I recently deployed a new remote access VPN system at my company, using a Cisco ASA 5510 as the concentrator. The protocol is L2TP-over-IPsec for maximum compatibility across clients, and authentication is handled by an RSA SecurID appliance. Everything works really well, except in one particular scenario:
- User's workstation is a domain member
- User is logging in to the local workstation as a domain user
- User is connecting to the VPN using the same user name as the logged-in account
- User attempts to access network resources, such as file shares or Microsoft Exchange
In this case, the user's account is locked in Active Directory almost immediately after attempting to connect to a network resource (i.e. opening Outlook).
I believe the issue is that Windows is attempting to use the credentials provided for connecting to the VPN. Because the username matches but the password does not, since it is actually a one-time password generated by the SecurID token, the authentication fails. Continuous attempts result in the account being locked out.
Is there any way to tell Windows to stop doing this? I've tried disabling the "Client for Microsoft Networks" option in the VPN properties, but it didn't help.
There is a security policy setting that does specifically what I am looking for: Network access: Do not allow storage of passwords and credentials for network authentication. By enabling this setting, VPN credentials are not stored and therefore are not used to attempt to authenticate to network resources like shared files and Exchange.
Since the issue only affects domain-member workstations, applying this setting to all of them is a simple matter of setting it with Group Policy.
I know this is an old question, but I believe there is a better answer in that it doesn't require any server-side changes: edit the VPN settings to not use the VPN credentials when authenticating to network servers. This setting is not exposed through Windows' UI, so you need to locate the .pbk file associated with your VPN connection (%AppData%\Roaming\Microsoft\Network\Connections\PBK\rasphone.pbk for user VPNs, or %ProgramData%\Microsoft\Network\Connections\Pbk\rasphone.pbk for system VPNs). I sourced these instructions from: https://social.technet.microsoft.com/Forums/windows/en-US/0204464d-e32d-4584-966b-60788cce0d6f/disable-creation-of-vpn-session-credential-in-credential-manager-without-disabling-all-of
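As an added example (not part of either answer above), the following PowerShell script applies the phonebook edit described in the second answer: it locates the connection's section in rasphone.pbk and sets UseRasCredentials=0 so the one-time VPN passcode is not replayed against file shares or Exchange. It assumes the per-user phonebook, a connection named "Corp VPN", and that UseRasCredentials is the phonebook key controlling this behaviour.

```powershell
# Assumed connection name and per-user phonebook path (adjust for a system VPN).
param(
    [string]$ConnectionName = 'Corp VPN',
    [string]$PbkPath = (Join-Path $env:AppData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
)

if (-not (Test-Path $PbkPath)) { throw "Phonebook not found: $PbkPath" }

# Preserve the file's existing encoding (UTF-16 LE if it carries a BOM, otherwise ANSI).
$bytes = [System.IO.File]::ReadAllBytes($PbkPath)
$enc   = if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { 'Unicode' } else { 'Default' }

# rasphone.pbk is INI-style: one [Name] header per connection, key=value lines under it.
$lines   = Get-Content -Path $PbkPath
$inEntry = $false   # currently inside the target connection's section
$found   = $false   # the target section exists
$keySeen = $false   # UseRasCredentials already present in that section
$changed = $false   # the file content actually needs rewriting

$out = foreach ($line in $lines) {
    if ($line -match '^\[(.*)\]$') {
        # Leaving the target section without having seen the key: add it before the next header.
        if ($inEntry -and -not $keySeen) { 'UseRasCredentials=0'; $keySeen = $true; $changed = $true }
        $inEntry = ($Matches[1] -eq $ConnectionName)
        if ($inEntry) { $found = $true }
        $line
    }
    elseif ($inEntry -and $line -match '^UseRasCredentials=') {
        $keySeen = $true
        if ($line -ne 'UseRasCredentials=0') { $changed = $true }
        'UseRasCredentials=0'      # 0 = do not reuse the VPN logon for network authentication
    }
    else { $line }
}

if (-not $found) { throw "No entry named '$ConnectionName' in $PbkPath" }

# Target section was the last one in the file and had no key: append it.
if ($inEntry -and -not $keySeen) { $out += 'UseRasCredentials=0'; $changed = $true }

if ($changed) {
    Copy-Item -Path $PbkPath -Destination "$PbkPath.bak" -Force   # keep a backup before rewriting
    Set-Content -Path $PbkPath -Value $out -Encoding $enc
    Write-Host "UseRasCredentials=0 set for '$ConnectionName'; reconnect the VPN for it to take effect."
} else {
    Write-Host "'$ConnectionName' already has UseRasCredentials=0."
}
```

Run it while the VPN is disconnected, since RAS rewrites the phonebook on connect and may overwrite an edit made mid-session.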