Recently one of my users was having trouble printing from remote workstations. In this scenario, the user needed to print some reports from a system that resided on a client’s network. She would start up the Windows 7 VPN client, provide credentials, and once connected to the client’s network through VPN, she would start the Microsoft Terminal Services Client and login to the system she needed to print reports from. During this time, the printers on our network (managed by a domain-wide printserver; mapped to workstations via GPO) would become inaccessible. The printers would “show up” on the remote side (as TS Session Printers) as they should, but they just would not accept print jobs.
After some troubleshooting, I found that this only happened when she was connected to the VPN. Whenever I tried to access the print server through a UNC path (i.e., \\printserver\printer ) a username/password box would appear, asking for her domain credentials — but here’s the kicker: the username field would be pre-filled with the username she used to login to the VPN. After some more digging, I came across this blog post and it immediately solved the problem. This was such a pain in the ass that I’ve decided to recreate the text of the resolution here, just in case that post should disappear for whatever reason:
- Locate the .pbk file (VPN session file) for the session you want to fix
- Windows Vista/7: C:\Users\\AppData\Roaming\Microsoft\Network\Connections\Pbk
- Windows XP: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk
- Open the file in notepad and search for the following text: UseRasCredentials=1
- Change the “1” to a “0”, save, exit.
This tells the operating system not to rely on the RAS credentials that get cached upon initiating the VPN session. In Windows Vista / 7, this option is enabled by default; it wasn’t in Windows XP. I have yet to see/hear a good explanation for why it was changed.