Switch User Disconnects VPN - How can we prevent this behavior?

  • Question

  • We need a way to be able to "switch user" on remote PCs connected to VPN for those rare times we need to log on with admin rights to uninstall software.  We use Remote Assistance most of the time to support off-site systems and it works for everything except uninstalling, since a UAC prompt will pause the RA session per Microsoft as expected behavior at https://technet.microsoft.com/en-us/library/ee844127%28v=ws.10%29.aspx.  If we RDP to a system that is logged onto VPN we can get logged on, but during the process of "switch user" the VPN connection will drop.  Windows 7 appears to treat the RDP connection (while someone else is logged on) just like a regular "switch user" -- these both drop the VPN connection.

    A fair number of articles say the VPN connection needs to have its properties configured to "Allow other people to use this connection" so that the connection will not drop.  Perhaps this worked years ago when Windows 7 was a little bit younger, but it does NOT work today. Is there a solution to this issue that does not involve a 3rd party VPN solution?

    Thursday, April 28, 2016 10:38 PM

Answers

  • The solution would be to implement DirectAccess on the remote machines so that they 'appear' to be on the network at all times.

    Since the authentication will happen with the computer accounts, so long as the computer has an internet connection they will be on the network and fully managed. You should then be able to RDP to the machine even when the user is logged off and log in with your administration account; heck, you wouldn't even need to use the local admin account to do the lifting.

    Edit: this may not be the solution you would want, as there is a lot of work involved in setting this up, including the introduction of a DirectAccess server, implementing an IPv6 rollout and likely upgrading your router to an IPv6-compatible router.

    Wednesday, May 4, 2016 3:37 PM

All replies

  • Hi Eddie78701,

    Are you using a wireless or wired connection when connecting to the VPN?

    If you are using the wireless network, Windows needs to first verify your local account and then make the network connection available, as a wireless connection is considered not secure.

    In addition, please also take a look at the steps listed by Kate Li in the thread below:

    https://social.technet.microsoft.com/Forums/windows/en-US/d059b84c-d71e-4d03-ae83-46653e406ee6/vpn-automatically-disconnects-when-switching-users-windows-10?forum=win10itprogeneral

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, April 29, 2016 8:33 AM
    Moderator
  • I am working on the issue with a wired connection (we do not have wireless in the office).

    Friday, April 29, 2016 4:08 PM
  • Why can't you drop the VPN connection and log in as another user?

    Best regards, George

    Friday, April 29, 2016 4:58 PM
  • The user is the one who is remote so when you switch user the VPN connection drops so I can no longer see the PC since it is off the network. 

    One option would be to have the user connect to VPN prior to logging on to Windows, but we use an encryption product that logs you into Windows with your credentials automatically.  So when you start the VPN connection it logs you into Windows automatically (which prevents users from having to log on to their PCs twice).

    Sunday, May 1, 2016 3:48 PM
  • Hi Eddie,

    Might a startup script for the VPN connection work here?

    Regards



    Wednesday, May 4, 2016 5:03 AM
    Moderator
  • Since you're using a third-party product (which you should have mentioned originally), you cannot expect the Windows operating system to go your way as well.

    Best regards, George

    Wednesday, May 4, 2016 3:18 PM