RRAS, DUN, and the disappearing login script

Dear Mole,

We have discovered that our Windows NT® login scripts don't run on our Windows NT 4.0 Workstations when dialing in using RAS unless you choose the option to connect to the network using RAS from the login screen. Most of our users connect to the network after logging in and stay connected only as long as needed. They learned this from using Windows 95.

Is there a way to get login scripts to run in this situation? Is this problem fixed in any of the Windows NT 4 Service Packs and is it fixed in Windows® 2000?

Thanks,
Patrick Mitchell


Patrick,

How can Mole help thee? Let him count the ways. Login scripts are one of those crazy instances where any number of things could be sludging up the works. Think of it as the Misconfiguration Domino Effect. (Note that since this is not officially a technical term, it has no acronym.) Anyhow, let's consider the possibilities.

First, let's recap your problem. You've logged into your machine locally. Then you initiate a Dial Up session to the RAS server. You pass through the Windows NT gate just fine, but your login script doesn't run. Gotcha. Patrick, this is a timing issue. The RAS server will wait 5 seconds for a response from a Domain Controller for authentication. If authentication is not received in that time, RAS will use the cached credentials from the workstation to validate the logon. Bingo. You're in, no running the login script.

Of course, Mole confesses to being a little bit curious about what's in that login script you just can’t live without. Assuming it's stuff you truly want or need, the best suggestion he can give you is to use User Profiles to achieve the same ends. Not only does this work, it's actually the method recommended by Microsoft.

An alternative to the User Profile approach is to put a Domain Controller on the same subnet as the RAS server. This makes for a faster authentication response from the Domain Controller, and since the logon scripts will be replicated to that machine, they should run. This would make everything a lot simpler.

Mole's last and most labor-intensive idea is to run a script file that contains the items in the logon script. You can automate this by modifying the Dial-Up shortcut you create and place on the user’s desktop. Here’s how:

First, create the Dial-Up Phonebook Entry as you normally would by selecting Start, Programs, Accessories, Dial-Up Networking. When you’re done creating the Phonebook entry and before clicking that final OK box, click the More button and choose “Create shortcut to entry.”


Then, from the shortcut on the desktop, right-click the shortcut icon and select “Edit entry and modem settings.” Select the Script tab. You should see something like this:

[Screenshot: the Script tab of the phonebook entry]

As you can see, you can specify a script to run after dialing in (or before dialing in, if you click the “Before dialing” button). Point to the script you want to run and that should do it. Please note: When you click on Edit Script, you will be presented with a document that states:

"This file provides sample logon scripts for connections to remote computers. Connections to Windows NT RAS computers do not use this file, so this file is used only for connecting to non-Microsoft computers.

Dial-Up Networking now supports the Windows 95 scripting language, which you may find easier to use than SWITCH.INF scripts. The language is described in script.doc located on the <winnt>\system32\ras\ directory."

The basic form of a script for Dial-Up Networking follows:

; A comment begins with a semi-colon and extends to
; the end of the line.

proc main

; A script can have any number of variables and commands
variable declarations
command block
endproc

Here is a simple example of a script using the Windows 95 scripting language:

waitfor "Login:"

waitfor "Password?", matchcase

waitfor "prompt>" until 10

waitfor "Login:" then DoLogin, "Password:" then DoPassword, "BBS:" then DoBBS, "Other:" then DoOther until 10

Is this the worst solution? Yeah, probably. But it's your choice.

Of saved passwords and service packs

There's a problem that bears a family resemblance to yours, Patrick, that can appear on networks to which Windows NT Service Pack 4 has not yet been applied. Mole quotes here from the Knowledge Base article “DUN Credentials Cached When Save Password Not Selected with RAS.” The problem description is:

When you have Routing and Remote Access Service for Windows NT 4.0 installed on your computer and you are using the Dial-Up Networking client software to connect to a server, a dialogue box requests the user's User ID and password for the server. In the same dialogue box is the Save Password check box, which is intended to provide the user with the option to cache their security credentials if desired. However, the implemented client functionality actually caches the user's credentials regardless of whether the check box is selected or not.

If you have Service Pack 3 or lower installed, Mole recommends that you obtain, download, test, and then install Windows NT Service Pack version 6a.

You asked about Windows 2000...

Windows 2000 offers some improvements to this situation through the use of Group Policies. (Actually, it improves a lot of situations with Group Policies. Mole thinks you'll like 'em a lot.) But we were talking about your login script. When a slow link is detected, the default behavior is as follows:

Policies that are applied by default:

  • Registry settings (from administrative templates) must always be applied (this cannot be changed)

  • Security policies must always be applied (this cannot be changed)

  • EFS recovery policy

  • IP security

Policies that are not applied:

  • Application Deployment

  • Scripts

  • Folder Redirection

  • Disk Quotas

The administrator can change the default behavior on workstations by modifying or creating a Group Policy Object (GPO) to define the types of Group Policy that should be applied. See Knowledge Base article “Default Behavior for Group Policy Extensions with Slow Link” for more information.

Gee, is this more answer than you wanted?
Mole

His Point-to-Point Tunnel is stuffed up

We have set up VPN successfully on our network, and with testing we have found that it will be a very beneficial aspect of our network. Only problem: the only ISP connection that I can successfully log into my network with from the Internet is AOL.

I am running Windows 98 from home and I’ve tried several other ISPs, and have not been successful with the connection. If I use AOL, I log in fine, the password gets validated and I can see my network. I use, say, EarthLink and it won't even dial the IP address - I get an error stating that the adaptor is in use, please restart computer and try again. Why will the adaptor work with AOL but not with any other Dial-Up Networking connections?

Any answers? I would appreciate it.

Thank you and have a nice day.
Anthony Giannattasio


Hi Anthony.

As is often the case, Mole's answer starts with a question. It's one you have to ask your ISP of choice, or each ISP you'd like to be able to use to connect to your VPN. The question is, Do you support PPTP? Mole hopes the response you receive does not involve the word Huh?

This is where the tunnel branches, depending on the answer you receive.

Tunnel One: Your ISP does provide PPTP service.

Tunnel Two: Your ISP does not provide PPTP service.

Once again, see if the ISP has any good advice for your situation. Hey, it never hurts to ask. If they merely shrug, it's back to the library, with a different reading list this time.

Between these two, you should find enough information to build yourself a good solution.

Here's a neat trick

You can create a batch file that will automatically make your dial up connections between ISP and corporate PPTP server. Saves time. Saves cycles. Makes you feel smart. Read on: “Automating PPTP Connection Via ISP Connection.”

For all that spare time: Your own PPTP background reading list

VPNCon: Go to California. Learn. Tan. You obviously see the benefits of Virtual Private Networking for your company. Do you also see the benefits of a four-day conference in San Jose, just when the snow's getting dirty in New England, hurricane season is setting in on the Gulf Coast, and mildew in the Pacific Northwest has become life threatening? Mole thought so. Check this out.

Don't Miss the Virtual Private Networking Conference (VPNCon)!
VPNcon is a focused conference with exhibits designed to show customers how to implement VPNs. The conference concentrates on new Virtual Private Networking technologies, products, and services. There are three major tracks for this conference: Network Administration, Security and Standards, and Business.

One last small crumb, this courtesy of one of Mole's colleagues, who observes that whenever the prefix is "Virtual," what follows is a lie.

Keep smiling.
Mole
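
The batch-file approach mentioned under "Here's a neat trick" above, sketched as an added example (it is not from the original column or from the Knowledge Base article it cites). It assumes a Windows NT 4.0 or Windows 2000 client, where rasdial.exe is available; the phonebook entry names and the CORP domain are hypothetical, and passwords are prompted for with "*" rather than stored in the file.

```batch
@echo off
rem Added example: dial the ISP, then the PPTP entry, without storing passwords.
rem Assumptions: rasdial.exe is present (Windows NT 4.0 / Windows 2000 client);
rem the phonebook entry names and the CORP domain below are hypothetical.
setlocal
set ISP_ENTRY=My ISP
set VPN_ENTRY=Corp PPTP
set DOMAIN=CORP

rem Both user names are required; passwords are never passed as arguments.
if "%1"=="" goto usage
if "%2"=="" goto usage

rem Step 1: dial the ISP. The "*" makes rasdial prompt for the password,
rem so it does not end up in this file or in the command history.
rasdial "%ISP_ENTRY%" %1 *
if errorlevel 1 goto isp_failed

rem Step 2: bring up the PPTP tunnel over the ISP link.
rasdial "%VPN_ENTRY%" %2 * /DOMAIN:%DOMAIN%
if errorlevel 1 goto vpn_failed

echo Tunnel is up. Current connections:
rasdial
goto end

:vpn_failed
rem Do not leave an idle ISP link open when the tunnel could not be built.
echo PPTP connection failed; hanging up the ISP link.
rasdial "%ISP_ENTRY%" /DISCONNECT
goto end

:isp_failed
echo Could not connect to the ISP; the PPTP entry was not dialed.
goto end

:usage
echo Usage: %0 isp-username corp-username

:end
endlocal
```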

More RRAS and PPTP (CMAK makes it sexy)

Dear Mole,

I have a question for you regarding a solution design I am working on. We already use several RRAS servers running SP5 supporting 10 remote offices around the world where we run LAN to LAN VPN using RRAS/PPTP. In addition these RRAS servers take calls from all our traveling notebook users using I-Pass and MCM/PPTP.

Now we are extending the model to include home-offices based on VPN with pure Microsoft Windows NT4 and 3COM ISDN routers.

The 3COM ISDN router supports PPTP through NAT and makes it possible to use a single-user free subscription for our home-offices. On the inside we use a Windows NT4 workstation setup with RAS/PPTP and SP5 connected via 10baseT to the 3COM router. We have everything working with the NT4WS a member of our domain for logon.

My question is how we can make the logon as transparent as possible to the users, and make it look like it does in the office.

  1. The user presses ctrl-alt-delete and gets the logon box; here we have locked the "use dial-up networking" button so that is forced and fine; this we found in TechNet.

  2. Then there is a new prompt for which phone number etc. to dial and the user must click "dial".

Thanks for your attention. We really hope this could be solved, as we then would have a very nice and sexy Windows NT4 package for home-office.

Thanks & Best Regards
Geir A.
IT Comm. Manager


Hello Geir,

Sexy home office...hmmmmm. No. Mole will not forward links from his Favorites file. He will congratulate you, though. You're just a whisker away from implementing what you want, in the purely technological sense. In fact, you're only missing one last, essential acronym. That's CMAK.

CMAK stands for Connection Manager Administration Kit, which has several components. CMAK uses a wizard to create user-specific connection information. The connection information, called a service profile, along with some other stuff, makes up the Installation Package. Combined with the resident Connection Manager (CM), it provides a versatile client dialer for connecting to network resources on public networks, or securely connecting to private networks via the Internet. CM sits on top of Dial-Up Networking. Its job is to provide your users a hassle-free network connection experience.

Here's some of what you can do with CMAK.

Connection Status: Configure the interface to keep your users informed about their connection status.

Automatic Password: Specify if end users' passwords are to be saved for accessing the network(s) in question. You can enable or disable this service, depending on the security policy of the company or the Internet Service Provider.

Assignment of Secure Connections: With each POP phone number, CMAK can associate a Point-to-Point Tunneling Protocol (PPTP) configuration.

Check out CMAK in the Internet Explorer 5 Resource Kit. Click to Part 3, Chapter 14.

Find planning information in the Connection Manager Administration Kit Guide.

That should do it, Geir.

Regards,
Mole

P.S. Update your Windows NT 4.0 Service Pack to version 6a. Please. You’ll thank me.

But the guy at the mall said it would crash!

Mole,

I use Windows 3.1 on a 586-100 system. I never have had the need to upgrade and one program we use for a home business was installed on Windows 3.1. The program writer "thinks" it will work OK in an operating system upgrade from Windows 3.1 to Win95 or Win98, but they are not sure since most users installed in the 95 or 98 mode.

I have not been too concerned until yesterday when a tech at a local chain store that sells computers, TVs, and fax machines said that Windows 3.1 was not Y2K compliant and "would not even boot" no matter what was loaded behind it. I have not been able to find anything on the Internet about 3.1 and Y2K. I have done the "time" and "date" change to 12-31-1999 at 11:59pm and everything clicks over OK and everything seems to work OK but...?

Any info on Windows 3.1? I really don't want to upgrade unless it’s necessary due to possible problems with the business program, but I also can't afford downtime or loss of information on the system.

Thanks for any help.
Everett B.


Everett,

Okay, this question may seem just a little bit retroactive, since 1/1/2000 has come and gone and your computer is no doubt still running just fine. But there are several reasons Mole wants to take it on. The first is that it lets him observe that you will always get more reliable info from Mole (and from TechNet in general) than from the guy in the computer chain store at the Mall. You can take this to the bank. Guaranteed.

Point two, about that programmer you've hired. You know what Mole would do? Ask the guy to do more than guess whether his program has any problems running on a machine that has been upgraded from Win 3.1 to Win9x. It's his program and it seems to the Mole that it's his responsibility to verify whether the program works in different scenarios. Remember, too, you can push back on him if you decide to upgrade Windows. (Please alter the foregoing pronouns appropriately if the program writer happens to be female.)

This should satisfy you that there aren't any insurmountable problems with Win 3.1 and Y2K -- in fact, the "compliance rating" is "The product is compliant with recommended customer action." That could be anything from reading a document to loading a software update. Mole bets you’re up to it. It says absolutely nothing like "Upgrade now or lose the farm."

If you're happy with Win 3.1, Mole sees no reason to change. Although he does find himself wondering what sort of person is able so staunchly to resist all the bells and whistles that have been offered since……

Yours,
Mole

You saw it here first. Or maybe second...

In a recent column, Mole addressed the issue of conflicting DLL versions in DLL Heck. Our friends at Microsoft Developer’s Network have just published an article that provides a great background on the whole problem, what Windows 2000 is doing about it, and future directions. Most interesting.

Backtalk!

Singin' those old multi-boot blues

Mole, that Adobe guy who wanted to have 4 partitions might have a problem (really?). I've used Partition Magic and the old OS/2 Boot Manager and they limit you to 4 partitions, which is actually a limit imposed on us by how these silly disks are fdisked. One of those partitions will have to be the "Boot Partition" which will present a menu pointing at the 3 boot choices. A method I often use is have 2 boot partitions and a third partition for data that can be seen from either boot partition.

Love your column, later
Keith Shelley


Thanks Keith!

Love you too, man.
Mole

Got questions? Got answers? Share.

Communicate with Mole at [closed account].

Send him your toughest questions.

And if you think you have a better answer than Mole's, or a different one, send that along, as well. Please include the following:

  • Your name

  • Your title

  • Your company

  • Your email address

  • Your question/solution/compliment

Credits: Lon, Lon, Lon.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.