VPN Single Sign On with Windows 7
In the good old days of Windows XP, businesses that needed to enable their mobile users to be able to establish a VPN connection to the corporate network prior to interactively logging on to their laptop computers needed to use third-party VPN client software to accomplish this. Typically, businesses would purchase VPN client software such as Cisco AnyConnect VPN Client and configure the VPN client on the user's laptop. Then, when the time came and the user was on the road and needed to connect to resources on the corporate network, the user would begin by providing his domain logon credentials to the VPN client. The VPN client would then establish a VPN connection to the corporate network, authenticate the user's credentials against Active Directory, and interactively log the user on to his Windows desktop. The user could then browse shared resources on the corporate network and perform work with documents stored on those shares.
All this was possible only because Microsoft allowed Cisco to modify how the GINA.DLL of Windows XP worked to enable Cisco's VPN client to work like this by installing the CSgina.dll which implemented the Start Before Login feature of the Cisco AnyConnect VPN Client. In other words, CSgina.dll enables the user's computer to establish an authenticated VPN connection to the corporate network before the user is logged on to Windows. If it's configured right, the user only has to provide his domain credentials once, and these credentials are then used first to authenticate the VPN connection attempt in Active Directory and then re-used to interactively log the user on to his computer once the VPN connection has been established.
The type of business scenario where this kind of solution is frequently needed is where a company has a large number of remote users who rarely need to connect directly to the corporate network. They rarely come into the office to connect their laptop to a LAN drop. Instead, they are usually on the road and need to be able to VPN into corpnet when they need access.
What many IT shops don't realize is that if some of their users fit this kind of scenario then you don't need third-party VPN client software to do this anymore. That's because beginning with Windows Vista native functionality is now included that allows a user to establish a VPN connection to corpnet before being interactively logged on to his desktop. This article demonstrates in detail how to configure VPN Single Sign On in Windows 7 since this procedure is not well documented on Microsoft TechNet.
In Windows XP this approach used a feature that was previously known as a Pre-Logon Access Provider (PLAP) but beginning with Windows Vista this feature is known as Single Sign-On (SSO). For under-the-hood information see the article SSO and PLAP in the MSDN Library.
Configuring Windows 7 for VPN Single Sign On
Let's begin with a computer that has Windows 7 installed and is not yet domain-joined. Begin by logging on using the credentials of a local administrator on the computer:
Figure 1: Step 1 of configuring Windows 7 for VPN Single Sign On
Once you are interactively logged on to the Windows desktop, open the Network and Sharing Center. The next step is to create your VPN connection, and you begin doing this by clicking the Set Up A New Connection Or Network link circled in red below:
Figure 2: Step 2 of configuring Windows 7 for VPN Single Sign On
In the Set Up A Connection Or Network wizard, click the Connect To A Workplace option as shown below. If the user of the computer is going to be using a dial-up modem connection instead of a VPN tunnel over the public Internet, select the fourth option in this wizard page instead and proceed similarly to the steps that follow.
Figure 3: Step 3 of configuring Windows 7 for VPN Single Sign On
In the Connect To A Workplace wizard, click the Use My Internet Connection (VPN) option as shown next:
Figure 4: Step 4 of configuring Windows 7 for VPN Single Sign On
On the next wizard page, specify a FQDN or IP address for the VPN server the user will use to connect to the corporate network, and type a friendly name for this connection as shown below. Also be sure to select the Allow Other People To Use This Connection checkbox as shown below. Selecting that checkbox is important since it makes the System built-in identity the owner of the VPN connection and not the user (Karen) who is configuring the connection on the computer, and that will allow other users of the computer to perform VPN SSO logon. And if the user of the computer will be using his smart card for logging in, be sure to select the Use A Smart Card checkbox as well. Finally, if the computer you are configuring is not currently connected to the Internet, you can select the Don't Connect Now option which will set up the new VPN connection but not initiate it until you manually choose to do so later.
Figure 5: Step 5 of configuring Windows 7 for VPN Single Sign On
On the next wizard page, type the credentials that will be used for logging on to the domain. In this case, Karen Berg is configuring the computer for her own personal use, so she enters her own credentials here.
Figure 6: Step 6 of configuring Windows 7 for VPN Single Sign On
Finish the wizard to set up the new VPN connection. Once this is done, the user can click the Network icon in the notification area of the taskbar, and a popup window will appear showing the newly created VPN connection:
Figure 7: Verifying the VPN connection.
To complete setting up her computer, Karen now joins her computer to the domain. If she is in the office, she can do this by connecting the computer to a LAN drop, clicking Start, and right-clicking Computer to open the System Control Panel item. Then she clicks Change Settings and join her computer to the domain the usual way. If she is on the road sitting in a hotel somewhere, she would first use a LAN drop in a hotel room or a secure wireless hotspot to gain Internet access and then click the Network icon in the notification area, click My VPN Connection in the popup window, click the Connect button, provide her domain credentials when prompted to do so, establish a VPN connection to the corporate network, finish logging on to her desktop, and then join her computer to the domain in the usual way.
Logging On using VPN SSO
Now Karen is on the road and she needs to access shared resources on her company's internal network over a VPN connection. To do this, she turns on her computer and waits until the logon screen appears:
Figure 8: Step 1 of logging on using VPN SSO
Karen then presses Ctrl+Alt+Del and sees the usual logon screen as shown next:
Figure 9: Step 2 of logging on using VPN SSO
Instead of typing her password, Karen clicks the Switch User button, and an additional blue button now appears near the bottom right of her screen. This button is circled in red in the next figure, and if Karen hovers her mouse over this button a tooltip saying "Network Logon" appears:
Figure 10: Step 3 of logging on using VPN SSO
Karen clicks the blue Network Logon button, and this opens a new logon screen called My VPN Connection (this was the friendly name that Karen gave to the VPN connection she created earlier). Karen now types her username and password (if she uses a smartcard then she selects the checkbox instead):
Figure 11: Step 4 of logging on using VPN SSO
After entering her credentials, Karen presses Enter and a dialog box appears indicating that the VPN connection is being established with the remote network:
Figure 12: The VPN connection is being established
Once the VPN connection has been established, the credentials Karen specified will automatically be used to log her on to the desktop of her computer. Once her desktop has appeared, she can browse shared resources on the corporate network over the VPN connection, upload and download files, and perform her work.
This article has demonstrated how to set up Windows 7 so that a mobile user can enter their domain credentials once to first establish a VPN connection to the corporate network and then interactively log on to their computer. This feature of being able to VPN using Single Sign On is a useful feature of Windows 7 that may save your company money by making it unnecessary to purchase third-party VPN client software for this purpose.