Issues accessing network resources over VPN

Many VPN users who work from home have trouble accessing network resources. Listed below are the most common scenarios I hear from users.

  • Unable to access shared folders (which are located on Windows servers)
  • Unable to access SharePoint sites
  • Network drive mapping fails
  • Unable to print, and many more…

Notice that all the resources they cannot reach are integrated with Active Directory and require authentication from AD.

Why?

All organizations have password policies that make passwords expire after a certain number of days. When users log in to a computer that is joined to the domain, they get a password expiry reminder a few days before the password expires: “Your password will expire in 7 days. Do you want to change it now?” You should be familiar with this annoying prompt.

But users connecting through VPN do not get this reminder unless they take a Remote Desktop session to a machine in the network and log in there. They will not even be aware that their password has expired. They will still be able to connect to the network through VPN because, in most cases, the VPN user accounts are not authenticated against AD; many companies nowadays use RSA servers to authenticate VPN users. After the domain password expires, these users will not be able to access shared folders hosted on Windows servers, SharePoint sites (which are usually integrated with Active Directory), network printers and a few other resources. I have underlined the words Windows servers because the users will still be able to access shared folders on a Unix or Linux server to which they have permission, as those servers do not authenticate them using Active Directory.

Two different ways VPN users log in to their laptops:

VPN users usually log in to their laptops in one of two ways:

  • The first category of users log in with a local username that was created for them by their system administrators. They then connect to the VPN and access the resources. This is inconvenient most of the time, as they are prompted for the domain username and password every time they access a shared drive or any other resource that is authenticated by AD.
  • The second category of users log in with their domain user account. On these laptops the local cache for storing credentials is enabled by setting the option “Interactive logon: Number of previous logons to cache (in case domain controller is not available)” to any number above zero. This option can be found in the Group Policy editor (gpedit.msc) under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

The Big mess – Passwords not synchronized on the local cache and the domain controller:

The second category of users will not be prompted for any domain credentials when accessing the network resources to which they have access. They will have no issues as long as they reset the password regularly from the same computer by pressing Ctrl+Alt+Del while connected to the VPN. But they end up in a big mess if they reset the password from a different computer, either when they go to the office or when they connect to another desktop through Remote Desktop (RDP). This is what happened to one of the users: she was not aware that her password was about to expire, she connected to a machine through Remote Desktop, it prompted her to change the password, and she did. Now the password on the domain controller was different from the one in the local cache. Every time she tried to open any link on the SharePoint site or any shared drive, she was prompted for a username and password. I had the user connect to the VPN and then walked her through resetting the password by pressing Ctrl+Alt+Del, but it popped up the error “The password does not meet the password policy requirements…”. This is because the user had reset the password 2 days earlier and the password policy has a minimum password age of 14 days. I tried resetting the password from AD with the option “User must change password at next logon” enabled, but the same error popped up when she tried to change it. Then I worked it out in a different way, described below, which resolved the situation.
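To check both conditions described above on a domain-joined laptop (whether cached domain logons are enabled, and whether the domain password is still inside its minimum age or about to expire), here is an added PowerShell diagnostic that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed and a domain controller is reachable (for example over the VPN); the `$SamAccountName` parameter is a hypothetical input.

```powershell
# Added example, not from the original post: report the cached-logon setting
# and the domain password age of one account against the policy that applies.
# Assumes the RSAT ActiveDirectory module and a reachable domain controller.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName   # hypothetical input
)

# 1. Cached logon setting. This registry value is what the Group Policy option
#    "Interactive logon: Number of previous logons to cache" writes.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }   # Windows default when the value is absent
$cachedLogonEnabled = [int]$cached -gt 0

# 2. Domain password age against the policy that actually applies to the user.
#    A fine-grained password policy wins over the default domain policy if assigned.
Import-Module ActiveDirectory
$user   = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, PasswordNeverExpires
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

if ($null -eq $user.PasswordLastSet) {
    # pwdLastSet is 0: an admin reset with "User must change password at next logon"
    $canChangeNow = $true
    $expires      = 'at next logon'
} else {
    $age          = (Get-Date) - $user.PasswordLastSet
    # Inside the minimum age, a user-initiated change is refused with
    # "The password does not meet the password policy requirements".
    $canChangeNow = $age -ge $policy.MinPasswordAge
    $neverExpires = ($user.PasswordNeverExpires -or
                     $policy.MaxPasswordAge.TotalDays -le 0 -or
                     $policy.MaxPasswordAge.TotalDays -gt 36500)
    $expires = if ($neverExpires) { 'never' } else { $user.PasswordLastSet + $policy.MaxPasswordAge }
}

[pscustomobject]@{
    User                 = $user.SamAccountName
    CachedLogonEnabled   = $cachedLogonEnabled
    CachedLogonsCount    = [int]$cached
    PasswordLastSet      = $user.PasswordLastSet
    MinPasswordAge       = $policy.MinPasswordAge
    CanChangePasswordNow = $canChangeNow
    PasswordExpires      = $expires
}
```

Run it from an elevated PowerShell session on the affected laptop while the VPN is up; `CanChangePasswordNow = False` explains the policy error from the story above, and `CachedLogonEnabled = True` confirms the laptop belongs to the second category of users.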

How to Synchronize the passwords stored in the local cache and the domain controller:

  1. Open the Cisco VPN client.
  2. Navigate to Options -> Windows logon properties.
  3. Check “Enable start before logon” and “Allow launching of applications before logon” and click OK.



  4. Then restart the laptop.
  5. Once it has restarted and you press Ctrl+Alt+Del to log in, the Cisco VPN client opens before you even log in to the machine. Connect to the VPN as you usually do.
  6. Reset the user’s password from the Active Directory Users and Computers console with the option “User must change password at next logon” enabled, and provide it to the user.
  7. Now, when the user tries to log in with the new password you provided, he/she will be prompted to change the password.


Screenshot of AD password reset

Now the user can successfully change the password, and the passwords on the domain controller and in the local cache are synchronized.
Comments (1)
  • Tom Thompson  - Alternative Way
    If you have the time, here is a simple way.

    1) Connect via VPN.
    2) Let timeout happen.
    3) Use new password at login screen.

    I did it by accident while reading these instructions and getting distracted!