Using Azure VPN Point To Site can not access to shares in remote VNet

Gabriel González S 1 Reputation point
2021-06-30T20:04:19.997+00:00

Hi ,

I have a successfully connected a device (Windows 10 - 19042.1052) with an Azure VM (Domain controller - Windows Server 2019) located in VNet through VPN Point to site. The VPN authentication is certificate-based and protocols are IKEv2 + SSTP.

The following tests were performed but some failed, then I need your help to solve them:

Tests from device:

  • ipconfig (I can see the VPN IP address assigned to my device and the DNS server) ... it works
  • nslookup (I can query the domain controller in Azure) ... it works
  • Ping from device to Azure VM IP address located in VNet ... it works!

But:

1) Ping from device to Azure VM using FQDN ... it does not work
The error is: **Ping request could not find host "fqdn". Please check the name and try again.**

It happens in most client devices (4 of 5 devices tested).

2) When VPN P2S is connected, all tested devices can see the shares (netlogon and sysvol) on the Azure VM Domain Controller, but credentials are requested to access them. I type the right credentials but it does not work; it asks for them again and again. Then I cannot make group policy work because the device cannot query the sysvol folder.

I checked the following link about VPN P2S issues and solutions, but none of them solved my issue:

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems


Any help would be appreciated


1 answer

  1. GitaraniSharma-MSFT 47,011 Reputation points Microsoft Employee
    2021-07-07T12:13:36.29+00:00

    Hello @GS-1345 ,

    Apologies for the delay in response.

    1) Ping from device to Azure VM using FQDN does not work:
    In order to resolve Azure hostnames from on-premises computers, you need to forward queries to your own managed DNS proxy server in the corresponding virtual network, so that the proxy server can forward queries to Azure for resolution.
    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances


    2) When VPN P2S is connected, you cannot access shares in the remote VNet:
    As mentioned here, when the connection is initiated, the VPN client adds the session credentials and the failure occurs. After the connection is established, the client is forced to use the cached credentials for Kerberos authentication. To work around the problem, disable the caching of domain credentials via the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableDomainCreds - Set the value to 1

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
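The following PowerShell script is an added example that is not part of the thread above and is not Microsoft's own tooling. It packages the two checks the answer describes so they can be run on the Windows 10 client from an elevated prompt: it compares name resolution of the DC's FQDN through the client's normal resolver with a query sent directly to the DNS server in the VNet (so you can tell whether the VNet DNS server answers but the client is simply not using it), and it reads and, only on request, sets the `DisableDomainCreds` value under the Lsa key. The FQDN `dc01.corp.example.local` and the DNS server address `10.0.0.4` are placeholders, not values from the thread.

```powershell
# Added example (not from the Q&A thread): diagnose the two P2S symptoms above.
# Placeholders: replace $Fqdn and $VNetDnsServer with your own DC name / VNet DNS IP.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Fqdn = 'dc01.corp.example.local',   # placeholder: the domain controller's FQDN
    [string]$VNetDnsServer = '10.0.0.4',          # placeholder: DNS server / proxy inside the VNet
    [switch]$DisableDomainCredCache               # apply the registry workaround from the answer
)

# Compare the client's system resolver with a query sent straight to the VNet DNS server.
# nslookup "working" while ping fails usually means exactly this split: nslookup talks to
# the server you name, ping goes through the system resolver.
function Test-VpnNameResolution {
    param([string]$Name, [string]$Server)
    $result = [ordered]@{ Name = $Name; SystemResolver = $null; DirectQuery = $null }
    try {
        $a = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
        $result.SystemResolver = ($a.IPAddress -join ',')
    } catch { $result.SystemResolver = "FAILED: $($_.Exception.Message)" }
    try {
        $a = Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction Stop | Where-Object Type -eq 'A'
        $result.DirectQuery = ($a.IPAddress -join ',')
    } catch { $result.DirectQuery = "FAILED: $($_.Exception.Message)" }
    [pscustomobject]$result
}

# Which interfaces (if any) list the VNet DNS server? The VPN adapter should be among them.
function Get-InterfacesUsingDns {
    param([string]$Server)
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -contains $Server } |
        Select-Object InterfaceAlias, ServerAddresses
}

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Read DisableDomainCreds; a missing value behaves like 0 (caching allowed).
function Get-DomainCredCacheSetting {
    $v = Get-ItemProperty -Path $LsaKey -Name DisableDomainCreds -ErrorAction SilentlyContinue
    if ($null -eq $v) { 0 } else { [int]$v.DisableDomainCreds }
}

# Write DisableDomainCreds; honours -WhatIf so the change can be previewed first.
function Set-DomainCredCacheSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$Value)
    if ($PSCmdlet.ShouldProcess("$LsaKey\DisableDomainCreds", "Set DWORD to $Value")) {
        New-ItemProperty -Path $LsaKey -Name DisableDomainCreds -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

# --- 1) FQDN resolution over the P2S tunnel ---
$res = Test-VpnNameResolution -Name $Fqdn -Server $VNetDnsServer
$res | Format-List
if ($res.SystemResolver -like 'FAILED*' -and $res.DirectQuery -notlike 'FAILED*') {
    Write-Warning "$VNetDnsServer answers for $Fqdn, but the client's resolver does not use it. Forward the client's queries to the DNS proxy/server in the VNet, as described in the answer."
}
"Interfaces configured with ${VNetDnsServer}:"
Get-InterfacesUsingDns -Server $VNetDnsServer | Format-Table -AutoSize

# --- 2) Cached domain credentials used for Kerberos over the tunnel ---
"Current DisableDomainCreds: $(Get-DomainCredCacheSetting)"
if ($DisableDomainCredCache) {
    Set-DomainCredCacheSetting -Value 1
    "DisableDomainCreds now: $(Get-DomainCredCacheSetting)"
}
```

Run it first without `-DisableDomainCredCache` to see the resolution comparison and the current registry value, then with `-DisableDomainCredCache -WhatIf` to preview the write before applying it. Note that `DisableDomainCreds` is the registry backing for the security policy "Network access: Do not allow storage of passwords and credentials for network authentication": setting it to 1 stops Credential Manager from storing domain credentials on the client, which is a hardening setting in its own right, but also means any saved network credentials on that device will no longer be available.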