Vista + VPN = Locked Domain Account

Posted on December 31, 2007 | 6 Comments

Here’s a fun little feature with Microsoft Vista. All you need is a Vista machine and a VPN connection. If you get lucky, it’ll be an easy and instant way to repeatedly lock out your domain account!

First, from your Vista machine create a VPN connection to a non-Windows-authenticated VPN — for instance, at the office we use a Cisco appliance with a non-domain username/password. Connect to it with your Vista machine. At first, things may seem fine. But at some point, you’ll find that every time you connect to the VPN, your domain account gets locked out!

Here’s what I know so far:

  1. It only happens to folks establishing the VPN connection from a Vista machine
    1. Doesn’t happen to folks running XP (seems obvious, but I’ll state it)
  2. Everything is fine initially with no lockout issues. I’m not sure when the trouble begins, but it seems to be one of the following:
    1. We changed our Active Directory domain passwords
    2. A recent windowsupdate within the past few weeks

Unfortunately, the two “possibles” pretty much coincide as far as timing goes, so I’m not sure which, but my gut tells me it’s the first one and related to caching passwords somewhere.

We don’t cache our VPN passwords. We don’t use offline folders (to my knowledge) which I believe do cache.

If not careful, I can repeatedly lock my account out every time I try to access a file share. The only cure I know is to do the following after the initial VPN connection:

  1. Go to the Control Panel
  2. Click on “User Accounts”
  3. Click on “User Accounts” again (on the next screen)
  4. Click on “Manage Your Network Passwords” under Tasks in the left sidebar.
  5. Select “<dialup session>” and click “Remove”

After following those steps, [and] once I get my domain account unlocked, it’ll stay unlocked. Fortunately, I’m the domain admin so I can just remote in and fix it, but geeze… Every time I connect to the VPN, it stores a new <dialup session> that I have to remember to go delete. Maddening!

More and more folks are getting Vista machines at home. I really don’t want to teach everyone at the office that 5 step dance from above followed by “then call Chris to reset your account”. That would suck.

Thus far, my web searches have been fruitless. If anyone has found a working fix to this, I’m all ears!


Comments

6 Responses to “Vista + VPN = Locked Domain Account”

  1. Alisha on January 2nd, 2008 12:59 pm

    Wow, I wish that was the reason why I can’t connect to the VPN from Vista! My problem happens to be that the VPN requires MSCHAPv1 and no matter what I do in Vista, it doesn’t work.

    If it wasn’t for VMWare running XP, I wouldn’t be using Vista.

  2. Chris Kasten on January 4th, 2008 8:34 pm

    Hi Alisha. I still like Vista, in general, but there are a few little annoyances that become tedious…

  3. Rob on June 4th, 2008 11:06 am

    We have the same problem and it’s very frustrating. The problem seems to start when Outlook is opened.

  4. Karsten Jakobsen on July 3rd, 2008 10:26 am

    I have solved this by setting the policy “Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication” = Enabled. Then Vista does not store the “” at all, and it seems like the user is no longer locked out :-)

  5. Chris on July 5th, 2008 7:30 pm

    I ended up solving it by going back to XP for the work machine. ;-)

    Good tip there Karsten. I will definitely give it a shot on the next go around!

  6. Peter Muller on September 9th, 2008 11:04 am

    Hi,

    Had the same problem. This here is the solution:

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3806154&SiteID=17
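The five-step cleanup in the post and the policy Karsten describes in comment 4 can both be checked from the command line. The script below is an added example, not code from the post or any commenter; it assumes the policy is backed by the DisableDomainCreds value under the Lsa key (as it is on Vista and later) and that the stored entry’s target name contains “dialup session”, which is an assumption about how cmdkey labels it.

```powershell
# Added example (not from the post or its commenters): audit a Vista client for
# the two things this thread points at, using only built-in tools.
#   1. Whether "Network access: Do not allow storage of credentials or .NET
#      Passports for network authentication" is enabled. That policy writes the
#      DisableDomainCreds DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
#   2. Which saved credentials Credential Manager holds (cmdkey /list), flagging
#      the "<dialup session>" entry the post describes. The '*dialup session*'
#      match is an assumption about how cmdkey labels that entry.
# Run as Administrator; pass -RemoveDialup to delete the flagged entries.
param([switch]$RemoveDialup)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$value = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds `
    -ErrorAction SilentlyContinue).DisableDomainCreds
if ($value -eq 1) {
    Write-Host 'Policy: storage of network credentials is DISABLED (hardened).'
} else {
    Write-Host 'Policy: storage of network credentials is ALLOWED (default).'
    Write-Host '        A stale saved credential can keep retrying and lock the domain account.'
}

# cmdkey /list prints one "Target:" line per saved credential, e.g.
# "Target: Domain:target=server". Keep only the part after "target=" because
# that is the name cmdkey /delete expects.
$targets = cmdkey /list | ForEach-Object {
    if ($_ -match '^\s*Target:\s*(?:\w+:target=)?(.+)$') { $Matches[1].Trim() }
}

if (-not $targets) { Write-Host 'No saved credentials found.'; return }

Write-Host "Saved credential targets ($(@($targets).Count)):"
$targets | ForEach-Object { Write-Host "  $_" }

$dialup = @($targets | Where-Object { $_ -like '*dialup session*' })
foreach ($t in $dialup) {
    if ($RemoveDialup) {
        # Command-line equivalent of step 5 in the post: remove the stored entry.
        cmdkey /delete:$t
        Write-Host "Removed saved credential: $t"
    } else {
        Write-Host "Flagged (run with -RemoveDialup to clear): $t"
    }
}
```

Because the entry is recreated on every VPN connection, the policy check is the part worth keeping; the removal switch only repeats the manual cleanup the post already describes.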
