[isapros] Re: OT: Vista VPN Client Credentials

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 25 Jan 2007 11:47:18 -0800

No change.  Already did that.

t


On 1/25/07 11:25 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> What happens if you set the primary DNS suffix for the non-domain VPN
> client to the internal domain name? Maybe the lack of a correct DNS
> suffix is causing the NetBIOS broadcasts?
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
>  
> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>> (Hammer of God)
>> Sent: Thursday, January 25, 2007 1:13 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>> 
>> Well now, isn't that interesting.  When limiting VPN clients to CIFS only
>> for share access, XP clients work just fine as they will use CIFS by default
>> for both domain members and non-domain members.  I did notice that the
>> non-domain member broadcasts NBT (if allowed) where the domain member does
>> not, but I think that's because I've set TCP broadcast to hybrid (or
>> whatever I did) in DHCP for the domain, but not for the stand-alone box.
>> Regardless, XP works fine with CIFS only.
>> 
>> However, it seems that Vista VPN clients won't use CIFS even if forced.  I
>> don't know that for sure, but that is definitely the behavior I have seen
>> now.  If I open up NetBios name server, datagram and session protocols, the
>> Vista client now authenticates as the VPN user silently.  Otherwise, it
>> either times out or sends local creds (yet to be verified) but prompts for
>> username and password.  Seems like a sneaky way to make a client send
>> interactive logon infoz if I can get them to connect to my VPN.  Easy enough
>> to do, tho... Hmmm.
>> 
>> t
>> 
>> 
>> On 1/25/07 10:28 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>> 
>>> Maybe they thought interactive credentials were less likely to be domain
>>> credentials, so it's more secure to blast them than your domain
>>> credentials.
>>> 
>>> Heck, makes about as much sense as the rationale they used to hork
>>> NAT-T.
>>> 
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- Microsoft Firewalls (ISA)
>>> 
>>>  
>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>> (Hammer of God)
>>>> Sent: Thursday, January 25, 2007 11:51 AM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>>>> 
>>>> Yes, clearly more secure.  Connect up to a hotspot connection and have your
>>>> interactive credentials automatically and silently blasted downrange to any
>>>> service that asks for it :-/
>>>> 
>>>> t
>>>> 
>>>> 
>>>> On 1/25/07 9:55 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>> 
>>>>> OK, just testing you :)
>>>>> 
>>>>> Since Vista is more secure, this must be a security issue ;))
>>>>> 
>>>>> Security is inversely proportional to functionality.
>>>>> 
>>>>> Thomas W Shinder, M.D.
>>>>> Site: www.isaserver.org
>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>> Book: http://tinyurl.com/3xqb7
>>>>> MVP -- Microsoft Firewalls (ISA)
>>>>> 
>>>>>  
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>>> (Hammer of God)
>>>>>> Sent: Thursday, January 25, 2007 11:41 AM
>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>>>>>> 
>>>>>> No less than 1 million times ;)
>>>>>> 
>>>>>> For years and years I've been logging in from non-domain XP boxes as unique
>>>>>> local users and VPN'ing in to remote networks with completely different
>>>>>> usernames/passwords and directly accessing network resources silently as the
>>>>>> VPN user, not the local interactive user.
>>>>>> 
>>>>>> I know I could join the domain and/or pair up usernames and passwords, but I
>>>>>> never do that.  I wouldn't have usernames and passwords on a laptop that
>>>>>> matched usernames and passwords on my domain- that's just silly ;)
>>>>>> 
>>>>>> t
>>>>>> 
>>>>>> 
>>>>>> On 1/25/07 9:42 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>> 
>>>>>>> Tim,
>>>>>>> 
>>>>>>> Are you sure it actually ever worked the way you thought it did? That is
>>>>>>> to say, did it actually work where you log in interactively with one set
>>>>>>> of local non-domain credentials, and then create a remote access VPN
>>>>>>> client connection using a second set of credentials and then have the
>>>>>>> dial-in credentials sent to the remote file servers?
>>>>>>> 
>>>>>>> I think in order for that scenario to possibly work, you have to dial-in
>>>>>>> via dial-up networking during interactive logon. Try that with the Vista
>>>>>>> client.
>>>>>>> 
>>>>>>> Worst comes to worst, you can mirror your credentials on the non-domain
>>>>>>> client with the domain account.
>>>>>>> 
>>>>>>> Tom
>>>>>>> 
>>>>>>> Thomas W Shinder, M.D.
>>>>>>> Site: www.isaserver.org
>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>> MVP -- Microsoft Firewalls (ISA)
>>>>>>> 
>>>>>>>  
>>>>>>> 
>>>>>>>> -----Original Message-----
>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>>>>>>>> (Hammer of God)
>>>>>>>> Sent: Thursday, January 25, 2007 11:26 AM
>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>>>>>>>> 
>>>>>>>> Hi Ara- thanks for checking.  Yes, if the system is a domain member, it
>>>>>>>> works as you describe.  The point is that remote systems should not need to
>>>>>>>> be domain members in order to VPN into a network and have the VPN
>>>>>>>> credentials used for access to that network's resources.
>>>>>>>> 
>>>>>>>> A laptop user should not have to move around using cached domain credentials
>>>>>>>> to log on to their system as a domain member... More importantly, the local
>>>>>>>> users' interactive credentials should not automatically be sent to a remote
>>>>>>>> host on a dial-up/VPN connection.  That is a security issue in itself...
>>>>>>>> 
>>>>>>>> t
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 1/25/07 8:59 AM, "Ara Avvali" <Ara.Avvali@xxxxxxxxxxxxx> spoketh to all:
>>>>>>>> 
>>>>>>>>> I did a test myself last night from Vista. It dials in with no problem,
>>>>>>>>> Outlook opens fine, and I can go to \\servername\sharename with no
>>>>>>>>> problem. One thought: I have the firewall client for Vista installed, and
>>>>>>>>> the laptop is a domain member which goes back and forth between work and home.
>>>>>>>>> 
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>>>>>>>> On Behalf Of Thor (Hammer of God)
>>>>>>>>> Sent: Thursday, January 25, 2007 7:08 AM
>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>>>>>>>>> 
>>>>>>>>> Anyone?  Bueller?  Anyone?
>>>>>>>>> 
>>>>>>>>> Is there anyone out there who is VPN'ing into a network on a non-domain
>>>>>>>>> machine with Vista?  Is it time to post to the Focus-MS list???
>>>>>>>>> 
>>>>>>>>> t
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On 1/24/07 12:36 PM, "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx> spoketh to all:
>>>>>>>>> 
>>>>>>>>>> Greetings... I'm hoping this is something stupid that I'm just not
>>>>>>>>>> seeing, but I'm having an issue automatically authenticating to a remote
>>>>>>>>>> network under my VPN credential in Vista (x64).
>>>>>>>>>> 
>>>>>>>>>> With XP, on a non-domain, standalone workgroup box, I can create a
>>>>>>>>>> standard VPN client and log on to the remote network using my user
>>>>>>>>>> account on the remote network domain.  Though I'm logged on interactively
>>>>>>>>>> as a local user on that XP box, when I go to \\host.domain.com, my VPN
>>>>>>>>>> credentials are automatically used to access shared resources on the
>>>>>>>>>> remote network.  Same thing with connecting to a remote SQL box
>>>>>>>>>> (requiring integrated auth).  No problems at all with XP, been doing it
>>>>>>>>>> for years.
>>>>>>>>>> 
>>>>>>>>>> However, with Vista, the credentials I use to log onto the remote network
>>>>>>>>>> are NOT being used when I access resources on the remote network.
>>>>>>>>>> Browsing to the share point results in a logon box being displayed.  If I
>>>>>>>>>> attempt to connect to a SQL box, it says "not a trusted connection" (as
>>>>>>>>>> it would if my local user is being used.)  WTF?  I've looked through and
>>>>>>>>>> set everything that I can, including setting the location as "Work" and
>>>>>>>>>> "Home."  I do NOT want to have to join the box to the remote domain.
>>>>>>>>>> 
>>>>>>>>>> Anyone know what I'm doing wrong??  Thanks.
>>>>>>>>>> t
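The thread argues about four things on the Vista client that nobody in it actually dumps: which SMB transport the ISA rule leaves open toward the file server (TCP 445 alone, the "CIFS only" case, versus TCP 139 and the NetBIOS name/datagram services as well), whether NetBIOS over TCP/IP is enabled on the adapter and which node type DHCP handed out (Thor's "hybrid"), the machine's primary DNS suffix (Tom's suggestion), and whether the share opens without a prompt. The following script is an added diagnostic written for this page, not code from any of the posters; run it on the VPN client while the tunnel is up. `host.domain.com` and `share` are placeholder assumptions, and the TCP probe cannot test the UDP 137/138 name and datagram services, so those have to be checked on the ISA rule itself.

```powershell
# Added diagnostic, not from the original thread. Run on the VPN client with the tunnel up.
# $RemoteHost and $Share are assumed placeholder values.
param(
    [string]$RemoteHost = 'host.domain.com',   # assumption: file server on the remote network
    [string]$Share      = 'share'              # assumption: a share on that server
)

# TCP reachability probe with a timeout (UDP 137/138 cannot be probed this way).
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Which SMB transport does the firewall let through?
#    445 = direct-hosted SMB ("CIFS only" in the ISA rule), 139 = NetBIOS session service.
foreach ($p in 445, 139) {
    $ok = Test-TcpPort -ComputerName $RemoteHost -Port $p
    "{0}:{1} reachable = {2}" -f $RemoteHost, $p, $ok
}

# 2. NetBIOS-over-TCP/IP setting and connection-specific DNS suffix per adapter
#    (the VPN adapter shows up here too while the tunnel is up).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Select-Object Description, IPAddress, DNSDomain,
        @{ n = 'NetBT'; e = {
            switch ($_.TcpipNetbiosOptions) {
                0 { 'Default (from DHCP)' } 1 { 'Enabled' } 2 { 'Disabled' } default { 'Unknown' }
            }
        } } | Format-List

# 3. NetBT node type: 1 = b-node, 2 = p-node, 4 = m-node, 8 = h-node (hybrid).
#    DhcpNodeType is what DHCP option 46 handed out; NodeType is a static override.
$netbt = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -ErrorAction SilentlyContinue
"NodeType (static) = {0}; DhcpNodeType (from DHCP) = {1}" -f $netbt.NodeType, $netbt.DhcpNodeType

# 4. Primary DNS suffix of the machine (the value the thread suggests setting to the
#    remote domain name for a non-domain client).
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
"Primary DNS suffix = '{0}'" -f $tcpip.Domain

# 5. Does the share open with whatever credential the client picks on its own?
#    Test-Path never prompts, so False here is the "logon box" case from the thread.
"\\$RemoteHost\$Share opens without an explicit credential = {0}" -f (Test-Path "\\$RemoteHost\$Share")

# 6. Stored credentials Windows would try for a target before falling back to the
#    interactive account (cmdkey /add:<host> /user:... binds one to a specific server).
cmdkey /list
```

Read the output against the thread: if 445 is reachable but 139 is not and step 5 prints False, the client is in the state Thor describes for "CIFS only"; if step 2 shows NetBT disabled on the VPN adapter or step 3 shows no node type from DHCP, that is the broadcast difference he noticed between the domain member and the stand-alone box. Step 6 is the one piece of state the posters do not mention: a credential stored for the server's name is what Windows offers first, before the VPN or interactive credential, so a stale entry there can reproduce the prompt on its own.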