Active-Directory

VPN to another domain causes local domain authentication to stop working

  • March 20, 2022

I have a local domain (let's call it mycorp.local).

On one computer I set up a VPN connection to a remote domain (let's say its DNS suffix is remote.local).

As soon as I establish the remote connection, local domain authentication stops working. For example, when I try to connect to the SQL server with integrated authentication, it fails with the following error:

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. (Microsoft SQL Server, Error: 18452)

If I disconnect the VPN, I can log in to SQL again.

There is no trust relationship between the two domains.

My first guess was that the VPN connection takes precedence over local DNS. That's why I followed this answer: VPN connection causes DNS to use the wrong DNS server. Basically, that answer lets you change the order in which interfaces are tried for DNS resolution.

I assume the DNS settings are correct, because with the VPN established I can ping the sql and ad computers.

Is there any parameter/configuration that can be applied to make sure authentication is done against the correct domain?

If it helps, here are some details about my setup:

  • 2 network cards
    • 1 with access to the AD network
    • 1 with Internet access
  • Local subnet: 192.168.10.0/24. Metric set to 1
  • Second card's subnet: 192.168.66.0/24. Metric set to 100
  • VPN connection's subnet: 172.16.0.0/16. Metric set to 9999

In all cases, `ping sql`, `ping sql.mycorp.local`, `ping ad` and `ping ad.mycorp.local` resolve the correct IP address (with an `ipconfig /flushdns` in between to be sure, of course).

The full output of `ipconfig /all` is:

Windows IP Configuration

  Host Name . . . . . . . . . . . . : mycomputer
  Primary Dns Suffix  . . . . . . . : mycorp.local
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : mycorp.local
                                      remote.local

Ethernet adapter Local:

  Connection-specific DNS Suffix  . : mycorp.local
  Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #3
  Physical Address. . . . . . . . . : 00-15-5D-14-20-0D
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : fe80::d117:9048:ce1c:1422%16(Preferred) 
  IPv4 Address. . . . . . . . . . . : 192.168.10.30(Preferred) 
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 
  DHCPv6 IAID . . . . . . . . . . . : 385881437
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-8B-E5-3D-00-15-5D-14-20-0F
  DNS Servers . . . . . . . . . . . : fe80::80ce:dc9d:37c5:39f3%16
                                      192.168.10.10
  NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter RJ45:

  Connection-specific DNS Suffix  . : 
  Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2
  Physical Address. . . . . . . . . : 00-15-5D-14-20-0E
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  IPv6 Address. . . . . . . . . . . : 2a01:e35:8a84:7240:c0eb:c8d1:9c3f:8fc0(Preferred) 
  Link-local IPv6 Address . . . . . : fe80::c0eb:c8d1:9c3f:8fc0%13(Preferred) 
  IPv4 Address. . . . . . . . . . . : 192.168.66.11(Preferred) 
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : lundi 12 août 2013 13:06:28
  Lease Expires . . . . . . . . . . : jeudi 22 août 2013 13:06:28
  Default Gateway . . . . . . . . . : fe80::207:cbff:fe3c:5b7f%13
                                      192.168.66.254
  DHCP Server . . . . . . . . . . . : 192.168.66.254
  DNS Servers . . . . . . . . . . . : fe80::80ce:dc9d:37c5:39f3%13
                                      192.168.10.10
  NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Wifi:

  Connection-specific DNS Suffix  . : 
  Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
  Physical Address. . . . . . . . . : 00-15-5D-14-20-0F
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : fe80::c551:f03f:7557:9b17%11(Preferred) 
  Autoconfiguration IPv4 Address. . : 169.254.155.23(Preferred) 
  Subnet Mask . . . . . . . . . . . : 255.255.0.0
  Default Gateway . . . . . . . . . : 
  DHCPv6 IAID . . . . . . . . . . . : 234886493
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-8B-E5-3D-00-15-5D-14-20-0F
  DNS Servers . . . . . . . . . . . : fe80::80ce:dc9d:37c5:39f3%11
                                      192.168.10.10
  NetBIOS over Tcpip. . . . . . . . : Enabled

PPP adapter VPN remote:

  Connection-specific DNS Suffix  . : remote.local
  Description . . . . . . . . . . . : VPN remote
  Physical Address. . . . . . . . . : 
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  IPv4 Address. . . . . . . . . . . : 172.16.110.243(Preferred) 
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . : 
  DNS Servers . . . . . . . . . . . : 172.16.100.47
                                      172.16.100.43
  Primary WINS Server . . . . . . . : 172.16.100.47
  Secondary WINS Server . . . . . . : 172.16.122.100
  NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{DEFE2CAC-D001-4E79-A33F-AD95A8106CA8}:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . : 
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . : 
  Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{2AE1C64F-102F-48B4-A60A-AA28461A96EF}:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . : 
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.remote.local:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . : remote.local
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.mycorp.local:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . : mycorp.local
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

The full output of the `route print` command is:

===========================================================================
Interface List
16...00 15 5d 14 20 0d ......Microsoft Hyper-V Network Adapter #3
13...00 15 5d 14 20 0e ......Microsoft Hyper-V Network Adapter #2
11...00 15 5d 14 20 0f ......Microsoft Hyper-V Network Adapter
28...........................VPN Remote
 1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         0.0.0.0          0.0.0.0   192.168.66.254    192.168.66.11    100
   77.245.100.10  255.255.255.255   192.168.66.254    192.168.66.11    101
       127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
       127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
 127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     169.254.0.0      255.255.0.0         On-link    169.254.155.23    261
  169.254.155.23  255.255.255.255         On-link    169.254.155.23    261
 169.254.255.255  255.255.255.255         On-link    169.254.155.23    261
      172.16.0.0      255.255.0.0   172.16.110.240   172.16.110.243  10000
  172.16.110.243  255.255.255.255         On-link    172.16.110.243  10255
    192.168.10.0    255.255.255.0         On-link     192.168.10.30    257
   192.168.10.30  255.255.255.255         On-link     192.168.10.30    257
  192.168.10.255  255.255.255.255         On-link     192.168.10.30    257
    192.168.66.0    255.255.255.0         On-link     192.168.66.11    356
   192.168.66.11  255.255.255.255         On-link     192.168.66.11    356
  192.168.66.255  255.255.255.255         On-link     192.168.66.11    356
       224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
       224.0.0.0        240.0.0.0         On-link     192.168.10.30    257
       224.0.0.0        240.0.0.0         On-link     192.168.66.11    356
       224.0.0.0        240.0.0.0         On-link    169.254.155.23    261
       224.0.0.0        240.0.0.0         On-link    172.16.110.243  10255
 255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
 255.255.255.255  255.255.255.255         On-link     192.168.10.30    257
 255.255.255.255  255.255.255.255         On-link     192.168.66.11    356
 255.255.255.255  255.255.255.255         On-link    169.254.155.23    261
 255.255.255.255  255.255.255.255         On-link    172.16.110.243  10255
===========================================================================
Persistent Routes:
 None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
13    356 ::/0                     fe80::207:cbff:fe3c:5b7f
 1    306 ::1/128                  On-link
13    108 2a01:e35:8a84:7240::/64  On-link
13    356 2a01:e35:8a84:7240:c0eb:c8d1:9c3f:8fc0/128
                                   On-link
16    257 fe80::/64                On-link
13    356 fe80::/64                On-link
11    261 fe80::/64                On-link
13    356 fe80::c0eb:c8d1:9c3f:8fc0/128
                                   On-link
11    261 fe80::c551:f03f:7557:9b17/128
                                   On-link
16    257 fe80::d117:9048:ce1c:1422/128
                                   On-link
 1    306 ff00::/8                 On-link
16    257 ff00::/8                 On-link
13    356 ff00::/8                 On-link
11    261 ff00::/8                 On-link
===========================================================================
Persistent Routes:
 None

**Edit:** following up on TheCleaner's comment.

klist purge
klist

Output:

Current LogonId is 0:0x6a9a3
   Deleting all tickets:
   Ticket(s) purged!
Current LogonId is 0:0x6a9a3
Cached Tickets: (0)

Start a program and try to connect (SQL Management Studio). Success, then:

sqlcmd -S sql -E -Q "select getdate()"    
klist

Output:

Current LogonId is 0:0x6a9a3
Cached Tickets: (0)

Establish the VPN connection, then:

sqlcmd -S sql -E -Q "select getdate()"    
klist

Output:

Sqlcmd: Error: Microsoft SQL Server Native Client 11.0 : Login failed. The login is from an untrusted domain and cannot be used with Windows authentication..

Current LogonId is 0:0x6a9a3
Cached Tickets: (1)

#0>     Client: steve @ mycorp.LOCAL
   Server: krbtgt/mycorp.LOCAL @ mycorp.LOCAL
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
   Start Time: 8/12/2013 15:14:22 (local)
   End Time:   8/13/2013 1:14:22 (local)
   Renew Time: 8/19/2013 15:14:22 (local)
   Session Key Type: RSADSI RC4-HMAC(NT)

**Edit 2:** after enabling Kerberos event logging, I get a specific event log entry:

A Kerberos Error Message was received:
on logon session 
Client Time: 
Server Time: 19:18:33.0000 8/12/2013 Z
Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error: 
Client Realm: 
Client Name: 
Server Realm: remote.LOCAL
Server Name: MSSQLSvc/sql:1433
Target Name: MSSQLSvc/sql:1433@remote.LOCAL
Error Text: 
File: 9
Line: f09
Error Data is in record data.

If you look at the realm, you will see that it is remote.local instead of mycorp.local.
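The check the asker performed by eye on that event (is the SPN being looked up in the realm the target host actually belongs to?) can be scripted. The following PowerShell is an added example, not code from the original question or its answers: it parses the text of Kerberos error events of the shape shown above, as copied from the System log once Kerberos event logging is enabled, and flags service-ticket requests that went to a foreign realm. The function names, and the sample event text, are constructed for this demonstration and mirror the event in the post.

```powershell
# Added example (not from the original post). Parses "Key: value" lines of a
# Kerberos error event and reports whether the Server Realm differs from the
# realm the target host is expected to live in.

function ConvertFrom-KerberosErrorEvent {
    param([Parameter(Mandatory)][string]$EventText)
    $fields = @{}
    foreach ($line in ($EventText -split "`r?`n")) {
        # "Key: value" lines; the key is words separated by spaces, the value may be empty
        if ($line -match '^\s*(?<key>[A-Za-z ]+?):\s*(?<value>.*)$') {
            $fields[$Matches.key.Trim()] = $Matches.value.Trim()
        }
    }
    # "Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN" -> numeric code and symbolic name
    $code, $name = ($fields['Error Code'] -split '\s+', 2)
    [pscustomobject]@{
        ErrorCode   = $code
        ErrorName   = $name
        ServerRealm = $fields['Server Realm']
        ServerName  = $fields['Server Name']
        TargetName  = $fields['Target Name']
    }
}

function Test-KerberosRealmMismatch {
    param(
        [Parameter(Mandatory)][string[]]$EventText,
        [Parameter(Mandatory)][string]$ExpectedRealm   # realm the target host really belongs to
    )
    foreach ($text in $EventText) {
        $ev = ConvertFrom-KerberosErrorEvent -EventText $text
        # -ne on strings is case-insensitive, so remote.LOCAL vs remote.local is not a mismatch
        $wrongRealm = (-not [string]::IsNullOrEmpty($ev.ServerRealm)) -and ($ev.ServerRealm -ne $ExpectedRealm)
        if ($wrongRealm -and $ev.ErrorName -eq 'KDC_ERR_S_PRINCIPAL_UNKNOWN') {
            $verdict = 'SPN looked up in a foreign realm: check which credentials the client is using (e.g. VPN/RAS credentials)'
        } elseif ($wrongRealm) {
            $verdict = 'Realm mismatch'
        } else {
            $verdict = 'Realm as expected'
        }
        [pscustomobject]@{
            TargetName    = $ev.TargetName
            ErrorName     = $ev.ErrorName
            ServerRealm   = $ev.ServerRealm
            ExpectedRealm = $ExpectedRealm
            WrongRealm    = $wrongRealm
            Verdict       = $verdict
        }
    }
}

# Constructed sample event, shaped like the one in the question (not a captured log).
$sampleEvent = @"
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 19:18:33.0000 8/12/2013 Z
Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: remote.LOCAL
Server Name: MSSQLSvc/sql:1433
Target Name: MSSQLSvc/sql:1433@remote.LOCAL
Error Text:
File: 9
Line: f09
Error Data is in record data.
"@

# The SQL host lives in mycorp.local, so a lookup answered by remote.LOCAL is the symptom to catch.
Test-KerberosRealmMismatch -EventText $sampleEvent -ExpectedRealm 'mycorp.local' | Format-List
```

The parser is deliberately loose (any "Key: value" line) so it also copes with events where fields such as Client Realm are empty, as they are here. Pasting several event bodies into the `-EventText` array lets you scan a whole session's worth of errors and see at a glance which realm each SPN was sent to.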

I finally found a simple way to solve this.

The solution is taken from this technet thread.

Setting the `UseRasCredentials` parameter to `0` in the VPN connection file (`.pbk`) solved the problem.

I deduce that this parameter tells Windows not to use the VPN connection's credentials. As a result, every time I connect to something on the remote network I have to enter my login/password, but I can live with that.

As the article says, note that editing the connection with the GUI resets this parameter to 1.
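Because the GUI silently flips the value back to 1, it is worth having a script that both applies the fix and audits the phonebook afterwards. The PowerShell below is an added example, not the answerer's code or anything from the technet thread: it treats the `.pbk` file as the INI-style text it is (a `[Entry name]` section followed by `Key=Value` lines), sets `UseRasCredentials` for one entry, and lists the value for every entry. The function names, the sample phonebook, the entry name "VPN remote" and the per-user `rasphone.pbk` path in the trailing comment are assumptions made for the demonstration; the demo itself runs against a constructed file in the temp directory, so it does not touch a real connection.

```powershell
# Added example (not from the original answer). Edits and audits UseRasCredentials
# in a RAS phonebook (.pbk). The phonebook is rewritten with the encoding it was
# found in, and a .bak copy is taken before writing.

function Get-FileTextEncoding {
    # Honour a UTF-16 LE or UTF-8 BOM; otherwise fall back to the platform default
    # (ANSI on Windows PowerShell 5.1, UTF-8 on PowerShell 7).
    param([Parameter(Mandatory)][string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xFE) { return [Text.Encoding]::Unicode }
    if ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF) {
        return New-Object -TypeName System.Text.UTF8Encoding -ArgumentList $true
    }
    return [Text.Encoding]::Default
}

function Get-PbkUseRasCredentials {
    # One object per [entry] with its UseRasCredentials value ($null if the entry has none).
    param([Parameter(Mandatory)][string]$Path)
    $entry = $null
    $seen  = [ordered]@{}
    foreach ($line in [IO.File]::ReadAllLines($Path, (Get-FileTextEncoding -Path $Path))) {
        if ($line -match '^\[(?<name>.+)\]\s*$') {
            $entry = $Matches.name
            if (-not $seen.Contains($entry)) { $seen[$entry] = $null }
        } elseif ($entry -and $line -match '^\s*UseRasCredentials\s*=\s*(?<v>\d+)\s*$') {
            $seen[$entry] = [int]$Matches.v
        }
    }
    foreach ($name in $seen.Keys) {
        [pscustomobject]@{ Entry = $name; UseRasCredentials = $seen[$name] }
    }
}

function Set-PbkUseRasCredentials {
    # Rewrite the phonebook so the named entry has UseRasCredentials=<Value>.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Entry,
        [ValidateSet(0, 1)][int]$Value = 0
    )
    $enc     = Get-FileTextEncoding -Path $Path
    $current = $null
    $changed = $false
    $out = foreach ($line in [IO.File]::ReadAllLines($Path, $enc)) {
        if ($line -match '^\[(?<name>.+)\]\s*$') { $current = $Matches.name }
        if ($current -eq $Entry -and $line -match '^\s*UseRasCredentials\s*=') {
            $changed = $true
            "UseRasCredentials=$Value"
        } else {
            $line
        }
    }
    if (-not $changed) { throw "Entry '$Entry' has no UseRasCredentials line in $Path" }
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    [IO.File]::WriteAllLines($Path, [string[]]$out, $enc)
}

# --- demonstration on a constructed phonebook written to a temp file ---
$pbk = Join-Path ([IO.Path]::GetTempPath()) 'demo-rasphone.pbk'
@'
[VPN remote]
Type=2
AutoLogon=0
UseRasCredentials=1

[Other VPN]
Type=2
UseRasCredentials=1
'@ | Set-Content -LiteralPath $pbk -Encoding Ascii

Set-PbkUseRasCredentials -Path $pbk -Entry 'VPN remote' -Value 0
Get-PbkUseRasCredentials -Path $pbk | Format-Table -AutoSize

# To audit a real phonebook (for instance after editing a connection in the GUI),
# point the functions at it instead. Assumed default per-user location:
#   Get-PbkUseRasCredentials -Path (Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
```

Only the named entry is changed, so other VPN entries in the same phonebook keep their setting; the audit function is the one to re-run whenever a connection has been edited through the GUI, since that is when the value drifts back to 1.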

Your hint led us to the solution: `CMDKEY /del /ras`

On the SQL SRV PC connected to the VPN via Clavister OneConnect, no other PC on the same domain could access the SQL Server (same authentication error as yours). Disconnect the VPN (on the SQL SRV PC) and access works again immediately. However, since Clavister OneConnect does not use rasdial/rasphone / *.rpb, we had to use the CMDKEY-based solution.

Source: https://serverfault.com/questions/530391