Windows 7 VPN Connection Locks AD Account

I have a notebook running Windows 7 Ultimate that I use at home and at my office. The notebook is a member of the domain at my office and of course I login to the domain with my user's account. I have a completely different domain at home. There is a Cisco PIX 501 firewall at my house that is configured to allow L2TP VPN connections. I have the notebook configured as a VPN client using the native Windows 7 VPN. I have no problem connecting to my home network through the VPN. Within seconds after connecting through the VPN to the home network, my user Active Directory account in the domain at the office becomes locked-out as if I had entered an invalid password several times.

The domain controllers at both the office and home are running Windows Server 2003.

Prior to Windows 7, my notebook was running Windows XP Professional. I had no lockout problems when running Windows XP. The lockout problem was first noticed after moving the notebook to Windows 7.

Any thoughts or help on how to prevent the lockout would be greatly appreciated!

Thanks,
ds
DennisStackley asked:
andysapp commented:
Is it the same VPN client for your office and home? Are you using the same login name and password for both? Do you have the newest updated Cisco VPN client installed?
0
zubairk commented:
http://160.78.48.20/vpn/software/Windows/VersioniPiu'Aggiornate/vpnclient-win-msi-5.0.06.0160-k9.exe

That's the link for the latest VPN client. You should probably use that instead of the Windows 7 VPN client and see if you still have the same issue. Correct me if I'm wrong, but I do believe there might be compatibility issues with Win7 and Server 2003. Are both your servers up to date with the latest Windows updates? Also make sure your Windows 7 firewall is disabled along with Windows Defender (causes a lot of problems with Cisco VPN recently).

0
DennisStackley (Author) commented:
The VPN client being used is the one created from within Windows 7. It is not a Cisco VPN client. While at the office, I use the Windows 7 VPN client to connect with the Cisco PIX at home. To keep things simple, yes - the login name and password are the same for both domains (office and home).

So the VPN connection appears within Windows on my notebook as just another network connection.

Thanks!
0
1shop commented:
We have the same issue.  Domain Member laptops with Windows 7 when taken out of the office and VPN in remotely immediately lock the domain user account.  Unlocking the user account is not successful as it locks within seconds if the Windows 7 machine is still connected with the user logged in.

Detail:
User working remotely logs into the Windows 7 laptop using the locally cached domain profile.
User connects to the VPN.
User account gets locked on the DC in the office.
Unlocking the user account is successful; however, it locks within seconds if the laptop is still connected to the VPN.

VPN detail:
It's the Windows built-in VPN connection.
 - Network and Sharing Center > Set up a new connection or network > Connect to a workplace
     Create a new connection
     Use my Internet connection
     Enter the IP, check 'Don't connect now; just set it up so I can connect later'
     Enter the credentials and check off Remember password. (In our case this is not LDAP, so just a unique user name and password.)
     Click 'Create'

This same method works fine for XP and Vista. It's only Windows 7 laptops that lock domain user accounts.
0
1shop commented:
Found a fix... This is specific to the issue I defined for Windows 7 VPN locks domain user account.

Try following these steps:
1. Locate the .pbk file that contains the entry that you dial. To do so, click Start, type *.pbk in the search bar, and then press Enter.
2. Open the file in Notepad.
3. Locate the following entry: UseRasCredentials=1
4. Modify the entry to the following: UseRasCredentials=0
5. On the File menu, click Save, and then click Exit.

It has fixed our issues for multiple machines...  Hope it helps you out.
0
DennisStackley (Author) commented:
Thanks for the information 1shop, but my situation is a little different, with the results being the same. I am not remoting into the office. Instead I am at the office trying to remote into my home network. I searched for any *.pbk files on the notebook and none were found.

I have examined the domain controller security log and have determined that the notebook PC is requesting a Kerberos ticket granting ticket from the office domain controller within seconds after the VPN connection is established with my home network. Using Wireshark to analyze the network traffic between the notebook and the office domain controller confirmed this. Within a matter of seconds, the notebook sends an AS-REQ packet with a number of possible encryption types and other info to the office domain controller. The office domain controller responds with a KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED packet. The notebook then sends another AS-REQ packet with additional information. The office domain controller responds with a KRB Error: KRB5KDC_ERR_PREAUTH_FAILED. These exchanges go on until the maximum bad password count is reached, and then the user account becomes locked.

I discovered that starting with Windows 7 and Server 2008 R2, encryption type DES is not enabled by default. I enabled the DES types but this did not resolve the problem.

I have another remote network that does not have a Microsoft Windows Domain. The Cisco PIX firewall is configured the same. Upon successful connection to the network via VPN, no Kerberos packets are sent to the office domain controller.

Why should the notebook PC send Kerberos AS-REQ packets to the office domain controller after successfully connecting to the home network over VPN? The notebook PC should already have the Kerberos tickets it needs for the office network.

Thanks!!
0
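The security-log analysis above can be turned into a repeatable check. The following PowerShell is an added example, not code from the thread or from Microsoft: it summarises Kerberos pre-authentication failures (event ID 675 on Server 2003, 4771 on Server 2008 and later) by account and client address, so the host that is burning through the bad-password count stands out from normal mistyped logons. The function names and the sample messages are constructed for this example; on a real DC the events come from `Get-EventLog -LogName Security`.

```powershell
# Added example (not the thread's own code). Summarise Kerberos pre-auth failures
# by account and client address. Event 675 = Server 2003, 4771 = Server 2008+.

function ConvertFrom-PreauthFailureMessage {
    param([Parameter(Mandatory = $true)][string] $Message)
    # Both message layouts carry a user/account name, a client address and a
    # failure code; 0x18 is KDC_ERR_PREAUTH_FAILED, i.e. a wrong password.
    $user = $null; $addr = $null; $code = $null
    if ($Message -match '(?m)^\s*(?:User Name|Account Name):\s*(\S+)') { $user = $Matches[1] }
    if ($Message -match '(?m)^\s*Client Address:\s*(\S+)') {
        $addr = $Matches[1] -replace '^::ffff:', ''   # 2008+ logs IPv4-mapped IPv6 addresses
    }
    if ($Message -match '(?m)^\s*Failure Code:\s*(\S+)') { $code = $Matches[1] }
    New-Object PSObject -Property @{ User = $user; ClientAddress = $addr; FailureCode = $code }
}

function Get-PreauthFailureSummary {
    param(
        [Parameter(ValueFromPipeline = $true)] $InputEvent,  # needs TimeGenerated and Message
        [int] $LockoutThreshold = 5                           # set to the domain's lockout policy
    )
    begin { $rows = @() }
    process {
        $f = ConvertFrom-PreauthFailureMessage -Message $InputEvent.Message
        $rows += New-Object PSObject -Property @{
            Time = $InputEvent.TimeGenerated; User = $f.User
            ClientAddress = $f.ClientAddress; FailureCode = $f.FailureCode
        }
    }
    end {
        # One row per (account, source host): count, time window, and whether the
        # count alone is enough to trip the lockout policy.
        $rows | Group-Object User, ClientAddress | ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            New-Object PSObject -Property @{
                User          = $sorted[0].User
                ClientAddress = $sorted[0].ClientAddress
                Failures      = $_.Count
                FirstSeen     = $sorted[0].Time
                LastSeen      = $sorted[-1].Time
                LockoutLikely = ($_.Count -ge $LockoutThreshold)
            }
        } | Sort-Object Failures -Descending
    }
}

function New-SampleKerbFailure {
    # Constructed event 675-style message; only used for the offline demo below.
    param([datetime] $Time, [string] $User, [string] $Address, [string] $Code = '0x18')
    $msg = "Pre-authentication failed:`n`tUser Name:`t$User`n`tService Name:`tkrbtgt/OFFICE" +
           "`n`tFailure Code:`t$Code`n`tClient Address:`t$Address"
    New-Object PSObject -Property @{ TimeGenerated = $Time; Message = $msg }
}

# Constructed sample: five failures from one notebook within seconds (the pattern
# described in the thread) plus a single typo from another workstation.
$t0 = [datetime]'2010-03-01 09:15:00'
$sampleEvents = @(
    (0..4 | ForEach-Object { New-SampleKerbFailure -Time $t0.AddSeconds($_ * 2) -User 'dstackley' -Address '10.1.1.50' })
    (New-SampleKerbFailure -Time $t0.AddMinutes(3) -User 'jdoe' -Address '10.1.1.77')
)
$sampleEvents | Get-PreauthFailureSummary -LockoutThreshold 5 |
    Format-Table User, ClientAddress, Failures, FirstSeen, LastSeen, LockoutLikely -AutoSize

# Against a live domain controller (run with rights to read the Security log):
# Get-EventLog -LogName Security -Newest 5000 |
#     Where-Object { @(675, 4771) -contains $_.EventID } |
#     Get-PreauthFailureSummary -LockoutThreshold 5
```

The point of grouping on the client address rather than only the account is that a lockout caused by a single machine replaying stale credentials (the notebook here) looks very different from a distributed guess against one account: one row with a burst of failures seconds apart, versus many rows with one or two failures each.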
DennisStackley (Author) commented:
Problem Solved!

After establishing a VPN connection with the home network, which has a Windows domain the notebook is not a member of, a capture of packets at the home domain controller revealed that the notebook was connecting with it via tcp port 445. The notebook then established a connection with the home domain controller using tcp port 135.

I modified the Cisco PIX firewall to block all traffic between the VPN client (notebook) and the home network by removing the "sysopt connection permit-ipsec" statement from the config. I then added only the desired ports needed to the ACL for inbound traffic. After making these changes, I am now able to connect through the VPN without locking my Active Directory User account at work.

I tested further and discovered that by having tcp ports 445 or 139, the account gets locked. By blocking these ports, the account stays unlocked.

ds
0
kempeit (IS Admin) commented:
Hello, I also have a problem relating to Windows 7 VPNs and AD accounts being locked.

I personally believe it is a bug in the Windows 7 VPN client & Credential Manager.

It seems that Windows 7 uses the VPN password to authenticate the user for AD instead of keeping the VPN credentials and the AD credentials separate.

If the password is the same for the AD account and the VPN, everything is fine. This is a huge issue for me as I connect to many VPNs throughout my day; if I stop my account from being locked through GPO I am opening a huge security hole.

This happens both for me connecting to VPNs from my AD computer and for notebooks connecting to work via the VPN.

I don't think blocking the ports for authentication or setting the VPN password the same as the AD account password is a solution.

Does anyone know of a solution to this?

Thank you.
0
1shop commented:
Kempeit - please see my post above... Sounds like your issue is the exact same as mine.

By default the Windows 7 VPN connection config file gets set to use the VPN-provided credentials for all post-connection authentication... This works great for AD-authenticated VPN setups but not so well for simpler unique user ID and password VPNs, where the VPN credentials are different from the Active Directory account credentials.

The fix is actually really simple, provided you can find the *.pbk config file defining the settings for each VPN... Note that the default search settings in Windows 7 make finding the *.pbk file difficult.

Here is the default manual location (change the username to your own):
C:\Users\username\AppData\Roaming\Microsoft\Network\Connections\Pbk

** This is specific to the issue I defined for Windows 7 VPN locks domain user account in an earlier post above.

Try following these steps:
1. Locate the .pbk file that contains the entry that you dial. To do so, click Start, type *.pbk in the search bar, and then press Enter.
2. Open the file in Notepad.
3. Locate the following entry: UseRasCredentials=1
4. Modify the entry to the following: UseRasCredentials=0
5. On the File menu, click Save, and then click Exit.

It has fixed our issues for multiple machines... Hope it helps you out.
0
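The manual Notepad edit that 1shop describes in this post and in the earlier one is easy to script when several machines need the change. The PowerShell below is an added example, not code from the thread or from Microsoft: it finds every phonebook (.pbk) in the per-user folder 1shop posted and in the all-users companion folder under ProgramData, and rewrites `UseRasCredentials=1` to `0` for one named entry or for all entries, taking a `.bak` copy first and honouring `-WhatIf`. The function names are mine, and the sample phonebook written to %TEMP% is constructed so the script can be tried without touching a real connection.

```powershell
# Added example (not the thread's own code). Apply UseRasCredentials=0 to Windows
# RAS phonebook (.pbk) entries from PowerShell, with backup and -WhatIf support.

function Get-RasPhonebookPath {
    # Every .pbk in the two standard phonebook folders: per-user (the path 1shop
    # posted) and all-users under ProgramData.
    $folders = @(
        (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk'),
        (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk')
    )
    foreach ($dir in $folders) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Filter *.pbk -Recurse |
                Where-Object { -not $_.PSIsContainer }
        }
    }
}

function Set-PbkUseRasCredentials {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string] $Path,
        [string] $Entry,        # limit the change to one [Entry] section; omit for all entries
        [int]    $Value = 0     # 0 = do not reuse the VPN credentials after connecting
    )
    $section = $null
    $changed = 0
    # A .pbk is INI-style: [EntryName] headers followed by key=value lines.
    $newLines = foreach ($line in (Get-Content -LiteralPath $Path)) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; $line; continue }
        if ($line -match '^UseRasCredentials=(\d)\s*$' -and
            (-not $Entry -or $section -eq $Entry) -and
            [int]$Matches[1] -ne $Value) {
            $changed++
            "UseRasCredentials=$Value"
        } else {
            $line
        }
    }
    if ($changed -gt 0 -and
        $PSCmdlet.ShouldProcess($Path, "set UseRasCredentials=$Value in $changed entry(ies)")) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
        Set-Content -LiteralPath $Path -Value $newLines
    }
    New-Object PSObject -Property @{ Path = $Path; Changed = $changed }
}

# Constructed sample phonebook with two entries at the Windows default setting.
$samplePbk = Join-Path $env:TEMP 'sample-vpn.pbk'
@(
    '[Home VPN]',
    'Type=2',
    'UseRasCredentials=1',
    '',
    '[Tether]',
    'UseRasCredentials=1'
) | Set-Content -LiteralPath $samplePbk

# Change only the "Home VPN" entry, then show the result and the backup.
Set-PbkUseRasCredentials -Path $samplePbk -Entry 'Home VPN'
Get-Content -LiteralPath $samplePbk | Select-String 'UseRasCredentials'
Test-Path -LiteralPath "$samplePbk.bak"

# Real phonebooks on this machine, preview only; drop -WhatIf to apply.
Get-RasPhonebookPath | ForEach-Object { Set-PbkUseRasCredentials -Path $_.FullName -WhatIf }
```

Running with `-Entry` limits the change to the connection that actually uses separate credentials, which keeps the default for AD-authenticated VPNs where reusing the dial-in credentials is the desired behaviour. Hang up the connection before editing, since RAS reads the entry when it dials.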
DennisStackley (Author) commented:
Using the default path provided by 1shop, I was able to locate two *.pbk files. One appears to have been placed there by F5 Networks for my VPN connection to another corporate network. The other appears to have been placed there by PDANet for tethering with my DROID. I modified both files so that UseRasCredentials=0 and rebooted the notebook for good measure. I returned the Cisco PIX to its original state whereby all traffic from the notebook was allowed to flow across the VPN. The AD user account lockout problem returned.

I reset the Cisco PIX firewall so that all ports are blocked going across the VPN except those needed for pcAnywhere and Remote Desktop. No more AD user account lockout problem.

It would be nice to have all ports open, particularly those used for drive mapping, but for now I will restrict the flow.

Thanks,
ds
0
kempeit (IS Admin) commented:
1shop: Thank you, so far so good; after the change I didn't have the issue over the whole weekend!

It would be nice if Microsoft made a tickbox for this option instead of having to hack through the backend file :(

0
DennisStackley (Author) commented:
This solution did not resolve my problem but did help others.
0