
Just set up a site-to-site VPN, hardware-based. Site 1: WinXP; site 2: SBS2k3. Site 1 is 192.168.1.0/24, site 2 is 192.168.0.0/24.

A site 2 user can authenticate into the site 1 XP computer's network share using a local user account on the site 1 computer. WinXP prompts for auth, username & password entered, share works!

A site 1 user tries to connect to a site 2 share, auth pops up, enters credentials, but it's not working :(

From my research, I think the SBS2k3 server needs to have the subnet of site 1 added to its subnets (AD Sites & Services MMC, Sites > Subnets), so I have added that subnet.

Question 1: I also added the site 2 subnet to it. Not sure if it is correct to have both in there. Both subnets' site value = Default-First-Site-Name

Authentication from site 1 to the site 2 share is still not working. When prompted for credentials I am entering 192.168.0.4\username@smallbusiness.local and the password, which I have created inside the SBS Server Management MMC, Advanced Mgmt > AD U & C > smallbusiness.local > Users, but it just keeps reprompting me to authenticate again. Local users at site 2 using a Windows machine on the local network can access the share; auth works for them.

Question 2: Do I need to do something with Inter-Site Transports? My research makes it seem like that is for replication between sites, and I don't think I need that?

Question 3: Do any ports in the firewall need to be open for authentication to work? It works from site 2 -> site 1 without any open ports, so I think this is an SBS2k3 issue...

thanks

Steve Wasiura
  • I just tried to access the default web site on the SBS server at site 2, from site 1, and it said "your IP address is not allowed". So I went into IIS, added my 192.168.1.0/24 address, apply, try again; this time it prompted for login, I used the admin account & password, and it showed me the default SBS website. But file sharing is still not working, still prompted for auth over & over. Don't know if that info helps – Steve Wasiura Jul 29 '11 at 18:21

1 Answer

AD Sites and Subnets doesn't have anything to do with authentication in the sense that you think it does. The fact that you have or don't have anything set up in ADS&S isn't why your authentication is failing. Your authentication is failing because you're using the wrong credentials. If you set up a user in AD then you can authenticate as that user via the pre-Windows 2000 logon name (domain\username) or via the UPN (username@domainSuffix). It looks like you're trying to combine the two. Pick one.

In addition, make sure that the user that you're authenticating as has the appropriate permissions on the resource that you're authenticating against (Share permissions and NTFS permissions).

joeqwerty
  • Thanks, but I originally tried the UPN, then the Dm\Un, and finally the combination. I also went onsite, and successfully logged onto the server from another PC on the LAN using the credentials (simply username & password, no @suffix nor domain prefix), so I know the user account exists and the password is correct. I'm really stumped here :( – Steve Wasiura Aug 01 '11 at 14:32
  • Does the user you're authenticating as have appropriate Share and NTFS permissions on the share that you're trying to access? – joeqwerty Aug 01 '11 at 17:17
  • yes, accessing the share from inside the network works quickly & perfectly. read & write verified. thanks – Steve Wasiura Aug 02 '11 at 02:03
  • Are there any restrictions for traffic transiting the VPN? Is it possible that the authentication traffic is being blocked? – joeqwerty Aug 02 '11 at 12:20
  • Hmm, I don't know. Is there a port or service I need to be aware of for authenticating? I haven't explicitly blocked anything on the firewall device, but maybe I have to open something up to allow it? – Steve Wasiura Aug 05 '11 at 02:45
  • This document tells you what's needed (it's for W2K but is applicable for W2K3 and W2K8 as well). http://www.microsoft.com/download/en/confirmation.aspx?id=16797 – joeqwerty Aug 05 '11 at 03:07
  • The relevant portion is: "A user network logon across a firewall uses the following:
    • Microsoft-DS traffic (445/tcp, 445/udp)
    • Kerberos authentication protocol (88/tcp, 88/udp)
    • Lightweight Directory Access Protocol (LDAP) ping (389/udp)
    • Domain Name System (DNS) (53/tcp, 53/udp)" – joeqwerty Aug 05 '11 at 03:08
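The two causes raised in this thread, a logon name typed in a form Windows does not accept (the answer) and logon ports blocked on the VPN path (the last comment), can be checked from the site 1 side with a small script. The following is an added Python example, not code from either poster or from Microsoft. The function names, the injectable `connect` probe and the 192.0.2.x address used in its comments are my own assumptions; the port list is the one quoted from the Microsoft document above, and only the TCP entries are probed because a plain connect cannot verify a UDP service.

```python
"""Checks for the two failure modes in the thread: a logon name Windows will
not accept, and logon ports blocked on the VPN path. Names here are my own."""
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Accepted logon name forms for a domain account: pre-Windows 2000 style
# DOMAIN\user, or the UPN user@dnsSuffix. A name containing both separators
# matches neither form.
_NETBIOS = re.compile(r"^([^\\@/]+)\\([^\\@/]+)$")
_UPN = re.compile(r"^([^\\@/]+)@([^\\@/]+)$")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def classify_logon_name(name: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (kind, account, scope): "netbios" (scope = name before the
    backslash), "upn" (scope = DNS suffix), "mixed" (both separators, as
    typed in the question) or "bare" (plain username)."""
    m = _NETBIOS.match(name)
    if m:
        return "netbios", m.group(2), m.group(1)
    m = _UPN.match(name)
    if m:
        return "upn", m.group(1), m.group(2)
    if "\\" in name and "@" in name:
        return "mixed", None, None
    return "bare", name, None


# Ports quoted from the Microsoft document in the comments. Only the TCP
# entries can be verified with a plain connect; the UDP ones need a
# protocol-aware probe and are listed here for the firewall rule.
LOGON_PORTS_TCP: List[Tuple[str, int]] = [
    ("Microsoft-DS (SMB)", 445),
    ("Kerberos", 88),
    ("DNS", 53),
]
LOGON_PORTS_UDP: List[Tuple[str, int]] = [
    ("Microsoft-DS (SMB)", 445),
    ("Kerberos", 88),
    ("LDAP ping", 389),
    ("DNS", 53),
]

# A probe takes (host, port, timeout) and reports whether the port answered;
# injected so the logic can be exercised without a live VPN.
ConnectFn = Callable[[str, int, float], bool]


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Real probe: a completed TCP handshake means the port is reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_logon_ports(host: str, connect: ConnectFn = tcp_connect,
                      timeout: float = 2.0) -> Dict[int, bool]:
    """Probe each TCP logon port on the server at the far end of the VPN."""
    return {port: connect(host, port, timeout) for _, port in LOGON_PORTS_TCP}


def blocked_ports(results: Dict[int, bool]) -> List[str]:
    """Services whose TCP port did not answer, in firewall-rule wording."""
    return [f"{name} {port}/tcp" for name, port in LOGON_PORTS_TCP
            if not results.get(port, False)]


def diagnose(logon_name: str, host: str, connect: ConnectFn = tcp_connect,
             timeout: float = 2.0) -> List[str]:
    """Collect findings for both failure modes; an empty list means none found."""
    findings: List[str] = []
    kind, _account, scope = classify_logon_name(logon_name)
    if kind == "mixed":
        findings.append(f"logon name {logon_name!r} mixes DOMAIN\\user and "
                        "user@suffix; use one form only")
    elif kind == "netbios" and scope and _IPV4.match(scope):
        # COMPUTER\user (or an IP in that position) selects that machine's
        # local account database, not the AD domain.
        findings.append(f"logon name {logon_name!r} puts a host address before "
                        "the backslash, which selects that machine's local "
                        "accounts rather than the domain")
    for item in blocked_ports(check_logon_ports(host, connect, timeout)):
        findings.append(f"{item} to {host} not reachable over the VPN path")
    return findings


if __name__ == "__main__":
    import sys
    # Constructed values from the thread: the logon name the poster typed and
    # the SBS server address; pass another host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.4"
    for line in diagnose("192.168.0.4\\username@smallbusiness.local", target):
        print(line)
```

Run it from a site 1 machine while the VPN is up: a clean result for the logon name plus a blocked 445/tcp or 88/tcp points at the firewall rule; a "mixes" finding with all ports open points back at the credential format.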