No change. Already did that.

t

On 1/25/07 11:25 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> What happens if you set the primary DNS suffix for the non-domain VPN client to the internal domain name? Maybe the lack of a correct DNS suffix is causing the NetBIOS broadcasts?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> Sent: Thursday, January 25, 2007 1:13 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>>
>> Well now, isn't that interesting. When limiting VPN clients to CIFS only for share access, XP clients work just fine as they will use CIFS by default for both domain members and non-domain members. I did notice that the non-domain member broadcasts NBT (if allowed) where the domain member does not, but I think that's because I've set TCP broadcast to hybrid (or whatever I did) in DHCP for the domain, but not for the stand-alone box. Regardless, XP works fine with CIFS only.
>>
>> However, it seems that Vista VPN clients won't use CIFS even if forced. I don't know that for sure, but that is definitely the behavior I have seen now. If I open up NetBios name server, datagram and session protocols, the Vista client now authenticates as the VPN user silently. Otherwise, it either times out or sends local creds (yet to be verified) but prompts for username and password. Seems like a sneaky way to make a client send interactive logon infoz if I can get them to connect to my VPN. Easy enough to do, tho... Hmmm.
>>
>> t
>>
>> On 1/25/07 10:28 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>
>>> Maybe they thought interactive credentials were less likely to be domain credentials, so it's more secure to blast them than your domain credentials.
>>>
>>> Heck, makes about as much sense as the rationale they used to hork NAT-T.
>>>
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- Microsoft Firewalls (ISA)
>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>> Sent: Thursday, January 25, 2007 11:51 AM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>>>>
>>>> Yes, clearly more secure. Connect up to a hotspot connection and have your interactive credentials automatically and silently basted downrange to any service that asks for it :-/
>>>>
>>>> t
>>>>
>>>> On 1/25/07 9:55 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>
>>>>> OK, just testing you :)
>>>>>
>>>>> Since Vista is more secure, this must be a security issue ;))
>>>>>
>>>>> Security is inversely proportional to functionality.
>>>>>
>>>>> Thomas W Shinder, M.D.
>>>>> Site: www.isaserver.org
>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>> Book: http://tinyurl.com/3xqb7
>>>>> MVP -- Microsoft Firewalls (ISA)
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>>> Sent: Thursday, January 25, 2007 11:41 AM
>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>>>>>>
>>>>>> No less than 1 million times ;)
>>>>>>
>>>>>> For years and years I've been logging in from non-domain XP boxes as unique local users and VPN'ing in to remote networks with completely different usernames/passwords and directly accessing network resources silently as the VPN user, not the local interactive user.
>>>>>>
>>>>>> I know I could join the domain and/or pair up usernames and passwords, but I never do that. I wouldn't have usernames and passwords on a laptop that matched usernames and passwords on my domain- that's just silly ;)
>>>>>>
>>>>>> t
>>>>>>
>>>>>> On 1/25/07 9:42 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
>>>>>>
>>>>>>> Tim,
>>>>>>>
>>>>>>> Are you sure it actually ever worked the way you thought it did? That is to say, did it actually work where you log in interactively with one set of local non-domain credentials, and then create a remote access VPN client connection using a second set of credentials and then have the dial-in credentials sent to the remote file servers?
>>>>>>>
>>>>>>> I think in order for that scenario to possibly work, you have to dial-in via dial-up networking during interactive logon. Try that with the Vista client.
>>>>>>>
>>>>>>> Worst comes to worst, you can mirror your credentials on the non-domain client with the domain account.
>>>>>>>
>>>>>>> Tom
>>>>>>>
>>>>>>> Thomas W Shinder, M.D.
>>>>>>> Site: www.isaserver.org
>>>>>>> Blog: http://blogs.isaserver.org/shinder/
>>>>>>> Book: http://tinyurl.com/3xqb7
>>>>>>> MVP -- Microsoft Firewalls (ISA)
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>>>>> Sent: Thursday, January 25, 2007 11:26 AM
>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>>>>>>>>
>>>>>>>> Hi Ara- thanks for checking. Yes, if the system is a domain member, it works as you describe. The point is that remote systems should not need to be domain members in order to VPN into a network and have the VPN credentials used for access to that network's resources.
>>>>>>>>
>>>>>>>> A laptop user should not have to move around using cached domain credentials to log on to their system as a domain member... More importantly, the local users' interactive credentials should not automatically be sent to a remote host on a dial-up/VPN connection. That is a security issue in itself...
>>>>>>>>
>>>>>>>> t
>>>>>>>>
>>>>>>>> On 1/25/07 8:59 AM, "Ara Avvali" <Ara.Avvali@xxxxxxxxxxxxx> spoketh to all:
>>>>>>>>
>>>>>>>>> I did a test myself last night from Vista. It dials in with no problem, Outlook opens fine, and I can go to \\servername\sharename and no problem.
>>>>>>>>> One thought, I have the firewall client for Vista installed and laptop is a domain member which is going back and forward work/home
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>>>>>>>> On Behalf Of Thor (Hammer of God)
>>>>>>>>> Sent: Thursday, January 25, 2007 7:08 AM
>>>>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>>>>> Subject: [isapros] Re: OT: Vista VPN Client Credentials
>>>>>>>>>
>>>>>>>>> Anyone? Bueller? Anyone?
>>>>>>>>>
>>>>>>>>> Is there anyone out there who is VPN'ing into a network on a non-domain machine with Vista? Is it time to post to the Focus-MS list???
>>>>>>>>>
>>>>>>>>> t
>>>>>>>>>
>>>>>>>>> On 1/24/07 12:36 PM, "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx> spoketh to all:
>>>>>>>>>
>>>>>>>>>> Greetings... I'm hoping this is something stupid that I'm just not seeing, but I'm having an issue automatically authenticating to a remote network under my VPN credential in Vista (x64).
>>>>>>>>>>
>>>>>>>>>> With XP, on a non-domain, standalone workgroup box, I can create a standard VPN client and log on to the remote network using my user account on remote network domain. Though I'm logged on interactively as a local user on that XP box, when I go to \\host.domain.com, my VPN credentials are automatically used to access shared resources on the remote network. Same thing with connecting to a remote SQL box (requiring integrated auth). No problems at all with XP, been doing it for years.
>>>>>>>>>>
>>>>>>>>>> However, with Vista, the credentials I use to log onto the remote network are NOT being used when I access resources on the remote network. Browsing to the share point results in a logon box being displayed. If I attempt to connect to a SQL box, it says "not a trusted connection" (as it would if my local user is being used.) WTF? I've looked through and set everything that I can, including setting the location as "Work" and "Home." I do NOT want to have to join the box to the remote domain.
>>>>>>>>>>
>>>>>>>>>> Anyone know what I'm doing wrong?? Thanks.
>>>>>>>>>> t