Solved

ISA 2006 VPN + Active Directory Authentication

Posted on 2009-07-01
Last Modified: 2012-05-07
Hi,

We've been testing ISA2006 for VPN access. It's currently installed, and authenticating VPN connections against a RADIUS server.

We can add users to a setup VPN Security group to allow them access and that works great.

What I'd like to do though, is when someone logs into the VPN have it run their Active Directory login script, so they receive their mapped drives automatically.  

I've also noticed that when we try to map to UNC shares, it asks the user for their credentials. Is there any way to get the VPN connection to cache the login credentials and use them?

Hope this makes sense.

Thanks
Paul
Question by:pmason08

Accepted Solution

by: pwindell
ID: 24758375
When the users connect they need to be at the "Ctrl-Alt-Del" on their machine. They need to check the checkbox that says "Log on using Dialup Connection" and choose the correct VPN Connection. Their machines have to of course be Domain Members and they must be using Domain level user accounts. This might let their login scripts run, but if it doesn't then it just "ain't gonna happen". You will have to use a Batch file that is "shortcutted" into the Startup "folder" of the All Users Profile of the Start Menu so that it runs last after they are logged in.
Mapped drives... well, they are a thing of the past and you should get rid of them. Using Shortcuts based on the UNC path is 100 times better and more dependable. But if you feel you can't do without them, and the login scripts won't work, then you will have to use a Batch file that is "shortcutted" into the Startup "folder" of the All Users Profile of the Start Menu so that it runs after they are logged in. This batch file must first delete any mapped drive that might conflict, and then create the drives you want. If you don't do that it will generate errors (which will confuse the users) if they run the batch file manually after it has already mapped the drives.
I don't know about the second "prompt" for credentials; there are just too many different things that can cause that. But one thing I do know is that I would get rid of the RADIUS Server in a heartbeat and run the ISA as a Domain Member and allow it to authenticate the users against AD directly itself. This article might be a good read for you:
Debunking the Myth that the ISA Firewall Should Not be a Domain Member
http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html
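
The batch file described in this answer could look like the following. This is an added example, not part of the original answer; the server name, share names and drive letters are placeholders.

```batch
@echo off
rem Added example (not from the original answer): remap drives after the VPN logon.
rem The server name, share names and drive letters are placeholders.
setlocal

call :MapDrive H: \\fileserver.example.local\home
call :MapDrive S: \\fileserver.example.local\shared

endlocal
exit /b 0

:MapDrive
rem %1 = drive letter, %2 = UNC path.
rem Drop any existing mapping on this letter first. Errors are discarded so a
rem letter that is not mapped yet does not show a message to the user.
net use %1 /delete /y >nul 2>&1

rem Map with the logged-on domain account; no user name or password is stored
rem in the file. /persistent:no keeps Windows from restoring a stale mapping at
rem the next logon, before the VPN is connected.
net use %1 %2 /persistent:no >nul 2>&1
if errorlevel 1 echo Could not map %1 to %2. Check that the VPN is connected.
exit /b 0
```

Because each letter is deleted before it is mapped, running the file a second time by hand remaps the drives instead of reporting that they are already in use.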
 

Expert Comment

by:mcse2007
ID: 24776896
I wouldn't go down this path of mapping network paths while connecting via VPN... it will only frustrate the user. Why? If the mapped drives are Gb in size, it will take time for the VPN client to even view the folders, let alone open a file. Try enabling offline files.

UNC paths are also tricky, and many admins get trapped on this. To overcome this, try running the ISA log report where you can see the on time traffic, then do a UNC path from any machine; from the report, watch which protocol is being requested (it is Microsoft something like that), then stop the log, create a rule using that protocol, then try again.