Remote users + VPN + Domain

Hey guys question if anyone can help or provide experience.

We have some remote users we need to get on to our domain at the office, we have loaded their remote machines with Sonicwall's VPN client, however this doesnt connect them to the VPN until after they are logged on to their machine. They can then browse some machines on the domain but arent logged in as an "authenicated" user.....

So trying to work for this, any help would be appreciated. I can provide more details if needed.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

sprkymrk

How are they authenticating with the domain? It sounds like they are using cached credentials or a local account to access the machine, then authenticating only with the sonic wall. No domain authentication is happening unless you left something out. You probably need to set up your sonic wall as a radius client to an IAS/RADIUS server. That way the users will log in to their computer with cached or local profiles, but when they connect with the VPN their credentials are based on the domain accounts (using RADIUS) that are passed from the sonic wall to the IAS server.

wizarddeath

I belive they are logging into their machine with cached credentials, but never authenicating with the domain controller(Im just starting my MCSA) so Im not 100% sure on how to authenicate. Someone told us we could use the "Dial up connection" option when they first log on, but im not sure if that would work either.

I assume we could run the RADIUS client on the DC also?

*Correction we are runnning RADIUS, Im checking now into log on scripts I guess...

sprkymrk

If you are using RADIUS the users should have the correct access and permissions on the network once they connect the VPN as they would have if they were physically on site and logged in.

The login script won't run though, because they have already logged in to the workstation/laptop before the authentication at the DC takes place.

wizarddeath

We arent the sharpest tools here at our job. After an hour on the phone with Sonicwall, we found out we need to be hitting the shares as //domain name instead of //computer name....Once we did this we are fine.

OUr strat is to take each machine and log on inside the network, and then take them remote. And log on using cached creds and then access the VPN.

However the only problem is if the cached creds ever expire would they be able to log in at there machine since there is no domain name untill the vpn is up?

sprkymrk

I'm not aware of any expiration for cached credentials based on time.
At work we have people gone for weeks ata time (up to 4 months) with no problem. At home, I used to have a W2K domain set up. Got rid of it over 2 years ago when the DC crapped out. My wife still logs into her computer with cached domain credentials.

wizarddeath

grrrr apparently they dont want this solution.

Anyone know of a command line or something to actually show the domain log in prompt or change users while in a domain without "logging off" ?

The point we are at is that the VPN client is authenticating to AD, however it wont push the account creds down to the machine....

shednik

One solution we use at work being that we use citrix heavily is our remote users connect via VPN using software called Citrix Access Gateway.

Now from there you have to options that users can do....

For out basic users they will goto our Citrix web interface to log in and access the published applications in there...

Or for the IT staff when working remotely they can RDP/VNC/etc... into their machine to access the domain...

Once connected to the CAG though you are able to browse shares as well by providing needed credentials...

Just figured i'd throw in our setup for our on sites

wizarddeath

Id love to have a easy simple solution to this like those, I dont see a problem with the customer clicking a few extra things but.....

There must be a way to execute a log on script when I connect tot he VPN to pull down my credentials to my machine. We tried starting the sonicwall vpn as a service but still doesnt get us connected before we log in unfornutely. Maybe running winlogon.exe after i establis the vpn will pull down my vpn log on settings?

sprkymrk

I think the Cisco VPN client will allow you to establish the VPN at login, so that the VPN starts first, sends your credentials immediately to the RADIUS client (the Cisco VPN concentrator or whatever) which then checks the IAS or RADIUS server and if authentication is successful it logs you into the computer and domain just as if you were physically there on the network. So you don't even get a desktop until all this happens (VPN, Authentication, login).

Unfortunately my Symantec VPN client won't do that either. I don't know about Microsoft's VPN client. I suspect it would work that way, but then you would need to create some rules on your firewall to allow VPN traffic to pass through seemlessly in order to authenticate. Either that or create a DMZ that has a bastion host that can do the RADIUS service.

TechJunky

IMO, you should be using a hardware VPN device on both sides and your problem would be solved...

That, or why not just have them use Terminal Services?

Dannybear

Citrix or TS would be the simplist option IMHO

wizarddeath

TechJunky wrote:

IMO, you should be using a hardware VPN device on both sides and your problem would be solved...

That, or why not just have them use Terminal Services?

Most of the users has a all-ways on connection so my sugguestion is going to be 2 a firewall at the home with a VPN built and just connect the machine to that. I belive this is more of a "test" exercise for me at this company also. Ive already put the writting that sonicwall put out stating there is "no way" to integrate their VPN client into the logon process.

blargoe

What resources exactly are trying to "connect" to?

If you are logging in to the computer with cached domain credentials, all you need to do in order to get your login script after you are connected to the VPN is run your login script. Put a shortcut on their desktop that will execute the script.

\\nameofdomaincontroller\NETLOGON\loginscript.bat

wizarddeath

blargoe wrote:

What resources exactly are trying to "connect" to?

If you are logging in to the computer with cached domain credentials, all you need to do in order to get your login script after you are connected to the VPN is run your login script. Put a shortcut on their desktop that will execute the script.

\\nameofdomaincontroller\NETLOGON\loginscript.bat

Basically we are trying to pull down the credentials with the user name and password used to log in to the vpn and not the local machine. Ive never actually wrote a batch file, Ill use the google for that, would the name of the file I make be called loginscript.bat or is that a pre-existing file?

Another option I just saw was Net logon service/command, will this pull down whatever account credentials I use?

Ahriakin

Maybe its just me but what do you mean by 'pull down the credentials'? Your users never pull anything credential wise from the DC, they always submit, all they get is a kerberos ticket in return (depending on the OS's involved and your authentication levels). If you mean you want them to have the same access from a remotely VPN'd system as they would if they were local to the domain then as long as they are logging into their machines with cached (and current, the passwords cannot have changed or be expired on the DC) domain credentials and not local then they should be fine. SSO enabled services should impersonate them with their cached credentials. Since you are using Radius then the VPN and domain credentials are the same, if they are not then something is very wrong in the setup.
You can use various methods (mapping drives with different credentials etc.) to access different resources but afaik there is no way to change the logged on credentials (and those forwarded by msoft SSO services) dynamically.

As for not wanting this solution they do know that there is a point where they do have to take responsibility for the technology they use right? IT can only be pushed so far