We encountered a mystery this week. Suddenly, clients that had been working before could not log in. There were no faults on the VPN servers. The client was getting a "negotiation failed" message. Retries and reboots did not help.
When you look at the VPN logs using this search string:
action:"Failed Log In"
You will find the failures, and the Mobile Access Details will show:
Reason - Unknown user.
Cause:
Dependencies:
1) The client is set to use Default Browser for authentication. That appears to be the default workaround in 89.00 for the issue with Win 11 2H25. Or the browser has been set per sk180395.
2) The VPN is using SAML authentication.
Either by design or by user choice, when asked whether they wish to allow Network Access on opening the VPN site, the user clicked Block.
Resolution:
1) Extreme case, delete cookies and select Allow the next time you are challenged.
2) For Edge, use this link to get to the setting and add the VPN URLs to the allowed sites (something similar is used for Chrome).
edge://settings/privacy/sitePermissions/allPermissions/localNetworkAccess
3) (Untested at this point YMMV) - For corporate sites with GPO management, add it as part of the policy. The key is:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\LocalNetworkAccessAllowedForUrls]
"1"="[*.]myvpn.mycompany.dotwhatever"
Caution is required. The index number, in this case "1", will overwrite whatever is already stored under "1". You therefore need to pick an index that does not collide with entries you may already be deploying. The above is in .reg file format; you can make a .reg file to apply it by adding the header
Windows Registry Editor Version 5.00
If you are unsure of the index numbers, you can ask Grok to write a script to test for the values used and select the next. Grok offered this yesterday for PowerShell and I have NOT tested or tried it. Buyer beware.
# Define the registry path and new URL(s) to add (script from Grok, on request)
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\LocalNetworkAccessAllowedForUrls"
$newUrls = @(
    "https://your-vpn-site.example.com"   # Add more here if needed, one per line
    # "[*.]subdomain.example.com"
)
# Create the key if it doesn't exist
if (!(Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
# Get the existing numbered values ("1", "2", ...), sorted by index
$existing = @(Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue |
    Get-Member -MemberType NoteProperty |
    Where-Object { $_.Name -match '^\d+$' } |
    Sort-Object { [int]$_.Name })
# Determine the next free index: highest existing index plus one, or 1 if none
$nextIndex = if ($existing) { [int]($existing[-1].Name) + 1 } else { 1 }
# Add the new URLs starting from nextIndex
for ($i = 0; $i -lt $newUrls.Count; $i++) {
    $index = $nextIndex + $i
    Set-ItemProperty -Path $regPath -Name $index -Value $newUrls[$i] -Type String
}
Write-Output "Added $($newUrls.Count) URL(s) starting at index $nextIndex."
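As an added example (not part of the original post and not the Grok script above): a read-only PowerShell check that lists what is already under the policy key from step 3 and tells you whether a given VPN host name is matched by an existing entry, so you can confirm coverage and pick a free index before writing anything. The host name is a placeholder.

```powershell
# Added read-only check (not from the original post): list the existing
# LocalNetworkAccessAllowedForUrls entries and test whether a VPN host is
# already covered. Key path is the one from step 3; host name is a placeholder.
function Get-EdgeLocalNetworkAccessAllowList {
    param([string]$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\LocalNetworkAccessAllowedForUrls")
    if (-not (Test-Path $RegPath)) { return }
    # Policy entries are registry values named "1", "2", ...; ignore the PS* properties.
    (Get-ItemProperty -Path $RegPath).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { [pscustomobject]@{ Index = [int]$_.Name; Pattern = [string]$_.Value } }
}

function Test-UrlPatternCoversHost {
    param([string]$Pattern, [string]$HostName)
    # Drop an optional scheme and path; Chromium URL patterns may include both.
    $p = ($Pattern -replace '^[a-z]+://', '') -replace '/.*$', ''
    if ($p -eq '*') { return $true }
    if ($p.StartsWith('[*.]')) {
        # "[*.]example.com" matches example.com itself and any subdomain of it.
        $base = $p.Substring(4)
        return ($HostName -eq $base) -or ($HostName -like "*.$base")
    }
    return $HostName -eq $p
}

function Show-EdgeLocalNetworkAccessCoverage {
    param([Parameter(Mandatory)][string]$HostName)
    $entries = @(Get-EdgeLocalNetworkAccessAllowList)
    if ($entries.Count -eq 0) {
        Write-Output "Policy key absent or empty; $HostName is not allow-listed (first index would be 1)."
        return
    }
    $entries | ForEach-Object { Write-Output ("{0,4}  {1}" -f $_.Index, $_.Pattern) }
    $hit = $entries | Where-Object { Test-UrlPatternCoversHost -Pattern $_.Pattern -HostName $HostName } |
        Select-Object -First 1
    if ($hit) {
        Write-Output "$HostName is covered by index $($hit.Index) ($($hit.Pattern))."
    } else {
        $next = [int]($entries | Measure-Object -Property Index -Maximum).Maximum + 1
        Write-Output "$HostName is NOT covered; the next free index is $next."
    }
}

# Placeholder host name; replace with the real VPN portal FQDN.
Show-EdgeLocalNetworkAccessCoverage -HostName 'myvpn.mycompany.example'
```

Run it before and after applying the .reg file or the script above to confirm the new entry landed on a free index and actually matches the portal host.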
H/T to my co-worker Sunil Shivnani for finding the root cause.