With the advent of machines that only have wireless connections, it becomes somewhat non-trivial to set up initial cached Kerberos credentials for mobile/AD users. For Windows, we have a workable solution that uses the Start Before Logon add-on to the Cisco AnyConnect software.
You can grab the required software components from here:
You will need to install these in the specified order:
Once installed, delay the reboot and edit your XML settings file:
- C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\Lab_name.xml
Replace this line:
- <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
With this line:
- <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
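To make the same profile change on several machines rather than by hand, here is an added PowerShell example (not from the original post or from Cisco) that performs the edit above with a backup and a read-back check. It assumes the profile is well-formed XML containing exactly one UseStartBeforeLogon element, as in the snippet above, and that it runs elevated, since the Profile folder under ProgramData is not writable by standard users.

```powershell
# Added example, not part of the original post. Path is the one named above;
# adjust Lab_name.xml to match the profile your VPN head end pushed.
$ProfilePath = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\Lab_name.xml'

function Enable-StartBeforeLogon {
    param([Parameter(Mandatory)][string]$Path)

    # Keep a copy of the original so the change can be reverted if SBL misbehaves
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force

    [xml]$doc = Get-Content -LiteralPath $Path -Raw

    # local-name() sidesteps whatever default namespace the profile declares
    $nodes = $doc.SelectNodes("//*[local-name()='UseStartBeforeLogon']")
    if ($nodes.Count -ne 1) {
        throw "Expected exactly one UseStartBeforeLogon element, found $($nodes.Count)"
    }
    $node = $nodes.Item(0)

    # Equivalent of the manual edit: turn SBL on and stop users from switching it off
    $node.InnerText = 'true'
    $node.SetAttribute('UserControllable', 'false')
    $doc.Save($Path)

    # Re-read the file and verify rather than trusting the in-memory object
    [xml]$check = Get-Content -LiteralPath $Path -Raw
    $verify = $check.SelectSingleNode("//*[local-name()='UseStartBeforeLogon']")
    return ($verify.InnerText -eq 'true' -and
            $verify.GetAttribute('UserControllable') -eq 'false')
}

if (-not (Enable-StartBeforeLogon -Path $ProfilePath)) {
    throw "Profile edit did not take effect: $ProfilePath"
}
```

The backup lets you restore the previous behaviour quickly if the network logon option causes trouble for users who never need SBL.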
Once you reboot, you should see a network logon option from the login screen:
This should bring up the standard AnyConnect login screen, but after successfully connecting, I was left with the following screen:
I was able to click Cancel (or hit Esc) after I was connected and proceed to log onto the CIT domain with a "new" user from the VPN-connected system.
Many thanks to Simon Webster for his help in getting this going.