  • Domains and authentication problems

    Hi all,

    Right, users in India using VPN to get to our network here in England.

    The VPN itself works fine. They can ping all PCs in our office, but can only connect (map drives) to all machines apart from the domain controllers.

    If I connect over dial-up myself (laptop running XP Pro) I have no problems. I've been looking at this most of the day, and am completely lost as to why authentication is failing to our PDC (well, a Win2k3 AD). What happens is that when you do Start->Run->< server name > or map a drive, you are repeatedly asked to log in, as if your username or password were wrong. Looking at the logs, though, shows successful authentication!

    It must be some security issue on their PCs - we've been playing with one of them, removing it from their domain etc, but still can't get it to login to these servers. The two PCs I've been looking at today of theirs - one's a win2k pro box and the other a win2k3 enterprise server.

    Anyone any ideas?

    Cheers,
    Steve

  • #2
    What sort of authentication are you using? Is the client set to use the same authentication as the server expects?
    D3/\/7YCR4CK3R
    Ryzen: Asrock B450M Pro4, Ryzen 5 2600, 16GB G-Skill Ripjaws V Series DDR4 PC4-25600 RAM, 1TB Seagate SATA HD, 256GB myDigital PCIEx4 M.2 SSD, Samsung LI24T350FHNXZA 24" HDMI LED monitor, Klipsch Promedia 4.2 400, Win11
    Home: M1 Mac Mini 8GB 256GB
    Surgery: HP Stream 200-010 Mini Desktop,Intel Celeron 2957U Processor, 6 GB RAM, ADATA 128 GB SSD, Win 10 home ver 22H2
    Frontdesk: Beelink T4 8GB

    • #3
      I was thinking: can YOU tunnel into the VPN over the internet? If you can, then it may be that you need their machines' VPN connection to be set up just as yours is. Also, ensure that they have proper permission to access the resources you say they can't.

      • #4
        Sounds like a forest permission issue.
        Better to let one think you are a fool, than speak and prove it

        • #5
          Are the users in India getting an IP on your network, or do they have a subnet that is tunneled to yours?

          Your domain controllers will only broadcast correctly to their network, in that case.

          From pre-coffee memory, you will need a WINS forwarding server. Terminology escapes me early on a Saturday morning with a hangover.
          Juu nin to iro


          English doesn't borrow from other languages. It follows them down dark alleys, knocks them over, and goes through their pockets for loose grammar.

          • #6
            The users in India get the same IP address subnet as I do here when I dial up and come in over the VPN.

            The VPN software (NetScreen/SafeNet) is the same there as it is here for me too.

            • #7
              Is there any chance they have a different set of IP ports open than you do?

              Is there anything in the domain controller policy (Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment) restricting their group from accessing the computer over the network? Look at "Access this computer from the network" and "Deny access to this computer from the network".

              Can the users ping the domain controllers?

              Is there any kind of IPSec policy on the DCs that the users don't have themselves?

              That's all I can think of at the moment. Make sure you check everything in the DC policy to see if anything is restricting access to them.
              Lady, people aren't chocolates. Do you know what they are mostly? Bastards. Bastard coated bastards with bastard filling. But I don't find them half as annoying as I find naive, bubble-headed optimists who walk around vomiting sunshine. -- Dr. Perry Cox

              • #8
                Could be something their ISP is doing. I had a problem connecting up some home workers using Linksys VPN routers: the ones on ADSL and Blueyonder all worked fine, the two on NTL had problems. They could initialise a VPN connection to the office OK, PING and NBTSTAT worked fine, but like you, mapping drives failed. Trying to connect to Exchange via Outlook either timed out or took forever and a day.
                When you own your own business you only have to work half a day. You can do anything you want with the other twelve hours.

                • #9
                  Where's the VPN endpoint? In your domain or outside? Did you check the firewall rules (assuming you have one)?

                  • #10
                    Ahhh ... brings back such memories. I was looking at this stuff over five years ago and I haven't thought much about it since. Guess I'll start playing with the AD implementation now that it's been out a while. I hope it holds up (wasn't NDS-strength architecture).

                    Can you change permissions on a user and they'll still have access until they reboot? It was originally architected in such a way that allowed this.
                    The world just changed, Sep. 11, 2001

                    • #11
                      I can't see how it can be any setting on the DCs or on our network because I can externally dial up and connect over the same VPN with same user profiles, usernames and passwords and it works perfectly for me.

                      • #12
                        Is your laptop a member of the domain? I assume they are not, coming from India. To do a true test, you would need to try your dialup with a machine not already a member of the domain.
                        "I dream of a better world where chickens can cross the road without having their motives questioned."

                        • #13
                          Nope - tried from two laptops now, neither are members of any domain.

                          • #14
                            Found this and thought of you: http://www.greyware.com/software/dom...ct/w32time.asp
                            Gigabyte P35-DS3L with a Q6600, 2GB Kingston HyperX (after *3* bad pairs of Crucial Ballistix 1066), Galaxy 8800GT 512MB, SB X-Fi, some drives, and a Dell 2005fpw. Running WinXP.

                            • #15
                              To save everybody time:

                              "NET TIME doesn't work well with laptops and remote offices.
                              The login script problems mentioned above are magnified dramatically if you're using a laptop or workstation remotely, since the workstation may or may not actually authenticate with an NT domain when dialing in (if you're using a PPP dial-in service, or over the Internet using a third-party VPN, for example).

                              Also, a workstation with a NET TIME command scheduled to run on a schedule (such as the NT AT command) can cause a system using Dial-Up networking to attempt to dial the remote network when it tries to run. "

                              So it might be a time synchro problem...
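
A diagnostic checklist in PowerShell, added here and not from the thread, that walks through the checks the replies suggest: locating a DC across the tunnel (#5), reachability of the logon ports and the two network-logon user rights in the DC policy (#7), and clock offset against the DC (#14 and #15). The domain and DC names are placeholders, Test-NetConnection needs Windows 8 / Server 2012 or later, and the policy step only runs when executed on a DC.

```powershell
# Added diagnostic checklist; not from the thread. Assumes PowerShell 5.1+
# on Windows with nltest.exe, w32tm.exe and secedit.exe (all ship with
# Windows). $Domain and $DcName are placeholders for your own names.
param(
    [string]$Domain = 'corp.example',      # placeholder
    [string]$DcName = 'dc1.corp.example'   # placeholder
)

# 1. Can this client locate a DC at all? With no WINS/DNS reachable over
#    the tunnel this is the first step that fails (post #5).
nltest /dsgetdc:$Domain

# 2. Are the ports a network logon needs open across the tunnel (post #7)?
#    88 = Kerberos, 135 = RPC endpoint mapper, 389 = LDAP, 445 = SMB.
foreach ($port in 88, 135, 389, 445) {
    $r = Test-NetConnection -ComputerName $DcName -Port $port -WarningAction SilentlyContinue
    '{0,-4} {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 3. Clock offset against the DC (posts #14/#15). Kerberos refuses tickets
#    once the skew passes the domain's MaxClockSkew (5 minutes by default),
#    which can surface as repeated credential prompts.
w32tm /stripchart /computer:$DcName /samples:3 /dataonly

# 4. Only meaningful on the DC itself (DomainRole 4/5 = backup/primary DC):
#    export the effective policy and read the two user rights named in #7.
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(SeNetworkLogonRight|SeDenyNetworkLogonRight)\s*=\s*(.*)$') {
            $name = $matches[1]
            # entries look like *S-1-5-32-544,*S-1-5-11 ; translate SIDs to names
            $rights[$name] = foreach ($sid in $matches[2].Split(',')) {
                $sid = $sid.Trim().TrimStart('*')
                if (-not $sid) { continue }
                try { ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value }
                catch { $sid }   # keep the raw value if it will not translate
            }
        }
    }
    Remove-Item $inf -Force
    "Access this computer from the network:         " + ($rights['SeNetworkLogonRight'] -join ', ')
    "Deny access to this computer from the network: " + ($rights['SeDenyNetworkLogonRight'] -join ', ')
}
```

Run it once from a client inside the office and once from an Indian client over the tunnel; any line that differs between the two runs is where to look first.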
