Connecting PPTP VPN causes authentication failures on local resources

Hello All,

We are having a lot of problems with Windows 7 (and previously Vista)
while a PPTP vpn is connected.

I have noticed a lot of issues posted to other discussion groups
regarding the same problem, but nobody has a solution.
http://www.techsupportforum.com/netw...connected.html


We are running an Active Directory Domain, and have mapped network
drives to our local resources. We support a lot of clients, and have to
VPN to their network. When this VPN is connected, it appears to start
trying to use the VPN credentials to access our local resources (rather
than the logged on user) - making them unusable!

I have tried mapping the network drives to the local resources and
specifying a password, but this does not work. (well it does, but the
next time a VPN is connected it is broken again)

We are mapping drives using the netbios name.

Can sombody a Microsoft please confirm this is a bug - or provide us
with a fix?

Thanks for the help.

Perhaps, the TCP/IPv4 is not enabled on the VPN connection or a Domain Name
System (DNS) suffix cannot be obtained for the TCP/IPv4 address. Please
check the "Can't access domain resource when establishing a VPN from Vista"
in this page.


Vista VPN IssuesFeb 8, 2007 ... Can establish VPN using XP but Vista · Can't
access domain resource when establishing a VPN from Vista · Can't access
Vista VPN resource by ...
www.chicagotech.net/vista/vistavpn.htm


--
Bob Lin, Microsoft-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


"Graham" <> wrote in message
news:...
> Hello All,
>
> We are having a lot of problems with Windows 7 (and previously Vista)
> while a PPTP vpn is connected.
>
> I have noticed a lot of issues posted to other discussion groups regarding
> the same problem, but nobody has a solution.
> http://www.techsupportforum.com/netw...connected.html
>
>
> We are running an Active Directory Domain, and have mapped network drives
> to our local resources. We support a lot of clients, and have to VPN to
> their network. When this VPN is connected, it appears to start trying to
> use the VPN credentials to access our local resources (rather than the
> logged on user) - making them unusable!
>
> I have tried mapping the network drives to the local resources and
> specifying a password, but this does not work. (well it does, but the next
> time a VPN is connected it is broken again)
>
> We are mapping drives using the netbios name.
>
> Can sombody a Microsoft please confirm this is a bug - or provide us with
> a fix?
>
> Thanks for the help.

Bob,

Thanks for the reply - access the resources on the other end of the VPN
is fine. It is my local resources that cannot be accessed if I connect a
VPN that uses different credentials to my local domain account. this is
not a DNS issue as i can still ping the server,etc.

Thanks
Graham


Bob Lin (MS-MVP) wrote:
> Perhaps, the TCP/IPv4 is not enabled on the VPN connection or a Domain
> Name System (DNS) suffix cannot be obtained for the TCP/IPv4 address.
> Please check the "Can't access domain resource when establishing a VPN
> from Vista" in this page.
>
>
> Vista VPN IssuesFeb 8, 2007 ... Can establish VPN using XP but Vista ·
> Can't access domain resource when establishing a VPN from Vista · Can't
> access Vista VPN resource by ...
> www.chicagotech.net/vista/vistavpn.htm
>
>

In this case, do a simple test. can you access local resources using a local
administrator account?

--
Bob Lin, Microsoft-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


"Graham" <> wrote in message
news:%...
> Bob,
>
> Thanks for the reply - access the resources on the other end of the VPN is
> fine. It is my local resources that cannot be accessed if I connect a VPN
> that uses different credentials to my local domain account. this is not a
> DNS issue as i can still ping the server,etc.
>
> Thanks
> Graham
>
>
> Bob Lin (MS-MVP) wrote:
>> Perhaps, the TCP/IPv4 is not enabled on the VPN connection or a Domain
>> Name System (DNS) suffix cannot be obtained for the TCP/IPv4 address.
>> Please check the "Can't access domain resource when establishing a VPN
>> from Vista" in this page.
>>
>>
>> Vista VPN IssuesFeb 8, 2007 ... Can establish VPN using XP but Vista ·
>> Can't access domain resource when establishing a VPN from Vista · Can't
>> access Vista VPN resource by ...
>> www.chicagotech.net/vista/vistavpn.htm
>>

Hello,

This is not an issue with the connectivity - it is an authentication
problem. When i connect a VPN with credentials other than my own, it
does not allow access to mapped network drives.



Bill Kearney wrote:
> You do have the default gateway turned off over the VPN, correct?
>
> When you have the machine running and NOT connected to the VPN, do a
> 'route print' command.
>
> Then run the same 'route print' command after making the VPN connection.
>
> Also check the results of an 'ipconfig /all' for each connection.
>
> Post the results here.
>
> -Bill Kearney
>
>
> "Graham" <> wrote in message
> news:...
>> Hello All,
>>
>> We are having a lot of problems with Windows 7 (and previously Vista)
>> while a PPTP vpn is connected.
>>
>> I have noticed a lot of issues posted to other discussion groups
>> regarding the same problem, but nobody has a solution.
>> http://www.techsupportforum.com/netw...connected.html
>>
>>
>>
>> We are running an Active Directory Domain, and have mapped network
>> drives to our local resources. We support a lot of clients, and have
>> to VPN to their network. When this VPN is connected, it appears to
>> start trying to use the VPN credentials to access our local resources
>> (rather than the logged on user) - making them unusable!
>>
>> I have tried mapping the network drives to the local resources and
>> specifying a password, but this does not work. (well it does, but the
>> next time a VPN is connected it is broken again)
>>
>> We are mapping drives using the netbios name.
>>
>> Can sombody a Microsoft please confirm this is a bug - or provide us
>> with a fix?
>>
>> Thanks for the help.
>

Hi Bob,

Yes this will work, because if I disconnect my mapped drive then
reconnect it, specifying alternative credentials - in this case I use my
own), it does work. (Until i connect another VPN!)

Regards
Graham


Bob Lin (MS-MVP) wrote:
> In this case, do a simple test. can you access local resources using a
> local administrator account?
>

I'm having the exact same problem, -- no it isn't a default route issue. I
have default gateway turned off on the VPN connection, my default gateway
doesn't change when I VPN in.

When establishing a VPN connection to another Windows domain network, you
lose access (not connectivity) to your own network this is usually not
immediate, I've seen it happen up to 9 hours later if you remain VPN'd in.

I know when it happens even if I'm away from my PC because our office
intrusion detection system starts lighting up -- The local domain controllers
report 4 unsucessful login attempts every 10 minutes (security log event ID
529 Login Failure: Unknown user name or bad password. In the description it
shows that the local is trying to pass the VPN credentials to the local
domain controller instead of remembering to send the local domain credentials.

As Graham has stated -- this is NOT a routing issue, I don't even think it's
a DNS issue since the PC knows which domain controller to send the
authentication request to, it just sends the VPN credentials instead of the
local domain credentials.

After disconnecting the VPN session, the PC is able to sucessfully
authenticate without further intervention (you don't need to re-enter your
credentials, log off, or disconnect/reconnect your mapped drives.

Craig

"Bill Kearney" wrote:

> > This is not an issue with the connectivity - it is an authentication
> > problem.
>
> You did not answer my questions. Do that. Did you think I was posting just
> to see my text?
>
> Connectivity, specifically THE IP ROUTING is absolutely relative.
>
>
> .
>

"Craig" wrote:

> I'm having the exact same problem, -- no it isn't a default route issue. I
> have default gateway turned off on the VPN connection, my default gateway
> doesn't change when I VPN in.
>
> When establishing a VPN connection to another Windows domain network, you
> lose access (not connectivity) to your own network this is usually not
> immediate, I've seen it happen up to 9 hours later if you remain VPN'd in.
>
> I know when it happens even if I'm away from my PC because our office
> intrusion detection system starts lighting up -- The local domain controllers
> report 4 unsucessful login attempts every 10 minutes (security log event ID
> 529 Login Failure: Unknown user name or bad password. In the description it
> shows that the local is trying to pass the VPN credentials to the local
> domain controller instead of remembering to send the local domain credentials.
>
> As Graham has stated -- this is NOT a routing issue, I don't even think it's
> a DNS issue since the PC knows which domain controller to send the
> authentication request to, it just sends the VPN credentials instead of the
> local domain credentials.
>
> After disconnecting the VPN session, the PC is able to sucessfully
> authenticate without further intervention (you don't need to re-enter your
> credentials, log off, or disconnect/reconnect your mapped drives.
>
> Craig


Yes, I am having the same issue. I have a windows 7 pro machine connected
to a local Windows Server 2008 R2 domain. As soon as I make a vpn connection
from the windows 7 machine to a remote domain (using different credentials
than my local logon), all attempts to access local resources are made using
the credentials associated with the vpn, rather than the default, local,
logon credentials.

In other words, my local credentials are [domain1\user1, password1] and
access to local resources in domain1 are just fine. However if I establish a
vpn with credentials [vpndomain\vpnuser, vpnpassword], then those vpn
credentials are used for local access attempts until the vpn is torn down (or
unless I explicitly use my local credentials in local access attempts).

http://www.conetrix.com/Blog/post/De...-in-Vista.aspx talks about the issue.

The clearest discussion of the issue is at
http://bink.nu/forums/p/9533/17018.aspx

This is a change in behavior for Windows 7 and Vista over XP. XP would pass
the VPN credentials to SMB authentication only to machines over the VPN.
Windows 7/Vista will use the VPN credentials for all SMB authentication
requests, both local requests and for machines over the VPN.

This behavior seems somewhat counter-intuitive.

Suggested work-arounds (with limitations) include
1) using fully qualified domain names for access to local resources
or
2) "cmdkey /delete /ras" from a command prompt.

Ok, one other work-around is to disable the use of VPN credentials on the
"phonebook" entry for the VPN. This will prevent the credential manager from
storing the credentials used for the VPN, and thus when an ambiguous
resources (non-fully qualified domain name) asks for credentials, instead of
supplying the VPN credentials (which are not stored), the local credentials
will be used.

See:
https://www.conetrix.com/Blog/post/A....aspx#continue