Windows 7 logon to domain using different VPN credentials is failing on 1-2 laptops.
Hi,

On our network we use separate VPN credentials to enforce two-factor authentication. Typically when we take a laptop out, we log on using the cached credentials for the domain account, then connect to the VPN using the VPN account. So each user has two accounts, but with the same username.

Our environment: the wireless network is a public network not connected to our work network. If you undock your laptop and switch to wireless mode, you then need to VPN in to access any resources. All laptop users are running Windows 7 Pro. This has been working fine for 15 people for over 6 months.

Then we purchased a new Windows 7 laptop for a VP. On this laptop, when one connects in via VPN, the cached credentials are apparently not used. As soon as network resources are accessed, a notice pops up saying "System has detected that security may have been compromised." and the user's account is locked out in AD. If we reconnect the Ethernet connection to the laptop (after unlocking their account in AD), then everything works just fine.

I have been able to reproduce this problem on a 2nd laptop, but have a dozen regular users who can VPN in without problems.

Thank you!
January 2nd, 2013 8:02pm

Look at what is different between the old and new machines. Could be the new machines are missing some needed components. Are the new machines using a SYSPREP image of Windows? Windows MVP, XP, Vista, 7 and 8. More people have climbed Everest than having 3 MVP's on the wall. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
January 3rd, 2013 3:24am

The machines have not been sysprep'ed. We are a small outfit and just buy 1-2 laptops a year, so we just get the OEM version and just add Office and a few other apps. All the laptops are Dell. All are running the same version of Windows 7 Professional. The VPN connections are all Windows PPTP. I cannot explain why the user's cached credentials are not being used when accessing network resources. Could there be some weird interaction with the RAS server?
January 3rd, 2013 7:33pm

What are you using for a server? Also, whose RAS are you using?
January 4th, 2013 12:17am

We are using SBS 2008 with Windows RAS and NPS. The NPS policy is set to "Do not use VPN credentials" as part of the RADIUS setup.
January 4th, 2013 12:55am

If you use an adequate password there is no need for RADIUS; use the server user accounts with a strong password policy and use SSL with your VPN.
January 4th, 2013 2:22am

I agree. However, to implement two-factor authentication using one-time passwords, we need the RADIUS functionality to take care of the authentication. Thus, our situation today. I think it might be an issue with the Credential Manager on the laptop. When I look in the Credential Manager under the Control Panel, should I see an entry for the Windows cached credential? I do not see anything there, but one can definitely log into the laptop when it is off the work network.
January 4th, 2013 3:59pm

You can take advantage of the better general security with Windows Vista and up for remote access. XP is less secure. Given your shop is using Windows 7 the standard server authentication will be fine.
January 4th, 2013 4:15pm

That is probably true. That is the way we were running before clients pushed us to go the extra step with OTP solutions. So, we cannot throw out the RADIUS solution. The question still remains: what could be causing these 1-2 laptops to not use the Windows cached credentials but instead use the VPN username/password when authenticating access to network resources? If it was an NPS setting change, then it should affect all users, which it does not. The VPN connection config has been checked a few times to make sure the settings are the same as on a working laptop. Where would be the next place to look?
January 4th, 2013 5:35pm

RADIUS is old and better security models are now available. If you use a password to get onto the laptop then it's able to keep the credential file secure. If you are using multiple servers and AD then it's safe to also use BitLocker as an additional layer of security. BitLocker is well suited for field use as this way a lost machine cannot be compromised. It can be wiped but the machine will need to have a fresh copy of Windows installed. No secure data is lost.
January 4th, 2013 11:11pm

I appreciate your thoughts on alternative implementations for VPN security. However, I need to find the cause of this problem, not a replacement solution. Can you provide any insight into finding the root cause of this problem?
January 4th, 2013 11:42pm

I would need to have physical access to get any deeper into the issue.
January 4th, 2013 11:45pm

I looked around on the Networking forum and came across a similar issue. The resolution proposed there was:

The Credential Manager stores the VPN credentials as a Session entry. These credentials are then being used when accessing network resources. You can disallow the credential to be stored in the Credential Manager by setting the following registry entry to 1:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Value Name: DisableDomainCreds
Value Type: REG_DWORD
Value: 1

I verified this seems to be happening on one of my failing laptops. As soon as I VPN in, an entry appears in the Credential Manager. If I access a network share, my account gets locked out. If I go into the Credential Manager and edit the Session credential to have my correct Windows password, then I can browse network shares. If I set the reg entry to 1, then storing credentials is disabled in Credential Manager, and when I VPN in, my regular Windows credentials work.

However, looking at a "working" laptop, the registry setting for DisableDomainCreds is set to 0. I still need to test and see what Credential Manager does on a working computer.
January 5th, 2013 12:12am

I verified that on a working laptop, the VPN connection does NOT create an entry in the Credential Manager and the DisableDomainCreds registry setting is set to 0. So, it's definitely something related to the Credential Manager.
January 5th, 2013 12:20am

I finally found the answer under a similar post on the Networking forum: the problem was that the RASPHONE.PBK config file on these 2 laptops had UseRasCredentials set to 1 instead of 0 (like all the other laptops). Once I changed the setting back to 0, the lockout problem disappeared. I have no idea why the default PBK file on these computers had the setting =1.

The PBK file is located in the %userprofile%\AppData\Roaming\Microsoft\Network\Connections\Pbk\ folder. One needs to check the user and Default User profiles for the setting.

Problem solved!!!
January 7th, 2013 6:11pm
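The two posts above between them name the interim workaround (DisableDomainCreds in the LSA key) and the actual root cause (UseRasCredentials=1 in RASPHONE.PBK). The script below is an added example, not code from anyone in this thread: it audits both settings on a laptop, lists what Credential Manager currently holds via cmdkey, and optionally applies the fix the thread arrived at. It assumes Windows PowerShell 5.1 run from an elevated prompt (so the Default User profile and HKLM are readable); the -Fix switch and the output format are this example's own design choices, and the phonebook paths are taken from the thread.

```powershell
<#
  Added example (not from the original thread). Audits the two settings the
  thread identified: UseRasCredentials in each RASPHONE.PBK (current user and
  the Default User template) and the DisableDomainCreds LSA value. The -Fix
  switch is this example's own addition. Assumes Windows PowerShell 5.1, elevated.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Rewrite UseRasCredentials=1 to 0 in every phonebook found (the fix the thread arrived at).
    [switch]$Fix
)

# Phonebook locations named in the thread: the current user's profile and the
# Default User profile that seeds new accounts on the machine.
$pbkDirs = @(
    (Join-Path $env:USERPROFILE 'AppData\Roaming\Microsoft\Network\Connections\Pbk'),
    (Join-Path $env:SystemDrive 'Users\Default\AppData\Roaming\Microsoft\Network\Connections\Pbk')
)

function Get-PbkUseRasCredentials {
    # A .pbk file is INI-style: one [ConnectionName] section per VPN entry.
    # Emits one object per UseRasCredentials= line, tagged with its section.
    param([Parameter(Mandatory)][string]$Path)
    $section = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^UseRasCredentials\s*=\s*(\d+)\s*$') {
            [pscustomobject]@{ File = $Path; Connection = $section; Value = [int]$Matches[1] }
        }
    }
}

$findings = foreach ($dir in $pbkDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.pbk -File |
        ForEach-Object { Get-PbkUseRasCredentials -Path $_.FullName }
}

foreach ($f in $findings) {
    if ($f.Value -eq 1) {
        # This is the misconfiguration from the thread: the VPN account's credentials
        # get stored as a Session credential and reused against domain resources.
        Write-Warning ("{0} [{1}]: UseRasCredentials=1 (VPN credentials reused for network resources)" -f $f.File, $f.Connection)
    } else {
        Write-Host ("{0} [{1}]: UseRasCredentials={2}" -f $f.File, $f.Connection, $f.Value)
    }
}

if ($Fix) {
    $affected = $findings | Where-Object Value -eq 1 | Select-Object -ExpandProperty File -Unique
    foreach ($file in $affected) {
        if ($PSCmdlet.ShouldProcess($file, 'Set UseRasCredentials=0')) {
            # Lookahead keeps the original CRLF intact; -Encoding Default keeps the
            # ANSI encoding Windows PowerShell 5.1 uses for these files.
            $text = Get-Content -LiteralPath $file -Raw
            $text = $text -replace '(?m)^(UseRasCredentials\s*=\s*)1(?=\r?$)', '${1}0'
            Set-Content -LiteralPath $file -Value $text -NoNewline -Encoding Default
        }
    }
}

# Interim workaround from the thread: DisableDomainCreds=1 stops Credential Manager
# storing domain credentials at all. The working laptops had 0 (the default), so a
# 1 here means the workaround is in place rather than the PBK fix.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ddc = (Get-ItemProperty -Path $lsaKey -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
if ($null -eq $ddc) { $ddc = 0 }   # value absent: Windows treats it as 0
Write-Host "DisableDomainCreds = $ddc"

# What Credential Manager currently holds. A Session-type entry that appears right
# after the VPN connects is the symptom described in the thread.
cmdkey /list
```

Run it once without -Fix on a failing laptop and a working one and compare: the failing machine should show UseRasCredentials=1 for the VPN entry and, after connecting, a Session credential in the cmdkey output. Running with -Fix -WhatIf shows which phonebooks would be rewritten before anything is changed; note that an already-connected VPN session keeps its stored Session credential until it is disconnected or the entry is removed.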
