VPN problem (Netscreen)


news.microsoft.com

Hi,

I have some problems with VPN

Setup,
W2k domain with domain clients and non-domain clients.
All clients use the NetScreen Secure Remote client to connect to our
network and are authenticated on RADIUS (installed on a W2k DC)
Connecting to the VPN works fine for all clients, the main problem is that
domain clients cannot connect to any shares on the servers.

A non-domain client can connect to a share by using his/her domain password
in the form DOMAIN\PASSWORD via the Windows Explorer.

The domain clients are laptops users and when they are not connected to our
network they log in locally with cached credentials.
(so they can use their current profiles)
When they make a VPN connection they cannot connect to a share, they get the
error message 1311
When they try to use 'net view \\server' they get the error 'access denied'
(making them a member of the local administrators group did not help)

When I create a local account on a domain client with the same username and
password as the domain account, and then logon with that account on the
domain client, then they can connect a share.

What I really want is that users logon using their cached credentials and
then be able to connect to shares.
I already tried to use a WINS server but that did not resolve the problem. I
also tried to put the domain in the lmhosts file.
Searching through TechNet didn't give me any solutions either.

Does anyone have an idea what the solution might be, or a push in the right
direction? Maybe there are other people with the same problem?
Is there a way to manually logon to the network via the command prompt in W2k
and/or XP?

Kind regards
Arend van der Boom
 

Ryan Lambert

I think you may want to try eliminating cached credentials
and just log them on locally instead. I do not see this as
a VPN problem. More a configuration issue.

If I had to guess, there's a disagreement between the
server and the client as to whether or not it's a
legitimate user on the network because the machine has not
directly authenticated to the domain in your scenario.

Just a guess, though.

I would consider this normal behavior.
 

Alan Wood [MSFT]

Hi ...
That is correct. If you are logging on a system that is joined to a
domain using Cached Credentials, then the system account is not logged on
the domain.
Error 1311 translates to the following:
"There are currently no logon servers available to service the logon
request."

Here's the deal. The system account has to authenticate with the domain
for this to work correctly.
So either the VPN software has to have this functionality built in, OR
you have to have the ability to use the "Logon on the Domain using Dial Up
connection" on the Security Screen (CTRL+ALT+DEL).

This is exactly what the option was designed for. When you choose this
option, the system account will be able to log on the domain as well as the
user account.

Also note that in Windows XP you could use Credential Manager to force the
credentials to be passed. This is not available in Windows 2000.
281660 Behavior of Stored User Names and Passwords
http://support.microsoft.com/?id=281660


Hope this Helps!

Alan Wood[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
 

Arend van der Boom

Hi ...
That is correct. If you are logging on a system that is joined to a
domain using Cached Credentials, then the system account is not logged
on the domain.
Error 1311 translates to the following: "There are currently no logon
servers available to service the logon request."

Here's the deal. The system account has to authenticate with the domain
for this to work correctly.
So either the VPN software has to have this functionality built in,
OR you have to have the ability to use the "Logon on the Domain using
Dial Up connection" on the Security Screen (CTRL+ALT+DEL).
<cut>

I did not try the "Logon on the Domain using Dial Up connection" but
first checked if there was a newer version of the NSR client, and there
was.
So I have tried it with the latest version NSR 8.3 and 'lo and behold' it
seems to work.
With the new NSR client you can simply logon to Windows with cached credentials and when
the VPN connection is up, simply connect to a share via 'net use e:
\\server\share /user:domain\user'
(tried this both on W2k and XP Pro)

The MTU size problem is also resolved in the new version (in the prior
version you had to set the MaxMTUsize to 1002 to get it working with, among
others, the Terminal Server Client) and some other minor things.

The only thing I have done now is configure the NSR client differently: I
now let the NSR client make use of the virtual NSR NIC, by which the computer knows
which DNS server to use so it can resolve NetBIOS names. This also
eliminates the use of LMHOSTS.
(the support guy of our Netscreen supplier gave me that tip)

--
Arend van der Boom

#--/\---------^-^-^-^-^----- - -//-~~>
Homepage - http://home.kabelfoon.nl/~avdboom
KabArch - http://kabarch.dyndns.org
LCARS - http://lcarsscan.dyndns.org
KTZ - http://kabelzone.dyndns.org
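The procedure the thread converges on (resolve the server through the VPN adapter's DNS, then connect the share with explicit DOMAIN\user credentials rather than the cached local logon, and read the Win32 error code when it fails) as an added PowerShell example. This is not code from the thread or from NetScreen; the names fileserver, data and CORP are assumed placeholders, and it uses cmdkey (Credential Manager, the mechanism Alan Wood refers to) so the password is prompted for rather than typed on the command line.

```powershell
# Added example, not from the original thread. Map a share over an
# established VPN when the workstation was logged on with cached credentials.
# Assumed names: change Server/Share/Domain to your own.
param(
    [string]$Server = 'fileserver',   # assumed file server host name
    [string]$Share  = 'data',         # assumed share name
    [string]$Domain = 'CORP',         # assumed NetBIOS domain name
    [string]$Drive  = 'E:'
)
$unc = "\\$Server\$Share"

function Get-Win32Message([int]$Code) {
    # Same translation Alan Wood quoted for 1311, done programmatically:
    # (New-Object ComponentModel.Win32Exception 1311).Message gives
    # "There are currently no logon servers available to service the logon request."
    (New-Object System.ComponentModel.Win32Exception $Code).Message
}

# 1. The server name must resolve via the DNS server handed out on the VPN
#    adapter (Arend's virtual NIC fix); without that you fall back to
#    broadcast NetBIOS or LMHOSTS, which do not cross the tunnel.
try {
    $null = Resolve-DnsName -Name $Server -ErrorAction Stop
} catch {
    Write-Warning "Cannot resolve '$Server': check the DNS server assigned to the VPN adapter"
    exit 1
}

# 2. Store an explicit DOMAIN\user credential for this server in Credential
#    Manager. A session logged on with cached credentials holds no domain
#    logon of its own, so the connection has to carry the domain user
#    explicitly. 'cmdkey /pass' with no value prompts for the password.
& cmdkey /add:$Server /user:"$Domain\$env:USERNAME" /pass
if ($LASTEXITCODE -ne 0) {
    Write-Warning "cmdkey failed (exit code $LASTEXITCODE)"
    exit 1
}

# 3. Connect the share; SMB now presents the stored domain credential.
$result = & net use $Drive $unc /persistent:no 2>&1 | Out-String
if ($LASTEXITCODE -eq 0) {
    Write-Host "Mapped $Drive to $unc"
} elseif ($result -match 'System error (\d+)') {
    $code = [int]$Matches[1]
    Write-Warning ("net use failed with error {0}: {1}" -f $code, (Get-Win32Message $code))
    switch ($code) {
        1311 { Write-Warning "No logon server reachable for the logon: the token has no domain logon, so use explicit domain credentials or 'Log on using dial-up connection'" }
        5    { Write-Warning "Access denied: the presented credential was not accepted by $Server" }
    }
    exit $code
} else {
    Write-Warning "net use failed: $result"
    exit 1
}
```

Run it from an elevated or normal PowerShell session after the VPN tunnel is up; the stored credential can be removed afterwards with `cmdkey /delete:<server>`. Storing the credential per server rather than passing it on the command line keeps the password out of process listings and shell history.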
 
