Re: [Openvpn-users] OpenVPN and windows domain authentication

  • Subject: Re: [Openvpn-users] OpenVPN and windows domain authentication
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Mon, 28 May 2007 17:37:44 -0500

For access to domain resources to be transparent the OpenVPN process
will need to be started as a service when the system boots.  In this
mode, OpenVPN automatically connects to the office network before the
login prompt is shown to the laptop client, which allows domain
authentication to proceed and any network actions to take effect
during login (such as group policy, startup scripts, network drives,
etc.).  When running as a service with OpenVPN's public-key TLS
authentication, the private RSA key must either be unencrypted or the
password provided through the configuration since there will be no
option for user input of a passphrase.

The alternative is to keep the VPN disconnected until a user logs into
the computer and initiate the connection once logged in.  Although
this will provide office network access once the VPN is connected,
domain logins and any network-based login procedures will not work
because the VPN won't be started at that point.  Windows does cache
domain logins on the local computer, so you may still be able to log
into the PC using domain credentials of a user who previously logged in,
but the access is not as seamless as it is when OpenVPN is run as a
system service.

Alastair Martin wrote:
> I'm using OpenVPN to provide TCP/IP access to a Windows network (server
> 2003).   The OpenVPN server sits on an intermediary Linux box.   I'd
> like to run a Windows application on my laptop that requires
> authentication from within the domain authenticated by the server that
> sits behind the VPN.   Everything else, including windows logon,
> startup, etc, should run within my normal, boring office domain.
> Is this possible

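The service-mode constraint described in the reply above (no passphrase prompt is possible, so the key is either unencrypted or its passphrase is read from a file) can be checked before deployment. The following is an added example, not part of the original post or of OpenVPN itself; the file names `laptop.key` and `key.pass`, the host name, and the sample config and key text are constructed for illustration.

```python
import shlex

# Constructed sample inputs; laptop.key and key.pass are hypothetical file names.
BASE_CONFIG = ("client\ndev tun\nremote vpn.example.com 1194\n"
               "ca ca.crt\ncert laptop.crt\nkey laptop.key\n")
PLAIN_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n(constructed body)\n"
             "-----END RSA PRIVATE KEY-----\n")
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0000000000000000\n\n(constructed body)\n"
                 "-----END RSA PRIVATE KEY-----\n")


def parse_directives(config_text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    directives = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            directives[tokens[0].lstrip("-")] = tokens[1:]
    return directives


def key_is_encrypted(pem_text):
    """Detect a passphrase-protected key in traditional PEM or PKCS#8 form."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text)


def check_service_config(config_text, key_pem):
    """Report whether the client can start with no user present, and which
    files on disk are enough, by read access alone, to use the key."""
    d = parse_directives(config_text)
    key_file = (d.get("key") or ["<no key directive>"])[0]
    askpass = d.get("askpass")  # None: absent, []: console prompt, [file]: read file
    encrypted = key_is_encrypted(key_pem)
    # A bare "askpass" prompts at startup; so does an encrypted key without askpass.
    prompts = askpass == [] or (encrypted and askpass is None)
    if not encrypted:
        secrets = [key_file]              # plaintext key: the file is the credential
    elif askpass:
        secrets = [key_file, askpass[0]]  # key plus stored passphrase unlock it together
    else:
        secrets = []
    return {"unattended": not prompts, "secrets_on_disk": secrets}


if __name__ == "__main__":
    print(check_service_config(BASE_CONFIG, PLAIN_KEY))
    print(check_service_config(BASE_CONFIG + "askpass key.pass\n", ENCRYPTED_KEY))
```

Every file listed under `secrets_on_disk` should be readable only by the account the service runs as and by administrators, since either option in the reply leaves a usable credential on the laptop's disk.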