Hi,
I need help invoking a logon script. We are implementing RSA Software Tokens for VPN authentication, and it changes the order of the login process. The strong authentication solution is aimed at users with laptops who log in remotely.

Current Set-Up:
1. Cisco VPN client appears before the Windows GINA.
2. User authenticates to the VPN client and establishes an IPSEC tunnel.
3. User logs in with domain credentials.
4. Workstation finds logon server and executes login script as specified in the user's profile in AD.
5. The logon script maps drives for the user.

Future Set-Up:
1. User authenticates to the GINA using cached credentials.
2. User starts Cisco VPN client (can't start before logging in to Windows because RSA software token can't start until user gets in to desktop).
3. User starts RSA software token.
4. User copies tokencode from software token into the VPN client and establishes an IPSEC tunnel.
5. User is on internal network, but logon script does not run and drives are not mapped.

RSA's suggestion is to keep the IPSEC tunnel open (Cisco VPN client -> Options -> Windows Logon Properties -> Uncheck "Disconnect VPN connection when logging off"), log off, and log on again to run the logon scripts. This is too obtrusive to the end user. I manually ran lsass and netlogon as step 6 of the Future Set-Up, but that did not invoke the logon script either. I finally wrote the following vbscript for remote users to invoke their logon script, but would prefer a solution that can leverage native functionalities of the workstation (XP SP2) and/or the domain controllers (Windows 2000 Server).
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' NAME: MapDrivesVPNRSA.vbs
' AUTHOR: Don S
' DATE : 6/2/2007
'
' This script maps drives for users that connect to the VPN using RSA software tokens.
'
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Option Explicit

Dim strUserName, blnIntrnlNtwkConn, strComputerName, strLogonServer, strUNCLogonServer, arrUNCLogonServer, strKnownIntrnlSrvr, intWaitCtr
Dim objShell, objFSO, objPing, objPingStatus
Dim objRootDSE, adoRecordset, adoCommand, adoConnection
Dim strMbox, strDNSDomain, strQuery, strBase, strFilter, strAttributes, strUsersLogonScriptAD, strUsersHomeDirectoryAD

Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

If ProgsAlreadyRunning = False Then
    If objFSO.FileExists("C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe") And objFSO.FileExists("C:\Program Files\RSA Security\RSA SecurID Software Token\SecurID.exe") Then
        ' Both paths contain spaces, so they are passed to Run in quotes.
        objShell.Run """C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe"""
        objShell.Run """C:\Program Files\RSA Security\RSA SecurID Software Token\SecurID.exe"""
    Else
        MsgBox "The Cisco VPN and RSA Software Token were not found in the expected directories on your workstation. Please call the SupportDesk at 1-800-XXX-XXXX.", 0, "Programs Not Found!"
        WScript.Quit
    End If
Else
    ' vbOKCancel (1): OK returns 1, Cancel returns 2.
    strMbox = MsgBox("Proceeding with this script will execute your logon script if you are already connected to the internal network. Make sure you have authenticated to the VPN using the RSA Software Token. If you ran this script several times and still do not have your drives mapped, please contact the SupportDesk at 1-800-XXX-XXXX. To quit the script, press Ctrl-C now.", 1, "Continue or Cancel?")
    If strMbox = 2 Then
        WScript.Echo "Now quitting the script."
        WScript.Quit
    Else
        ' Continue script
    End If
End If

strUserName = objShell.ExpandEnvironmentStrings("%username%")
strComputerName = objShell.ExpandEnvironmentStrings("%computername%")
strUNCLogonServer = objShell.ExpandEnvironmentStrings("%logonserver%")

' "\\DC01" splits into ("", "DC01"); element 1 is the bare server name.
arrUNCLogonServer = Split(strUNCLogonServer, "\\")
strLogonServer = arrUNCLogonServer(1)

' Check the most recent logonserver first.
' After a cached-credentials logon %logonserver% points at the local machine, so fall back to a known DC.
If InStr(strUNCLogonServer, strComputerName) > 0 Then
    strKnownIntrnlSrvr = "dc.domain.com"
    strUNCLogonServer = "\\dc.domain.com"
Else
    strKnownIntrnlSrvr = strLogonServer
End If

' The following While loops make the script wait until the VPN connection is established.
' The script waits by pinging up to 150 times for known internal servers. If there is no response, the script quits.
' This while loop waits on the condition that an internal host cannot be found because the client does not yet have an internal IP.
' (ping.exe prints "Ping request could not find host ..." as its first line when name resolution fails.)
blnIntrnlNtwkConn = False
intWaitCtr = 0
While blnIntrnlNtwkConn = False
    'WScript.Echo "Inside First While. strKnownIntrnlSrvr is: " & strKnownIntrnlSrvr
    Set objPing = objShell.Exec("ping.exe -n 1 " & strKnownIntrnlSrvr)
    objPingStatus = objPing.StdOut.ReadLine
    If InStr(objPingStatus, "Ping request could not find") > 0 Then
        blnIntrnlNtwkConn = False
    Else
        blnIntrnlNtwkConn = True
    End If
    intWaitCtr = intWaitCtr + 1
    If intWaitCtr > 150 Then
        WScript.Echo "It appears your workstation is not connected to the internal CCI network."
        WScript.Echo "Please close the Cisco VPN and RSA Software Token and run this script again or call the SupportDesk at 1-800-XXX-XXXX."
        WScript.Quit
    End If
Wend

' This while loop waits on the condition that an internal host cannot be reached because there is not yet a route between the client and a known internal server.
' (The first three lines of ping.exe output are a blank line, "Pinging ..." and another blank line; the fourth is the reply or "Request timed out.")
blnIntrnlNtwkConn = False
intWaitCtr = 0
While blnIntrnlNtwkConn = False
    'WScript.Echo "Inside Second While. strKnownIntrnlSrvr is: " & strKnownIntrnlSrvr
    Set objPing = objShell.Exec("ping.exe -n 1 " & strKnownIntrnlSrvr)
    objPing.StdOut.ReadLine
    objPing.StdOut.ReadLine
    objPing.StdOut.ReadLine
    objPingStatus = objPing.StdOut.ReadLine
    If InStr(objPingStatus, "Request timed out") > 0 Then
        blnIntrnlNtwkConn = False
    Else
        blnIntrnlNtwkConn = True
    End If
    intWaitCtr = intWaitCtr + 1
    If intWaitCtr > 150 Then
        WScript.Echo "It appears your workstation cannot reach a known logon server."
        WScript.Echo "Please close the Cisco VPN and RSA Software Token and run this script again or call the SupportDesk at 1-800-XXX-XXXX."
        WScript.Quit
    End If
Wend

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects. (No whitespace between the filter components; LDAP filters do not allow it.)
strFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & strUserName & "))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "sAMAccountName,scriptPath,HomeDirectory"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Get the login script of the user.
    strUsersLogonScriptAD = adoRecordset.Fields("scriptPath").Value
    ' Get the home directory of the user.
    strUsersHomeDirectoryAD = adoRecordset.Fields("HomeDirectory").Value
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

' Execute the login script for the specific user (path quoted in case it contains spaces).
objShell.Run """" & strUNCLogonServer & "\netlogon\" & strUsersLogonScriptAD & """"
objShell.Run "net use U: /delete /yes"
objShell.Run "net use U: " & strUsersHomeDirectoryAD

' Clean up.
adoRecordset.Close
adoConnection.Close
Set objShell = Nothing
Set objFSO = Nothing
WScript.Quit

Function ProgsAlreadyRunning()
    Dim strComputerName, objShell, objWMIService, colProcesses, objProcess, blnVPNGUIRunning, blnSecurIDRunning
    Set objShell = CreateObject("WScript.Shell")
    strComputerName = objShell.ExpandEnvironmentStrings("%computername%")
    Set objWMIService = GetObject("winmgmts:\\" & strComputerName & "\root\cimv2")
    Set colProcesses = objWMIService.ExecQuery("Select * from Win32_Process")
    blnVPNGUIRunning = False
    blnSecurIDRunning = False

    ' Check if Cisco VPN is running.
    ' vbTextCompare makes the match case-insensitive; the token process is named SecurID.exe, which a binary compare would miss.
    For Each objProcess In colProcesses
        If InStr(1, objProcess.Name, "vpngui.exe", vbTextCompare) > 0 Then
            blnVPNGUIRunning = True
        End If
    Next

    ' Check if RSA Software Token is running
    For Each objProcess In colProcesses
        If InStr(1, objProcess.Name, "securid.exe", vbTextCompare) > 0 Then
            blnSecurIDRunning = True
        End If
    Next

    If blnVPNGUIRunning And blnSecurIDRunning Then
        ProgsAlreadyRunning = True
    Else
        ProgsAlreadyRunning = False
    End If
End Function

' End MapDrivesVPNRSA.vbs script
Please post any suggestions for improving the script or a more optimal solution altogether.
<cocopuffs[ at ]mailinator.com> wrote in message news:1181033292.954305.197860[ at ]o11g2000prd.googlegroups.com...
> Hi,
> I need help invoking a logon script. We are implementing RSA Software
> Tokens for VPN authentication, and it changes the order of the login
> process. The strong authentication solution is aimed at users with
> laptops who login remotely.
<snip>
> Please post any suggestions for improving the script or a more optimal
> solution altogether.
Our remote users authenticate against cached credentials, then establish a connection through a VPN client. Since the actual logon is with cached credentials, the network does not see the eventual connection as being a logon event, so the logon script does not run.
To get around that, we developed a .exe that is installed on all our laptops. It continually runs in the background looking for connectivity to our network. When it detects this, it invokes the logon script.
/Al
On Jun 5, 6:05 am, "Al Dunbar" <AlanD...[ at ]hotmail.com.nospaam> wrote:
> <cocopu...[ at ]mailinator.com> wrote in message
> news:1181033292.954305.197860[ at ]o11g2000prd.googlegroups.com...
> > Hi,
> > I need help invoking a logon script. We are implementing RSA Software
> > Tokens for VPN authentication, and it changes the order of the login
> > process. The strong authentication solution is aimed at users with
> > laptops who login remotely.
<snip>
> > Please post any suggestions for improving the script or a more optimal
> > solution altogether.
>
> Our remote users authenticate against cached credentials, then establish a
> connection through a VPN client. Since the actual logon is with cached
> credentials, the network does not see the eventual connection as being a
> logon event, so the logon script does not run.
>
> To get around that, we developed a .exe that is installed on all our
> laptops. It continually runs in the background looking for connectivity to
> our network. When it detects this, it invokes the logon script.
>
> /Al
Hi Al,
It seems like we are experiencing the same symptoms. The difference seems to be that my script contains logic to start the programs for establishing a VPN connection as well as to map drives after it detects a connection. We wanted to minimize the impact of strong authentication as much as possible because our users are not that technically savvy. The concept of a daemon sounds great, but writing services as an executable is way beyond our skill level. Your approach kind of confirms my suspicion that there's no way to emulate a logon event; I thought running lsass and netlogon manually would do it, but nothing happens. I also tried manually running gpupdate as well, but that doesn't have the desired effect either (because our logon scripts are in %logonserver%\netlogon\, not in group policy), and is probably not suitable (because a restart is required in some cases after running gpupdate).
Al, if you don't mind, can you share some of the logic in the .exe that checks for connectivity? My while loops are pretty clunky and flash annoying cmd windows while the script is waiting. I'm pretty new to vbscript, so I just invoked commands through the shell. If there are better ways to make native system calls with regards to checking for connectivity, I'd like to learn.
Thanks, Don
<cocopuffs[ at ]mailinator.com> wrote in message news:1181093168.736123.28760[ at ]i38g2000prf.googlegroups.com...
On Jun 5, 6:05 am, "Al Dunbar" <AlanD...[ at ]hotmail.com.nospaam> wrote:
> <cocopu...[ at ]mailinator.com> wrote in message
> news:1181033292.954305.197860[ at ]o11g2000prd.googlegroups.com...
> > Hi,
> > I need help invoking a logon script. We are implementing RSA Software
> > Tokens for VPN authentication, and it changes the order of the login
> > process. The strong authentication solution is aimed at users with
> > laptops who login remotely.
<snip>
> > Please post any suggestions for improving the script or a more optimal
> > solution altogether.
>
> Our remote users authenticate against cached credentials, then establish a
> connection through a VPN client. Since the actual logon is with cached
> credentials, the network does not see the eventual connection as being a
> logon event, so the logon script does not run.
>
> To get around that, we developed a .exe that is installed on all our
> laptops. It continually runs in the background looking for connectivity to
> our network. When it detects this, it invokes the logon script.
>
> /Al
Hi Al,
It seems like we are experiencing the same symptoms. The difference seems to be that my script contains logic to start the programs for establishing a VPN connection as well as to map drives after it detects a connection. We wanted to minimize the impact of strong authentication as much as possible because our users are not that technically savvy. The concept of a daemon sounds great, but writing services as an executable is way beyond our skill level. Your approach kind of confirms my suspicion that there's no way to emulate a logon event; I thought running lsass and netlogon manually would do it, but nothing happens. I also tried manually running gpupdate as well, but that doesn't have the desired effect either (because our logon scripts are in %logonserver%\netlogon\, not in group policy), and is probably not suitable (because a restart is required in some cases after running gpupdate).
Al, if you don't mind, can you share some of the logic in the .exe that checks for connectivity? My while loops are pretty clunky and flash annoying cmd windows while the script is waiting. I'm pretty new to vbscript, so I just invoked commands through the shell. If there are better ways to make native system calls with regards to checking for connectivity, I'd like to learn.
===> sorry, I can't share. I was not part of the team that developed the script. Anyway, I suspect it would be somewhat specific to our environment, and not a general purpose sort of thing.
Of course, it is not written as a service; it is started through the run key or the startup group to run in the user's context - otherwise it would not be able to introduce share mappings in that context.
Much the same could be done with a scripting language, along these lines:
    do while notconnected()
        kill some time
    loop
    lookup user's logon script definition
    invoke user's logon script
    exit

The notconnected() function would just need to determine if it could reach some resource on your network, ideally something like a router that is part of the infrastructure making your connection.
/Al
Al Dunbar wrote:
> <snip>
>
> The notconnected() function would just need to determine if it could reach
> some resource on your network, ideally something like a router that is part
> of the infrastructure making your connection.
>
> /Al
Having connectivity is only part of it. Most Group Policy uses slow link detection to determine what policies get applied. I've seen instances where logon scripts and other policies don't get applied because the link is too slow. This especially happens over VPNs or other encrypted channels. The added overhead sometimes makes the packets too large, forcing fragmentation which further reduces response time. There are settings you can configure to adjust the slow link threshold. There are also some Ping tests you can do to look at response times. I don't have the tests handy, but if you search for slow link detection testing or something like that you might find more information.
--
Jeffery Hicks
SAPIEN Technologies - Scripting, Simplified. www.SAPIEN.com
VBScript & Windows PowerShell Training - www.ScriptingTraining.com/classes.asp
Windows PowerShell? - www.SAPIENPress.com/powershell.asp
blog: http://blog.SAPIEN.com
blog: http://jdhitsolutions.blogspot.com
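Jeff's slow-link point can be checked from the laptop itself. The VBScript below is an added example; it is not part of the thread and not code from Jeff or SAPIEN. It times a small and a large ICMP echo against a domain controller and credits the difference to the extra payload, which is how I understand the Windows 2000/XP slow-link estimate to work, and then sends a Don't-Fragment probe to show whether the tunnel forces the fragmentation he mentions. The DC name, the probe sizes, the 10 ms "fast link" shortcut and the 500 kbps threshold (the Group Policy default) are assumptions; compare the threshold with the "Group Policy slow link detection" setting actually applied to the laptops.

```vbscript
' SlowLinkProbe.vbs  (added example; not code from the thread, Jeff or SAPIEN)
' Estimates bandwidth to a DC the way Group Policy slow-link detection does,
' as I understand the Windows 2000/XP algorithm: time a small ICMP echo and a
' large one and credit the difference to the extra payload. A Don't-Fragment
' probe then shows whether the tunnel forces fragmentation of full-size packets.
' Assumptions, not from the thread: the DC name, the probe sizes, the 10 ms
' "fast link" shortcut and the 500 kbps threshold (the Group Policy default).
Option Explicit

Const DC_HOST     = "dc01.corp.example.com" ' assumed domain controller
Const SMALL_BYTES = 32
Const LARGE_BYTES = 2048
Const SAMPLES     = 3
Const SLOW_KBPS   = 500   ' Group Policy default slow-link threshold
Const FAST_RTT_MS = 10    ' assumed: below this, skip the bandwidth estimate
Const DF_PAYLOAD  = 1472  ' 1500-byte Ethernet MTU minus 20 IP + 8 ICMP bytes

' Average ResponseTime (ms) of SAMPLES echo requests with the given payload.
' Returns -1 if any request fails (timeout, unreachable, packet too big, or
' no reply object at all, which is what an unresolvable name produces).
Function AvgRtt(sHost, nBytes, bNoFrag)
    Dim oWMI, colPings, oPing, nTotal, nCount, i
    Set oWMI = GetObject("winmgmts:\\.\root\cimv2")
    nTotal = 0 : nCount = 0
    For i = 1 To SAMPLES
        Set colPings = oWMI.ExecQuery( _
            "SELECT * FROM Win32_PingStatus WHERE Address='" & sHost & "'" & _
            " AND BufferSize=" & nBytes & " AND Timeout=2000" & _
            " AND NoFragmentation=" & UCase(CStr(bNoFrag)))
        For Each oPing In colPings
            If IsNull(oPing.StatusCode) Then Exit For
            If oPing.StatusCode <> 0 Then
                AvgRtt = -1
                Exit Function
            End If
            nTotal = nTotal + oPing.ResponseTime
            nCount = nCount + 1
        Next
    Next
    If nCount < SAMPLES Then
        AvgRtt = -1
    Else
        AvgRtt = nTotal / nCount
    End If
End Function

' kbps implied by the extra time the larger payload needed. (bytes * 8) bits
' over a delta in ms is bits per ms, which is exactly kbps. Returns -1 when
' the delta is zero or negative, i.e. below timer resolution: a fast link.
Function EstimateKbps(nSmallRtt, nLargeRtt)
    Dim nDelta
    nDelta = nLargeRtt - nSmallRtt
    If nDelta <= 0 Then
        EstimateKbps = -1
    Else
        EstimateKbps = ((LARGE_BYTES - SMALL_BYTES) * 8) / nDelta
    End If
End Function

Dim nSmall, nLarge, nKbps, nDF
nSmall = AvgRtt(DC_HOST, SMALL_BYTES, False)
If nSmall < 0 Then
    WScript.Echo "No ICMP reply from " & DC_HOST & ": ICMP may be filtered on the tunnel; probe a router or an LDAP bind instead"
    WScript.Quit 1
End If

If nSmall < FAST_RTT_MS Then
    WScript.Echo "RTT " & nSmall & " ms: fast link"
Else
    nLarge = AvgRtt(DC_HOST, LARGE_BYTES, False)
    If nLarge < 0 Then
        WScript.Echo "2 KB probe got no reply: large packets are being dropped; expect slow-link behaviour"
    Else
        nKbps = EstimateKbps(nSmall, nLarge)
        If nKbps < 0 Then
            WScript.Echo "No measurable difference between " & SMALL_BYTES & " and " & LARGE_BYTES & " byte probes: fast link"
        ElseIf nKbps < SLOW_KBPS Then
            WScript.Echo "Estimated " & Round(nKbps) & " kbps: SLOW link (threshold " & SLOW_KBPS & " kbps); logon scripts may be skipped"
        Else
            WScript.Echo "Estimated " & Round(nKbps) & " kbps: fast link"
        End If
    End If
End If

' Path MTU check: a Don't-Fragment probe that does not fit the tunnel is refused.
nDF = AvgRtt(DC_HOST, DF_PAYLOAD, True)
If nDF < 0 Then
    WScript.Echo DF_PAYLOAD & "-byte DF probe refused: path MTU is below 1500, so full-size packets fragment"
Else
    WScript.Echo DF_PAYLOAD & "-byte DF probe passed: no fragmentation on this path"
End If
```

Run it with cscript.exe over an established tunnel so the output lands in the console. It needs ICMP echo permitted to the DC through the VPN; if the firewall drops ICMP, the first message tells you so, and the only honest fallback is to time an LDAP bind instead, which measures something different from what Group Policy measures.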
Jeff,
I'm no expert, but it seems that we have a similar setup without the RSA stuff. The way I got around it was to add a stub script on the local PC which executes when the VPN software connects. The stub basically loops until it sees the domain authentication complete and then passes control to the login script on the domain controller. Here's the stub script:
'VPNStub.vbs
'Created May 2006 by Thom L. Inglin, BDHHI Baldwin Hardware
'Modified 5/31/06 to use LDAP query
'Purpose: To supply a mechanism for causing the remote users' system to wait until
'the user is fully authenticated before passing control to the VPNlogin.vbs script
'Scope: This script will be copied to and reside on the local drives of notebook PCs

Option Explicit
On Error Resume Next

Dim oNetwork, oShell, sDNSDomain, oRootDSE

Set oNetwork = CreateObject("WScript.Network")
Set oShell = CreateObject("Wscript.Shell")

' Constants for the NameTranslate object (not used below).
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

' Determine the domain from the RootDSE object (defaultNamingContext is the
' domain DN, e.g. DC=bdhhi,DC=com; it is only used here as a readiness flag).
' Don't move on until you have it. Under On Error Resume Next a failed bind
' just leaves sDNSDomain empty; sleep between attempts so the loop does not
' spin the CPU while the tunnel comes up.
Do Until sDNSDomain <> ""
    Err.Clear
    Set oRootDSE = GetObject("LDAP://RootDSE")
    sDNSDomain = oRootDSE.Get("defaultNamingContext")
    If sDNSDomain = "" Then WScript.Sleep 5000
Loop

'Pass control to network login script (window style 0: no console window; False: do not wait)
oShell.Run "WScript.exe \\reaaddc01\sysvol\bdhhi.com\scripts\vpnlogin.vbs", 0, False

Set oNetwork = Nothing
Set oShell = Nothing
Set oRootDSE = Nothing
Don't know if it will help, but there's my 2 cents. It works great for us!
Thom
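Al's outline and Thom's stub have the same shape: wait until a DC answers, then hand off. The VBScript below is an added example, not code from the thread, from Al's team or from Thom. It fills in the two pieces the outline leaves open: it looks up the logon script from the user's own AD account instead of hardcoding a path and a DC, and it runs that script from the domain's NETLOGOn share in the user's context with no console window, which is the flashing-cmd problem cocopuffs described. Assumptions, not from the thread: it is started from the Run key under wscript.exe in the user's session, the account's scriptPath attribute is relative to \\<domain>\NETLOGON as usual (e.g. "scripts\vpnlogin.vbs"), and the 15 s poll and one-hour give-up are arbitrary.

```vbscript
' VPNLogon.vbs  (added example; not code from the thread or from any poster)
' Waits for the VPN tunnel, then runs the logon script the user's AD account
' points to, in the user's own context. Assumptions, not from the thread:
' started via the Run key under wscript.exe (no console window); the account's
' scriptPath attribute is relative to \\<domain>\NETLOGON as usual.
Option Explicit

Const POLL_MS     = 15000    ' assumed polling interval (15 s)
Const MAX_WAIT_MS = 3600000  ' assumed give-up time (1 h)
Const SW_HIDE     = 0        ' WshShell.Run window style: no window for the child

Dim oShell, oFSO, oSysInfo, oUser, sDomain, sRelPath, sUnc, nWaited, sCmd, sExt
Set oShell = CreateObject("WScript.Shell")
Set oFSO   = CreateObject("Scripting.FileSystemObject")

' 1. Wait for a domain controller. ADSystemInfo.UserName has to ask a DC for
'    the logged-on user's DN, so succeeding here *is* the connectivity test:
'    no ping, no spawned cmd.exe, and WScript.Sleep instead of a busy loop.
nWaited = 0
Do
    On Error Resume Next
    Err.Clear
    Set oSysInfo = CreateObject("ADSystemInfo")
    sDomain = oSysInfo.DomainDNSName              ' e.g. corp.example.com (assumed)
    Set oUser = GetObject("LDAP://" & oSysInfo.UserName)
    If Err.Number = 0 Then Exit Do
    On Error GoTo 0
    If nWaited >= MAX_WAIT_MS Then WScript.Quit 1 ' tunnel never came up
    WScript.Sleep POLL_MS
    nWaited = nWaited + POLL_MS
Loop
On Error GoTo 0

' 2. Read the logon script name from the account; empty means none assigned.
On Error Resume Next
sRelPath = oUser.Get("scriptPath")
On Error GoTo 0
If sRelPath = "" Then WScript.Quit 0

' 3. Keep the path inside the domain's NETLOGON share. scriptPath is set by
'    admins, but the relative-only check costs nothing and stops a stray UNC
'    or ".." from pulling something in from elsewhere.
If Left(sRelPath, 1) = "\" Or InStr(sRelPath, ":") > 0 Or InStr(sRelPath, "..") > 0 Then
    WScript.Echo "Refusing scriptPath outside NETLOGON: " & sRelPath
    WScript.Quit 2
End If

' Use the domain DNS name rather than one DC: DFS hands back a live replica.
sUnc = "\\" & sDomain & "\NETLOGON\" & sRelPath
If Not oFSO.FileExists(sUnc) Then
    WScript.Echo "Logon script not found: " & sUnc
    WScript.Quit 3
End If

' 4. Run it by type, hidden, and wait so the exit code can be returned.
sExt = LCase(oFSO.GetExtensionName(sUnc))
Select Case sExt
    Case "vbs", "js", "wsf"
        sCmd = "wscript.exe //B """ & sUnc & """"   ' //B: batch mode, no pop-ups
    Case "bat", "cmd"
        sCmd = "cmd.exe /c """ & sUnc & """"
    Case "exe"
        sCmd = """" & sUnc & """"
    Case Else
        WScript.Echo "Unsupported logon script type: " & sUnc
        WScript.Quit 4
End Select
WScript.Quit oShell.Run(sCmd, SW_HIDE, True)
```

This only replays the legacy logon script (the netlogon-share one cocopuffs uses); it does not apply Group Policy, and it still runs under the cached-credential token, so the drive mappings succeed only because Kerberos can reach a DC once the tunnel is up. If a mapping fails after connectivity is confirmed, look at Jeff's slow-link note before blaming the script.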