Thursday, January 23, 2020

Windows Server - Secure Channel

What is a secure channel?

A secure channel is used for all communication between a domain member and its domain
The NetLogon service uses the computer account's credentials (the machine account password, stored locally as an LSA secret) to log on to the domain, which establishes the secure channel with a domain controller. This secure channel between a computer and a domain controller is used for all of the computer's communication with the domain, including pass-through authentication of the users who sign in on it.
If the computer cannot sign in successfully, the secure channel is not established. The effect is similar to a user entering the wrong user name or password: in both cases, authentication to the domain fails.

Can the secure channel be broken?

A visual representation of the three ways the secure channel can be broken.
Computer accounts and the secure relationships between computers and their domain are robust. Nevertheless, there are certain scenarios in which a computer cannot authenticate with the domain.
  • Reinstalling the operating system. After a reinstall the computer cannot authenticate, even if it was given the same computer name as the previous installation. The computer object (and its SID) still exists in the domain, but the fresh installation has a new local machine SID and no copy of the computer account password in its LSA secret, so as far as the domain is concerned it is a different computer that does not belong to the domain.
  • Computer inactivity. If a computer has not been used for an extended period, an administrator may have reset or deleted the computer account. This can happen when a user works offline for a long time, or when a spare computer has not been needed for a long time.
  • Password synchronization. The computer account password in the computer's LSA secret no longer matches the password the domain holds. NetLogon rotates this password automatically (every 30 days by default), so restoring a machine from an older image or virtual-machine snapshot is a common way to end up with a stale copy. You can think of this as the computer forgetting its password; more precisely, the computer and the domain disagree about what the password is. When this happens, the computer cannot authenticate and the secure channel cannot be created.

Broken channel symptoms

Know the symptoms of a broken secure channel
A broken computer account manifests itself through a variety of symptoms, error messages, and event log entries. The most common signs of computer account problems are sign-in messages and event log messages.
Sign-in messages
Screenshot of a user login error: The trust relationship between this workstation and the primary domain failed.
Messages at sign-in indicate that a domain controller cannot be contacted, that the computer account might be missing, that the password on the computer account is incorrect, or that the trust relationship (also called the secure relationship) between the computer and the domain has been lost.
Event log messages
Screenshot of NetLogon Event ID 5722: The session setup from the computer failed to authenticate. Access denied.
Error messages or events in the event log indicate similar problems, or state that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed. Note where to look: Event ID 5722 is written to the System log of the domain controller that rejected the session setup, while the affected computer itself logs NetLogon events such as 3210 (could not authenticate with the domain controller) or 5719 (no domain controller available) in its own System log.

Resetting the secure channel

Know what to do if the secure channel is broken
When the secure channel fails, you must reset the computer account. One way is the Reset Account command in the Active Directory Users and Computers snap-in, which resets the account password on the domain side; the computer must then be rejoined to the domain so that its local LSA secret matches again. When you reset an account this way the computer's SID remains the same, and the computer keeps its group memberships. If you prefer PowerShell, run Test-ComputerSecureChannel -Repair on the affected computer with the credentials of an account that is allowed to reset that computer object (Reset-ComputerMachinePassword does the same job). This resets the password on both sides at once, so no disjoin and rejoin is needed.
Screenshot of the Reset Account menu selection obtained by right-clicking on a domain computer, LON-CL1.
You can also repair the relationship by disjoining the computer from the domain (placing it in a workgroup) and then rejoining the domain. This is not good practice. Disjoining disables the computer object, and if the object is deleted before the rejoin (or has already been deleted), the computer's SID and group memberships go with it. When you rejoin the computer, even with the same name, a new object with a new SID is created, and all the group memberships of the previous computer object must be recreated.
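The diagnose-and-repair sequence described in the two sections above, written out as an added example (this is not code from the original post). It is meant to be run in an elevated Windows PowerShell session on the affected workstation; the domain name, domain controller name and event IDs queried are assumptions that you should substitute with your own, and the domain-controller query requires remote event log access to that DC.

```powershell
# Added example: diagnose and repair a broken secure channel from the client side.
$Domain = 'adatum.com'            # assumption: your AD DS domain
$DC     = 'LON-DC1.adatum.com'    # assumption: a reachable domain controller
$Cred   = Get-Credential -Message 'Account permitted to reset this computer object'

# 1. Check the channel. Returns $true when the machine account password in the
#    local LSA secret still matches the one the domain holds.
$ok = Test-ComputerSecureChannel -Server $DC -Verbose
"Secure channel OK: $ok"

# 2. Client-side symptoms: NetLogon 3210 (could not authenticate with the DC)
#    and 5719 (no DC available) land in this computer's System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5719 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. DC-side symptom: 5722 is logged on the domain controller that rejected the
#    session setup, so query it there (assumes remote event log access).
Get-WinEvent -ComputerName $DC -Credential $Cred `
    -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5722 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. Cross-check with the native tool; works on hosts without the newer cmdlets.
nltest /sc_query:$Domain

# 5. Repair in place: sets a new machine account password on the DC and in the
#    local LSA secret. The computer object, its SID and its group memberships
#    are untouched, so no disjoin/rejoin is needed.
if (-not $ok) {
    Test-ComputerSecureChannel -Repair -Server $DC -Credential $Cred
    # Equivalent: Reset-ComputerMachinePassword -Server $DC -Credential $Cred
    $ok = Test-ComputerSecureChannel -Server $DC
    "Secure channel after repair: $ok"
}
```

If -Repair itself fails, the usual cause is that the computer object has been deleted rather than merely out of sync; in that case there is nothing on the domain side to reset against, and the computer has to be rejoined as described in the next section.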

Rejoining the domain

After the computer account has been reset (and in every case where the account had to be recreated), you can rejoin the computer to the domain.
Screenshot of the Join a Domain or Workgroup login page. The username, password, and domain information is displayed.
To join a computer to an AD DS domain, three conditions must be met:
  • If a computer object with the same name already exists, you must have appropriate permissions on that computer object so that you can join a physical computer with that name to it.
  • You must be a member of the local Administrators group on the computer. This allows you to change the computer's domain or workgroup membership.
  • You must either have delegated rights to create computer objects in the domain (or in the target OU), or you must not have exceeded the number of computer accounts that ordinary users can add to the domain. By default, users can add a maximum of 10 computers to the domain; this limit is the ms-DS-MachineAccountQuota attribute on the domain object, and setting it to 0 forces all joins through delegated permissions.
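The join procedure above, with each of the three conditions checked before the join, as an added example (not code from the original post). It assumes Windows PowerShell 5.1 on the client, the RSAT ActiveDirectory module for the quota and object lookups, and an example domain and computer name that you should replace.

```powershell
# Added example: verify the three join conditions, then join the domain.
$Domain  = 'adatum.com'    # assumption: target AD DS domain
$Name    = 'LON-CL1'       # assumption: this computer's name
$Cred    = Get-Credential -Message "$Domain account used for the join"

# Condition 2: the session must run as a local Administrator on this computer.
$id = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $id.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated session as a member of the local Administrators group.'
}

# Condition 3: read the per-user quota from the domain object (default 10).
# A value of 0 means only accounts with delegated rights can create computer objects.
Import-Module ActiveDirectory   # assumes RSAT is installed on the client
$dom   = Get-ADDomain -Server $Domain -Credential $Cred
$quota = (Get-ADObject -Identity $dom.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota' -Server $Domain -Credential $Cred
         ).'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $Domain = $quota"

# Condition 1: if an object with this name already exists, the join account needs
# permissions on it. Seeing the object here (with its SID) also confirms the
# account was reset rather than deleted, so the SID and memberships survive.
$existing = Get-ADComputer -Filter "Name -eq '$Name'" -Server $Domain -Credential $Cred
if ($existing) {
    "Existing object: $($existing.DistinguishedName)"
    "SID: $($existing.SID)  Enabled: $($existing.Enabled)"
} else {
    "No object named $Name exists; the join will create one (counts against the quota)."
}

# Join and restart. -Force suppresses the confirmation prompt; omit -Restart if you
# want to inspect the result first (the join takes effect after a reboot).
Add-Computer -DomainName $Domain -Credential $Cred -Restart -Force
```

After the reboot, Test-ComputerSecureChannel on the rejoined computer should return True, and the object in Active Directory Users and Computers should show the same SID that was listed before the join.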
