[pptp-server] NT Domain Logon via VPN

Christopher Kalos ckalos at gothambroadband.com
Wed Oct 3 14:15:27 CDT 2001

	What about the user himself?  Is there any way to authenticate him to the
NT domain from an arbitrary system on the VPN, provided the VPN *server* is
on the domain (which it is?)  I know I'm getting into much hairier stuff now
in regards to what systems are trusted on a domain and which are not, but
it's going to prove difficult to add some of these systems to the domain
over the 3000+ miles that we're currently separated by anyway.

Complexities abound,
Christopher Kalos

-----Original Message-----
From: pptp-server-admin at lists.schulte.org
[mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Cowles, Steve
Sent: Wednesday, October 03, 2001 3:07 PM
To: Poptop Mailing List
Subject: RE: [pptp-server] NT Domain Logon via VPN

> -----Original Message-----
> From: Christopher Kalos [mailto:ckalos at gothambroadband.com]
> Sent: Wednesday, October 03, 2001 11:48 AM
> To: Poptop Mailing List
> Subject: [pptp-server] NT Domain Logon via VPN
> 	I know I've seen this under some implementation of the
> VPN client for Windows 2000, and I'm wondering how (or if!)
> it's possible with PoPToP and Samba.  After the initial
> connection, it should be possible with the MS VPN Server to
> force the Win2000 client to return a login dialog requiring
> the user to enter their NT username, password, and domain.
> 	Is there a way to enable this for the PPTP server so
> that VPN systems are also part of the Windows Domain and
> Domain users can log on with full rights, regardless of the
> system that they connect from?

Conceptually, not a bad idea. And I'm sure someone could write a program to
prompt for the username/password/domain after the PPTP session is
established. But you will still be faced with the problem of how the PPTP
client will "first" join that domain. i.e. Without first joining the domain
(SID), your domain logon credentials (rights) are meaningless.

FWIW: I have been successful at joining an MS domain across a PPTP session,
but then I also had admin rights to do so. This is where the real problem
lies in what you are proposing for your average user, or better yet,
maintaining a decent security model.

Steve Cowles