Windows server AD/DC

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
Joeideal
Posts: 3
Joined: Sun Sep 19, 2021 7:52 am

Windows server AD/DC

Post by Joeideal » Sun Sep 19, 2021 8:13 am

Hi all.
I have a very strange issue with softether. Regarding AD security.
We have a small office with a running an AD/DC directory and Windows 2019. We are new to Windows Server and Domains.
On site network, We have group folders restricted to certain staff, some staff have access to other folders and files, some staff do not have access to some folders or files and works absolutely perfect. A typical server setup.
I have setup Softether server on the Server 2019 machine with a separate offsite test client machine and created a genuine test user with file and folder restrictions on Server 2019 and using this user logging in with Softether Ad authentication.
I have Setup SE in Virtual hub mode, single Ethernet cards Bridged, Nat enabled.
Connection to domain is OK

Now here is the problem and I’m not sure if this is typical.
When I login with AD user authentication I can access all AD folders with no restrictions. It is like Softether is not respecting the AD rules and restrictions unique to each active directory users account.
Because of above I then tried my own AD account and exactly the same issue, I can open every shared folder and drive and view all files.
I have tried all sorts of settings and still same issue.

Has anyone got a solution to this, is there settings I need to set on the Windows server domain, or is this a feature of SE.

Thanks

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Windows server AD/DC

Post by nobody12 » Sun Sep 19, 2021 10:12 am

It is very unlikely that SE is able to work around the Windows permissions model.
Please give a detailed example of a:
share permission
folder permissions inside this share
and a sample user and its group memberships.
What other roles beside hosting the SE Server does the Server 2019 fulfill?

Btw. why did you enable NAT? The good thing (if you have a small scale setup) of softether is the LAyer2 integration of the VPN client. After connection is up it works like it would be in the office network. If you put a layer of Nat or routing between the network and the VPN clients you might have a few problems like not beeing able to manage a VPN client because Nat will block access from teh office network to the VPN clients Network.

Joeideal
Posts: 3
Joined: Sun Sep 19, 2021 7:52 am

Re: Windows server AD/DC

Post by Joeideal » Sun Sep 19, 2021 5:42 pm

Hi there

many thanks for replying below is basically setup


The AD/DC is for file sharing and storing only
Example. Folder shared for 4 users in AD.
Gerry, Thomas, Linda and Jane
Gerry is Accounts, Linda and Jane office admins and Thomas Manager

Network Drive shared Folders called Accounts, 1 x folder Called Office Admin, 1 x Folder Manager all folders on network however

Inside Accounts is a private folder for Gerry plus An Admin accounts folder and a Folder that the Manger Thomas and Gerry only can view and use.
Gerry can access the three folders inside his Accounts however he cannot see Linda and Janes Private folders nor Managers folder plus they are forbidden for him to access even if he could view them.
Linda and Jane have private folders and can see and use Admin folder plus Manager folder.
Linda and Jane can also pass files to and from each other.
Thomas can view and has access to all folders.

With Softether I can open every network shared folder regardless of which domain user I was logging in with.
This seems to only happen If I login for the first time after setup with Janes account for instance ,I cannot at this point access other user folders I get restricted message.
If I then logout Janes and login with Linda’s , I can access Linda’s files and access Janes files too.
I logout and login with Manager I can access all files.
I then logout then log back in as Jane and have access to all files and folders including the managers with no restrictions.

I’m not sure if this has anything to do with this issue, but I have been trying from a single offsite computer, could it be Softether is storing the settings somehow for previous user login “ I am logging in with Ad Domain auth” on all accounts.

Honestly I thought this would be a simple case of connect to company network and all restrictions folder access network folders etc would remain.
But it seems this is not the case.

It’s driving me nuts looking for the solution. I believe there has to be one but I could be wrong.

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: Windows server AD/DC

Post by eddiewu » Mon Sep 20, 2021 1:25 am

I am not sure I understand your situation correctly.
But make sure you know that the account used to login the vpn has nothing to do with your access right on the target domain. No matter you login with which account, to the domain you are still the same person from that client you are logged in.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Windows server AD/DC

Post by nobody12 » Mon Sep 20, 2021 7:26 am

Change the authentication mode from NT domain authentication to password authentication (the default).
That way the login for the VPN will be different from your Windows credentials. It also give you an additional layer of security - you can use simple passwords for your Domain login because the VPN is protected with a strong password.
Then check again what happens.

Regarding the examples: if the above does not fix the problem, please give real examples with screenshots. You wrote what you planned and that is of course ok, however when implementing the share and folder rights you might have overseen something.

Joeideal
Posts: 3
Joined: Sun Sep 19, 2021 7:52 am

Re: Windows server AD/DC

Post by Joeideal » Mon Sep 20, 2021 9:15 pm

Hi everyone thank you for helping
Tried all options below and still the same.

I removed Soft-ether server and re-installed. And what I found was that the first user “ Accounts “ I logged in with worked absolutely perfect access to Accounts folder all ok . Other user Folders restricted etc.
However when I logout of Softether client and login with another Username “ Jane “ then she has access to Accounts folder and restrictions with no access on her own and others.

I removed Softether server again, reinstalled and logged in with a a different first user “ Jane “ and she had access to her correct folder and no access to other folders. Just like previous. However logout of client then login with another user “ Accounts “ and they have aces to Janes folder and not they’re own, other folders were restricted.

I removed Softether server for a third time and once again using a different user worked perfect until you change user.

I have come to the conclusion that Softether server is storing the very first login somewhere, and not releasing the first account. Maybe there is a setting in config, I don’t know.

Another thing I noticed was when first logging into a fresh install Softether server you are presented with a typical windows credentials login. However after the first User Login of Softether server you do not get the credentials login screen again. Even when changing users.
If you uninstall and re-install the softether server then log back in, once again the credentials appears for the login username you are using.

Ps: I tried every login , Password, radius, ad auth . Everything and this phenomenon is still existing. Until you uninstall and re-install the SE server

Can anybody think if there is a setting or what is going on.

One other thing I suspect that on separate computers this phenomenon may not exist, as each user will login with they’re details. However if another users wishes to vpn login on a computer they have not logged onto for the first time then they will not have access to they’re files but another staff members.

Thank you everyone for helping, highly appreciated.

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: Windows server AD/DC

Post by eddiewu » Tue Sep 21, 2021 2:00 am

As I said, logging into the vpn with user a does not log user a into the domain. They are two separate things. That’s why you are presented a windows login dialog.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: Windows server AD/DC

Post by nobody12 » Tue Sep 21, 2021 8:11 am

"Another thing I noticed was when first logging into a fresh install Softether server you are presented with a typical windows credentials login. However after the first User Login of Softether server you do not get the credentials login screen again. Even when changing users.
If you uninstall and re-install the softether server then log back in, once again the credentials appears for the login username you are using."

You mean: when someone has sucessful connected to the VPN and then wants to open a share one the server?

There should be no second login if the setup ist made correct.
If you remove that "Secure-NAT" your clients will see the net work as the domain network (if they were able to recognize this before). No second login.
Instead you will be authenticated authomatically with the users credentials which is currently logged in on the computer (I assume this user is a member of the Domain).
Dont forget to delete all login credentials which maybe are saved in the windows password store (controlpanel, accounts, saved passwords), otherwise the computer might use something from there and not the current logged in users credentials.

Post Reply