Windows VPN Passing VPN Credentials to File Server

Marica Khatijah 156 Reputation points
2022-10-21T01:31:03.117+00:00

I have a situation where domain users are trying to access a file server. When they're local to the domain, no problem. When they're off-site and they're using a VPN, I found that the credential being passed to the Server is the one for the Windows built-in VPN client, NOT the domain credential.

When I go into Windows Credential Manager under "Windows Credentials," I find *session. The "*session" credential is the username and password that they use to log into the VPN that we're using, and that's the credential that's being used to try and authenticate to the file server.

For now, I've been able to keep things moving along by manually entering their Windows credential for our fileserver in the Credential Manager, but I'd like to find a better way for Windows to pass the domain credential, not the VPN one.

This happens on both Windows 10 Pro and 11 Pro machines. Our servers are all Server 2019.


2 answers

  1. Gary Nebbett 5,846 Reputation points
    2022-10-21T06:12:38.223+00:00

    Hello Marica,

    To suppress creation of this session wildcard credential, set UseRasCredentials to zero in the appropriate entry in the %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk file (by default, the UseRasCredentials key is present and set to one when a new entry is created); search the Internet for more information on UseRasCredentials.

    Gary


  2. Limitless Technology 44,081 Reputation points
    2022-10-24T08:16:34.333+00:00

    Hello there,

    There is a security policy setting that you can use: "Network access: Do not allow storage of passwords and credentials for network authentication": https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd349805(v=ws.10)#network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication

    By enabling this setting, VPN credentials are not stored and therefore are not used to attempt to authenticate to network resources like shared files and Exchange.

    You can find some workarounds here, where a similar topic was discussed: https://social.technet.microsoft.com/Forums/windows/en-US/0204464d-e32d-4584-966b-60788cce0d6f/disable-creation-of-vpn-quotsessionquot-credential-in-credential-manager-without-disabling-all?forum=winserversecurity

    --------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–

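The UseRasCredentials change described in the first answer, scripted in PowerShell as an added example that is not part of either answer. The function name `Set-UseRasCredentials`, the demo entry names and the sample phonebook contents are made up for illustration; the script assumes the phonebook is INI-style, with one `[EntryName]` section per connection and `Key=Value` lines beneath it.

```powershell
# Added example (not from the thread). Sets UseRasCredentials for ONE entry of a
# phonebook file, leaving every other entry and key untouched.
function Set-UseRasCredentials {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$EntryName,   # connection name as it appears in the [section] header
        [string]$PbkPath = "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk",
        [ValidateSet(0, 1)][int]$Value = 0
    )
    $inEntry = $false; $entryFound = $false; $keyFound = $false
    $out = foreach ($line in @(Get-Content -LiteralPath $PbkPath)) {
        if ($line -match '^\[(.+)\]\s*$') {
            # A new section starts; only the requested entry is edited.
            $inEntry = ($Matches[1] -eq $EntryName)
            $entryFound = $entryFound -or $inEntry
        }
        elseif ($inEntry -and $line -match '^UseRasCredentials=') {
            $keyFound = $true
            $line = "UseRasCredentials=$Value"
        }
        $line
    }
    if (-not $entryFound) { throw "No entry [$EntryName] in $PbkPath" }
    if (-not $keyFound)   { throw "Entry [$EntryName] has no UseRasCredentials key" }
    if ($PSCmdlet.ShouldProcess($PbkPath, "Set UseRasCredentials=$Value for [$EntryName]")) {
        Copy-Item -LiteralPath $PbkPath -Destination "$PbkPath.bak" -Force  # keep a rollback copy
        Set-Content -LiteralPath $PbkPath -Value $out
    }
}

# Demo on a constructed phonebook in a temp file; entry names and values are made up.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'rasphone-demo.pbk'
@'
[Corp VPN]
PhoneNumber=vpn.example.test
UseRasCredentials=1

[Lab VPN]
UseRasCredentials=1
'@ | Set-Content -LiteralPath $demo

Set-UseRasCredentials -EntryName 'Corp VPN' -PbkPath $demo
# Show the result: only [Corp VPN] should now read UseRasCredentials=0.
Select-String -LiteralPath $demo -Pattern '^\[|^UseRasCredentials='
```

Run with `-WhatIf` first to confirm which file and entry would be changed; omitting `-PbkPath` targets the per-user phonebook path named in the first answer.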