IPC$ Password

[ITGL72]

I'm looking for some steps in what I need to do to fix a problem with a VPN Connection.

I have a client coming into our LAN via VPN. When the client tries to access a server they get a request for an IPC$ Password.

They re-enter their password, but thats not it.

What sort of things should I do, or look at in order to resolve this IPC$ Password request issues?

Thank You

 

[peterve]

On you Win2K server : Create a AD account for that user,
let that user log in (locally) to his computer using that accountname, then connect to your LAN using VPN and try again... it should work Peter Van Eeckhoutte
peter.ve@pandora.be

 

[ITGL72]

Actually its an NT4 network. Its a domain account this VPN CLIENT is using.

My assumption right now is this:


1. User has an account in the domain that I want them to view/access.

2. User (VPN CLIENT) has that SAME account on their personal computer they are
using to login with, and is logged into that account on their personal PC (W98/ME).

3. User (VPN CLIENT) has their PC's workgroup box filled in with the name of the
domain I want them to access.

3. User also uses that account information in their DUN setup to connect via VPN
to the LAN.


Am I missing Anything?

Here are some more questions?

What would prevent the user from being able to connect to or ping a machine by its netbios name? For example, you can ping or connect via IP address on some machines, but you can't connect or ping with the computers name itself. There is a WINS server set in the VPN clients settings. That is what has confused me. What would I look for here? Is there something I'm missing?

Also, unable to view My network Places/Network Neighborhood. What might be causing this?

Thanks for your help!

 

[ITGL72]

Actually its an NT4 network. Its a domain account this VPN CLIENT is using.

My assumption right now is this:


1. User has an account in the domain that I want them to view/access.

2. User (VPN CLIENT) has that SAME account on their personal computer they are
using to login with, and is logged into that account on their personal PC (W98/ME).

3. User (VPN CLIENT) has their PC's workgroup box filled in with the name of the
domain I want them to access.

3. User also uses that account information in their DUN setup to connect via VPN
to the LAN.


Am I missing Anything?

Here are some more questions?

What would prevent the user from being able to connect to or ping a machine by its netbios name? For example, you can ping or connect via IP address on some machines, but you can't connect or ping with the computers name itself. There is a WINS server set in the VPN clients settings. That is what has confused me. What would I look for here? Is there something I'm missing?

Also, unable to view My network Places/Network Neighborhood. What might be causing this?

Thanks for your help!

 

[Mubashir]

Check out the IP addresses and subnet mask on the clients. All clients must be configured with same subnet as the VPN servers. BTW how are you configuring IP on clients?

Second, ensure that the client machine has computer account on the PDC of the domain. User account and the machine must exist on the authenticating domain in order for the user to login. Mubashir
muhammad.mubashir@sbp.org.pk

Imagination is more important than knowledge. - Newton

 

[ITGL72]

I have the system configured where it sends out an IP address to the client from a pool. I have another user that VPN's into our network daily and does what he needs to do with no problem. So I think it may be a client issue here on my side. I make the VPN client put the WINS info, etc into their configuration manually. Only the IP address is sent to them from the RAS server.

As far as the computer account, doesn't it get registered automatically when the user logs in? or should I go and put that name in there myself?

 

[mikes999]

You can also put netbios names into LMHOSTS file on the VPN client PCs, just to ease up name translation. Is your VPN server a DHCP server also? How clients get their IP addresses?

 

[Mubashir]

Fine.

I understand that your VPN user can login successfully but can't connect to a server share. He's asked for an IPC$ password. Right?

To resolve this make the user's windows pwd and the domain pwd the same. Sounds funny but try this. Also, ensure that the user has share permission on that server. If the server is a standalone server, ensure that it doesn't have a duplicate user account in it's local database. And check again the workgroup/domain entry on the client machine.

Regarding computer account, I agree it's automatic in case of 9x machines but required in NT based machines. The reason I suggested this is that authentication problems for remote users can be complex and some degree of complexity can be minimized by creating a computer account in the domain for the machine VPNing. But, since you're using 9x, it doesn't matter much.

And that the user cannot connect to or ping to a machine by its netbios name, is obviously a name resolution problem. Check your WINS configuration and TCP/IP setting too. Why don't you try static IP just for testing? Set static IP config and confirm the setting by 'winipcgf.exe' on the client machine.
Mubashir
muhammad.mubashir@sbp.org.pk

Imagination is more important than knowledge. - Newton

 

[butchrecon]

Mubashir is correct. It is a permissions problem with the user. They may not have permission to use the shares. Please let us (Tek-tips members) know if the solutions we provide are helpful to you. Not only do they help you but they may help others.


James Collins
Computer Hardware Engineer
A+, MCP

email: butchrecon@skyenet.net

 

[ITGL72]

Everything you have said has been helpful. I knew most of it, but it needed to be rekindled in the back of my memory. Funny how all this information can be stored in your head but forgotten with out regular use!

Now, when you say the user has permissions for the shares, I beleive I already have accomplished this. I have the users user account as a member of the DOMAIN USERS group. If the shares are available to the members on the LAN I will assume then they are available to the users in this same group that VPN into my network so thats how I have it.

Correct me if I'm wrong but it seems to be working fine.

It seems now, despite still having a NAME RESOLUTION ISSUE (not sure of this however, USER is all thumbs on setting this thing up and explaining the problem, but can program like a mad man) that the user can now VPN in, access the shares, and get what he needs. But.. ONLY IN THE DOMAIN WHERE HE IS AUTHENTICATED!

I am almost 100% certain that our 3 NT Domains ALL TRUST EACH OTHER. But I may have to recheck this. When the user attempts to access a share on the DOMAIN oustide the authenticating domain he gets a message that states the domain is not available.

The USER has an account in ALL OF THE 3 DOMAINS just for safety sake at the least.

If the USER changes his DOMAIN/WORKGROUP to the other domain however he can VPN into that domain and that computers shares, but now the OTHER DOMAIN. So thats really where I am at right now.

Thanks for the suggestions thus far!

 

[jguillory]

Give the user rights in the domain he cannot access while in his current domain. For instance, if the user is logging into domain1 but wanted to access a share in domain2 then you could set domain2 permissions to allow access from "domain1\user". Even better, you could create a group for the user in domain1 and give that group access to the share in domain2. That way you could add other users to the group if need be.

 

[hchman]

How are your trust relationships set up. In order for a user to access a from a trusted domain to a trusting domain don't you have to set up a local group?

 

[Highland]

Dont know if the following will help, but it might be of interest to everyone anyway.......sounds like your problem is down to Domain Authentication but you never know...!!!!

Anyway I was looking at an issue connecting a 98 Client to an NT Server.......it turns out that the MaxMpxCt setting in the registry controls the connection between Nt and Win98.......according to an article I found Win 98 only checks the last 2 digits of this setting, if these are 00h then Win98 assumes the connection is not available...!!!! the solution is to set a non zero ending value in Hex....