AD domain authentication through VPN
From: napoleon (furbelly_at_undertow.net)
Date: 02/11/05
Date: Fri, 11 Feb 2005 14:54:41 -0600
I am attempting to authenticate remote systems against my Windows 2000
domain. But before I go into details, let me lay out the setup:
Remote WinXP SP2 Laptop
w/ Cisco VPN client 4.0.5
|
|
|
Linksys 4-port 10/100 router
(PPTP passthrough enabled)
|
|
|
- - - - - - - - - - - - -
| INTERNET |
- - - - - - - - - - - - -
|
|
|
Cisco VPN Server
on Subnet A
|
|
|
Windows 2000 AD domain
on Subnet B
In my corporate environment, the network department runs the vpn
server, top-level BIND DNS (non-dynamic) servers, and of course, the
network itself. I recently requested that they set up relaying for my
AD DNS servers as well as for my WINS server. This was in preparation
for authenticating my machines through the VPN against my domain DCs.
I installed the Cisco VPN client v4.0.5 (Rel) onto my Windows XP SP2
(firewall disabled) laptop. I configured the VPN client connection
for "Group Authentication" and the VPN client to start before logon.
I can connect via the VPN client to our corporate cisco vpn server.
However, it appears to me that the computer itself is not
authenticating against my AD domain, and hence not becoming a member
of the "domain computers" group. This causes problems because my
gpo-defined startup scripts reference directories on my domain
servers. These directories grant access based upon "domain computers"
group membership. The scripts run, but they encounter "access denied"
errors when they need to access server resources. To me it appears
that the machine account is not being authenticated against the AD
domain, but I am not 100% certain.
There could be many causes here. Perhaps the relaying for my AD DNS
and WINS servers is not functioning correctly. Perhaps a group policy
setting is hampering remote authentication. Perhaps it's something
else entirely.
I plan to ask the network department to verify the functionality of
the AD DNS and WINS relay. However, I can't continually ask them to
double-check their settings. So, what I need (in the absence of an
outright solution) are some troubleshooting tips. The more
information I can verify myself, the less I have to bother others with
problems that are most likely mine to begin with.
Thanks for any and all suggestions.
- Napoleon
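A diagnostic batch script for the self-checks asked for above, added here and not part of napoleon's post: it separates "the DNS/WINS relay is broken" from "the machine account never built a secure channel". The domain name and AD DNS address are placeholders, and nltest assumes the Windows Support Tools are installed on the laptop.

```batch
@echo off
REM Added diagnostic script, not from the original post. Placeholders:
REM DOMAIN is the AD DNS domain name, ADDNS is one AD-integrated DNS
REM server on Subnet B. nltest comes from the Windows Support Tools;
REM the other commands ship with Windows XP Professional.
set DOMAIN=corp.example
set ADDNS=10.0.2.10

echo === 1. Name servers the VPN adapter actually received ===
ipconfig /all | findstr /i "Description DNS WINS"
echo.

echo === 2. Can the default resolver find a DC via the SRV records? ===
REM Computers locate DCs through these records. If the relay to the AD
REM DNS servers is broken, this fails while step 3 succeeds.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%
echo.

echo === 3. Same query sent straight at an AD DNS server (bypasses relay) ===
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %ADDNS%
echo.

echo === 4. DC locator result as the Netlogon service sees it ===
nltest /dsgetdc:%DOMAIN%
echo.

echo === 5. State of the machine account's secure channel to the domain ===
REM A successful verify means the computer account itself authenticated
REM to a DC. If this fails, resources granted to "Domain Computers"
REM will return access denied to GPO startup scripts.
nltest /sc_query:%DOMAIN%
nltest /sc_verify:%DOMAIN%
echo.

echo === 6. Which computer policies actually applied over the tunnel ===
gpresult /scope computer
echo.

echo === 7. Which DC handled the interactive logon ===
REM If this names the laptop itself rather than a DC, the user logon
REM was served from cached credentials, not from the domain.
echo LOGONSERVER=%LOGONSERVER%
```

Run it from a command prompt after the VPN tunnel is up; if step 2 fails but step 3 works, the fault lies in the relay, and that is the one item worth handing back to the network department.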