Windows 2000 GSS-TSIG failed

Kenn · ‎10-22-2017

Hi,

Has anyone encountered the issue with WIndows 2000 server doing dynamic updates using des-mac-md5?

I ran the command as crypto all, assigned all keys for DNS dynamic updates.

I had windows 2000, 2003, 2008 and 2012 but only Windows 2000 is not able to update properly.

In the syslogs, I could see TSIG verify failure, BADSIG.

I did a traffic capture, the error shows BAD OPT version or TSIG Signature Failure.

Can anyone advise?

Regards,

Kenn

harrys · ‎10-23-2017

Kenn,

I don't think Windows 2000 is supported. What you can do is enable secure & unsecure updates on the Windows 2000 zones.

Kenn · ‎10-24-2017

Hi Harrys,

Thanks for the reply.

Apology if I didn't explain clearly above.

The windows 2000 is a client doing dynamic updates to Infoblox DNS servers.

Infoblox DNS has refused all windows 2000 clients despite des-mac-md5 crypto have been assigned to the DNS Master member.

Does Infoblox support windows 2000 for dynamic updates?

Regards,

Kenn

harrys · ‎10-26-2017

Ok, now I understand what you are trying to achieve. When exporting the keytab, the manual says

Microsoft Windows 2000 Specify /crypto DES-CBC-MD5 as the export keytab.

while other versions use:

Microsoft Windows 2008 and higher Specify /crypto RC4-HMAC-NT as the export keytab.

You mentioned des-mac-md5, not sure if they are the same as des-cbc-md5

Kenn · ‎12-21-2017

Hi Harry,

I had just got some response from the tech support and they mentioned that it was due to some windows 2000 bug which will need to be patched in order to support the GSS-TSIG updates.

Thanks a lot for your help!

Regards,

Kenneth

DNS DHCP IPAM

Windows 2000 GSS-TSIG failed

Re: Windows 2000 GSS-TSIG failed

Re: Windows 2000 GSS-TSIG failed

Re: Windows 2000 GSS-TSIG failed

Re: Windows 2000 GSS-TSIG failed