UAG. Access to internal network resources through the SSTP VPN

  • Question

  • Good day! 

    I have configured SSTP VPN on UAG 2010. The VPN connection is established successfully. I get an IP address, and pings go through. But when I try to access network resources via \\192.168.0.x, it asks for a password. How do I make sure that no password is requested, but that it goes to the resource immediately? When prompted for a password, it is clear that the default credentials used are the ones with which I logged on to the computer, not the credentials with which I came to the portal.

    Thanks

    Wednesday, August 3, 2011 10:27 AM

Answers

  • Hi Andrey,

    Based on my observation and understanding of the UAG SSTP, I believe that your requirement wouldn't work. I hope someone at Microsoft could confirm this?

    My Understanding:

    Although the UAG SSTP VPN connection relies on the legacy Windows Phonebook Dial-Up Service (which supports your requested scenario), it handles user authentication in a very different way.

    With a legacy VPN Connection Profile you will most likely enter your Windows network credentials during dial-up. In this way, the Dial-Up Service could push your credentials to the Windows Credential Manager to get a smooth single sign-on when accessing internal network resources (it's controlled by the PBK option "UseRASCredentials=1").

    The difference in UAG is that the SSTP connection won't use your "network" credentials during logon. Instead, UAG uses a proprietary mechanism which involves the use of an RRAS admin plug-in to let UAG control which user is allowed to dial in.

    The decision to use this proprietary mechanism was most likely made to ensure that the SSTP connection can be "One-Click" initiated, regardless of the initial portal authentication method used (e.g. Smart Cards, RSA, ADFS, etc.).

    -Kai
    • Proposed as answer by Kai Wilke Sunday, August 14, 2011 12:05 AM
    • Marked as answer by Erez Benari Friday, August 26, 2011 10:41 PM
    Wednesday, August 3, 2011 5:36 PM
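As an added illustration of the PBK option Kai refers to (this is not code from the thread or from UAG), the following PowerShell function reads a phonebook (.pbk) file and reports, per connection entry, whether UseRasCredentials is set, so an administrator can see which profiles would push dial-up credentials into Credential Manager. The key name and the two standard rasphone.pbk locations are the usual Windows RAS conventions; the sample phonebook text is constructed for this example.

```powershell
# Parse phonebook lines and report the UseRasCredentials value of each entry.
# Returns one object per [Entry] section; $null means the key is absent.
function Get-PbkCredentialPolicy {
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            # New [Entry] section: flush the previous one.
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Entry = $Matches[1]; UseRasCredentials = $null }
        }
        elseif ($current -and $line -match '^\s*UseRasCredentials\s*=\s*(\d)') {
            $current.UseRasCredentials = [int]$Matches[1]
        }
    }
    if ($current) { $entries += $current }
    $entries
}

# Constructed sample: one legacy profile that reuses the dial-up credentials
# for SSO, and one that does not (the behaviour the thread describes for UAG).
$samplePbk = @'
[Corp-Legacy-VPN]
Encoding=1
Type=2
UseRasCredentials=1
[UAG-SSTP]
Encoding=1
Type=2
UseRasCredentials=0
'@ -split "`r?`n"

Get-PbkCredentialPolicy -Lines $samplePbk | Format-Table -AutoSize

# On a real client, check the per-user and the all-users phonebooks.
$pbkPaths = @(
    (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
    (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
)
foreach ($p in $pbkPaths) {
    if (Test-Path $p) {
        Write-Host "Phonebook: $p"
        Get-PbkCredentialPolicy -Lines (Get-Content $p) | Format-Table -AutoSize
    }
}
```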

All replies

  • Hi Amig@. I guess this has more to do with cached credentials than with SSTP. Logon with cached credentials does not always grant access to other resources (for example with Kerberos-based authentication).

    Regards


    // Raúl - I love this game
    Wednesday, August 3, 2011 3:26 PM