How to Join a Microsoft Domain Behind a VPN

I got my new corporate notebook a few days ago and I’m now busy with the setup (an article will follow soon).

I need to run a Windows XP guest in a VM. I’m a mobile user and never directly connected to the company LAN. I had to join the Microsoft domain remotely through a VPN connection.

Using the local administrator credentials, I had no problem setting up the VPN and joining my company domain. But a problem occurred when I rebooted the VM and tried to log on again using the newly created account:

"The system cannot log you on now because the domain xxx is not available."

Of course, I was not yet logged in and my VPN client was not started, so there was no access to the Microsoft servers… In such a case, Google is often your best friend: I found the following document, which explains how to configure several VPN clients: Join a domain during Windows logon using a VPN client [pdf].

Nice! But I faced another blocking issue: we are using strong authentication with a token. It was impossible to configure the VPN for auto-logon (a new token code is generated every x minutes)!

The next idea was to use the Fast User Switching feature of Windows XP. Alas, it is not supported on machines with domain accounts!

Finally, I was able to log on for the first time using the method described below. [Note: This worked only because my domain user had local administrator rights]

  • Log on with your local administrator credentials;
  • Set up the VPN session;
  • Press Windows-L (you’ll be back at the logon screen with a “screen locked” message, but the VPN session is still up);
  • Press CTRL-ALT-DEL and unlock the administrator session with your domain credentials (don’t forget to select the domain instead of the local workgroup!);
  • The administrator session is killed and you come back to the logon screen (the VPN session is killed too);
  • Try again with your domain account. It works!

Once again, it worked for me because I have local administrative rights via my domain user credentials! Time to go to bed now…

2 comments

  1. PsExec sounds interesting, thanks for the tip! The problem to automate the VPN session startup was the strong authentication: it wasn’t possible to store the login/password somewhere (even temporarily). Anyway, your tool could be very interesting in other cases. I bookmarked it!

    I’ll have a look at your OpenID problem. I think that there are some incompatibilities between the OpenID and Sabre plugins. But Sabre was a requirement to keep bots away from here.

    Regards,
    Xavier

  2. Here are some ideas: maybe you could use PsExec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to launch the VPN client on the login desktop (with the -x switch).

    And to launch it at system startup, you could use either the built-in task scheduler or something like XYNTService (http://www.codeproject.com/KB/system/xyntservice.aspx).

    Hope this helps.

    PS. The blog seems to bork at my OpenID (http://hype-free.blogspot.com/). I authenticate successfully with my OpenID provider, but when I get back to the blog, it says something like “authorization denied”…
