
Domain logon on VPN


Buggeroo

Technical User
Apr 5, 2001
DK
I have been trying for some time to get VPN up and running at work with a 3Com Superstack 3 firewall (which has built-in VPN support). The problem has been with domain accounts not being able to properly authenticate while connected to the VPN. I have set up WINS and IAS on the W2k server I want people to be able to connect to (it has all the file shares and so on) and configured the firewall to use RADIUS. The problem is the "There are no logon servers available to service the logon request" error message. Although if I do a "net use \\<servername> <password>" I can connect to the shares fine. It is not a "true" domain logon, but if I could just get it to do this automatically it would be a step in the right direction. Oh, BTW the clients are W2k Pro and connecting with the Safenet/Soft-PK VPN client.

Sure hope someone can help.
 
Buggeroo, is it possible for your clients to join the domain? I have mine set up like this and it works fine, but my machine is simply a home desktop so I don't have to worry about conflicting domains and whatnot. Matt Wray
CCNA, MCP
mwray77518@yahoo.com
 
The problem is that people with laptops must be able to connect to the office network when not there, while at the same time being able to log on to the domain when they are at the office.

The problem is that when logging on to windows with the domain account it cannot find the PDC, as the VPN is not connected yet, and so you log on with the cached credentials and the PDC won't authenticate you (apparently). It must be possible to solve this as I am hardly the only one who has encountered this situation :)
 
Has anyone provided you with an answer to this thorny problem yet?
I am in exactly the same position - supporting remote users and using vpn to get into network. Works fine until I try to map a drive or access mapped drives.

if you have the solution I would be very grateful to receive it.

Thanks

 
Ronnieppsi,

I'm also having the exact same problem. I have a Win2k Server at work that I'm trying to VPN into from a dial-up account on a Win98SE laptop. I'm using a 3Com Internet Firewall, along with the SafeNet client software on the laptop. I set up the firewall to accept a general incoming VPN connection (i.e. no specified destination network), and I can create the VPN tunnel, but from there, I still can't access anything on our network. It's like the tunnel is closed at the network end...

If you have any ideas let us know.

-Lawrence <<<<[flux]>>>>
 
This is exactly the problem I'm having, too.

I've been able to make it work (sort of), by specifying the IP of my WINS server in the original connection to the internet.

The cached logon occurs and then I setup the VPN and ping away. I *can* connect to the server (I have Client for Microsoft Networks enabled in the original connection, too) and see shares, etc. But it's SLOOOOOOOWW. Unusably slow.

I've started thinking that maybe there's just a truckload of traffic that's going on between the DC and the workstation (the computer has to authenticate, the user has to, time has to be synchronized, etc, etc). Could it be that there's just a LOT of traffic that has to go back and forth?

Or are we all missing something?

Also, I've noticed that I do NOT get a "local" address when connected through the tunnel. I'm still connecting with my ISP-provided IP address. In other words, my local subnet has addresses like 192.168.128.x and I connect to the local subnet with an address like 64.23.122.x. Could the DC not like that?
 
Sounds like the problem is that you need to edit your LMHOSTS file. TimRaines was on the right track. Since Windows loves to use NetBIOS, you need to add lines in your LMHOSTS file like this:

10.0.0.3 ACME_PDC #PRE #DOM:ACME
10.0.0.4 ACME_BDC #PRE #DOM:ACME
10.0.0.5 ACME_Exchange #PRE #Exchange Server

Where the IP addresses are for the domain controllers, the #PRE loads the entry automatically and the #DOM: is the domain.

Make sure you hit the <enter> key at the end. Save the LMHOSTS.sam file as "lmhosts" with the "" around it to get rid of the .sam. I have done this a lot with users with VPN clients for use with Exchange and authentication through the VPN.
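As an added illustration of the LMHOSTS format described in the post above (this is example code, not something posted in the thread), the parser below reads entries of the form `IP NAME [#PRE] [#DOM:domain] [#comment]`, records which hosts are preloaded and which are tagged as domain controllers, and flags the mistakes that silently break name resolution: a malformed address, a NetBIOS name longer than 15 characters, or a `#DOM:` entry that was not also marked `#PRE`. It treats the first unrecognised `#` token as the start of a trailing comment, which is why `#Exchange Server` in the third sample line is a comment rather than a keyword. Assumptions: keywords are matched as written in the sample file (uppercase), and file-level directives such as `#INCLUDE` are skipped rather than modelled. The sample file is constructed from the three lines quoted in the post plus extra lines that exercise the checks.

```python
"""Parse Windows LMHOSTS entries and report preloaded hosts and domain controllers.

Added example, not code from the original thread. The sample below reproduces
the three entries quoted in the post and adds constructed lines with defects.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

NETBIOS_MAX = 15  # NetBIOS names are at most 15 characters; the 16th byte is the service suffix


@dataclass
class LmhostsEntry:
    ip: str
    name: str
    preload: bool = False          # #PRE: loaded into the name cache at start-up
    domain: Optional[str] = None   # #DOM:<domain>: host is a domain controller for <domain>
    comment: str = ""              # any other '#...' text up to end of line
    warnings: List[str] = field(default_factory=list)


def parse_lmhosts_line(line: str) -> Optional[LmhostsEntry]:
    """Parse one 'IP NAME [#PRE] [#DOM:domain] [#comment]' line.

    Returns None for blank lines, whole-line comments and file-level directives
    (#INCLUDE, #BEGIN_ALTERNATE, ...) that this example deliberately does not model.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 2)
    if len(parts) < 2:
        return None
    entry = LmhostsEntry(ip=parts[0], name=parts[1])
    try:
        ipaddress.IPv4Address(entry.ip)
    except ValueError:
        entry.warnings.append(f"invalid IPv4 address {entry.ip!r}")
    if len(entry.name.strip('"')) > NETBIOS_MAX:
        entry.warnings.append(f"name {entry.name!r} exceeds {NETBIOS_MAX} characters")
    tokens = parts[2].split() if len(parts) == 3 else []
    for i, tok in enumerate(tokens):
        # Keywords are matched as written in the sample file (uppercase); assumption.
        if tok == "#PRE":
            entry.preload = True
        elif tok.startswith("#DOM:"):
            entry.domain = tok[len("#DOM:"):]
        elif tok.startswith("#"):
            # First unrecognised '#' token starts a comment running to end of line,
            # e.g. '#Exchange Server' in the thread's third entry.
            entry.comment = " ".join(tokens[i:])
            break
        else:
            entry.warnings.append(f"unexpected token {tok!r}")
    if entry.domain is not None and not entry.preload:
        entry.warnings.append("#DOM: entry without #PRE is consulted only after WINS and broadcast lookups fail")
    return entry


def parse_lmhosts(text: str) -> List[LmhostsEntry]:
    """Parse a whole LMHOSTS file, skipping lines that carry no host mapping."""
    entries = []
    for line in text.splitlines():
        entry = parse_lmhosts_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def domain_controllers(entries: List[LmhostsEntry], domain: str) -> List[str]:
    """Names tagged #DOM: for the given domain (NetBIOS domain names are case-insensitive)."""
    return [e.name for e in entries if e.domain is not None and e.domain.upper() == domain.upper()]


# Constructed sample: the three entries quoted in the thread plus lines with defects.
SAMPLE_LMHOSTS = """\
# Constructed sample LMHOSTS file
10.0.0.3 ACME_PDC #PRE #DOM:ACME
10.0.0.4 ACME_BDC #PRE #DOM:ACME
10.0.0.5 ACME_Exchange #PRE #Exchange Server
10.0.0.8 ACME_DC3 #DOM:ACME
10.0.0.300 BADADDRESS #PRE
10.0.0.7 A_VERY_LONG_NETBIOS_NAME #PRE
"""

if __name__ == "__main__":
    parsed = parse_lmhosts(SAMPLE_LMHOSTS)
    for e in parsed:
        flags = ("PRE" if e.preload else "-") + (f" DOM:{e.domain}" if e.domain else "")
        print(f"{e.ip:<12} {e.name:<26} {flags:<12} {e.comment}")
        for w in e.warnings:
            print(f"    warning: {w}")
    print("ACME domain controllers:", domain_controllers(parsed, "acme"))
```

Running the script prints one line per mapping with its flags and any warnings, then the list of hosts tagged as ACME domain controllers. Pointing `parse_lmhosts` at the contents of a real `%SystemRoot%\System32\drivers\etc\lmhosts` file gives the same report for a laptop whose domain logon over the VPN is failing.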
 
TimRaines,

Thanks for your input. I'm sure any input is better than no input here...

And I should probably mention that my destination network (at work) is using Network Address Translation, as seems to be the case with TimRaines. I figured that shouldn't really affect the tunnel creation, which is why I didn't mention it before.

Otherwise, I have to make the observation that apparently the WINS server address is crucial for this VPN connection to work. Why is this so? And can anyone explain it in detail? Thanks!

-Lawrence <<<<[flux]>>>>
 
Make sure the WINS server is in the TCP/IP options if you want to browse the network. Our SonicWalls allow NetBIOS passthrough if we want, so all NetBIOS is passed back and forth or in one direction. I have a Win2k network at home and have it on so I can see my network at my office. This helps so I do not have to remember tons of IP addresses.
 
I believe the WINS is necessary for your computer to find a DC to present credentials to.

But, as I said, enabling the WINS address (which also happens to be my DC), allows me to view my shares, etc. But it's darned close to useless.

Opening a text file with nothing but a "." in it takes upwards of a minute or two.

Haven't tried opening a database, as I plan to have children one day, and doing so would seem to be in direct opposition to looking at my Windows desktop for 13 years. :)
 
TimRaines,

Uh... if what you say is true, then I might as well forget it. :) Granted, I'll try it, but if it takes that long, I'll have to re-figure out how to set up my VPN connections for our salesmen. ... But like I said, I'll give it a shot and see what happens.

-Lawrence

<<<<[flux]>>>>
 
That's just it, though. I'm SURE there's something I've got screwed up on my end. Not sure what, but....

I have to take a closer look at my logs, I think. I noticed some kerberos-type errors this morning, but I want to do some more testing to make sure they are related.
 
OK....did some more checking. I misspoke. It's not the WINS server that's necessary (I think)...it's the DNS server. This is a Win2k Pro box connecting to a Win2k DC.

I removed the WINS server and enabled the DNS and it works.

However, to open a 20 byte (NOT Kbyte, mind you) text file took approximately 25 seconds.

Sounds like I've got a lot of overhead going on somewhere.
 
In the advanced DNS settings, ensure you have a DNS suffix for your location (i.e. yahoo.com, gov.on.ca).
 
I've got it set up that way. And I've tried specifying my internal DNS server (I'm running Active Directory), my WINS server, both at the same time, and none.

I think the only time it doesn't work at all is when I have none specified.

I've also tried specifying (and not specifying) my internal domain DNS suffix. Seems to make no difference either way.

HOWEVER, my internal domain is not publicly routable. In other words, I've registered domain.com, which (hosted by a web hosting company) works and is handled by their DNS servers. But my "internal" domain is called internal.domain.com. And I've not had my web hosting company add an A record for it. So no one in the outside world even knows about it.

Would this make a difference in the slowness? Could this be what all the overhead / slowdown is in my connection?

Are you listening, Lawrence? Is this what you've got going, too?
 
No solution yet. However, there is a workaround. To map a drive, use "connect as a different user". Give the same credentials (i.e. domain\user) as the logged-on user and it should work. However, only if there are no drive mappings already existing (or the error is that it already conflicts with the existing user). So this means before dialing in, disconnect the drive mappings, and when in the VPN map the drives as above. Clumsy but it works. Anyone got the real answer yet?
My problem too is that the dial-up software does not allow me to change any dial-up setting such as IP etc.
 
I had the same problem. What worked was to reinstall SP2 and the hotfixes on the W2k client. That was about 2 months ago. Now the client has been scrubbed, reinstalled and I'm having the same problem again. Gotta love it!
 
I think I have a solution. On my W2k client I have set the Net Logon service to Manual. Reboot after making the change; just stopping the service does not appear to do it. Accessing shares through the VPN works perfectly now. I have not tried it while plugged into the network yet, but worst case I just start the service up again. Hope it helps.
 
jimsworld2 is the champion! I stopped the Net Logon service, changed it to Manual, rebooted and hey presto, I could map drives.
However, I thought my user would not be able to log on whilst in the office via the network as the logon service is not running. Amazingly enough he can! So I think the answer appears to be stop the service and put it onto Manual.
Anyone know anything detrimental about the Net Logon service being stopped whilst connected physically to the network?

Cheers again jimsworld2!!
 
More news on the Net Logon service.
This service is used for NT domains. If you have a Windows 2000 domain using Active Directory, the authentication protocol is Kerberos. The W2k client uses Kerberos if it exists, then looks for Net Logon if not. So the solution will work with no detriment if the client is logging on to a Windows 2000 domain.
Hope this helps!
 