[isapros] Re: OT: Vista VPN Client Credentials

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 25 Jan 2007 11:13:07 -0800

Well now, isn't that interesting.  When limiting VPN clients to CIFS only
for share access, XP clients work just fine as they will use CIFS by default
for both domain members and non-domain members.  I did notice that the
non-domain member broadcasts NBT (if allowed) where the domain member does
not, but I think that's because I've set TCP broadcast to hybrid (or
whatever I did) in DHCP for the domain, but not for the stand-alone box.
Regardless, XP works fine with CIFS only.

However, it seems that Vista VPN clients won't use CIFS even if forced.  I
don't know that for sure, but that is definitely the behavior I have seen
now.  If I open up NetBIOS name server, datagram and session protocols, the
Vista client now authenticates as the VPN user silently.  Otherwise, it
either times out or sends local creds (yet to be verified) but prompts for
username and password.  Seems like a sneaky way to make a client send
interactive logon infoz if I can get them to connect to my VPN.  Easy enough
to do, tho... Hmmm.

t


On 1/25/07 10:28 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
all:

> Maybe they thought interactive credentials were less likely to be domain
> credentials, so it's more secure to blast them than your domain
> credentials.
> 
> Heck, makes about as much sense as the rationale they used to hork
> NAT-T.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
>  
> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>> (Hammer of God)
>> Sent: Thursday, January 25, 2007 11:51 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>> 
>> Yes, clearly more secure.  Connect up to a hotspot connection and have your
>> interactive credentials automatically and silently blasted downrange to any
>> service that asks for it :-/
>> 
>> t
>> 
>> 
>> On 1/25/07 9:55 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> spoketh to
>> all:
>> 
>>> OK, just testing you :)
>>> 
>>> Since Vista is more secure, this must be a security issue ;))
>>> 
>>> Security is inversely proportional to functionality.
>>> 
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- Microsoft Firewalls (ISA)
>>> 
>>>  
>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>> (Hammer of God)
>>>> Sent: Thursday, January 25, 2007 11:41 AM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>>>> 
>>>> No less than 1 million times ;)
>>>> 
>>>> For years and years I've been logging in from non-domain XP boxes as unique
>>>> local users and VPN'ing in to remote networks with completely different
>>>> usernames/passwords and directly accessing network resources silently as the
>>>> VPN user, not the local interactive user.
>>>> 
>>>> I know I could join the domain and/or pair up usernames and passwords, but I
>>>> never do that.  I wouldn't have usernames and passwords on a laptop that
>>>> matched usernames and passwords on my domain- that's just silly ;)
>>>> 
>>>> t
>>>> 
>>>> 
>>>> On 1/25/07 9:42 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>>>> spoketh to
>>>> all:
>>>> 
>>>>> Tim,
>>>>> 
>>>>> Are you sure it actually ever worked the way you thought it did? That is
>>>>> to say, did it actually work where you log in interactively with one set
>>>>> of local non-domain credentials, and then create a remote access VPN
>>>>> client connection using a second set of credentials and then have the
>>>>> dial-in credentials sent to the remote file servers?
>>>>> 
>>>>> I think in order for that scenario to possibly work, you have to dial-in
>>>>> via dial-up networking during interactive logon. Try that with the Vista
>>>>> client.
>>>>> 
>>>>> Worst comes to worst, you can mirror your credentials on the non-domain
>>>>> client with the domain account.
>>>>> 
>>>>> Tom
>>>>> 
>>>>> Thomas W Shinder, M.D.
>>>>> Site: www.isaserver.org
>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>> Book: http://tinyurl.com/3xqb7
>>>>> MVP -- Microsoft Firewalls (ISA)
>>>>> 
>>>>>  
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>>> (Hammer of God)
>>>>>> Sent: Thursday, January 25, 2007 11:26 AM
>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>>>>>> 
>>>>>> Hi Ara- thanks for checking.  Yes, if the system is a domain member, it
>>>>>> works as you describe.  The point is that remote systems should not need
>>>>>> to be domain members in order to VPN into a network and have the VPN
>>>>>> credentials used for access to that network's resources.
>>>>>> 
>>>>>> A laptop user should not have to move around using cached domain
>>>>>> credentials to log on to their system as a domain member... More
>>>>>> importantly, the local users' interactive credentials should not
>>>>>> automatically be sent to a remote host on a dial-up/VPN connection.  That
>>>>>> is a security issue in itself...
>>>>>> 
>>>>>> t
>>>>>> 
>>>>>> 
>>>>>> On 1/25/07 8:59 AM, "Ara Avvali" <Ara.Avvali@xxxxxxxxxxxxx>
>>>>>> spoketh to all:
>>>>>> 
>>>>>>> I did a test myself last night from Vista. It dials in with no problem,
>>>>>>> Outlook opens fine, and I can go to \\servername\sharename with no
>>>>>>> problem. One thought: I have the firewall client for Vista installed and
>>>>>>> the laptop is a domain member which goes back and forth between work and
>>>>>>> home.
>>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>>>>>> On Behalf Of Thor (Hammer of God)
>>>>>>> Sent: Thursday, January 25, 2007 7:08 AM
>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>>>>>>> 
>>>>>>> Anyone?  Bueller?  Anyone?
>>>>>>> 
>>>>>>> Is there anyone out there who is VPN'ing into a network on a non-domain
>>>>>>> machine with Vista?  Is it time to post to the Focus-MS list???
>>>>>>> 
>>>>>>> t
>>>>>>> 
>>>>>>> 
>>>>>>> On 1/24/07 12:36 PM, "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
>>>>>>> spoketh to all:
>>>>>>> 
>>>>>>>> Greetings... I'm hoping this is something stupid that I'm just not
>>>>>>>> seeing, but I'm having an issue automatically authenticating to a
>>>>>>>> remote network under my VPN credential in Vista (x64).
>>>>>>>> 
>>>>>>>> With XP, on a non-domain, standalone workgroup box, I can create a
>>>>>>>> standard VPN client and log on to the remote network using my user
>>>>>>>> account on the remote network domain.  Though I'm logged on
>>>>>>>> interactively as a local user on that XP box, when I go to
>>>>>>>> \\host.domain.com, my VPN credentials are automatically used to access
>>>>>>>> shared resources on the remote network.  Same thing with connecting to
>>>>>>>> a remote SQL box (requiring integrated auth).  No problems at all with
>>>>>>>> XP, been doing it for years.
>>>>>>>> 
>>>>>>>> However, with Vista, the credentials I use to log onto the remote
>>>>>>>> network are NOT being used when I access resources on the remote
>>>>>>>> network.  Browsing to the share point results in a logon box being
>>>>>>>> displayed.  If I attempt to connect to a SQL box, it says "not a
>>>>>>>> trusted connection" (as it would if my local user is being used.)  WTF?
>>>>>>>> I've looked through and set everything that I can, including setting
>>>>>>>> the location as "Work" and "Home."  I do NOT want to have to join the
>>>>>>>> box to the remote domain.
>>>>>>>> 
>>>>>>>> Anyone know what I'm doing wrong??  Thanks.
>>>>>>>> t
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> 
>> 
>> 
>> 
>> 
>> 
> 
> 
> 
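The "sends local creds (yet to be verified)" question in the thread is checkable on the wire without guessing: the NTLMSSP AUTHENTICATE message a Windows client sends during SMB session setup (TCP 445, or 139 when the NetBIOS session service is open) carries the domain, user and workstation names unencrypted, and a local SAM account shows up with the machine's own name in the domain field. The script below is an added example written for this page, not code from the thread, from ISA Server or from Microsoft. It builds a constructed AUTHENTICATE message (no real capture was used) and parses it the way you would parse the NTLMSSP blob that Wireshark's ntlmssp dissector shows you; the field layout follows the published NTLM message format, while the function names, the domain CORP, the user names and the workstation LAPTOP01 are assumptions made for the example.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_AUTHENTICATE = 3           # MessageType of the Type 3 / AUTHENTICATE message
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
HEADER_LEN = 64                    # signature(8) + type(4) + six 8-byte field descriptors + flags(4)

# Order of the (Len, MaxLen, BufferOffset) descriptors that follow the 12-byte header.
FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")


def build_authenticate(domain, user, workstation, nt_response=b"\x00" * 24,
                       flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Build a minimal AUTHENTICATE message. Constructed test data, not a real capture;
    the NT response is a dummy blob because only the identity fields matter here."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    blobs = (b"", nt_response, domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b"")
    descriptors = b""
    payload = b""
    for blob in blobs:
        # BufferOffset is measured from the start of the whole message.
        descriptors += struct.pack("<HHI", len(blob), len(blob), HEADER_LEN + len(payload))
        payload += blob
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_AUTHENTICATE)
            + descriptors + struct.pack("<I", flags) + payload)


def parse_authenticate(msg):
    """Extract the identity fields from a raw NTLMSSP AUTHENTICATE blob (for example the
    one Wireshark's ntlmssp dissector shows inside the SMB Session Setup request).
    Buffers are located by offset, so the optional Version and MIC fields do not matter."""
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != NTLMSSP_AUTHENTICATE:
        raise ValueError("expected AUTHENTICATE (type 3), got type %d" % msg_type)
    raw = {}
    for i, name in enumerate(FIELDS):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if offset + length > len(msg):
            raise ValueError("%s buffer runs past the end of the message" % name)
        raw[name] = msg[offset:offset + length]
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Strings are UTF-16LE when NTLMSSP_NEGOTIATE_UNICODE was negotiated, otherwise the
    # OEM code page (assumed to be latin-1 here; enough for the ASCII names in question).
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {
        "domain": raw["domain"].decode(enc),
        "user": raw["user"].decode(enc),
        "workstation": raw["workstation"].decode(enc),
        "nt_response_len": len(raw["nt_response"]),   # 24 = NTLMv1, larger = NTLMv2
        "flags": flags,
    }


def classify_credentials(auth, vpn_domain):
    """'local'      - a local SAM account went out: for those, Windows puts the
                      workstation's own name in the domain field;
       'vpn_domain' - the account lives in the domain that was VPN'd into;
       'other'      - some third domain (cached credentials from elsewhere, etc.)."""
    domain = auth["domain"].upper()
    if domain == auth["workstation"].upper():
        return "local"
    if domain == vpn_domain.upper():
        return "vpn_domain"
    return "other"


if __name__ == "__main__":
    # Two constructed session setups from the same laptop: one where the VPN user's
    # domain account went out, one where the interactive local account did.
    for blob in (build_authenticate("CORP", "thor", "LAPTOP01"),
                 build_authenticate("LAPTOP01", "tim", "LAPTOP01")):
        auth = parse_authenticate(blob)
        print("%s\\%s from %s -> %s" % (auth["domain"], auth["user"],
                                         auth["workstation"],
                                         classify_credentials(auth, "CORP")))
```

To apply it to the scenario in the thread, capture the VPN client's SMB session setup, copy the NTLMSSP bytes out of the Session Setup request, and feed them to parse_authenticate: a domain field equal to the workstation name means the interactive local account went downrange, not the VPN user, and the same check run against a session setup on an untrusted hotspot tells you exactly which account was offered to whoever answered on 445 or 139. The offset bounds check matters because a truncated or hostile blob would otherwise let the slices silently return empty names and misclassify the authentication.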


