VPN & Cached Credentials Issues

Status
Not open for further replies.

jhutton (Technical User), Nov 16, 2006
After establishing a VPN, the VPN client can access the mail system to receive/send mail but can't access other network resources.
When attempting to access a shared folder, the client is prompted again for the username and password.

It states that I'm already logged in and will not allow access.
However, I can access a different account's drive using their login and password, just not my own.
This appears to be a cached credentials issue; I'm just not sure how to work around it.

Thanks in advance,
Jim
 
XP Pro or XP Home?
This behavior would be normal for XP Home.



____________________________
Users Helping Users
 
The client OS is XP-Pro and the server is 2003 SBS.
I log into the laptop and then I log into the server through a Linksys VPN router to establish the server connection from my home network.
I can then use Outlook without a problem.

When I try to open any of the drives on the server, it prompts me for a password, and after that I get the following error:
“The user name you typed is the same as the user name you logged in with. That user has already been tried. A domain controller cannot be found to verify that user name.”


It is very similar to the link provided in Linney's reply. The big difference is that it is not intermittent.
It does happen on multiple XP-Pro laptops.
I can log in successfully to the drive with the Admin or other users' logins while I'm logged in as myself.
Any other login will get you drive access except the ones that are used when logging into the laptop.

I need to investigate the event viewer to get you an answer.

Thanks for your help,
Jim
 
Thank you for the added information.

While researching this I noticed an identical claim by a VPN user. The issue never arose on dial-up, only on a broadband connection, which led to my thinking about the Kerberos token under UDP. One tech suggested the following:

Kerberos uses the UDP protocol by default, and Windows limits the maximum UDP datagram size to 2000 bytes by default. In some situations the limitation on the UDP packet size makes the authentication process fail (especially if the group membership is large).

Large group memberships can create a problem for Kerberos in that it takes 2 frames to pass the token. Old router firmware strips the second frame, thus removing some of the groups that should be part of the token. Since UDP is a connectionless protocol, there is no acknowledgement and no resend if a packet fails at the destination (hence shares do not reconnect, yet the workstation has valid credentials and does not understand why you are giving it valid credentials again).

Similarly, other hardware problems and unique conditions created by WLAN, remotely connected, failing or misconfigured hardware can create havoc with UDP.

You can make Windows always use TCP instead of UDP by inserting a new registry key (or changing it if it already exists).

The key is

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

And you must insert the value MaxPacketSize, type DWORD, set to 0x1. This, as I said, makes Windows use TCP.


____________________________
Users Helping Users
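The registry change Bill describes, scripted so it also covers the case where the "Parameters" subkey does not yet exist on the client. This is an added example, not code from the thread or from Microsoft; it assumes an administrator session on the XP Pro client with PowerShell installed (PowerShell 1.0/2.0 runs on XP SP2/SP3, which is an assumption about the machines in this thread). The key path and the MaxPacketSize value are the ones given above and documented in Microsoft KB 244474; a reboot is required before Kerberos picks the change up.

```powershell
# Added example (not from the thread): force the XP client's Kerberos traffic
# over TCP by setting MaxPacketSize = 1 under Kerberos\Parameters.
# Assumes: run as an administrator; XP Pro client (the "Parameters" subkey is
# often absent there and must be created). Reboot afterwards.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$name = 'MaxPacketSize'

# Show the current state before touching anything.
if (Test-Path $key) {
    $before = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$name
    if ($null -eq $before) { Write-Host "$name is not set (Kerberos defaults to UDP for small messages)" }
    else                   { Write-Host "$name is currently $before" }
} else {
    Write-Host "Subkey $key does not exist; creating it"
    New-Item -Path $key -Force | Out-Null
}

# A value of 1 means "anything larger than 1 byte goes over TCP", i.e. always TCP.
# TCP carries a large ticket (many group SIDs) without relying on UDP fragments
# that a router or VPN tunnel may drop.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back and confirm the type/value are what Kerberos expects.
$after = (Get-ItemProperty -Path $key).$name
if ($after -eq 1) {
    Write-Host "$name = $after (REG_DWORD). Reboot the client for the change to take effect."
} else {
    Write-Warning "Unexpected value for $name : $after"
}
```

Run it on the client only; the domain controller accepts Kerberos over either transport without any change, which is what Bill says later in the thread. The same script is safe to re-run: it creates the subkey only when missing and overwrites the value in place.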
 
Does the “Parameters” section need to be added to the client?
I do not currently have the “Parameters” section under Kerberos on the client.

I have seen the following error in the server security log:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.10.50.111
Source Port: 1077

Does this error correlate with what you are thinking?
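The security-log entry above decoded field by field. This is an added example, not code from the thread: the sample text is the entry as posted, and the code-to-name table is the standard NTSTATUS list from ntstatus.h (only the values commonly seen in logon-failure events are included). 0xC000006D is STATUS_LOGON_FAILURE, the generic wrapper; the substatus 0xC0000133 is STATUS_TIME_DIFFERENCE_AT_DC, which Windows logs when the Kerberos clock-skew check fails, so the client's clock is worth comparing against the server's (net time \\server) alongside the UDP change.

```powershell
# Added example (not from the thread): parse a Security-log "Logon Failure"
# entry and decode its NTSTATUS and logon-type codes.
# $entry is the entry as posted in the thread (constructed sample input here).

$entry = @'
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Source Network Address: 10.10.50.111
Source Port: 1077
'@

# Common NTSTATUS values from ntstatus.h; keys are upper-case hex strings.
$ntstatus = @{
    '0xC000006D' = 'STATUS_LOGON_FAILURE (generic; the substatus says why)'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xC0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xC0000133' = 'STATUS_TIME_DIFFERENCE_AT_DC (client clock outside the Kerberos skew tolerance)'
}

$logonType = @{
    '2' = 'Interactive'; '3' = 'Network (SMB share access)'; '4' = 'Batch'
    '5' = 'Service'; '7' = 'Unlock'; '8' = 'NetworkCleartext'
    '9' = 'NewCredentials (runas /netonly)'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}

function ConvertFrom-LogonFailure {
    param([string]$Text)
    # Every line is "Field: value"; the heading "Logon Failure:" simply has an empty value.
    $fields = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') { $fields[$matches[1]] = $matches[2].Trim() }
    }
    $fields
}

function Get-NtStatusName {
    param([string]$Code)
    $lookup = '0x' + $Code.Trim().Substring(2).ToUpper()
    if ($ntstatus.ContainsKey($lookup)) { $ntstatus[$lookup] } else { 'not in table; look it up in ntstatus.h' }
}

$f = ConvertFrom-LogonFailure $entry
"Logon type {0}: {1}" -f $f['Logon Type'], $logonType[$f['Logon Type']]
"From {0}:{1} via {2}" -f $f['Source Network Address'], $f['Source Port'], $f['Logon Process']
foreach ($name in 'Status code', 'Substatus code') {
    "{0,-15} {1}  {2}" -f $name, $f[$name], (Get-NtStatusName $f[$name])
}
```

Logon type 3 from 10.10.50.111 is the SMB connection to the share, so the failure is the share mapping rather than the Outlook/RPC session, which matches what Jim sees. The substatus is the useful part of any logon-failure event; the generic 0xC000006D on its own says nothing about the cause.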



 
I just checked the server, and it has the "Parameters" section, but there is no value set.
 
It fits my guess exactly.
I routinely change Kerberos to TCP and not UDP for the reasons given above.

I had not considered it directly in the VPN setting, but the argument made above is persuasive. As I said, several users have stated that there is no dial-up problem, the problem only occurs if they use Broadband.

As to there not being the Key value at that location:
And you must insert the value MaxPacketSize, type DWORD, set to 0x1.

I apologize for not making this clearer.

The issue is discussed in this MS KB:
One last thought: XP will default to a 1500 MTU setting for a broadband connection. This is fine for most cable broadband situations. For ADSL under PPPoE, a value of 1492 is the best fit. (Except for AOL broadband. Use 1432 at the highest.)

Test, and then use DrTCP to set the client MTU as the test results suggest:

Test site: DrTCP utility:
In addition, your Linksys router likely has a manual MTU setting feature. Set it to the same value you determined from testing above for the client.

Finally, some VPN client software has a configurable MTU to adjust for the difference between broadband and dial-up. Cisco, for example, has this in its Options. Set the value, if available as an option, to the same value determined by your earlier testing.

Best of luck.
Bill Castner



____________________________
Users Helping Users
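The MTU test Bill refers to, done from the client with ping rather than a web test site. This is an added example, not code from the thread or from DrTCP; it assumes a target reachable through the tunnel (the office server or the VPN gateway, a placeholder here) and uses only ping -f -l, which is present on XP.

```powershell
# Added example (not from the thread): find the largest ICMP payload that crosses
# the path without fragmentation, then add the 28 bytes of IP+ICMP header to get
# the MTU to enter in DrTCP, the Linksys router, and the VPN client.
# $Target is a placeholder; use the SBS server's address as seen through the VPN.

function Find-PathMtu {
    param(
        [string]$Target,
        [int]$Low  = 1200,   # a size that is expected to pass
        [int]$High = 1472    # 1500 MTU minus 28 header bytes
    )
    # Binary search: shrink the payload until "Packet needs to be fragmented" goes away.
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        $out = ping -f -l $mid -n 1 -w 2000 $Target
        if ($out -match 'needs to be fragmented') {
            $High = $mid - 1          # too big for some hop on the path
        } elseif ($out -match 'Reply from') {
            $Low = $mid               # fits; try larger
        } else {
            $High = $mid - 1          # timeout: a silent drop, treat as too big
        }
    }
    $Low + 28
}

# Sanity check first: if even the low bound does not answer, the result is meaningless.
$target = '10.10.50.1'   # placeholder for the office server / VPN gateway
if (-not ((ping -n 1 -w 2000 $target) -match 'Reply from')) {
    Write-Warning "$target does not answer ping at all; fix reachability before measuring MTU"
} else {
    $mtu = Find-PathMtu -Target $target
    Write-Host "Path MTU to $target is $mtu"
    # Typical results: 1500 (plain Ethernet/cable), 1492 (PPPoE), lower over some VPN tunnels.
}
```

The value to set on the client and router is the one printed; the extra encapsulation added by the VPN tunnel is exactly why the figure measured through the tunnel can come out lower than the 1492/1500 rules of thumb above.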
 
Bill,
Sorry, just so I'm clear on the changes.

Make the registry edit for "MaxPacketSize" to both the client and the server or just the client?

Thanks for the heads up on the MTU setting also; I'll read up on it from the links you provided.

Thanks for being so insightful,
Jim
 
The client was what I was thinking of.

The server should understand whether the Kerberos packet is sent UDP or TCP.

For Win2k Servers, the following patch from Microsoft should be applied if you have refusal issues from the server:
Generally speaking the server usually requires no changes.


____________________________
Users Helping Users
 
Bill,
I'll make the changes based on your suggestions and let you know how it goes.

Thanks again,
Jim
 
Bill or Jim,

There is an interesting question (and answers) on Expert-exchange which may be somewhat relevant, I don't pretend to know whether it is or isn't, or the answer to this thread.

But, if you are members (It is that type of forum which requires a joining fee, don't join just to see the answers), you could put me out of my misery by telling me if there is anything of relevance there?

Title: Unable to Browse Network Shares over VPN


asked by smartin0924 on 06/07/2005 12:14PM PDT
This solution was worth 500 Points and received a grade of A
 
linney, they are the same link. The two constructive suggestions made there:

In AD, right click on the user you want to allow access to your network and go to the properties option.
Next go to the "Dial-In" Tab. Under the first section labeled "Remote Access Permission (Dial-In or VPN) select the Allow Radio button.

That was it. I am now able to access my network from outside the office coming across the VPN.

---------------
Check also to make sure your VPN connection is set to allow NetBIOS broadcasts through the tunnel -- that has to be on in order to browse in Network Neighborhood and the like through a VPN.


____________________________
Users Helping Users
 
Thanks for that interpretation, those expensive thoughts may, or may not, add something to this post.
 
I have never paid. A long time ago I registered and earned some "points" and they have never asked me to pay anything.

I really do not know much about the site. I always thought you paid $$ if you wanted to ask questions, not if you wanted to view and answer them. But I just do not really know much about the site.


____________________________
Users Helping Users
 
Here are the results from testing the VPN logins after making the registry edits:

Laptop on the Domain:
Logged onto the laptop
Connected to server using the VPN
Opened Outlook successfully with no extra login.
Opened my directory successfully, but still needed a login. The login for the directory required the domain\user name and password; when I used just the user name and password, it resulted in the same error as before.
Neither of these options worked before the registry edit.

Desktop NOT on the Domain:
Logged onto desktop which is not part of the Domain we will VPN into.
Connected to server using the VPN
Opened Outlook successfully with login, domain\user name and password
Opened my directory successfully with Login, domain\user name and password
It should be noted that after doing five tests the directory only prompted for another Login 2 out of the five times.


We have definitely made progress. I can now access the drives with the same account that I used to logon to the laptop.
It would be nice to not have to supply another Login for the drives. Is this possible?

Thanks,
Jim
 
Clear the cached credentials. I believe you have solved the underlying issue:

Start, Run, control userpasswords2
Click Advanced.
Use the top box to manage the cached credentials.
I would remove all references to the Domain.



____________________________
Users Helping Users
 
Bill,
I just looked inside the Manage Passwords list and it is empty.
Any other possible suggestions?

Thanks for your help,
Jim
 
Do a net use statement with all information:
password, domain\username, and include the /savecred switch.


____________________________
Users Helping Users
 
Bill,
Can you please elaborate on doing the Net Use statement?

Thanks
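Bill's net use suggestion spelled out, as an added example that is not part of the thread. The server, share and account names are placeholders; it assumes XP Pro on the client (/savecred is not available on XP Home) and that the share is reached through the established VPN.

```powershell
# Added example (not from the thread): map the share once with explicit
# domain credentials and store them, so later VPN sessions do not prompt.
# Placeholders: \\server (the SBS 2003 host), users (share), DOMAIN\jim (account).

$server = 'server'
$share  = 'users'
$user   = 'DOMAIN\jim'   # always domain\username; the bare name is what re-tries the
                         # laptop's own logon and produces "That user has already been tried"

# Tear down any half-built session to the server first; a stale session with the
# wrong credentials blocks a new one to the same server under a different user.
net use "\\$server\$share" /delete 2>$null

# Map with explicit credentials. Leaving the password off the command line makes
# net use prompt for it once (so it never lands in command history); /savecred
# stores it under Stored User Names and Passwords (control userpasswords2 > Advanced),
# and /persistent:yes re-creates the drive at the next logon.
net use X: "\\$server\$share" /user:$user /savecred /persistent:yes

# Verify: X: should list with the UNC path and status OK, and the entry for
# \\server should now appear in control userpasswords2 > Advanced > Manage Passwords.
net use
```

One caveat on /savecred: the stored secret is protected by the client's own logon credentials, so anyone who can run code as that Windows user on the laptop can reuse it for the share. That is acceptable for a domain-joined laptop the user owns; it is a poorer trade on the non-domain desktop in Jim's test, where the mapping should be made without /savecred.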

 