shivranjini
Network Drive map authentication Problem

Hi all,

I have an interesting problem and quite urgent. I'm pretty new to this field so please bear with me.

I am in the process of setting up (or have already set up and am troubleshooting) VPN access for the road warriors. The VPN gateway is a Netgear firewall/router and the VPN client is SafeNet SoftRemote on Windows XP. VPN works fine.

I noticed that the network drives mapped in the local network do not work when the user tries to access them through the VPN. It seems to be a common problem (why?), so I made a batch file with net use commands to remap the drives.

Since we couldn't map the drives through the VPN using the server name (Win2k3), we decided to use the UNC path to map the drives both in the LAN and through the VPN. It worked fine once or twice. But now when the user comes to the office network and tries to map the drives it asks for a login... when one is given, it says the user is already logged in. If the user is already logged in then why would it ask for a login?

The user is logged in as the network user. The network user is also the administrator of the laptop. The network user account is always used to log in to the laptop. But if the user waits for some time (an hour or so) then he is able to map the drives and log in fine.

Can anybody please guide me on how to solve this haunting problem or a better way to do this?

Thank you in advance. :)
Stekman99

Hi,

Try this, it might solve your problem. Back up your registry so you can easily undo the changes.

On the client machine which the user is logging on to, force Kerberos to use TCP instead of UDP:

1. Start Registry Editor.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Note: If the Parameters key does not exist, create it now.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type MaxPacketSize, and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
6. Quit Registry Editor.
7. Restart your computer.


Good luck,
Stefan
Hi

Turn off the firewalls and then check it once


ASKER

Thanks Stekman99... I will try making the changes in the registry as you suggested.

Thanks jalilthe1... the only firewall in the client machine is the one that came with the VPN client, and it is always disabled when in the office network... otherwise we wouldn't be able to access anything.

Thank you for your fast response...

Stefan, I have made the changes in the registry as you mentioned. The user will have to go home and come back to the network to try it out... So we will know the results of the registry changes by then.

The problem is still not over, because then the VPN is not much use: the user cannot access the network drives using the server name when connected through the VPN. But he can access the services (like CVS and Project Central) on other servers in the same network using the server name.

Thanks a lot again.
johnb6767
This is a silly question. Is there any type of Offline Files, Folder Redirection or roaming profiles in place?

Instead of mapping to \\server\share, will it work using \\server's FQDN\share, or \\server's IP\share?

If there is any redirection going on, then the laptops could be in an offline state until they reconnect via the CSC subsystem (Client Side Caching, or Offline Files and Folders).

To force a reconnect, type mobsync /logon at the Run command; that syncs, and forces a server reconnect.

I know this sounds off the wall, but if you try to access a server that the laptop thinks is offline, you will not be able to reach it (cannot find the specified path) by \\UNC NAME. Only \\FQDN and \\IP, until it reconnects to an online mode. It is by design from M$.


 
Hi again,

Not really sure about that one because of limited info about your configuration, but you could try this:

Configure the default Remote Access Policy for "No encryption" in the security.
1. Launch the Routing and Remote Access MMC (Start\Programs\Administrative Tools\Routing and Remote Access).
2. Expand the tree for Routing and Remote Access and click on "Remote Access Policies".
3. Right click on the default policy and select "Properties".
4. Click the "Edit profile" button and click the "Encryption" tab.
5. Make certain that the "No encryption" box is selected and click OK until you are out of the properties page.
6. Check correct operation of VPN clients.
Hi Johnb6767,

That does make sense, because the user does have offline files and that is why we want to use one kind of network path: the OS keeps different copies of offline files for different path names (IP or server name) to the same share. This login problem is also there when the offline files try to sync.. They prompt for a login (we used to use the IP in the path) and it does not let the user in and keeps asking for the password. At that point it would let him in if we used the server name. But then the offline files would be different.

Are you saying that in the scenario I mentioned, if I give the mobsync /logon it would solve the problem??

Thanks again for being patient with me. :)
If it is prompting for a login, it is reaching the share, but authentication is failing... Try domain\username and the password. The scenario I suggested shouldn't display that type of behaviour, it wouldn't be able to find the paths at all..

And the problem is not with offline files in that scenario, but with cached profiles primarily...

You could always give it a try though, it may solve some other problems, like when you go to the offline files and don't see everything, then run the command and see if it all pops up....
Hi shivranjini,

Your user's drives not being mapped sounds normal to me, as they are probably mapped through a policy. Since they are not within the IP address range, the policy will not run for them. Stekman99's suggestion should help.

If you go into properties for the IP for the VPN, (Cisco?), what is your DNS setting?
If it is blank you will not be able to resolve the server names.

cheers,
frankco
Thanks John.. I think the problem is with authentication and cached profiles.. we always use the domain\username to log in :(

frankco... the drives are not mapped through a policy.. they are mapped manually using a batch file, since the user has to log into the computer, then connect to the internet, then connect the VPN, then run the batch file to get the drive maps. It is then that the drives are not mapped using the server name but only using the IP address... I don't know if it's a name resolution problem, because the user can access CVS and Project Central using the server name (a different server) in the paths...

Stefan... I really don't know what the Routing and Remote Access MMC really does (I'm fairly new to system administration :D)... is it to impose policies during remote login? So many things to learn :)

Anyway, I have asked the user to see if he can at least ping the server in question by its name... will know the results tomorrow. Sorry for the late reply. Had to go fix something else.

Thanks a lot ppl :)
Hi

I was off sick and that is why the delay. The user can connect to the VPN fine and ping the server by its name. But when trying to map the drive using the net use command it gives the following error.

C:\Documents and Settings\user>ping servername

Pinging tollie.ecebs.com [aaa.bbb.ccc.xxx] with 32 bytes of data:

Reply from aaa.bbb.ccc.xxx: bytes=32 time=50ms TTL=127
Reply from aaa.bbb.ccc.xxx: bytes=32 time=48ms TTL=127
Reply from aaa.bbb.ccc.xxx: bytes=32 time=55ms TTL=127
Reply from aaa.bbb.ccc.xxx: bytes=32 time=55ms TTL=127

Ping statistics for aaa.bbb.ccc.xxx:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 48ms, Maximum = 55ms, Average = 52ms

C:\Documents and Settings\user>net use L: \\servername\library
System error 53 has occurred.

The network path was not found.
What about mapping with using either IP or FQDN...

C:\Documents and Settings\user>net use L: \\server's IP\library
C:\Documents and Settings\user>net use L: \\servername.com\library

??
Did you mean \\servername.domainname.com\library ????

I will ask the user to try it out.
Yes sorry, wasn't sure what your FQDN was going to be, so just did the short version....
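The troubleshooting step above (try the short name, the FQDN and the IP, and read the "System error N" that `net use` prints) can be scripted so that the three layers a plain `ping` cannot distinguish are tested separately: DNS resolution, TCP port 445 reachability, and the SMB session itself. The script below is an added example written for this page, not code posted by anyone in the thread; the host names, domain and share are constructed placeholders. The error table decodes the Win32 codes that `net use` commonly reports: 53 (network path not found, as in the output above), 67 (share name not found), 5 (access denied), 1326 (logon failure) and 1219 (a session to the same server already exists under different credentials).

```powershell
# Added example for this thread, not code posted by any participant.
# Walks the three path forms suggested above (short name, FQDN, IP) and
# separates name resolution, TCP/445 reachability and the SMB session
# itself, decoding the "System error N" that net use prints.
# Host names, domain and share below are constructed placeholders.
param(
    [string]$Server = 'servername',                # placeholder short name
    [string]$Fqdn   = 'servername.domainname.com', # placeholder FQDN
    [string]$Ip     = '192.0.2.10',                # RFC 5737 documentation address
    [string]$Share  = 'library'
)

# Win32 error numbers that net use reports; the number tells you which layer failed.
$netUseErrors = @{
    53   = 'ERROR_BAD_NETPATH: name resolved but no SMB server answered on that path (port 445 blocked, wrong name, or the client thinks the server is offline)'
    67   = 'ERROR_BAD_NET_NAME: server reached, but the share name does not exist'
    5    = 'ERROR_ACCESS_DENIED: authenticated, but no permission on the share'
    1326 = 'ERROR_LOGON_FAILURE: wrong user name or password (try DOMAIN\user)'
    1219 = 'ERROR_SESSION_CREDENTIAL_CONFLICT: a session to this server already exists under other credentials; run "net use" to list it and "net use \\server\share /delete"'
}

function Test-SmbPath {
    param([string]$Target, [string]$Share)
    $result = [ordered]@{ Target = $Target; Resolves = ''; Port445 = ''; NetUse = '' }

    # 1. Name resolution, skipped for a literal IP address
    $parsed = $null
    if ([System.Net.IPAddress]::TryParse($Target, [ref]$parsed)) {
        $result.Resolves = 'n/a (IP literal)'
    } else {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($Target) | ForEach-Object { $_.IPAddressToString }
            $result.Resolves = $addrs -join ','
        } catch {
            $result.Resolves = 'FAILED'
            return [pscustomobject]$result      # nothing further can work
        }
    }

    # 2. TCP 445 reachability; an ICMP reply proves nothing about SMB
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, 445, $null, $null)
        $result.Port445 = if ($async.AsyncWaitHandle.WaitOne(3000)) { 'open' } else { 'timeout' }
    } catch {
        $result.Port445 = 'refused'
    } finally {
        $client.Close()
    }

    # 3. Open an SMB session to the share without binding a drive letter, then drop it
    $unc = "\\$Target\$Share"
    $out = & net.exe use $unc /persistent:no 2>&1
    if ($LASTEXITCODE -eq 0) {
        $result.NetUse = 'OK'
        & net.exe use $unc /delete /y | Out-Null
    } else {
        $text = ($out | Out-String)
        if ($text -match 'System error (\d+)') {
            $n = [int]$Matches[1]
            $result.NetUse = if ($netUseErrors.ContainsKey($n)) { "$n $($netUseErrors[$n])" } else { "System error $n" }
        } else {
            $result.NetUse = $text.Trim()
        }
    }
    [pscustomobject]$result
}

foreach ($t in @($Server, $Fqdn, $Ip)) {
    Test-SmbPath -Target $t -Share $Share
}
```

Run it from the VPN-connected laptop as the same user who runs the batch file. A row that resolves and has port 445 open but still returns 53 points at the client-side state (offline files, a stale session) rather than the network; a row that resolves but shows "timeout" on 445 points at the tunnel or a firewall rule; 1219 means an earlier connection to that server is still held under different credentials, which `net use` with no arguments will list.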
Hi,

I did some research.. It seems to be a server security issue. Try this:

The relevant registry key is "RequireSecuritySignature" under HKLM\System\CurrentControlSet\Services\LanManServer\Parameters. They changed the default from 0 to 1 in Server 2003. If you can tolerate the (relatively minor) security implications, you can change it back and get things working right away.

Cheers,
Stefan
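Before setting RequireSecuritySignature to 0 on the server, it is worth seeing both sides of the signing negotiation, because the same mismatch can be resolved on the client without removing the server's protection. The script below is an added example for this page, not Stefan's or anyone else's code. It assumes a local Windows machine and an elevated PowerShell prompt; it reads the server-side (LanManServer) and workstation-side (LanmanWorkstation) SMB signing values and the Kerberos MaxPacketSize value from the registry keys discussed in this thread, reports any that are absent, and checks whether this machine as a client could talk to a server that requires signing. The optional -HardenClient switch enables (not requires) signing on the client, which is the editor's suggested alternative, not a step from the thread.

```powershell
# Added example for this thread, not code posted by any participant.
# Audits the SMB signing and Kerberos registry values discussed above on the
# local machine and reports whether this client would negotiate with a file
# server that requires SMB signing. Key paths are the real Windows keys.
param(
    [switch]$HardenClient   # enable client-side signing instead of weakening the server
)

$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$krbKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means "value absent", which is itself worth reporting rather than guessing a default.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.$Name
}

function Test-SmbSigningCompatible {
    param($ServerEnable, $ServerRequire, $ClientEnable, $ClientRequire)
    # SMB1 signing negotiation: a side that requires signing only talks to a
    # peer that has signing at least enabled. Absent ($null) values are treated
    # as unknown and do not trigger a mismatch; the report shows them for review.
    if ($ServerRequire -eq 1 -and $ClientEnable -eq 0 -and $ClientRequire -ne 1) { return $false }
    if ($ClientRequire -eq 1 -and $ServerEnable -eq 0 -and $ServerRequire -ne 1) { return $false }
    $true
}

$state = [ordered]@{
    ServerEnable          = Get-RegDword $serverKey 'EnableSecuritySignature'
    ServerRequire         = Get-RegDword $serverKey 'RequireSecuritySignature'
    ClientEnable          = Get-RegDword $clientKey 'EnableSecuritySignature'
    ClientRequire         = Get-RegDword $clientKey 'RequireSecuritySignature'
    KerberosMaxPacketSize = Get-RegDword $krbKey    'MaxPacketSize'   # 1 forces Kerberos over TCP
}
foreach ($entry in $state.GetEnumerator()) {
    $v = if ($null -eq $entry.Value) { '(not set)' } else { $entry.Value }
    '{0,-22} {1}' -f $entry.Key, $v
}

# Could this machine, as a client, reach a server configured like the Server 2003
# default described in the thread (RequireSecuritySignature = 1)?
$ok = Test-SmbSigningCompatible -ServerEnable 1 -ServerRequire 1 `
        -ClientEnable $state.ClientEnable -ClientRequire $state.ClientRequire
"Client can talk to a signing-required server: $ok"

if ($HardenClient -and -not $ok) {
    # Enabling signing on the client satisfies a signing-required server without
    # lowering the server's setting. Requires an elevated prompt.
    Set-ItemProperty -Path $clientKey -Name 'EnableSecuritySignature' -Value 1 -Type DWord
    'Client EnableSecuritySignature set to 1; reconnect to test.'
}
```

One caveat a practitioner should know when editing LanManServer\Parameters by hand: RequireSecuritySignature is also controlled by the security policy "Microsoft network server: Digitally sign communications (always)", which the Default Domain Controllers Policy enables on a 2003 domain controller. The Security Settings extension reapplies that policy at every refresh even when nothing has changed, so a registry edit on a DC will silently revert; `gpresult /h report.html` shows which GPO is supplying the value.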
It's ok John, I was just confirming.

Stefan,

I will try this out anyway to see if there is any difference. It would be helpful if you could tell me or point me to a resource which would explain the security implications of this. Thanks a lot. I will try this out and get back.

Have a nice weekend.


Cheers,
Shiv
Hi Stefan,

I changed the registry settings the way you suggested. The user went offsite, tried the VPN and mapped the network drives without the server asking for a login. Everything looked promising until he tried it again.

When the user tried \\servername the window showed only the three shared folders that are mirrored. In My Computer there were only local copies of the mirrored drives. The net use script failed. And when the user tried to sync there was a login prompt, and when trying to log in the message received was "LOGON unsuccessful Username already taken".

This does sound like the problem due to SMB signing... But I did change the reg settings for that.... hmmmmmm

Any  more ideas?
Hi again,

I just realised why it is not working... the changes that I did to the registry do not seem to be staying, i.e. I changed 'RequireSecuritySignature' to '0', then restarted the server (I thought that would have been the problem when the change did not stay the first time). I did that yesterday and today I checked the registry entry and it is back to '1'... how is that happening? Is there something that could push it back to that setting?


I would be thankful for any help.

Cheers,
Shiv
ASKER CERTIFIED SOLUTION
Stekman99
Hi Stefan,

Thank you. I checked the link the very same day you posted it and changed the policy setting that reflects the registry changes. Now the registry settings are staying. But our core problem still has not been solved.. I was so hoping it would be. The user tested it by accessing the resources after connecting to the VPN from home. Since he couldn't map the network drives (the bat file with net use commands) he tried to access the resources directly from the server (it is both the file server and a DC.. I know it's not good practice.. but that's all we've got now)... so he tried //servername in Run and he's prompted for a login. He gives his username and password and it seems to say "the user cannot be logged in because it is already in use". Now I see this DWORD in HKLM\System\CurrentControlSet\Services\LanManServer\Parameters called "AutoDisconnect" and its value is set to 15. I searched on it and the Microsoft site does not seem to have anything on such a thing other than in HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters. Do you think that AutoDisconnect would have anything to do with the problem we are going through???

Hope we're not back to square one. I am getting tired of this problem. :( Thanks for your patient help.

Thanks everybody..

Hoping to find a solution soon.

Cheers,
Shiv
The AutoDisconnect value should only affect mapped drives from being automatically disconnected..... XP disconnects them at this specified interval (15 minutes default)...

Where do you stand with the problems now? What are the symptoms, has anything changed?