This document describes special logon features in the Cisco VPN Client for the Windows NT platform, which includes Microsoft Windows NT 4.0, Windows 2000, and Windows XP.
Note: The Start Before Logon (SBL) feature is not supported on VPN clients for Windows Vista. The workaround is to use ForceNetLogin=1 in the .pcf file and [NetLogin] Force=1 Wait=30 in the vpnclient.ini file. Refer to Cisco bug ID CSCsi35107 in the Open Caveats section of the Release Notes for VPN Client, Release 5.0 for more information.
Note: The SBL feature is not supported on IPSec VPN clients on Windows 7. It is supported with the AnyConnect VPN Client.
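The following is an added example, not Cisco code: a small Python check that a connection profile (.pcf) and vpnclient.ini carry the Windows Vista workaround values given in the note above. The sample file contents, the [main] section name, the Host key and the handling of a leading "!" on a key (read-only marker) are assumptions made for the example.

```python
import configparser

# Values the note above gives for the Windows Vista workaround.
EXPECTED_PCF = {"forcenetlogin": "1"}
EXPECTED_INI = {"force": "1", "wait": "30"}

# Constructed sample files (not taken from a real deployment).
GOOD_PCF = "[main]\nHost=vpn.example.test\n!ForceNetLogin=1\n"
GOOD_INI = "[main]\n[NetLogin]\nForce=1\nWait=30\n"
BAD_PCF = "[main]\nHost=vpn.example.test\n"
BAD_INI = "[NetLogin]\nForce=0\n"

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Keys compare case-insensitively; a leading "!" is ignored (assumption).
    cp.optionxform = lambda key: key.lstrip("!").lower()
    cp.read_string(text)
    return cp

def _section(cp, name):
    # Section names are matched case-insensitively.
    for sec in cp.sections():
        if sec.lower() == name.lower():
            return cp[sec]
    return None

def check_workaround(pcf_text, ini_text):
    """Return a list of findings; an empty list means both files match."""
    findings = []
    try:
        pcf, ini = _parse(pcf_text), _parse(ini_text)
    except configparser.Error as exc:
        return [f"unparseable file: {exc.__class__.__name__}"]
    for key, want in EXPECTED_PCF.items():
        # The key is looked up in every section of the profile.
        got = [pcf[s][key] for s in pcf.sections() if key in pcf[s]]
        if got != [want]:
            findings.append(f"pcf: {key} expected {want}, found {got or 'nothing'}")
    netlogin = _section(ini, "NetLogin")
    if netlogin is None:
        return findings + ["ini: [NetLogin] section missing"]
    for key, want in EXPECTED_INI.items():
        got = netlogin.get(key)
        if got != want:
            findings.append(f"ini: [NetLogin] {key} expected {want}, found {got}")
    return findings
```

An empty result means the profile and vpnclient.ini both match the note; each finding names the file, the key and the value actually present.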
Before you attempt this configuration, ensure that the VPN Client is installed and configured for the VPN connection.
The information in this document is based on Cisco VPN Client 4.x.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
In the VPN Client, these are the special logon features for the Windows NT platform, which includes Windows NT 4.0, Windows 2000, and Windows XP:
Choose Start > Programs > Cisco Systems VPN Client > VPN Client in order to launch the Cisco VPN Client.
Choose Options > Windows Logon Properties in order to access the Windows Logon Properties.
The VPN Client displays a dialog box that contains these three parameters:
Ability to start a connection before you log on to a Windows NT system
Permission to launch a third party application before you log on to a Windows NT system
Control over auto-disconnect when you log off of a Windows NT system
Note: The VPN Client displays Windows Logon Properties only on Windows NT, Windows 2000, and Windows XP.
On a Windows NT platform, you can connect to the private network before you log on to your system. This feature is called Start Before Logon and its purpose is to allow you to log in to the domain and run login scripts.
Your administrator might have set this up for you. Once you establish a VPN connection, your credentials are sent to a domain controller for logging on to your system. If you need to launch an application before you log on, see the Launch an Application section of this document for more information.
When you establish a successful VPN connection, the VPN Client window closes, and your logon window displays. If the connection is not successful, the VPN Client window continues to display. Your administrator might have set up a banner that lets you know when you have a successful connection.
Complete these steps in order to activate the Start Before Logon feature:
Launch the VPN Client and choose Options > Windows Logon Properties.
Check Enable Start Before Logon and click OK.
What Happens When You Use the Start Before Logon Feature?
When Start Before Logon is active, these events occur when your system starts:
Your system logon dialog box displays. Other messages might display as well, depending on your setup. Wait until you see the VPN Client start.
The VPN Client starts and displays the connection dialog box over the system logon dialog box.
You connect to the private network of the VPN device. The connection dialog box goes away.
Note: You can use certificates for authentication with the Start Before Logon feature when your personal certificate, along with the Certificate Authority (CA) or intermediary certificate(s), are in your Cisco certificate store and the Microsoft local machine, but not your personal Microsoft store (CAPI certificates). However, to use a CAPI certificate, you can log on using cached credentials, connect using your CAPI certificate, and disable the Disconnect VPN Connection when Logging Off parameter. This action keeps your connection open and you can now log back on to the system.
Turn Off the Start Before Logon Feature
Complete these steps in order to turn off the Start Before Logon feature:
Launch the Cisco VPN Client and choose Options > Windows Logon Properties.
Uncheck Enable Start Before Logon and click OK.
Reboot your PC in order to make these changes take effect.
Note: Your system administrator determines whether you can launch applications and third party dialers before you log on to a Windows NT platform. In order to protect system and network security, your system administrator might have disabled this feature. If this feature is greyed out, you cannot launch applications and third party dialers before you log on to a Windows NT platform. You must have system administrator privileges to change this parameter.
You can configure the dialer to launch an application automatically before a connection is established. Some examples of why you would want to use this feature are:
You are configured for Start Before Logon and you need to start an authentication application at the logon desktop.
You want to launch a monitoring application before each connection.
Use the Application Launcher in order to configure the VPN Client to launch an application from the logon desktop.
The Application Launcher starts the specified application once per session. In order to launch an application again, you must exit from the VPN Client, restart the VPN Client, and launch the application.
Complete these steps in order to activate the Application Launcher:
Launch the VPN Client and choose Options > Application Launcher.
The VPN Client displays a dialog box that prompts you for the name of the application.
Check Enable in order to enable the feature. Similarly, uncheck Enable in order to disable this feature.
Either type the complete pathname of the application or click Browse in order to locate the application.
Click Apply in order to activate the application or click Cancel in order to cancel the operation.
The Disconnect VPN Connection when Logging Off parameter controls whether your VPN Client connection automatically disconnects when you log off your Windows NT system.
Check this parameter in order to always automatically terminate your connection when you log off. This parameter is checked by default.
Uncheck this parameter in order to disable auto-disconnect while you log off. When you uncheck the parameter, the VPN Client displays this warning message:
When you disable this parameter, it allows your connection to remain up during and after log off, which allows profiles or folders to be synchronized during log off. You disable this parameter when you use the Windows Roaming Profiles feature.
Note: With this feature disabled, you must completely shut down your system in order to disconnect your VPN Client connection.