Question : "pre-Windows Logon" SSL VPN connection
Let me start by thanking anyone who is patient enough to even read this post. This is (to me at least) a complicated problem that may not have a solution, but I am open to any suggestions.

Background...

I am a network/VPN admin, not a Windows admin (but I do have extensive experience with Windows and a programming background). We are currently in the process of designing a new laptop for approx. 1000 remote users. We would like to access the VPN "pre-Windows Logon" so that the users will authenticate against the Domain during Logon. When I use the term "pre-Windows Logon" I am referring to the point before Windows is fully loaded, when you are sitting at the Windows Logon Prompt. The Cisco VPN client we are using allows this. It also allows us to launch a 3rd-party application "pre-Windows Logon". This is possible as Cisco installs a custom GINA when you select the option to "allow 3rd party application preboot" from the client configuration. It is important that we maintain as streamlined a connection process as possible (we do not wish to have different procedures to connect from different locations). The users will connect from home offices via dialup or broadband (using a NAT device, wired and wireless) and from hotel/coffee-shop/hotspots when traveling.

It is the hotspot access that is the reason for this post. When a user connects to the internet from a hotspot, they are usually prompted with an HTTP-based authentication, meaning you launch your web browser and fill out a form (or just click a button) before you are allowed to access the internet. I require the ability to do this "pre-Windows Logon". Before I send you down the wrong path, I have already managed this. I have developed a VB6 application that is launched "pre-Windows Logon" by the Cisco VPN Client. Basically it is a web client that does not have an address bar and will only go where I tell it (or where it is automatically redirected). So I am able to web-authenticate to the hotspot "pre-Windows Logon"... connect to my SSL VPN server... I am able to enter my Login ID and PIN/token... I agree to the ActiveX control stuff... the SSL VPN client installation begins at this point (note: the SSL VPN client was pre-installed by the administrator and normally does not need to install at SSL login, but we are in a "pre-Windows Logon" session at this point)... the installation downloads and completes... it appears to be connecting normally (normal for a first-time SSL login)... then I receive this error: "Unable to obtain handles for user process impersonation".

You may be asking at this point, "if you can authenticate to the hotspot and have an internet connection, why not just use the standard client (instead of the SSL VPN)?" and you would have a good point. This would (and does) work for about 80% of the hotspots (wired and wireless). However, about 20% block the return VPN traffic, either because the device does not support VPN tunneling, it does not support NAT Traversal, it drops UDP traffic, or it was just not set up correctly to begin with. However, they all support TCP 80 and 443 traffic (it would not be a very good hotspot if it did not support these), and 443 traffic is what the SSL VPN uses. Now, we could have 2 methods for hotspot users to connect, but if we can make them all work the same that would be better (I think any admin with more than 100 users will agree with me on that).
After reviewing how the Cisco SSL client works I have come to some conclusions. The SSL client requires a cookie to work (this is noted in the manual). During the "pre-Windows Logon" session you are actually "logged in" using the "SYSTEM" account. I believe that this could be the problem, as the "SYSTEM" user would have nowhere to store the cookie, or maybe there is no user to "impersonate". I did some research on "application user impersonation" (and this is way beyond me); there appear to be some interesting things you could do with this that might fix my problem.

One of the things that I tried (more just to determine what Windows would allow during the "pre-Windows Logon" session) was to launch a command prompt and try to use the runas command. I figured that I could force the application to run as a particular user, but I keep receiving the "access is denied" message. I am using the local administrator account in the runas command.

If someone knows how to execute a runas command "pre-Windows Logon" this would probably resolve my issue, but any suggestions would be helpful.
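The restricted pre-logon "web client" the poster describes has two jobs: decide whether a hotspot has intercepted the connection, and submit the portal's login form. The block below is an added example of that logic (not the poster's VB6 code and not anything from Cisco), written in Python so it runs offline: every HTTP exchange in it is constructed sample data, and the probe URL and expected probe body are assumptions standing in for a URL under the administrator's control. It also adds two checks a practitioner would want in such a client: the probe is plain HTTP on purpose (a portal can only redirect cleartext; an HTTPS probe just fails the TLS handshake), and the form is only submitted back to the host that served it.

```python
"""Captive-portal probe classification and login-form extraction.

Added example; not code from the original post or from Cisco. All HTTP
traffic below is constructed sample data. PROBE_URL and PROBE_BODY are
assumptions: a plain-HTTP URL the admin controls that returns a fixed body.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin, urlparse

# Assumed probe. Plain HTTP on purpose: a hotspot portal can only redirect a
# cleartext request; an HTTPS probe would fail the TLS handshake instead.
PROBE_URL = "http://probe.example.test/ok.txt"
PROBE_BODY = b"OK"

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    """Minimal HTTP response as the restricted client would see it."""
    status: int
    headers: dict
    body: bytes

    def header(self, name):
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def classify(resp):
    """Return 'open', 'portal' or 'blocked' for the probe response."""
    if resp.status == 511:                      # RFC 6585: Network Authentication Required
        return "portal"
    if resp.status in REDIRECT_STATUSES and resp.header("Location"):
        return "portal"                         # classic redirect to the login page
    if resp.status == 200:
        # Some portals answer 200 with their own HTML instead of redirecting.
        return "open" if resp.body.strip() == PROBE_BODY else "portal"
    return "blocked"


def portal_url(resp):
    """Absolute URL the client should load next (the portal page, or the probe)."""
    loc = resp.header("Location")
    return urljoin(PROBE_URL, loc) if loc else PROBE_URL


class FormParser(HTMLParser):
    """Pull the first <form> and its named <input> values out of the portal page."""
    def __init__(self):
        super().__init__()
        self.action = None
        self.method = "GET"
        self.fields = {}
        self._in_form = False
        self._done = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and not self._done and not self._in_form:
            self._in_form = True
            self.action = a.get("action") or ""
            self.method = (a.get("method") or "get").upper()
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""   # keeps hidden session tokens

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            self._in_form = False
            self._done = True


def build_login(page_url, html, credentials):
    """Return (method, target_url, form_fields) for the portal login submit.

    `credentials` must be hotspot credentials, never the user's domain
    password: the page arrived over cleartext HTTP from an untrusted network.
    """
    p = FormParser()
    p.feed(html)
    if p.action is None:
        raise ValueError("no login form on portal page")
    target = urljoin(page_url, p.action)
    # Only submit to the host that served the page; refuse off-host actions.
    if urlparse(target).netloc != urlparse(page_url).netloc:
        raise ValueError("form posts to a different host: " + target)
    fields = dict(p.fields)
    fields.update(credentials)
    return p.method, target, fields


def encode_form(fields):
    return urlencode(fields)


# --- constructed sample exchanges (not captured traffic) ---
SAMPLE_OPEN = Response(200, {"Content-Type": "text/plain"}, b"OK\n")
SAMPLE_REDIRECT = Response(302, {"Location": "http://10.0.0.1/login?orig=probe"}, b"")
SAMPLE_PORTAL_HTML = (
    "<html><body><h1>Welcome</h1>"
    "<form action='/auth' method='post'>"
    "<input type='hidden' name='session' value='abc123'>"
    "<input type='text' name='username'>"
    "<input type='password' name='password'>"
    "<input type='submit' value='Connect'>"
    "</form></body></html>"
)
SAMPLE_INLINE = Response(200, {"Content-Type": "text/html"}, SAMPLE_PORTAL_HTML.encode())

if __name__ == "__main__":
    print(classify(SAMPLE_OPEN), classify(SAMPLE_REDIRECT), classify(SAMPLE_INLINE))
    m, url, f = build_login(portal_url(SAMPLE_REDIRECT), SAMPLE_PORTAL_HTML,
                            {"username": "guest", "password": "hotspot"})
    print(m, url, encode_form(f))
```

The hidden `session` field is carried over untouched because portals commonly tie the login to a token they set in the page; dropping it is the usual reason an automated portal login "succeeds" but never opens the connection. The same-host check matters more in a pre-logon client than in a normal browser: there is no address bar for the user to notice that the form is posting somewhere else.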
Answer : "pre-Windows Logon" SSL VPN connection
Re SSL VPN: any chance it can be converted into a service? (Sounds insecure, because it would have hardcoded authentication info somewhere.)

Re hotspot: can't you just log on locally with domain cached credentials, fire up IE, get access to the wifi hotspot (which no doubt caches your MAC address in a table with your authentication, and this is good for a while), then log off and log on with.

Maybe a tool that will help you is multi-domain logon. One is the cached-credential domain that for all intents and purposes the machine never sees again; the other is the real domain, with only "authenticate live with DC to access system" on, and that one runs via the custom GINA, or the service method I suggested.