I recently deployed a new remote access VPN system at my company, using a Cisco ASA 5510 as the concentrator. The protocol is L2TP-over-IPsec for maximum compatibility across clients, and authentication is handled by an RSA SecurID appliance. Everything works really well, except in one particular scenario:
- User's workstation is a domain member
- User is logging in to the local workstation as a domain user
- User is connecting to the VPN using the same user name as the logged-in account
- User attempts to access network resources, such as file shares or Microsoft Exchange
In this case, the user's account is locked in Active Directory almost immediately after attempting to connect to a network resource (e.g. opening Outlook).
I believe the issue is that Windows is attempting to use the credentials provided for connecting to the VPN. Because the user name matches but the password does not (it is actually a one-time password generated by the SecurID token), the authentication fails. Continuous attempts result in the account being locked out.
Is there any way to tell Windows to stop doing this? I've tried disabling the "Client for Microsoft Networks" option in the VPN properties, but it didn't help.
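The behaviour described above is governed on the Windows client by the `UseRasCredentials` key of the connection's entry in the RAS phonebook (`rasphone.pbk`): when it is `1`, the password typed into the VPN dialog is reused as the default credential for resources reached over that connection. As an added example, not part of the original question or any vendor documentation, the following PowerShell script sets that key to `0` for one named entry in the per-user and all-user phonebooks. It assumes the connection is named `Corp VPN`; change `$EntryName` to match the entry on your workstations.

```powershell
<#
  Added example, not code from the original post.
  Sets UseRasCredentials=0 for one VPN phonebook entry so Windows stops
  presenting the VPN (SecurID one-time) password when it authenticates
  to file shares and Exchange over the tunnel.

  Assumptions (change to match your environment):
    - the VPN connection entry is named 'Corp VPN'
    - it lives in the per-user or the all-user rasphone.pbk phonebook
#>
param(
    [string]$EntryName = 'Corp VPN'   # assumed connection name
)

# Per-user phonebook first, then the all-user phonebook; keep only those that exist.
$phonebooks = @(
    (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
    (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
) | Where-Object { Test-Path -Path $_ }

function Set-UseRasCredentialsOff {
    param([string]$Path, [string]$Entry)

    $inEntry = $false
    $changed = $false
    # rasphone.pbk is INI-style: [EntryName] headers followed by Key=Value lines.
    # Walk it line by line and rewrite only the key inside the requested entry.
    $out = foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match '^\[(.*)\]\s*$') {
            $inEntry = ($Matches[1] -eq $Entry)
        }
        if ($inEntry -and $line -match '^UseRasCredentials=(\d)\s*$') {
            if ($Matches[1] -ne '0') { $changed = $true }
            'UseRasCredentials=0'
        } else {
            $line
        }
    }
    if ($changed) {
        Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a backup of the phonebook
        Set-Content -Path $Path -Value $out
    }
    return $changed
}

$found = $false
foreach ($pbk in $phonebooks) {
    $header = '^\[' + [regex]::Escape($EntryName) + '\]'
    if (Select-String -Path $pbk -Pattern $header -Quiet) {
        $found = $true
        if (Set-UseRasCredentialsOff -Path $pbk -Entry $EntryName) {
            Write-Host "Updated '$EntryName' in $pbk; disconnect and reconnect the VPN for it to take effect."
        } else {
            Write-Host "'$EntryName' in $pbk already has UseRasCredentials=0."
        }
    }
}
if (-not $found) { Write-Warning "No phonebook entry named '$EntryName' was found." }

# Verify: list every UseRasCredentials line in the phonebooks that were touched.
foreach ($pbk in $phonebooks) {
    Select-String -Path $pbk -Pattern '^UseRasCredentials=' |
        ForEach-Object { "$($_.Path): $($_.Line)" }
}
```

Run it as the user who owns the connection (or elevated for an entry in the all-user phonebook), then disconnect and redial; the phonebook is read when the connection is established, so an active tunnel keeps the old setting. The key is written back to `1` if the entry is deleted and recreated through the GUI, so the script should be reapplied after re-creating the connection. If lockouts persist after this change, check the domain controllers' security log for the lockout events to confirm which client is still presenting the one-time password.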