Cisco Support Community
Community Member

Establishing a VPN with a Digital Cert to recieve Domain Credentials!??


I was wondering if somebody could shed some light and or point me in the right direction to my following VPN problem.

At work I have recently installed a Cisco 3000 VPN concentrator. To connect to the concentrator to establish a secure VPN we use digital certificates, tokens. Currently a client establishes a VPN by logging onto a laptop (using cached credentials) then starts the cisco VPN dialer. The VPN dialer will fire up a dial-up connection to the RAS and then authenticates the user and the client PC to the concentrator via a digital certificate which is stored on a token. Upon authorisation the IPSec VPN is established and full network access is granted through the Firewalls.

This method works fine in most cases however there is now a business need to have a client authorised to the domain BEFORE a client logs on to initiate the VPN. For example: it is common place for a pool of laptops to exist. A user may sign out a laptop and take it off site for use (remote support, emergency response, etc). If the user had not logged onto the laptop and authenticated to the domain then the user will not be able to use the VPN (using the current method) since the VPN cannot even be initiated.

I have noticed that the VPN client provides a facility to allow VPN establishment before windows logon. This is exactly what is required however because we utilise digital certificates on a token to authenticate a user to the concentrator, the certificate is NOT available to the system before windows logon (it is stored in the Microsoft Crypto API). I understand that you can achieve the VPN method required by utilising the 'cisco certificate store', however this method will not suffice as the certificate is to remain on the token and NOT on the local PC.

Could somebody suggest any ideas that I may be able to try. I am stuck for all ideas except for:

Creating a local account with limited privileges, have a user (that does not have cached credentials) logon via this account, establish a VPN and log off the computer (whislt leaving the VPN up) then authenticate to the domain. All subsequent logons would be by the method initially described. As you can see this is quite messy and would like to be avoided if possible.


Michael Evdokimov

Network Design & Implementation



Re: Establishing a VPN with a Digital Cert to recieve Domain Cre

I have searched for alternative solutions but could not find anything relative. Let me know if you find a cleaner solution than what you currently have suggested.

Community Member

Re: Establishing a VPN with a Digital Cert to recieve Domain Cre


I am faced with the same problem too. Would like to find out whether have you found out a solution to the problem.

Thank you very much in advance.


Tay Pak Leng Bob


NCS CE Pte Ltd

Community Member

Re: Establishing a VPN with a Digital Cert to recieve Domain Cre


Since nobody was able to help me I had to try to come up with a solution myself. As I mentioned before, if you are trying to use digital certs with a smart card / token, the only way the OS can read the cert is via the MS CryptoAPI. This is where our problem lies since the MS Crypto API is not availble until a user has logged ont the PC therefore rendering the dial-up before authenticating to the domain login option useless.

Therefore the only way I saw possible to have a user authenticate directly to the domain is to use a two step authentication approach. The first step is to firstly establigh a VPN and the second is to authenticate directly to the domain.

OK - How to do this.

1. Need to utilise a specialised secure local generic account and use the 'keep VPN connection alive after logoff' option in the Cisco VPN dialer.

2. Logoff and authenticate to the domain via normal logon (since VPN is active).

How to achieve this (in a simplified version)

Create a local account on the PC, giving the account only 'user' privileges.

Using an administrator account use Microsoft Policy Editor to create a special policy the the local account which locks it down as tight as you want. I locked the account down as tight as possible by using a specialised shell. This shell was basically one big script which controlled the establishment of dial-up and VPN connection. (Note: A custom shell can be any .exe file).

A user who does not have cached domain credentials on the PC simply logs in via the special local account and follow the steps i nthe scripted shell. THe scripted shell will simply prompt the user for their dial-up username and password for use by rasdial.exe and then initiates the VPN connection over the top. Once the VPN connection is completed, the client is messaged that they are about to be logged off and that they can authenticate to the domain vai normal methods. The client is then logged off.

The user can then simply log onto the domain and utilises their normal account.

If you would like more info message me back .



作成コンテンツを作成するには してください