Converting User Principal Name During IAS Authentication


Oleg Mukhin

The goal is to provide access to a shared folder on the
intranet for a VPN user. While establishing the VPN
connection the user enters his credentials in the form
username: USER password: PASSWORD. After the connection is
established, access to LAN shared resources requires
additional authentication. For example, trying to perform
the following command: NET USE J: \\WIN1\APPLIC the user is
prompted to enter the password. It is necessary to open Network
Neighbourhood, type \\WIN1 in the address line and then enter
the FQDN name like username: USER@domain.com password: PASSWORD.
After that it's possible to perform the NET USE command. The
IAS server is provided with the rule FIND: $ REPLACE:
@domain.com. But it doesn't help. The Event Viewer shows
the following information:
User USER was granted access.
FQDN = domain.com/Users/USER.

Where do I make the mistake?
 
There is NO requirement for using the UPN on the "Net Use" line,
and it will not work with older clients (that is a fairly new extension
to the Net Use syntax).

I think this was only added in Win2000 (with the addition of the UPN
syntax in AD.)

Password has no keyword (just put it in, or better use a "*" and allow
the system to request it without disclosing the characters.)

You probably are not experiencing an IAS problem since it seems the
whole thing is working except for the authentication.
 
You need to note that authentication is only concerned with establishing
the VPN connection. It does not have any bearing on how the client accesses
resources after the connection is made. That depends entirely on the user's
logon credentials.

If the user has logged into the local domain or the local machine, these
are the credentials which will be used to try to access resources at the
remote site. (Only XP has modified code in the connection manager to handle
this differently and make it easier to send the correct domain credentials).
 

Continuing what Bill said (and Oleg originally asked):

You are still free to authenticate EXPLICITLY using credentials in
tools such as Explorer, Net Use, and RunAs.
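As an added example, not code from any of the posters: the explicit-credential forms of net use and runas that the replies above refer to (the trailing "*" password prompt, the UPN form that only Windows 2000 and later clients accept, and runas /netonly for a tool that must present the remote domain identity). Server WIN1, share APPLIC, account USER and domain.com are the names from Oleg's post; DOMAIN as the NetBIOS name of domain.com is an assumption.

```powershell
# Added example, not from the original thread.
# Assumed names: server WIN1, share APPLIC, account USER in domain.com;
# DOMAIN is assumed to be the NetBIOS (down-level) name of domain.com.

# Map the share with explicit down-level credentials. The trailing *
# makes net use prompt for the password without echoing it, so the
# password never lands in a batch file or the command history.
# This form works on NT 4 and later clients.
net use J: \\WIN1\APPLIC /USER:DOMAIN\USER *

# Same mapping with a UPN; accepted only by Windows 2000 and later
# clients, which is why the UPN form fails on older machines.
net use J: \\WIN1\APPLIC /USER:USER@domain.com *

# Confirm the mapping exists before relying on it.
net use

# Drop the mapping (and its cached network credential) when finished.
net use J: /DELETE

# For a tool that must use the remote domain identity on the network
# while the desktop session keeps its local logon, start it with
# runas /netonly: only outbound network authentication uses DOMAIN\USER,
# local access still runs as the logged-on user.
runas /netonly /user:DOMAIN\USER cmd.exe
```

Commands started from the runas /netonly window inherit that network identity, so a plain NET USE J: \\WIN1\APPLIC issued from it will authenticate as DOMAIN\USER without a further prompt.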
 