PPTP VPN Connection and Domain Security

[mike16]

Hi there,

First off I'd just like to say that I'm a huge fan of AutoIt. I can't even count the number of ways that it's made my life easier over the past two years : )

That being said, I'm currently having a problem that I don't quite know where to being to try and solve.

First the background:

At our company one of the programs that is used on multiple computers is not installed. Instead the files are copied to the machine and run from that location. The major problem with this was whenever there was an update to the program (which there was quite often... bunch of code monkeys : ) ) the files had to be copied down to each machine again (we're talking about 30 machines in total). The files we're too large to copy using a log on script (because then everyone would be downloading 2.5GB of files all at once in the morning). So the solution... enter AutoIt.

I wrote a script that takes a zip file stored on an internal server, downloads it to the users computer, extracts the files, sets up the proper security permissions using the domain (server 2003) and so on. I compiled it as an exe and now the users can run it on their own (thus staggering the downloads from the server). It's working wonderfully and has cut an upgrade down from 45 minutes per computer to 10 minutes per computer (which I don't have to be involved with).

Now the problem:

I now have a user that has to be joined to another domain. This domain is not trusted with our domain (and might not be), but the user has to access this program that is on our domain (with domain security permissions). I tried to run my program on the computer while it was connected to our VPN, but the credentials would not translate. When the program tried to access the shares it would take the domain logon credentials of the computer instead of the credentials used when connecting to the VPN. I know this because I tried to hit one of the internal server shares that the program uses and it asked for a username and password.

Anyway, I could transfer the files to the computer manually (like the old days) and put the right permissions on the folder with the computer connected to the VPN (just to get it working), but I'm wondering if there's anyway to solve this problem in my AutoIt program (for future use). Maybe even create a separate deploy program for VPN use only.

I can post my current code if needed (minus some bits due to security reasons), I'm just posting from another computer at the moment so I can't get it right now. If anyone has any ideas though, that would be greatly appreciated.

Sorry about the long post, but I like to include as much information as possible when trying to solve a problem : )

Thanks,

Mike

[WiSp]

What about creating a service user account on your domain and give it read only access to the one share where you download the files from. Then, put in your script a "runas" command running as this limited user. As long as you maintain access control on the shares and directories, this should provide sufficient restrictions.

[mike16]

I forgot to include this in my post, which should be relevant to your reply. The program has two components. The initial "launch" program, and the program that does the actual work. The launch program runs the second program as a user with elevated privileges on the domain so that it has the security permissions needed to copy files to the C: Drive. This elevated user already has access to the share where the files are downloaded from, so everything in this program is already running as a user with access. It just seems like that access is not translating across the VPN connection.

I realize now that my point about it not using the users vpn credentials actually doesn't matter at this point, as the program runs as a different user. And trying to hit the share while outside of AutoIt also isn't a good test as again, it's not using the credentials that the AutoIt program is running with. My mistake on that one, it's been a long day : P

Mike

[psynegy]

Have you added the VPN user/group to the list of people that can access the installation files?

I believe Windows will by default use your VPN logon details for any network resource connection you make.

Hope that helps...?

[mike16]

Tried that a few minutes ago. Still no go. I'm not entirely sure of where it's failing, so I'll do some testing with output messages in my code and see if I can track it down. I'll be back with the results.

Mike