How to Login into NT with a tunneled connection

One of the most difficult tasks when using EnterNet or TunnelBuilder is to login to the Microsoft Windows Networking services over a tunnel.  This can be difficult using any VPN or distributed network solution over a router, because VPN essentially consists of a routed virtual network.  This article attempts to simplify the networking task over VPN using EnterNet.

Users can connect into an NT domain over dialup modems, PPPoE sessions, or (most commonly) a VPN session using the Point to Point Protocol (PPTP).  In all cases, the user is assigned a WINS address at connection time.  This may also be possible using the non-Microsoft VPN clients over EnterNet.

Users logging into Microsoft Networking are typically being authenticated by an NT Domain Controller.  For this you need the name of the NT Domain, a NetBIOS Name Server or WINS address to map the Windows NetBIOS names to an IP address, and a user name and password for that NT Domain.   This is typically different from your VPN server or ISP's username and password.

You will need a NetBIOS Name service (NBNS), either from the NT WINS service or the NTS IPserver to begin with. 

Its main purpose is to map a NetBIOS computer name, group name, or username to an IP address for routing purposes.  The WINS  address will be supplied to you when the tunnel is established.  If your IPConfig does not show a WINS address, you won't be able to connect into an NT domain.

Note: This document refers to both NBNS and WINS using the more common term of NBNS.

There is a lot of information on the Microsoft web site explaining how to access Windows networking over routers (VPN is essentially a router).  Siemensis unable to offer support for this complicated task - we recommend you check with your network administrator for information on this subject.  Nevertheless, we can offer this as a starting ground:

• The first step is to set up your connection.  If connecting into an NT PPTP service using EnterNet, you may need to supply the NT Domain Name.  This is normally necessary if the Domain Controller is separate from the VPN Service.  If connecting into any other VPN server such as TunnelMaster, the NT Domain is not needed.

• The second task is to verify that the Tunnel connection is successful.  You should be able to ping your private network destinations as well as browse to web servers over the tunnel.  This means that the IP (internet protocol) access is working successfully.  After establishing your tunnel, use the EnterNet PING application to verify that you can reach:

• the NT WINS server or NTS Shadow IPserver address
• the addresses  of any File sharing servers on the network

• Check your Details after the connection to verify you have a valid NBNS address over the Tunnel.  This will be assigned by your NT or TunnelMaster server. If you don't see a valid NBNS Address, then your Network Neighborhood won't show anything.

• After verifying your NBNS Address is correct, go to the NT WINS Server or Shadow IPserver and verify that your remote user's computer name and User name for logging into NT has registered itself with the WINS Database or Shadow Netbios Database.  Also verify that the NT Master Browser services and Primary Domain Controller have registered their names with the database.

• You also need to have each remote user configured to log into an NT Domain on your private network. This domain must be accessible to the NT WINS service or Shadow IPserver. The next few images can be seen by clicking Start -> Settings -> Control Panel -> Networks. Then double-click the Client for Microsoft Networks

• If using File Sharing with your EnterNet client, you may need to disable the Browsemaster capability on the Windows File and Print Sharing Service for each remote user.  This is generally only necessary if the remote user has a local LAN connection for EnterNet as well as a dialup connection.

• If the remote user is connecting over a dialup modem, you should verify that the Dialup Networking Properties is set to NOT log on to the network after dialup - you need to defer the login until after you establish the tunnel instead:

• If using a Lan based Tunnel, then you may need to disable the the bindings of the Windows Networking components over the TCP/IP protocol the runs over the clear ethernet adapter. This means you won't be able to log into an NT without first establishing a tunnel  After your Tunnel is built, you will be prompted to login to your NT system.

To unbind the File and Print sharing and MS Networking client from the clear MS TCP over Ethernet, PPPoE, or dialup adapter. Click on Control Panel -> Network, then select the TCP/IP protocol running over your Ethernet adapter, which represents the clear TCP stack. Click Properties to disable the NetBIOS binding over the clear path.  Select the Bindings Tab to disable binding for each service over the MS TCP over ethernet. Click OK.

For NT, the ethernet or PPPoE adapter would look like this:

For Windows 2000 systems the configuration would resemble this. You will want to disable the NetBIOS transport over the ethernet TCP from the WINS tab:

• Now verify that the Network bindings are enabled over the EnterNet TCP stack. Look at the Binding properties for the EnterNet TCP stack from the Network Properties: Network TeleSystems TCP (Private) -> EnterNet VPN Adapter:

• You next need to ensure that your system is configured to log into an NT Domain.  For Windows 2000 users you would change the Network Identification from the Network Properties:

• If your network requires the ComputerName to be registered with the Domain Controller, you may need to request this from your Network Administrator.
• At this point, you have everything you need in place to log into the network, as long as the NT Primary Domain Controller (the service responsible for authenticating user logins) is also registering with the WINS or Shadow IPserver. You will need to reboot for these network modifications to be loaded. Then click on your tunnel, log in to NT, and check your Network Neighborhood.
• What happens when you're able to login to NT, but the browsing still shows up empty? This is unfortunately a common problem with Windows NT networking. These are the following common problems with Windows Networking:

• Check to see if you have the latest NT service packs and Windows 95 Dialup Networking, redirectors, and winsock updates installed.  Windows 98 seems to have addressed most of the bugs in the Windows95 networking components.
• Verify that the NT Master Browser services and Primary Domain Controller have registered their names with the WINS or Shadow database.
• Verify that the VPN service that you're connecting to has an NT Server on that subnet.  For WINS to work correctly, you need an NT Server on every subnet to pass the SMB broadcasts over to the NT Domain Controller.

The hardest problem to deal with when the browsing fails is a rogue Master Browser showing up on your network. In this case, a starting NT server comes up with no network activity and elects itself as the Master Browser, seeing that no other server can answer the requests. Later when the network is restored, the rogue server continues by itself until the next election.  This usually clears up in 10 to 30 minutes and the rest of the neighborhood should show up fine.

Logging into NT Domains from an NT or Windows 2000 without a connection

How does one Log into NT without logging out first?  Using Regedit, Add a new string value named KeepRasConnections to the following registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Add the string value of KeepRasConnections and set it with avalue of 1.  Then logout and logon as a user on your private network. Your connection should stay active.

You will need to weigh these disadvantages against the advantages of the user friendliness of providing Windows Networking to your remote users.  As software upgrades and high-speed access become more common, we believe that Windows Networking will become more important to users.  Hopefully this article will be able to save you some time in setting up a secure, reliable network.