This question builds off of a previous issue that I had with LDAP responses from both DCs. After analyzing the capture file of our vendor's requesting server, I have come across something that concerns me. Everything works when they configure their server to point at only one of our DCs. When they configure another of our DCs as a failover server, things start to fail. The traffic happens as follows when things work correctly and users are allowed into the application. I'm using example IP addresses (real IP addresses are public):
192.168.105.74 10.10.2.31 TCP 55555 > LDAP [syn] seq=0 win=8192 len=0 mss=1380 ws=256
10.10.2.31 192.168.105.74 TCP LDAP > 55555 [syn,ack] seq=0 win=8192 len=0 mss=1460 ws=256
192.168.105.74 10.10.2.31 TCP 55555 > LDAP [ack] seq=1 win=66048 len=0
192.168.105.74 10.10.2.31 LDAP SearchRequest(3912) "<Roots>" baseObject
When it goes wrong, there are two handshakes going on simultaneously with one handshake finishing and the other reporting:
192.168.105.74 10.10.2.31 TCP [TCP Dup ack 984#1] 55555 > LDAP [ack] seq=1 win=66048 len=0
Would this cause both handshakes to fail? This seems to be the only difference between the passing and failing authentication. If anyone could shed some light on the subject it would be greatly appreciated. I'm excited to hear everyone's opinions because I want to learn how to read all of this stuff in Wireshark.
Thanks to all
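A small parser that groups capture lines in the layout quoted above by client/port/server and names what keeps each flow from being a clean SYN, SYN-ACK, ACK followed by an LDAP request. It is an added example, not code from the question or its answers; it assumes Wireshark's default "src dst proto info" column order, and the sample lines are constructed, not real traffic.

```python
from collections import defaultdict
import re
# Constructed sample in the layout of the capture lines quoted in the question; not real
# traffic. Port 55555 completes and sends an LDAP request; port 55556 re-SYNs and Dup ACKs.
SAMPLE = """\
192.168.105.74 10.10.2.31 TCP 55555 > LDAP [SYN] Seq=0 Win=8192 Len=0
10.10.2.31 192.168.105.74 TCP LDAP > 55555 [SYN, ACK] Seq=0 Win=8192 Len=0
192.168.105.74 10.10.2.31 TCP 55555 > LDAP [ACK] Seq=1 Win=66048 Len=0
192.168.105.74 10.10.2.31 LDAP SearchRequest(3912) "<ROOT>" baseObject
192.168.105.74 10.10.2.31 TCP 55556 > LDAP [SYN] Seq=0 Win=8192 Len=0
192.168.105.74 10.10.2.31 TCP 55556 > LDAP [SYN] Seq=0 Win=8192 Len=0
10.10.2.31 192.168.105.74 TCP LDAP > 55556 [SYN, ACK] Seq=0 Win=8192 Len=0
192.168.105.74 10.10.2.31 TCP [TCP Dup ACK 7#1] 55556 > LDAP [ACK] Seq=1 Win=66048 Len=0
"""
PORTS = re.compile(r"(\S+) > (\S+) \[([^\]]*)\]")
STEP = {"SYN": "syn", "SYN, ACK": "synack", "ACK": "ack"}

def parse(text):
    """Group packets by (client, client port, server) and count handshake steps."""
    flows = defaultdict(lambda: dict(syn=0, synack=0, ack=0, dupack=0, ldap=0))
    last = {}  # (src, dst) -> flow key most recently seen between that pair
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        src, dst, proto, info = parts
        if proto == "LDAP":  # application data rides on the latest flow
            if (src, dst) in last:
                flows[last[(src, dst)]]["ldap"] += 1
            continue
        pm = PORTS.search(info)
        if not pm:
            continue
        sport, dport, flags = pm.groups()
        key = (dst, dport, src) if sport == "LDAP" else (src, sport, dst)  # client holds the ephemeral port
        last[(src, dst)] = last[(dst, src)] = key
        if "Dup ACK" in info:  # Wireshark's analysis flag; the segment is still an ACK
            flows[key]["dupack"] += 1
        if flags in STEP:
            flows[key][STEP[flags]] += 1
    return flows

def anomalies(flows):
    """Name what keeps each flow from a clean SYN/SYN-ACK/ACK plus LDAP request."""
    checks = [("repeated SYN", lambda f: f["syn"] > 1),
              ("duplicate ACK", lambda f: f["dupack"] > 0),
              ("handshake incomplete", lambda f: not (f["synack"] and f["ack"])),
              ("no LDAP request", lambda f: f["ldap"] == 0)]
    return {k: [n for n, bad in checks if bad(f)]
            for k, f in flows.items() if any(bad(f) for _, bad in checks)}
```

Running `anomalies(parse(SAMPLE))` reports only the port 55556 flow, with "repeated SYN", "duplicate ACK" and "no LDAP request"; feeding it an export of the real capture (File > Export Packet Dissections > As Plain Text, summary lines only) shows which of the two overlapping handshakes never carries a SearchRequest.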