Issue Accessing Network shares over Always On VPN

Cameron James 0 Reputation points
2024-06-28T18:05:09.0033333+00:00

Hi folks,

I've been tasked with resolving an issue that cropped up a couple of months ago regarding Always On VPN. We have the VPN configured so that users can connect to the company network automatically on start-up. The primary purpose of this VPN is to allow access to company shares while working remotely. This VPN is deployed to our users via a PowerShell script that is run upon login via a GPO. The VPN itself appears to work just fine. People turn on their machines, connect to the VPN, and they can ping our network. There have been no changes to our network infrastructure in the past two months, and our VPN's configuration and deployment have remained the same as they were 3 years ago. The server's VPN certificate and the client's are both valid.

Many of our network shares are already mapped via group policy, and there seems to be no issue with users being able to connect to those. However, some sites have their own network shares that are not mapped via GPO, and when they are mapped manually or reached by a UNC path, users are presented with a prompt for their domain credentials and an error underneath stating:

"The system cannot contact a domain controller to service the authentication request. Please try again later."

If the user enters their credentials, 9 times out of 10, the drive is mapped and they can see the share, but if they log off or reboot, they have to go through this process again and remove the drive map before trying again.

Now, I'm pretty confused by the error, because in my testing, the client machine can ping our domain controllers both by name and IP, and resolution seems to be working in relation to the group policy mapped drives. In my testing, I've collected some event logs while on a remote client machine, and the system logs that I have collected have the event IDs 9, 1129, 40960, and 1048. These logs have to do with either DNS events about reaching the domain controller, or being unable to determine the revocation status of the domain controller certificate used for authentication, but in light of my connectivity tests, I'm not sure they're related.

I'm looking for more ways to test and diagnose the issue, but part of me doesn't know where to start looking. If anyone has any ideas and can point me in the right direction, it'd be greatly appreciated.


1 answer

    Jing Zhou 5,210 Reputation points Microsoft Vendor
    2024-07-03T09:29:23.7533333+00:00

    Hello,


    Thank you for posting in the Q&A forum. This issue usually comes from SMB configuration or domain connection. Please kindly troubleshoot the issue by following the steps below:

    1. Open a PowerShell window and run the command Get-SmbClientConfiguration on your client.

    2. Open a PowerShell window and run the command Get-SmbClientConfiguration on the issued SMB server.

    3. Compare the SMB configurations and check whether there is any difference between the SMB client and server.

    4. Open a CMD window and run the command telnet <SMB server IP> 445 to check the TCP connection on TCP port 445.

    5. Reproduce the issue and capture a network trace with Wireshark or Network Monitor to check at which step the SMB connection fails.

    6. Clear the DNS cache on both the SMB client and the SMB server.


    Best regards,

    Jill Zhou




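As an added example (not part of the question or the answer), this PowerShell script runs the checks the answer lists (SMB client configuration comparison, TCP 445 reachability) together with the domain-controller locator, Kerberos/LDAP port and event-log checks that the question's error message and event IDs point at. The domain name and share host are placeholders, and the configuration comparison assumes PowerShell remoting (WinRM) is enabled on the share host.

```powershell
# Added diagnostic script (not part of the original Q&A). Run in an elevated
# PowerShell session on an affected client while it is connected to the VPN.
# $Domain and $SmbServer are placeholders to replace; everything else uses
# built-in cmdlets and tools only.
param(
    [string]$Domain    = 'corp.example.com',  # placeholder
    [string]$SmbServer = 'fileserver01'       # placeholder, the share host
)

# 1. DC locator. The SRV lookup is what the locator uses; nltest shows the
#    DC it actually picked. "Cannot contact a domain controller" starts here.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
$srv | Select-Object NameTarget, Port | Format-Table -AutoSize
nltest /dsgetdc:$Domain

# 2. The ports share access really needs, not just ICMP: Kerberos (88) and
#    LDAP (389) to each DC, SMB (445) to the share host (step 4 of the answer).
$targets = @()
foreach ($dc in ($srv.NameTarget | Select-Object -Unique)) {
    $targets += [pscustomobject]@{ Host = $dc; Port = 88 }
    $targets += [pscustomobject]@{ Host = $dc; Port = 389 }
}
$targets += [pscustomobject]@{ Host = $SmbServer; Port = 445 }
$targets | ForEach-Object {
    $r = Test-NetConnection -ComputerName $_.Host -Port $_.Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $_.Host; Port = $_.Port; Address = $r.RemoteAddress; Open = $r.TcpTestSucceeded }
} | Format-Table -AutoSize

# 3. SMB client settings on this client versus on the server (steps 1-3 of the
#    answer). Only properties that differ are printed.
$local  = Get-SmbClientConfiguration
$remote = Invoke-Command -ComputerName $SmbServer -ScriptBlock { Get-SmbClientConfiguration }
foreach ($p in $local.PSObject.Properties.Name) {
    if ("$($local.$p)" -ne "$($remote.$p)") {
        '{0,-40} client={1,-10} server={2}' -f $p, $local.$p, $remote.$p
    }
}

# 4. The System-log events the question mentions, last 24 hours, first line of
#    each message, so they can be lined up against the timestamps from steps 1-2.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 9, 1129, 40960, 1048; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If step 1 returns no SRV records or nltest fails while pings by name still succeed, the problem is DC discovery over the VPN (DNS suffix or SRV resolution) rather than basic connectivity, which would match the error text even though ICMP works.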