#1 engine411 (Master Untangler, joined Dec 2008, 269 posts)

OpenVPN, updated, can't connect on Untangle 15.0

Untangle 15.0 (not 15.1). I did the recommended routine for OpenVPN to address the MD5 issue: wipe the app, reinstall, send out new client configs for my clients. That all was fine and easy.
Now, some workers with personal laptops can't log in to their work computers. They can connect to the computer, but not log in. Personal laptops are not on the corporate Windows domain; work computers are. This wasn't a problem up until now; in the Remote Desktop dialog, we added the domain name to the computer name and it worked fine.

The issue ONLY surfaced since I've changed the OpenVPN. I've tried the connection exe generated from Untangle, I tried the OpenVPN app 2.4.9, and I tried the Connect v3 app too. They all connect to the Untangle easily, and I can start the Remote Connection process to the computer - it connects to the computer and gives me the sign-in prompt - but after entering username and password (including with the domain name prefixed to the username), it always gives the error (I think from the Windows side) "a user account restriction is preventing you from signing on".

    Ideas?
    Last edited by engine411; 07-09-2020 at 01:25 PM.
    Lonnie, in Bird-in-Hand, Pennsylvania, a Firefighter to the Core (i7)
    Owner - Kauffman's Fruit Farm & Market

#2 Jim.Alles (Untangle Ninja, Central PA, joined Jul 2008, 2,523 posts)

Haven't had time to grok it,

but start the client with "Run as administrator" on Windows?

#3 johnsonx42 (Untangle Ninja, joined Jan 2011, 1,298 posts)

    While I'd expect a different symptom if this were the issue, do you have OpenVPN NAT enabled? That's the only thing I can think of that could be different. I tend to doubt it actually has anything to do with OpenVPN, I suspect you'll eventually find something else changed around the same time.

#4 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 25,093 posts)

Clients not on the domain connecting to domain devices need to use domain\username syntax when accessing domain resources.

    The only other thing I can think of is they're not actually connecting because in the nuke and pave you forgot to push DNS settings that work for AD DNS. That's not automatic!

    There are more settings in that module than just the clients themselves!
    Last edited by sky-knight; 07-09-2020 at 07:06 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#5 johnsonx42 (Untangle Ninja, joined Jan 2011, 1,298 posts)

Quote Originally Posted by sky-knight:
        The only other thing I can think of is they're not actually connecting because in the nuke and pave you forgot to push DNS settings that work for AD DNS. That's not automatic!

    He seems to be getting the basic RDP port 3389 connection, otherwise where is the "user account restriction" message coming from? But then my suggestion about OpenVPN NAT doesn't make sense either, unless there's a security policy somewhere that would differentiate between an RDP logon from the local LAN IP (NAT on) vs a foreign IP (NAT off).

#6 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 25,093 posts)

Quote Originally Posted by johnsonx42:
        He seems to be getting the basic RDP port 3389 connection, otherwise where is the "user account restriction" message coming from? But then my suggestion about OpenVPN NAT doesn't make sense either, unless there's a security policy somewhere that would differentiate between an RDP logon from the local LAN IP (NAT on) vs a foreign IP (NAT off).

    You're right, that specific error message comes about due to one thing and one thing only... the account being used to access the machine lacks the rights to access the machine.

    It's all local security policy, which is either handled via membership in the Remote Desktop Users group, or group policy. None of it has anything to do with OpenVPN, and I haven't a clue how replacing the module has triggered this condition. The authentication event and the user rights assignment are done separately.

    Unless perhaps there's an OpenVPN site-to-site tunnel separate of all this that isn't working correctly? A member server or workstation that's a domain member that cannot locate a domain controller MIGHT present that error. But that's stretching...
    Last edited by sky-knight; 07-09-2020 at 08:35 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#7 Jim.Alles (Untangle Ninja, Central PA, joined Jul 2008, 2,523 posts)

    Passwords expired at some time while the previously established connections were nailed-down?

    I am still grasping at straws.

#8 engine411 (Master Untangler, joined Dec 2008, 269 posts)

    Great suggestions guys, thank you all.

    I tried it again on a domain laptop, using wifi on my phone like I'd be at a coffee shop. Everything works perfectly.
The personal laptop (non-domain) that I was using yesterday had a Gmail account on it. Maybe the Gmail account is screwing this up. I used the "Other Signin" option on the RDP dialog and I used the domain credentials like DOMAIN\COMPUTER and DOMAIN\USER.

    • @rob There is no site-to-site VPN here. The user DOES have rights to the computer. The user can log in to the work computer perfectly from a domain laptop - same as I described above. When we try doing this from the personal laptop, the VPN connects, we can hit the computer, but the user can't log in.
    • @rob As far as DNS, I pushed the client exe and then I add this to the config: dhcp-option DNS 10.41.1.20. This lets us use the hostname to connect rather than the IP of the computer. Do I need more than this in the config?
    • @jim NAT OpenVPN traffic is on. Box is checked. You're saying it should be OFF?
    Lonnie, in Bird-in-Hand, Pennsylvania, a Firefighter to the Core (i7)
    Owner - Kauffman's Fruit Farm & Market

#9 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 25,093 posts)

    The 2nd two points you bring up here are arguably flak...

DNS resolution simply enables the use of names instead of IP addresses. If you're testing with IP addresses, that entire set of variables is removed. OpenVPN and RDP simply do not care about DNS, but the human does because DNS names are easier to remember, not to mention they can deal with IP address changes that happen over time. So this is a separate issue.

    If you're getting an error mentioning user rights, that means the user is connecting successfully, and they are authenticating successfully, and yet they do not have rights. If you're reporting this same user can use another laptop and connect just fine, then the rights are certainly present but there's something wrong with the RDP client on the machine in question that's not connecting. On that unit, I'd try searching for Credential Manager in the search box, then hitting Windows Credentials. The very top section for Windows Credentials is going to have some TERMSRV entries; nuke them and try again.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#10 engine411 (Master Untangler, joined Dec 2008, 269 posts)

    Hi all,
    I think we solved this. The issue turned out to be the TERMSRV entries in the Credential Manager. So I was wrong in stating, or at least implying, that OpenVPN was the issue. I found on two other domain laptops that the new VPN version both installed without complaint *and* operated without complaint. Next time, I will test the issue/symptoms on more computers to weed out the one (in this case, one laptop) odd offending device.
    Many thanks to all on this thread.
    Lonnie, in Bird-in-Hand, Pennsylvania, a Firefighter to the Core (i7)
    Owner - Kauffman's Fruit Farm & Market
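As an added example (not posted in the thread), here is a PowerShell script that does the Credential Manager clean-up sky-knight describes from the command line instead of the GUI: it lists the TERMSRV entries that cmdkey reports for the current user and, with -Remove, deletes the cached credential for one host so the next RDP connection prompts for fresh credentials. The host name and the exact cmdkey output layout shown in the comments are assumptions.

```powershell
# Added example, not from the thread. Lists the TERMSRV/* entries that
# mstsc.exe caches in Windows Credential Manager (the "Windows Credentials"
# section) and, with -Remove, deletes the ones for one host so the next RDP
# connection prompts for fresh credentials. Run it as the user whose RDP
# logon fails; cmdkey only sees that user's vault. $TargetHost is a
# placeholder you supply.
param(
    [string]$TargetHost,   # e.g. 'workpc01' or 'workpc01.corp.example' (assumed)
    [switch]$Remove
)

# cmdkey /list prints each saved credential as a block, typically:
#     Target: Domain:target=TERMSRV/workpc01
#     Type: Domain Password
#     User: CORP\someuser
# Only the TERMSRV/<host> part of each Target line is needed here.
$termsrv = cmdkey /list | ForEach-Object {
    if ($_ -match 'Target:.*?(TERMSRV/\S+)') { $Matches[1] }
}

if (-not $termsrv) {
    Write-Host 'No TERMSRV entries in this user''s Credential Manager.'
    return
}

Write-Host 'Cached RDP credentials:'
$termsrv | ForEach-Object { Write-Host "  $_" }

if ($Remove) {
    if (-not $TargetHost) { throw 'Specify -TargetHost together with -Remove.' }
    # Match the host with or without a DNS suffix; -like is case-insensitive.
    $stale = $termsrv | Where-Object {
        ($_ -split '/', 2)[1] -like "$TargetHost*"
    }
    if (-not $stale) {
        Write-Host "No cached credential for $TargetHost."
        return
    }
    foreach ($entry in $stale) {
        # cmdkey /delete takes the same TERMSRV/<host> target name it listed.
        cmdkey "/delete:$entry" | Out-Null
        Write-Host "Removed $entry"
    }
}
```

Running it without -Remove is a safe audit step: it shows which hosts have a stale saved credential before anything is deleted.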
