Mapping Network Drives over VPN



#1
neora

neora

    Member

  • Member
  • PipPip
  • 55 posts
Hi,

I'm very new to system administration and my first assignment is to make the network drives available over VPN. I have VPN set up all fine. When the user connects over the VPN he has to remap the network drives to use them again... And when he comes back to the office network (LAN) he has to remap the network drives again... I have made a bat file with net use commands for this. The problem now is that the solution is not consistent and today the user cannot log in at all.. when using net use to map the network drives it's asking for a log on and when given, it is rejected. But the user can reach the resources thru network places. Another thing is that since the server could not be reached using the servername, therefore I had tried to use the UNC pathname to map drives. But anyways.. ryt now... nothing's working and i'm going crazy. This has been an on going process... myself and the user trying to fix the problem. Is WINS a solution??? If yes.. how do i go about enabling that??

Any help would be appreciated with utmost gratitude... really.... :whistling:

Thanks a lot.

Neora

ps: server=win2k3, client=winxp

Edited by neora, 11 October 2006 - 06:11 AM.

  • 0

#2
neora

neora

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
hope somebody is working on it... hmmmmm i've been pulling my hair on this for days now.... there is something really stupid that i'm doing or not going... hmmmmmm :whistling: :blink:
  • 0

#3
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
usually when a drive mapping asks for a username /password the credentials need to be supplied in the domain\username fashion

so it would be
domain\bob
for the username
then their standard password

could you describe your vpn in a little more detail? what vpn client? how are you managing authentication on the vpn? what's changed between working and not working?
  • 0

#4
neora

neora

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
hi dsenette..

Thanx again....

i do give domain\username when it is asked... there is nothing much changed except for the user coming to office and taking the laptop home and connecting via VPN... both used to work before and suddenly it doesn't.

VPN client is 'safenet softremote' and AD user authentication later...

well... if the user can access the resources through my network places or through the explorer means that the authentication is fine ryt??? please correct me if i am wrong. but when we try to synchronize the mirrored drives or trying to remap the drives using net use it would prompt for username and password... we give it... and it does not take it and prompts again....(this was when the laptop was connected to the network directly... not over VPN)

after posting the first post something weird happened.. the drives could be mapped and the username and password was accepted...everything works absolutely fine and nothing was done to make it work.... do u have any idea what it could be??? this is what's driving me nuts...and i feel like a fool...

aaaaaargh!

thanx :whistling:
  • 0

#5
neora

neora

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
The above post does not mean that everything is fine and I don't need help k? The problem itself is that.. It works at times and other times it does not work. it is not stable at all. With your help I am trying to find out what could be the cause of all these problems...


Thanks...

(edited for grammar)

Edited by neora, 12 October 2006 - 02:58 AM.

  • 0

#6
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
i know that your last post wasn't terribly pushy but....keep in mind that not only do you have an odd problem with a complex system....but...i do have a job and a life outside of that job...you'll really need to be patient with us please...

you say that it's using AD authentication once the vpn connects....but how is that managed...are you using a radius server or AAA or what?
  • 0

#7
neora

neora

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Oh I'm so terribly sorry if u felt that i was being even slightly pushy.. cus i was not... i was just reading the post before that again and again just to get my thought process running... and felt that it sounded as if the problem was solved. That's why i sent the next post just to let u guys know that it's not solved yet and to give it a thot when u get time in your busy schedules.. I know how busy all of you are...

sorry again....

I myt have sounded frustrated ... but that's cus i am....

ours is a very small setup. Before i join this organization 2 months ago it was managed by a couple of technically savvy users. So we do not have radius server or tacacs or anything for AAA.

It is very simple. There are folders in the file server(which is also the AD server..i know i know...). These folders have security and share settings depending on who needs access to it. then these folders are mapped to the user PCs. Most of the folders have access to all the users except for the users home drive(to which only that specific user has access).

Users log into their PC using the AD username and password. This network user is also made to be the local administrator of the PC(the users are developers and they need admin access).

For mobile users.. their home drive is made available offline so that they could work offline.. Now i have configured the VPN so that they could backup their work(to the fileserver in the office) even when they are offsite.

the thing is when they are offsite they had to connect to VPN and then access the shared folders by giving the \\10.x.x.x(the IP address of the server) in start->run, which would prompt for a log in. When that's successful they could map the network drives using the bat file with net use commands. Same process when they are back in office.

The fact that they had to give the UNC itself was annoying because it would be too much for the non-technical users. But the net use commands itself would prompt for login which used to work fine.

Now the user can access the folder thru my network places. But when trying to map using the batch file it prompts for username and password and it says bad username or password .. or user already logged on errors...

on the server side i couldn't see a session from that user. later when i checked i noticed a session from the user and asked him to try mapping the drives... it worked fine....

note that the user was already logged into the computer using the same AD user account(which is also local administrator).

Hope this explains the problem better.

Thanks a lot and sorry again for the misunderstanding.
  • 0

#8
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
[quote]note that the user was already logged into the computer using the same AD user account(which is also local administrator).[/quote]
just to ask a silly question does this mean that there is a local admin account with the same name as the domain account...or is the user logging in with the domain account which has administrative permissions
  • 0

#9
neora

neora

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
there is a local admin account with the same name as the domain account... or rather... when the PC was in the domain the domain account domainname\username was made the local administrator of the machine.

this domain user does not have administrative privileges in the domain.
  • 0

#10
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
of course they do not...here's what my theory is...and this is ONLY a theory...
you should be able to accomplish all the tasks that the user needs by making their DOMAIN account part of the LOCAL administrators group (go to control panel > users> set them to administrator)...this SHOULD give them enough rights on the local machine to do their development.. then when they are in a remote site they should be logging onto the machine (laptop i assume) as their DOMAIN user not the local admin user of the same name...this MAY do it

i think what's going on here is the lack of a radius/tacacs/etc.. server that forces authentication upon remote access...what i THINK is going on is that since they are logging on as a local user instead of a domain user...then they aren't truly authenticating to the domain...which would explain the request for a PW on all drive maps and also may explain why you're not seeing the session.
  • 0

#11
neora

neora

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts

[quote]of course they do not...here's what my theory is...and this is ONLY a theory...
you should be able to accomplish all the tasks that the user needs by making their DOMAIN account part of the LOCAL administrators group (go to control panel > users> set them to administrator)...this SHOULD give them enough rights on the local machine to do their development.. then when they are in a remote site they should be logging onto the machine (laptop i assume) as their DOMAIN user not the local admin user of the same name...this MAY do it[/quote]



this is exactly what i've done... and on the remote site the user logs in as domain user... they never use a local account. :whistling: now u know my source of confusion.

edit: in fact none of the users use the local account in the PC...

Edited by neora, 12 October 2006 - 09:31 AM.

  • 0

#12
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
hmmm....funky issue indeed....

so as a recap...normal domain lan setup with a DC (that's also a file server...not the best practice but...you use what you've got)...all regular domain users etc...the users are configured locally to be members of the local administrator group...they take the pc home and fire up the vpn client which initiates the connection to the domain....once connected...the drives won't map...but they CAN go through network places to do what they need to do....

i'm still not 100% sure what's controlling authentication to the VPN...because something has to....the sporadic working/not working of the drive mapping is suggesting that this is an authentication issue for sure...

have you done any research into radius or tacacs? (i prefer radius as it's a little easier)...what kind of firewall/router are you using to control the vpn access?
  • 0

#13
neora

neora

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
i've done tacacs and radius on cisco routers...

but we use a netgear FVS318 firewall/router... too many eggs... i know.... we're planning on changing it though... depends on what my boss lets me buy... anyways.... safenet softremote vpn client....

but i think there is not much authentication here other than the one provided by the AD and windows file system security and sharing.

sometimes everything works so fine and start breathing normally and there you go...we are back to square 1 trying to authenticate... not panicking... just disappointed.....

and i've finished work and leaving for home now.... anyways i'll check back when i reach home...

thanks a lot :whistling:

hmmm mebbe i'm missing something silly and important part here... hmm there's gonna be a lot of hair pulling until i find it i guess

cheers..
  • 0

#14
neora

neora

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Today morning's scenario.... In run i used \\servername and it went in fine.... but when i used \\10.x.x.x(ip address of the same server) it asked for a log in and did not let the user in....

does that ring any bells??? hmmmm not for me...


edit: this is happening when the user is at work... as a trial i had put 2 shortcuts on the desktop. one with the servername and one with the ip address of the server... even here the one with the servername works fine and one with the ipaddress asks for a password and would not let in.. obviously... the user is already logged on(that's why the servername version worked ryt?)... but why is the ipaddr version of the path of the same server asking for the login again?

Edited by neora, 13 October 2006 - 03:18 AM.

  • 0

#15
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
wow....that's usually the opposite....usually the ip will work and the servername wont....what the huh?...i'm actually gonna ask for some extra eyes
  • 0
