Symantec Data Center Security: Server Advanced (DCSS-A) Blocks Active Directory Logon
Last Updated March 18, 2014
When DCSS-A is installed on an Asset machine, after applying any 6.0 Revision 73 IPS policy, Active Directory (AD) logons are blocked.
The following Windows error may be seen after login is attempted:
"The trust relationship between this workstation and the primary domain failed"
You will also see corresponding outbound Network Access blocks for UDP 389 and TCP 88 in the DCSS Manager on that asset.
This occurs because the ports and IP Address(es) that are needed to authenticate to the AD Server(s) are blocked.
The problem may also appear intermittent, or may not show up immediately after the policy is applied. This is because of the Cached Credentials feature of Windows, which authenticates a user locally when the AD server cannot be reached. By default, Windows caches the last 10 logons, and allows a logon to proceed if the credentials used match an entry saved in the Cached Credentials.
The workaround is to edit the Local Security Authority Subsystem Service (LSASS) Sandbox in DCSS-A and allow outbound network traffic on UDP 389 and TCP 88 to one of the following:
1) The IP address of an individual/lone AD Controller that the asset will authenticate against
2) An IP Address range, in CIDR format, of the AD Controllers that authenticate users in the network
3) The local IP address subnet
This was tested on a Windows 7 Agent authenticating to a 2012 Server running Active Directory.
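The following diagnostic is an added example, not part of the Symantec article: run on the affected asset, it lists the domain controller addresses that would go into the LSASS Sandbox rule, reads the cached logon count that masks the block, and drives DC location and secure-channel verification through nltest so that the traffic originates from lsass.exe, the process the sandbox rule actually governs. It assumes a domain-joined Windows host with nltest.exe available and an elevated PowerShell session.

```powershell
# Added diagnostic for the scenario in this article; it is not Symantec code.
# Run on the DCSS-A asset (domain-joined, elevated) before and after applying the
# IPS policy. Assumes nltest.exe is present (Windows 7 / Server 2008 R2 and later).

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# 1. Values for the LSASS Sandbox rule: each DC's name and IPv4 address(es).
Write-Host "Domain controllers for $($domain.Name):"
foreach ($dc in $domain.DomainControllers) {
    $ipv4 = [System.Net.Dns]::GetHostAddresses($dc.Name) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    Write-Host ("  {0,-40} {1}" -f $dc.Name, ($ipv4 -join ', '))
}

# 2. Cached credential fallback. The Windows default of 10 is why the block can
#    look intermittent; a missing registry value means the default is in effect.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10 (default)' }
Write-Host "CachedLogonsCount: $cached"

# 3. Exercise the blocked paths from inside lsass.exe (the Netlogon service runs
#    there), not from this shell, which the LSASS Sandbox rule does not govern:
#    /dsgetdc with /force redoes DC location, i.e. the LDAP ping over UDP 389;
#    /sc_verify re-validates the machine account's secure channel to the DC.
function Invoke-Nltest {
    param([string[]]$Arguments)
    $output = & nltest.exe @Arguments 2>&1
    $ok = ($LASTEXITCODE -eq 0)
    $verdict = if ($ok) { 'OK' } else { 'FAILED - check DCSS Manager for Network Access blocks' }
    Write-Host ("nltest {0}: {1}" -f ($Arguments -join ' '), $verdict)
    $output | ForEach-Object { Write-Host "    $_" }
    return $ok
}

$located  = Invoke-Nltest @("/dsgetdc:$($domain.Name)", '/force')
$verified = Invoke-Nltest @("/sc_verify:$($domain.Name)")
if ($located -and $verified) {
    Write-Host 'LSASS can reach a domain controller; AD logons should succeed.'
}
```

A successful connect from powershell.exe alone would not prove anything about the LSASS Sandbox, which is why the probes are routed through nltest; a failure here should line up with the UDP 389 / TCP 88 Network Access block events in the DCSS Manager.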
Imported Document ID: TECH215917