Many thanks for your suggestion Aida.

It did make a difference both on the LAN and using dial up. MAPI
connections to the troublesome mailboxes work once 'Enable start before
logon' is on in the VPN client.

However I am not keen to make this part of the VPN client release for
users for the following reason.

Using 'Enable start before logon' worked from a PC on which the owners
of the troublesome mailboxes already had an AD profile. They already had
such a profile because they had previously logged onto the domain from
that PC while on the LAN (not using the VPN).

However in the case of home users who have never logged onto the domain
from their home PC and do not already have an AD user profile on that
home client machine, the first logon from the PC and creation of the
domain user profile on it will need to be done during a VPN session.

I have just experimented with this and although a successful VPN
connection was made (by virtue of 'start before logon'), and AD
credentials were supplied in the logon box, the machine hung after that
(presumably something was timing out while trying to authenticate and/or
create the profile).

If this happens using the VPN over the LAN I would not hold out much
hope of it succeeding over a 56kbps dial-up connection (we still have
many such users).

Therefore it would seem better to avoid logging in to the AD domain when
using the VPN.

Any thoughts on how this can be avoided but the original aim of a MAPI
connection achieved for the problematic users/mailboxes? After all, as I
noted previously, for some users/mailboxes it is not necessary to logon
to the domain and even for those for which, with the new VPN client, it
does now seem necessary, it was not so with the previous VPN client.

Thanks for any further help.

Alastair

------------------------------
alastair.morrison@strath.ac.uk
Strathclyde University
Glasgow UK

> -----Original Message-----
> From: Aida Lumbreras [mailto:aidamx@gmx.net]
> Sent: 04 July 2006 19:48
> To: Alastair Morrison; vpn@lists.shmoo.com
> Subject: Re: [VPN] New Cisco VPN client - problems making
> MAPI connections to Exchange mailboxes
>
> Hi Alastair,
>
> try enabling the feature "start before logon" on the client.
> It could be that AD credentials are conflicting somehow with the
> Domain Controller and you are required to be part of the
> domain when doing MAPI. The above feature will allow you to
> connect your vpn client before you log in to the local
> domain. Once your client is connected, you will be able to
> log on to the local domain through the vpn tunnel. Meaning,
> your domain credentials will be sent over the vpn connection
> for authentication.
>
> To enable this feature on the client go to Options-> Windows
> Logon Properties and check the option "Start before Logon",
> apply the changes, and reboot your PC.
>
> Hope this helps.
>
> Aida
>
>
> ---------------------
> >Hello all,
> >
> >First post to the list (for years) and it is rather long but I hope
> >that someone can help. I have been through the Cisco site and Google
> >but to no avail.
> >
> >At Strathclyde University, Glasgow, UK, we have a Cisco 3030 VPN
> >concentrator which users connect to using the v4.6.04.0043 (and
> >older) Cisco VPN client. They connect successfully with most using
> >the tunnel for 'full client' i.e. Outlook 2003 MAPI access, to
> >Exchange 2003 mail boxes and for web browsing on and off the Uni LAN
> >using IE. No problems with this.
> >
> >I have been testing a new VPN client, v4.8.01.03000 (because some
> >security advice advises upgrading to the new one).
> >
> >Testing (very) Environment:
> >
> >Windows XP SP2 machines.
> >Antivirus turned off during installation (and testing).
> >Win XP firewall off during testing.
> >No other personal firewalls involved.
> >Outlook 2003.
> >Testing performed on different machines.
> >Tested on the LAN and also through a dialup connection.
> >
> >Installation:
> >Software installs smoothly, VPN client runs and creates tunnel fine.
> >IE browsing works.
> >
> >Now the problems.
> >
> >Logging on, using an Outlook MAPI connection, to test account
> >mailboxes, using those accounts' credentials, works.
> >
> >But attempting the same operation using 'real' accounts/mailboxes
> >fails.
> >
> >The test accounts are in the same Active Directory OU as the real
> >accounts, so account location would not seem relevant.
> >
> >One thought I had is that for some (bizarre) reason the problem
> >relates to the verification of the real users' AD credentials when
> >attempting a MAPI connection to their mailboxes using the new VPN
> >client.
> >
> >I have noted failed logon attempts in the Exchange server's Security
> >Event log at the time of the connection attempts. BUT the attempts
> >appear to be logon attempts from the workstation/PC being used, using
> >the account under which the logon to that machine was made; not an AD
> >user logon attempt. Why an attempt with those credentials should be
> >made is odd but it would make sense for it to fail. If anyone has
> >thoughts on why such a logon attempt is being made it could provide
> >clues as to what is going wrong.
> >
> >Also, on the client machine, Outlook indicates during the logon
> >attempt that it HAS connected to the Exchange server but that it has
> >failed to connect to a Domain Controller, (which it presumably needs
> >to do for the credentials to be authenticated). This information is
> >provided in Outlook by the following procedure: Right clicking on the
> >Outlook icon in the task bar, while holding down the Ctrl key, then
> >selecting the Connection Status item on the menu revealed.
> >
> >An IMAP connection using Outlook by real users to their mailboxes
> >works fine using the new VPN client. So user credentials over the VPN
> >per se do not seem to be the problem (but they are possibly
> >problematic when a MAPI/RPC connection attempt is made).
> >
> >Any insight into any of the above (or even better, the solution :-)
> >would be greatly appreciated.
> >
> >Alastair
> >
> >p.s. Out of desperation I have also experimented with modifying the
> >MTU on the VPN client but that does nothing useful.
> >
> >------------------------------
> >alastair.morrison@strath.ac.uk
> >Strathclyde University
> >Glasgow UK
> >_______________________________________________
> >VPN mailing list
> >VPN@lists.shmoo.com
> >http://lists.shmoo.com/mailman/listinfo/vpn
> >
