Symantec Data Center Security: Server Advanced (DCSS-A) Blocks Active Directory Logon

Article ID: 159073

Products

Data Center Security Server Advanced

Issue/Introduction

When DCSS-A is installed on an asset machine, Active Directory (AD) logons are blocked after any 6.0 Revision 73 IPS policy is applied.

The following Windows error may be seen after login is attempted:

"The trust relationship between this workstation and the primary domain failed"

You will also see corresponding outbound Network Access blocks for UDP 389 and TCP 88 in the DCSS Manager on that asset.


Cause

This occurs because the ports and IP Address(es) that are needed to authenticate to the AD Server(s) are blocked.

This may also appear to be intermittent, or may not show up immediately after the policy is applied. This is because of the Cached Credentials feature of Windows, which is used to authenticate a user locally when the AD server cannot be reached. By default, Windows caches the last 10 logons and allows a logon to proceed if the credentials used match those saved in the Cached Credentials, so the block only becomes visible once a logon cannot be satisfied from the cache.

Resolution

The workaround is to edit the Local Security Authority Subsystem Service (LSASS) Sandbox in DCSS-A, and allow outbound network traffic on UDP 389 and TCP 88 to either:

1) The IP address of an individual/lone AD Controller that the asset will authenticate against

2) An IP Address range, in CIDR format, of the AD Controllers that authenticate users in the network

3) The local IP address subnet
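The three allow-list options above differ in how much of the network they open to LSASS beyond the domain controllers themselves, and option 3 only works when every controller the asset authenticates against sits on the local subnet. The following script is an added example (not Symantec's code and not part of the original article) that, given a constructed list of AD controller addresses and the asset's local subnet, derives each option's rule target, counts the non-controller addresses it would additionally allow, and flags controllers an option fails to cover. The controller addresses, the local subnet and the function names are assumptions for illustration; the ports are the UDP 389 and TCP 88 named in the article.

```python
import ipaddress
import socket

# Outbound ports the article says the LSASS sandbox must be allowed to reach on the DCs.
AD_AUTH_PORTS = (("udp", 389), ("tcp", 88))

# Constructed sample values (assumptions, not from the article): three domain
# controllers, two on the asset's own /24 and one on a neighbouring subnet.
DC_IPS = ["10.20.1.10", "10.20.1.11", "10.20.3.20"]
LOCAL_SUBNET = "10.20.1.0/24"


def smallest_covering_cidr(ips):
    """Return the single smallest IPv4 network that contains every address in ips
    (option 2 in the article: one CIDR range for all controllers)."""
    hosts = [ipaddress.ip_network(ip) for ip in ips]  # each becomes a /32
    net = hosts[0]
    # Widen the prefix one bit at a time until every controller falls inside it.
    while not all(h.subnet_of(net) for h in hosts):
        net = net.supernet()
    return net


def dcs_not_covered(networks, dc_ips):
    """List the controllers (as strings) that none of the given networks contain.
    A non-empty result means logons against those DCs would still be blocked."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    return [ip for ip in dc_ips if not any(ipaddress.ip_address(ip) in n for n in nets)]


def allow_list_options(dc_ips, local_subnet):
    """Build the rule target for each of the article's three options and count how
    many addresses beyond the controllers each one would additionally allow."""
    dcs = {ipaddress.ip_address(ip) for ip in dc_ips}
    covering = smallest_covering_cidr(dc_ips)
    local = ipaddress.ip_network(local_subnet, strict=False)

    options = {
        "individual": [str(ipaddress.ip_network(ip)) for ip in sorted(dcs)],
        "cidr": str(covering),
        "local_subnet": str(local),
    }
    # Least-privilege view: addresses the rule opens that are not domain controllers.
    excess = {
        "individual": 0,
        "cidr": covering.num_addresses - len(dcs),
        "local_subnet": local.num_addresses - sum(1 for d in dcs if d in local),
    }
    return options, excess


def kerberos_tcp_reachable(dc_ip, timeout=2.0):
    """After the sandbox rule is in place, confirm the asset can open TCP 88 to a DC.
    Only a transport check: it does not perform a Kerberos exchange."""
    try:
        with socket.create_connection((dc_ip, 88), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    opts, extra = allow_list_options(DC_IPS, LOCAL_SUBNET)
    for name in ("individual", "cidr", "local_subnet"):
        targets = opts[name] if isinstance(opts[name], list) else [opts[name]]
        missing = dcs_not_covered(targets, DC_IPS)
        print(f"{name:13s} target={opts[name]} extra_hosts={extra[name]} "
              f"uncovered_dcs={missing or 'none'}")
    for proto, port in AD_AUTH_PORTS:
        print(f"rule needed: outbound {proto.upper()} {port} from the LSASS sandbox")
```

Run on the sample values, the script shows that the single-CIDR option needs 10.20.0.0/22 and therefore opens 1021 non-controller addresses, while the local-subnet option leaves 10.20.3.20 uncovered, so logons that land on that controller would still fail. Listing the controllers individually (option 1) is the narrowest rule; re-run `kerberos_tcp_reachable` from the asset after editing the sandbox to confirm the change took effect before relying on a logon, since a cached logon can succeed even while the ports remain blocked.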

Applies To

This was tested on a Windows 7 agent authenticating to a Windows Server 2012 machine running Active Directory.