?
Solved

ISA 2006 VPN + Active Directory Authentication

Posted on 2009-07-01
2
Medium Priority
?
744 Views
Last Modified: 2012-05-07
Hi,

We've been testing ISA2006 for VPN access.  Its currently installed, and authentication VPN connections against a Radius server.

We can add users to a setup VPN Security group to allow them access and that works great.

What I'd like to do though, is when someone logs into the VPN have it run their Active Directory login script, so they receive their mapped drives automatically.  

I've also noticed that we try to map to UNC shares, it asks the user for their credentials, is there any way to get the VPN connection to cache the login credentials and use them?

Hope this makes sense.

Thanks
Paul
0
Comment
Question by:pmason08
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 2000 total points
ID: 24758375
When the users connect they need to be at the "Crl-Alt-Del" on their machine.  They need to check the checkbox that says "Log on using Dialup Connection" and choose the correct VPN Connection.  Their machines have to of course be Domain Members and they must be using Domain level user accounts.    This might let their login scripts run,..but if it doesn't then it just "ain't gonna happen". You will have to use a Batch file that is "shortcutted" into the Startup "folder" of the All Users Profile of the Start Menu so that it runs last after they are logged in.
Mapped drives,...well they are a thing of the past and you should get rid of them.  Using Shortcuts based on the UNC path is 100 time better and more dependable.  But if you feel you can't do without them, and the login scripts won't work then you will have to use a Batch file that is "shortcutted" into the Startup "folder" of the All Users Profile of the Start Menu so that it runs after they are logged in.  This batch file must first delete any mapped drive that might conflict, and then create the drives you want,...if you don't do that it will generate errors (which will confuse the users) if they run the batch file manually after it has already mapped the drives.
I don't know about the second "prompt" for credentials,..there are just too many different things that can cause that.  But one thing I do know is that I would get rid of the RADIUS Server in a heartbeat and run the ISA as a Domain Member and allow it to authenticate the users agains AD directly itself.  This article might be a good read for you.....
Debunking the Myth that the ISA Firewall Should Not be a Domain Member
http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html
 
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 24776896
I wouldn't go this path mapping network path while connecting via VPN.......it will only frustrate the user. Why, if the drives mapping have Gb in size, it will takes time for the VPN client to even view the folders let alone opening a file. Try enabling the offline files.

UNC path is also a tricky one and many admin get trap on this. To overcome this try running ISA log report where you can see the on time traffic, then do a UNC path from any machine, from the report watch which protocol is being requested (it is microsoft something like that), then stop the log, create a rule using that protocol then try again.
0

Featured Post

Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses
Course of the Month12 days, 13 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question