    MS VPN connection; Account locked

    IT Discussion
    Tags: aduc, security, account lockouts, surfacepro3, surface pro 3, laptop
    18 Posts 7 Posters 4.1k Views
    • scottalanmiller

      This isn't very normal AFAIK, so I think getting to the bottom of the account problem is the place to start.

      • momurda @scottalanmiller

        @scottalanmiller I agree.

        @gjacobse What type of VPN connection? Domain functional level? Does this only happen with people using wifi to connect to the VPN? Are these workstations domain members?
        Are there possibly replication issues, so that account lockouts aren't being replicated to the DC you're checking in a timely manner?
        Are there any errors on the file server, DC or workstation about bad username/password?

        • gjacobse @momurda

          @momurda said in MS VPN connection; Account locked:

          @scottalanmiller I agree.

          @gjacobse What type of VPN connection? Domain functional level? Does this only happen with people using wifi to connect to the VPN? Are these workstations domain members?
          Are there possibly replication issues, so that account lockouts aren't being replicated to the DC you're checking in a timely manner?
          Are there any errors on the file server, DC or workstation about bad username/password?

          Generally we have them sign on while on the domain network. After that they sign into the computer, then connect to the VPN with static creds.

          AD applies to the computer then. These computers are domain joined, but at remote, random locations.

          • scottalanmiller @gjacobse

            @gjacobse said in MS VPN connection; Account locked:

            Generally we have them sign on while on the domain network. After that they sign into the computer, then connect to the VPN with static creds.

            AD applies to the computer then. These computers are domain joined, but at remote, random locations.

            I'm not following. How do they sign on to the domain if the VPN isn't up?

            • gjacobse @scottalanmiller

              @scottalanmiller said in MS VPN connection; Account locked:

              I'm not following. How do they sign on to the domain if the VPN isn't up?

              Windows Cached Credentials.

              • scottalanmiller @gjacobse

                @gjacobse said in MS VPN connection; Account locked:

                Windows Cached Credentials.

                That's not signing into the domain. That's signing onto the laptop. There is a big difference.

                • scottalanmiller

                  To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.

                  • momurda @gjacobse

                    @gjacobse said in MS VPN connection; Account locked:

                    Windows Cached Credentials.

                    I would think the problem lies here, with old cached creds.
                    Control Panel > User Accounts > View your credentials

                    There are probably old/expired creds here for connecting to the file server.
                    The script you're using to get by this gets info from the server and works because the info (username/password the user needs to re-enter to get mapped drives) is current.

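An added worked example (not posted by anyone in this thread) of the two checks momurda's reply points at: on the domain controllers, find which machine is the source of the lockouts, and on the workstation, list and clear the stored credentials that Control Panel > User Accounts > Credential Manager shows. The account name `jdoe` and the target `FILESRV01` are placeholders; the event property indexes are the standard layout of events 4740 and 4625 but are stated here as an assumption, so check them against one event with `(Get-WinEvent ...).Properties` before relying on the output.

```powershell
# Added example, not from this thread. Part 1 runs on the PDC emulator as a
# domain admin; part 2 on the host named as the caller; part 3 on the
# affected workstation as the affected user. 'jdoe' and 'FILESRV01' are
# placeholder names.
$user = 'jdoe'

# --- 1. PDC emulator: every lockout is forwarded here, so this is the one DC
#        where the picture is complete even when replication between DCs is
#        slow. Event 4740 names the account (property 0) and the "caller
#        computer" that sent the bad passwords (property 1, assumed index).
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 500 |
    Where-Object { $_.Properties[0].Value -eq $user } |
    Select-Object TimeCreated,
        @{ n = 'Account';        e = { $_.Properties[0].Value } },
        @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }
$lockouts | Format-Table -AutoSize

# --- 2. The caller is typically the file server or the VPN/RAS box. On that
#        host, event 4625 (logon failure) shows the client IP that keeps
#        retrying; SubStatus 0xC000006A means "wrong password", which is the
#        signature of a stale stored credential rather than a typo.
#        (Assumed indexes: 5 = TargetUserName, 9 = SubStatus, 19 = IpAddress.)
$caller = ($lockouts | Select-Object -First 1).CallerComputer
if ($caller) {
    Get-WinEvent -ComputerName $caller -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 |
        Where-Object { $_.Properties[5].Value -eq $user } |
        Select-Object TimeCreated,
            @{ n = 'SourceIP';  e = { $_.Properties[19].Value } },
            @{ n = 'SubStatus'; e = { '0x{0:X8}' -f [uint32]$_.Properties[9].Value } } |
        Format-Table -AutoSize
}

# --- 3. Workstation: Credential Manager is what the Control Panel path above
#        displays. An entry for the file server that still holds the
#        pre-change password is replayed on every drive-map attempt.
cmdkey /list | Select-String -Pattern 'Target:'

# Remove the stale entry (placeholder target), then drop any Kerberos tickets
# that were issued under the old password so the next logon starts clean.
cmdkey /delete:FILESRV01
klist purge
```

Run part 1 before touching any client: if the caller computer is the VPN server or a file server rather than the user's own laptop, the stored credential or saved VPN profile on that laptop is the usual culprit, and clearing it (part 3) plus a fresh logon fixes the loop without anyone changing the password again.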
                    • JaredBusch @scottalanmiller

                      @scottalanmiller said in MS VPN connection; Account locked:

                      To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.

                      Correct. This is the problem. Always.

                      • Mike Davis

                        @JaredBusch said in MS VPN connection; Account locked:

                        Correct. This is the problem. Always.

                        How does that work when they are on a wifi connection that doesn't connect until after they log in to their laptop?

                        • gjacobse @scottalanmiller

                          @scottalanmiller said in MS VPN connection; Account locked:

                          To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.

                          Following up

                          How do you do that if the location you are at (hotel) requires pre-auth prior to accessing the internet? That captive portal page will kill that.

                          • JaredBusch @Mike Davis

                            @Mike-Davis said in MS VPN connection; Account locked:

                            How does that work when they are on a wifi connection that doesn't connect until after they log in to their laptop?

                            It doesn't. That is generally a large problem.

                            • JaredBusch @gjacobse

                              @gjacobse said in MS VPN connection; Account locked:

                              Following up

                              How do you do that if the location you are at (hotel) requires pre-auth prior to accessing the internet? That captive portal page will kill that.

                              Yes, and that kills all sorts of things. When doing this, you can generally just reboot again and the hotel wifi still has you authorized.

                              If it doesn't, you are relying on pure luck that all the right Kerberos pieces are still valid.

                              • Grey @Mike Davis

                                @Mike-Davis said in MS VPN connection; Account locked:

                                How does that work when they are on a wifi connection that doesn't connect until after they log in to their laptop?

                                You said these are Surface devices, and that makes me presume that they're Windows 10. If you STOP and LOOK at your login screen, you'll see that you can connect to wifi before logging in.

                                I looked over the thread seeking information on the VPN and didn't see what kind of vpn you're using. Is it MS? Cisco? OpenVPN? Do these VPN tools that you're using allow you to connect at sign-in? If you're using MS VPN, did you consider using DirectAccess?

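An added example, not from this thread or from Microsoft's documentation, of the "connect at sign-in" setup Grey asks about for the built-in Windows VPN client: a VPN profile created as an all-user connection is offered from the network icon on the logon screen, so the tunnel can be up before the user signs in and the logon is serviced by a DC rather than by cached credentials (the VPN-first flow scottalanmiller describes). The server name, tunnel type and authentication method are assumed placeholders; run it as an administrator on the client.

```powershell
# Added example, not from this thread. Creates a VPN profile that every user
# on the machine (including the logon screen) can dial. Server name, tunnel
# type and auth method are placeholders for this example.
$vpnName = 'Corp VPN'

Add-VpnConnection -Name $vpnName `
    -ServerAddress 'vpn.example.com' `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -AllUserConnection `
    -Force

# Confirm the profile landed in the all-user (machine-wide) set, which is the
# set the logon screen's network icon lists. A per-user profile (created
# without -AllUserConnection) is only available after the user has signed in.
Get-VpnConnection -AllUserConnection -Name $vpnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, ConnectionStatus

# Dial it from a script or scheduled task once the network is up. With
# machine-certificate auth no user credentials are needed, so this also works
# from a task running as SYSTEM before anyone logs on.
rasdial $vpnName
```

The captive-portal caveat raised earlier in the thread still applies: a hotel network that needs a browser login before it passes traffic blocks the tunnel from the logon screen just as it blocks it after sign-in, so the reboot-after-authorizing workaround is what makes the pre-logon connection usable there.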
                                • gjacobse @Grey

                                  @Grey said in MS VPN connection; Account locked:

                                  You said these are Surface devices, and that makes me presume that they're Windows 10. If you STOP and LOOK at your login screen, you'll see that you can connect to wifi before logging in.

                                  I looked over the thread seeking information on the VPN and didn't see what kind of vpn you're using. Is it MS? Cisco? OpenVPN? Do these VPN tools that you're using allow you to connect at sign-in? If you're using MS VPN, did you consider using DirectAccess?

                                  Title: MS VPN Connection ~
                                  Computer: Various: Surface / Laptops (dell)
                                  Hardware: - UBNT EdgeRouter

                                  • coliver @Grey

                                    @Grey said in MS VPN connection; Account locked:

                                    You said these are Surface devices, and that makes me presume that they're Windows 10. If you STOP and LOOK at your login screen, you'll see that you can connect to wifi before logging in.

                                    I looked over the thread seeking information on the VPN and didn't see what kind of vpn you're using. Is it MS? Cisco? OpenVPN? Do these VPN tools that you're using allow you to connect at sign-in? If you're using MS VPN, did you consider using DirectAccess?

                                    DirectAccess is really nice... but if you're not deploying Win10 Enterprise then you can't use it on your clients.

                                    • scottalanmiller @Mike Davis (last edited by scottalanmiller)

                                      @Mike-Davis said in MS VPN connection; Account locked:

                                      How does that work when they are on a wifi connection that doesn't connect until after they log in to their laptop?

                                      You have cached creds for that. Log in, connect, reboot.
