[isapros] Re: OT: Vista VPN Client Credentials

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 25 Jan 2007 13:25:55 -0600

What happens if you set the primary DNS suffix for the non-domain VPN
client to the internal domain name? Maybe the lack of a correct DNS
suffix is causing the NetBIOS broadcasts?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Thursday, January 25, 2007 1:13 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: OT: Vista VPN Client Credentials
> 
> Well now, isn't that interesting.  When limiting VPN clients to CIFS only
> for share access, XP clients work just fine as they will use CIFS by
> default for both domain members and non-domain members.  I did notice
> that the non-domain member broadcasts NBT (if allowed) where the domain
> member does not, but I think that's because I've set TCP broadcast to
> hybrid (or whatever I did) in DHCP for the domain, but not for the
> stand-alone box.  Regardless, XP works fine with CIFS only.
> 
> However, it seems that Vista VPN clients won't use CIFS even if forced.  I
> don't know that for sure, but that is definitely the behavior I have seen
> now.  If I open up NetBios name server, datagram and session protocols,
> the Vista client now authenticates as the VPN user silently.  Otherwise,
> it either times out or sends local creds (yet to be verified) but prompts
> for username and password.  Seems like a sneaky way to make a client send
> interactive logon infoz if I can get them to connect to my VPN.  Easy
> enough to do, tho... Hmmm.
> 
> t
> 
> 
> On 1/25/07 10:28 AM, "Thomas W Shinder" 
> <tshinder@xxxxxxxxxxx> spoketh to
> all:
> 
> > Maybe they thought interactive credentials were less likely to be
> > domain credentials, so it's more secure to blast them than your domain
> > credentials.
> > 
> > Heck, makes about as much sense as the rationale they used to hork
> > NAT-T.
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> > 
> >  
> > 
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> >> (Hammer of God)
> >> Sent: Thursday, January 25, 2007 11:51 AM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: OT: Vista VPN Client Credentials
> >> 
> >> Yes, clearly more secure.  Connect up to a hotspot connection and have
> >> your interactive credentials automatically and silently blasted
> >> downrange to any service that asks for it :-/
> >> 
> >> t
> >> 
> >> 
> >> On 1/25/07 9:55 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> spoketh to
> >> all:
> >> 
> >>> OK, just testing you :)
> >>> 
> >>> Since Vista is more secure, this must be a security issue ;))
> >>> 
> >>> Security is inversely proportional to functionality.
> >>> 
> >>> Thomas W Shinder, M.D.
> >>> Site: www.isaserver.org
> >>> Blog: http://blogs.isaserver.org/shinder/
> >>> Book: http://tinyurl.com/3xqb7
> >>> MVP -- Microsoft Firewalls (ISA)
> >>> 
> >>>  
> >>> 
> >>>> -----Original Message-----
> >>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> >>>> (Hammer of God)
> >>>> Sent: Thursday, January 25, 2007 11:41 AM
> >>>> To: isapros@xxxxxxxxxxxxx
> >>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
> >>>> 
> >>>> No less than 1 million times ;)
> >>>> 
> >>>> For years and years I've been logging in from non-domain XP boxes as
> >>>> unique local users and VPN'ing in to remote networks with completely
> >>>> different usernames/passwords and directly accessing network resources
> >>>> silently as the VPN user, not the local interactive user.
> >>>> 
> >>>> I know I could join the domain and/or pair up usernames and
> >>>> passwords, but I never do that.  I wouldn't have usernames and
> >>>> passwords on a laptop that matched usernames and passwords on my
> >>>> domain- that's just silly ;)
> >>>> 
> >>>> t
> >>>> 
> >>>> 
> >>>> On 1/25/07 9:42 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >>>> spoketh to
> >>>> all:
> >>>> 
> >>>>> Tim,
> >>>>> 
> >>>>> Are you sure it actually ever worked the way you thought it did? That
> >>>>> is to say, did it actually work where you log in interactively with
> >>>>> one set of local non-domain credentials, and then create a remote
> >>>>> access VPN client connection using a second set of credentials and
> >>>>> then have the dial-in credentials sent to the remote file servers?
> >>>>> 
> >>>>> I think in order for that scenario to possibly work, you have to
> >>>>> dial-in via dial-up networking during interactive logon. Try that
> >>>>> with the Vista client.
> >>>>> 
> >>>>> Worst comes to worst, you can mirror your credentials on the
> >>>>> non-domain client with the domain account.
> >>>>> 
> >>>>> Tom
> >>>>> 
> >>>>> Thomas W Shinder, M.D.
> >>>>> Site: www.isaserver.org
> >>>>> Blog: http://blogs.isaserver.org/shinder/
> >>>>> Book: http://tinyurl.com/3xqb7
> >>>>> MVP -- Microsoft Firewalls (ISA)
> >>>>> 
> >>>>>  
> >>>>> 
> >>>>>> -----Original Message-----
> >>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> >>>>>> (Hammer of God)
> >>>>>> Sent: Thursday, January 25, 2007 11:26 AM
> >>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
> >>>>>> 
> >>>>>> Hi Ara- thanks for checking.  Yes, if the system is a domain
> >>>>>> member, it works as you describe.  The point is that remote systems
> >>>>>> should not need to be domain members in order to VPN into a network
> >>>>>> and have the VPN credentials used for access to that network's
> >>>>>> resources.
> >>>>>> 
> >>>>>> A laptop user should not have to move around using cached domain
> >>>>>> credentials to log on to their system as a domain member... More
> >>>>>> importantly, the local users' interactive credentials should not
> >>>>>> automatically be sent to a remote host on a dial-up/VPN connection.
> >>>>>> That is a security issue in itself...
> >>>>>> 
> >>>>>> t
> >>>>>> 
> >>>>>> 
> >>>>>> On 1/25/07 8:59 AM, "Ara Avvali" <Ara.Avvali@xxxxxxxxxxxxx>
> >>>>>> spoketh to all:
> >>>>>> 
> >>>>>>> I did a test myself last night from Vista. It dials in with
> >>>>>>> no problem, outlook opens fine, and I can go to
> >>>>>>> \\servername\sharename and no problem. One thought, I have the
> >>>>>>> firewall client for vista installed and laptop is a domain member
> >>>>>>> which is going back and forward work/home
> >>>>>>> 
> >>>>>>> -----Original Message-----
> >>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >>>>>>> On Behalf Of Thor (Hammer of God)
> >>>>>>> Sent: Thursday, January 25, 2007 7:08 AM
> >>>>>>> To: isapros@xxxxxxxxxxxxx
> >>>>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
> >>>>>>> 
> >>>>>>> Anyone?  Bueller?  Anyone?
> >>>>>>> 
> >>>>>>> Is there anyone out there who is VPN'ing into a network on
> >>>>>>> a non-domain machine with Vista?  Is it time to post to the
> >>>>>>> Focus-MS list???
> >>>>>>> 
> >>>>>>> t
> >>>>>>> 
> >>>>>>> 
> >>>>>>> On 1/24/07 12:36 PM, "Thor (Hammer of God)"
> >>>>>>> <thor@xxxxxxxxxxxxxxx> spoketh to all:
> >>>>>>> 
> >>>>>>>> Greetings... I'm hoping this is something stupid that I'm just not
> >>>>>>>> seeing, but I'm having an issue automatically authenticating to a
> >>>>>>>> remote network under my VPN credential in Vista (x64).
> >>>>>>>> 
> >>>>>>>> With XP, on a non-domain, standalone workgroup box, I can create a
> >>>>>>>> standard VPN client and log on to the remote network using my user
> >>>>>>>> account on remote network domain.  Though I'm logged on interactively
> >>>>>>>> as a local user on that XP box, when I go to \\host.domain.com, my
> >>>>>>>> VPN credentials are automatically used to access shared resources on
> >>>>>>>> the remote network.  Same thing with connecting to a remote SQL box
> >>>>>>>> (requiring integrated auth).  No problems at all with XP, been doing
> >>>>>>>> it for years.
> >>>>>>>> 
> >>>>>>>> However, with Vista, the credentials I use to log onto the remote
> >>>>>>>> network are NOT being used when I access resources on the remote
> >>>>>>>> network.  Browsing to the share point results in a logon box being
> >>>>>>>> displayed.  If I attempt to connect to a SQL box, it says "not a
> >>>>>>>> trusted connection" (as it would if my local user is being used.)
> >>>>>>>> WTF?  I've looked through and set everything that I can, including
> >>>>>>>> setting the location as "Work" and "Home."  I do NOT want to have to
> >>>>>>>> join the box to the remote domain.
> >>>>>>>> 
> >>>>>>>> Anyone know what I'm doing wrong??  Thanks.
> >>>>>>>> t
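A defender-side check suggested by the CIFS-only versus NetBIOS observations in this thread, added here as an example that is not the thread's or ISA Server's own code: it classifies constructed firewall log lines by SMB transport (TCP 445 versus 137/138/139) and lists VPN clients that only ever tried NBT, which is the population that will prompt or time out once share access is limited to CIFS. The log format, addresses and function names are assumptions.

```python
# Added example, not from the thread or from ISA Server: classify each VPN
# client's share traffic as direct-host CIFS (TCP 445) or NetBIOS over
# TCP/IP (137/138/139) from constructed firewall log lines, to spot clients
# that fall back to NBT when only CIFS is allowed (the Vista case above).
from collections import defaultdict
CIFS_PORTS = {445}
NBT_PORTS = {137, 138, 139}

# Constructed sample (not ISA's format): time src dst proto dst_port action
SAMPLE_LOG = """\
12:01:05 10.0.5.10 192.168.1.20 TCP 445 ALLOW
12:01:06 10.0.5.10 192.168.1.20 TCP 445 ALLOW
12:02:11 10.0.5.11 192.168.1.20 UDP 137 DENY
12:02:12 10.0.5.11 192.168.1.20 TCP 139 DENY
12:03:00 10.0.5.12 192.168.1.20 UDP 138 ALLOW
12:03:01 10.0.5.12 192.168.1.20 TCP 139 ALLOW
"""

def parse_line(line):
    """Split one constructed log line into its fields."""
    _time, src, dst, proto, port, action = line.split()
    return {"src": src, "dst": dst, "proto": proto,
            "port": int(port), "action": action}

def classify(port):
    """Map a destination port to the SMB transport it belongs to."""
    if port in CIFS_PORTS:
        return "cifs"
    if port in NBT_PORTS:
        return "nbt"
    return None  # not SMB-related; ignored

def summarize(log_text):
    """Per source IP: allowed CIFS sessions and NBT attempts (any action)."""
    summary = defaultdict(lambda: {"cifs_allowed": 0, "nbt_attempts": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        kind = classify(rec["port"])
        if kind == "cifs" and rec["action"] == "ALLOW":
            summary[rec["src"]]["cifs_allowed"] += 1
        elif kind == "nbt":
            summary[rec["src"]]["nbt_attempts"] += 1
    return dict(summary)

def nbt_fallback_clients(summary):
    """Clients that tried NBT without ever completing direct-host CIFS."""
    return sorted(src for src, c in summary.items()
                  if c["nbt_attempts"] > 0 and c["cifs_allowed"] == 0)
```

Run against real firewall logs, the flagged clients are the ones to check for a missing DNS suffix or a NetBIOS-only name resolution path before opening 137/138/139 to everyone.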
