When using VPN before Windows logon, the user is offered a list of preconfigured VPN connections to select from on the Windows logon screen. This requires that the Windows logon screen is not bypassed. As such, if VPN before Windows logon is enabled, it is required to also select the Users must enter a user name and password to use this computer checkbox in the User Accounts dialog.
To activate VPN before Windows logon:
- In FortiClient, create the VPN tunnels of interest or receive the VPN list of interest from FortiClient EMS.
- Ensure that VPN is enabled before logon to the FortiClient Settings page.
- On the Windows system, start an elevated command line prompt.
control passwords2and press
Enter. Alternatively, you can enter
- Check the checkbox for Users must enter a user name and password to use this computer.
- Click OK to save the setting.
VPN before logon is unrelated to auto-connect or always-up and is a one-time connection made so the domain controller can be reached prior to login. This is often leveraged in conjunction with a user password reset. For the remote device to sync the new password, it must contact the domain controller which is often unreachable outside of a VPN connection.
VPN before logon authentication supports:
- Smart cards
- Machine certificates without usernames
- Username and password
- Two-factor authentication