Solved: Re: ISE Retail Customer - MS Fast User Switching Thoughts

ketigges · ‎05-09-2016

Have a retail customer in the middle of an ISE deployment w/AnyConnect NAM. Their current retail workflow utilizes Microsoft’s fast user switching to allow them to move quickly between open applications and users. As the documentation states, the AnyConnect NAM does not support this, and actually disables the capability as a result of the install. There is a work around published to re-emable fast user switching via registry change, but the issue with this work around, and even utilizing the native Windows supplicant is that there isn’t an event triggered from the supplicant that initiates a new user login, and from a session perspective the original user’s sessions is carried across.

While I understand that the preferred and most logical method is to change workflows to log off and back on again, the customer is concerned that this additional delay will reduce the productivity of the employees and is pushing back. We have informed them that from our research, there are no other work arounds other than Machine validation only, or disabling fast user switching.

I’m looking for comments on validating that this is an accurate understanding of the documentation as I have read it and what we typically see for larger retail customers from a deployment perspective, or if there have been other solutions that have been provided that we can use to our advantage here. Customer is pushing back saying they can’t be the only one that has run into this before.

Thank you for any info

thomas · ‎05-10-2016

Kevin,

While Fast User Switching is not explicitly mentioned in the AnyConnect Admin Guide, the behavioral implications of this Microsoft option is detailed in the section Single Sign On “Single User” Enforcement. Our developer said that when Fast User Switching is enabled, the OS does not send a notification of a logoff and logon of the new user to AnyConnect which is why we are unable to enforce the user change and therefore re-authenticate when switching between users.

Your customer will need to choose between any perceived productivity gains and enhanced security in this scenario if machine authentication is not sufficient.

View solution in original post

thomas · ‎05-10-2016

Kevin,

While Fast User Switching is not explicitly mentioned in the AnyConnect Admin Guide, the behavioral implications of this Microsoft option is detailed in the section Single Sign On “Single User” Enforcement. Our developer said that when Fast User Switching is enabled, the OS does not send a notification of a logoff and logon of the new user to AnyConnect which is why we are unable to enforce the user change and therefore re-authenticate when switching between users.

Your customer will need to choose between any perceived productivity gains and enhanced security in this scenario if machine authentication is not sufficient.

ketigges · ‎05-19-2016

Understood and thank you for the follow up. I figured as much, customer is just looking for as much "Best Practice" as possible to make a decision. From our other engineers, we are seeing a majority of folks fall back on Machine Auth IF they can not get past the workflow modifications of FUS.

I've see several TAC cases that suggest Microsoft recommends against FUS in this type of environment, but I've not been able to find any specific "Microsoft" official documentation. Only the information similar to the post below. Any thoughts on MS viewpoint. Again, Not asking for support, just looking for ammunition for the customer. Thanks

hslai · ‎05-10-2016

FUS has other implementations. After reading this post Controlling Windows 7 Logon Options, it would be very difficult to provision proper network postures even if Windows were able to notify AnyConnect NAM.