Acct. lockout - using cached pw @ Win logon & current pw for VPN l

Guest

This seems like it should be a no-brainer, but I'm having trouble finding an
answer. We run an NT4 LAN with a Win2k VPN server. We're setting up some
computers that will be used at remote locations, and not be a part of any
domain other than that which houses the VPN server. Additionally, they will
usually be in the field (not directly connected to the LAN) for periods
exceeding 6 months. On the LAN, passwords expire every 90 days.
One of our first VPN users was an executive with a computer that she keeps
in the office, and one that's permanently stationed at home. She changed her
password one day from the office. Later she signed in on the home pc, having
to use cached credentials to get into Windows. Since our VPN authenticates
users with our LAN's DCs, her VPN password was different than her home
password. In the course of working while connected to the VPN, her account
got locked out. We presume it's because she had logged onto the computer
(which is a member of [MYDOMAIN]) using her old (cached) password, and then
logged onto the VPN (which authenticates in [MYDOMAIN]) using her current
password. We think that Windows sent authentication information through the
VPN using the cached credentials during the course of the connection. We've
temporarily set her password to not expire.
We are now getting ready to set up more remote pcs. When we set them up, we
plan to make them members of our domain, but if we do, we may run into the
same problem - a user will connect through the VPN, and either have an
expired password or be asked to change his / her password when connecting to
Exchange, for example. The passwords therefore have the potential to fall
"out-of-sync", and therefore lock out the user during or after a VPN session.
We considered NOT making these remote pcs domain members, but want them to
reap the benefits of domain membership - policies, updates, and eventually AD
GPs. Any thoughts as to how we could keep these passwords synchronous for
the local (cached) logon and the VPN (domain) logon? We thought of forcing
them to CTRL + ALT + DEL to the Windows Security box, and choose "Change
Password" while connected to the VPN, but we weren't sure if that would be
effective.
Any help would be greatly appreciated. Thank you.
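As an added illustration (not code from either poster), here is a small Python model of the lockout bookkeeping the post describes: a client that keeps re-authenticating through the VPN with a stale cached password burns through the domain's bad-password threshold, while refreshing the cached password over the VPN (the Ctrl+Alt+Del "Change Password" idea above) stops the count. The policy numbers, password values and 5-minute re-authentication interval are constructed assumptions, not the poster's actual settings.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int = 5          # bad attempts before lockout (0 = never lock)
    reset_window: int = 30      # quiet minutes before the bad-password count resets
    lockout_duration: int = 30  # minutes the account stays locked

@dataclass
class DomainAccount:
    password: str               # the current password held by the DCs
    policy: LockoutPolicy
    bad_count: int = 0
    last_bad: Optional[int] = None      # minute of the most recent bad attempt
    locked_until: Optional[int] = None  # minute at which the lockout expires
    log: list = field(default_factory=list)

    def authenticate(self, now: int, password: str) -> bool:
        """Apply NT-style lockout bookkeeping to one logon attempt at minute `now`."""
        if self.locked_until is not None and now < self.locked_until:
            self.log.append((now, "rejected: account locked"))
            return False
        if self.last_bad is not None and now - self.last_bad >= self.policy.reset_window:
            self.bad_count = 0          # counter reset: the quiet period elapsed
        if password == self.password:
            self.bad_count = 0
            self.log.append((now, "ok"))
            return True
        self.bad_count += 1
        self.last_bad = now
        self.log.append((now, f"bad password {self.bad_count}/{self.policy.threshold}"))
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_until = now + self.policy.lockout_duration
            self.log.append((now, "LOCKED OUT"))
        return False

def run_session(cached_pw: str, domain_pw: str, change_at: Optional[int],
                policy: LockoutPolicy) -> DomainAccount:
    """Model a VPN session: the client re-authenticates to domain resources every
    5 minutes with its locally cached password. If change_at is set, the user
    changes the password over the VPN at that minute and the cache matches from then on."""
    acct = DomainAccount(password=domain_pw, policy=policy)
    client_pw = cached_pw
    for minute in range(0, 40, 5):
        if change_at is not None and minute >= change_at:
            client_pw = domain_pw
        acct.authenticate(minute, client_pw)
    return acct
```

Calling `run_session("OldPw", "NewPw", None, LockoutPolicy()).log` shows the account locking on the fifth silent retry, and passing `change_at=10` shows the retries succeeding once the cached password is refreshed.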
 
Guest

I know this isn't an answer to your problem, but I am having a similar issue.
We are using a Win2k AD controlled network, with Windows XP clients. The
client computers in our remote sites have similar issues.

Once a user has changed his password either in an office or on one of our
Terminal Servers, the next time he/she attempts to log on a remote computer,
in order to establish the VPN he/she must enter his old password, and log
into Windows with the old password. To avoid any problems, we have
instructed them to then log off and start over with the new password. This
is the case no matter how many days go by before an attempt to log in
remotely. The cached password into Windows makes sense to me, but why is
the VPN connection still 1 password behind, especially when it validates the
user's domain password???



Kevin said:
