Solved

Windows password strategy - remote users over VPN

Posted on 2006-06-21
10
242 Views
Last Modified: 2007-08-27
Hi all,

I have a client using Windows Small Business Server 2000 who has a number of remote users. These users predominantly have laptop machines, all of which are on the SBS Windows 2000 domain, the users logging into their machines using a cached domain profile, and connecting to the office LAN over VPN (currently a Linux-based Smoothwall implementation, soon to be Cisco PIX). They authenticate to the VPN using signed certificates and then authenticate to Windows resources on the LAN using the credentials cached when they logged onto the laptop.

Currently the users have static passwords, i.e. password expiry is NOT enabled on the domain. The client wants to move to a more secure environment, in other words to enable password expiry, but in the past I have had problems when the domain account password expired and the machines were remote; the user would be able to log into the laptop (as it was off the LAN, the machine was unaware of the expired pw) and connect to the VPN, but then there would be a password mismatch and the user would be unable to get to networked resources. All of this would happen in quite an ugly way, in other words no nice dialogue popping up telling the user that their pw had expired and they needed to change it.

So I guess my question is, how can this be achieved without the aforementioned ugliness? I can't put that in as a solution as the users wouldn't be able to handle it.

Thanks!
Question by:georgemason
10 Comments
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 16950577
Some VPN client software allows a complete domain login via VPN, meaning the tunnel is established right from the logon screen and the user credentials are verified against the AD, which also allows the user to change the password when required.
I'm not sure if you can do this with your VPN software, i.e. by using the dial-up network to establish the tunnel from the logon screen...
LVL 1

Author Comment

by:georgemason
ID: 16950657
Not possible I'm afraid, not at the moment anyway.

The client is using the ZyWALL IPSec client at the moment, which doesn't include that functionality, and I'm pretty sure the Cisco VPN client doesn't either.
LVL 28

Accepted Solution

by:
Michael Pfister earned 250 total points
ID: 16951003
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_data_sheet0900aecd801a9de9.html

FEATURES AND BENEFITS
:
• Support for Microsoft network login (all platforms)
:

So it should be able to do it.
LVL 9

Expert Comment

by:NYtechGuy
ID: 16951450

yes, once the PIX VPN is setup you can have the VPN client startup before login.

/justin
LVL 1

Expert Comment

by:grigory7811
ID: 16951464
You can use e-mail notification to warn users about password expiration before the password really expires.
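The expiry arithmetic behind such a notification is easy to get wrong, so here is an added example (not code from anyone in this thread) of the check a warning script has to make for each account. It assumes the raw attribute values have already been pulled from the domain over LDAP: pwdLastSet per user (a Windows FILETIME, 100-ns intervals since 1601), userAccountControl per user, and the domain's maxPwdAge (a negative count of 100-ns intervals). The users and the 42-day policy below are constructed sample data, and the function names are this example's own. The edge cases it handles are the ones that bite remote users: "must change at next logon" (pwdLastSet = 0), "password never expires" (flag 0x10000), a domain with no maximum age, and passwords that have already expired while the laptop was off the LAN.

```python
"""Work out which domain accounts need a password-expiry warning.

Constructed example: attribute values are given inline instead of being
read from Active Directory over LDAP.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl flag bits
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# maxPwdAge value meaning "passwords never expire" (as well as 0)
NEVER_EXPIRES = -0x8000000000000000


def filetime_to_datetime(ft):
    """FILETIME (100-ns intervals since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME; used only to build the sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def max_pwd_age_to_timedelta(max_pwd_age):
    """maxPwdAge is stored negative; None means the domain never expires passwords."""
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None
    return timedelta(microseconds=-max_pwd_age // 10)


def password_expiry(user, max_pwd_age, now):
    """Return (status, days_left).

    status is one of 'disabled', 'never', 'must_change', 'expired', 'ok';
    days_left is whole days until expiry (negative when already expired).
    """
    uac = user.get("userAccountControl", 0)
    if uac & UF_ACCOUNTDISABLE:
        return "disabled", None
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never", None
    age = max_pwd_age_to_timedelta(max_pwd_age)
    if age is None:
        return "never", None
    pwd_last_set = user.get("pwdLastSet", 0)
    if pwd_last_set == 0:
        # Admin ticked "user must change password at next logon"
        return "must_change", 0
    remaining = filetime_to_datetime(pwd_last_set) + age - now
    if remaining <= timedelta(0):
        return "expired", remaining.days
    return "ok", remaining.days


def users_to_warn(users, max_pwd_age, now, warn_days=14):
    """Accounts that should get a mail: expiring within warn_days, expired, or must-change."""
    result = []
    for user in users:
        status, days = password_expiry(user, max_pwd_age, now)
        if status in ("expired", "must_change") or (status == "ok" and days <= warn_days):
            result.append((user["sAMAccountName"], days))
    return result


# ---- constructed sample data (the thread's posting date as "now") ----
NOW = datetime(2006, 6, 21, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE_42_DAYS = -(42 * 24 * 3600 * 10_000_000)   # domain policy: 42 days

SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": UF_NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=35))},   # 7 days left
    {"sAMAccountName": "bob", "userAccountControl": UF_NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},   # 32 days left
    {"sAMAccountName": "carol", "userAccountControl": UF_NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=50))},   # expired 8 days ago
    {"sAMAccountName": "dave", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},  # never expires
    {"sAMAccountName": "erin", "userAccountControl": UF_NORMAL_ACCOUNT,
     "pwdLastSet": 0},                                                # must change at next logon
    {"sAMAccountName": "frank", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=50))},   # disabled, ignore
]

if __name__ == "__main__":
    for name, days in users_to_warn(SAMPLE_USERS, MAX_PWD_AGE_42_DAYS, NOW):
        print(f"{name}: {days} day(s) until password expiry")
```

Run it against NOW and the 42-day policy and it lists alice (7 days), carol (-8, already expired) and erin (0, must change); bob, dave and frank are left alone. How the warning is delivered is up to the mail tooling on the server; the point of the check is that a remote user whose laptop only sees cached credentials gets told in advance, instead of discovering the mismatch when file shares stop working over the VPN.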
LVL 1

Author Comment

by:georgemason
ID: 16951794
Very interesting! Now I definitely have a motive to install the PIX sooner rather than later.

It's a bit off the original topic but does anyone know how one gets the Cisco VPN client to start up before logon?
LVL 13

Expert Comment

by:marine7275
ID: 16951810
If you had used a Juniper or WatchGuard firewall, you would not be in this mess. Just playing.

Have you ever thought about using a ssl vpn?
LVL 1

Author Comment

by:georgemason
ID: 16951846
Hadn't thought about it, no. Not against the idea although for this implementation the device will be a PIX - partly because I like them, more because I've already bought it and I don't need another one!!

I don't follow how an SSL VPN would solve this issue though? Of Windows password synchronisation I mean?
LVL 13

Expert Comment

by:marine7275
ID: 16951991
Using an SSL VPN would negate your having to mess with VPN clients. You would only have to worry about Windows passwords.
LVL 1

Author Comment

by:georgemason
ID: 16952025
The VPN clients aren't causing a problem here though. The clients authenticate using certificates at the moment, so no problem. The only problem I guess is the fact that I need the tunnel up before they log on, which seems do-able with the Cisco offering, so no worries.

All I need to find out is how to do it!