Child pages
  • Cisco Anyconnect setup for Start Before Logon (SBL)
Skip to end of metadata
Go to start of metadata

With the advent of machines that only have wireless connections it becomes somewhat non-trvial to set up inital cached kerberos credentials for mobile/AD users. For windows, we have a workable solution which utilizes the Start Before Logon add-on to the Cisco Anyconnect Software.

You can grab the required software components from here:

You will need to install these in the specified order:

  • anyconnect-win-4.4.00243-core-vpn-predeploy-k9.msi
  • anyconnect-win-4.4.00243-gina-vpn-predeploy-k9.msi

Once installed, delay reboot and edit your xml settings file:

  • C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\Lab_name.xml

Replace this line:

  •  <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon> 

With this line:

  • <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>

Once you reboot, you should see a network logon option from the login screen:

Windows 7:

Windows 10:



This should bring up the standard Any connect login screen but after successfully connecting, I was left with the following screen: 


I was able to click on cancel (or hit esc) after I was connected and proceed to log onto the CIT domain with a "new" user from the VPN connected system.


Many thanks to Simon Webster for his help in getting this going.

  • No labels