Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
963
Views
0
Helpful
3
Replies

Limitations on Windows and AnyConnect supplicants.

Go to solution
Antonio Macia
Level 3
Level 3

‎02-11-2019 04:47 AM

Hi there,

 

During our ISE deployment we are trying to fit two simple requirements: machine and user authentication as well as centralized Windows computer administration, however, it does not seem to be a standard way to meet such a simple scenario:

 

  • User authentication over RDP sessions: Not supported by the Windows supplicant, so we moved to AnyConnect, but then:
  • Force user log-off by administrators and Windows Remote Management (WRM) for troubleshooting purposes: Not supported by AnyConnect NAM. Any workaround like registry modification? and...
  • Avoid twice credentials prompt on RDP: AnyConnect drawback. Any workaround like registry modification?

Can't understand why such a simple scenario can't be met by a single supplicant. 

Any feedback?

 

Thanks in advance.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-11-2019 08:37 AM

Additional info that may assist you with your requirements:

 

You can add a reg hack to disable EnforceSingleLogon which will allow NAM to handle multiple users if needed.  Basically I can login using NAM, lock screen, switch user, and you can login.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}

Add a DWORD named EnforceSingleLogon, and give it a value of 1 or 0. 1 enables it, and 0 disables it.

 

This isn't specifically for your RDP issues but I think it is good to know that you have this option. HTH!

View solution in original post

0 Helpful
3 Replies 3

Go to solution
pan
Cisco Employee
Cisco Employee

‎02-11-2019 06:37 AM - edited ‎02-11-2019 06:38 AM

For Avoid twice credentials prompt on RDP please check below link. It's not drawback of AnyConnect.

 

https://blogs.msdn.microsoft.com/winsdk/2009/07/14/rdc-and-custom-credential-providers/

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-11-2019 08:37 AM

Additional info that may assist you with your requirements:

 

You can add a reg hack to disable EnforceSingleLogon which will allow NAM to handle multiple users if needed.  Basically I can login using NAM, lock screen, switch user, and you can login.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}

Add a DWORD named EnforceSingleLogon, and give it a value of 1 or 0. 1 enables it, and 0 disables it.

 

This isn't specifically for your RDP issues but I think it is good to know that you have this option. HTH!

0 Helpful

Go to solution
Antonio Macia
Level 3
Level 3
In response to Mike.Cifelli

‎02-11-2019 09:02 AM

Thanks Mike,

I'll give it a try and let you know.
0 Helpful
Customers Also Viewed These Support Documents