Failed Logins on DC from Meraki VPN Client?

SOLVED
Phill1
Conversationalist

Recently we have implemented the Meraki VPN client and have noticed a massive change of failed logins in the event log on the domain controller (ID: 4625) that display the user's Meraki email/username (which is different from the user's samaccount) as the failed login account.

Any ideas why the VPN credentials are being sent to the DC?

VPN Client authentication is using Meraki Cloud.

1 ACCEPTED SOLUTION
Nash
Kind of a big deal

Windows will use your VPN credentials by default to authenticate to network resources, unless you disable it. That's probably why you are seeing that.

You can change it by editing a value in the phonebook.

My scripty thing will do it automatically on setup, because I hate fixing stuff after the fact.

Basic PowerShell command is:

# For all-user connections
$PbkPath = Join-Path $env:PROGRAMDATA 'Microsoft\Network\Connections\Pbk\rasphone.Pbk'
(Get-Content -Path $PbkPath -Raw) -Replace 'UseRasCredentials=1','UseRasCredentials=0' | Set-Content -Path $PbkPath

# For single user connection
$PbkPath = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.Pbk'
(Get-Content -Path $PbkPath -Raw) -Replace 'UseRasCredentials=1','UseRasCredentials=0' | Set-Content -Path $PbkPath

This edits your phonebook to change that variable to 0, thus forcing Windows to use the Windows credential to log into server resources.


7 REPLIES 7
NolanHerring
Kind of a big deal

If you're using Meraki Cloud authentication, pretty sure nothing is supposed to be using your AD at all.

Is it possible maybe the end user accidentally put their Meraki credentials into maybe something else that is relying on AD to authenticate?

Nolan Herring | nolanwifi.com

My thoughts exactly.

The event logs are showing 100s of attempts from a few users within the same time the event is logged, so there must be some sort of service or dependency that is attempting to use this VPN credential somewhere...

Phill1
Conversationalist

Thanks @Nash

Just so I fully understand you, do I need to run that on every workstation that uses the VPN?

Kind regards,

Phill

Nash
Kind of a big deal

Every workstation that is having problems, yes. If you can deploy a PS script through a tool, it'll suck less. Otherwise it will need to be individually applied to each workstation.

Every time a VPN is created on that workstation, you'll need to modify the variable as well.

That's why I got lazy and baked it into our deployment process.
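
An added example (not from the thread and not Nash's deployment script): a per-entry version of the phonebook edit, suited to being pushed by a deployment tool and re-run whenever a VPN connection is created. It reports each connection's UseRasCredentials value, supports -WhatIf, and keeps a .bak copy. The function name Set-PbkUseRasCredentials, its parameter and the sample phonebook are assumptions made for illustration.

```powershell
# Added example; function name, parameter and sample file are hypothetical.
function Set-PbkUseRasCredentials {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Defaults to the all-user and single-user phonebooks named in the thread.
        [string[]]$Path = @(
            (Join-Path $env:PROGRAMDATA 'Microsoft\Network\Connections\Pbk\rasphone.Pbk'),
            (Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.Pbk'))
    )
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) { continue }   # no phonebook of this kind
        # Default Get-Content/Set-Content encoding is used, as in the thread's one-liner.
        $lines = @(Get-Content -LiteralPath $file)
        $entry = $null
        $dirty = $false
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match '^\[(.+)\]\s*$') {
                $entry = $Matches[1]                             # [Connection name] header
            }
            elseif ($lines[$i] -match '^UseRasCredentials=(\d+)\s*$') {
                $was = $Matches[1]
                if ($was -ne '0' -and
                    $PSCmdlet.ShouldProcess("$file [$entry]", 'Set UseRasCredentials=0')) {
                    $lines[$i] = 'UseRasCredentials=0'
                    $dirty = $true
                }
                # One report row per connection, changed or not.
                [pscustomobject]@{
                    File = $file; Entry = $entry
                    Was  = $was;  Now   = ($lines[$i] -split '=')[1].Trim()
                }
            }
        }
        if ($dirty) {
            Copy-Item -LiteralPath $file -Destination "$file.bak" -Force  # pre-change copy
            Set-Content -LiteralPath $file -Value $lines
        }
    }
}

# Constructed sample phonebook with two entries, so nothing real is touched.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'sample-rasphone.pbk'
Set-Content -LiteralPath $sample -Value '[Meraki VPN]', 'Encoding=1',
    'UseRasCredentials=1', '', '[Lab VPN]', 'UseRasCredentials=0'
Set-PbkUseRasCredentials -Path $sample -WhatIf   # report only, file unchanged
Set-PbkUseRasCredentials -Path $sample           # rewrites the file, leaves a .bak
```

Called without -Path, the function processes the two phonebook locations from the accepted solution and skips whichever does not exist.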

Phill1
Conversationalist

Thanks @Nash - you're a legend

Nash
Kind of a big deal

Aw, thanks, @Phill1. Despite not being an end user person, the one thing I am very good at is making the Meraki client VPN work in Windows. Especially on Windows 10, with its weird overlay on top of rasphone.
