SoftEther VPN AD authentication only works with the wildcard user

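I am using SoftEther on SBS2011 with the L2TP/IPSec protocol. My initial client is Windows 10 with its built-in L2TP/IPSec support.

In my SoftEther users, if I add the wildcard (*) user and select "NT Domain Authentication", my users can connect. Note that on the client, the user is specified without any domain information. SoftEther has a default hub set, so the user name works without specifying a hub name.

In this configuration, with the wildcard user, my security log shows...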

2018-11-22 15:42:42.059 The connection "CID-65-75130DACDA" (IP address: 79.77.X.X, Host name: 79-77-xxx-x.dynamic.dsl.as9105.com, Port number: 1701, Client name: "L2TP VPN Client - Microsoft", Version: 4.28, Build: 9669) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "vluk\spencer.wood".
2018-11-22 15:42:42.059 Connection "CID-65-75130DACDA": Successfully authenticated as user "domain\domainuser".
2018-11-22 15:42:42.059 Connection "CID-65-75130DACDA": The new session "SID-DOMAIN\DOMAINUSER-[L2TP]-12" has been created. (IP address: xx.xx.237.6, Port number: 1701, Physical underlying protocol: "Legacy VPN - L2TP")
2018-11-22 15:42:42.059 Session "SID-DOMAIN\DOMAINUSER-[L2TP]-12": The parameter has been set. Max number of TCP connections: 1, Use of encryption: Yes, Use of compression: No, Use of Half duplex communication: No, Timeout: 20 seconds.
2018-11-22 15:42:42.059 Session "SID-DOMAIN\DOMAINUSER-[L2TP]-12": VPN Client details: (Client product name: "L2TP VPN Client - Microsoft", Client version: 428, Client build number: 9669, Server product name: "SoftEther VPN Server (64 bit)", Server version: 428, Server build number: 9669, Client OS name: "L2TP VPN Client - Microsoft", Client OS version: "-", Client product ID: "-", Client host name: "pcname.hostname", Client IP address: "xx.xx.237.6", Client port number: 1701, Server host name: "192.168.X.X", Server IP address: "192.168.X.X", Server port number: 1701, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "VPN", Client unique ID: "04CB9F2131DABA5XXXXF85C77D68E48D")

If I remove the wildcard user and add a specific user named "domain name", that user cannot connect.

2018-11-22 15:43:38.344 The connection "CID-66-5B8386C5FC" (IP address: 79.77.X.X, Host name: 79-77-X-X.dynamic.dsl.as9105.com, Port number: 1701, Client name: "L2TP VPN Client - Microsoft", Version: 4.28, Build: 9669) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "domain\domainuser".
2018-11-22 15:43:38.344 Connection "CID-66-5B8386C5FC": User authentication failed. The user name that has been provided was "domain\domainuser".

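Does the user need to belong to a specific group in the domain? I don't think so, because when authenticating with the wildcard user, the same use cannot be achieved.

What might I be doing wrong?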
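
An added example (not part of the original post, and not SoftEther's own code): a small Python parser that pairs each connection attempt in a security log of the format quoted above with its authentication result by CID, then counts failures per source address and user name. The sample lines, addresses and user names are constructed.

```python
import re
from collections import Counter

# Constructed sample in the format of the security log quoted above (all values made up).
SAMPLE_LOG = r'''
2018-11-22 15:42:42.059 The connection "CID-1-AAAA" (IP address: 203.0.113.10, Host name: host-a.example, Port number: 1701, Client name: "L2TP VPN Client - Microsoft", Version: 4.28, Build: 9669) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "corp\alice".
2018-11-22 15:42:42.059 Connection "CID-1-AAAA": Successfully authenticated as user "corp\alice".
2018-11-22 15:43:38.344 The connection "CID-2-BBBB" (IP address: 198.51.100.7, Host name: host-b.example, Port number: 1701, Client name: "L2TP VPN Client - Microsoft", Version: 4.28, Build: 9669) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "corp\bob".
2018-11-22 15:43:38.344 Connection "CID-2-BBBB": User authentication failed. The user name that has been provided was "corp\bob".
2018-11-22 15:44:01.120 The connection "CID-3-CCCC" (IP address: 198.51.100.7, Host name: host-b.example, Port number: 1701, Client name: "L2TP VPN Client - Microsoft", Version: 4.28, Build: 9669) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "CORP\Bob".
2018-11-22 15:44:01.120 Connection "CID-3-CCCC": User authentication failed. The user name that has been provided was "CORP\Bob".
'''

ATTEMPT = re.compile(
    r'^(?P<ts>\S+ \S+) The connection "(?P<cid>CID-[^"]+)" \(IP address: (?P<ip>[^,)]+)'
    r'.*The auth type provided is "(?P<auth>[^"]+)" and the user name is "(?P<user>[^"]+)"')
RESULT = re.compile(
    r'^\S+ \S+ Connection "(?P<cid>CID-[^"]+)": '
    r'(?P<res>Successfully authenticated as user|User authentication failed\. '
    r'The user name that has been provided was) "(?P<user>[^"]+)"')

def parse_auth_events(text):
    """Pair each connection attempt with its authentication result, keyed by CID."""
    events = {}
    for line in text.splitlines():
        m = ATTEMPT.match(line)
        if m:
            # A new attempt starts as 'unknown' until a result line for its CID is seen.
            events[m['cid']] = {**m.groupdict(), 'outcome': 'unknown'}
            continue
        m = RESULT.match(line)
        if m and m['cid'] in events:
            ok = m['res'].startswith('Successfully')
            events[m['cid']].update(outcome='success' if ok else 'failed',
                                    result_user=m['user'])
    return list(events.values())

def failed_logins(events):
    """Count failed authentications per (source IP, lower-cased user name)."""
    return Counter((e['ip'], e['user'].lower())
                   for e in events if e['outcome'] == 'failed')

if __name__ == '__main__':
    evs = parse_auth_events(SAMPLE_LOG)
    for e in evs:
        print(e['ts'], e['cid'], e['ip'], e['auth'], e['user'], e['outcome'])
    print(failed_logins(evs))
```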

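Answer 1

Getting the "Tumbleweed" badge prompted me to post my own answer (or rather, a non-optimal workaround).

The problem was caused by the users trying to connect through the VPN being logged on to the PC as non-administrator users. Once I changed their accounts to local administrators, everything worked.

I can't come up with a reasonable explanation for this, in particular why non-administrator users work as long as they authenticate through the SoftEther wildcard user.

If anyone can explain it, I will change the accepted answer.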