Network gurus - VPN up before login

So I've got this user out in HK who has taken on a laptop that did belong to another user.
When we purchase a new laptop we wire it into our main network, set up the local user etc. and then get the machines out to people in HK.

They always log into the machine using the same username & password regardless of if they are attached to our network or not - if they aren't attached they are of course using cached credentials.
Now this new user is attempting to log into the laptop and of course because he has never done so before his credentials are not cached.
Because he is in HK and not attached to our network he gets the message "Domain not available" as there is nothing to authenticate him - be it Domain Controller or cache.

Is there any way that a WinXP Professional laptop can bring up a VPN connection PRIOR to the login phase?
I remember in the old WinNT 4 days there was a "Remote Login" option from the login page and when configured correctly I think I was able to do something similar to this with a dial-up connection.

Basically I'd like the following to happen (at least once, just so I can get this new user's credentials cached).

Switch on laptop and get to WinXP login screen
VPN connection to our network is brought up (standard Windows VPN client connection)
User attempts to log in to laptop
User will be authenticated by one of our DCs (down the VPN connection)
Log into Windows
User's credentials will now be cached.

Anybody know if this is possible at all?
 
Depends what you are using for your VPN?

We use a Cisco based VPN and on the laptops we use the Cisco VPN client which has an option to create VPN tunnel before Windows Login.
 
Could you not get him to log in to the machine locally as administrator, set up a VPN connection and then get him to connect to your domain? And then I think you would be able to do a right click (on notepad for instance)/ run as user, and use his own credentials which will then be cached locally.

Haven't tried it, but it could work. Not that much hassle really.

And what is HK?
 
Thanks for the replies.

HK=Hong Kong :)

We are based here in the UK where the majority of our network sits.
We have a persistent VPN tunnel to the US using the FreeSwan VPN software.
Also in the US they have a Windows DC sat at the end of their connection.

This gives us basically a very "flat" network however it covers both the UK and the US.
In HK they really only have a few remote users.

For remote users we have a Windows 2000 server here in the UK and another one in the US.
These are the VPN servers and users simply use the VPN client built into Windows XP to connect to those VPN servers.
These do the job very well to be honest - it was a cheaper option than getting Cisco kit in for our VPNs for remote users as we already had the Windows servers in place so all we needed to do was set up some NAT.

I can get the user to log into the laptop using the local administrator account.
We can then create the VPN connection and he can then log into either the VPN server in the UK or the US.
That isn't a problem - access to the VPN connection is limited to people in an AD group called "VPN Users" so he can use his own username & password to log into the VPN.
I'm guessing because the VPN connection is authenticating against a DC here at the server end of the connection.
However that doesn't in turn cache his credentials locally for login purposes.
As soon as he then disconnects, logs off the laptop and logs back in as himself it reports back with "Domain Not Available" - indicating lack of cached information again.
 
What I meant was, once connected through the VPN. Get the bloke to right click on notepad or whatever and do a "run as", choose the "this user" option and use his own credentials. That should cause him to be authenticated and his credentials to be cached.
 
Great idea! I think that would work. If not, how about logging him on locally, connecting over the VPN and remote desktop his PC. I reckon if you logged in as him, that would authenticate against the DC and create him a profile.
 
Yeah, that would work too. It's just a case of using his own credentials for a service available on his own laptop, whilst being able to authenticate against the DC.

Does that mean we qualify as Network Gurus? :p lol
 