Domain over VPN logon problem

dhn (IS-IT--Management), Apr 26, 2001, DK
I have a w98se machine which I use to connect to a w2000 domain via a cisco VPN tunnel. The problem is that I need to set up the w98se machine to use domain authorization when I get the secure connection.

This is a problem, because if I enable Domain logon in network settings, the machine asks for domain pass and login when I start it. Since there is no domain controller in the local network where this machine is located, I have to cancel that login. However, if I do that, the VPN connection will not connect, probably (I think) because of the lack of authorisation from the initial login.

Thus I have a deadlock: If I run the machine with a simple windows logon, I can use the VPN fine (however, if I cancel the windows logon, the problem is the same, the vpn connection will not work), but then I am not prompted for domain login when the secure link is established, only a normal windows login - which is insufficient, since I want to join the domain, not be a solo windows user outside the domain.

On the other hand, if I enable domain logon, I am prompted for that right from boot-up, where there is not yet a VPN link established. Thus I have to cancel that logon, with the result that the VPN won't work.

I see two ways of solving the problem:
1) get windows to not prompt for domain login at boot-up, but only when secure link is established.

2) Establish the VPN link prior to login at boot-up, and thus being already on the new network when the domain logon comes up.

But how? Any ideas will be greatly appreciated.

-dennis
 
In Windows 2000, there is a setting that lets the VPN connection use a dial-up first.
If you then log on using the VPN connection, you would have a direct logon to the domain.
No idea how it works in Win98...
Cisco has got their own VPN clients, maybe they have some settings?
Rather stupid of me to write this, not knowing anything about Win98 and VPN.
Well... hope it helps someone, somewhere, somehow.
 
Hm - thanks anyway. The problem persists - anyone have another idea?

-dennis
 
There is an option in the Cisco 3.5 client that allows domain logons after establishing the VPN tunnel. Might be worth a look...
 
Hey! I've got pretty much the same problem, except that my Win2k server lies behind a NAT. And since I'm totally new to VPNs, I have no idea if this is really causing a problem. But anyway, I'm trying to establish a VPN connection to my win2k server from my Win98SE laptop. Our company has a 3Com Internet Firewall, and I'm using the SafeNet VPN client on the laptop. This is -extremely- frustrating. If anyone has a good solution, or can help me out, I'd be in your debt. Thanks!!!

-Lawrence <<<<[flux]>>>>
 
I found the below information which may be helpful at The information is for Checkpoint VPN but looks like it will work with any VPN connection to allow you to authenticate to the NT Domain.

Secure Domain Logon: Win98 as a Client

Option #1:
If File and Print Sharing for Microsoft Networks is enabled, the Win98 client can be left idle after booting. Once the client has loaded all services and remains idle for a number of seconds, the VPN authentication dialog will pop up. This allows the Win98 client to authenticate the VPN before entering domain logon information. Once the VPN is successfully authenticated by SecureClient, the user can make a normal domain logon and authenticate on a domain controller. When used in conjunction with a security policy in SecureClient, this may not pose a security threat to the client.

Option #2:
It is possible to cache the user’s VPN authentication information in Win98 to facilitate a hands-off VPN authentication. Information on this configuration can be found in the document (I assume at microsoft.com) How to Cache Windows 95 SecuRemote Configuration. This configuration allows a feature set comparable to the Single Sign-On (SSO) option available on WinNT. The user’s authentication information with Win98 is not encrypted as it is stored in the registry as it is with WinNT using SSO.

Regards,
Chip (Chip@chehost.com)
 
Hi

Had the same problems.

From dial-up, do not log in to the domain (you can't anyway).
Under the network properties there is a login to network checkbox; enable it. Now dial up to your ISP or RAS box.
As soon as you attach, your domain login will now pop up.
Depending on the client (I have used the Cisco one mostly) you will have configured "interesting" traffic, and as soon as you attempt to log in the VPN client will pop up and prompt you for password etc. You enter it and the VPN comes up. The problem is, chances are the domain login has timed out, so click on cancel and try again; you should now get logged in. Messy, I know, but it works...

I have set up a dial script that
1. dials the ISP
2. waits for 30 secs (approx. time it takes for the modem to connect)
3. pings an "interesting" address

Before the domain login appears you have already sent some traffic to force the VPN to try to come up, so you create the VPN before you attempt to log in.

This works...

Enjoy..

 
Thanks for the tip! I hope this works. Here are my worries about this solution, however:
1) My dial-up connection is not to the domain at work (which is where I'm trying to VPN into)
2) You say I should "click on cancel and try again..." Won't clicking on cancel close the login window, forcing me to dial up again? Or will it simply bring up the login window again? In other words, if clicking on cancel actually cancels the login, then this solution isn't a solution at all.

Please help me understand your solution more clearly. Thanks!

-Lawrence <<<<[flux]>>>>
 
Hi

Yeah, this works OK even dialing into the internet...
so long as your VPN tunnel endpoint is a public IP address.

When your domain login fails you are told to click "OK" to continue, but some services will not be available, or cancel, which goes back to the domain login prompt.
As I recall, you are not cancelling the domain login, only the message that appears when the login fails. If you were to cancel the login from the main domain login, that would disconnect you.

The whole point of my little script file was to send some interesting traffic which will prompt the VPN to kick off before the domain login prompt appears. I found this was a much better way for users to grasp the whole thing.

Cisco actually recommends you click the cancel option!!!

Is this any help to you???

Regards Jonathan
 
Jonathan,

No offense, but it took a few seconds to get through your grammar. ;) But otherwise, your point is solidly made, and I feel confident in your success. I'll give this a try. I trust you're right that clicking cancel on the dial-up domain login will simply bring you back to the domain login instead of exiting from logging on.

My biggest problem in all of this is that I still don't know if I need to touch the server in terms of Remote Access in order to allow me in....

-Lawrence <<<<[flux]>>>>
 
I look after a 7000 site OSPF/RIP network...

The last thing on my mind is my grammar... hey, that's what Word is for!!!
 
Jonathan,

Well, sorry to say, but you're wrong. When I clicked "Cancel" at the Domain login window upon dialing up, it cancels the domain login and finishes connecting to my ISP. Granted, I don't know how to create a script to make the Domain Login window wait before appearing, and if that's the key to your solution, that's all I need. But as of now, I'm still totally unable to successfully create a VPN tunnel AND log into our server at work.

Isn't there anyone else out there with answers?? (Not that I'm dismissing you, Jonathan... but more answers are always better than one)

-Lawrence <<<<[flux]>>>>
 
With the Cisco client there is an option to set the client up to log in before Windows logon. Use that; it will allow you to VPN before the login to domain attempt is made. Unless this is not present in the Win98 version of the VPN client, this should be a direct solution. If you have to log in first for some reason, log in locally to your machine by hitting Escape, then connect to the VPN, log out, and log back in, this time to the domain. I know the 2k and XP version lets you do this, again with an option in the preferences, but nonetheless it is possible. But you should be able to log into the domain with the Cisco VPN client itself on the Win98 version anyway, no need to use the Windows logon. Try that again; I used this once, and seem to remember it working, though it was just a test and I did not see if it was practical.
 
What has been working for us is to use the Windows password to authenticate. Disable the network login and use Windows login. Use the same user/pass for the domain. Once you connect to your VPN and try to use domain resources, the domain will check your credentials stored in the *.pwl file.
 
I believe if you use normal network logon, when you get prompted for the domain info, enter it in the following format: domain\username then your password, or domain/username then your password. One of those works, I haven't used 98 in a while :)
 
I've set up a VPN tunnel with 98SE workstations at a remote office connecting to a W2k server by creating the VPN connectoid and installing it on the remote workstations. Log on to the workstation as a local user, open the connectoid and configure it with an account that is set up on the domain controller. This setup is with a Cisco router, NAT on the server.
Info on the setup was found at Microsoft's KB site.
 