AD Authentication for Remote Users

So, I have been googling trying to find a decent solution for this, and I'm not really finding anything. I'm not sure if that is because there isn't a decent solution for it, or because the keywords I am using are coming up with different stuff. So hopefully someone out there knows of something; I can't imagine I'm the first person looking to do this.

We run an Active Directory Domain (Server 2008 R2 Domain Controllers across the board) in 4 locations (Chicago, San Francisco, Germany, London). We also have several employees who work from home (Sales People and such). I am looking for a decent solution that would allow the work-from-home people and traveling people to be able to authenticate against our Active Directory Domain Controller. Currently we just set the travelling people's AD Account passwords to never expire because they have no way of changing them while they are on the road. This creates problems when they forget their password and we can't reset it for them because they are in Texas (we could reset it, but their computer would have no way of knowing that we changed their password).

So, I am looking for a secure solution that would allow users to authenticate against AD while outside of our network. And if that is not possible, then is there a recommended solution for resetting AD Passwords while on the road? Like some kind of web portal or something?
Grasty86 asked:
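The workaround described in the question (setting the travelling users' passwords to never expire) is easy to lose track of, so it helps to have a report of which accounts carry that flag and how stale their passwords are. The following PowerShell is an added example and not something posted in the thread; it assumes the RSAT ActiveDirectory module is installed, that the caller has read access to the domain, and that the 90-day threshold and the example OU path are placeholders to be replaced with your own values.

```powershell
# Added example (not from the thread): report enabled AD accounts whose password
# never expires, with the password age and last logon date, so the accounts can be
# returned to the normal expiry policy once users have a way to change passwords
# remotely (VPN start-before-logon or DirectAccess as discussed in the thread).
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-NeverExpiringPasswordReport {
    param(
        # Assumed policy threshold; replace with your domain's maximum password age.
        [int]$MaxPasswordAgeDays = 90,
        # Optional OU to limit the search, e.g. "OU=Sales,DC=example,DC=com" (placeholder).
        [string]$SearchBase = $null
    )

    $params = @{
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $true'
        Properties = 'PasswordLastSet', 'LastLogonDate', 'PasswordNeverExpires'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        # PasswordLastSet is null when the account must change its password at next logon.
        $age = if ($_.PasswordLastSet) {
            (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days
        } else { $null }

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            PasswordAgeDays = $age
            LastLogonDate   = $_.LastLogonDate
            # Flag accounts whose password is older than the policy would normally allow.
            OverPolicyAge   = ($null -eq $age) -or ($age -gt $MaxPasswordAgeDays)
        }
    }
}

# Report only; nothing is modified. To put an account back under the expiry policy
# once that user can change passwords remotely, run per account:
#   Set-ADUser -Identity <SamAccountName> -PasswordNeverExpires $false
Get-NeverExpiringPasswordReport -MaxPasswordAgeDays 90 |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Run it from a domain-joined admin workstation; the `OverPolicyAge` column is the list of accounts to clear first, since those are the ones that have been exempt from rotation the longest.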
Nick Rhode (IT Director) commented:
There is a feature with the Cisco VPN to connect before login. So the user would connect to the VPN tunnel, so when they log in they are authenticating against Active Directory through it.
0
Grasty86 (Author) commented:
Our VPN requires domain credentials to connect. Would it then take the credentials you are supplying to your laptop and use those to connect to the VPN and then to AD? Or would it have to be pre-connected somehow?
0
Emmanuel Adebayo (Global Windows Infrastructure Engineer - Consultant) commented:
Hi,

Do you have a VPN solution in place?

How do your users currently authenticate to the office from home to access the network resources?

If you can provide more information about your existing VPN solution, that would let us look at what you have and see whether modifications can be made or entirely new solutions proposed.

I look forward to reading from you.

Regards
0
Grasty86 (Author) commented:
We provide some of our users with VPN Access using the Cisco VPN Client. We provide it the Host address of our ASA. When connecting it prompts the user for a username and password (Their AD Credentials). Beyond that we pre-configure the VPN Client with a group authentication username and password.

Also @NRhode, I'm not seeing any options in the Cisco VPN Client for connecting at logon.
0
Emmanuel Adebayo (Global Windows Infrastructure Engineer - Consultant) commented:
OK, the group authentication occurs first, and if the user belongs to this group the RADIUS server checks the authentication against your AD.

Is this what is happening?

Regards
0
Nick Rhode (IT Director) commented:
This is it:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809f0d75.shtml

They will get a box that pops up to allow them to connect to the VPN before actually signing in on their system. This means they are connected to the network when they actually log in, so it will authenticate to the domain (offsite).
0
Emmanuel Adebayo (Global Windows Infrastructure Engineer - Consultant) commented:
0
Grasty86 (Author) commented:
OK, thanks for the info, but the problem still exists that if they forget their AD password then they are SOL. We wouldn't be able to reset it for them because they need their AD credentials to connect.

Is there anything else besides what you have suggested?

And yes @giveandtake, that is my understanding of what happens.
0
Grasty86 (Author) commented:
@give

You posted that while I was posting. I'm at lunch right now; I'll review it when I get back.
0
Nick Rhode (IT Director) commented:
They won't be SOL on password change, because then they would be signing in to the VPN with their updated credentials and then logging in to their system with them as well, because the VPN is established so they are then connected to the network.
0
Grasty86 (Author) commented:
You are correct, my mistake.
0
Cliff Galiher commented:
DirectAccess is designed for these types of scenarios. Since the machine establishes a network connection BEFORE logon, cached credentials are no longer an issue. Plus there is a myriad of other benefits as well.
0
Grasty86 (Author) commented:
Looking at some info on DirectAccess, it appears to be the best option. Thanks cgaliher.

Thanks for all the info regarding the VPN stuff, but we are a little concerned about the user experience of seeing multiple logins every time they boot up, as well as the pain of getting the SBL stuff enabled for remote users but not for non-traveling users, and easily switching back and forth as internal users visit customer sites and such. Sounds like a bit of a mess.
0
Grasty86 (Author) commented:
Thanks for the info.
0