-2

I am trying to set up a basic PPTP VPN connection using Forefront TMG 2010. Whenever I try to connect to the VPN connection from my Windows 7 machine, I get an error related to unauthorized access.

So I went on to reconfigure the allowed users for VPN.

Here is what I found, which might explain the problem:

As you can see in the image above, the Group name is no longer Remote Users but rather a long string. And the Domain is missing entirely.

Could you please help me figure out the reason for it?

I would really appreciate any help you can provide me :)

Thanks a lot for looking into it.

Moon
  • That's the [Security IDentifier (SID)](http://technet.microsoft.com/en-us/library/cc961998) of the group. Usually, the SID will be displayed when the domain is unable to resolve the object's name. From the snip, the column is truncated; yours appears to possibly be a domain SID. Is this group from the local domain or an external/trusted domain? – jscott Jul 15 '12 at 16:51
  • @jscott: it is from a local domain. – Moon Jul 15 '12 at 17:17
  • @jscott: I have added a snip of full group SID – Moon Jul 15 '12 at 17:30
  • @Moon Showing the whole SID won't do much. There are two parts to a SID, a Domain Identifier which is unique to your AD domain, and a Relative Identifier which is unique within your domain. Basically, providing us with the SID and expecting it to help us track down your problem isn't going to work. You have a connectivity/availability issue somewhere. You need to do some basic troubleshooting on your own and if you hit a dead end, post what you've done and ask for help in a new question. At this point, though, you need to do some basic legwork yourself. – MDMarra Jul 15 '12 at 17:45

3 Answers

5

What you are seeing is a SID (Security Identifier). This is a unique identifier. Every AD object has a SID, and internally, the SID is always referenced, not the name. This is why you can change a user/group name and not break anything - the SID is what's referenced behind the scenes.

When you inspect an object, the SID is usually replaced with the object's name, so that it's more easily readable by humans. In the event that a Domain Controller is unavailable to do this translation, you will be shown the SID instead.

Basically, you have a connectivity/availability problem from the machine looking at the SID and the Domain Controllers for your domain. Track down this issue and you'll be fine. 9 times out of 10, it's a DNS problem, so start there.

MDMarra
  • I think the TMG server is able to talk to the DNS. I am able to ping the DC/DNS fine. And as you can see, I was able to resolve proper group `Remote Users` when I typed `remote` in the `Object Name` box and clicked on the `Check Name` button. I might be wrong though, perhaps this information is cached on the local machine? – Moon Jul 15 '12 at 17:57
  • Are you using your DCs for DNS servers, or are you using something else? If, for example, you are using your router or Google DNS, then machines will be able to resolve internet addresses, but those DNS servers will have no knowledge of machines on your LAN, which will seriously hinder communication. – Robin Gill Jul 15 '12 at 20:48
  • @RobinGill: I am using my DC as DNS. – Moon Jul 15 '12 at 22:28
  • @Moon: eewww, TMG. I feel your pain. Might want to make sure TMG isn't misdirecting your internal DNS traffic, or temporarily take it out of the middle to narrow down the problem. I've had nothing but problems with ISA/TMG in the environments I admin that insist on running it. – HopelessN00b Jul 17 '12 at 14:51
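As an added diagnostic (not MDMarra's code or anything shipped with TMG), the PowerShell below, run on the TMG server, attempts the same SID-to-name translation the user-set dialog performs and reports which part of the SID is the domain identifier and which the RID; the SID value is a constructed placeholder, and the `nltest` call is a standard DC-locator check.

```powershell
# Added diagnostic for the symptom in MDMarra's answer: a SID shown where a
# group name should be means this host could not translate it via a DC.
# Run on the TMG server itself; the SID below is a constructed placeholder.
function Test-SidResolution {
    param([Parameter(Mandatory=$true)][string]$Sid)

    $report = New-Object PSObject -Property @{
        Sid = $Sid; DomainIdentifier = $null; Rid = $null
        SameDomainAsCurrentUser = $null; Name = $null; Error = $null
    }
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)

        # Domain identifier vs. relative identifier (RID), as described in the comments.
        if ($sidObj.AccountDomainSid) {
            $report.DomainIdentifier = $sidObj.AccountDomainSid.Value
        } else {
            $report.DomainIdentifier = '(well-known SID, no domain part)'
        }
        $report.Rid = ($Sid -split '-')[-1]

        # Does it belong to the domain this session is logged on to? A SID from a
        # trusted domain needs that trust's DCs reachable as well.
        $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
        if ($me.AccountDomainSid -and $sidObj.AccountDomainSid) {
            $report.SameDomainAsCurrentUser = $sidObj.IsEqualDomainSid($me)
        }

        # Translate() asks the local LSA, which contacts a DC for domain SIDs.
        $report.Name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        $report.Error = 'Not mapped: no DC answered or the object was deleted'
    }
    catch {
        $report.Error = $_.Exception.Message
    }
    $report
}

$r = Test-SidResolution -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'  # constructed
$r | Format-List Sid, DomainIdentifier, Rid, SameDomainAsCurrentUser, Name, Error
if ($r.Error) {
    # Name did not resolve: confirm the DC locator works from this host
    # (it fails when DNS does not point at the DCs, the most common cause).
    nltest "/dsgetdc:$env:USERDNSDOMAIN"
}
```

If the name resolves here but TMG still shows the SID, the lookup that fails is the one made by the TMG service account, so repeat the check in that security context.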
0

I faced a similar issue. I tried a lot of things, but in the end it turned out to be a VM cloning issue. I had cloned my primary domain controller machine for TMG before configuring it as a domain controller.

I rebuilt the TMG server from scratch rather than cloning, and everything is working fine.

In the case of a physical server, you might be using an operating system that is a restore of another server in your domain.

0

What worked for me (same issue) was creating an access rule to allow all traffic between Forefront and the domain controllers group. That resolved the issue, so fine-tuning that rule would be the next step.

Rob