File sharing between domains across site-to-site VPN

 
 
pk
Guest
Posts: n/a

 
      04-11-2008, 09:12 PM
We have two domains, DOMAIN1 and DOMAIN2. They each have their own
firewall and there is a persistent VPN tunnel setup between the two.
All traffic is allowed between the firewall and I've checked the logs
to make sure that the issue isn't with the firewall. Going from
DOMAIN2 to DOMAIN1 the shares work perfectly. All users (which is
what we want) can access any UNC path share in DOMAIN1 by logging in
with their DOMAIN1 user account. Going the other way, DOMAIN1 to
DOMAIN2 isn't working entirely. I can access any UNC path share in
DOMAIN2 from DOMAIN1 using my DOMAIN2 account, but that's only because
it's a domain administrator. Any of my users that try to access
DOMAIN2 resources from a DOMAIN1 machine are denied. What is the
issue here? It's not an individual computer issue since my account
will work when theirs doesn't on the exact same machine and the exact
same share. I see a lot of Event ID: 529's in the log.

Any ideas?
 
Reply With Quote
 
 
 
 
Bill Grant
Guest
Posts: n/a

 
      04-12-2008, 12:37 AM
The only traffic you need to allow through the firewall is the VPN
traffic. The firewall sees only the PPTP or IPSec header. The "real" packet
is just the payload and is encrypted, and cannot be examined by the firewall.
You should not have the file sharing ports open on the firewall.

Have you set up a trust between the two domains? Credentials which are
valid in one domain do not automatically work in another unless there is a
domain trust.

"pk" <(E-Mail Removed)> wrote in message
news:3a6bffe2-4b35-44e2-850d-(E-Mail Removed)...
> We have two domains, DOMAIN1 and DOMAIN2. They each have their own
> firewall and there is a persistent VPN tunnel setup between the two.
> All traffic is allowed between the firewall and I've checked the logs
> to make sure that the issue isn't with the firewall. Going from
> DOMAIN2 to DOMAIN1 the shares work perfectly. All users (which is
> what we want) can access any UNC path share in DOMAIN1 by logging in
> with their DOMAIN1 user account. Going the other way, DOMAIN1 to
> DOMAIN2 isn't working entirely. I can access any UNC path share in
> DOMAIN2 from DOMAIN1 using my DOMAIN2 account, but that's only because
> it's a domain administrator. Any of my users that try to access
> DOMAIN2 resources from a DOMAIN1 machine are denied. What is the
> issue here? It's not an individual computer issue since my account
> will work when theirs doesn't on the exact same machine and the exact
> same share. I see a lot of Event ID: 529's in the log.
>
> Any ideas?


 
Reply With Quote
 
pk
Guest
Posts: n/a

 
      04-28-2008, 01:04 PM
There is no trust setup between the domains.

When accessing a remote domain, I use the credentials of the domain
I'm accessing. For instance, if I'm in DOMAIN1 and accessing a
machine in DOMAIN2, I'll type in the UNC path of the machine in
DOMAIN2 and an authentication box will come up. I enter
"DOMAIN2\FakeUser" for the user and this process works if
"DOMAIN2\FakeUser" is a domain administrator in DOMAIN2, but not if he
is anything less than that.

On Apr 11, 7:37 pm, "Bill Grant" <gran...@aliencamel.com> wrote:
> The only traffic you need to allow through the firewall is the VPN
> traffic. The firewall sees only the PPTP or IPSec header. The "real" packet
> is just the payload and is encrypted, and cannot be examined by the firewall.
> You should not have the file sharing ports open on the firewall.
>
> Have you set up a trust between the two domains? Credentials which are
> valid in one domain do not automatically work in another unless there is a domain trust.
>
> "pk" <philip.kl...@gmail.com> wrote in message
>
> news:3a6bffe2-4b35-44e2-850d-(E-Mail Removed)...
>
> > We have two domains, DOMAIN1 and DOMAIN2. They each have their own
> > firewall and there is a persistent VPN tunnel setup between the two.
> > All traffic is allowed between the firewall and I've checked the logs
> > to make sure that the issue isn't with the firewall. Going from
> > DOMAIN2 to DOMAIN1 the shares work perfectly. All users (which is
> > what we want) can access any UNC path share in DOMAIN1 by logging in
> > with their DOMAIN1 user account. Going the other way, DOMAIN1 to
> > DOMAIN2 isn't working entirely. I can access any UNC path share in
> > DOMAIN2 from DOMAIN1 using my DOMAIN2 account, but that's only because
> > it's a domain administrator. Any of my users that try to access
> > DOMAIN2 resources from a DOMAIN1 machine are denied. What is the
> > issue here? It's not an individual computer issue since my account
> > will work when theirs doesn't on the exact same machine and the exact
> > same share. I see a lot of Event ID: 529's in the log.
> >
> > Any ideas?


 
Reply With Quote
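One way to triage the Event ID 529 entries mentioned in this thread is to group them by the domain and account that were actually presented to the DOMAIN2 server. This is an added example, not code from any poster; the event description layout is assumed to follow the Windows 2000/2003 form of event 529, and the users, workstation name and events are constructed.

```python
import re
from collections import Counter

# Assumed layout of a Windows 2000/2003 Event ID 529 description.
TEMPLATE = (
    "Logon Failure:\n"
    "\tReason:\t\tUnknown user name or bad password\n"
    "\tUser Name:\t{user}\n"
    "\tDomain:\t\t{domain}\n"
    "\tLogon Type:\t3\n"
    "\tLogon Process:\tNtLmSsp\n"
    "\tAuthentication Package:\tNTLM\n"
    "\tWorkstation Name:\t{ws}\n"
)

# Constructed sample events (invented users and workstations), as they might
# appear in the Security log of a DOMAIN2 file server.
SAMPLE_EVENTS = [
    TEMPLATE.format(user="jsmith", domain="DOMAIN1", ws="D1-PC07"),
    TEMPLATE.format(user="jsmith", domain="DOMAIN1", ws="D1-PC07"),
    TEMPLATE.format(user="FakeUser", domain="DOMAIN2", ws="D1-PC07"),
]

FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def parse_529(message):
    """Return the 'Name: value' fields of one event description as a dict."""
    return {name.strip(): value for name, value in FIELD_RE.findall(message) if value}


def triage(messages, server_domain):
    """Count failures per (domain, user, logon type); tally non-local domains."""
    per_account, foreign = Counter(), Counter()
    for message in messages:
        f = parse_529(message)
        key = (f.get("Domain", "").upper(),
               f.get("User Name", "").lower(),
               f.get("Logon Type", "?"))
        per_account[key] += 1
        if key[0] != server_domain.upper():
            foreign[key[0]] += 1
    return per_account, foreign


if __name__ == "__main__":
    accounts, foreign = triage(SAMPLE_EVENTS, "DOMAIN2")
    for (domain, user, ltype), n in accounts.most_common():
        print(f"{n:3d}  {domain}\\{user}  logon type {ltype}")
    print("failures carrying another domain's name:", dict(foreign))
```

Logon type 3 is a network logon, which is what a UNC share access produces. Failures recorded with a DOMAIN1 name on a DOMAIN2 server mean a DOMAIN1 credential was presented, which cannot validate there without the trust discussed above.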