Windows VPN and locked out users

When using the Windows VPN client with, for example, Cisco Meraki appliances or other devices, and you have not (for some unknown good reason 🙂) joined the VPN appliance to Azure AD or the local Active Directory, but have the same usernames on the VPN appliance as in AD, you will of course end up with users whose VPN password differs from their AD password as time passes.

By default, Windows VPN will, when connected, pass the VPN credentials to network resources for authentication. When those credentials differ from the AD ones, the user gets locked out when accessing network resources such as network shares.

The solution is to set the Windows VPN to NOT use the VPN credentials, but let Windows use its own. This can be achieved by editing the rasphone.pbk file, which is a “phonebook” for your VPN profiles.

VPN connections on Windows have a UseRasCredentials option, which allows a user on a non-domain machine to work with domain resources using his/her VPN credentials.

Under the hood, when this option is enabled, Windows creates stored credentials for a VPN session:

cmdkey /list
Currently stored credentials:
    Target: Domain:target=*Session
    Type: Domain Password
    User: dom\username
    Saved for this logon only

The VPN can be configured for all users of the PC or for just one user; choose the one that fits your installation:

# For all-user connections (phonebook under %PROGRAMDATA%)
$PbkPath = Join-Path $env:PROGRAMDATA 'Microsoft\Network\Connections\Pbk\rasphone.Pbk'
# Read the whole file, switch UseRasCredentials off, and write it back
(Get-Content -Path $PbkPath -Raw) -Replace 'UseRasCredentials=1','UseRasCredentials=0' | Set-Content -Path $PbkPath

# For single-user connections (phonebook under %APPDATA%)
$PbkPath = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.Pbk'
# Read the whole file, switch UseRasCredentials off, and write it back
(Get-Content -Path $PbkPath -Raw) -Replace 'UseRasCredentials=1','UseRasCredentials=0' | Set-Content -Path $PbkPath

Thanks to Nash for advising how to catch these two configurations: Solved: Failed Logins on DC from Meraki VPN Client? – The Meraki Community
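
The one-liners above switch the option off for every VPN profile in a phonebook. The following is an added example, not part of the original post: it reports UseRasCredentials per profile in both phonebooks and changes only a named profile after taking a backup. The function names and the entry name 'Office VPN' are hypothetical.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# rasphone.pbk is INI-style: one [EntryName] section per VPN profile.

function Get-RasCredentialSetting {
    param([Parameter(Mandatory)][string]$PbkPath)
    $entry = $null
    foreach ($line in Get-Content -Path $PbkPath) {
        if ($line -match '^\[(.+)\]\s*$') {
            $entry = $Matches[1]                      # start of a new VPN profile
        } elseif ($entry -and $line -match '^UseRasCredentials=(\d)\s*$') {
            [pscustomobject]@{
                Phonebook         = $PbkPath
                Entry             = $entry
                UseRasCredentials = [int]$Matches[1]
            }
        }
    }
}

function Disable-RasCredential {
    param(
        [Parameter(Mandatory)][string]$PbkPath,
        [Parameter(Mandatory)][string]$EntryName
    )
    Copy-Item -Path $PbkPath -Destination "$PbkPath.bak" -Force   # keep a backup
    $entry = $null
    $updated = foreach ($line in Get-Content -Path $PbkPath) {
        if ($line -match '^\[(.+)\]\s*$') { $entry = $Matches[1] }
        if ($entry -eq $EntryName -and $line -match '^UseRasCredentials=1\s*$') {
            'UseRasCredentials=0'                     # change only the named profile
        } else {
            $line                                     # everything else is untouched
        }
    }
    Set-Content -Path $PbkPath -Value $updated
}

# Report the setting for every profile in both phonebooks, skipping missing files.
$phonebooks = @($env:PROGRAMDATA, $env:APPDATA) |
    ForEach-Object { Join-Path $_ 'Microsoft\Network\Connections\Pbk\rasphone.pbk' } |
    Where-Object { Test-Path $_ }
foreach ($pbk in $phonebooks) { Get-RasCredentialSetting -PbkPath $pbk }

# To change one profile ('Office VPN' is a constructed entry name, $pbk a path from above):
# Disable-RasCredential -PbkPath $pbk -EntryName 'Office VPN'
```

After reconnecting the VPN, cmdkey /list can be used to check whether the *Session entry shown earlier is still being created.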
