VPN user restricted login to workstations cannot login to VPN server


We have a vendor that requires Domain Admin access on the servers where their software is deployed. (Obviously we want to restrict them to only being able to log in to the servers where their software is deployed.) In AD, we have used the "Log On To..." to restrict that user to those particular servers.

However, our VPN (Sonicwall NSA 2400) cannot authenticate the user when restricted servers are set. It returns: "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1". According to this, the error is that the Sonicwall is not a permitted workstation. I have added the IP of the Sonicwall to the allowed workstations, but it has not removed the error. When I change the logon restriction to all workstations, the user is allowed to log in to the VPN and the Sonicwall says login successful.

Is there a way I can get the Sonicwall to authenticate the user while still keeping the restricted login? I am open to alternatives to our method.










      active-directory vpn sonicwall






asked Jul 26 '13 at 15:04 by AWippler; edited May 23 '17 at 12:41 by Community





1 Answer
Sounds like the reason it can't authenticate is that the user can't authenticate against the DC, as it's not one of the servers you've allowed access to.

If you allow the connection across the board as you've suggested, and then limit the access for that user to only allow remote access to specific servers on the individual servers in question, then he should be able to auth against the DC but not log into it.

Hope that made sense.






• I have added the user to allow login to the Domain controller that authenticates the VPN connections. This is allowing access, but would like to limit the user to not even be able to remote to the domain controller. – AWippler, Jul 26 '13 at 15:46

• If you go onto the domain controller and navigate to Control Panel > System and Security > System. Click remote settings, at the bottom go to select users and make sure he's not in that list, and is not a member of an AD group that is in that list. – Welshname, Jul 26 '13 at 15:52













answered Jul 26 '13 at 15:37 by Welshname
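The answer's approach (drop the "Log On To..." restriction so the firewall's LDAP bind succeeds, then keep the vendor account off the domain controller's Remote Desktop Users list), as an added PowerShell example that is not part of the question or the answer. It assumes the ActiveDirectory module on a domain-joined host; the account name svc-vendor is a placeholder.

```powershell
# Added example, not code from the question or the answer: implements the answer's
# approach with the ActiveDirectory module. The account name is a placeholder.
Import-Module ActiveDirectory

$VendorUser = 'svc-vendor'            # placeholder: the vendor's domain account
$DcRdpGroup = 'Remote Desktop Users'  # Builtin group shown in the DC's Remote settings

function Show-LogonWorkstations {
    # The "Log On To..." list lives in the userWorkstations attribute. While it is set,
    # an LDAP bind for this user from a host not in the list fails with "data 531",
    # which is what the firewall reports.
    param([string]$User)
    $u = Get-ADUser -Identity $User -Properties LogonWorkstations
    if ($u.LogonWorkstations) { $u.LogonWorkstations } else { '(all workstations)' }
}

function Clear-LogonWorkstations {
    # Step 1 of the answer: allow the logon "across the board" so the bind from the
    # VPN appliance succeeds.
    param([string]$User)
    Set-ADUser -Identity $User -Clear userWorkstations
}

function Test-DcRdpMembership {
    # Step 2 (the comment on the answer): the account must not be in the DC's
    # Remote Desktop Users list, directly or through a nested group.
    param([string]$User, [string]$Group)
    $members = Get-ADGroupMember -Identity $Group -Recursive
    return [bool]($members | Where-Object { $_.SamAccountName -eq $User })
}

"Before: $(Show-LogonWorkstations -User $VendorUser)"
Clear-LogonWorkstations -User $VendorUser
"After:  $(Show-LogonWorkstations -User $VendorUser)"

if (Test-DcRdpMembership -User $VendorUser -Group $DcRdpGroup) {
    Write-Warning "$VendorUser can still reach the DC over RDP via '$DcRdpGroup'."
} else {
    "$VendorUser is not in '$DcRdpGroup' on the domain controllers."
}

# Note (default DC policy, not stated on the page): members of the DC's Administrators
# group, which includes Domain Admins, are allowed RDP logon to domain controllers by
# default, so for a Domain Admin account this group check alone does not block RDP to the DC.
```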












