Issues with Authenticating to My Domain via VPN

 
 
Techdewd49
Guest
Posts: n/a

 
      01-24-2008, 08:29 PM
The issue is that my 10+ remote users connect to my network via a Nortel
Contivity Client. The remote users are members of my Domain, but use cached
accounts to log on to their laptops since the Domain Controllers are not
available. Once logged on they connect to the Network via the VPN client.
They are connected to the network, but are not authenticated via the
DC/Domain. My question is, since they log on first, then connect to the
network, how can I make the remote machines authenticate to the domain after
logging on, using VPN software other than Microsoft and RAS? I have tried
to map drives using IP addresses, but the users are prompted for credentials
to access the mappings, and that session ends every time they log off. I
would like the remote users to be able to access everything they have
permissions to access as if they were connected locally. I've tried using
the LMHOSTS file to point to the DC and the TCP/IP Advanced setting to point
to the DNS server, but that doesn't seem to work to authenticate as if they
were local, and they would need to reload it after logon. Also, I want to
make this automated so the users don't have to run any special commands; they
just have to connect to the VPN and have everything at their fingertips.

 
Ace Fekay [MVP]
Guest
Posts: n/a

 
      01-25-2008, 04:03 AM


DNS is the answer to AD authentication, not LMHOSTS files, for that is for
NetBIOS authentication only, meaning legacy NT4. So the issue at hand depends
on how you have your VPN server set up. You implied a third party VPN. What
vendor? I've used Watchguard, Netscreen and Cisco PIX. I prefer the PIX
actually, but they all work.

Make sure it is handing out only the internal DNS in DHCP, whether you are
using the DHCP service on the VPN box or the internal DHCP server. I prefer
to use the internal DHCP server.
Make sure split-tunneling is enabled. This setting is also the same as
unchecking 'use remote gateway' in the Windows VPN client. This way when the
client wants to go to the internet while connected, all the traffic is going
thru the local gateway and not thru the company network.
Block NOTHING between the VPN client pool and the network.

While connected, run an nslookup. Which DNS server does it initialize with?

Post an ipconfig /all of a client before and while connected, please.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
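The checks Ace asks for above (which DNS server the tunnel adapter received, whether that server can locate the domain controllers, and whether the DC ports are reachable through the tunnel) gathered into one script. This is an added example, not code from the thread or from Nortel; it assumes a Windows 8/Server 2012 or later client with the NetAdapter, DnsClient and NetTCPIP modules, a placeholder AD DNS name `corp.example.com`, and a VPN adapter whose name or description contains `VPN`.

```powershell
# Added diagnostic (not from the thread). Run on a domain-joined laptop that is
# already connected to the VPN. Assumptions: Windows 8/2012+ PowerShell,
# placeholder domain 'corp.example.com', tunnel adapter name/description
# matching '*VPN*'. Adjust both values for your environment.
$domain     = 'corp.example.com'   # placeholder: your AD DNS domain name
$vpnPattern = '*VPN*'              # assumption: how the tunnel adapter is named

# 1. Which DNS servers did the tunnel adapter get? (the "ipconfig /all" question)
$vpnIf = Get-NetAdapter | Where-Object {
    $_.Name -like $vpnPattern -or $_.InterfaceDescription -like $vpnPattern } |
    Select-Object -First 1
if (-not $vpnIf) { Write-Warning "No adapter matching $vpnPattern; is the tunnel up?"; return }
$dns = (Get-DnsClientServerAddress -InterfaceIndex $vpnIf.ifIndex -AddressFamily IPv4).ServerAddresses
"VPN adapter '$($vpnIf.Name)' DNS servers: $($dns -join ', ')"
if (-not $dns) {
    Write-Warning 'Tunnel adapter has no DNS server: AD lookups will go to the ISP resolver.'
    return
}

# 2. Does that server know the domain's DCs? (the "nslookup" question)
#    Domain logon locates DCs through the _ldap._tcp.dc._msdcs SRV record,
#    which only the internal AD-integrated DNS can answer.
$srv  = "_ldap._tcp.dc._msdcs.$domain"
$recs = @()
try {
    $recs = @(Resolve-DnsName -Name $srv -Type SRV -Server $dns[0] -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' })
    foreach ($r in $recs) { "DC SRV: $($r.NameTarget):$($r.Port) (priority $($r.Priority))" }
} catch {
    Write-Warning "SRV lookup for $srv via $($dns[0]) failed: $($_.Exception.Message)"
    Write-Warning 'The VPN is not handing out the internal DNS, or it is unreachable through the tunnel.'
}

# 3. Are the ports a domain logon needs open from the client pool to the DCs?
#    (Kerberos 88, LDAP 389, SMB 445 -- "block NOTHING" between pool and network.)
foreach ($port in 88, 389, 445) {
    $t = Test-NetConnection -ComputerName $domain -Port $port -WarningAction SilentlyContinue
    $state = if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    "Port $port to ${domain}: $state"
}

# 4. Is the machine's secure channel to a DC intact? If this fails, cached
#    logons still work locally but no Kerberos tickets can be issued over the VPN.
$chk = @{ ErrorAction = 'SilentlyContinue' }
if ($recs.Count -gt 0) { $chk.Server = $recs[0].NameTarget }
$ok = Test-ComputerSecureChannel @chk
"Secure channel to domain: " + $(if ($ok) { 'OK' } else { 'BROKEN or DC unreachable' })
```

If step 2 returns nothing while step 1 shows an external resolver, the client is getting the wrong DNS from the VPN box, which is exactly the configuration problem Ace describes.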


 
Techdewd49
Guest
Posts: n/a

 
      01-29-2008, 02:46 PM
The third party VPN software is Nortel Contivity. I don't administer the
VPN Server, but the client options give me a place to input DNS Server info.
I've tried that and am able to ping my local DC and File Server by name. The
issue is when I try to access the File Server by name or IP I get prompted
for Credentials. When I do connect to the VPN Server, I get an IP address
that is local to the VPN Server, not my local domain.

As far as the IPCONFIG /all goes, I don't want to post that kind of info.

I can tell you that once connected via the VPN I'm assigned an IP that is
not within my DC/File Server Network. But, since I've put the DNS info into
the VPN client, the name does register with my DNS Server.


 
Bill Grant
Guest
Posts: n/a

 
      01-29-2008, 10:50 PM
I can't think of any reason why you would consider posting the results of
ipconfig any sort of risk, but that is your choice.

Making a VPN connection and logging in to a domain are two completely
separate operations. The username and password that are used to make the VPN
connection have nothing to do with the credentials used for file access. The
file access credentials are related to the username and password used when
you log on to the machine, not the ones you use to make the VPN connection.
This is quite different from the LAN situation, where the initial logon is
usually a domain login.

When a user starts up a machine, he logs into either the local machine
or to the local domain controller. If he then makes a VPN connection to a
remote site it does not change these credentials.




 
Ace Fekay [MVP]
Guest
Posts: n/a

 
      01-30-2008, 05:15 AM

I agree with Bill on everything, from what account is being logged on to
the local machine as well as including the ipconfigs, especially with
private IPs, but then again that's your choice. We were trying to get a feel
for the machine's network config, gateway, even the Primary DNS Suffix, etc.
Too much to explain about the Primary DNS suffix. It's an AD thing. I don't
even know if you set the client to use the local gate or remote gate, but
that may or may not apply here.

By stating that you couldn't ping the DC by FQDN, and that you don't
administer the VPN server, as well as having to manually enter the DNS
server addresses in the client, it obviously sounds like the wrong IP
configuration is being handed to the client from the Nortel box.

As for logging on before the connection is established, the VPN client
should have an option to connect BEFORE you logon, i.e., in the Windows
logon box, there should be an option to connect using the Nortel client
BEFORE logging in. If it doesn't have that integration into Windows, then I
would extremely seriously consider another solution.

You also have to work with your infrastructure group to work out issues like
this, especially if they're the ones administering the appliance.

Ace





 