Anyconnect VPN with SingleLocalLogon +Allow Remote users Condition on windows10RS3

Niranjani
Level 1

Hi experts,

Recently, I tested an AnyConnect build with the SingleLocalLogon + Allow Remote Users condition for VPN.

Below are the steps followed to test the “SingleLocalLogon + Allow Remote Users” scenario:

1) Installed VPN with DART for the AC build
2) VPN profile is pushed from ASDM
3) VPN profile has a basic configuration with split include enabled
4) SingleLocalLogon + Allow Remote Users conditions are enabled
5) Created 2 users on Windows 10 RS3
6) Enabled RDP on the end client
7) Logged in as the 1st user and connected the VPN
8) In parallel, tried to connect as the 2nd user using RDP (using IP)
9) Unable to connect via RDP; it says that one user is already logged in.

 

PFA screenshot for the same.

I am getting the same result for SingleLogon + Allow Remote Users as well. No difference seen b/w SingleLogon vs. SingleLocalLogon with Allow Remote Users.

Please clarify.


Bogdan Nita
VIP Alumni

I came across a similar issue once.

I was trying to get the 2nd user to RDP in over the AnyConnect VPN.
The explanation in the Cisco documentation for the feature led me to believe that this may be possible, but from the tests I've done it's not.
The following explanation made the most sense to me at that time:
https://supportforums.cisco.com/t5/vpn/anyconnect-windows-profile-settings-mandate-a-single-local-user/td-p/2241735
but the Cisco documentation states otherwise:
"a local user can establish a VPN connection while one or more remote users are logged on to the client PC"


Windows Logon Enforcement—Allows a VPN session to be established from a Remote Desktop Protocol (RDP) session. Split tunneling must be configured in the group policy. AnyConnect disconnects the VPN connection when the user who established the VPN connection logs off. If the connection is established by a remote user, and that remote user logs off, the VPN connection terminates.

Single Local Logon (Default)—Allows only one local user to be logged on during the entire VPN connection. Also, a local user can establish a VPN connection while one or more remote users are logged on to the client PC. This setting has no effect on remote user logons from the enterprise network over the VPN connection.
Note: If the VPN connection is configured for all-or-nothing tunneling, then the remote logon is disconnected because of the resulting modifications of the client PC routing table for the VPN connection. If the VPN connection is configured for split-tunneling, the remote logon might or might not be disconnected, depending on the routing configuration for the VPN connection.

Single Logon—Allows only one user to be logged on during the entire VPN connection. If more than one user is logged on, either locally or remotely, when the VPN connection is being established, the connection is not allowed. If a second user logs on, either locally or remotely, during the VPN connection, the VPN connection terminates. No additional logons are allowed during the VPN connection, so a remote logon over the VPN connection is not possible.
Note: Multiple simultaneous logons are not supported.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html

 

HTH

Bogdan
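
The documented settings quoted in the post above, modeled as an added example that is not part of the original thread or Cisco's code: it reads the two logon-related elements from an AnyConnect profile and applies the quoted rules to a set of logged-on sessions. The sample profile is constructed, the function names are hypothetical, and the `LocalUsersOnly` fallback is an assumption about the default that this page does not state.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile fragment (not taken from the thread).
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>"""

WANTED = ("WindowsLogonEnforcement", "WindowsVPNEstablishment")


def read_policy(profile_xml):
    """Return (logon_enforcement, vpn_establishment) from profile XML."""
    found = {}
    for elem in ET.fromstring(profile_xml).iter():
        name = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if name in WANTED:
            found[name] = (elem.text or "").strip()
    # SingleLocalLogon is the documented default; LocalUsersOnly is assumed.
    return (found.get("WindowsLogonEnforcement", "SingleLocalLogon"),
            found.get("WindowsVPNEstablishment", "LocalUsersOnly"))


def vpn_permitted(enforcement, establishment, sessions, initiator):
    """Apply the quoted rules at VPN establishment time.

    sessions:  list of "local" / "remote" entries, one per logged-on user.
    initiator: "local" or "remote", the session starting the VPN.
    Returns (allowed, reason).
    """
    if initiator == "remote" and establishment != "AllowRemoteUsers":
        return False, "remote (RDP) user may not establish the VPN"
    if enforcement == "SingleLogon" and len(sessions) > 1:
        return False, "SingleLogon: more than one user is logged on"
    if enforcement == "SingleLocalLogon" and sessions.count("local") > 1:
        return False, "SingleLocalLogon: more than one local user is logged on"
    return True, "permitted"


if __name__ == "__main__":
    enforcement, establishment = read_policy(SAMPLE_PROFILE)
    # One local user plus one RDP user, VPN started by the local user.
    print(vpn_permitted(enforcement, establishment, ["local", "remote"], "local"))
    print(vpn_permitted("SingleLogon", establishment, ["local", "remote"], "local"))
```

This models only AnyConnect's documented checks on the VPN connection; whether the operating system accepts a second RDP logon is a separate question, which the replies in this thread address.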

I do not believe that this is an issue with AnyConnect Single Local Logon but rather an issue with Windows 10.  From my understanding, Windows 10 license only allows one user to be logged on at a time.

--
Please remember to select a correct answer and rate helpful posts

Today, I checked with a Win7 (64-bit) machine. Getting the same results as Win10 RS3. Unable to log in through RDP (user2) when user1 (local user, administrator) is already logged in.

Again, Windows 7 also does not permit multiple RDP sessions to the computer, only a Windows server does not have this limitation.  I recommend you test this towards a server. 

There are workarounds and I will post one here.  

TRY THIS WORKAROUND AT YOUR OWN RISK.  I do not recommend downloading patch files and messing with registry keys to get this working.

 

https://www.serverwatch.com/server-tutorials/how-to-enable-concurrent-remote-desktop-sessions-in-windows.html

--
Please remember to select a correct answer and rate helpful posts