Hello There

asked on

Pings stop while user logs off

Hello.

I got this issue: When I log out of any account, the computer stops pinging. That's probably why I got this error message: "There are currently no logon servers available to process your logon request." After I log back in, it starts pinging immediately.

I am able to log on as local and domain admin. I cannot log on to any account with cached credentials. We use Windows 7 + Windows 2008.

So is there any setting to make this PC keep pinging after it logs off?

Any help appreciated.
Mal Osborne

Are you running a CAT5 cable, or a wireless NIC?
Hello There

ASKER

I forgot to mention that this PC was connected via VPN. To solve this I needed to connect the computer to the domain network and disable Cisco AnyConnect. After that, servers were available. So I logged on and logged off = credentials have been cached.

Although I had to enable Cisco AnyConnect back, now I am able to log on using cached credentials.

The real problem is Cisco AnyConnect, which always disconnects the computer from the network when the user logs off, so the user always needs to use cached information while he uses VPN.

If you want to help me to solve this...
You will need to enable machine authentication on your network so your (Windows) machine can do the authentication even though the user isn't known yet/anymore.
How to do this?
That is a loaded question I'm afraid.
Basically it requires a setup on both your network and your client to do 'computer' or 'computer and/or user' authentication.

Basically machine authentication authenticates the machine when it is booted, even before an actual Windows logon.
This means that your PC can have network connectivity and is able to run logon scripts before any user has logged on or is even known.

How to configure it depends a lot on your network.
Are you connected wired or wireless?
For wireless networks this is becoming pretty standard, and relatively easy to fit into existing configs.
If you are connecting via wire, then I'm afraid it's a bit more tricky to implement as you'll have to take into account plenty of exceptions that cannot do 802.1X authentication at all.

Configuration also depends on what equipment you have, so telling you how you can configure it? Well, I'd say, go talk to your networking people.
Uch!
Didn't see your comment about the VPN. My solution is for locally connected devices so you can ignore pretty much all I just said.

If your Cisco VPN is shutting down, isn't that just because it is running with user rights? Can't you somehow install that with system rights as a service?
Sorry, I won't be much help here. You need a Cisco AnyConnect specialist and that I am not.
Wirelessnerd: Thank you for your effort.

Any Cisco AnyConnect expert here?
From memory Cisco AnyConnect Secure Mobility Client, which is the only supported one now, should allow a login via VPN (there should be a checkbox in the login screen). The older IPsec client did have that feature too, IIRC.
As I never used that myself I can only speculate, but I assume logging off still terminates the VPN, but logging in re-establishes the VPN connection.
Hi B A,

How many DCs are in your domain?
Have you checked dcdiag and verified your AD health?
What is your DNS config setup for the VPN? Do you have it pointed to your DC or Public DNS?

Is the VPN running in a split tunnel config?
It's also possible that the VPN is not configured to forward all traffic through the VPN. If this is the case, then you've only configured the VPN to allow certain traffic to traverse the VPN. DNS, LDAP, etc. might be getting lost along the way.

Your client isn't configured to use your internal AD DNS servers when it is connected remotely.

What type of Firewall is it? I'd run Wireshark or Netmon on both ends to see where the problem is. It should be fairly obvious.
ASKER CERTIFIED SOLUTION
Hello There

This solution is only available to members.
As Craig points out, SBL sounds like what you actually want. Why do you need to be able to contact the PC when no one is logged on? Do you use WSUS or SCCM or something? If so, perhaps 'Always On' AnyConnect might be a better fit for you? I prefer to set this up with certificates rather than passwords so as soon as the machine either starts, OR logs on, it connects.
Note: there are massive security concerns with only using computer authentication (what happens if the device is stolen?).
Here's me compromising one to demonstrate.
Solved.
\...o.../
Please note: Taking the machine into the office and back home is only a temporary workaround. The profile will not update and is kept cached. Profile changes are not synchronized.
As Craig stated, the correct answer is using SBL. That allows connecting to the VPN prior to logging in.