Windows 10 20h2 Kerberos problem via VPN

Hello,

we've got a business environment (Active Directory) with two Domain Controllers (both running Windows Server 2016, 1607, but with the latest updates). Our clients are still on Windows 10 1903. Now we want to upgrade the clients to Windows 10 20h2.
The upgrade process works fine, and while in the LAN we can connect to all file servers, SQL servers, etc. But when we are working remotely via VPN (Microsoft Azure Always On) we can't connect to the servers. The authentication to the servers doesn't seem to work (the VPN authentication works).

In Windows Explorer the user gets the error message:
"Microsoft Windows Network: The user name could not be found" (translated from German)

In SQL Management Studio (SQL Server) the user gets the error message:
"The target Principal Name is incorrect. The SSPI context could not be generated."

Can anyone give us a hint where we could look for the error?

Tags: windows-server, windows-10-network

Hello @ThiesLytix,

Can you post the text of the messages in German too? I suspect that the first message might be "Microsoft Windows Network: The network name cannot be found" ("Der Netzwerkname wurde nicht gefunden", error code 67, symbolic name ERROR_BAD_NET_NAME) - the name here is referring to a UNC path (not a user name).

Gary

Hello @ThiesLytix,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

GaryNebbett answered

Hello @ThiesLytix,

Try issuing the command cmdkey /delete:Domain:target=*Session and then checking whether you can access resources in the domain. The credentials used to authenticate with the VPN server are being used, for the duration of the logon session, to authenticate with resources in the domain.

Gary

Hey @GaryNebbett
this seems to be the right track. If we delete this entry, we can access the resources with an active VPN connection.
But the entry reappears when we disable and enable the VPN session.

Is there somewhere a setting for this?

Thanks,
Thies

DaisyZhou-MSFT answered

Hello @ThiesLytix,

Thank you for posting here.

Please troubleshoot as below:

1. Based on "The user name could not be found", did you use the domain user name? If so, check if the user name is indeed in the AD domain.

2. On the same domain-joined machine (upgraded to Windows 10 20h2), if you change to a different domain user name in Windows Explorer, do you receive the same error message?

3. For Windows 10 1903 (everything should be working fine on Windows 10 1903), check if all users receive the same error message in Windows Explorer.

From the three points above, please check if the issue occurs on all upgraded Windows 10 20h2 machines or only on one or several machines.

Please check if one user or all users receive the same error message on all upgraded Windows 10 20h2 machines or only on one machine.

4. Please check if DNS is working fine on the upgraded Windows 10 20h2 machine.


After you confirm the issue scope, you can try to capture a Netmon trace for the working case and the non-working case.

I assume users on Windows 10 1903 are working fine, but users on the upgraded Windows 10 20h2 are not working fine.

On Windows 10 1903 (working)

1. Choose the version for your system to download and install it as usual:
https://www.microsoft.com/en-US/download/details.aspx?id=4865
2. Run Network Monitor as administrator.
3. In the bottom left-hand corner, choose the NIC or NICs you want to capture.
4. Then click New Capture and the Start button.
5. Run ipconfig /flushdns to clean the DNS cache, run nbtstat -RR to clean the NetBIOS cache, and run klist purge to clear the credential cache.

6. In Windows Explorer, reproduce the issue (working case).
Then go back to the Network Monitor tool, click "Stop" on the Capture menu, and click "File"->"Save as" to save the captured files (Tip: Please remember the IP address and computer name of the source machine and target machine, and the time that the issue reoccurs).


On the upgraded Windows 10 20h2 (non-working)

1. Choose the version for your system to download and install it as usual:
https://www.microsoft.com/en-US/download/details.aspx?id=4865
2. Run Network Monitor as administrator.
3. In the bottom left-hand corner, choose the NIC or NICs you want to capture.
4. Then click New Capture and the Start button.
5. Run ipconfig /flushdns to clean the DNS cache, run nbtstat -RR to clean the NetBIOS cache, and run klist purge to clear the credential cache.

6. In Windows Explorer, reproduce the issue (non-working case).
Then go back to the Network Monitor tool, click "Stop" on the Capture menu, and click "File"->"Save as" to save the captured files (Tip: Please remember the IP address and computer name of the source machine and target machine, and the time that the issue reoccurs).

Please compare the working capture and the non-working capture (view the log at the point in time when the problem occurred).


Tip: As security or privacy information may be involved, the forum does not collect any logs and network packets. It is recommended that you or your team try to compare and analyze the network packets to see if you can find any clues.


Thank you for your understanding and support.

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

Hello @DaisyZhou-MSFT
thank you very much for your detailed answer.

Weirdly, we have now got one working machine in our network. The working and non-working ones are on the same Windows version, 19042.1052.
On both machines I'm logged in with the same AD user.

After the installation of the latest update I received a new message in explorer when opening a network share.
"The share "X" cannot be accessed. The given account is not available."

The mentioning of DNS brought us to the idea to test it with active VPN:
net view \\ServerName.Domain.local works fine

but
net view \\ServerName doesn't work. We get a "system error 5. Access denied" message here. But this works fine while being in the LAN.

Best regards

Hello @ThiesLytix,

This looks like another mix-up in the translation. I guess that you are seeing "Der angegebene Netzwerkname ist nicht mehr verfügbar" (error code 64, symbolic name ERROR_NETNAME_DELETED) and translating that as "The given account is not available" when the actual translation is "The specified network name is no longer available".

Thinking that there is a problem with account names may be leading your troubleshooting in the wrong direction...

Gary

Hello @DaisyZhou-MSFT and @GaryNebbett
sorry, I was on vacation, therefore I couldn't reply earlier. We did have a look into the Network Monitor and found two differences in the authentication. Both logs were recorded on the Domain Controller.
The successful authentication was/is with the computer cname; the failed authentication communicates with the cname username. I attached one screenshot.

(Both computers were run with the same user). We don't know why the authentication type is different.

Further the error messages are:
"Auf I:\ (network share name) kann nicht zugegriffen werden. Das angegebene Konto ist nicht vorhanden"
"Fehler bei der erneuten Verbindungsherstellung von I: mit \\domain.local\name\
Microsoft Windows network: Der Benutzername konnte nicht gefunden werden. Die Verbindung wurde nicht wiederhergestellt."

Thanks in advance.

GaryNebbett answered

Hello @ThiesLytix,

The following text, taken from https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-conditional-access, might be relevant:

Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources.

In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the Rasphone.pbk on the client by changing the entry UseRasCredentials from 1 (default) to 0 (zero).

Gary
Hey @GaryNebbett
when editing the Rasphone.pbk file the VPN connection works without any problems.

We'll look into our VPN configuration and deploy new Rasphone.pbk files to the clients.

Thank you very much for your support and patience!

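A PowerShell helper, added here as an example and not code from the thread or from Microsoft, that automates the two checks Gary describes: it reports whether the cached Domain:target=*Session VPN credential is present and sets UseRasCredentials=0 for one named Always On VPN profile in Rasphone.pbk. The profile name and the user-tunnel phonebook path under %APPDATA% are assumptions.

```powershell
# Added example (not from the thread). Assumes the user-tunnel phonebook is
# %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk and that the
# profile name passed in matches the [Section] header in that file.
param(
    [Parameter(Mandatory)] [string] $ProfileName,   # e.g. "Contoso AOVPN" (placeholder)
    [string] $Pbk = (Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
)

# 1. Detection: is the VPN session credential that cmdkey /delete:Domain:target=*Session
#    removes currently cached? While present it is reused for SMB/Kerberos auth to
#    domain resources for the rest of the logon session.
$cached = cmdkey /list | Select-String -Pattern 'Domain:target=\*Session'
if ($cached) { Write-Host "Cached VPN session credential found: $($cached.Line.Trim())" }
else         { Write-Host 'No Domain:target=*Session credential is cached.' }

# 2. Mitigation: Rasphone.pbk is INI-style, one [ProfileName] section per connection
#    followed by Key=Value lines. Flip UseRasCredentials to 0 only inside the target
#    section so other profiles are left untouched; keep a backup of the original.
if (-not (Test-Path $Pbk)) { throw "Phonebook not found: $Pbk" }
Copy-Item -Path $Pbk -Destination "$Pbk.bak" -Force

$inSection = $false
$changed   = $false
$out = foreach ($line in Get-Content -Path $Pbk) {
    if ($line -match '^\[(.*)\]\s*$') {            # section header: track current profile
        $inSection = ($Matches[1] -eq $ProfileName)
        $line
    }
    elseif ($inSection -and $line -match '^UseRasCredentials=') {
        if ($line.Trim() -ne 'UseRasCredentials=0') { $changed = $true }
        'UseRasCredentials=0'
    }
    else { $line }
}

if ($changed) {
    Set-Content -Path $Pbk -Value $out
    Write-Host "Set UseRasCredentials=0 for '$ProfileName' in $Pbk (backup: $Pbk.bak)."
} else {
    Write-Host "No change made: '$ProfileName' not found or already has UseRasCredentials=0."
}
```

Re-run the script after reconnecting the VPN: with UseRasCredentials=0 the Domain:target=*Session entry should no longer reappear, which is the behaviour Thies reports once the file was edited.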