Windows Authentication behaves oddly when VPN'd


Solution 1

I was also having this same issue and found the solution here:

http://social.technet.microsoft.com/forums/en-US/itprovistanetworking/thread/275599f0-6239-46a5-8245-50a5c13a2713/

You'll need to locate your VPN connection's .pbk file.

You can find it here:

C:\Users\{WindowsLogin}\AppData\Roaming\Microsoft\Network\Connections\Pbk

Or if you have it set to allow all users to use the connection, you can find it here:

C:\ProgramData\Microsoft\Network\Connections\Pbk

Edit it with a text editor and find the line that says:

UseRasCredentials=1

Disable it by setting it to 0

UseRasCredentials=0
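
A way to apply that edit from PowerShell, added here as an example and not part of the original answer: it looks in both Pbk folders listed above, rewrites only the UseRasCredentials line under the named connection's [section], and backs the file up first. It assumes the VPN is disconnected while you edit, and $ConnectionName is a placeholder for the connection's entry name.

```powershell
# Added example (not from the original answer): flip UseRasCredentials for one
# named connection in both phonebook locations named above. $ConnectionName is
# a placeholder for the entry name shown in the [Section] header of the .pbk.
param([Parameter(Mandatory)][string]$ConnectionName)

function Get-PbkEncoding([string]$Path) {
    # Preserve the file's existing encoding: UTF-16 LE or UTF-8 if a BOM is
    # present, otherwise the system ANSI code page (Encoding.Default).
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xFE) { return [System.Text.Encoding]::Unicode }
    if ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF) { return [System.Text.Encoding]::UTF8 }
    return [System.Text.Encoding]::Default
}

function Set-UseRasCredentials {
    param([string]$Path, [string]$Connection, [string]$Value = '0')
    $enc   = Get-PbkEncoding $Path
    $lines = [System.IO.File]::ReadAllLines($Path, $enc)
    $inTarget = $false
    $changed  = 0
    for ($i = 0; $i -lt $lines.Count; $i++) {
        # .pbk is INI-style: [Entry Name] headers followed by Key=Value lines.
        if ($lines[$i] -match '^\[(.+)\]\s*$') {
            $inTarget = ($Matches[1] -eq $Connection)
            continue
        }
        if ($inTarget -and $lines[$i] -match '^UseRasCredentials=') {
            $lines[$i] = "UseRasCredentials=$Value"
            $changed++
        }
    }
    if ($changed -gt 0) {
        Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a backup
        [System.IO.File]::WriteAllLines($Path, $lines, $enc)
    }
    return $changed
}

# Per-user phonebook, then the all-users one (the latter needs an elevated shell to write).
$pbkDirs = @("$env:APPDATA\Microsoft\Network\Connections\Pbk",
             "$env:ProgramData\Microsoft\Network\Connections\Pbk")
foreach ($dir in $pbkDirs) {
    Get-ChildItem -Path $dir -Filter '*.pbk' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $n = Set-UseRasCredentials -Path $_.FullName -Connection $ConnectionName
        Write-Host ("{0}: {1} UseRasCredentials line(s) set to 0" -f $_.FullName, $n)
    }
}
```

A result of 0 for a file means the connection's section exists without that key, or the name did not match the [section] header exactly, so check the file by hand in that case.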

Solution 2

We use Cisco VPN software for some off-site users. The VPN software prompts for credentials, which are checked against Active Directory to ensure the username/password are correct and the user has rights to log on via VPN. But a successful authentication only establishes a connection to the network. Access to network resources relies on the authentication you provided to the workstation when you logged on.

This became an issue for us because users would log on to the laptop with cached credentials, establish a VPN connection, then change their password. They would then lock out their domain accounts because their user token had their old credentials. We have since advised these users to lock and unlock their workstation after changing their password while the VPN tunnel is established. This updates the user token and lets them access network resources using the updated credentials.


Author: tree

Updated on September 17, 2022

Comments

  • tree
    tree over 1 year

    We've got a few apps that rely on Windows authentication - a couple of web apps with AD auth turned on, and we usually connect to our SQL servers with Windows auth. This normally runs without a hitch. It doesn't work so well if we're VPN'd to a client site, though.


    SSMS

    Opening SSMS normally from the start menu, then picking a server that normally accepts Windows auth, results in a message saying:

    Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. (.Net SqlClient Data Provider)

    If I drop to a command prompt and use runas /user:domain\user to launch SSMS, I can successfully Windows auth to our SQL server instances with that SSMS process.

    If I look in task manager, both copies of ssms.exe (start menu vs runas) have the same user, and I can see no discernible differences between the processes in procexp.

    AD Auth websites

    If I open IE and browse to any of our websites that require an authenticated Windows user, I get the "who are you" prompt, and that dialog thinks I'm whoever the VPN user is. I can click "Use another account" and authenticate that way, though.

    Outlook

    Even Outlook prompts for a username when we are VPN'd!


    It's affecting our Win7 and Vista machines. It's been a while since we had an XP box, but I don't recall having this issue on XP for what it's worth.

    The VPN connections are just using the built-in Windows VPN connections; they're not fancy Cisco VPNs or anything of that nature.

    Does anyone know how to tell Windows that I'd like to be my normal old primary domain user rather than the VPN user when authenticating to resources in our domain? Heck, I'd be happy with a solution that prompted me with the "who are you" if I was trying to access resources requiring Windows auth on the client's VPN.

    Thanks!

    Apologies if this is more a superuser question, I wasn't sure which site it best suited. It's about networking and infrastructure and plagues all of our developers here, so I hope it's a serverfault Q.

    • Jack B Nimble
      Jack B Nimble over 14 years
      Are you using Windows authentication when you connect to your VPN server? I.e., the VPN server uses AD or Windows authentication.
    • tree
      tree over 14 years
      Erm, I think so. I believe the username+password we put in when we connect to clients' VPN servers is an AD username for their network. I hope that helps :-)
  • LucasS
    LucasS about 11 years
    NICE! Worked first time!