KB:

RAS credentials are not being forwarded on to a remote server over a VPN connection


A:
Problem: After upgrading to VPN-Q 2006 SP2, users on non-domain-joined machines are regularly prompted for credentials when accessing shares or resources on a remote server.

Cause: In Service Pack 2 for VPN-Q 2006 a change was made to the way credentials are used for establishing VPN connections. Prior to SP2, the username and password supplied to establish the VPN connection were automatically forwarded to a server over the VPN when accessing a server resource such as a file share. This is the default behavior of Windows-based VPN connections. VPN-Q 2006 Service Pack 2 changed this behavior so that the credentials are NOT automatically forwarded on to servers over the VPN connection. For details on why this change was made, see the More information section below.

Workaround: Use the Windows credential manager to store the required username and password for specific networks or servers. To use the Windows credential manager on the VPN client PC:

  1. Open control panel
  2. Select "User Accounts"
  3. Click the local Windows user account that is used when VPN connections are established
  4. Click "Manage my network passwords" from the "Related Tasks" side bar list
  5. Click the Add button
  6. Enter a remote server name or domain name (e.g. *.mycompany.com) along with the username and password required for accessing the server, and click OK.
  7. Click the Add button again to add more entries as required.
  8. Click Close when done

Once completed, establish a VPN connection and access to the remote server/servers should be seamless as expected.
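The same stored credential can be created from a script with cmdkey.exe, which writes to the same store as the "Manage my network passwords" dialog. This is an added example, not part of the Winfrasoft article; it assumes cmdkey.exe is present on the client (it ships with Windows Vista and later; on older clients use the GUI steps above), and the target pattern and account name are placeholders.

```powershell
# Added example (not from the Winfrasoft article): script the credential manager
# workaround with cmdkey.exe so a non-domain-joined VPN client stores the credential
# that Windows presents to matching remote servers over the VPN.
# Assumptions: cmdkey.exe is available (Windows Vista and later); $Target and
# $UserName below are placeholders for the real server/domain pattern and account.

param(
    [string]$Target   = '*.mycompany.com',      # server name or domain pattern, as in step 6
    [string]$UserName = 'MYCOMPANY\vpnuser',    # account that is valid on the remote server/domain
    [switch]$Remove                             # remove the stored entry instead of adding it
)

if ($Remove) {
    cmdkey /delete:$Target
    exit $LASTEXITCODE
}

# Prompt for the password instead of taking it as a parameter, so it does not land in
# shell history or in the command line of a process another local user can inspect.
$secure = Read-Host -Prompt "Password for $UserName on $Target" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# /add: stores a domain (Windows logon) credential, the same kind the GUI creates and
# the kind SMB uses when a share on a server matching $Target is opened.
cmdkey /add:$Target /user:$UserName "/pass:$plain"
$rc = $LASTEXITCODE
Remove-Variable plain

# List what is now stored for this target so the entry can be checked before connecting.
cmdkey /list:$Target
exit $rc
```

Store the account's password for the remote domain here, not the RAS username and password used to bring up the VPN: the credential manager entry is what Windows presents to the server, so with a two-factor system where the passcode is appended to the VPN password, storing that combined string would reproduce the lockout and Access Denied problems described under More information.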

Resolution: A patch is available from Winfrasoft which changes the behavior of this feature back to that of pre-SP2, i.e. the RAS credentials WILL be auto-forwarded to remote servers. NOTE: This patch should ONLY be used when there is a requirement to restore pre-SP2 behavior in scenarios where non-domain-joined PCs are being used as VPN clients; it is not required if VPN clients are members of the Windows domain. This patch should NOT be used in conjunction with two-factor authentication systems, otherwise the issues described in the More information section below may occur. This patch does not contain any other fixes, updates or changes from those found in SP2.

To install the patch:

  1. Backup the old client.exe file located in the C:\Program Files\VPN-Q 2006 folder on the VPN server.
  2. Download the patched SP2 client.exe file and copy it to the C:\Program Files\VPN-Q 2006 folder on the VPN server.
  3. Create and distribute a new VPN client setup package.
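Steps 1 and 2 can be done with a short script on the VPN server that keeps a timestamped backup and records the hash of what was replaced, so the change is auditable and can be reverted. This is an added example, not Winfrasoft's installer; the article does not give the download location of the patched file, so $PatchedClient is a placeholder for wherever the download was saved.

```powershell
# Added example (not from the Winfrasoft article): back up the SP2 client.exe on the
# VPN server and install the patched copy, recording SHA-256 hashes for the change log.
# Assumption: $PatchedClient is a placeholder path for the downloaded patched file.

$VpnQDir       = 'C:\Program Files\VPN-Q 2006'          # folder named in the article
$Current       = Join-Path $VpnQDir 'client.exe'
$PatchedClient = 'C:\Temp\client.exe'                   # placeholder: downloaded patched client.exe
$Stamp         = Get-Date -Format 'yyyyMMdd-HHmmss'
$Backup        = Join-Path $VpnQDir "client.exe.sp2-$Stamp.bak"

if (-not (Test-Path $Current))       { throw "Original client.exe not found at $Current" }
if (-not (Test-Path $PatchedClient)) { throw "Patched client.exe not found at $PatchedClient" }

# Get-FileHash needs PowerShell 4 or later; on older hosts use: certutil -hashfile <file> SHA256
$before = (Get-FileHash -Algorithm SHA256 $Current).Hash
$new    = (Get-FileHash -Algorithm SHA256 $PatchedClient).Hash
if ($before -eq $new) {
    Write-Warning 'Patched file is identical to the installed client.exe; nothing to do.'
    return
}

Copy-Item $Current $Backup                  # step 1: keep the SP2 original so the change can be reverted
Copy-Item $PatchedClient $Current -Force    # step 2: install the patched client.exe
$after = (Get-FileHash -Algorithm SHA256 $Current).Hash
if ($after -ne $new) { throw 'Installed client.exe does not match the patched file' }

# Record which binary was replaced by which, by hash, next to the backup.
"$Stamp replaced client.exe $before with patched client.exe $new (backup: $Backup)" |
    Add-Content (Join-Path $VpnQDir 'client.exe.patch-log.txt')

# Step 3 (create and distribute a new VPN client setup package) is done with the
# VPN-Q 2006 tools and is not scripted here.
```

Keeping the hash of the distributed client.exe matters because the patch changes how RAS credentials are handled on every client built from the new package; the log shows later which clients were built from the patched binary and makes rolling back to the SP2 file a single copy from the backup.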

More information:

The change in SP2 was made to avoid situations where incorrect credentials were being automatically passed on to servers over the VPN connection. This often occurred when separate account databases are used for VPN and AD Domain logons, or where two-factor authentication systems are in place in which the passcode is appended to the end of the password. In the latter scenario the VPN server is able to separate the passcode from the password, but when the combined string is forwarded on to a remote server one or more of the following issues could arise:

  • The domain user account is locked out due to too many incorrect logons
  • Access Denied error messages appear when accessing remote shares and resources

If the remote client PC is a member of a Windows Domain, the user's Windows logon credentials will be automatically sent to servers over the VPN in the same way as a LAN-based connection. Thus VPN-Q 2006 SP2 resolves the access error issues with non-standard authentication mechanisms while maintaining seamless resource access for domain-joined machines.

However, this change in behavior adversely affects remote client PCs that are not domain-joined. In this scenario the user's Windows credentials will not be valid on the domain, and because the RAS credentials are no longer forwarded there are no credentials available for connecting to remote resources such as file shares. In this case Windows prompts the user for credentials to use to establish a connection to the server. While this does not limit access to any resources, the behavior may be undesirable.

Service Pack 3 updated information:

Service Pack 3 reverted to the pre-SP2 behavior. Separate authentication updates have been provided on the VPN-Q 2006 SP3 CD to support other authentication mechanisms where the setting discussed in this article has already been set appropriately.

Note: This behavior will be a fully configurable option in the next version of VPN-Q.