Always On VPN - Internal sites ask for username and password

Hi,

We are moving from DirectAccess to Always On VPN. Everything works fine, except that when we access internal sites we get a Windows authentication prompt.

For example, when we connect to the corporate network and access an internal website that requires Windows Integrated Authentication, it should be SSO, but we are prompted.

We have configured the site zone and added all the sites.

Devices are Hybrid Azure AD joined.
Domain controllers have certificates issued from the Kerberos Authentication (KDC) certificate template.

Does anyone know what the issue could be?

I'd start by forcing Kerberos to use TCP if you haven't already; there are so many problems with fragmented UDP Kerberos packets when working over a VPN.
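An added example (not from the thread) of the change this reply suggests, as you would type it on the client: the Kerberos client switches to TCP once MaxPacketSize is set to 1, so any request larger than one byte leaves over TCP. The registry key and value name are the documented Kerberos client parameters; recent Windows versions already default to TCP, so the function reads the current value first and a -WhatIf run shows whether anything would actually change. Run it elevated.

```powershell
# Added example (not from the thread): force the Kerberos client to use TCP by setting
# MaxPacketSize=1 under the Kerberos Parameters key. Run in an elevated PowerShell.

$KerbKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName = 'MaxPacketSize'

function Get-KerberosMaxPacketSize {
    # Returns the configured value, or $null when the value is absent (Windows default behaviour).
    $item = Get-ItemProperty -Path $KerbKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-KerberosPreferTcp {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $current = Get-KerberosMaxPacketSize
    if ($current -eq 1) {
        Write-Host "$ValueName is already 1; Kerberos already prefers TCP."
        return
    }
    $was = if ($null -eq $current) { 'not set' } else { "$current" }
    if ($PSCmdlet.ShouldProcess($KerbKey, "Set $ValueName = 1 (was: $was)")) {
        if (-not (Test-Path -Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
        New-ItemProperty -Path $KerbKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "Set $ValueName = 1. Run 'klist purge' (or sign out and in) so new ticket requests use TCP."
    }
}

# Usage:
#   Set-KerberosPreferTcp -WhatIf   # preview the change
#   Set-KerberosPreferTcp           # apply it
```

To confirm the effect, purge the ticket cache, browse to an intranet site over the tunnel and check a packet capture: the AS-REQ/TGS-REQ exchanges should now be on TCP port 88 rather than UDP.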

Is the VPN subnet defined in AD? If using ADFS, make sure you are hitting the internal interface and not the WAP server.

Can you try setting the value of 'UseRasCredentials' in your rasphone.pbk file to '0' and testing again? Curious to know if that helps.
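An added example (not from the thread, and not the original poster's setup) of how to make the change this reply suggests on a client. rasphone.pbk is an INI-style file where each connection is a [Name] section, so the function walks the file, finds the named section and rewrites only its UseRasCredentials line. The three paths are the usual per-user, all-users and device-tunnel (SYSTEM profile) phonebook locations; the connection name is an assumption, substitute your own. Run elevated for the last two paths.

```powershell
# Added example (not from the thread): set UseRasCredentials in rasphone.pbk for one named
# AOVPN connection. The connection name below is an assumption; replace it with yours.

$PbkPaths = @(
    "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk"
    "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"
    "$env:SystemRoot\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk"
)

function Set-PbkUseRasCredentials {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ConnectionName,
        [ValidateSet(0, 1)][int]$Value = 0
    )
    if (-not (Test-Path -Path $Path)) { return $false }

    # ReadAllLines/WriteAllLines keep ASCII content byte-identical; WriteAllLines emits UTF-8
    # without BOM, which only matters if a connection name contains non-ASCII characters.
    $lines    = [System.IO.File]::ReadAllLines($Path)
    $inTarget = $false
    $changed  = $false

    for ($i = 0; $i -lt $lines.Length; $i++) {
        # A [Section] header starts a new connection; track whether it is the one we want.
        if ($lines[$i] -match '^\[(.+)\]\s*$') {
            $inTarget = ($Matches[1] -eq $ConnectionName)
            continue
        }
        if ($inTarget -and $lines[$i] -match '^UseRasCredentials=(\d)\s*$' -and [int]$Matches[1] -ne $Value) {
            $lines[$i] = "UseRasCredentials=$Value"
            $changed   = $true
        }
    }

    if ($changed) {
        Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a rollback copy
        [System.IO.File]::WriteAllLines($Path, $lines)
    }
    return $changed
}

# Usage: disconnect the tunnel first, then apply to every phonebook that contains the connection.
$ConnectionName = 'Corp AOVPN User Tunnel'   # assumption: your profile's connection name
foreach ($pbk in $PbkPaths) {
    $result = Set-PbkUseRasCredentials -Path $pbk -ConnectionName $ConnectionName
    Write-Host ("{0,-8} {1}" -f $(if ($result) { 'updated' } else { 'skipped' }), $pbk)
}
```

Caveat: when Intune (or any MDM) re-applies the VPN profile it regenerates rasphone.pbk and the value reverts to the default, so in practice this is run from a scheduled task rather than once by hand; Richard Hicks' aovpn repository, linked later in this thread, maintains a script for exactly that.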

Yes. I suspect that we need to have a device tunnel. Since we are using only Hybrid AADJ with a user tunnel, it logs in with cached credentials, and that might cause the problem.

It did not.
We had to implement a device tunnel. The account used a cached login when we only had a user tunnel.

Once we implemented the device tunnel, it worked!

I prefer the device tunnel and fall back to the user tunnel, as IKEv2 is much faster than SSTP. I do this by setting the route metric lower on the device tunnel so that if it's up, it gets used. In cases where IKEv2 is blocked, the device can fall back to the SSTP user tunnel.

How do you control that? We are using Intune.
It seems like the device tunnel is still up and running when we sign in with the user tunnel, which means we cannot reach any routes, because we only allow DC access from the device tunnel.

Co-existence is not running well :confused:

Add the metric tag to your route in the XML. In Intune you will have to edit the XML directly; there is no GUI option for that. All my routes are at the end of the XML but inside the tag. I allow the same access on both profiles; I don't see a benefit to limiting the device tunnel to DCs only. These are relative metrics, not absolute, meaning whatever number you put in the tag gets added to the route metric assigned by Windows; this does not end up with a metric of 2 or 3.

Device:

 <Route>
   <Address>10.0.0.0</Address>
   <PrefixSize>8</PrefixSize>
   <Metric>2</Metric>
 </Route>

User:

 <Route>
   <Address>10.0.0.0</Address>
   <PrefixSize>8</PrefixSize>
   <Metric>3</Metric>
 </Route>

Edit: Fixed code block
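An added example (not from the thread) that turns the advice in the last two replies, prefer the device tunnel by metric and give both tunnels the same routes, into a check you can run before pushing the XML. It parses a device and a user ProfileXML, confirms every route appears in both, flags any route without a <Metric> (the case where tunnel selection becomes arbitrary), and checks that the device tunnel's metric is lower. The two XML fragments are constructed samples; in practice read the files you upload to Intune. The final Get-NetRoute call shows, on a connected client, the effective metric Windows actually compares, which is RouteMetric plus the interface metric.

```powershell
# Added example (not from the thread): validate route metrics across device and user tunnel
# ProfileXML, then inspect the effective metric on a live client. Sample XML is constructed.

$DeviceXml = @'
<VPNProfile>
  <Route><Address>10.0.0.0</Address><PrefixSize>8</PrefixSize><Metric>2</Metric></Route>
  <Route><Address>192.168.10.0</Address><PrefixSize>24</PrefixSize><Metric>2</Metric></Route>
</VPNProfile>
'@
$UserXml = @'
<VPNProfile>
  <Route><Address>10.0.0.0</Address><PrefixSize>8</PrefixSize><Metric>3</Metric></Route>
  <Route><Address>192.168.10.0</Address><PrefixSize>24</PrefixSize></Route>  <!-- constructed: Metric omitted -->
</VPNProfile>
'@

function Get-ProfileRoutes {
    # Returns one object per <Route>: Prefix as CIDR text, Metric as int or $null when absent.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    foreach ($r in $doc.VPNProfile.Route) {
        [pscustomobject]@{
            Prefix = "$($r.Address)/$($r.PrefixSize)"
            Metric = $(if ($r.Metric) { [int]$r.Metric } else { $null })
        }
    }
}

function Test-TunnelRouteMetrics {
    # Returns a list of findings; an empty result means the two profiles are consistent.
    param([Parameter(Mandatory)][string]$DeviceProfile, [Parameter(Mandatory)][string]$UserProfile)
    $dev      = Get-ProfileRoutes -Xml $DeviceProfile
    $user     = Get-ProfileRoutes -Xml $UserProfile
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($d in $dev) {
        $u = $user | Where-Object Prefix -eq $d.Prefix
        if (-not $u) { $findings.Add("$($d.Prefix): only in device tunnel"); continue }
        if ($null -eq $d.Metric -or $null -eq $u.Metric) {
            $findings.Add("$($d.Prefix): missing <Metric> in one profile (tunnel selection will be arbitrary)")
            continue
        }
        if ($d.Metric -ge $u.Metric) {
            $findings.Add("$($d.Prefix): device metric $($d.Metric) is not lower than user metric $($u.Metric)")
        }
    }
    foreach ($u in $user) {
        if (-not ($dev | Where-Object Prefix -eq $u.Prefix)) { $findings.Add("$($u.Prefix): only in user tunnel") }
    }
    return $findings
}

Test-TunnelRouteMetrics -DeviceProfile $DeviceXml -UserProfile $UserXml
# -> 192.168.10.0/24: missing <Metric> in one profile (tunnel selection will be arbitrary)

# On a connected client: Windows picks between two identical prefixes by RouteMetric + InterfaceMetric,
# so compare the Effective column for the device and user tunnel adapters.
Get-NetRoute -DestinationPrefix '10.0.0.0/8' -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, RouteMetric, InterfaceMetric,
        @{ Name = 'Effective'; Expression = { $_.RouteMetric + $_.InterfaceMetric } }
```

The interface metric is assigned automatically per adapter and can differ between the two tunnel adapters, so a lower <Metric> alone does not guarantee the device tunnel wins; the Effective column is the number to compare, and if it is not ordered the way you expect, widen the gap between the two <Metric> values rather than relying on a difference of one.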

Are you saying that we can have the same routes for the user and device tunnel?

Yes, I have the same routes listed in both the device and user tunnel. If you don't set a metric, it will be random which tunnel gets used.

We are pushing out the profile using the GUI and, as you say, there is no option for metric. I guess I will use both tunnels without a metric change and see how it goes.

Here's a link to Richard Hicks' GitHub repository with a ton of AOVPN resources, including almost ready-to-go XMLs.

https://github.com/richardhicks/aovpn

His website offers some nice walkthroughs and resources as well.