ADDS users locked out when connected via L2TP or PPTP RAS

Hi there,

We have several domain-joined Windows 7 PCs for home office which connect via Sophos RAS (PPTP & L2TP). The VPN user is authenticated against a RADIUS server (RSA token) behind the UTM 9.

All connections over the VPN in our domain work well without any hassles, but as soon as a user opens a network path, e.g. \\dc\netlogon, the user is locked out within seconds. This happens only when the VPN is used. The same PCs connected directly to the LAN have no problems at all. I tried a bunch of tools to log Kerberos traffic but have no clue what's going on. I don't see any firewall issue (e.g. TCP 88 UDP blocked). Other PCs which are not domain members don't show this behaviour.

Firmware version: 9.304-9, Pattern version: 93760

Your help is highly appreciated!



  • Assuming you're using MS IAS/RADIUS for authentication, I would turn on extensive security logging on the DC and then look for account locked entries. That will tell you the source machine that is causing the lockout. Once you know that, you can go to that machine, probably the RADIUS server, and start looking at why it's attempting so many logins and what credentials it's trying to send.
  • Hi hgriffith,

    thank you so much for your suggestion.

    Our RADIUS server is RSA; the origin of the lockouts is always a Windows 7 client, not the RADIUS server. I thought the lockouts come from cached bad passwords, but that is not the case. Authentication doesn't result in lockouts, but connections to the DC do.
  • In the past I've seen Outlook do this. And you're correct in that cached credentials usually cause the issue. But since you say it only happens via VPN, I would think it might be something to do with the credentials being used for the VPN itself. Maybe Windows is trying to use the VPN credentials for apps or the OS when trying to connect and that's causing the issue?
  • Windows 7 tries to use the VPN credentials as domain-login. The credential manager stores the VPN credentials as a session entry. These credentials are then being used when accessing network resources. You can disallow the credential to be stored in the Credential Manager by setting the following registry entry to 1: community.sophos.com/.../73895
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    Value Name: DisableDomainCreds
    Value Type: REG_DWORD
    Value: 1

    That seems to work! Thank you!

    Not a Sophos-related issue at all!
  • Thanks for posting back the solution!
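
The registry fix posted above, as an added example that is not part of the original thread: a PowerShell script that reports the current `DisableDomainCreds` value on a client and sets it to 1 only when asked. The `-Enforce` switch and the output property names are hypothetical; the syntax is kept compatible with the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the thread). Run from an elevated prompt on the VPN client.
# DisableDomainCreds is the registry value behind the security policy
# "Network access: Do not allow storage of passwords and credentials for network authentication".
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enforce   # hypothetical switch: without it the script only audits
)

$lsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$valueName = 'DisableDomainCreds'
$wanted    = 1

function Get-LsaValue {
    # Returns the DWORD, or $null when the value does not exist
    $item = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { $item.$valueName } else { $null }
}

$before  = Get-LsaValue
$changed = $false

if ($Enforce -and $before -ne $wanted) {
    if ($PSCmdlet.ShouldProcess("$lsaKey\$valueName", "Set REG_DWORD to $wanted")) {
        # -Force creates the value or overwrites an existing one
        New-ItemProperty -Path $lsaKey -Name $valueName -PropertyType DWord `
            -Value $wanted -Force | Out-Null
        $changed = $true
    }
}

$after = Get-LsaValue

# One result object per machine, easy to collect when run across several clients
New-Object PSObject -Property @{
    Computer  = $env:COMPUTERNAME
    Before    = $(if ($null -eq $before) { '(not set)' } else { $before })
    After     = $(if ($null -eq $after)  { '(not set)' } else { $after })
    Compliant = ($after -eq $wanted)
    Changed   = $changed
}

# List what Credential Manager currently holds, so a VPN session entry
# stored before the change can be spotted
cmdkey.exe /list
```

Run it without `-Enforce` first to see which clients are affected, then with `-Enforce -WhatIf` to preview the change. Reboot the client and reconnect the VPN before retesting access to the network path.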