When using Windows VPN with e.g. Cisco Meraki appliances or other devices, and you have not (for some unknown good reason 🙂) joined the VPN appliance to Azure AD or the local Active Directory, but use the same usernames on the VPN appliance as in AD, you will of course end up with users whose VPN password differs from their AD password as time passes.
By default Windows VPN will, when connected, pass the VPN credentials to network resources for authentication, but when the two passwords differ you will be locked out when accessing network resources, e.g. network shares:
The solution is to set Windows VPN to NOT use the VPN credentials but let Windows use its own. This is achieved by editing the rasphone.pbk file, which is a "phonebook" for your VPN profiles.
VPN connections on Windows have a UseRasCredentials option which allows a user on a non-domain machine to work with domain resources using his/her VPN credentials.
Under the hood, when this option is enabled, Windows creates stored credentials for the VPN session:
cmdkey /list
Currently stored credentials:
Target: Domain:target=*Session
Type: Domain Password
User: dom\username
Saved for this logon only
The VPN can be configured for all users of the PC or just for one user; choose the one that fits your installation:
# For all-user connections (phonebook under ProgramData)
$PbkPath = Join-Path $env:PROGRAMDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
(Get-Content -Path $PbkPath -Raw) -replace 'UseRasCredentials=1', 'UseRasCredentials=0' | Set-Content -Path $PbkPath
# For single-user connections (phonebook under the user's AppData)
$PbkPath = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
(Get-Content -Path $PbkPath -Raw) -replace 'UseRasCredentials=1', 'UseRasCredentials=0' | Set-Content -Path $PbkPath
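Before and after flipping the flag it helps to see which VPN entries actually have UseRasCredentials set, in both phonebooks, rather than blindly rewriting the files. The script below is an added example, not code from the original post: it parses each rasphone.pbk (same two paths as above) section by section, reports the value per connection, applies the same 1 to 0 rewrite when run with a hypothetical -Fix switch, and finally looks for the *Session entry in cmdkey output that the stored credential leaves behind.

```powershell
# Added example: audit (and optionally fix) UseRasCredentials per VPN entry.
# Paths are the ones from the post; the -Fix switch is this script's own.
param(
    [switch]$Fix
)

function Get-RasCredentialSetting {
    param([string]$PbkPath)

    if (-not (Test-Path -Path $PbkPath)) { return }

    $connection = $null
    foreach ($line in Get-Content -Path $PbkPath) {
        # rasphone.pbk is INI-style: one [Connection Name] section per VPN profile
        if ($line -match '^\[(.+)\]$') {
            $connection = $Matches[1]
        }
        elseif ($line -match '^UseRasCredentials=(\d)$') {
            [pscustomobject]@{
                Phonebook         = $PbkPath
                Connection        = $connection
                UseRasCredentials = [int]$Matches[1]
            }
        }
    }
}

$phonebooks = @(
    (Join-Path $env:PROGRAMDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk')  # all users
    (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk')  # current user
)

'Current settings:'
$phonebooks | ForEach-Object { Get-RasCredentialSetting -PbkPath $_ } | Format-Table -AutoSize

if ($Fix) {
    foreach ($pbk in ($phonebooks | Where-Object { Test-Path -Path $_ })) {
        # Same rewrite as in the post, applied to every entry in the file
        (Get-Content -Path $pbk -Raw) -replace 'UseRasCredentials=1', 'UseRasCredentials=0' |
            Set-Content -Path $pbk
    }
    'After fix:'
    $phonebooks | ForEach-Object { Get-RasCredentialSetting -PbkPath $_ } | Format-Table -AutoSize
}

# The stored credential created while connected with UseRasCredentials=1
# appears here as Target: Domain:target=*Session; no match means none is present
'Stored *Session credential (if any):'
cmdkey /list | Select-String -Pattern 'target=\*Session'
```

Run it once without -Fix to see which connections are affected, then with -Fix, reconnect the VPN and run it again: the per-connection values should all read 0 and the *Session line should no longer be listed by cmdkey.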
Thanks to Nash for advising how to catch these two configurations: Solved: Failed Logins on DC from Meraki VPN Client? – The Meraki Community