Hi folks,
I've been tasked with resolving an issue that cropped up a couple months ago regarding Always On VPN. We have the VPN configured so that users can connect to the company network automatically on start-up. The primary purpose of this VPN is to allow access to company shares while working remotely. This VPN is deployed to our users via a PowerShell script that is run upon login via a GPO. The VPN itself appears to work just fine. People turn on their machines, connect to the VPN, and they can ping our network. There have been no changes to our network infrastructure in the past two months, and our VPN's configuration and deployment have remained the same as they were 3 years ago. The server's VPN certificate and the client's are both valid.
Many of our network shares are already mapped via Group Policy, and there seems to be no issue with users being able to connect to those. However, some sites have their own network shares that are not mapped via GPO, and when they are mapped manually or reached by a UNC path, users are presented with a prompt for their domain credentials and an error underneath stating:
"The system cannot contact a domain controller to service the authentication request. Please try again later."
If the user enters their credentials, 9 times out of 10, the drive is mapped and they can see the share, but if they log off or reboot, they have to go through this process again and remove the drive map before trying again.
Now, I'm pretty confused by the error, because in my testing, the client machine can ping our domain controllers both by name and IP, and resolution seems to be working in relation to the Group Policy mapped drives. In my testing, I've collected some event logs while on a remote client machine, and the system logs that I have collected have the event IDs 9, 1129, 40960, and 1048. These logs have to do with either DNS events about reaching the domain controller, or being unable to determine the revocation status of the domain controller certificate used for authentication, but in light of my connectivity tests, I'm not sure they're related.
I'm looking for more ways to test and diagnose the issue, but part of me doesn't know where to start looking. If anyone has any ideas and can point me in the right direction, it'd be greatly appreciated.
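Added example, not the poster's deployment script: a PowerShell checklist run on a connected client that tests what a UNC-path logon actually depends on over the tunnel, namely DC location via DNS SRV records and the DC locator, the AD service ports rather than ICMP, the user's Kerberos tickets, and the System events with the IDs cited above. The domain name is a placeholder.

```powershell
# Added diagnostic checklist (not from the original post). Run in the user's
# session while the Always On VPN tunnel is up. -Domain is a placeholder.
param(
    [string]$Domain = "corp.example.com",   # placeholder: your AD DNS domain
    [int]$Hours = 24                        # how far back to pull System events
)

# 1. Which VPN connection is up, and which interfaces carry DNS servers?
Get-VpnConnection -AllUserConnection | Select-Object Name, ConnectionStatus, SplitTunneling
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Can the client find a DC the way LSASS does (SRV lookup + DC locator)?
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Select-Object NameTarget, Port
$locator = nltest /dsgetdc:$Domain /force      # DC the locator picks, plus site/flags
$locator
nltest /sc_verify:$Domain                      # machine secure channel to that DC

# 3. Ping proves nothing about Kerberos/SMB; check the ports the logon needs.
$m = $locator | Select-String 'DC: \\\\(\S+)'
$dc = if ($m) { $m.Matches[0].Groups[1].Value }
if ($dc) {
    foreach ($port in 53, 88, 135, 389, 445, 464) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        "{0,-35} tcp/{1,-4} reachable={2}" -f $dc, $port, $r.TcpTestSucceeded
    }
} else {
    "DC locator returned no DC; the share prompt is expected until this works."
}

# 4. Does the user hold a TGT, and which service tickets (cifs/...) exist?
klist tgt
klist | Select-String 'Server:'

# 5. The System events the poster cited, oldest first, first line of each message.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 9, 1129, 40960, 1048
                                 StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If step 2 or 3 fails while ping succeeds, the tunnel is passing ICMP but not the DC locator or Kerberos/SMB traffic the share logon needs, which matches the "cannot contact a domain controller" text far better than a certificate problem would.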