Re: RAS and etokens

From: William Wang[MSFT] (v-rxwang_at_online.microsoft.com)
Date: 03/29/04


Date: Mon, 29 Mar 2004 05:38:25 GMT

Hi Stan,

Thanks for letting me know this issue was resolved. Let's follow up on the
issue related to "trust relationships" in the
<microsoft.public.windowsnt.domain> newsgroup.

Sincerely,

William Wang
Microsoft Online Support Engineer

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "stan" <no@email.com>
>Subject: Re: RAS and etokens
>Date: Sat, 27 Mar 2004 19:49:04 -0500
>
>Running a sonicwall which was breaking the GRE packet. They have no
>direction option to pass this packet but I worked with their tech support
>to resolve the issue. Thanks for the followup. You're looking into my other
>issue from another group "domains" related to this project.
>
>Need to have users login to domain a which hosts the VPN server and access
>drives etc in domain b (their home domain) without having to submit
>username and password each time they map a drive etc. Have already setup
>2way trust to no avail. Isn't this the whole idea behind trusts?
>
>"William Wang[MSFT]" <v-rxwang@online.microsoft.com> wrote in message
>news:yjoFlv8EEHA.1988@cpmsftngxa06.phx.gbl...
>> Hi Stan,
>>
>> I'm just checking to see if disabling the firewall made any difference.
>> If you have any questions or concerns, please don't hesitate to let us
>> know.
>>
>> Sincerely,
>>
>> William Wang
>> Microsoft Online Support Engineer
>>
>> --------------------
>> >From: v-rxwang@online.microsoft.com (William Wang[MSFT])
>> >Date: Wed, 24 Mar 2004 13:51:32 GMT
>> >Subject: Re: RAS and etokens
>> >
>> >Hi Stan,
>> >
>> >Thanks for your update. I'd like to disable the firewall on the clients
>> >and servers temporarily to test the problem. Does it make any difference?
>> >
>> >Sincerely,
>> >
>> >William Wang
>> >Microsoft Online Support Engineer
>> >
>> >--------------------
>> >>From: "stan" <no@email.com>
>> >>Subject: Re: RAS and etokens
>> >>Date: Mon, 22 Mar 2004 21:00:42 -0500
>> >>
>> >>Actually I am still having issues. Using an etoken, I have cert server
>> >>setup etc., enrollment station issuing smart card certs. I can apply for
>> >>and receive certificates no problem.
>> >>
>> >>I create a VPN connection and initially select do not use smart card.
>> >>Configure username and password and then select properties...use my
>> >>smart card. I can access my usb token containing my keys but the
>> >>authentication times out at the verifying username and password. Only
>> >>event log reads the authentication did not complete in a timely fashion
>> >>or something to that effect.
>> >>
>> >>If I deselect smart card logon and go in straight with username and
>> >>password, it connects and authenticates without issue. I'm stumped.
>> >>
>> >>
>> >>"William Wang[MSFT]" <v-rxwang@online.microsoft.com> wrote in message
>> >>news:1CZT5DCEEHA.1196@cpmsftngxa06.phx.gbl...
>> >>> Hi Stan,
>> >>>
>> >>> Thanks for your posting and thanks for Peter's help. I'm writing to
>> >>> check if Peter's suggestion helps. Please feel free to let us know if
>> >>> you would like further assistance.
>> >>>
>> >>> Sincerely,
>> >>>
>> >>> William Wang
>> >>> Microsoft Online Support Engineer
>> >>>
>> >>> --------------------
>> >>> >From: "stan" <no@email.com>
>> >>> >Subject: Re: RAS and eTokens
>> >>> >Date: Sun, 21 Mar 2004 15:52:05 -0500
>> >>> >
>> >>> >Thanks.....I had MSCHAP deselected. With our token you had to first
>> >>> >setup your account without smartcard, set username and password and
>> >>> >then select smartcard authentication.
>> >>> >
>> >>> >"Peter och Maria Rydqvist" <anonymous@telia.com> wrote in message
>> >>> >news:oasr50pq8vv9jb73h253qbbvs72fl1u4v3@4ax.com...
>> >>> >> On Sun, 21 Mar 2004 12:36:03 -0500, "stan" <no@email.com> wrote:
>> >>> >>
>> >>> >> >Hello All:
>> >>> >> >
>> >>> >> >Experiencing an issue trying to implement 2 factor authentication
>> >>> >> >using etokens. Have the CA set up and the certificate end is fine.
>> >>> >> >The problem arises trying to authenticate using the usb token. I
>> >>> >> >can connect to the VPN server but it sits at the verifying username
>> >>> >> >and password screen until it times out. Disabling the token login
>> >>> >> >and I can vpn just fine.
>> >>> >> >
>> >>> >> >Did 2 separate packet captures -
>> >>> >> >
>> >>> >> >First with tokens enabled and I see LDAP packets being passed and
>> >>> >> >then it times out
>> >>> >> >Second without tokens and I don't see any LDAP packets and the
>> >>> >> >connection is fine.
>> >>> >> >
>> >>> >> >Any thoughts on this would be appreciated.
>> >>> >> >
>> >>> >>
>> >>> >> I use eTokens with my RAS (VPN/PPTP).
>> >>> >>
>> >>> >> The first thing you should check is the properties for the RAS
>> >>> >> server under the tab Security.
>> >>> >>
>> >>> >> There you need to activate the authentication method "Extensible
>> >>> >> authentication protocol (EAP)".
>> >>> >>
>> >>> >> Then, under your remote access policy you need to select the
>> >>> >> provider "Smart Card or other certificate" under Authentication in
>> >>> >> the profile.
>> >>> >>
>> >>> >> If you haven't issued a certificate for the server, I think you
>> >>> >> will be able to ask for one at this point (it's quite a while ago I
>> >>> >> did this).
>> >>> >>
>> >>> >> Then you should be set. You will get a question at connect time if
>> >>> >> you would like to accept the server certificate.
>> >>> >>
>> >>> >> /Peter