Dave Heavy Industries - A journal of tech-findings and ramblings

28 May 2020

SSTP/PPTP VPN using VPN credentials instead of Windows credentials to access remote resources

I had to get an emergency VPN up and running as our Palo Alto GlobalProtect VPN had a few issues that were tricky to overcome. The VPN I settled on was terminated on a MikroTik via SSTP and bridged to the LAN interface, so clients would end up on the side of our network where our computers would normally be. This is not best practice or what I’d normally do; I usually like to drop VPN clients into an isolated subnet and manage access explicitly. But given these covid-times I wanted these users to have “office” access across all of our environments.

So, we had an SSTP VPN dropped onto the MikroTik, with its own usernames and passwords that do not refer to RADIUS or sync to our AD in any way.

They connected, they could reach everything they had to… success he thought. WRONG.

The login is from an untrusted domain and cannot be used with Windows authentication. (Microsoft SQL Server, Error: 18452)

I debugged the auth and found that the connection from the domain-joined machine, with a domain user logged in, was using the VPN credentials to try to reach the SQL server. I can kind of see why you might like to do that; there are certainly reasons why that would be handy. But for us, we manage our own auth, and we absolutely were not trusting the auth scope from the MikroTik.

Good news is it’s a very easy fix (from this TechNet thread): https://social.technet.microsoft.com/forums/en-US/itprovistanetworking/thread/275599f0-6239-46a5-8245-50a5c13a2713/?stoAI=10

Edit the phonebook file here: C:\Users\{WindowsLogin}\AppData\Roaming\Microsoft\Network\Connections\Pbk - mine was called rasphone.pbk

Find the line with

UseRasCredentials=1

and change it to

UseRasCredentials=0

Reconnect, done!
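The same edit, scripted so it only touches the one VPN entry and keeps a backup. This is an added example, not from the original post: it assumes rasphone.pbk is the INI-style file at the path given above, that the connection name you pass matches a [Section] header in it, and that it runs under Windows PowerShell 5.1 on the affected machine.

```powershell
# Added example (not from the original post): set UseRasCredentials=0 for one
# phonebook entry in the per-user rasphone.pbk, leaving other entries untouched.
# Assumed: rasphone.pbk is INI-style, one [Name] section per VPN entry, and the
# file uses the system ANSI code page (what -Encoding Default means in PS 5.1).
param(
    [Parameter(Mandatory = $true)]
    [string]$ConnectionName,
    [string]$PhonebookPath = (Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
)

if (-not (Test-Path -LiteralPath $PhonebookPath)) {
    throw "Phonebook not found: $PhonebookPath"
}

# Keep a copy so the change can be reverted by restoring the backup.
$backup = "$PhonebookPath.bak"
Copy-Item -LiteralPath $PhonebookPath -Destination $backup -Force

$inTarget = $false   # true while we are inside the [ConnectionName] section
$found    = $false
$changed  = 0

$updated = foreach ($line in Get-Content -LiteralPath $PhonebookPath) {
    if ($line -match '^\[(?<name>.+)\]\s*$') {
        # A new section header: are we now inside the entry we want to change?
        $inTarget = ($Matches.name -eq $ConnectionName)
        if ($inTarget) { $found = $true }
        $line
    }
    elseif ($inTarget -and $line -match '^UseRasCredentials=1\s*$') {
        # Stop Windows reusing the VPN (RAS) credentials for SMB/SQL etc.
        $changed++
        'UseRasCredentials=0'
    }
    else {
        $line
    }
}

if (-not $found) { throw "No entry named '$ConnectionName' in $PhonebookPath" }

Set-Content -LiteralPath $PhonebookPath -Value $updated -Encoding Default
Write-Host "Backup written to $backup; lines changed: $changed (0 means it was already off)"
```

Run it while the VPN is disconnected, then reconnect; the value is read when the connection is dialled.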
