BitLocker Network Unlock Only Working w/ IPv6, not IPv4?



Hey, o/

I'm running Windows Server 2016 in VirtualBox. The server is running AD, DNS and WDS services and I have BitLocker Network Unlock configured. It works OK via link-local auto-configured IPv6, but for some reason it doesn't work when I disable IPv6 on the server and force the client to use IPv4.

Everything seems to look OK, yet via IPv4 the client fails to unlock the OS drive and boot; I get the BitLocker blue screen prompting me to enter the PIN manually.

I went through the WDS logs on the server and activated debug logging. With IPv6 it logs some errors (I don't know what those mean) and then, in the next step, logs info about getting keys and sending them back to the client.

With IPv4 it logs zero errors and also logs info about getting the NKP from the client and sending it back to the client properly, yet it fails to unlock.

I used Wireshark on the server side to log what's going on, and even in Wireshark everything seems to be working correctly. I'm kind of stuck at this point. Any help, ideas or tips would be amazing. Thank you.

I also tried putting a hub right before the test client PC and connecting a notebook to it to check whether the last unlock packet from the server actually gets to the client and doesn't get dropped somewhere on the way. It does indeed arrive fine and I can sniff it with Wireshark.

One thing to note is that the DHCPv4 service is running on a separate Linux server and IPs are being distributed based on MAC addresses, but that shouldn't be a problem in this case. (The manual for BitLocker Network Unlock says that DHCP has to be on a different server anyway.)

IPv6 Wireshark log, which unlocks the client PC correctly.

fe80::5c29:1256:285c:7ba being the Windows Server 2016 on VirtualBox

fe80::ec4:7aff:fec9:bb42 being the client. The highlighted message is the last packet, which contains the final intermediate key that combines with the key from the TPM, unlocks the OS volume and allows for the network boot.


WDS debug log:

[WDSServer] [NetMon] Interfaces Changed.

[WDSServer] Interfaces visible to WDS Server:

[WDSServer] Interface: fe80::5c29:1256:285c:7ba

[WDSServer] Interface:

[WDSServer] Interface: ::1

[WDSServer/WDSPXE] [onecore\base\eco\wds\wdslib\dhcplib\dhcpv6options.cpp:1587] Expression: , Win32 Error=0x2

[WDSServer/WDSPXE] [base\eco\wds\wdssrv\wdspxe\src\pxeapi.cpp:1691] Expression: , Win32 Error=0x2

[WDSServer/WDSPXE] [onecore\base\eco\wds\wdslib\dhcplib\dhcpv6options.cpp:1587] Expression: , Win32 Error=0x2

[WDSServer/WDSPXE] [base\eco\wds\wdssrv\wdspxe\src\pxeapi.cpp:1691] Expression: , Win32 Error=0x2

[WDSServer/WDSPXE] [onecore\base\eco\wds\wdslib\dhcplib\dhcpv6options.cpp:1587] Expression: , Win32 Error=0x2

[WDSServer/WDSPXE] [base\eco\wds\wdssrv\wdspxe\src\pxeapi.cpp:1691] Expression: , Win32 Error=0x2

[WDSServer/WDSPXE] [onecore\base\eco\wds\wdslib\dhcplib\dhcpv6options.cpp:1587] Expression: , Win32 Error=0x2

[WDSServer/WDSPXE] [base\eco\wds\wdssrv\wdspxe\src\pxeapi.cpp:1691] Expression: , Win32 Error=0x2

[WDSServer/WDSPXE] [onecore\base\eco\wds\wdslib\dhcplib\dhcpv6options.cpp:1587] Expression: , Win32 Error=0x2

[WDSServer/WDSPXE] [base\eco\wds\wdssrv\wdspxe\src\pxeapi.cpp:1691] Expression: , Win32 Error=0x2

[WDSServer/WDSPXE/NKPPROV] Received NKP IPv6 request. Remote address: fe80:0:0:0:ec4:7aff:fec9:bb42, Port: 546, Packet length: 351.

[WDSServer/WDSPXE/NKPPROV] NKP request processing succeeded. Remote address: fe80:0:0:0:ec4:7aff:fec9:bb42, Link address: 0:0:0:0:0:0:0:0, Port: 546, Reply packet length: 135.

IPv4 Wireshark log, which looks OK to me, but the client just won't unlock and the PC asks me for the PIN to unlock the OS volume. - server - client


WDS debug log:

[WDSServer/WDSPXE/NKPPROV] Received NKP IPv4 request. Remote address:, Packet length: 630.

[WDSServer/WDSPXE/NKPPROV] NKP request processing succeeded. Remote address:, Reply packet length: 316.
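
For comparing the two runs side by side, the WDS debug lines above can be summarized per NKP exchange. This is an added example, not part of the original post; the function name `summarize_nkp` is hypothetical and the sample lines are copied from the log excerpts above.

```python
import re

# Sample lines copied from the WDS debug log in the post; the IPv4 remote
# address is blank there, so the parser has to tolerate an empty field.
SAMPLE_LOG = r"""
[WDSServer/WDSPXE] [onecore\base\eco\wds\wdslib\dhcplib\dhcpv6options.cpp:1587] Expression: , Win32 Error=0x2
[WDSServer/WDSPXE] [base\eco\wds\wdssrv\wdspxe\src\pxeapi.cpp:1691] Expression: , Win32 Error=0x2
[WDSServer/WDSPXE/NKPPROV] Received NKP IPv6 request. Remote address: fe80:0:0:0:ec4:7aff:fec9:bb42, Port: 546, Packet length: 351.
[WDSServer/WDSPXE/NKPPROV] NKP request processing succeeded. Remote address: fe80:0:0:0:ec4:7aff:fec9:bb42, Link address: 0:0:0:0:0:0:0:0, Port: 546, Reply packet length: 135.
[WDSServer/WDSPXE/NKPPROV] Received NKP IPv4 request. Remote address:, Packet length: 630.
[WDSServer/WDSPXE/NKPPROV] NKP request processing succeeded. Remote address:, Reply packet length: 316.
"""

REQ = re.compile(r"\[WDSServer/WDSPXE/NKPPROV\] Received NKP (IPv[46]) request\. "
                 r"Remote address:\s*([^,]*),.*?Packet length: (\d+)\.")
OK = re.compile(r"\[WDSServer/WDSPXE/NKPPROV\] NKP request processing succeeded\."
                r".*?Reply packet length: (\d+)\.")
ERR = re.compile(r"\[([^\]]+:\d+)\] Expression: .*Win32 Error=(0x[0-9A-Fa-f]+)")


def summarize_nkp(log_text):
    """Pair each NKP request with the reply logged after it.

    Returns one dict per request: family, remote, request_len, reply_len
    (None if no success line followed) and the Win32 errors logged since
    the previous request.
    """
    exchanges, pending_errors, current = [], [], None
    for line in log_text.splitlines():
        if m := ERR.search(line):
            pending_errors.append((m.group(1), m.group(2)))
        elif m := REQ.search(line):
            current = {"family": m.group(1), "remote": m.group(2).strip() or None,
                       "request_len": int(m.group(3)), "reply_len": None,
                       "errors_before": pending_errors}
            pending_errors = []
            exchanges.append(current)
        elif (m := OK.search(line)) and current and current["reply_len"] is None:
            current["reply_len"] = int(m.group(1))
    return exchanges


if __name__ == "__main__":
    for ex in summarize_nkp(SAMPLE_LOG):
        print(ex["family"], ex["remote"], ex["request_len"], "->", ex["reply_len"],
              f"({len(ex['errors_before'])} errors logged before request)")
```

The summary reflects only what the server logged; whether the client accepted the reply still has to be checked on the client side or in the packet capture.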
