PPTP-VPN login is overwriting Windows domain login

  • Question

  • Hello all.
    We have Windows Server 2003 on servers, Windows XP on clients, protected by a WatchGuard Firebox x550. VPN users authenticate to Firebox, not AD.
    I am trying to set up PPTP-VPN on a new laptop, which has Windows 7 Pro. Here is what happens.
    I go outside the office, log in to the Windows laptop with the domain username and password. Then I fire up PPTP-VPN, log in with the VPN username/password (leaving domain blank).
    VPN Login goes through fine, I can see and ping servers by name and by IP. However, when I try to browse to the network drives, it says username not found.
    I tried logging in with a different VPN/username, still the same thing. Not only that, but since that vpn/username matched a username on the domain, it actually locked that domain (not VPN) username out after a few clicks (group policy for domain users is set to 3 times the wrong password locks the account).
    So somehow, when I connect via PPTP-VPN on a Windows 7 laptop, the PPTP login overwrites the Windows login. The PPTP connection is set up with domain blank, and the box "Use windows domain/login" unchecked.
    The same PPTP-VPN, on a Windows XP laptop works fine, does not have that issue.

    Any thoughts would be appreciated.
    Thursday, December 16, 2010 3:09 PM

All replies

  • Hello,
     
    Thank you for your question.
     
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
     
    Thank you for your understanding.
     
    Best Regards,
    Miya Yao
    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
     

    This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Saturday, December 18, 2010 1:24 AM
    Moderator
  • M_Kou,

    What version of the WatchGuard VPN client are you using?
    Also, do you see the same behavior if you enable the DisableDomainCreds registry key?
    This will not prevent you from logging into the system locally using cached credentials.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

    Value Name: DisableDomainCreds

    Value Type: REG_DWORD

    Value: 1

    Regards,
    Clark Satter
    Microsoft Online Community Support

    Wednesday, January 19, 2011 9:01 PM
    Moderator
  • Hello Clark,

     

    I know that this is already an older thread but I ran into a similar issue. I had the exact same problem without the domain account lockout. I tried the registry edit and the problem did not reoccur.

    I do have a question however. We have several customers with the same setup, being a SBS 2008 Domain with Windows 7 Professional clients. This problem exists with only one customer. The only difference is the firewall. The customer that is experiencing the problem uses an aXsGuard gatekeeper. On the other hand we use the same firewall and don't have the problem.

    Why would I need to adjust a registry setting to correct this? As I now face adjusting this setting on a lot of clients.

    I also noticed that after I provide the logon credentials these appear in the Credential Manager, but since they are saved as being only persistent for the logon session they need to be provided every time I restart and connect with VPN to the company network.

    When connected inside the network I have no problems accessing the shared drive.

    Do you have any thoughts on that?

    Regards,

    Rolf Böhlke

    BS Support
    Wednesday, August 24, 2011 3:15 PM
  • Old thread, but I came across this and I have some useful information about it:

    By default, when you create a PPTP VPN connection there is a config switch that will save the credentials for the PPTP VPN in the Windows Credential Manager.
    These credentials will then be used to access shared resources, like shares and printers.
    If you have the same account name for the VPN connection and the Windows user, but different passwords, then this could lead to a password lockout.

    There is a possibility to change this behavior by editing your rasphone.pbk file.
    C:\Users\"username"\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

    Search for the VPN connection causing the problem and edit this line:
    UseRasCredentials=1
    Change this to: UseRasCredentials=0

    The password will then no longer be saved to the Windows Credential Manager and you access the resources with your normal domain or local account.

    From my point of view, it would make more sense if this were the default setting.

    This is for Win7, don't know about other operating systems.

    • Proposed as answer by [OnyX] Saturday, August 8, 2015 10:16 AM
    Monday, September 2, 2013 3:46 PM
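
The phonebook edit described in the post above, scripted so it can be audited and applied across many clients. This is an added example, not part of the original thread: the function name `Set-PbkUseRasCredentials`, its parameters and the sample phonebook are hypothetical, and it assumes the `[entry]` / `key=value` layout of rasphone.pbk.

```powershell
# Added example (not from the thread). Function and parameter names are hypothetical.
function Set-PbkUseRasCredentials {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$EntryName    # optional: only touch this [entry]; default is every entry
    )
    $Path = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Latin-1 maps bytes 1:1 to characters, so every untouched byte is written back as-is.
    $enc   = [System.Text.Encoding]::GetEncoding(28591)
    $lines = $enc.GetString([System.IO.File]::ReadAllBytes($Path)) -split "`r?`n"
    $entry = $null
    $fixed = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        # Section header such as [Office PPTP]; tolerate a UTF-8 BOM on the first line.
        if ($lines[$i] -match '^(?:\xEF\xBB\xBF)?\[(.+)\]\s*$') { $entry = $Matches[1]; continue }
        if ($lines[$i] -match '^UseRasCredentials=1\s*$' -and
            (-not $EntryName -or $entry -eq $EntryName)) {
            $lines[$i] = 'UseRasCredentials=0'
            $fixed += $entry
        }
    }
    if ($fixed.Count -gt 0 -and $PSCmdlet.ShouldProcess($Path, 'Set UseRasCredentials=0')) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep a backup
        [System.IO.File]::WriteAllBytes($Path, $enc.GetBytes($lines -join "`r`n"))
    }
    $fixed    # entries that were (or, with -WhatIf, would be) changed
}

# Constructed sample phonebook (not a real one) so the example runs offline.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'rasphone-demo.pbk'
Set-Content -LiteralPath $demo -Value @(
    '[Office PPTP]', 'Type=2', 'UseRasCredentials=1',
    '[Lab VPN]',     'Type=2', 'UseRasCredentials=1'
)
Set-PbkUseRasCredentials -Path $demo -EntryName 'Office PPTP'
# Only the named entry is switched off; [Lab VPN] still shows UseRasCredentials=1.
Select-String -LiteralPath $demo -Pattern '^\[|^UseRasCredentials='

# Real use with the per-user path from the post (audit first with -WhatIf):
# Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk' -Force |
#     ForEach-Object { Set-PbkUseRasCredentials -Path $_.FullName -WhatIf }
```

Running it with `-WhatIf` lists the entries that still have `UseRasCredentials=1` without modifying the file, which gives a quick inventory of which connections can push VPN credentials at domain resources.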
  • Confirm this solution as working on Windows 10
    Thursday, February 25, 2016 5:13 PM
  • We've done this successfully with Windows 10.  Previously I'd disabled the credentials manager service in Windows 7, in Windows 10 this does not correct the problem.  Editing the UseRasCredentials parameter has corrected the issue in Windows 7, 8, 8.1, and 10 so far.
    Thursday, March 30, 2017 4:35 PM
  • I confirm this works for me on Windows 10, you saved me, thank you
    Wednesday, March 18, 2020 10:22 AM
  • Works like a charm on WIN10.

    Thank you.

    Tuesday, March 24, 2020 5:29 PM