See network over VPN to access NT shares

By sharonty
I am receiving the following error message after logging into the VPN running on an NT domain.

(No Domain controller is available to validate your password. You may not be able to access some network resources.)

I can load any applications that are configured to run across the LAN but I cannot see any network shares to map drives.

Has anyone seen this or know why this is happening?

by kybertech In reply to See network over VPN to a ...

Your client computer is not finding the NT domain controller. Have you configured your client computer to "Logon to WindowsNT domain" in the properties of Client for Microsoft Networks? Can you go to the Find tool and find your server by computer name? Is the VPN running on your Domain Controller, or do you have VPN on a firewall or appliance?

by sharonty In reply to See network over VPN to a ...

The question was auto-closed by TechRepublic

by Steve Elky In reply to See network over VPN to a ...

A common problem when dealing with Windows networking and a VPN or firewall is that your workstation cannot access the domain controller. Not having all the details, I'll try to address the problem in general.

Windows systems register themselves with the WINS database when they boot up. The WINS server is usually inside your firewall/VPN. Until you dial-in and start the VPN client, you do not have access to the WINS server. This keeps the workstation from registering with the WINS server. This can cause difficulties.

Once the VPN tunnel is established, as long as your WINS server entry is correct, the workstation should be able to look up a list of domain controllers from the WINS server. At this point, you will be able to logon to the domain.

A workaround for NT is to take the workstation on site and logon to the domain without the VPN. This will cache a copy of your domain credentials on the local workstation. In the future, when you logon, it will use the cached credentials (though it will still complain) to access domain resources.

Now, you also may be experiencing a problem with the Windows browser (not web browser) service. This is what lists computers and shares in the GUI when you map a drive. This system is complex and VERY slow to converge. I wouldn't depend on it if you don't have to. Map shares by explicitly typing in the share name. Batch files can handle this for end users.

There is more but I'm afraid I'm running out of room. If you can be more specific in your question, I may be able to answer better.

by sharonty In reply to See network over VPN to a ...

Additional Note on Question:
The client OS is Win 98 SE and the MS Client for Networks is set to Logon to an NT Domain and is the Primary Windows Logon. I have added the PDC & WINS IP addresses in the hosts & lmhosts files. I am typing in the same login name/password that is valid on the NT domain. The DUN connection is set to Log on to Network using TCP/IP.
When I try to ping an IP address, it will time out on the first try. Second attempt, the ICMP packets fail at 25% or 50% of the time. The third attempt and any ping after that are successful at 100%. I am using Checkpoint VPN on Firewall 1... I have 1 Ethernet 10/100 switch with all servers and hubs attached directly to it.

by Steve Elky In reply to See network over VPN to a ...

Part I

This is certainly the problem with WINS registration and resolution when there is a Firewall-1/VPN-1 firewall/VPN in the mix.

This is a chicken and egg scenario. You can't logon to the domain until you have logged on locally on the 98 machine, dialed in and started the VPN client (SecuRemote/SecureClient) but you want to Log on to the network using TCP/IP. I'll admit that I've never worked this one out with 98, but I've dealt with it in Windows NT.

The root of the problem is that you can't access or resolve the domain controller when you are logging on because you have no VPN tunnel to your WINS server or your domain controllers. The initial WINS registration happens when the machine boots, long before you are able to start the VPN client.

Continued in Part II...

by Steve Elky In reply to See network over VPN to a ...

Part II:

Anyway, a solution is to use pass-through authentication. This entails creating a local user (on the 98 machine) with the same name and password as on the NT domain. Then log on locally and ignore the message saying no domain controller is available. Once you dial in and start the VPN client, you can map drives (using Explorer or the net use command) to your NT servers in the domain. The workstation will automatically pass the authentication credentials to the domain (or to anything.)

You may need to set up permanent connections in Explorer or use a script to map the drives. Browsing computers through Explorer will be problematic and it will take you 5-15 minutes before you actually get a browse list. This stems from the fact that you didn't register with WINS upon startup (because you don't have a VPN connection.)

While this should work, it is a slight security risk. Windows 98 will have a locally stored password and username that are identical to the domain credentials. I'm not sure how strong the password hashing on 98 is. If it is the old style LAN Manager (LM) hash, anyone who can get access to that machine will be able to copy off the password hash and brute force the password at their leisure. If you can force 98 to use an NTLMv2 hash, use this instead.

A site to check for Checkpoint information is: http://support.checkpoint.com/service/publisher.asp?id=55.0.4222079.2607206
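
The scripted drive mapping suggested in the posts above, sketched as a batch file; this is an added example, not part of the original thread. SERVER1, the share names and the 10.0.0.10 address are hypothetical placeholders, and the script assumes that `net use` returns a nonzero exit code on failure.

```batch
@echo off
rem Added example, not from the thread. SERVER1, 10.0.0.10 and the share
rem names are hypothetical placeholders. Run this after the dial-up
rem connection and the VPN client are up.

set SRV=SERVER1
set SRVIP=10.0.0.10
set TRIES=

:wait
rem The first pings through a new tunnel may time out (as reported in the
rem thread), so retry up to five times before giving up.
ping -n 1 %SRVIP% | find "TTL=" > nul
if not errorlevel 1 goto map
set TRIES=%TRIES%x
if "%TRIES%"=="xxxxx" goto notunnel
goto wait

:map
rem Map by explicit UNC path so nothing depends on the slow browse list.
rem No password is given on the command line: the logged-on credentials
rem are passed through, and no password ends up stored in this file.
net use H: \\%SRV%\home
if errorlevel 1 goto failed
net use S: \\%SRV%\shared
if errorlevel 1 goto failed
echo Drives mapped.
goto end

:notunnel
echo No reply from %SRVIP%. Check that the VPN client is connected.
goto end

:failed
rem Assumption: net use signals failure through a nonzero exit code.
echo Mapping failed. Check the entry for %SRV% in LMHOSTS or WINS.

:end
```

The server name still has to resolve through the WINS server or an lmhosts entry once the tunnel is up.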

by Shanghai Sam In reply to See network over VPN to a ...

You need to be using Firewall-1 4.1 SP1 or higher and SecuRemote Build 4157 or higher to resolve these and other VPN client related issues. If you are already at the above rev levels then you need to enable the SDL and SSO features to solve your stated problems. As long as you have a valid software subscription, you will be able to get the upgraded software for free.

Hope this helps. Drop me an e-mail if you need any more clarification or help to resolve this problem.
