Wrong credentials used on local LAN/Domain when VPN in effect


Ken Elmy

When I VPN to another network from my Windows Vista Ultimate PC it appears I
lose security credentials on my local network. While VPN'ed out if I
attempt to access any shares on servers in my local network (same domain and
subnet as my PC) I get challenged for credentials that oddly default to
the credentials I use for my VPN connection. I correct the credentials with
those of my local domain and can get access to the local resource. As soon
as I drop the VPN connection my authentication with local resources returns
to normal (is automatic and seamless, no challenge).

More facts:
1. I DO NOT have the "default gateway" option enabled on the IP stack of the
VPN connection.
2. I am using only IPV4, IPV6 is disabled on the VPN connection.
3. NetBIOS over TCP is enabled on both my local and VPN connection.
4. I'm using the standard Microsoft PPTP VPN connection to a remote ISA
server.

Any ideas?

Thanks for the help in advance.
 

Aanand Ramachandran

Ken,
This is because of a design change in credential caching wherein it does
not fall back to local creds when VPN creds do not work. In order to access
the local resources specify the entire FQDN name of the local resource. This
should solve the problem.
Let me know if you need more help.

thanks
Aanand
 

Ken Elmy

Aanand,

That did the trick. My first reaction was "you gotta be kidding me!" but
then thinking through the problem it made sense to use the FQDN as the logic
point that directed the stack as to what credentials to use (and probably to
some degree what network to interface to send the request down) -- how else
would you automate it? The only problem I had remaining was for those
hosts that had public IP addresses I had to add their local address to the
HOSTS file. This appears to be due to the fact that the VPN connection's DNS
becomes the primary name server for the stack. It knows how to resolve the
host names to their public IP address so the local DNS server never gets a
crack at resolving them to their local addresses. This applies specifically
to Exchange servers (and no not all of us are big enough to have a front-end
exchange server in addition to a mailbox exchange server).

While I don't like typing FQDNs (my domain name is HUGE) I do like the fact
that the appropriate credentials are used on both the local domain and the
remote one over the VPN. Not having to provide credentials for each and
every server I touch is just fantastic!

Now all I have to do is sell everyone on using FQDN's instead of NetBIOS
names when mapping drives, setting up VSS, etc...

BTW, I don't know if this helps or not but I've also started using the
LoginName@FQDN format for my credentials (VPN and local) rather than
DOMAIN\LoginName. In for a penny...in for a pound...

Thanks for all of your help.
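
Added example, not part of the original thread: a small audit helper for the migration described above, which takes a list of UNC share paths, flags those that use a single-label (NetBIOS-style) host name, and suggests the FQDN form. The DNS suffix `corp.example.com`, the sample paths and all function names are assumptions made for illustration.

```python
import ipaddress

def split_unc(path):
    """Return (host, rest) for a UNC path like \\\\host\\share, else None."""
    if not path.startswith("\\\\"):
        return None
    host, _, rest = path[2:].partition("\\")
    if not host or not rest:
        return None  # missing host or missing share name
    return host, rest

def classify_host(host):
    """Return 'ip', 'fqdn' or 'short' (single-label, NetBIOS-style name)."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    return "fqdn" if "." in host.strip(".") else "short"

def qualify_unc(path, dns_suffix):
    """Rewrite a short-name UNC path to host.dns_suffix; leave others alone."""
    parts = split_unc(path)
    if parts is None:
        raise ValueError(f"not a UNC path: {path!r}")
    host, rest = parts
    if classify_host(host) != "short":
        return path
    return "\\\\" + host + "." + dns_suffix.strip(".") + "\\" + rest

def audit(paths, dns_suffix):
    """Return [(original, kind, suggestion)]; malformed paths get 'invalid'."""
    report = []
    for p in paths:
        parts = split_unc(p)
        if parts is None:
            report.append((p, "invalid", None))
        else:
            report.append((p, classify_host(parts[0]), qualify_unc(p, dns_suffix)))
    return report

# Constructed sample mappings; corp.example.com is a placeholder domain.
SAMPLE = [
    r"\\FILESRV01\projects",
    r"\\filesrv01.corp.example.com\projects",
    r"\\192.0.2.10\backup",
    r"\\FILESRV01",
]

if __name__ == "__main__":
    for original, kind, suggestion in audit(SAMPLE, "corp.example.com"):
        print(f"{kind:7} {original} -> {suggestion}")
```
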
 
