Do not use VPN credentials to connect to network resources?
Solution 1:
There is a security policy setting that does specifically what I am looking for: "Network access: Do not allow storage of passwords and credentials for network authentication". By enabling this setting, VPN credentials are not stored and therefore are not used to attempt to authenticate to network resources like shared files and Exchange.
Since the issue only affects domain-member workstations, applying this setting to all of them is a simple matter of setting it with Group Policy.
Solution 2:
I know this is an old question, but I believe there is a better answer in that it doesn't require any server-side changes: edit the VPN settings to not use the VPN credentials when authenticating to network servers. This setting is not exposed through Windows' UI, so you need to locate the .pbk file associated with your VPN connection (%AppData%\Roaming\Microsoft\Network\Connections\PBK\rasphone.pbk for user VPNs) or (%ProgramData%\Microsoft\Network\Connections\Pbk\rasphone.pbk for system VPNs).
- Right click on the VPN's .pbk file and open it with Notepad. (Remember to untick 'Always use this program for this file type')
- Roughly 5 lines down will be an entry 'UseRasCredentials=1'
- Change this to 'UseRasCredentials=0'
- Save the file.
I sourced these instructions from: https://social.technet.microsoft.com/Forums/windows/en-US/0204464d-e32d-4584-966b-60788cce0d6f/disable-creation-of-vpn-session-credential-in-credential-manager-without-disabling-all-of
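
The manual edit from Solution 2, scripted so it can be dry-run first and then applied to every entry in a phonebook. This is an added example, not part of the original answers: the function name `Set-UseRasCredentialsOff` and the sample phonebook are constructed for illustration, and it assumes the default `Get-Content`/`Set-Content` encoding suits the file.

```powershell
# Added example (hypothetical helper): set UseRasCredentials=0 for every entry
# in a rasphone.pbk phonebook and report which entries had it enabled.
# Assumption: default Get-Content/Set-Content encoding suits the file; check on
# a test machine first if entry names contain non-ASCII characters.
function Set-UseRasCredentialsOff {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $Path)

    if (-not (Test-Path -LiteralPath $Path)) { return }   # no phonebook here

    $lines   = @(Get-Content -LiteralPath $Path)
    $entry   = $null
    $changed = @()

    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\[(.+)\]\s*$') {
            $entry = $Matches[1]                 # section header = VPN entry name
        }
        elseif ($lines[$i] -match '^\s*UseRasCredentials\s*=\s*1\s*$') {
            $lines[$i] = 'UseRasCredentials=0'   # same edit as the Notepad steps
            $changed  += $entry
        }
    }

    if ($changed.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($Path, 'Set UseRasCredentials=0')) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force  # rollback copy
        Set-Content -LiteralPath $Path -Value $lines
    }

    # Emit one object per entry that had UseRasCredentials=1 (also under -WhatIf).
    $changed | ForEach-Object { [pscustomobject]@{ Phonebook = $Path; Entry = $_ } }
}

# Constructed sample phonebook so the example runs without touching real VPNs.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'rasphone-sample.pbk'
Set-Content -LiteralPath $sample -Value @(
    '[Corp VPN]', 'UseRasCredentials=1', '',
    '[Lab VPN]',  'UseRasCredentials=0'
)
Set-UseRasCredentialsOff -Path $sample -WhatIf   # dry run: reports, writes nothing
Set-UseRasCredentialsOff -Path $sample           # applies the edit, keeps a .bak

# Real phonebooks ($env:APPDATA already resolves to the user's Roaming folder):
#   Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'
#   Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
```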