03-05-2020 12:09 PM
We have GSS-TSIG enabled in Infoblox and version is 8.4.4.
Newly provisioned VM guests running Windows 2019 Datacenter with the CIS benchmarks applied.
When these new servers are joined to our domain, the DNS records (A, PTR or Host) are not being created in Infoblox.
Spoke to support, who mentioned something in the CIS benchmark template is causing the GSS-TSIG TKEY to not communicate with the Infoblox DNS server from the client.
I have tried changing the local GPO on the new servers (Local Computer Policy > Administrative Templates > Network > DNS Client > Update Security Level > Only Secure) and then running ipconfig /registerdns, but I am still unable to see the DNS records being created.
CIS benchmark is here:
Anyone know which setting needs to be changed here ?
03-05-2020 03:23 PM
No worries, I resolved it.
CIS hardening enabled the following setting:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos
AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types
I unchecked all three encryption types and rebooted the server, and saw a successful key auth message in the Infoblox syslog:
client @xxxxxxxxxx 10.x.x.x.#xxxx/key xxxxx$.xxxxxxxx signer "xxxxxxxx$.xxxxxxxx" approved
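To audit which Kerberos encryption types a hardened host actually allows before and after the change described above, here is an added PowerShell snippet (not from the original post, and not Infoblox or CIS code) that reads the registry value written by the "Network security: Configure encryption types allowed for Kerberos" GPO and decodes its bitmask. The bit assignments follow Microsoft's SupportedEncryptionTypes encoding, and the sample value 2147483640 is constructed to match a CIS-style policy with AES128, AES256 and "Future encryption types" checked.

```powershell
# Decode the Kerberos SupportedEncryptionTypes bitmask that the GPO
# "Network security: Configure encryption types allowed for Kerberos" writes.
# Bit assignments follow Microsoft's documented encoding; 0x7FFFFFE0 is the
# mask the GPO uses for "Future encryption types" (assumption from that documentation).
$EncTypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}

function ConvertFrom-KerberosEncTypes {
    param([Parameter(Mandatory)][int64]$Value)
    # Return the name of every type whose bit(s) are fully set in $Value.
    # A value of 0 (all boxes unchecked, as in the fix above) yields an empty list.
    $EncTypeBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -eq $_.Value } |
        ForEach-Object { $_.Key }
}

function Get-KerberosEncTypePolicy {
    # Policy-managed location written by the GPO. The non-policy local setting
    # lives under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $path -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No policy value present: the OS default set applies.
        return [pscustomobject]@{ Configured = $false; Value = $null; Allowed = @('(OS default)') }
    }
    [pscustomobject]@{
        Configured = $true
        Value      = [int64]$item.SupportedEncryptionTypes
        Allowed    = @(ConvertFrom-KerberosEncTypes -Value $item.SupportedEncryptionTypes)
    }
}

# Constructed sample: AES128 + AES256 + Future = 0x7FFFFFF8 = 2147483640.
# Decodes to the three types named in the post; RC4_HMAC_MD5 (0x4) is not set.
$cisValue = 2147483640
"Sample value $cisValue allows: $((ConvertFrom-KerberosEncTypes -Value $cisValue) -join ', ')"

# Live check on this host
Get-KerberosEncTypePolicy | Format-List
```

Run the live check on a host where the DNS records fail to register and on one where they succeed; the difference in the decoded set is the setting to compare against what the DNS server's Kerberos keys support.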