Anyconnect and Windows credentials (both directions)

cawst
Level 1

We have two different scenarios for our VPN access - people connecting using their work laptops from other locations (so joined to the domain, with their domain credentials), and people using their own machines to connect.  (The hookup from the ASA to Active Directory via LDAP is working just fine, to preface the two upcoming questions...)


re: the first case, I've been reading old threads and it looks like the cached Windows credentials cannot be passed to the AnyConnect login for SSL VPN (only for the web based clientless VPN).  Is that still correct with current versions?  If so, not a big deal - users are used to putting in their credentials again at this stage, but figured it didn't hurt to check.


On the second case, though - I was testing this last night.  I open AnyConnect, and put in my domain username and password.  It connects.  When I try to open up a network file share, though, it asks me for those Windows credentials again.  (I assume this is only happening in the second scenario with my own machine - haven't tested yet with a domain machine but I'd assume it would work fine at this point.)  Can those credentials I put into the VPN be used for anything accessed through the VPN?  That's how our old PPTP VPN worked, so that's definitely what users will expect.


Thank you!

2 Replies

johnd2310
Level 8

Hi,

The credentials you type into AnyConnect cannot be passed to Windows and vice versa. Depending on the version of Windows and AnyConnect, you can use the 'start before logon' feature. This allows you to log on to VPN first and then log on to Windows so that your scripts and shares run. If you are not using the 'start before logon' feature, you could do the following to get your mapped drive:

  • log on to AnyConnect VPN
  • switch user in Windows and log on to the domain

Thanks

John

**Please rate posts you find helpful**

Hmmm....unfortunately most of our users are connecting from quite remote areas with limited connectivity, so they generally want to connect to VPN as briefly as possible to do their task and then disconnect.  I think that wouldn't be compatible with the start before logon feature.


Right now the PPTP VPN we're using does pass the credentials to Windows, so they only have to enter their info the one time for VPN and all drive access.  The downside to it, and why we wanted to use AnyConnect instead, was that in some locations they've had issues with the PPTP ports being blocked, so using 443 seemed like a great alternative.  Before getting the ASA I did some tests with a Windows Server VPN over 443, and found people were indeed getting blocked less.  But that doesn't help our non-Windows users.


So the ideal solution uses 443, works on both Macs and Windows (and Linux would be nice but not necessary), and only has one login.  It sounds like any possible solution only has 2 of these three things.  Does that seem correct?


(We are playing with the Clientless web-based version as well, which is nice for some things, but not a 100% solution.)