Cannot Access DFS Share Over VPN
Hello,

One of my clients has Windows 7 Pro based laptops that they use to access the company network via PPTP VPN connections. The VPN connections are provided by a Draytek 2820 router. The laptops are a mix of x86 and x64 architectures.

The issue is that when connected to the VPN the users cannot access drives mapped to DFS shares. When attempting to access a DFS share the users receive a "The user name could not be found" message. The users can connect to shared folders on the servers by using \\server\share.

The issue is caused by the Credential Manager that shows "*Session" when the VPN connection is active. If these credentials are manually removed from the Credential Manager then the user can access DFS shares no problem. However, the credentials re-appear on the next connection.

I know that some people have worked around this issue by editing the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds registry key, however, this client uses the BPOS suite and it seems that the Sign In Tool depends heavily on the credential manager. Setting this registry key stops the sign in tool working.

It seems that this is a fairly common problem that was introduced in Vista and still exists in Win 7. Can anyone suggest a fix/workaround that won't have a negative impact on the BPOS sign in tool?

Thanks, David
May 19th, 2011 10:34pm

Hi David,

This is expected behavior if you use the same user name for the VPN connection as you use to log on to the local domain, but have different passwords for the VPN. When a VPN connection is established, Windows 7 will cache those credentials. When this is done, it will then use the cached credentials for accessing local resources as well if the username is the same. Since the cached password is not correct for the domain, it results in access denied for the local resources.

This is expected behavior in such a situation, and the recommended way of addressing this is to not use the same user ID on multiple, untrusted (i.e. domains that do not trust each other) resources.

There are some workarounds for this:

1. Take the steps in KB 822707 to resolve it:
   1). Locate the .pbk file that contains the entry that you dial. To do so, click Start, click Search, type *.pbk in the All or part of the file name box, and then click Search.
   2). Open the file in Notepad.
   3). Locate the following entry: UseRasCredentials=1
   4). Modify the entry to the following: UseRasCredentials=0
   5). On the File menu, click Save, and then click Exit.
2. Use a different user name for the remote VPN connection than is used for the local domain. This is recommended as most secure.
3. Use the same user name and password for the VPN and the local domain (NOT RECOMMENDED and definitely a security risk to do so.)

Regards, Sabrina

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 20th, 2011 6:20am
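
The KB 822707 edit from the steps above, written as a PowerShell script that can be run on a laptop instead of editing the file in Notepad. This is an added example, not part of the original thread or the KB article; the two phonebook paths and the function name Set-UseRasCredentialsOff are assumptions, so adjust the paths if a search for *.pbk finds the file elsewhere.

```powershell
# Added example (not from the thread): set UseRasCredentials=0 for every
# entry in the RAS phonebook files so VPN logon credentials are not cached
# and reused for domain resources. Written to run on PowerShell 2.0.

function Set-UseRasCredentialsOff {
    param([string[]]$Lines)
    # A phonebook is INI-style: each "[Entry name]" line starts one VPN entry.
    $entry   = $null
    $changed = @()
    $out = foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $entry = $Matches[1] }
        if ($line -match '^\s*UseRasCredentials\s*=\s*1\s*$') {
            $changed += $entry          # remember which entry was modified
            'UseRasCredentials=0'
        } else {
            $line                       # every other line is kept untouched
        }
    }
    New-Object PSObject -Property @{ Lines = @($out); Changed = $changed }
}

# Assumed locations: per-user and all-users phonebooks.
# The all-users file normally needs an elevated prompt to modify.
$phonebooks = @(
    (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
    (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
)
$enc = [System.Text.Encoding]::Default   # read and write with the same encoding

foreach ($pbk in $phonebooks) {
    if (-not (Test-Path -LiteralPath $pbk)) { continue }
    $lines  = [System.IO.File]::ReadAllLines($pbk, $enc)
    $result = Set-UseRasCredentialsOff -Lines $lines
    if ($result.Changed.Count -eq 0) {
        Write-Output "${pbk}: no entry has UseRasCredentials=1"
        continue
    }
    # Keep a copy of the original so the change can be rolled back.
    Copy-Item -LiteralPath $pbk -Destination "$pbk.bak" -Force
    [System.IO.File]::WriteAllLines($pbk, [string[]]$result.Lines, $enc)
    Write-Output "${pbk}: UseRasCredentials=0 set for $($result.Changed -join ', ')"
}
```

The change takes effect on the next VPN connection; the "*Session" entry in Credential Manager should no longer appear for the modified entries.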

Hi Sabrina, Thanks very much for your response. However, the VPN user names are not the same as the domain user names so your reasoning isn't quite right and option 2 won't help. The modification of the .pbk file you mention sounds like a probable workaround - I'll give that a go. Regards, David
May 20th, 2011 10:16am

Hello again, Modifying the UseRasCredentials value has done the trick. Is there any way I can apply this setting via group policy rather than modifying each computer manually? Thanks, David
May 20th, 2011 1:12pm

Hi David, Thank you for your post. I think we cannot use the group policy to achieve this. I will report this issue to our related department. Thank you for your effort. Regards, Sabrina
May 23rd, 2011 6:52am

Hello, Sabrina. We have the same problem: VPN users with Windows Vista & 7 cannot access DFS resources. Modifying the *.pbk files doesn't give us any result. \\DFS-share shows namespaces, but not all. Direct links like \\file-server\backups$ are permitted, but DFS links are invisible or denied.
July 27th, 2011 9:19am

This topic is archived. No further replies will be accepted.
