Cannot access UNC path over VPN.

Guest

I have a domain laptop that is used on both the local corporate LAN and over
a dynamic VPN tunnel. Outlook and other apps do work over the VPN, but we
are experiencing issues with accessing UNC shares on a Windows 2000 server,
particularly under this user's name and profile. When the user attempts to
access his home folder e.g. (\\servername\share\username), he will receive a
message alerting him that the username and password have already been tried
and failed, and to ensure that the domain controller that authenticated him
is available. To ensure that an authenticating domain controller was
available over the VPN I not only rejoined the workstation to the domain over
VPN, but changed his password via Remote Desktop and successfully logged him
in over VPN.

It seems that as the domain admin I was able to look at UNC shares, but
under his account I cannot. I have also received this message:

The system detected a possible attempt to compromise security. Please
ensure that you can contact the server that authenticated you.

The share that is most critical is the home folder assigned to him via AD,
and has no problems on the local LAN. Furthermore this folder is
synchronized with My Documents at logon and logoff, and the errors and
authentication prompts take place when trying to synchronize. If he
synchronizes in the office, the data will be available when the unit has no
TCP/IP connection, but as soon as he gets on the VPN the My Documents folder
is empty.

Please note that I recently installed 2 Windows 2003 domain controllers. I
am not seeing any errors from the AD integrated DNS zone. There are
currently 2 W2k3 DC's and 2 Win2k DC's running in Windows 2000 native mode.
I have made all machines Global Catalogs as there seemed to be some issues
with that too. Hope this was readable, let me know what you think.
 
Vanguard

Dennis Procopio said:
I have a domain laptop that is used on both the local corporate LAN and over
a dynamic VPN tunnel. Outlook and other apps do work over the VPN, but we
are experiencing issues with accessing UNC shares on a Windows 2000 server,
particularly under this user's name and profile. When the user attempts to
access his home folder e.g. (\\servername\share\username), he will receive a
message alerting him that the username and password have already been tried
and failed, and to ensure that the domain controller that authenticated him
is available. To ensure that an authenticating domain controller was
available over the VPN I not only rejoined the workstation to the domain over
VPN, but changed his password via Remote Desktop and successfully logged him
in over VPN.

It seems that as the domain admin I was able to look at UNC shares, but
under his account I cannot. I have also received this message:

The system detected a possible attempt to compromise security. Please
ensure that you can contact the server that authenticated you.

The share that is most critical is the home folder assigned to him via AD,
and has no problems on the local LAN. Furthermore this folder is
synchronized with My Documents at logon and logoff, and the errors and
authentication prompts take place when trying to synchronize. If he
synchronizes in the office, the data will be available when the unit has no
TCP/IP connection, but as soon as he gets on the VPN the My Documents folder
is empty.

Please note that I recently installed 2 Windows 2003 domain controllers. I
am not seeing any errors from the AD integrated DNS zone. There are
currently 2 W2k3 DC's and 2 Win2k DC's running in Windows 2000 native mode.
I have made all machines Global Catalogs as there seemed to be some issues
with that too. Hope this was readable, let me know what you think.


Determine if the user has access rights when logged in under the VPN.
The ACL is probably different when on the corporate network than when coming
across the VPN. Also, not only can the ACLs be different when coming to
the same domain over a VPN, but the fact that the user is using a laptop
may end up placing their machine in a security zone for laptops that
further restricts his access to various hosts.

I have fought since last September trying to get the IT folks and
sysadmins to get the ACLs updated so I have full access to all hosts
when at home using a VPN and a laptop. First, all laptops, regardless
of where they are, are managed under a different security zone which
restricts their access to various hosts more than a workstation. I log
onto one domain (for my login and Exchange) but most of the hosts that I
need to get at are under another trusted domain but I don't have all the
ACLs when using my laptop. It becomes worse when coming across the VPN
with my laptop. My solution was to enable the Remote Desktop feature on
my office workstation. It is NOT in the laptop security zone and it
gets access to all the lab hosts on domain-B although I log on under
domain-A. I can get to my workstation from work on the corporate
network or from home across the VPN. So I remote desktop to my
workstation and get the full access that I need to perform my duties.
It sucks but is better than getting denied access and waiting until
doomsday until the SA gets around to figuring out what is wrong or
getting IT to stop screwing up everyone's work schedule with ridiculous
security restrictions.
 
