How to Join a Microsoft Domain Behind a VPN

I got my new corporate notebook a few days ago and I’m now busy with the setup (an article will follow soon).

I need to run a Windows XP guest in a VM. I’m a mobile user and never directly connected to the company LAN. I had to join the Microsoft domain remotely through a VPN connection.

Using the local administrator credentials, I had no problem setting up the VPN and joining my company domain. But a problem occurred when I rebooted the VM and tried to log on again using the newly created account:

"The system cannot log you on now because the domain xxx is not available."

Of course, I was not yet logged in and my VPN client was not started! No access to the Microsoft servers… In such a case, Google is often your best friend: I found the following document, which explains how to configure several VPN clients: Join a domain during Windows logon using a VPN client [pdf].

Nice! But I faced another blocking issue: we are using strong authentication with a token. It was impossible to configure the VPN for auto-logon! (A new token is generated every x minutes.)

The next idea was to use the Fast User Switching feature of Windows XP. Alas, it’s not supported on machines with domain accounts!

Finally, I was able to log on for the first time using the method described below. [Note: This worked only because my domain user had local administrator rights]

  • Log on with your local administrator credentials;
  • Set up the VPN session;
  • Press Windows-L (you’ll be back at the logon screen with a “screen locked” message, but the VPN session is still up);
  • Press CTRL-ALT-DEL and unlock the administrator session with your domain credentials (don’t forget to select the domain instead of the local workgroup!);
  • The administrator session is killed and you come back to the logon screen (the VPN session is killed);
  • Try again with your domain account. It works!

Once again, it worked for me because I have local administrative rights via my domain user credentials! Time to go to bed now…


  1. PsExec sounds interesting, thanks for the tip! The problem with automating the VPN session startup was the strong authentication: it wasn’t possible to store the login/password somewhere (even temporarily). Anyway, your tool could be very interesting in other cases. I bookmarked it!

    I’ll have a look at your OpenID problem. I think that there are some incompatibilities between the OpenID and Sabre plugins. But Sabre was a requirement to keep bots away from here.


  2. Here are some ideas: maybe you could use PsExec ( to launch the VPN client on the login desktop (with the -x switch).

    And to launch it at system startup, you could use either the built-in task scheduler or something like XYNTService (

    Hope this helps.

    PS. The blog seems to bork at my OpenID ( I authenticate successfully with my OpenID provider, but when I get back to the blog, it says something like “authorization denied”…
