The internet is littered with questions about VPN connection and authentication issues as a result of using cached credentials.
- How can I automatically connect my Windows VPN at start up?
- Why do I have to re-enter my user credentials when connecting my corporate VPN?
- How do I get Group Policy to apply to VPN connected users?
- How do I use my work domain user account when I work from home using a VPN?
- Why won’t my logon script run when connecting by VPN?
You can connect from any PC using a VPN, but in most cases you do so after having logged on to the PC first. If this is a “domain joined” corporate PC, when you log on without the domain controller present, you are not authenticating to the domain but rather using the credentials cached on the local computer from a previous logon. As a result, Group Policy cannot be updated, logon scripts are not applied, and most often you have to re-enter your user credentials when you do choose to connect to the office via VPN.
It is possible to connect to the VPN at logon, resulting in an experience similar to that of the office, except of course for the reduced file transfer speed. However, there are a few conditions that must be met to do so:
- This applies only to the Windows VPN client. Newer Cisco VPN clients and a few others do offer methods to connect the VPN before logon, but they use different processes.
- The computer must be a member of the domain, and therefore running a Pro, Ultimate, or Enterprise edition of the operating system. At logon you will be providing domain credentials which are automatically passed to the local logon, thus they must be the same. Using the same username and password is not enough, as logon credentials include the domain or computer name: Domain\JDoe is not the same as LocalPCname\JDoe. If the computer is not already a member of the domain, it is possible to join a remote domain using the VPN connection. To do so please see: https://blog.lan-tech.ca/2012/07/25/how-to-join-a-windows-domain-using-a-vpn/
- Should the PC not be domain joined and you wish to automate the VPN connection after logon instead, please see: https://blog.lan-tech.ca/2013/06/08/rasdial-automate-vpn-connections/
- When you create the VPN connection you must check the box “allow other people to use this connection”.
Having met these conditions, there is now an option at logon to connect using the VPN.
Windows Vista and Windows 7:
At logon select “Switch User” and a new blue icon will appear in the lower right next to the familiar red Shut Down icon.
Clicking the icon will allow you to use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC.
At logon after pressing Ctrl+Alt+Del, if you click the “Options” button there will now be a check box “Log on using dial-up connection” which will use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC.
Please see the more recent post to enable this on a Windows 8 PC.
Depending on the performance of the VPN connection, it is sometimes necessary for the network administrator to “tweak” a few Group Policies for slow network detection. The following policies can assist with this:
Server 2008 / 2008 R2 / SBS 2008 / SBS 2011:
- Computer Configuration | Policies | Administrative Templates | System | Group Policy | Group Policy slow link detection
- Computer Configuration | Policies | Administrative Templates | System | Scripts | Run logon scripts synchronously
- Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow-link mode
- Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow link speed
Server 2003 / SBS 2003 / SBS 2003 R2:
- Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and logon
- Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
- Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
- Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow-link mode
- Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow link speed
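The following pre-flight check, an added example and not part of the original post, verifies the conditions listed earlier (domain membership, and whether the VPN entry was created with “allow other people to use this connection”, which places it in the all-users phonebook rather than the current user's) and then reads the registry values behind three of the slow-link policies above so an administrator can confirm what actually applied on the PC. The connection name “CorpVPN” is an assumption; edit it to match yours.

```powershell
# Pre-flight check for connecting the Windows VPN at logon (added example, not from the original post).
# Assumption: the VPN connection is named "CorpVPN"; change $VpnName to match your entry.
$VpnName = 'CorpVPN'

# 1. The PC must be domain joined, because the logon credentials are passed straight to the domain.
$cs = Get-WmiObject -Class Win32_ComputerSystem
"Domain joined  : $($cs.PartOfDomain) ($($cs.Domain))"

# 2. "Allow other people to use this connection" stores the entry in the all-users phonebook;
#    only entries in that file are offered at the logon screen. A per-user entry will not be.
$allUsersPbk = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
$perUserPbk  = Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'

function Test-PbkEntry ($Path, $Name) {
    # Phonebook files are INI-style; each connection is a [Name] section header.
    (Test-Path $Path) -and
        (Select-String -Path $Path -Pattern "^\[$([regex]::Escape($Name))\]" -Quiet)
}
$allUsers = Test-PbkEntry $allUsersPbk $VpnName
$perUser  = Test-PbkEntry $perUserPbk  $VpnName
"All-users entry: $allUsers   Per-user entry: $perUser"
if ($perUser -and -not $allUsers) {
    "Recreate '$VpnName' with 'Allow other people to use this connection' checked."
}

# 3. Registry values set by the Group Policies listed above. A missing value means the
#    policy is "Not Configured" and Windows uses its default behaviour.
$policies = @(
    @{ Name = 'Group Policy slow link detection (kbps)'
       Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value = 'GroupPolicyMinTransferRate' },
    @{ Name = 'Always wait for network at startup/logon'
       Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'SyncForegroundPolicy' },
    @{ Name = 'Run logon scripts synchronously'
       Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'RunLogonScriptSync' }
)
foreach ($p in $policies) {
    $v = (Get-ItemProperty -Path $p.Key -Name $p.Value -ErrorAction SilentlyContinue).($p.Value)
    '{0,-42}: {1}' -f $p.Name, $(if ($null -eq $v) { 'not configured' } else { $v })
}
```

Run it in an elevated PowerShell on the client PC after creating the connection; the Offline Files slow-link policies are not read here because they are stored as multi-valued settings rather than a single number.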
Network administrators may also want to consider creating a deployable VPN client for consistency, security, and branding with a company logo. An earlier post outlines how to do so in detail: