 as the export keytab.

 

while other versions use:

 

Microsoft Windows 2008 and higher Specify /crypto RC4-HMAC-NT as the export keytab.

 

You mentioned des-mac-md5, not sure if they are the same as des-cbc-md5

 

 

Re: Windows 2000 GSS-TSIG failed

Kenn
Techie
Posts: 9
789     0

Hi Harry,

 

I had just got some response from the tech support and they mentioned that it was due to some windows 2000 bug which will need to be patched in order to support the GSS-TSIG updates. 

 

Thanks a lot for your help!

 

Regards,

Kenneth

Showing results for 
Search instead for 
Do you mean 

Recommended for You