Windows 8.1 Connect VPN before domain logon

    Question

  • I have successfully configured Windows 8.1 Pro with a VPN connection (using "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)"). I can successfully connect to my VPN when logged onto the computer with cached domain credentials or a local user account.

    During creation of the connection, I made certain to select the option to "Allow other people to use this connection" and I have tested the VPN connection using multiple accounts.

    The following has been resolved - see additional post below: [However, the VPN connection is not listed on the Networks screen available at the logon screen. It displays the available wireless connections, but not the VPN connection. Does anyone have any ideas as to how I can get the VPN connection to be displayed on the Networks screen so the computer can be connected to the VPN prior to a user logging on to the computer?]

    I would like the computer to check-in with the domain and give Group Policy a chance to run prior to a domain user getting logged onto the computer.

    Thank you in advance.


    Brian



    Tuesday, August 18, 2015 11:49 PM

Answers

  • Making progress...

    Two-factor authentication is required to make a VPN connection. The solution requires the use of a USB key that places additional security characters at the end of the password. When already logged on to the computer, this works without any issue. However, when attempting to make the VPN connection prior to logging onto the computer, Windows 8.1 uses the logon credentials to both make the VPN connection AND to log onto the local computer. Of course, the additional characters added to the password are not in Active Directory, so the authentication fails even though the connection to the VPN was successful.

    I have verified this as fact after issuing a temporary security token to a user not assigned a USB key and adding these additional token characters to the end of the account password in Active Directory. Using this information allowed the Windows 8.1 machine to both make the VPN connection and log onto the computer.

    So... Trying to figure this out for a user with a security token. When attempting to use the option to "use a smart card" I get the message "Error 691: The remote connection was denied because the user name and password combination...".

    I am thinking this may be more of a problem with our two-factor authentication system than with Windows, so I am going to seek help from the vendor. I will update this ticket if a solution is discovered in case some poor soul finds this post in the future.

    SOLUTION:  Evidently, we were missing a couple of steps in the preparation of this client with regards to the two-factor authentication system. The vendor is providing me with the missing pieces, which will allow our 2FA solution to allow the VPN connection to occur prior to the logging onto the computer with a domain account.


    Brian


    Thursday, August 20, 2015 3:48 PM

All replies

  • Hi Brian Johanpeter,

    We need to configure the Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Do not require CTRL+ALT+DEL group policy to get the "Network" option.
    Here is a link for reference:
    Windows 8 connect to VPN before logon
    http://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/
    NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.

    Best regards



    Thursday, August 20, 2015 7:25 AM
    Moderator
  • MeipoXu,

    Thank you. Those steps have been completed. Now, after log off or reboot, the VPN connection is available from the logon screen, as expected, when you click on the "Network Sign-in" icon in the bottom right corner (after selecting the option to switch users).

    However, when attempting to connect to the VPN this way, the VPN connection messages that come up on the screen make it look like the VPN connection is successful, but the final message received is "Invalid user name or password". I think it is the local machine that is rejecting the logon credentials.

    If I go ahead and log onto the machine with cached credentials, I am able to successfully connect to the VPN, but this defeats the original purpose.

    I am confused as to why this does not work.


    Brian


    Thursday, August 20, 2015 2:59 PM