New users on VPN clients

 
 
Jeff Vandervoort
04-28-2006, 01:52 AM
WS2003 SP1 RRAS L2TP/IPSEC VPN with WinXP SP2 VPN Clients. Client computers
are domain members and user accounts are domain accounts.

When a new user logs on to a VPN Client computer for the first time, there
are no cached credentials, which prevents the VPN connection from being made
that would allow those credentials to be cached.

I have created a script that uses Run As to launch a program under the new
user's domain credentials. That gets Windows to cache the credentials,
enabling the new user to log on thereafter, providing there's an account
with cached credentials already on the computer under which the script can
run. But, that's still not a very clean solution.

Is there any other way to do this without having the remote machine brought
in by the new user to the office and connected to the network for the first
logon, and without involving system admins or another user? Can the VPN
Client computer be configured to allow a VPN connection before the user
logon occurs?

--
Jeff Vandervoort
JRVsystems



 

Louis Vitiello Jr.
04-28-2006, 03:14 AM
On the Windows XP machines, if you launch the Network Connection Wizard and
select VPN connection, it will prompt you to enter your login and password. Is
this what you are looking for?

Hope this helps,
--
Louis Vitiello Jr.
------------------------------
MCSE, MCSA, MCP, A+/N+
ERCP XP Pro / Net Concepts


"Jeff Vandervoort" <jeffv @ jrvsystems dot com> wrote in message
news:(E-Mail Removed)...
> WS2003 SP1 RRAS L2TP/IPSEC VPN with WinXP SP2 VPN Clients. Client
> computers are domain members and user accounts are domain accounts.
>
> When a new user logs on to a VPN Client computer for the first time, there
> are no cached credentials, which prevents the VPN connection from being
> made that would allow those credentials to be cached.
>
> I have created a script that uses Run As to launch a program under the new
> user's domain credentials. That gets Windows to cache the credentials,
> enabling the new user to log on thereafter, providing there's an account
> with cached credentials already on the computer under which the script can
> run. But, that's still not a very clean solution.
>
> Is there any other way to do this without having the remote machine
> brought in by the new user to the office and connected to the network for
> the first logon, and without involving system admins or another user? Can
> the VPN Client computer be configured to allow a VPN connection before the
> user logon occurs?
>
> --
> Jeff Vandervoort
> JRVsystems



 

Bill Grant
04-29-2006, 01:00 AM
Have you looked at the "Login using a dialup connection" option on the
clients? This allows a domain login as part of the connection process. This
option is only available if the dialup/VPN connection has been configured to
allow any user to make a connection. Using the "this user only" option
disables it.

Jeff Vandervoort wrote:
> WS2003 SP1 RRAS L2TP/IPSEC VPN with WinXP SP2 VPN Clients. Client
> computers are domain members and user accounts are domain accounts.
>
> When a new user logs on to a VPN Client computer for the first time,
> there are no cached credentials, which prevents the VPN connection
> from being made that would allow those credentials to be cached.
>
> I have created a script that uses Run As to launch a program under
> the new user's domain credentials. That gets Windows to cache the
> credentials, enabling the new user to log on thereafter, providing
> there's an account with cached credentials already on the computer
> under which the script can run. But, that's still not a very clean
> solution.
> Is there any other way to do this without having the remote machine
> brought in by the new user to the office and connected to the network
> for the first logon, and without involving system admins or another
> user? Can the VPN Client computer be configured to allow a VPN
> connection before the user logon occurs?



 

Jeff Vandervoort
05-04-2006, 03:34 PM
Thanks, Bill & Louis, for your replies.

Yes, Log on using Dial Up Networking was my first guess, too. That's how I
found out cached credentials were a prerequisite. That and a Google search
that turned up the same question being asked but never answered!

The new user gets a message that they can't log on because the DC can't be
located. The DC can't be located because the computer tries to authenticate
the user before making the VPN connection. Catch-22.

We'd need a security policy or something like that to reverse the order of
the VPN logon and the local logon; I wasn't able to find one. Perhaps there
are security vulnerabilities if it's reversed, though I haven't figured out
what they'd be. Seems like it's as secure as the user's password either way,
like the local logon & VPN connection themselves. Or perhaps there's a
technical reason the local logon has to precede the network logon. Or maybe
Microsoft just didn't think it through carefully enough!

In fact, I've also demonstrated that more than just cached credentials are
required for a first logon. At least one that would do you any good.

As an experiment, I used RunAs /noprofile from another account already on
the machine to cache credentials without creating a profile. When I logged
on as the new user (with Log on using dialup networking), I got the logon
message that says the local copy of the profile couldn't be loaded. It was a
few days ago and I haven't tried it again, so don't consider what follows
authoritative, but my recollection is that the user got a temporary profile,
and until I used RunAs without /noprofile in order to create a local
profile, the new user got the temp profile every time.

So what's really needed is for the VPN logon to come first, AND to have a
VPN-assisted first logon be able to simultaneously create a permanent local
profile. My guess is that there is not currently a solution that would be
transparent to the user and easy to support...but I'd love to be wrong.

--
Jeff Vandervoort
JRVsystems
"Bill Grant" <not.available@online> wrote in message
news:(E-Mail Removed)...
> Have you looked at the "Login using a dialup connection" option on the
> clients? This allows a domain login as part of the connection process.
> This option is only available if the dialup/VPN connection has been
> configured to allow any user to make a connection. Using the "this user
> only" option disables it.
>
> Jeff Vandervoort wrote:
>> WS2003 SP1 RRAS L2TP/IPSEC VPN with WinXP SP2 VPN Clients. Client
>> computers are domain members and user accounts are domain accounts.
>>
>> When a new user logs on to a VPN Client computer for the first time,
>> there are no cached credentials, which prevents the VPN connection
>> from being made that would allow those credentials to be cached.
>>
>> I have created a script that uses Run As to launch a program under
>> the new user's domain credentials. That gets Windows to cache the
>> credentials, enabling the new user to log on thereafter, providing
>> there's an account with cached credentials already on the computer
>> under which the script can run. But, that's still not a very clean
>> solution.
>> Is there any other way to do this without having the remote machine
>> brought in by the new user to the office and connected to the network
>> for the first logon, and without involving system admins or another
>> user? Can the VPN Client computer be configured to allow a VPN
>> connection before the user logon occurs?




 

Jeff Vandervoort
05-04-2006, 03:40 PM
Thanks, Louis, but no, that's not what I'm looking for. The VPN connection
is already installed by CMAK, so the user doesn't need to create it. The
problem is...the new user can't log on to the computer at all if they've
never logged onto it while the computer had access to a DC.

--
Jeff Vandervoort
JRVsystems
"Louis Vitiello Jr." <louv-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On the Windows XP machines, if you launch the Network Connection Wizard and
> select VPN connection, it will prompt you to enter your login and password.
> Is this what you are looking for?
>
> Hope this helps,
> --
> Louis Vitiello Jr.
> ------------------------------
> MCSE, MCSA, MCP, A+/N+
> ERCP XP Pro / Net Concepts
>
>
> "Jeff Vandervoort" <jeffv @ jrvsystems dot com> wrote in message
> news:(E-Mail Removed)...
>> WS2003 SP1 RRAS L2TP/IPSEC VPN with WinXP SP2 VPN Clients. Client
>> computers are domain members and user accounts are domain accounts.
>>
>> When a new user logs on to a VPN Client computer for the first time,
>> there are no cached credentials, which prevents the VPN connection from
>> being made that would allow those credentials to be cached.
>>
>> I have created a script that uses Run As to launch a program under the
>> new user's domain credentials. That gets Windows to cache the
>> credentials, enabling the new user to log on thereafter, providing
>> there's an account with cached credentials already on the computer under
>> which the script can run. But, that's still not a very clean solution.
>>
>> Is there any other way to do this without having the remote machine
>> brought in by the new user to the office and connected to the network for
>> the first logon, and without involving system admins or another user? Can
>> the VPN Client computer be configured to allow a VPN connection before
>> the user logon occurs?
>>
>> --
>> Jeff Vandervoort
>> JRVsystems



 

Phillip Windell
05-04-2006, 07:19 PM
It isn't that complicated.

At the Ctrl-Alt-Del prompt (after hitting it), under the boxes for the
username and password, there is a checkbox that says "Log on using dialup
connection".

Check the box.

You will be prompted for what dialup connection to use... choose the correct
VPN connection.

The VPN connection will then be established *before* the user is
authenticated... therefore the domain controller will be
available... therefore the "new user" will authenticate just fine... then
the profile will be created (it just takes longer over the slow VPN link).

Now the "cached account" will exist and it will no longer matter if you use
the checkbox again or not, unless something happens to the cached account.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
" <jeffv @ jrvsystems dot com> wrote in message
news:(E-Mail Removed)...
> Thanks, Louis, but no, that's not what I'm looking for. The VPN connection
> is already installed by CMAK, so the user doesn't need to create it. The
> problem is...the new user can't log on to the computer at all if they've
> never logged onto it while the computer had access to a DC.



 

Jeff Vandervoort
05-04-2006, 11:57 PM
Thanks, Phillip.

Please see my response to Bill Grant to see what actually happens when I
check that checkbox.

--
Jeff Vandervoort
JRVsystems

"Phillip Windell" <@.> wrote in message
news:%23tWol%(E-Mail Removed)...
> It isn't that complicated.
>
> At the Ctrl-Alt-Del prompt (after hitting it), under the boxes for the
> username and password, there is a checkbox that says "Log on using dialup
> connection".
>
> Check the box.
>
> You will be prompted for what dialup connection to use... choose the
> correct VPN connection.
>
> The VPN connection will then be established *before* the user is
> authenticated... therefore the domain controller will be
> available... therefore the "new user" will authenticate just fine... then
> the profile will be created (it just takes longer over the slow VPN link).
>
> Now the "cached account" will exist and it will no longer matter if you
> use the checkbox again or not, unless something happens to the cached
> account.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> " <jeffv @ jrvsystems dot com> wrote in message
> news:(E-Mail Removed)...
>> Thanks, Louis, but no, that's not what I'm looking for. The VPN
>> connection is already installed by CMAK, so the user doesn't need to
>> create it. The problem is...the new user can't log on to the computer at
>> all if they've never logged onto it while the computer had access to a DC.



 

Bill Grant
05-05-2006, 01:47 AM
As Phillip said, it should just work. If it says that the DC cannot be
located, I suspect that it is a DNS problem. You could try manually entering
the correct DNS address and DNS suffix for your domain in the connection
properties.

Jeff Vandervoort wrote:
> Thanks, Phillip.
>
> Please see my response to Bill Grant to see what actually happens
> when I check that checkbox.
>
>
> "Phillip Windell" <@.> wrote in message
> news:%23tWol%(E-Mail Removed)...
>> It isn't that complicated.
>>
>> At the Ctrl-Alt-Del prompt (after hitting it), under the boxes for the
>> username and password, there is a checkbox that says "Log on using
>> dialup connection".
>>
>> Check the box.
>>
>> You will be prompted for what dialup connection to use... choose the
>> correct VPN connection.
>>
>> The VPN connection will then be established *before* the user is
>> authenticated... therefore the domain controller will be
>> available... therefore the "new user" will authenticate just
>> fine... then the profile will be created (it just takes longer over
>> the slow VPN link). Now the "cached account" will exist and it will no
>> longer matter if you use the checkbox again or not, unless something
>> happens to the cached account.
>>
>> --
>> Phillip Windell [MCP, MVP, CCNA]
>> www.wandtv.com
>> " <jeffv @ jrvsystems dot com> wrote in message
>> news:(E-Mail Removed)...
>>> Thanks, Louis, but no, that's not what I'm looking for. The VPN
>>> connection is already installed by CMAK, so the user doesn't need to
>>> create it. The problem is...the new user can't log on to the computer
>>> at all if they've never logged onto it while the computer had access
>>> to a DC.



 

Phillip Windell
05-05-2006, 08:44 PM
"Bill Grant" <not.available@online> wrote in message
news:eTdsNY%(E-Mail Removed)...
> As Phillip said, it should just work. If it says that the DC cannot be
> located, I suspect that it is a DNS problem. You could try manually
> entering the correct DNS address and DNS suffix for your domain in the
> connection properties.


That's right.

Jeff... you need to make sure that the VPN connection is properly giving the
user the correct DNS (maybe also WINS) when the connection is made.
Whatever they have on the "regular" connection is irrelevant... it is the VPN
connection that takes over at this point and it needs to get the right
information. If it does not, and you can't correct that... then statically
assign a DNS and WINS in the Dialup (VPN) Connection's settings. You can
still use DHCP for the IP# and mask; statically assigning DNS & WINS won't
affect that.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
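An added example, not from the thread or from any of its posters: a PowerShell script that audits the two client-side prerequisites the replies above turn on (Bill's point that "Log on using dial-up connection" only offers entries created for anyone who uses the computer, and Phillip's point that the VPN entry must hand the client the internal DNS, which can be pinned statically while the address stays server-assigned), and that can write the static DNS into the entry. It also reports CachedLogonsCount, because a value of 0 produces the same "DC cannot be located" symptom for every user, not just new ones. The entry name 'Corp VPN', the DNS server and suffix values, and the phonebook key names are assumptions; rasphone.pbk is an INI-style file with one [section] per connection, and a CMAK-installed profile keeps its own .pbk, so pass that file with -PhonebookPath. The security trade-off a practitioner should weigh: cached domain logons are stored as DCC (MSCache) password hashes, so the cache is offline-cracking material on a stolen laptop; keep the count as low as the offline-logon requirement allows rather than raising it to make onboarding easier.

```powershell
<#
  Added example (not from the thread). Audits the client-side settings the
  replies above depend on and can pin the VPN entry's DNS.
  Assumed, not stated in the thread: the entry name, the DNS values, and that
  the entry is an ordinary rasphone.pbk entry (INI-style [section] per entry,
  Key=Value lines). CMAK profiles keep their own .pbk; point -PhonebookPath at it.
#>
param(
    [string]$EntryName     = 'Corp VPN',   # hypothetical CMAK entry name
    [string]$DnsServer     = '',           # internal DNS server to pin, e.g. 10.0.0.10
    [string]$DnsSuffix     = '',           # AD DNS name, e.g. corp.example.com
    [string]$PhonebookPath = ''            # defaults to the all-users rasphone.pbk
)

# 1. Cached logon budget. Default 10; 0 disables offline logon entirely, which
#    puts every user in the position the new user is in here. The cache holds
#    DCC (MSCache) hashes of domain passwords, so raising it trades faster
#    onboarding for more material an attacker can crack off a stolen laptop.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon).CachedLogonsCount
if ($cached -eq $null) { $cached = 10 }
Write-Host "CachedLogonsCount: $cached"

# 2. Find the all-users phonebook. "Log on using dial-up connection" only lists
#    entries created for anyone who uses this computer, which live here; entries
#    created "for me only" live under %APPDATA% and never appear at Ctrl-Alt-Del.
if (-not $PhonebookPath) {
    $roots = @(($env:ALLUSERSPROFILE + '\Application Data'), $env:ProgramData)  # XP/2003, then Vista+
    foreach ($root in $roots) {
        if (-not $root) { continue }
        $p = Join-Path $root 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
        if (Test-Path $p) { $PhonebookPath = $p; break }
    }
}
if (-not $PhonebookPath -or -not (Test-Path $PhonebookPath)) {
    Write-Warning 'No all-users phonebook found; the entry is per-user only.'
    exit 1
}

# 3. Parse the phonebook and collect the target entry's keys (with line index,
#    so step 4 can rewrite them in place).
$lines = @(Get-Content -Path $PhonebookPath)
$section = ''
$index = @{}   # key -> line number
$value = @{}   # key -> current value
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^\[(.+)\]\s*$') { $section = $matches[1]; continue }
    if ($section -eq $EntryName -and $lines[$i] -match '^([^=]+)=(.*)$') {
        $index[$matches[1]] = $i
        $value[$matches[1]] = $matches[2]
    }
}
if ($index.Count -eq 0) {
    Write-Warning "Entry '$EntryName' is not in $PhonebookPath; it was created for this user only."
    exit 1
}

# IpAssign / IpNameAssign: 1 = take the value from the RAS server, 2 = use the
# static values stored in the entry. Static DNS with a server-assigned address
# is the combination Phillip describes.
foreach ($k in 'IpAssign','IpNameAssign','IpDnsAddress','IpDns2Address','IpWinsAddress','IpDnsSuffix') {
    Write-Host ('{0,-15} {1}' -f $k, $value[$k])
}
if ($value['IpNameAssign'] -eq '1') {
    Write-Host 'DNS is server-assigned; if the DC cannot be located, check what RRAS hands out.'
}

# 4. Optionally pin DNS (and suffix) on the entry. Keys that are absent are
#    reported rather than invented; IpAssign is left alone.
if ($DnsServer) {
    $set = @{ 'IpNameAssign' = '2'; 'IpDnsAddress' = $DnsServer }
    if ($DnsSuffix) { $set['IpDnsSuffix'] = $DnsSuffix }
    foreach ($k in $set.Keys) {
        if ($index.ContainsKey($k)) { $lines[$index[$k]] = "$k=$($set[$k])" }
        else { Write-Warning "Key $k not present in entry; not added." }
    }
    Copy-Item -Path $PhonebookPath -Destination "$PhonebookPath.bak" -Force
    Set-Content -Path $PhonebookPath -Value $lines -Encoding Default
    Write-Host "Pinned DNS $DnsServer on '$EntryName' (backup: $PhonebookPath.bak)."
}
```

Run it without -DnsServer first to get the report; the write path needs rights to the all-users phonebook, so run it elevated when pinning. If the entry turns up only in the per-user phonebook under %APPDATA%, recreate it (or redeploy the CMAK profile) for all users, since that is what makes it selectable from the Ctrl-Alt-Del "Log on using dial-up connection" prompt.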


 