How to get prompted for username/passwd

Rob Carroll IndusCom

Hey all,
I should probably know the answer to this, but it's eluding me.
Anyhow...

I've got a Win2K domain running in native mode. On the local LAN
everything works perfectly. No problems.

I also have a Cisco PIX, which is serving VPN, and IAS set up on my
DC. That all works... but I'm having a problem on the Windows side.

People can log onto the VPN (via the Cisco VPN client), get
authenticated and access "everyone" resources, such as printers, etc.
Users with Win9X or WinME can see whatever secured resources their
usernames are given permissions to. For NT-based OSs (XP, 2K), if the
person joins their home PC to the domain, they can log onto the domain
from home by launching the VPN before hitting CTL-ALT-DEL, and logging
on with their domain username and password (and, subsequently a
separate profile).

Therein lies my problem. I don't WANT people's home machines on my
domain. Moreover, I know most users won't want to go through the
whole rigmarole of setting it up, and having more than one profile,
etc.

So, my question is, how can Win2K/XP users log onto their machines
with their local profile, connect to the domain via the VPN (which
authenticates them against their AD account via IAS), and just get
prompted for their credentials when they try to access secured
resources? Or, better yet, already BE authenticated to see the
secured resources?

Have I articulated my question well, or is it confusing?

Thanks,
Rob
 
Rob,

If the users are not a member of the domain, when they browse for the
network resources on your machine, they should and will be prompted with a
username / password box. Just enter YourDomain\TheirUsername for the UN.

--
Brian Desmond
Windows Server MVP

Http://www.briandesmond.com
 
That's the problem. Your NT/2K/XP boxes want to use their DOMAIN-based
credentials to access network resources. Without using CONNECT AS and
specifying a domain account for that resource, your non-domain boxes will
get denied.

This is a feature of a Windows NT/2000/2003 domain in that NT kernel-based
PCs attached to that domain authenticate the user at login and cache that
access token for use on networks that they connect to. If your users' home
PCs connect to your network via VPN and are unsuccessful in accessing
resources, this is a GOOD thing.

The answer to your question is that the users can connect to the resources
that you want them to get to by a batch file that you can run after they
connect to your VPN.

The syntax would be simple...

net use g: \\server\share /user:username password
net use h: \\server2\share /user:username password
net use i: \\server3\share /user:username password

And so on.

--
Regards,

Jim Hungerford, A+, MCP
http://www.screenshotmovies.com
Screenshot FLASH movies for Technical Support
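
A variant of the batch file described in the post above, as an added example that is not part of the original thread: it passes `*` where the password would go, so `net use` prompts for it and no password is stored in plain text in the file. EXAMPLEDOMAIN is a placeholder, and the drive letters and share paths are the ones from the post.

```bat
@echo off
rem Added example, not from the thread: map the shares after the VPN is up
rem without keeping a password in the file. EXAMPLEDOMAIN is a placeholder.
setlocal
set "DOMAIN=EXAMPLEDOMAIN"
set "FAILED=0"

rem Clear any inherited value so an empty answer is detected.
set "DOMUSER="
set /p "DOMUSER=Domain username: "
if not defined DOMUSER (
    echo No username entered.
    exit /b 1
)

rem Drive letter and UNC path pairs, taken from the net use lines in the post.
for %%M in ("g: \\server\share" "h: \\server2\share" "i: \\server3\share") do (
    call :map %%~M
)

if "%FAILED%"=="1" (
    echo One or more shares could not be mapped. Check the VPN connection and the account.
    exit /b 1
)
exit /b 0

:map
rem %1 = drive letter, %2 = UNC path.
rem "*" makes net use prompt for the password with no echo, once per server.
rem /persistent:no keeps the mapping from being restored at the next logon.
net use %1 %2 * /user:%DOMAIN%\%DOMUSER% /persistent:no
if errorlevel 1 (
    echo Failed to map %1 to %2
    set "FAILED=1"
)
goto :eof
```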
 
Actually, disabling the domain guest account fixed it. Now I can log
onto my home PC's local profile and turn on the VPN. When I go to
access the fileserver, it prompts me for the username and password.

I can't believe it took me like 2 weeks to figure that out.

Thanks for the help though,
Rob
 