Welcome to ISAserver.org

VPN OK - logon prompt for further access

VPN OK - logon prompt for further access - 7.Jun.2005 5:23:00 PM   
mkitchen

 

Our new (Microsoft) VPN terminates on our (new) ISA 2004 firewall. We can ping devices on the internal network.

Using "network places" - we can see the domains, but can't navigate beyond that. We can map to shares etc. via Start, Run. Net view <server name> also returns the shares.

Attempting to access external websites via our proxy we are required to provide credentials (the same credentials used to create the VPN tunnel). However, these do not "take" and access is denied.

From a high level, it's almost as if the credentials are being blocked - somewhere / somehow.

Connecting using MS-CHAP / MS-CHAPv2 (each is selected on the VPN client)

The firewall admin doesn't see anything being blocked (so it could be elsewhere on the network).

Any suggestions etc. would be appreciated.

mike
Post #: 1
RE: VPN OK - logon prompt for further access - 8.Jun.2005 2:38:00 AM   
ClintD

 

Are these WinXP clients?

Ask the firewall admin to check the Security Event Logs on the ISA Server to see if it indicates a problem with the authentication request.

If the client is WinXP, go to Start\Run and type in "control keymgr.dll" and remove any cached credentials in this list and see if it helps.

[ June 08, 2005, 02:39 AM: Message edited by: ClintD ]

(in reply to mkitchen)
Post #: 2
RE: VPN OK - logon prompt for further access - 16.Jun.2005 5:02:00 AM   
Andy2Long

 

You might also try this KB article's fix:

How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q244474

Andy

(in reply to mkitchen)
Post #: 3
RE: VPN OK - logon prompt for further access - 22.Jun.2005 6:47:00 PM   
Guest
Have you had any luck resolving this problem? I am facing the same thing.

It does not seem to be related to the firewalls.

(in reply to mkitchen)
  Post #: 4
RE: VPN OK - logon prompt for further access - 22.Jun.2005 7:03:00 PM   
mkitchen

 

No luck yet - posted a slightly different post with more info - we're using Clearswift's MIMEsweeper for Web product (coz we have to, so using MS proxy isn't an option). We got no help from our local Clearswift agent.

We also cannot turn off the proxy on the ISA FW.

We're trying to tap the brain of an MS server expert when he's here later today (if he has time). If anything it'll give us guidance on whether our technical approach is valid or not. (The VPN itself works - so it is a "server or network" issue.) I'll post a reply after we see him.

mike

(in reply to mkitchen)
Post #: 5
RE: VPN OK - logon prompt for further access - 27.Jun.2005 9:31:00 PM   
mkitchen

 

Apologies for the delay in an update. The MS guys were a few days late.

After checking various logs, our problem is due to the ISA server running a web proxy. Easiest fix would be to turn the web proxy off - in our case we need the web proxy for the "LAN" based clients, so not an option. A post has been made inside MS re how to turn off the web proxy for just the VPN client network.

If that doesn't work, we need to redesign the way our remote stuff comes in.

(in reply to mkitchen)
Post #: 6
RE: VPN OK - logon prompt for further access - 29.Jun.2005 6:11:00 PM   
Guest
I am not sure if you have already solved this problem, but check your XP clients for entries with event ID 40961 in the event log. If you find instances of this event ID, the following articles might help.

http://support.microsoft.com/search/default.aspx?mode=s&cat=false&query=event+40961&srch=sup&x=4&y=14

Forcing Kerberos authentication to use TCP resolved my problem. I hope this helps.

(in reply to mkitchen)
  Post #: 7
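
Added example, not part of any post in this thread: a read-only PowerShell check for the two items raised in the replies above, namely event ID 40961 on the client and whether Kerberos has been forced to TCP. The registry path and the `MaxPacketSize` value follow KB244474 and are an assumption here (the thread gives only the link), as is the use of the System log; the function names are illustrative.

```powershell
# Added example (not from the thread). Read-only: it changes nothing on the client.
# Assumption: KB244474 places the setting under this key as a DWORD named MaxPacketSize.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosTransportSetting {
    # MaxPacketSize = 1 forces Kerberos onto TCP; an absent value means the OS default applies.
    $value = $null
    if (Test-Path $kerbKey) {
        $prop = Get-ItemProperty -Path $kerbKey -Name MaxPacketSize -ErrorAction SilentlyContinue
        if ($prop) { $value = $prop.MaxPacketSize }
    }
    [pscustomobject]@{
        MaxPacketSize = $value
        ForcedToTcp   = ($value -eq 1)
    }
}

function Get-Lsa40961Events {
    param([int]$Days = 7)
    # Assumption: event 40961 is written to the System log on the client.
    $filter = @{ LogName = 'System'; Id = 40961; StartTime = (Get-Date).AddDays(-$Days) }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Message
}

$setting = Get-KerberosTransportSetting
$events  = @(Get-Lsa40961Events -Days 7)

"MaxPacketSize : {0}" -f $(if ($null -eq $setting.MaxPacketSize) { 'not set (OS default)' } else { $setting.MaxPacketSize })
"Forced to TCP : {0}" -f $setting.ForcedToTcp
"40961 events  : {0} in the last 7 days" -f $events.Count

if ($events.Count -gt 0 -and -not $setting.ForcedToTcp) {
    # Matches the situation described in post 7: 40961 entries present, Kerberos not pinned to TCP.
    'Events present and Kerberos is not forced to TCP: review KB244474 before changing the registry.'
    $events | Sort-Object TimeCreated -Descending | Select-Object -First 3 | Format-List
}
```

Run it on the VPN client after reproducing the failed proxy logon, so that any 40961 entries fall inside the query window.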
