Firewall preventing users logging on to domain


I am testing CIS (AV, Firewall & Defense+) in our Active Directory domain. I am having some problems with users logging on to the domain after CIS has been installed. Clients are running Windows XP, domain controller is Windows 2K3.

Once installed, I can log on to the client locally, and when I do so, a new network is detected by CIS. If I attempt to log on to the domain, the user cannot logon. After entering the username and password, the screen freezes for several minutes, and there is no disk activity. Then the message ‘loading your personal settings’ is displayed. If I leave it long enough (45 minutes or more) an error message is displayed saying the profile cannot be found.

I have tried amending the global rules to allow all traffic with a source address of the domain controller. I have also tried disabling AV, Firewall and Defense+, but still get the same result. The only way around this, is to completely remove CIS.

The problem doesn’t occur on all clients, but a significant number, about 50%.

Any suggestions would be appreciated.



The Protocol and Port requirement is quite complex in AD. The first thing to ensure is that you have defined a trusted network. Open:

CIS/Firewall/Common Tasks/ Create a new Trusted network, Stealth my Port to everyone else

Enter the details of the network. This will create a pair of Global Rules that allow communication on your LAN.

Try this and test communication: You might also want to read the following:


Thanks for the advice, and document link.

I opened Firewall > Common Tasks > Stealth Ports Wizard > Define a new trusted network stealth my ports to everyone else.

I selected “I would like to define and trust a new network zone”, and entered IP range - This range cantains all servers and networking equipment, clients are onwards.

2 new global rules now allow incoming and outgoing traffic for that IP range, however, I still have the same problem.


Ok, I’m assuming the firewall is installed on the client and not on the server?

A couple things before we get carried away. First, can you tell me your settings for the firewall. Second, make sure you have basic connectivity.

Open a command prompt and ping the server.
Also try a net view.

That will give us some clues.

The firewall is installed on the client only.

I have not created any settings for the firewall, just installed it, then rebooted. As I mentioned previously, I have also added IP range - as a trusted network. Also, the client’s own IP address is trusted as ‘local area network #1’.

I can connect to the domain controllers (there are two) using ping and net view when I am logged on locally, I can’t try this test when logged on the the domain because I can’t log on.



Check your Application rules and ensure you have Trusted Network (same as the global rules) applied to the system object not you will need to create these manually.

Depending upon your requirements, you will need to allow for communication on the following ports and protocols:

UDP 138
UDP 137
TCP 139

TCP 445

TCP 135

You may also need to allow for:

UDP 53

UDP 67/68


There may also be others but it really hinges on what additional connectivity you need.

In the firewall advanced settings change the slider to custom policy mode and set the alerts to very high.

Check the system and svchost entries in Application rules. Ensure the last rule in each is ASK and Log. Clear your log files and attempt a logon.

Now you can watch and answer the firewall prompts and inspect your log files for details of protocol and port requirments.

As I said in my first post, domain validation and service acquisition can be quite a complex task. It depends how much control you want.

[attachment deleted by admin]

Thanks for your suggestions. I have been running some tests, but still have the same problem. When I enter the username and password to log on, it takes about 45 minutes to log on. If I remove Comodo, the account logs on normally (less than a minute).

For System in Application Rules, I have allowed the Local area network #1, a trusted Zone containing IP addresses - I have also allowed any IP in/out with any port. Everything I have added is logging.

I added all the ports you suggested in Global Rules
Firewall is set to Custom Policy mode, and Alerts set to very high.

When I check the log files, nothing shows as blocked during log on.

When I check the event log, I see event id 1053 listed each time I attempt to log on.

Do you have any other suggestions?



[attachment deleted by admin]

Hi. Unfortunately I don’t have a Domain established at home at the moment, so I can’t do any testing. I’ll try and set something up tomorrow and see where it takes me.

Microsoft’s event ID’s are notoriously vague, so I’m not sure where that will take us, but by all means take a look at this and see if it helps:

I think we’ll have to clean up those rules of yousr before we do much else. I’ll try and post something tomorrow. In the mean time, if anyone else wants to join in, feel free :slight_smile:

I’ve been doing some more testing. With Comodo installed, the event log reports all these errors:

Event id 1054
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event id 15
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event id 4356
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{6295DF2D-35EE-11D1-8707-00C04FD93327}. CoGetObject returned HRESULT 8000401A.

Event id 1521
Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

DETAIL - The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

Event id 1053
Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.

I uninstalled Comodo, and Windows logged on without any of the above errors.

I also set up a new PC and a new user, and excluded both user and PC from any group policies.

I installed Comodo with the default settings. The new user was able to log on the first time, but after restart and logging in a second time, I had the same problem again. The attachment shows the application rules. Again I have the same error in event viewer: “Windows cannot obtain the domain controller name for your computer network”

[attachment deleted by admin]

I managed to get this working, after many hours of testing!

This is what did it:

Firewall > Advanced > Network Security Policy > Application Rules

Allow IP In from IP Domain_Controller_IP to IP Any where protocol is Any
Allow IP Out from IP Any to IP Domain_Controller_IP where protocol is Any

Firewall > Advanced > Attack Detection Settings > Miscellaneous
Remove tick from Block Fragmented IP Datagrams

With these options set in the local administrator account, a domain user can log on straight away. Other ports and protocols do need to be permitted, such as winlogon.exe and svchost.exe, but they can be approved via the alerts that pop up during log on. Without the above settings, domain users cannot log on.

Well done and thanks for the feed back. I haven’t had the time to get my domain completely organised. That’s good information :slight_smile: