The internet is littered with questions about VPN connection and authentication issues as a result of using cached credentials.

  • How can I automatically connect my Windows VPN at start up?
  • Why do I have to re-enter my user credentials when connecting my corporate VPN?
  • How do I get Group Policy to apply to VPN connected users?
  • How do I use my work domain user account when I work from home using a VPN?
  • Why won’t my logon script run when connecting by VPN?

You can connect from any PC using a VPN, but in most cases you do so after having logged onto the PC first. If this is a “domain joined” corporate PC, when you logon without the domain controller present, you are not authenticating to the domain but rather using the credentials cached on the local computer from a previous logon.  As a result Group Policy cannot be updated, logon scripts are not applied, and most often you have to re-enter your user credentials when you do choose to connect to the office via VPN.

It is possible to connect to the VPN at logon resulting in an experience similar to that of the office, except of course for the reduced file transfer speed,  However, there are few conditions that must be met to do so:

  1. This applies only to the Windows VPN client. Newer Cisco VPN clients and a few others do offer methods to connect the VPN before logon, but they use different processes.
  2. The computer must be a member of the domain, and therefore Pro, Ultimate, or Enterprise versions of the operating system.  At logon you will be providing domain credentials which are automatically passed to the local logon, thus they must be the same.  Using the same username and password is not enough as logon credentials include domain or computer names.  Domain\JDoe is not the same as LocalPCname\JDoe.  If the computer is not already a member of the domain, it is possible to join a remote domain using the VPN connection.  To do so please see:  http://blog.lan-tech.ca/2012/07/25/how-to-join-a-windows-domain-using-a-vpn/
  3. Should the PC not be domain joined and you wish to automate the VPN connection, after logon, please see: http://blog.lan-tech.ca/2013/06/08/rasdial-automate-vpn-connections/
  4. When you create the VPN connection you must check the box “allow other people to use this connection”.

image

Having met these conditions, at logon there is now an option to connect using the VPN during logon.

Windows Vista and Windows 7:

At logon select “Switch User” and a new blue icon will appear in the lower right next to the familiar red Shut Down icon.

image

Clicking the icon will allow you to use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC

image

Windows XP:

At logon after pressing ctrl+alt+del, if you click the “Options” button there will new be a check box “Logon using Dial-up connection” which will use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC

image

Windows 8:

Please see the more recent post to enable on a Win 8 PC

Slow Links:

Depending on the performance of the VPN connection, it is sometimes necessary for the network administrator to “tweak” a few Group Policies for slow network detection.  The following policies can assist with this:

Server 2008 / 2008 R2 / SBS 2008 / SBS 2011:

  • Computer Configuration | Policies | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Policies | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow link speed

Server 2003 / SBS 2003 / SBS 2003 R2:

  • Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and login
  • Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow link speed

Client Deployment:

Network administrators may also want to considered creating a deployable VPN client for consistency, security, and with a company logo.  An earlier post outlines how to do so in detail:

http://blog.lan-tech.ca/2012/01/30/windows-vpn-client-deployment/

Comments on: "Connect to Windows VPN at Logon" (14)

  1. how about windows 8 and this feature ?

    i miss it and cant find it.

  2. […] year I did an article entitled “Connect to a Windows VPN at logon”.  Rather than duplicate, please refer to that article for details, but It has been pointed […]

  3. […] can logon to the VPN in Windows 7 (before user logon) Connect to Windows VPN at Logon | LAN-Tech Network Management Reply With […]

  4. Howdy! I could have sworn I’ve visited this site before but after looking at a few of the
    articles I realized it’s new to me. Nonetheless, I’m certainly pleased I
    came across it and I’ll be bookmarking it and checking
    back regularly!

  5. Brittny said:

    Hey there, You’ve done a great job. Thanks.

  6. VPN Before WINDOW LOG IN VPN SET UP ROUTER !!!
    Hello i Successfully Set up a VPN on my router and everthing is working Good:)!! but i have small problem i trying to make it where you can log in the VPN BEFORE window load up useing the the switch user and then you click the vpn button in the lower right hand corner of the screen but when i put my user name and password in.IT ” says bad usernames and password” but i can mannual put in inside window and it work fine and everthing work but i cant put it in before the window log in screen and i need to be able to get other account that are located on my domain now again my VPN is set up on my router NOT my Server which i dont think that would make a differences but i dont know !! Now i already made and sure and it checked the box that say ” Allow other Users on this computer to use this VPN COnnect’ i checked that box and i was also reading on other forms where people were saying if the date and time was not in sync with the server or whatever then that would mess it up so i made sure all the computer well sync together ( Date and time) and that didnt help see when i put my user name and password in the window log in screen trying to get into the VPN it will all the passed the register computer with network and then it will show ” welcome and then it bring up the message log into failed wrong username or bad password when i just litterally just use it to mannual log into the vpn through inside window i dont know…. i need help please thank you have a great day
    and i forgot to add i am useing Window OS default VPN software NOT useing 3rd party

    • The connect to VPN before logon option uses active directory for authentication, thus it cannot work with a router based VPN. If the router actually integrates with AD for authentication, which most business class routers like Cisco, Juniper, etc. can do it should work, but I have not tried it and if you had a router such as that it would be better security to use their VPN client. Let me know if I can help further.

  7. thank you for replying i have asus router with dd wrt that the VPN is set up on and all i want to do is to be able to log on to my domain through VPM BEFORE window log in screen and i will be happy LOL so i can get my user account and policy gpo etc so will you please tell me what i need to buy/do to get this going by the way the server is handed DHCP,DNS,AD AND IT A DC.

    • AND one more question if i set rras on my server 2012 will that let me log in BEFORE window log on useing VPN??

      • Yes, the solution is to configure RRAS to allow VPN access and do not use the router’s VPN capability, just port forward the appropriate VPN ports on the router. As mentioned the ability to connect to the VPN before logon is a Windows solution requiring RRAS, a domain joined machine, and a Windows VPN client. It will not authenticate to the router, or work with other VPN clients. Having said that please keep in mind the Windows VPN solution is not overly secure by today’s standards.

  8. this is for lab testing not to worry about lol so can you please tell me step by step what to do please cause i really want to get this going please
    and by the way do you mind if i have your email to email back and fourth please

  9. concepcionreinhart said:

    This article is really helps.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Tag Cloud

Follow

Get every new post delivered to your Inbox.

Join 114 other followers