• "The trust relationship between this workstation and the primary domain failed."

    Posted over 2 years ago
    by Paulo Viralhadas}

    How many times have you came across reports of users complaining that they cannot logon to the domain?

    Logon fails with "The trust relationship between this workstation and the primary domain failed."

    Additionally the NETLOGON service also logs:

    Event ID 5723

    "The session setup from the computer DOMAINMEMBER failed to authenticate.
    The name of the account referenced in the security database is DOMAINMEMBER$.

    The following error occurred: Access is denied."

    What do you have to do in those cases?

    Exactly... I heard you saying "Disjoin and rejoin the machine to the domain"

    Some of you may wonder why we can’t just reset the computer account password in AD and fix the problem.

    Well by resetting the computer account password, AD sets the password to the default value and the probability of the member having the same password is practically null.

    Every domain member has a secure channel (SC) with a domain controller, this SC is created and mantained by the NETLOGON service on both member and DC.
    (Like users, computers also have passwords which are managed automatically).

    If the SC gets broken the member won't be able to authenticate in the domain.

    Note:

    A secure channel is an authenticated remote procedure call (RPC) connection between two machines in a domain with an established security context used for signing and encrypting RPC packets.

    For the SC to be successfully established, the computer account password (stored in Active Directory) and the member's password (known as LSA secret and stored in the member) have to be in sync.

    The member has to change its password every 30 days by default.

    This setting is controlled by "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age" using Local computer policies or domain GPOs.

    Note:
    If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker will have more time to undertake a brute force attack to guess the password of one or more computer accounts.

    For more information on recommended security settings see Microsoft Security Compliance Manager (SCM) which you can download from: http://www.microsoft.com/en-us/download/details.aspx?id=16776

    So you might be asking what can go wrong if the member's password is automatically changed and managed.

    One thing that is very important to keep in mind is that the requirements for a machine to change its password has changed in versions later than Windows XP/Server 2003.

    Later OSes only change their password if they can contact a DC whereas Windows XP/Server 2003 change their password even without being able to contact a DC.

    Which breaks the secure channel immediately.

    Let me give you 3 examples for clarity sake:

    Example 1:

    Joe laptop (running XP) changes its password on Nov 15 (and syncs with AD)

    Joe goes on leave and takes his laptop with him on Dec 1

    On Dec 15 while Joe was preparing his agenda for his 1st day of work, his laptop decides to change its password without being able to notify the DC

    Joe returns on Dec 16

    when he tries to logon he gets the message mentioned above - and you get a phone call :)

    Example 2:

    Same situation but now Joe closes his laptop and leaves it on his desk.

    When he returns notices his laptop has been stolen...

    please ignore previous line :)

    starts his laptop and logs on without problems.

    The computer password gets reset later on the same day and life goes on.

    Example 3:

    Wisely the IT department has upgraded all laptops to Windows 8.

    So when Joe returns from leave experiences no problems logging on to the domain because his computer only changes its password if it can contact a DC.

    By the way if you read my previous blog, mind the Windows XP support lifecycle note.

    Recently I came across an issue that has been puzzling System Admins minds for some time.

    Since deployment of Windows 7 that machines in training rooms where "re-imaged" as needed via SCCM.

    However broken secure channels where happening daily on many of them.

    You may ask how that can happen if Windows 7 doesn't change the password unless it can communicate with a DC.

    Well cutting a long story short, after enabling netlogon logging on the DCs (http://support.microsoft.com/kb/109626) and analysing a number of netlogon logs, I ended up finding a number of Windows XP machines that no one was aware of and that didn't even appear in SCCM since they were not managed via SCCM.

    Basically found out that a particular branch was still using the old re-imaging process with Windows XP images using the same names as the Windows 7 machines, thus using and changing the password of Windows 7 members.

    So once a Windows 7 member tries to authenticate it would fail and that was happening on an endless loop, because the Windows 7 admins would disjoin/re-jointhe Windows 7 box (thus fixing the SC problem) and then the XP admin would do the same on the XP machine.


    This post is a bit long now so I will add another one for the ones interested in knowing that SC issues may also occur on DCs and Domain trusts.
    Additionally, tools we can use for troubleshooting.

    As always you are very welcome to add your comments!

    Thanks

    Paulo

  • WMI through firewall

    Posted over 2 years ago
    by Paulo Viralhadas}

    In a number of ocasions have been asked to configure services running under the svchost process to pass through the Firewall on Windows XP.
    Particularly for WMI access as administrators and applications might need it for performing data collection, monitoring and other administrative tasks.


    The problem is that Windows Firewall on XP doesn’t allow to add SVCHOST.exe as a Program exception (the reason behind it is that other services run under SVCHOST and there are several SVCHOST processes running at the same time).
    An example is wmimgmt which runs along with AudioSrv, Browser, CryptSvc, etc, under the same SVCHOST process.
    Additionally the RPC ports used by the services running under the SVCHOST processes are assigned dynamically by default.


    This is very easy to configure if you are using Windows Firewall with Advanced Security on clients running Windows Vista or above, on XP is a diferent story though.
    By the way the Mainstream Support phase ended on 2009/04/14 and the Extended Support phase will end on 2014/04/08.
    Which means you have had 5 years to plan and upgrade to a newer client OS.
    If haven't done so yet I strongly recommend you to start right away (You may get more info on the support lifecycle for Windows XP in http://support.microsoft.com/lifecycle/?LN=en-gb&C2=1173).

    Note:
    When using GPOs to configure firewall settings XP settings should be configured under Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall.
    Computer Configurations/Windows Settings/Security Settings/Windows Firewall with Advanced Security only applies to Windows Vista or above.
        
    So, first we need to configure WMI to run on a separate SVCHOST process:

    To configure Windows Management Instrumentation Service (wmimgmt) to run under a separate SVCHOST process.
    1.Install Hotfix that is mentioned in http://support.microsoft.com/kb/897571
    2.Click Start, click Run, type Cmd, and then click OK.
    3.At a command prompt, type net stop winmgmt, and then press ENTER.
    4.Click Start, click Run, type Notepad, and then click OK.
    5.Copy the following code into Notepad. 
     
    Windows Registry Editor Version 5.00
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    "Winmgmt"=hex(7):77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,00,00
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\winmgmt]
    "CoInitializeSecurityParam"=dword:00000001
    "AuthenticationCapabilities"=dword:00003020
    "CoInitializeSecurityAppID"="{D16904E8-7F7D-4821-ACF5-FDE160CBE65E}"
     
    [HKEY_CLASSES_ROOT\AppID\{D16904E8-7F7D-4821-ACF5-FDE160CBE65E}]
    @="Svchost_winmgmt"
    "EndPoints"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,74,00,\
    63,00,70,00,2c,00,30,00,2c,00,34,00,33,00,32,00,31,00,00,00,00,00

     
    Note:
    In this code we configure the port number 4321 as an example.
    You may use Dcomcnfg.exe tool to set the port number later.
     
    6.Save the file that you created in step 5. Name the file Winmgmtsvc.reg
    7.Double-click Winmgmtsvc.reg, click Yes to add the information to the registry, and then click OK.
    8.Click Start, click Run, type sc config winmgmt binPath= "%systemroot%\system32\svchost.exe -k winmgmt", and then click OK.
     
    Note:
    This command configures the WMI service to run in a separate process.
    In this command, the quotation marks are required.
    In this command, the space after binPath= is required.
     
     "Path to executable"


    Now to configure wmimgmt to use a static endpoint. (in order to change the port used in the example above ie. 4321)


    9.Click Start, click Run, type dcomcnfg , and then click OK.
    10.Under Console Root, expand Component Services, expand Computers, expand My Computer, and then expand DCOM Config.
    11.Right-click Svchost_winmgmt, and then click Properties.
    12.On the Endpoints tab, click Add.
    13.Click Static endpoint, configure the static endpoint that you want, and then click OK two times.
    14.Click Start, click Run, type Cmd, and then click OK.
    15.At a command prompt, type net start winmgmt, and then press ENTER.
     
    Note:

    This specifies a static port instead of the WMI default dynamic port behavior.
    The static endpoint will not be visible by using Netstat.exe until a remote WMI request is sent to the server.
     


    Finally configure “Define Inbound Port Exception” under Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain profile for the same port configured on the action above.
    The settings should look as follows:
    Windows Firewall: Protect all network connections  Enabled
    Windows Firewall: Define port exceptions
    135:TCP:*:enabled:EPM-DCOM135
    4321:TCP:*:enabled:winmgmt4321 (NOTE: This is according to the example above, Should be changed to the port you selected)
     
    Note:
    This procedure is described on KB897571 and although the article doesn’t refer to Windows XP, the same hotfix is also available for XP.
    hotfix - fix230723 is REQUIRED, without the hotfix these settings are ignored.
    You might be able to use the same concept for other services running under SVCHOST.

     

    Important: I strongly recommend the above to be tested for functionality and security before deploying to production.

    You're more than welcome to share your views.

    Thanks

    Paulo