
Companyweb prompting for Login from Remote Locations connected via Multitech VPN Routers

We have a client that has multiple sites throughout town. We have set up a hub and spoke topology with the SBS 2003 server located at a central location. Each site has an AD replicating all of the information locally from across the WAN. The sites are connected via a Multitech RF550VPN router. Connectivity, DNS, and email are working with no issue throughout the sites. Even connectcomputer works at a remote location. The issue currently is that when a user attempts to open companyweb from a remote site, you are prompted for a login. If you give your domain login, you have access to the site.

Here are some facts:
1 - http://companyweb resolution works with no issue from each site, ping and via IE
2 - All computers are members of the domain and users are logging in with their domain credentials
3 - All users are listed in the companyweb site as users of the companyweb site with proper permissions
4 - Each remote location IP scheme has already been granted access to the Companyweb virtual directory
5 - The clients have IE enabled for integrated windows authentication in the Internet Options - > Advanced -> Security section
6 - http://companyweb has been added to the trusted site list on each computer.
7 - Companyweb from the main location works with no authentication required
8 - Companyweb works with no issues from the remote location, once the user has entered their credentials

I am having a hard time determining the reason that the credentials, which are already there because the user is logged in to the domain, are not being passed to IE for companyweb authentication.  I do not want to open up the companyweb for anonymous access and then have the user log in when they hit something that is locked down.

Thanks in advance for your help....

Nick Hemmert
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Check to see if they don't get prompted for credentials if you use http://companyweb.domain.local instead of just the http://companyweb.  If this works, it's an issue with the DNS suffix search order.  You don't mention if the remote workstations are receiving their network settings via DHCP, but if they were the DNS suffix of domain.local would be configured for them.

Jeff
TechSoEasy
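The test Jeff describes (short name versus FQDN) can be scripted together with the two checks a practitioner would add: which Internet Explorer zone the name actually lands in, and what the server challenges with. The following is an added diagnostic example; it is not code from the thread or from either poster. It assumes PowerShell on the workstation (not present on the XP-era clients in this thread without installing it), that http://companyweb and companyweb.fah.local are the names under test (taken from the IPCONFIG output later in the thread), and that every function name is the example's own. Two things it makes visible on a default IE configuration: an explicit Trusted Sites entry for a dotless name overrides IE's "dotless name is Local intranet" rule, and the Trusted Sites zone's Logon setting defaults to "Automatic logon only in Intranet zone", which means a prompt; likewise a dotted name such as companyweb.fah.local falls into the Internet zone unless *.fah.local has been added to Local intranet, so the FQDN test can prompt even when DNS resolution is fine.

```powershell
# Added diagnostic example; this is not code from the thread or from either poster.
# Run on the affected workstation, as the logged-on domain user, for example:
#   Test-IntegratedAuth -Url 'http://companyweb'           | Format-List
#   Test-IntegratedAuth -Url 'http://companyweb.fah.local' | Format-List
# Assumed: all function names are the example's own; companyweb / fah.local are
# the names from the thread's IPCONFIG output.

$ZoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
# IE "Logon" security setting = DWORD value 1A00 under Zones\<id>
$LogonNames = @{ 0x00000 = 'Automatic logon with current user name and password'
                 0x10000 = 'Prompt for user name and password'
                 0x20000 = 'Automatic logon only in Intranet zone'
                 0x30000 = 'Anonymous logon' }
# Registry roots in the order IE honours them: policy first, then the user's own settings.
$IeRoots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-IeZoneForHost {
    param([string]$HostName, [string]$Scheme = 'http')
    # ZoneMap layout: a dotless name is ZoneMap\Domains\<name>; a dotted name is
    # ZoneMap\Domains\<last two labels>\<remaining labels>. The value name is the
    # scheme, its data the zone id. A wildcard such as *.fah.local sits on the
    # <last two labels> key itself, so that key is checked as a fallback.
    $labels = $HostName.Split('.')
    $keys = @()
    if ($labels.Count -ge 2) {
        $parent = 'ZoneMap\Domains\' + ($labels[-2..-1] -join '.')
        if ($labels.Count -ge 3) { $keys += $parent + '\' + ($labels[0..($labels.Count - 3)] -join '.') }
        $keys += $parent
    } else {
        $keys += "ZoneMap\Domains\$HostName"
    }
    foreach ($root in $IeRoots) {
        foreach ($key in $keys) {
            $v = Get-ItemProperty -Path "$root\$key" -Name $Scheme -ErrorAction SilentlyContinue
            if ($v) { return [int]$v.$Scheme }
        }
    }
    # No explicit entry: IE's default rule puts dotless names in Local intranet and
    # everything else in Internet (proxy-bypass entries are not modelled here).
    if ($labels.Count -eq 1) { return 1 } else { return 3 }
}

function Get-IeZoneLogonSetting {
    param([int]$Zone)
    foreach ($root in $IeRoots) {
        $v = Get-ItemProperty -Path "$root\Zones\$Zone" -Name '1A00' -ErrorAction SilentlyContinue
        if ($v) { return [int]$v.'1A00' }
    }
    return 0x20000   # IE's default for zones 1 to 3
}

function Get-AuthChallenge {
    param([string]$Url, [switch]$UseDefaultCredentials)
    # One request; returns the status and any WWW-Authenticate challenges.
    # 401 with Negotiate/NTLM only: the server side is fine, the client is not sending.
    # 401 with Basic only: Integrated Windows auth is off on the IIS virtual directory.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = [bool]$UseDefaultCredentials
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
    } catch {
        $ex = $_.Exception
        if ($ex -isnot [System.Net.WebException] -and $ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -isnot [System.Net.WebException] -or -not $ex.Response) { throw }
        $resp = $ex.Response   # a 401 arrives as an exception; keep its headers
    }
    $challenges = @()
    $vals = $resp.Headers.GetValues('WWW-Authenticate')
    if ($vals) { $challenges = @($vals) }
    $result = @{ Status = [int]$resp.StatusCode; Challenges = $challenges }
    $resp.Close()
    return $result
}

function Test-IntegratedAuth {
    param([string]$Url = 'http://companyweb')
    $uri = [Uri]$Url
    $target = $uri.Host
    # 1. Name resolution. A short name only works through the DNS suffix search list.
    try {
        $entry = [System.Net.Dns]::GetHostEntry($target)
        $canonical = $entry.HostName
        $resolved  = ($entry.AddressList | ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch {
        $canonical = $null
        $resolved  = "FAILED: $($_.Exception.Message)"
    }
    # 2. Which IE zone the name lands in, and whether that zone's Logon rule lets
    #    IE answer a Negotiate/NTLM challenge with the logged-on user's token.
    $zone  = Get-IeZoneForHost -HostName $target -Scheme $uri.Scheme
    $logon = Get-IeZoneLogonSetting -Zone $zone
    $willSend = ($logon -eq 0) -or ($logon -eq 0x20000 -and $zone -eq 1)
    # 3. What the server challenges with, and whether SSO works when the client
    #    does send current credentials (separates client faults from server faults).
    $anon = Get-AuthChallenge -Url $Url
    $sso  = Get-AuthChallenge -Url $Url -UseDefaultCredentials
    [PSCustomObject]@{
        Host                  = $target
        CanonicalName         = $canonical
        ResolvesTo            = $resolved
        IeZone                = '{0} ({1})' -f $zone, $ZoneNames[$zone]
        ZoneLogonSetting      = '0x{0:X5} ({1})' -f $logon, $LogonNames[$logon]
        IeWillSendCredentials = $willSend
        AnonymousRequest      = '{0}; challenges: {1}' -f $anon.Status, ($anon.Challenges -join ', ')
        DefaultCredsRequest   = $sso.Status
    }
}
```

Read the output in this order: if ResolvesTo fails for the short name but works for the FQDN, it is the DNS suffix problem Jeff describes; if IeWillSendCredentials is False, the name is in a zone whose Logon rule prompts (move it to Local intranet or change the zone's Logon setting, rather than adding it to Trusted sites); if the anonymous request returns 401 with only Basic, the fix is on the IIS side; if DefaultCredsRequest is 200 while IE still prompts, the server accepts the domain token and the fault is entirely in the client's zone configuration.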
abilityto (Author) commented:
Jeff -

Thanks for the quick response. Each remote location has a W2K3 Standard server that is hosting Active Directory, serving DHCP for that location, file sharing, My Documents redirection, and DNS.

I went out to http://companyweb.domain.local at 2 of the sites.  Still getting prompted for a login.

Thanks,
Nick
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Can you then please post an IPCONFIG /ALL from a remote workstation as well as from the SBS?  Thanks.

Jeff
TechSoEasy
abilityto (Author) commented:
Remote server... also can't open Companyweb without login:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : fkcsrvr2
   Primary Dns Suffix  . . . . . . . : FAH.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : FAH.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-13-72-14-A5-B2
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.4.2.41
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.4.2.1
   DNS Servers . . . . . . . . . . . : 10.4.2.40
                                       192.168.2.10
                                       10.4.2.1
   Primary WINS Server . . . . . . . : 10.4.2.40
   Secondary WINS Server . . . . . . : 192.168.2.10


SBS Server
Windows IP Configuration

   Host Name . . . . . . . . . . . . : FAH-SBS
   Primary Dns Suffix  . . . . . . . : FAH.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : FAH.local

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.123
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Lan:

   Connection-specific DNS Suffix  . : fah.local
   Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
   Physical Address. . . . . . . . . : 00-11-11-2D-A2-52
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 192.168.2.10
   Primary WINS Server . . . . . . . : 192.168.1.10
   Secondary WINS Server . . . . . . : 10.4.2.20


At another remote facility yesterday, where clients were able to open companyweb (see details below):

Windows IP Configuration

   Host Name . . . . . . . . . . . . : FVSRVR1
   Primary Dns Suffix  . . . . . . . : FAH.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : FAH.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-13-72-13-89-AE
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.4.1.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.4.1.1
   DNS Servers . . . . . . . . . . . : 10.4.1.40
                                       192.168.2.10
                                       10.4.1.1
   Primary WINS Server . . . . . . . : 10.4.1.40
   Secondary WINS Server . . . . . . : 192.168.2.10

We were migrating the data for users from the facility with the SBS server to this new facility. There are 5 laptops and 1 desktop. Before a roaming profile was sent to the 1 desktop yesterday, the machine was a part of the domain and I was logging in with the admin account, and Companyweb did not come up without login. The profile for the user was migrated over the WAN (20 minutes) and I didn't know the user was going to log in; we then rebooted the machine. When the machine came back online, logged in with the user account, companyweb came up with no login. I then went over to the 5 laptops, not a roaming profile, but all originated at the location where the SBS server is, and they can all open companyweb with no login.

After doing this, I was even more confused on the issue, so I went to the server at this location, FVSRVR1, and opened companyweb, got the login.  This makes me think that there is a file or something that is on those machines that is allowing the credentials to be passed.  The server has the settings in IE to integrate login.  

I then went over to the other site just to confirm that the issue is still happening, that would be the first IPCONFIG above, and it is still happening on clients and the server.  These clients were never located at the main office where the SBS server is and never had a roaming profile come across the wire.

Thanks,
Nick
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Yep... when you add a computer to an SBS domain you use the http://<servername>/connectcomputer method (or at least you're supposed to). But that method does not work over a VPN, because of the potential to crash the VPN: one of connectcomputer's tasks is to upgrade an XP machine to SP2 if it isn't already.

So, what exactly does connectcomputer do? For one, it installs the SBS's certificate on the workstation -- which can be installed remotely quite easily by going to https://<servername>/remote and then viewing the certificate and installing it to the default path. Or, while on the VPN, you can go to \\<servername>\clientapps\SBScert and double-click the certificate to install it.

Connectcomputer also does all of this stuff:  http://sbsurl.com/connectcomputer

Jeff
TechSoEasy
abilityto (Author) commented:
Jeff -

I am not sure you are replying to my post here.  My issue isn't with connect computer.

Nick
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Well, yes it is, because you didn't use it.  And, since you can't use it over a VPN you need to replicate what it does, or take each machine back to where the SBS is and join it to the domain while it's there.

Jeff
TechSoEasy
abilityto (Author) commented:
Jeff -

Actually it was run at the remote locations. See my first post: "Even connectcomputer works at a remote location." Every machine was run successfully via connectcomputer.

What are the items that cause a machine to not look at the cached credentials from the domain and pass them to the browser?  Something is causing each machine to not pass the credentials.  I mentioned it being a file or something like that in my last post, because machines that were located at the main location and then were moved to a new location recently are all able to pull up companyweb.  The only machines at that location that cannot is the server which was never plugged in at the main location.

Nick
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
My post at http:Q_21852462.html#16702966 provided you with the item which is probably not installed on the workstation and is causing credentials to be requested again.  However, I seriously doubt that connectcomputer was successfully run while a computer was connected via VPN because SBS inhibits that behavior.

Jeff
TechSoEasy
abilityto (Author) commented:
Jeff -

I went ahead and installed the certificate onto one of the servers at a remote location and it is still prompting for the credentials.  I installed the cert from both the UNC path in clientapps and from going to remote web workplace.  I then did the cert install on a client at a location, and still the credentials.  There should not be a need for a reboot?

Also, just to be clear, we are not using the connection manager VPN.  We have a VPN tunnel from our main location to the remote locations.

Thanks Jeff....
Nick

Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
In reviewing your IPCONFIGs again, it seems as though you have an error in your SBS WINS IP:
Primary WINS Server . . . . . . . : 192.168.1.10

I believe that should be 192.168.2.10

Truthfully, I am not a good source for answers to complex routing issues... but I do know where to find good answers about this, and I have always followed this guide when deploying extended SBS networks:

http://www.microsoft.com/technet/itsolutions/network/evaluate/technol/tcpipfund/tcpipfund_ch14.mspx

I think you'll find a lot of info there about the passthrough authentication issues.

Regarding your user profiles: how do you have Roaming Profiles configured???  Are you using DFS to store the profiles?  If not, you really should be with this type of decentralized configuration.  You'll find all the info about this at http://sbsurl.com/postinstall (look at both the Roaming Profiles and Distributed File System sections).

Jeff
TechSoEasy
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
You probably also want to look at the very last posting in this forum thread:
http://episteme.arstechnica.com/groupee/forums/a/tpc/f/469092836/m/584006448731

Jeff
TechSoEasy
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
I also happened upon this thread...http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_frm/thread/54862527a64e27af

Further thinking about your roaming profiles.  I would NOT use roaming profiles at all until you get your DNS and routing under control.  Roaming profiles are actually not usually recommended with SBS anyhow... they tend to overcomplicate things and much of what a roaming profile accomplishes can be done in other ways.

But at least try NOT using them until you get this other part resolved.

Jeff
TechSoEasy
abilityto (Author) commented:
Jeff -

We definitely do not do roaming profiles between sites. That would be business suicide. We don't have enough bandwidth and our customer would not like that. My statement was that we HAD a roaming profile going between sites; it was after the profile copied, then I turned it off, that companyweb didn't require the login anymore. It was something in that profile that is allowing the credentials to pass.

I will review the above google entry.  Please let me know if you have any other ideas.
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Can you confirm that you haven't modified the default Active Directory Structure?  Are all users in the \MyBusiness\Users\SBSUsers OU?  

Did you create ALL users with the Add-User wizard applying one of the default User Templates?

Jeff
TechSoEasy
abilityto (Author) commented:
Yes, all users show up in that view in AD. I also verified that all users are listed in the Users area of Server Management, since that just reads that view.

The only thing that stuck out in the documents on that google entry was that we use a hardware firewall in the multitech as opposed to routing and remote access.  But that should not cause credentials to not be passed.

To add to this, we placed a brand new laptop into one of the locations yesterday and, after "successfully" running connectcomputer, companyweb came up with no login. We ran connectcomputer on the other clients at this location 2 weeks ago and they are still having issues. As you mentioned before, you don't think that connectcomputer successfully finished. So we are still missing the one component that allows this to happen.

Nick
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Since you have successfully joined the new laptop, you probably should unjoin, rename and rejoin the other workstations to achieve the same result. Please follow these steps:

The following needs to be done with the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Ensure that DHCP is enabled and there are  no manually configured network settings
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computers if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with its NEW name using the Add Computer wizard

Then, go back to the client machine and join the domain by opening Internet Explorer and navigating to http://servername/connectcomputer

Obviously, unless you have your remote DC configured correctly, http://servername/connectcomputer will not resolve.

Jeff
TechSoEasy