VPN and RRAS in a test lab
Results 1 to 7 of 7

Thread: VPN and RRAS in a test lab

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    183

    VPN and RRAS in a test lab

    Here's the scenario:

    W2K3 domain controller and an XP Pro client in a test lab. I've configured RRAS and can create the tunnel from the client to the DC using <VPNUser> and <Password>. A second ip address and adapter are visible on the client using <ipconfig /all> and the RRAS server confirms the connection. I've created a shared folder on the DC and assigned Share and NTFS permissions to allow <VPNUser> full access.

    Problem:

    I log into the client locally as Administrator, connect to the DC via the VPN tunnel and then try to access the shared folder via Windows Explorer (\\server\share). I receive a username and password dialog box. If I enter <VPNUser> and <Password>, I'm granted access.

    Is this normal behaviour? I entered the correct details when I made the VPN connection and I had expected these credentials to be used by the server when I wanted to access the shared folder. Is there any way to avoid having to enter them on a second occasion?

    I hope that I've explained the situation sufficiently.

    Thanks in advance.

  2. #2
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Is the XP Pro Client machine a domain computer?
    Is the VPNUser a domain user?
    In God We Trust....Everything else we backup.

  3. #3
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Yes, it is configured to be a member of the domain but I log on locally rather than to the domain.

    Yes, VPNUser is a domain user. I have configured it's properties (in ADUC) "Dial-in" tab to allow access, hence I can create the tunnel.

    BTW, I chose to log on locally because that's what I'd envisage doing in real life. If I'm at home, I log on locally, connect to the remote server via the VPN tunnel and access remote resources. I'm surprised that I'm asked to authenticate when I try to access the shared folder. When I've entered the details on the second occasion, I can read/write the shared folder.

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi Ignatius,

    Is this normal behaviour?
    I would guess that it is the default, and it is the way I have always seen it done. OK this is going back a while so the setup was different.

    I would login to my local network, connect to the remote server and login there, then login to the remote resources. I guess that was the security model?

    The environment was such that we were working both locally and remotely, so there would be times when we would have the remote connection open in the background, but would have logged out of the remote resources.

    I believe that it is intended to provide an extra layer of security at the remote resource end? Basically, someone might inherit my connection authority but they cannot actually do anything without authenticating to specific resources.

    It is a similar situation with local networks? you authenticate to the network but you need further authentication to individual resources/applications.
    Last edited by nihil; September 11th, 2009 at 08:30 AM.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    I believe this is occurring because the DC doesnt consider the connection to be trusted.

    You could change the workstation config to make the VPN connection at bootup and prior to you actually logging in to the workstation.
    Additionally, I believe you would need to log into the workstation with a domain account.
    In God We Trust....Everything else we backup.

  6. #6
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Quote Originally Posted by nihil
    I believe that it is intended to provide an extra layer of security at the remote resource end? Basically, someone might inherit my connection authority but they cannot actually do anything without authenticating to specific resources.
    Yes, there's logic in that. I just wanted to be sure that it wasn't something to do with the way that I've configured it.

    Quote Originally Posted by Cheap Scotch Ron
    You could change the workstation config to make the VPN connection at bootup and prior to you actually logging in to the workstation.
    Additionally, I believe you would need to log into the workstation with a domain account.
    Hmm - I'll look into that.

    Thanks guys.

  7. #7
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Use the rasdial command from a bat file to start vpn

    Here's how to run a bat file upon boot.
    http://support.microsoft.com/kb/243486/en-us
    In God We Trust....Everything else we backup.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •