Connecting PPTP VPN causes authentication failures on local resources

Discussion in 'Server Networking' started by Graham, Nov 27, 2009.

  1. Graham

    Graham Guest

    Hello All,

    We are having a lot of problems with Windows 7 (and previously Vista)
    while a PPTP vpn is connected.

    I have noticed a lot of issues posted to other discussion groups
    regarding the same problem, but nobody has a solution.
    http://www.techsupportforum.com/net...annot-access-local-network-vpn-connected.html


    We are running an Active Directory Domain, and have mapped network
    drives to our local resources. We support a lot of clients, and have to
    VPN to their network. When this VPN is connected, it appears to start
    trying to use the VPN credentials to access our local resources (rather
    than the logged on user) - making them unusable!

    I have tried mapping the network drives to the local resources and
    specifying a password, but this does not work. (well it does, but the
    next time a VPN is connected it is broken again)

    We are mapping drives using the netbios name.

    Can somebody at Microsoft please confirm this is a bug - or provide us
    with a fix?

    Thanks for the help.
     
    Graham, Nov 27, 2009
    #1

  2. Perhaps, the TCP/IPv4 is not enabled on the VPN connection or a Domain Name
    System (DNS) suffix cannot be obtained for the TCP/IPv4 address. Please
    check the "Can't access domain resource when establishing a VPN from Vista"
    in this page.


    Vista VPN Issues, Feb 8, 2007 ... Can establish VPN using XP but Vista · Can't
    access domain resource when establishing a VPN from Vista · Can't access
    Vista VPN resource by ...
    www.chicagotech.net/vista/vistavpn.htm


    --
    Bob Lin, Microsoft-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com
     
    Bob Lin (MS-MVP), Nov 27, 2009
    #2

  3. Graham

    Graham Guest

    Bob,

    Thanks for the reply - access to the resources on the other end of the VPN
    is fine. It is my local resources that cannot be accessed if I connect a
    VPN that uses different credentials to my local domain account. This is
    not a DNS issue as I can still ping the server, etc.

    Thanks
    Graham
     
    Graham, Nov 27, 2009
    #3
  4. In this case, do a simple test. Can you access local resources using a local
    administrator account?

    --
    Bob Lin, Microsoft-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com
     
    Bob Lin (MS-MVP), Nov 27, 2009
    #4
  5. Graham

    Graham Guest

    Hello,

    This is not an issue with the connectivity - it is an authentication
    problem. When I connect a VPN with credentials other than my own, it
    does not allow access to mapped network drives.
     
    Graham, Nov 30, 2009
    #5
  6. Graham

    Graham Guest

    Hi Bob,

    Yes, this will work, because if I disconnect my mapped drive then
    reconnect it, specifying alternative credentials (in this case I use my
    own), it does work. (Until I connect another VPN!)

    Regards
    Graham
     
    Graham, Nov 30, 2009
    #6
  7. Craig

    Craig Guest

    I'm having the exact same problem, -- no it isn't a default route issue. I
    have default gateway turned off on the VPN connection, my default gateway
    doesn't change when I VPN in.

    When establishing a VPN connection to another Windows domain network, you
    lose access (not connectivity) to your own network. This is usually not
    immediate; I've seen it happen up to 9 hours later if you remain VPN'd in.

    I know when it happens even if I'm away from my PC because our office
    intrusion detection system starts lighting up -- The local domain controllers
    report 4 unsuccessful login attempts every 10 minutes (security log event ID
    529, Login Failure: Unknown user name or bad password). In the description it
    shows that the local is trying to pass the VPN credentials to the local
    domain controller instead of remembering to send the local domain credentials.

    As Graham has stated -- this is NOT a routing issue, I don't even think it's
    a DNS issue since the PC knows which domain controller to send the
    authentication request to, it just sends the VPN credentials instead of the
    local domain credentials.

    After disconnecting the VPN session, the PC is able to successfully
    authenticate without further intervention (you don't need to re-enter your
    credentials, log off, or disconnect/reconnect your mapped drives).

    Craig
     
    Craig, Dec 15, 2009
    #7
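
The pattern Craig describes (one workstation repeatedly failing logon against the local domain controller with an account from another domain) can be separated from ordinary bad-password noise by grouping failures per workstation and account. This is an added example, not part of the thread; the record fields, host names and sample events are constructed, and in practice the records would be exported from the DC's Security log.

```powershell
function Find-ForeignCredentialReplay {
    param(
        [Parameter(Mandatory)] [object[]] $Events,      # records with TimeCreated, EventId, UserName, Domain, Workstation
        [Parameter(Mandatory)] [string]   $LocalDomain, # NetBIOS name of the local AD domain
        # 529 is the ID quoted in the post; 4625 is the logon-failure ID on Vista/Server 2008 and later.
        [int[]] $EventIds   = @(529, 4625),
        [int]   $MinRepeats = 3
    )
    $Events |
        Where-Object { $_.EventId -in $EventIds -and $_.Domain -ne $LocalDomain } |
        Group-Object Workstation, Domain, UserName |
        Where-Object Count -ge $MinRepeats |
        ForEach-Object {
            $times = @($_.Group.TimeCreated | Sort-Object)
            [pscustomobject]@{
                Workstation = $_.Group[0].Workstation
                Account     = '{0}\{1}' -f $_.Group[0].Domain, $_.Group[0].UserName
                Failures    = $_.Count
                First       = $times[0]
                Last        = $times[-1]
            }
        }
}

# Constructed sample: WS-CRAIG presents VPNDOMAIN\vpnuser every 10 minutes,
# WS-OTHER has a single ordinary mistyped password for a local-domain account.
$t0 = [datetime]'2009-12-15T09:00:00'
$sampleEvents = @(
    0, 10, 20, 30 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddMinutes($_); EventId = 529
                           UserName = 'vpnuser'; Domain = 'VPNDOMAIN'; Workstation = 'WS-CRAIG' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5); EventId = 529
                       UserName = 'user1'; Domain = 'DOMAIN1'; Workstation = 'WS-OTHER' }
)

# Only the WS-CRAIG / VPNDOMAIN\vpnuser group is reported.
Find-ForeignCredentialReplay -Events $sampleEvents -LocalDomain 'DOMAIN1' | Format-Table -AutoSize
```

A hit that names a single internal workstation and a single foreign-domain account points at the behaviour discussed in this thread rather than at password guessing, which typically spreads across many account names.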

  8. Yes, I am having the same issue. I have a Windows 7 Pro machine connected
    to a local Windows Server 2008 R2 domain. As soon as I make a vpn connection
    from the Windows 7 machine to a remote domain (using different credentials
    than my local logon), all attempts to access local resources are made using
    the credentials associated with the vpn, rather than the default, local,
    logon credentials.

    In other words, my local credentials are [domain1\user1, password1] and
    access to local resources in domain1 is just fine. However if I establish a
    vpn with credentials [vpndomain\vpnuser, vpnpassword], then those vpn
    credentials are used for local access attempts until the vpn is torn down (or
    unless I explicitly use my local credentials in local access attempts).

    http://www.conetrix.com/Blog/post/D...o-Preserve-Local-Authentication-in-Vista.aspx talks about the issue.
     
    big joe smith, Jan 1, 2010
    #8
  9. The clearest discussion of the issue is at
    http://bink.nu/forums/p/9533/17018.aspx

    This is a change in behavior for Windows 7 and Vista over XP. XP would pass
    the VPN credentials to SMB authentication only to machines over the VPN.
    Windows 7/Vista will use the VPN credentials for all SMB authentication
    requests, both local requests and for machines over the VPN.

    This behavior seems somewhat counter-intuitive.

    Suggested work-arounds (with limitations) include
    1) using fully qualified domain names for access to local resources
    or
    2) "cmdkey /delete /ras" from a command prompt.
     
    big joe smith, Jan 2, 2010
    #9
  10. Ok, one other work-around is to disable the use of VPN credentials on the
    "phonebook" entry for the VPN. This will prevent the credential manager from
    storing the credentials used for the VPN, and thus when an ambiguous
    resource (non-fully qualified domain name) asks for credentials, instead of
    supplying the VPN credentials (which are not stored), the local credentials
    will be used.

    See:
    https://www.conetrix.com/Blog/post/Access-Domain-Resources-When-Connected-to-VPN.aspx#continue
     
    big joe smith, Jan 2, 2010
    #10
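
The phonebook work-around from post #10, as an added example that is not part of the thread. It assumes the setting in question is the `UseRasCredentials` key of the INI-style `rasphone.pbk` file (the thread does not name the key); the sample phonebook, entry names and host names are constructed.

```powershell
# Report which phonebook entries store VPN credentials, and optionally turn that off.
function Set-PbkRasCredentialUse {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,  # phonebook content, one element per line
        [switch] $Fix                              # rewrite UseRasCredentials=1 to 0
    )
    $entry  = $null
    $report = @()
    $out = foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            $entry = $Matches[1]                   # start of a new [EntryName] section
        }
        elseif ($entry -and $line -match '^UseRasCredentials=(\d+)\s*$') {
            $stores  = $Matches[1] -ne '0'
            $report += [pscustomobject]@{ Entry = $entry; StoresVpnCredentials = $stores }
            if ($Fix -and $stores) { $line = 'UseRasCredentials=0' }
        }
        $line                                      # emit the (possibly rewritten) line
    }
    [pscustomobject]@{ Report = $report; Lines = @($out) }
}

# Constructed sample phonebook with two entries.
$sample = @'
[ClientA-PPTP]
Encoding=1
UseRasCredentials=1
PhoneNumber=vpn.clienta.example

[ClientB-PPTP]
Encoding=1
UseRasCredentials=0
PhoneNumber=vpn.clientb.example
'@ -split "`r?`n"

$result = Set-PbkRasCredentialUse -Lines $sample -Fix
$result.Report | Format-Table -AutoSize           # state before the fix, per entry
$result.Lines  | Select-String 'UseRasCredentials' # both entries now read =0

# On a real machine, process the per-user phonebook instead of $sample:
#   $pbk = "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk"
#   (Set-PbkRasCredentialUse -Lines (Get-Content $pbk) -Fix).Lines | Set-Content $pbk
```

Credentials already stored by a connected session are removed with the `cmdkey /delete /ras` command from post #9.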