ssmith764

XP Credentials do not pass through correctly using VPN

Hi, I have a strange problem with Windows XP. Here is the setup:

Windows 2003 domain, XP Clients.
Outlook in cached mode, My documents redirected to their home drive and synchronizing at logon and logoff.
Remote users have ADSL / Broadband and connect to the office using SonicWall VPN Client. Nearly all users connect successfully and work on shared files, Outlook etc with no problems. 3 Users have the following problem:
They connect the VPN connection successfully.
Outlook does not connect. After about 5 minutes a login prompt appears from the Exchange server. If the user inputs their credentials they receive a message stating that this combination of username/password has already been tried. They get the same message when trying mapped drives.

I have got all three users to login at the office and they have no problems. Their passwords are set to never expire.
Now the really weird bit - At the office I have a separate ADSL line for testing purposes. I connect these users' machines on this line, connect the VPN client and everything works fine. The users take the machines home and have the same problems. From their homes with the VPN connected they can ping any server by IP address or FQDN. I can make Remote Desktop connections to them and remote connections from the clients to the servers. If they map a drive from their machine the same password problem occurs but if I enter different credentials the mapping works fine.
All three users are using different ISPs. One is AOL, one is cable (Telewest), the other is ADSL from a BT reseller.

Any ideas anyone?

Thanks

Stewart
carl_legere

Try lowering the client's MTU.
Go right for the jugular and set it to 1300, see if it helps, then bump up in increments of 40.

http://www.dslreports.com/drtcp
ssmith764

ASKER

Where would I set the MTU? On the router or the client?
Ok, just read the page from the link. I will try this.
If the issue is fragmentation and solved by MTU, then you know that the router is the problem, but you tweak the situation to your benefit on the workstation.
By "the router is the problem" I mean the router at the remote location, not the SonicWall.
Hi Carl,

I have tried this on 2 of the users' machines but it still does not work. Telewest, NTL and AOL have also been no help at all. I saw an article which suggested that the MTU when using VPNs on AOL should be 1400. I have tried this but still no joy. Also the user that I thought was using ADSL is actually on NTL cable and I think that NTL and Telewest are now the same company. We have approx 20 remote users who connect with no problem at all; most of them use ADSL.
Update on this question:

I have tried the following:

Created a test user - joe bloggs - and logged in to each affected user's machine as this user and created an Outlook profile. Tested this user on the ADSL line in the office. All 3 users have then tried to connect from home as this user. They are ABLE to connect as this user with Outlook and mapped drives with no login prompts.

I have deleted their profiles from the machines and re-added them. They still cannot connect.
I have deleted their user accounts and mailboxes and recreated them. This still does not work. I have given a user a brand new laptop out of the box and set them up on it and he cannot connect using this either.
All users work fine on the ADSL line in the office. The problem seems to point to their ISPs, but if this is the case why does the test user work on all their home connections?
Help!
I have now opened a case with Microsoft and will post the results here.
Here's the fix if anyone's interested:
Kerberos packets are sent as UDP by default. Certain users' Kerberos packets can exceed the Windows 2003 limit of 1465 bytes and will be fragmented. These will be dropped if they arrive out of order. The fix is to force Kerberos to use TCP so any dropped packets will be re-sent.

http://support.microsoft.com/?id=244474
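
The fix above attributes the failures to fragmented Kerberos UDP datagrams arriving out of order. As an added example (not from the thread or from Microsoft), this Python function takes raw IPv4 packets, such as those exported from a capture on an affected client, and classifies every fragmented UDP port 88 datagram as in-order, out-of-order or incomplete. The addresses, sizes and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

KERBEROS_PORT = 88  # KDC port; UDP is the default transport described above

def ip_fragments(src, dst, ident, l4_payload, chunk=1480):
    """Split an L4 payload into minimal IPv4 fragments (constructed test data)."""
    out = []
    for off in range(0, len(l4_payload), chunk):
        part = l4_payload[off:off + chunk]
        more = 0x2000 if off + chunk < len(l4_payload) else 0  # MF flag
        out.append(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(part), ident,
                               more | (off // 8), 64, 17, 0, src, dst) + part)
    return out

def classify_kerberos_fragments(packets):
    """Map (src, dst, ip_id) -> 'in-order' | 'out-of-order' | 'incomplete'
    for each fragmented UDP datagram whose first fragment shows port 88."""
    groups = defaultdict(list)
    for raw in packets:
        ihl = (raw[0] & 0x0F) * 4
        total_len, ident, flags_frag = struct.unpack("!HHH", raw[2:8])
        offset, more = (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000)
        if raw[9] != 17 or (offset == 0 and not more):
            continue  # not UDP, or not fragmented
        groups[(raw[12:16], raw[16:20], ident)].append(
            (offset, total_len - ihl, more, raw[ihl:ihl + 4]))
    result = {}
    for key, frags in groups.items():  # frags are kept in arrival order
        first = [f for f in frags if f[0] == 0]
        # Ports exist only in the first fragment; without it we cannot attribute.
        if not first or KERBEROS_PORT not in struct.unpack("!HH", first[0][3]):
            continue
        ordered = sorted(frags, key=lambda f: f[0])
        ends = [0] + [off + length for off, length, _, _ in ordered]
        contiguous = all(f[0] == end for f, end in zip(ordered, ends))
        if not contiguous or ordered[-1][2]:
            result[key] = "incomplete"      # a gap, or the last fragment is missing
        elif frags != ordered:
            result[key] = "out-of-order"    # the case the fix says gets dropped
        else:
            result[key] = "in-order"
    return result

# Constructed sample: a 1600-byte Kerberos reply over UDP, too big for one frame.
KDC, CLIENT = bytes([10, 0, 0, 5]), bytes([192, 168, 1, 20])
def sample_reply(ident, size=1600, sport=KERBEROS_PORT):
    udp = struct.pack("!HHHH", sport, 1055, 8 + size, 0) + b"\x00" * size
    return ip_fragments(KDC, CLIENT, ident, udp)
```

Any `out-of-order` or `incomplete` entries seen only on the failing home connections would be consistent with the diagnosis above.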