Cannot connect to 2000 file shares via VPN

Guest

Hi,

Client: Windows XP Pro SP2

Server: Windows 2000 Server SP4 (DC, AD)

I log on to my laptop with cached domain credentials (Event ID: 5719, Source:
Netlogon). I start a VPN connection to my corporate network. I can ping our
file server and Outlook connects to the Exchange server.

When I want to make a connection to a server share \\192.168.0.3\data I see
a window asking for my domain credentials. I give these credentials:
DOMAIN\Username and the password (same as the cached domain credentials). I
receive an error message that: "this account is the same as the one logged
on to the system and that this account was tried before to logon. There is
no domain controller available to validate this account."

At the same time I see these errors in the system log of the Windows XP
client:

Event ID: 40960, Source: LSASRV, Category: SPNEGO (Negotiator)

Event ID: 40961, Source: LSASRV, Category: SPNEGO (Negotiator)

When I use other credentials to log on to this share (DOMAIN\AnotherUsername
and the password - NOT the same credentials as the cached domain
credentials) there is no problem. I don't see any messages in the event log.

When I log on to this laptop with a local account (no cached domain
credentials), start the VPN connection and make a connection to
\\192.168.0.3\data with DOMAIN\Username I don't have any problem either.

It seems that the problem is that the logon process only wants to validate
my account one time. At start-up the domain controller is not yet
available and thus the system is using the cached domain credentials. When
my domain controller is available (VPN is active) the system doesn't want to
validate my account anymore....

Does anyone have an idea?

Thanks in advance!

Nick
 
Phillip Windell

You are not logging in the right way to begin with. At the Ctrl-Alt-Del
prompt you must enable the checkbox that says "Log on using dial-up
connection". It will prompt for the connection to use; choose the proper
VPN connection. The machine will then log in as normal; it won't be a
cached account but rather the "real thing".
 
Guest

Unfortunately the VPN is via a cable modem, so the dial-up option is not
available.

Phillip Windell said:
You are not logging in the right way to begin with. At the Ctrl-Alt-Del
prompt you must enable the checkbox that says "Log on using dial-up
connection". It will prompt for the connection to use; choose the proper
VPN connection. The machine will then log in as normal; it won't be a
cached account but rather the "real thing".

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

 
Jetro

You may run into Kerberos authentication issues if you are attempting to
access network resources through a VPN tunnel. By default, the Kerberos
packets are UDP packets until they exceed 2000 bytes. This results in
fragmented UDP packets which will not traverse the tunnel.

See if this helps:

http://support.microsoft.com/default.aspx?scid=kb;en-us;244474
How to force Kerberos to use TCP instead of UDP
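The KB article Jetro points to describes a client-side registry value, MaxPacketSize under the Kerberos\Parameters key, that makes Kerberos switch to TCP above the given size. The script below is an added example, not something posted in this thread, that reads that value, optionally sets it to 1 (so every Kerberos request goes over TCP) or removes it again, and reminds you to confirm the fragmentation theory first. It assumes an elevated PowerShell prompt on the client and a domain controller that accepts Kerberos on TCP 88 (Windows 2000 DCs do); the registry path and value name are the ones named in the KB, the ping check and the 192.168.0.1 gateway address are illustrative.

```powershell
# Added example: inspect or set the Kerberos MaxPacketSize value from KB244474.
# Run elevated. $kerbKey is the path the KB gives; nothing here is thread-original code.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    # Returns $null when the value is absent, i.e. the OS default threshold applies
    # (2000 bytes on Windows 2000 / XP, per the thread and the KB).
    if (-not (Test-Path $kerbKey)) { return $null }
    (Get-ItemProperty -Path $kerbKey -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
}

function Set-KerberosUseTcp {
    param([switch]$Revert)
    if (-not (Test-Path $kerbKey)) { New-Item -Path $kerbKey -Force | Out-Null }
    if ($Revert) {
        # Back to the default: UDP first, TCP only above the built-in threshold.
        Remove-ItemProperty -Path $kerbKey -Name MaxPacketSize -ErrorAction SilentlyContinue
    } else {
        # 1 byte is smaller than any real AS-REQ/TGS-REQ, so the client always uses TCP
        # and the ticket never has to travel as fragmented UDP through the tunnel.
        Set-ItemProperty -Path $kerbKey -Name MaxPacketSize -Value 1 -Type DWord
    }
}

# Report the current state.
$current = Get-KerberosMaxPacketSize
if ($null -eq $current) {
    "MaxPacketSize not set: Kerberos uses UDP until the default threshold, then TCP"
} else {
    "MaxPacketSize = $current (TCP is used for anything larger)"
}

# Caveat before changing anything: check that the tunnel really drops large packets.
# A ping with Don't-Fragment set and a payload near the Ethernet limit should fail with
# "Packet needs to be fragmented but DF set" if the tunnel MTU is smaller. Run it
# against a host on the far side of the VPN (192.168.0.1 is a placeholder here):
#   ping -f -l 1472 192.168.0.1
# If that succeeds at 1472, the tunnel is not the problem and the registry change is
# unlikely to help.

# Apply the change only after the check above points at fragmentation:
#   Set-KerberosUseTcp
# and purge cached tickets so the next logon negotiates fresh ones:
#   klist purge
```

Forcing TCP is a per-client setting and is harmless on a LAN, so it is a reasonable first step to rule Kerberos fragmentation in or out. In Nick's case the symptom (a second logon with the *same* cached account is refused while a different domain account works) is not really a transport problem, which is consistent with the eventual fix being a dial-up option rather than this registry value.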
 
Guest

After about 4 hours of fiddling around with it I found the solution.

In the VPN options under dialing options there was a tick box checked for
"Include Windows logon domain".

Once this was unticked the whole thing worked like a charm!
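The "Include Windows logon domain" checkbox lives in the per-connection Dialing Options of the RAS phonebook, which is a plain INI-style file (rasphone.pbk). The script below is an added example, not something posted in the thread, that parses the phonebook and lists the relevant flag for every connection so the setting can be audited without clicking through each entry. It assumes the checkbox is stored as PreviewDomain=1 and "Prompt for name and password" as PreviewUserPw=1 (the key names are from phonebook files I have seen, not confirmed by the thread), and uses the phonebook locations of current Windows versions; on XP the all-users file lived under Documents and Settings\All Users\Application Data instead.

```powershell
# Added example: audit "Include Windows logon domain" across RAS/VPN phonebook entries.
# Assumptions (not stated in the thread): PreviewDomain=1 is the "Include Windows logon
# domain" checkbox, PreviewUserPw=1 is "Prompt for name and password, certificate, etc.".
$pbkPaths = @(
    (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'),  # this user
    (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')   # all users
)

function Get-PbkEntries {
    # Minimal INI parser: [Section] headers become connection names, key=value lines
    # become a hashtable per connection. Unknown lines are ignored.
    param([string]$Path)
    $entries = [ordered]@{}
    $current = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') {
            $current = $Matches[1]
            $entries[$current] = @{}
            continue
        }
        if ($current -and $line -match '^([^=]+)=(.*)$') {
            $entries[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $entries
}

function Get-LogonDomainSetting {
    # One row per connection in every phonebook that exists on this machine.
    foreach ($pbk in $pbkPaths) {
        if (-not (Test-Path $pbk)) { continue }
        $entries = Get-PbkEntries -Path $pbk
        foreach ($name in $entries.Keys) {
            $e = $entries[$name]
            [pscustomobject]@{
                Phonebook          = $pbk
                Connection         = $name
                IncludeLogonDomain = ($e['PreviewDomain'] -eq '1')
                PromptForCreds     = ($e['PreviewUserPw'] -eq '1')
            }
        }
    }
}

Get-LogonDomainSetting | Format-Table -AutoSize

# To flip the setting the supported way, use the connection's Properties > Options >
# Dialing options dialog (or rasphone.exe); editing the .pbk by hand works but is
# picked up only after the connection is re-dialled.
```

Why the checkbox matters in Nick's scenario: with it ticked, the VPN client sends the Windows logon domain together with the user name when it dials, and the resulting session is tied to the identity that was validated at dial time. The laptop had already logged Nick on from the credential cache (Netlogon 5719, no DC reachable), so when the share later asks for DOMAIN\Username again, the client treats it as a repeat of a logon it already has and refuses it, while a different account or a local logon never hits that path. Unticking the box lets the share connection negotiate its own Kerberos ticket once the tunnel is up.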
 
Phillip Windell

Nick Maxwell said:
Unfortunately the VPN is via a cable modem, so the dial-up option is not
available.

No, it is not the cable modem. That is totally different. The VPN wouldn't
know what the cable modem was if it tripped over it. VPN is only "aware" of
the VPN dial-up adapter, which is a "logical" dial-up modem that exists only in
software. The "connectoid" that you activate the VPN with is the "VPN dial-up
connection", and it is the "connection" that you have to choose during the
Ctrl-Alt-Del logon with the checkbox enabled.
 
Phillip Windell

Nick Maxwell said:
After about 4 hours of fiddling around with it I found the solution.

In the VPN options under dialing options there was a tick box checked for
"Include Windows logon domain".

Once this was unticked the whole thing worked like a charm!

I don't know that this gives you all the same functionality, but if it does
what you require then that is fine. But it would be pointless for MS to have
the checkbox at the Ctrl-Alt-Del prompt if this other thing was all you had
to do; they would just be redundant with each other.
 
Eugene Taylor

Not pointless: in the old days you could check that box to actually dial up
using a modem and POTS and authenticate into your network.
 
Ryan Hanisco

That, and some things like the Cisco VPN Concentrators can ignore those
settings, making you handle them in the VPN client.
 
Phillip Windell

Ryan Hanisco said:
That, and some things like the Cisco VPN Concentrators can ignore those
settings, making you handle them in the VPN client.

...and...

Eugene Taylor said:
Not pointless: in the old days you could check that box to actually dial up
using a modem and POTS and authenticate into your network.

So the answer is a definite, solid "we're not sure" :)
 