Hi Alastair,

try enabling the feature "start before logon" on the client. It could
be that AD credentials are conflict somehow with the Domain
Controller and you are required to be part of the domain when doing
MAPI. The above feature will allow you to connect your vpn client
before you loging into the local domain. Once your client is
connected, you will be able to logon into the local domain thru the
vpn tunnel. Meaning, your domain credentials will be sent over the
vpn connection for authentication.

To enable this feature on the client go to Options-> Windows Logon
Properties and check the option "Start before Logon", apply the
changes, and reboot your PC.

Hope this helps.


>Hello all,
>First post to the list (for years) and it is rather long but I hope
>someone can help. I have been through the Cisco site and Google but
>no avail.
>At Strathclyde University, Glasgow, UK, we have a Cisco 3030 VPN
>concentrator which users connect to using the v4.6.04.0043 ( and
>Cisco VPN client. They connect successfully with most using the
>for 'full client' i.e. Outlook 2003 MAPI access, to Exchange 2003
>boxes and for web browsing on and off the Uni LAN using IE. No
>with this.
>I have been testing a new VPN client, v4.8.01.03000 (because some
>security advice advises upgrading to the new one).
>Testing (very) Environment:
>Windows XP SP2 machines.
>Antivirus turned off during installation (and testing).
>Win XP firewall off during testing.
>No other personal firewalls involved.
>Outlook 2003.
>Testing performed on different machines.
>Tested on the LAN and also through a dialup connection.
>Software installs smoothly, VPN client runs and creates tunnel fine.
>browsing works.
>Now the problems.
>Logging on, using an Outlook MAPI connection, to test account
>using those accounts' credentials, works.
>But attempting the same operation using 'real' accounts/mailboxes
>The test accounts are in the same Active Directory OU as the real
>accounts, so account location would not seem relevant.
>One thought I had is that for some (bizarre) reason the problem
>to the verification of the real users' AD credentials when
>attempting a
>MAPI connection to their mailboxes using the new VPN client.
>I have noted failed logon attempts in the Exchange server's Security
>Event log at the time of the connection attempts. BUT the attempts
>appear to be logon attempts from the workstation/PC being used, using
>the account under which the logon to that machine was made; not an
>user logon attempt. Why an attempt with those credentials should be
>is odd but it would make sense for it to fail. If anyone has
>thoughts on
>why such a logon attempt is being made it could provide clues as to
>is going wrong.
>Also, on the client machine, Outlook indicates during the logon
>that it HAS connected to the Exchange server but that it has failed
>connect to a Domain Controller, (which it presumably needs to do for
>credentials to be authenticated). This information is provided in
>Outlook by the following procedure: Right clicking on the Outlook
>in the task bar, while holding down the Ctrl key, then selecting the
>Connection Status item on the menu revealed.
>An IMAP connection using Outlook by real users to their mailboxes
>fine using the new VPN client. So user credentials over the VPN per
>do not seem to be the problem (but they are possibly problematic
>when a
>MAPI/RPC connection attempt is made).
>Any insight into any of the above (or even better, the solution :-)
>would be greatly appreciated.
>p.s. Out of desperation I have also experimented with modifying the
>on the VPN client but that does nothing useful.
>Strathclyde University
>Glasgow UK
>VPN mailing list

VPN mailing list