AD credentials refresh after login

Alexandru 1 Reputation point
2021-04-14T10:18:04.083+00:00

Hi,

We are implementing an AD infrastructure, and we ran into an issue with remote colleagues: they log in remotely (so with stored AD credentials), and after that they open a VPN to the office. When they try to access shared resources, they get denied, as they are not actually logged in to the domain.

The only way I found so far is to log in to the VPN, log off from Windows and log in again while the VPN is up. We use a 3rd party VPN solution, so we can't implement Always On VPN, or at least we don't have another dedicated Windows server to implement VPN.

Is there any way they can actually refresh their AD login after connecting to the VPN, from a script or something?

Thank you,

Alex

Active Directory

7 answers

  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-04-15T02:57:28.053+00:00

    Hello @Alexandru ,

    Thank you for posting here.

    To better understand your question, please confirm the following information at your convenience.

    1. Which domain does the machine belong to (such as domain 1), and then the user logs in to initiate a remote using stored AD credentials?

    2. Which domain account does the user belong to (such as domain 1), and then the user logs in to initiate a remote using stored AD credentials?

    3. Which domain does the stored AD credentials belong to (such as domain 2)?

    4. Based on "and after that they open a VPN to the office. When they try to access shared resources, they get denied, as they are not actually logged in to the domain." Is there a credential dialog box popping up for you to provide credentials when they try to access shared resources?

    5. If so, what domain credential did you provide (such as domain credential in domain 2)?

    6. Would you please provide the screenshot with error message when they get denied?

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. Alexandru 1 Reputation point
    2021-04-15T12:47:54.723+00:00

    Thank you for the answer Daisy!

    We have a single domain. The computer is registered to the domain, but as the colleague is not in the office, he/she logs in offline. Then she connects to the VPN and so reaches the office network. The NAS shared folder is mapped as a network drive and fails to connect.

    If she connects to the VPN, logs off, and back in (so the VPN is active), everything works ok. This is getting frustrating though, as the VPN may disconnect during the day, so they need to close all opened files and apps in order to log back in.
    I attached the requested screenshot.

    88110-sharedfolder.png

    Thank you,
    Alex


  3. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-04-16T09:14:19.22+00:00

    Hello @Alexandru ,

    Thank you for your update.

    We can run the following commands to see if it helps.

    klist purge and klist purge -li 0x3e7

    nltest /sc_verify:domain name

    88565-nl1.png

    Nltest
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)

    Best Regards,
    Daisy Zhou

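The commands from the answer above, combined into one script to save as a .ps1 file and run after the VPN connects (an added example, not part of the original thread; the `$Domain` parameter and the need for an elevated prompt are assumptions):

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell prompt
# (needed to touch the LocalSystem logon session) and an active VPN tunnel.
param(
    [Parameter(Mandatory)]
    [string]$Domain   # assumed parameter: the AD DNS domain name passed to nltest
)

# 1. Verify the machine's secure channel to a domain controller.
#    Without a reachable DC, purging tickets cannot help.
$sc = & nltest.exe "/sc_verify:$Domain" 2>&1
$sc | ForEach-Object { Write-Host $_ }
$verified = $sc -match 'Trust Verification Status = 0 0x0 NERR_Success'
if ($LASTEXITCODE -ne 0 -or -not $verified) {
    Write-Warning "Secure channel check failed for $Domain; is a domain controller reachable over the VPN?"
    exit 1
}

# 2. Purge cached Kerberos tickets for the current user session and for
#    the machine account (LocalSystem logon session 0x3e7).
& klist.exe purge
& klist.exe purge -li 0x3e7

# 3. List the tickets the user session holds now. New tickets are requested
#    the next time a domain resource is accessed.
& klist.exe
```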

  4. Alexandru 1 Reputation point
    2021-04-16T14:47:35.61+00:00

    Hi,

    I tried the commands, but there's no change.
    PS C:\Windows\system32> klist purge

    Current LogonId is 0:0xf91c9b
    Deleting all tickets:
    Ticket(s) purged!
    PS C:\Windows\system32> klist purge -li 0x3e7

    Current LogonId is 0:0xf91c9b
    Targeted LogonId is 0:0x3e7
    Deleting all tickets:
    Ticket(s) purged!

    PS C:\Windows\system32> klist purge -li 0xf91c9b

    Current LogonId is 0:0xf91c9b
    Deleting all tickets:
    Ticket(s) purged!
    PS C:\Windows\system32> nltest /sc_verify:ad.sipstatus.com
    Flags: b0 HAS_IP HAS_TIMESERV
    Trusted DC Name \SSTADDC2.ad.sipstatus.com
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    Trust Verification Status = 0 0x0 NERR_Success
    The command completed successfully
    PS C:\Windows\system32>

    I noticed here that the trusted DC is the backup domain controller (ADDC1 is the master). Not sure if this has any impact, but it seemed strange.

    Thank you,
    Alex


  5. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-04-19T07:52:00.707+00:00

    Hello @Alexandru ,

    Thank you for your update.

    If the above does not work, I think we should connect to the VPN and, after connecting to the VPN, sign out and sign in again to connect to the domain, as you mentioned in the original post.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou
