How to Prevent Windows from Using VPN Credentials for Network Resource Authentication in L2TP/IPSec Environments



We recently implemented a secure remote access solution using Cisco ASA 5510 as the VPN concentrator with L2TP-over-IPsec and RSA SecurID authentication. While the setup works perfectly in most cases, we encountered a specific issue when:

  1. The client machine is domain-joined
  2. The user logs in with domain credentials
  3. The same username is used for VPN connection
  4. The user attempts to access network resources (file shares, Exchange, etc.)

In these cases, Windows automatically attempts to use the VPN credentials (username + OTP) for network resource authentication, causing rapid account lockouts in Active Directory due to repeated failed attempts.

Windows has a credential caching mechanism that tries to reuse credentials across network connections. When it sees the same username being used for multiple purposes (local login, VPN, network resources), it attempts to streamline authentication by reusing cached credentials.

Here's what happens technically:

1. User establishes VPN connection with username + SecurID OTP
2. Windows caches these credentials
3. When accessing \\fileserver\share, Windows sends:
   - Username: domain\user
   - Password: [cached SecurID OTP] instead of actual domain password
4. DC rejects authentication
5. Process repeats rapidly → account lockout
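The pattern in step 5 is visible in the Security log before anyone notices the lockout: a burst of logon failures (event ID 4625) for one account, followed by an account-locked-out event (4740). The following is an added example, not code from the original post, that flags such bursts. It assumes a domain controller's Security log, uses the documented event IDs 4625 and 4740, and is exercised here on a constructed sample so it runs offline; the threshold and window values are illustrative and should be aligned with the domain's lockout policy.

```powershell
# Added example: detect bursts of failed logons that precede an account lockout.
# Event IDs: 4625 = logon failure, 4740 = account locked out (both standard Windows Security events).

function Find-LockoutBursts {
    param(
        # Objects exposing TimeCreated, Id, TargetUserName and IpAddress
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 5,        # illustrative: align with the domain lockout threshold
        [int] $WindowSeconds = 60    # illustrative: align with the lockout observation window
    )
    $results = @()
    foreach ($group in ($Events | Where-Object Id -eq 4625 | Group-Object TargetUserName)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
            $first = $sorted[$i].TimeCreated
            $last  = $sorted[$i + $Threshold - 1].TimeCreated
            if (($last - $first).TotalSeconds -le $WindowSeconds) {
                # Look for the lockout that followed this burst, if any
                $lockout = $Events |
                    Where-Object { $_.Id -eq 4740 -and $_.TargetUserName -eq $group.Name -and $_.TimeCreated -ge $first } |
                    Select-Object -First 1
                $results += [pscustomobject]@{
                    User         = $group.Name
                    Sources      = ($sorted | Select-Object -ExpandProperty IpAddress -Unique) -join ','
                    FirstFailure = $first
                    Failures     = $sorted.Count
                    LockedOutAt  = if ($lockout) { $lockout.TimeCreated } else { $null }
                }
                break   # one finding per account is enough for triage
            }
        }
    }
    return $results
}

# Pull live events from the local Security log and normalise them to the shape above
function Get-LogonFailureEvents {
    param([int] $Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                Id             = $_.Id
                TargetUserName = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                IpAddress      = ($data | Where-Object Name -eq 'IpAddress').'#text'   # absent on 4740, stays $null
            }
        }
}

# Constructed sample: six failures in 20 seconds from one VPN client address, then the lockout
$t = Get-Date '2024-01-15T09:00:00'
$sample = @(
    0, 3, 6, 10, 14, 19 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t.AddSeconds($_); Id = 4625; TargetUserName = 'jdoe'; IpAddress = '10.20.30.40' }
    }
) + [pscustomobject]@{ TimeCreated = $t.AddSeconds(20); Id = 4740; TargetUserName = 'jdoe'; IpAddress = $null }

Find-LockoutBursts -Events $sample | Format-Table -AutoSize
# On a domain controller, against the last two hours of the live log:
# Find-LockoutBursts -Events (Get-LogonFailureEvents -Hours 2)
```

A burst whose source address is the VPN client pool, with failures starting within seconds of a tunnel coming up, is the signature of the credential reuse described above; a burst from many addresses for one account looks like something else and should be triaged as such.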

Option 1: Modify Registry to Prevent Credential Forwarding

Add this registry entry to disable credential forwarding:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableDomainCreds"=dword:00000001

This tells Windows not to automatically forward credentials to network resources.
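Because DisableDomainCreds is a machine-wide LSA setting, it is worth recording the value that was there before changing it. The following is an added example, not code from the original post, that applies the Option 1 setting idempotently, keeps a one-time backup of the previous value for rollback, supports -WhatIf, and reads the value back to confirm the change. The backup path is an assumption chosen for this example.

```powershell
# Added example: apply HKLM\...\Lsa\DisableDomainCreds with backup, WhatIf support and read-back verification.
function Set-DisableDomainCreds {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int] $Value = 1,
        # Assumed location for the rollback record; adjust to site conventions
        [string] $BackupPath = "$env:ProgramData\vpn-hardening\lsa-backup.json"
    )
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $current = (Get-ItemProperty -Path $lsaKey -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds

    # Record the pre-change state once so the change can be reverted later
    if (-not (Test-Path $BackupPath)) {
        New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
        [pscustomobject]@{ Key = $lsaKey; Name = 'DisableDomainCreds'; Previous = $current; When = Get-Date } |
            ConvertTo-Json | Set-Content -Path $BackupPath
    }

    if ($current -eq $Value) {
        return [pscustomobject]@{ Changed = $false; Value = $current }
    }
    if ($PSCmdlet.ShouldProcess($lsaKey, "Set DisableDomainCreds=$Value")) {
        # Set-ItemProperty creates the value if it is missing
        Set-ItemProperty -Path $lsaKey -Name DisableDomainCreds -Value $Value -Type DWord
    }
    $after = (Get-ItemProperty -Path $lsaKey -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
    [pscustomobject]@{ Changed = ($after -ne $current); Value = $after }
}

# Dry run first, then apply (both require an elevated session)
Set-DisableDomainCreds -WhatIf
Set-DisableDomainCreds
```

One caveat for the rollout: this value is the registry form of the security policy "Network access: Do not allow storage of passwords and credentials for network authentication", so with it set to 1 Windows also refuses to save credentials in Credential Manager for network logons in general, which affects saved credentials for mapped drives, RDP and similar, not only the VPN case. Pilot it on a small group before pushing it fleet-wide.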

Option 2: Use PowerShell to Adjust Network Provider Order

Run this script to reorder network providers:

# Requires an elevated session. ProviderOrder is a single comma-separated string,
# so split it before filtering and join it again before writing it back.
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"
$providers = (Get-ItemProperty -Path $path -Name "ProviderOrder").ProviderOrder -split ","
$newOrder = ($providers | Where-Object { $_ -ne "MSClient" -and $_ -ne "" }) -join ","
Set-ItemProperty -Path $path -Name "ProviderOrder" -Value $newOrder

Option 3: Group Policy Configuration

For enterprise deployments, configure these GPO settings:

  1. Computer Configuration → Administrative Templates → System → Credentials Delegation
  2. Enable "Allow Default Credentials with NTLM-only Server Authentication"
  3. Set "Allow Default Credentials" to Disabled

Modify the VPN connection properties:

1. Open Network Connections
2. Right-click VPN connection → Properties
3. Networking tab → Uncheck "Client for Microsoft Networks"
4. Security tab → Advanced settings:
   - Enable "Use Extensible Authentication Protocol (EAP)"
   - Select "Secured password (EAP-MSCHAP v2)"

After implementing any of these solutions, you can verify proper behavior by:

nltest /sc_verify:yourdomain.com

Check Event Viewer for Security logs showing successful network resource authentication without account lockout events.

For more robust solutions consider:

  • Implementing Always On VPN with device tunnel configuration
  • Using certificate-based authentication instead of username/password
  • Deploying DirectAccess for domain-joined machines
  • Configuring conditional access policies in Azure AD

After implementing an L2TP-over-IPsec VPN solution with Cisco ASA 5510 and RSA SecurID authentication, we encountered a specific authentication conflict:

// Pseudo-code representing the authentication flow
if (user.loggedInDomainAccount == user.vpnCredentials.username) {
    attemptAuthentication(user.vpnCredentials); // Fails because OTP != domain password
    accountLockoutCounter++;
}

Windows automatically attempts to use VPN credentials for network resource access when:

  • The workstation is domain-joined
  • The VPN username matches the logged-in domain account
  • Network resources are accessed immediately after VPN connection

Add this registry key to prevent credential pass-through:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13]
"CredentialsDialogueDisabled"=dword:00000001

For enterprise environments, implement these Group Policy settings:

<GroupPolicy>
    <ComputerConfiguration>
        <AdministrativeTemplates>
            <Network>
                <WindowsConnectionManager>
                    <ProhibitUseOfInternetConnectionSharing>Enabled</ProhibitUseOfInternetConnectionSharing>
                    <ProhibitConnectionToNonDomainNetworks>Enabled</ProhibitConnectionToNonDomainNetworks>
                </WindowsConnectionManager>
            </Network>
        </AdministrativeTemplates>
    </ComputerConfiguration>
</GroupPolicy>

For large-scale deployment, use this PowerShell script:

# Disable credential pass-through for all VPN connections (run in an elevated session)
$vpnConnections = Get-VpnConnection
foreach ($connection in $vpnConnections) {
    Set-VpnConnection -Name $connection.Name -RememberCredential $false
    Set-VpnConnection -Name $connection.Name -SplitTunneling $true
}

# Apply registry setting. New-ItemProperty does not create a missing key, so create it first.
$eapKey = "HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13"
if (-not (Test-Path $eapKey)) { New-Item -Path $eapKey -Force | Out-Null }
New-ItemProperty -Path $eapKey -Name "CredentialsDialogueDisabled" -Value 1 -PropertyType DWORD -Force

After implementation, verify with these commands:

# Check VPN connection properties
Get-VpnConnection | Select-Object Name, RememberCredential, SplitTunneling

# Verify registry setting
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13" -Name "CredentialsDialogueDisabled"
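For a large-scale deployment the verification above is more useful as a compliance check that returns structured findings and a non-zero exit code, so a management tool can run it as a detection script. The following is an added example, not code from the original post. It checks the same three things the deployment script sets, and it also covers machine-wide (all-user) VPN connections, which Get-VpnConnection and Set-VpnConnection only touch when called with -AllUserConnection, so the per-user loop above leaves them unchanged. The registry key and value name are taken from the text above; the expected values are the ones the deployment script writes.

```powershell
# Added example: compliance check for the settings the deployment script applies.
function Test-VpnCredentialHardening {
    param(
        [string] $EapKey    = 'HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13',
        [string] $ValueName = 'CredentialsDialogueDisabled'
    )
    $findings = @()

    # Per-user and all-user phonebook entries are stored separately; check both
    $connections = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                   @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    foreach ($c in $connections) {
        $findings += [pscustomobject]@{
            Check     = "VPN '$($c.Name)' RememberCredential"
            Expected  = $false
            Actual    = $c.RememberCredential
            Compliant = ($c.RememberCredential -eq $false)
        }
        $findings += [pscustomobject]@{
            Check     = "VPN '$($c.Name)' SplitTunneling"
            Expected  = $true
            Actual    = $c.SplitTunneling
            Compliant = ($c.SplitTunneling -eq $true)
        }
    }

    # Registry value: missing key or value reports as $null and is non-compliant
    $reg = (Get-ItemProperty -Path $EapKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $findings += [pscustomobject]@{
        Check     = "$EapKey\$ValueName"
        Expected  = 1
        Actual    = $reg
        Compliant = ($reg -eq 1)
    }
    return $findings
}

$result = Test-VpnCredentialHardening
$result | Format-Table -AutoSize

# When run as a script by a management agent, signal drift through the exit code
if ($result | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

A machine with no VPN connections at all still yields one finding (the registry value), so an empty result always means the check itself failed to run rather than that there was nothing to check.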