
Limitations on Windows and AnyConnect supplicants.

Hi there,

 

During our ISE deployment we are trying to fit two simple requirements: machine and user authentication as well as centralized Windows computer administration. However, there does not seem to be a standard way to meet such a simple scenario:

 

  • User authentication over RDP sessions: Not supported by the Windows supplicant, so we moved to AnyConnect, but then:
  • Force user log-off by administrators and Windows Remote Management (WRM) for troubleshooting purposes: Not supported by AnyConnect NAM. Any workaround, like a registry modification? And...
  • Avoid the double credentials prompt on RDP: AnyConnect drawback. Any workaround, like a registry modification?

Can't understand why such a simple scenario can't be met by a single supplicant. 

Any feedback?

 

Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
Enthusiast

Re: Limitations on Windows and AnyConnect supplicants.

Additional info that may assist you with your requirements:

 

You can add a reg hack to disable EnforceSingleLogon, which will allow NAM to handle multiple users if needed. Basically I can log in using NAM, lock screen, switch user, and you can log in.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}

Add a DWORD named EnforceSingleLogon, and give it a value of 1 or 0. 1 enables it, and 0 disables it.

 

This isn't specifically for your RDP issues but I think it is good to know that you have this option. HTH!
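
The registry change described in the post above, as an added PowerShell example that is not part of the original reply or of any Cisco tooling. The function name `Set-NamEnforceSingleLogon` and its output object are assumptions; the key path and the meaning of the values 1 and 0 are taken from the post.

```powershell
# Added example: set the EnforceSingleLogon DWORD and report the prior state.
# Run from an elevated session. Function name and output shape are illustrative.
$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}'

function Set-NamEnforceSingleLogon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 1 enables single-logon enforcement, 0 disables it (per the post).
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1)]
        [int]$Value
    )

    # Never create the provider key itself: if it is missing, the credential
    # provider is not registered on this machine and the value has no effect.
    if (-not (Test-Path -LiteralPath $ProviderKey)) {
        throw "Credential provider key not found: $ProviderKey"
    }

    # Capture the current value first so the change can be reverted and audited.
    $previous = (Get-ItemProperty -LiteralPath $ProviderKey -Name EnforceSingleLogon `
                 -ErrorAction SilentlyContinue).EnforceSingleLogon

    # -WhatIf / -Confirm are honoured here, so a dry run changes nothing.
    if ($PSCmdlet.ShouldProcess($ProviderKey, "Set EnforceSingleLogon to $Value")) {
        New-ItemProperty -LiteralPath $ProviderKey -Name EnforceSingleLogon `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }

    # Re-read the value instead of assuming the write succeeded.
    $now = (Get-ItemProperty -LiteralPath $ProviderKey -Name EnforceSingleLogon `
            -ErrorAction SilentlyContinue).EnforceSingleLogon

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Previous = if ($null -eq $previous) { 'not set' } else { $previous }
        Current  = if ($null -eq $now) { 'not set' } else { $now }
    }
}

# Dry run: shows what would change without writing to the registry.
Set-NamEnforceSingleLogon -Value 0 -WhatIf
```

Because a value of 0 allows more than one user to log on through the provider, keep the returned `Previous` value with your change record so the setting can be restored.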

3 REPLIES 3
pan Cisco Employee

Re: Limitations on Windows and AnyConnect supplicants.

For avoiding the double credentials prompt on RDP, please check the link below. It's not a drawback of AnyConnect.

 

https://blogs.msdn.microsoft.com/winsdk/2009/07/14/rdc-and-custom-credential-providers/

Beginner

Re: Limitations on Windows and AnyConnect supplicants.

Thanks Mike,

I'll give it a try and let you know.