Recently we have implemented the Meraki VPN client and have noticed a massive change of failed logins in the event log on the domain controller (ID: 4625) that display the user's Meraki email/username (which is different from the user's sAMAccountName) as the failed login account.
Any ideas why the VPN credentials are being sent to the DC?
VPN Client authentication is using Meraki Cloud.
Windows will use your VPN credentials by default to authenticate to network resources, unless you disable it. That's probably why you are seeing that.
You can change it by editing a value in the phonebook.
My scripty thing will do it automatically on setup, because I hate fixing stuff after the fact.
Basic PowerShell command is:
# For all-user connections
$PbkPath = Join-Path $env:PROGRAMDATA 'Microsoft\Network\Connections\Pbk\rasphone.Pbk'
(Get-Content -Path $PbkPath -Raw) -Replace 'UseRasCredentials=1','UseRasCredentials=0' | Set-Content -Path $PbkPath

# For single user connection
$PbkPath = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.Pbk'
(Get-Content -Path $PbkPath -Raw) -Replace 'UseRasCredentials=1','UseRasCredentials=0' | Set-Content -Path $PbkPath
This edits your phonebook to change that variable to 0, thus forcing Windows to use the Windows credential to log into server resources.
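An added example, not Nash's script and not anything shipped by Meraki or Microsoft: it goes a step further than the one-liner above by walking the all-user phonebook and every profile's per-user phonebook on the machine, reporting each connection entry whose UseRasCredentials is 1, and flipping it to 0 unless run with -AuditOnly. It assumes the standard profile root C:\Users and the standard AppData\Roaming phonebook location, and needs an elevated session to touch ProgramData or other users' profiles.

```powershell
# Added example: audit and fix UseRasCredentials in every rasphone.pbk on this
# machine. Safe to re-run after new VPN connections are created.
# Assumptions: profiles live under C:\Users, per-user phonebooks under
# AppData\Roaming (standard locations; not every profile will have one).
[CmdletBinding()]
param(
    [switch]$AuditOnly   # report only, change nothing
)

$relative   = 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
$candidates = @(Join-Path $env:ProgramData $relative)
$candidates += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName "AppData\Roaming\$relative" }

foreach ($pbk in ($candidates | Where-Object { Test-Path -LiteralPath $_ })) {
    $lines   = @(Get-Content -LiteralPath $pbk)
    $entry   = $null
    $changed = $false

    for ($i = 0; $i -lt $lines.Count; $i++) {
        # Each VPN connection is an INI-style section: [Connection Name]
        if ($lines[$i] -match '^\[(.+)\]$') { $entry = $Matches[1]; continue }

        if ($lines[$i] -match '^UseRasCredentials=(\d)$') {
            if ($Matches[1] -eq '1') {
                # 1 = Windows reuses the VPN credential for network resources,
                # which is what produces the 4625s with the Meraki username.
                Write-Output "$pbk :: '$entry' has UseRasCredentials=1"
                if (-not $AuditOnly) {
                    $lines[$i] = 'UseRasCredentials=0'
                    $changed   = $true
                }
            } else {
                Write-Output "$pbk :: '$entry' already has UseRasCredentials=$($Matches[1])"
            }
        }
    }

    if ($changed) {
        Set-Content -LiteralPath $pbk -Value $lines
        Write-Output "$pbk :: updated"
    }
}
```

Run it once with -AuditOnly to see which connections on a workstation are still set to 1, then without it to fix them; any 4625 events on the DC carrying the Meraki username should stop for that machine after the next VPN connection.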
If you're using Meraki Cloud authentication, pretty sure nothing is supposed to be using your AD at all.
Is it possible maybe the end user accidentally put their Meraki credentials into maybe something else that is relying on AD to authenticate?
My thoughts exactly.
The event logs are showing 100's of attempts from a few users within the same time the event is logged, so there must be some sort of service or dependency that is attempting to use this VPN credential somewhere...
Thanks @Nash
Just so I fully understand you, do I need to run that on every workstation that uses the VPN?
Kind regards,
Phill
Every workstation that is having problems, yes. If you can deploy a PS script through a tool, it'll suck less. Otherwise it will need to be individually applied to each workstation.
Every time a VPN is created on that workstation, you'll need to modify the variable as well.
That's why I got lazy and baked it into our deployment process.
Aw, thanks, @Phill1. Despite not being an end user person, the one thing I am very good at is making the Meraki client VPN work in Windows. Especially on Windows 10, with its weird overlay on top of rasphone.