What happens if you set the primary DNS suffix for the non-domain VPN client to the internal domain name? Maybe the lack of a correct DNS suffix is causing the NetBIOS broadcasts?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Thursday, January 25, 2007 1:13 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>
> Well now, isn't that interesting. When limiting VPN clients to CIFS only
> for share access, XP clients work just fine as they will use CIFS by default
> for both domain members and non-domain members. I did notice that the
> non-domain member broadcasts NBT (if allowed) where the domain member does
> not, but I think that's because I've set TCP broadcast to hybrid (or
> whatever I did) in DHCP for the domain, but not for the stand-alone box.
> Regardless, XP works fine with CIFS only.
>
> However, it seems that Vista VPN clients won't use CIFS even if forced. I
> don't know that for sure, but that is definitely the behavior I have seen
> now. If I open up NetBios name server, datagram and session protocols, the
> Vista client now authenticates as the VPN user silently. Otherwise, it
> either times out or sends local creds (yet to be verified) but prompts for
> username and password. Seems like a sneaky way to make a client send
> interactive logon infoz if I can get them to connect to my VPN. Easy enough
> to do, tho... Hmmm.
>
> t
>
> On 1/25/07 10:28 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
> all:
>
> > Maybe they thought interactive credentials were less likely to be domain
> > credentials, so it's more secure to blast them than your domain
> > credentials.
> >
> > Heck, makes about as much sense as the rationale they used to hork
> > NAT-T.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> >> Sent: Thursday, January 25, 2007 11:51 AM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: OT: Vista VPN Client Credentials
> >>
> >> Yes, clearly more secure. Connect up to a hotspot connection and have your
> >> interactive credentials automatically and silently basted downrange to any
> >> service that asks for it :-/
> >>
> >> t
> >>
> >> On 1/25/07 9:55 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
> >> all:
> >>
> >>> OK, just testing you :)
> >>>
> >>> Since Vista is more secure, this must be a security issue ;))
> >>>
> >>> Security is inversely proportional to functionality.
> >>>
> >>> Thomas W Shinder, M.D.
> >>> Site: www.isaserver.org
> >>> Blog: http://blogs.isaserver.org/shinder/
> >>> Book: http://tinyurl.com/3xqb7
> >>> MVP -- Microsoft Firewalls (ISA)
> >>>
> >>>> -----Original Message-----
> >>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> >>>> Sent: Thursday, January 25, 2007 11:41 AM
> >>>> To: isapros@xxxxxxxxxxxxx
> >>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
> >>>>
> >>>> No less than 1 million times ;)
> >>>>
> >>>> For years and years I've been logging in from non-domain XP boxes as unique
> >>>> local users and VPN'ing in to remote networks with completely different
> >>>> usernames/passwords and directly accessing network resources silently as the
> >>>> VPN user, not the local interactive user.
> >>>>
> >>>> I know I could join the domain and/or pair up usernames and passwords, but I
> >>>> never do that. I wouldn't have usernames and passwords on a laptop that
> >>>> matched usernames and passwords on my domain- that's just silly ;)
> >>>>
> >>>> t
> >>>>
> >>>> On 1/25/07 9:42 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
> >>>> all:
> >>>>
> >>>>> Tim,
> >>>>>
> >>>>> Are you sure it actually ever worked the way you thought it did? That is
> >>>>> to say, did it actually work where you log in interactively with
> >>>>> one set of local non-domain credentials, and then create a remote access
> >>>>> VPN client connection using a second set of credentials and then have
> >>>>> the dial-in credentials sent to the remote file servers?
> >>>>>
> >>>>> I think in order for that scenario to possibly work, you have to dial-in
> >>>>> via dial-up networking during interactive logon. Try that with the Vista
> >>>>> client.
> >>>>>
> >>>>> Worst comes to worst, you can mirror your credentials on the non-domain
> >>>>> client with the domain account.
> >>>>>
> >>>>> Tom
> >>>>>
> >>>>> Thomas W Shinder, M.D.
> >>>>> Site: www.isaserver.org
> >>>>> Blog: http://blogs.isaserver.org/shinder/
> >>>>> Book: http://tinyurl.com/3xqb7
> >>>>> MVP -- Microsoft Firewalls (ISA)
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> >>>>>> Sent: Thursday, January 25, 2007 11:26 AM
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
> >>>>>>
> >>>>>> Hi Ara- thanks for checking. Yes, if the system is a domain member, it
> >>>>>> works as you describe.
> >>>>>> The point is that remote systems should not need to
> >>>>>> be domain members in order to VPN into a network and have the VPN
> >>>>>> credentials used for access to that network's resources.
> >>>>>>
> >>>>>> A laptop user should not have to move around using cached domain credentials
> >>>>>> to log on to their system as a domain member... More importantly, the local
> >>>>>> users' interactive credentials should not automatically be sent to a remote
> >>>>>> host on a dial-up/VPN connection. That is a security issue in itself...
> >>>>>>
> >>>>>> t
> >>>>>>
> >>>>>> On 1/25/07 8:59 AM, "Ara Avvali" <Ara.Avvali@xxxxxxxxxxxxx> spoketh to all:
> >>>>>>
> >>>>>>> I did a test myself last night from Vista. It dials in with no problem,
> >>>>>>> Outlook opens fine, and I can go to \\servername\sharename and no
> >>>>>>> problem. One thought, I have the firewall client for Vista installed and
> >>>>>>> laptop is a domain member which is going back and forward work/home
> >>>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >>>>>>> On Behalf Of Thor (Hammer of God)
> >>>>>>> Sent: Thursday, January 25, 2007 7:08 AM
> >>>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
> >>>>>>>
> >>>>>>> Anyone? Bueller? Anyone?
> >>>>>>>
> >>>>>>> Is there anyone out there who is VPN'ing into a network on a non-domain
> >>>>>>> machine with Vista? Is it time to post to the Focus-MS list???
> >>>>>>>
> >>>>>>> t
> >>>>>>>
> >>>>>>> On 1/24/07 12:36 PM, "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> >>>>>>> spoketh to all:
> >>>>>>>
> >>>>>>>> Greetings...
> >>>>>>>> I'm hoping this is something stupid that I'm just not seeing, but
> >>>>>>>> I'm having an issue automatically authenticating to a remote network under
> >>>>>>>> my VPN credential in Vista (x64).
> >>>>>>>>
> >>>>>>>> With XP, on a non-domain, standalone workgroup box, I can create a standard
> >>>>>>>> VPN client and log on to the remote network using my user account on remote
> >>>>>>>> network domain. Though I'm logged on interactively as a local user on that
> >>>>>>>> XP box, when I go to \\host.domain.com, my VPN credentials are automatically
> >>>>>>>> used to access shared resources on the remote network. Same thing with
> >>>>>>>> connecting to a remote SQL box (requiring integrated auth). No problems at
> >>>>>>>> all with XP, been doing it for years.
> >>>>>>>>
> >>>>>>>> However, with Vista, the credentials I use to log onto the remote network
> >>>>>>>> are NOT being used when I access resources on the remote network. Browsing
> >>>>>>>> to the share point results in a logon box being displayed. If I attempt to
> >>>>>>>> connect to a SQL box, it says "not a trusted connection" (as it would if my
> >>>>>>>> local user is being used.) WTF? I've looked through and set everything
> >>>>>>>> that I can, including setting the location as "Work" and "Home." I do NOT
> >>>>>>>> want to have to join the box to the remote domain.
> >>>>>>>>
> >>>>>>>> Anyone know what I'm doing wrong?? Thanks.
> >>>>>>>> t