Need help invoking logon script after logging in to VPN authenticated by RSA software token

Hi,

I need help invoking a logon script. We are implementing RSA Software
Tokens for VPN authentication, and it changes the order of the login
process. The strong authentication solution is aimed at users with
laptops who login remotely.

Current Set-Up:
1. Cisco VPN client appears before the Windows GINA.
2. User authenticates to the VPN client and establishes an IPSEC
tunnel.
3. User logs in with domain credentials.
4. Workstation finds logon server and executes login script as
specified in the user's profile in AD.
5. The logon script maps drives for the user.

Future Set-Up:
1. User authenticates to the GINA using cached credentials.
2. User starts Cisco VPN client (can't start before logging in to
Windows because RSA software token can't start until user gets in to
desktop).
3. User starts RSA software token.
4. User copies tokencode from software token into the VPN client and
establishes an IPSEC tunnel.
5. User is on internal network, but logon script does not run and
drives are not mapped.

RSA's suggestion is to keep the IPSEC tunnel open (Cisco VPN client ->
Options -> Windows Logon Properties -> Uncheck "Disconnect VPN
connection when logging off), log off, and log on again to run the
logon scripts. This is too obtrusive to the end user. I manually ran
lsass and netlogon as step 6 of the Future Set-Up, but that did not
invoke the logon script either. I finally wrote the following
VBScript for remote users to invoke their logon script, but would
prefer a solution that can leverage native functionalities of the
workstation (XP SP2) and / or the domain controllers (Windows 2000
Server).

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' NAME:   MapDrivesVPNRSA.vbs
' AUTHOR: Don S
' DATE:   6/2/2007
'
' This script maps drives for users that connect to the VPN using RSA
' software tokens.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Option Explicit

Dim strUserName, blnIntrnlNtwkConn, strComputerName, strLogonServer, _
    strUNCLogonServer, arrUNCLogonServer, strKnownIntrnlSrvr, intWaitCtr
Dim objShell, objFSO, objPing, objPingStatus
Dim objRootDSE, adoRecordset, adoCommand, adoConnection
Dim strMbox, strDNSDomain, strQuery, strBase, strFilter, _
    strAttributes, strUsersLogonScriptAD, strUsersHomeDirectoryAD

' Install locations of the two client programs and the support number shown
' to the user. Adjust these for your environment.
Const VPN_CLIENT_EXE = "C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe"
Const SECURID_EXE = "C:\Program Files\RSA Security\RSA SecurID Software Token\SecurID.exe"
Const SUPPORT_DESK = "1-800-XXX-XXXX"
Const MAX_PING_ATTEMPTS = 150

Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

If ProgsAlreadyRunning = False Then
    If objFSO.FileExists(VPN_CLIENT_EXE) And objFSO.FileExists(SECURID_EXE) Then
        ' Paths contain spaces, so they are quoted before being passed to Run.
        objShell.Run Chr(34) & VPN_CLIENT_EXE & Chr(34)
        objShell.Run Chr(34) & SECURID_EXE & Chr(34)
    Else
        MsgBox "The Cisco VPN and RSA Software Token were not found in the " & _
               "expected directories on your workstation. Please call the " & _
               "SupportDesk at " & SUPPORT_DESK & ".", vbOKOnly, "Programs Not Found!"
        WScript.Quit
    End If
Else
    strMbox = MsgBox("Proceeding with this script will execute your logon " & _
              "script if you are already connected to the internal network. " & _
              "Make sure you have authenticated to the VPN using the RSA " & _
              "Software Token. If you ran this script several times and " & _
              "still do not have your drives mapped, please contact the " & _
              "SupportDesk at " & SUPPORT_DESK & ". To quit the script, " & _
              "press Cancel now.", vbOKCancel, "Continue or Cancel?")
    If strMbox = vbCancel Then
        WScript.Echo "Now quitting the script."
        WScript.Quit
    End If
End If

strUserName = objShell.ExpandEnvironmentStrings("%username%")
strComputerName = objShell.ExpandEnvironmentStrings("%computername%")
strUNCLogonServer = objShell.ExpandEnvironmentStrings("%logonserver%")

' %logonserver% has the form \\DCNAME; keep the name after the backslashes.
arrUNCLogonServer = Split(strUNCLogonServer, "\\")
strLogonServer = arrUNCLogonServer(UBound(arrUNCLogonServer))

' Check the most recent logon server first. After a logon with cached
' credentials, %logonserver% points at the workstation itself, so fall back
' to a known domain controller in that case.
If InStr(1, strUNCLogonServer, strComputerName, vbTextCompare) > 0 Then
    strKnownIntrnlSrvr = "dc.domain.com"
    strUNCLogonServer = "\\dc.domain.com"
Else
    strKnownIntrnlSrvr = strLogonServer
End If

' The following loops make the script wait until the VPN connection is
' established. The script pings a known internal server up to
' MAX_PING_ATTEMPTS times, pausing two seconds between attempts so that the
' wait is real rather than 150 back-to-back pings. If there is still no
' response, the script quits.

' This loop waits while an internal host cannot be found, i.e. the client
' does not yet have an internal IP address and cannot resolve the name.
blnIntrnlNtwkConn = False
intWaitCtr = 0
While blnIntrnlNtwkConn = False
    Set objPing = objShell.Exec("ping.exe -n 1 " & strKnownIntrnlSrvr)
    ' Read the whole output rather than a fixed number of lines, so the
    ' check cannot fail with "Input past end of file" on short output.
    objPingStatus = objPing.StdOut.ReadAll
    If InStr(objPingStatus, "Ping request could not find") > 0 Then
        blnIntrnlNtwkConn = False
    Else
        blnIntrnlNtwkConn = True
    End If
    If blnIntrnlNtwkConn = False Then
        intWaitCtr = intWaitCtr + 1
        If intWaitCtr >= MAX_PING_ATTEMPTS Then
            WScript.Echo "It appears your workstation is not connected to the " & _
                         "internal CCI network."
            WScript.Echo "Please close the Cisco VPN and RSA Software Token and " & _
                         "run this script again or call the SupportDesk at " & _
                         SUPPORT_DESK & "."
            WScript.Quit
        End If
        WScript.Sleep 2000
    End If
Wend

' This loop waits while an internal host can be resolved but not reached,
' i.e. there is not yet a route between the client and the known server.
blnIntrnlNtwkConn = False
intWaitCtr = 0
While blnIntrnlNtwkConn = False
    Set objPing = objShell.Exec("ping.exe -n 1 " & strKnownIntrnlSrvr)
    objPingStatus = objPing.StdOut.ReadAll
    ' "Destination host unreachable" is treated the same as a timeout.
    If InStr(objPingStatus, "Request timed out") > 0 Or _
       InStr(objPingStatus, "Destination host unreachable") > 0 Then
        blnIntrnlNtwkConn = False
    Else
        blnIntrnlNtwkConn = True
    End If
    If blnIntrnlNtwkConn = False Then
        intWaitCtr = intWaitCtr + 1
        If intWaitCtr >= MAX_PING_ATTEMPTS Then
            WScript.Echo "It appears your workstation cannot reach a known logon server."
            WScript.Echo "Please close the Cisco VPN and RSA Software Token and " & _
                         "run this script again or call the SupportDesk at " & _
                         SUPPORT_DESK & "."
            WScript.Quit
        End If
        WScript.Sleep 2000
    End If
Wend

' Set up ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search the entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on the current user's object. The user name is escaped before it
' is placed in the filter so that filter metacharacters cannot alter the query.
strFilter = "(&(objectCategory=person)(objectClass=user)" & _
            "(sAMAccountName=" & EscapeLdapFilterValue(strUserName) & "))"

' Comma-delimited list of attribute values to retrieve.
strAttributes = "sAMAccountName,scriptPath,homeDirectory"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset (a single user object is expected).
strUsersLogonScriptAD = ""
strUsersHomeDirectoryAD = ""
Do Until adoRecordset.EOF
    ' Attributes that are not set come back as Null; treat them as empty.
    If Not IsNull(adoRecordset.Fields("scriptPath").Value) Then
        strUsersLogonScriptAD = adoRecordset.Fields("scriptPath").Value
    End If
    If Not IsNull(adoRecordset.Fields("homeDirectory").Value) Then
        strUsersHomeDirectoryAD = adoRecordset.Fields("homeDirectory").Value
    End If
    adoRecordset.MoveNext
Loop

' Execute the logon script for this user from the NETLOGON share and wait
' for it to finish, then map the home drive.
If strUsersLogonScriptAD <> "" Then
    objShell.Run Chr(34) & strUNCLogonServer & "\netlogon\" & _
                 strUsersLogonScriptAD & Chr(34), 1, True
Else
    WScript.Echo "No logon script is set for " & strUserName & " in Active Directory."
End If
If strUsersHomeDirectoryAD <> "" Then
    ' Remove any stale U: mapping first; "net use" expects the drive letter
    ' before /delete.
    objShell.Run "net use U: /delete /yes", 0, True
    objShell.Run "net use U: " & Chr(34) & strUsersHomeDirectoryAD & Chr(34), 0, True
End If

' Clean up.
adoRecordset.Close
adoConnection.Close
Set objShell = Nothing
Set objFSO = Nothing
WScript.Quit

' Returns True when both the Cisco VPN client GUI and the RSA SecurID
' software token are already running on this workstation.
Function ProgsAlreadyRunning()
    Dim strComputerName, objShell, objWMIService, colProcesses, objProcess
    Dim blnVPNGUIRunning, blnSecurIDRunning
    blnVPNGUIRunning = False
    blnSecurIDRunning = False
    Set objShell = CreateObject("WScript.Shell")
    strComputerName = objShell.ExpandEnvironmentStrings("%computername%")
    Set objWMIService = GetObject("winmgmts:\\" & strComputerName & "\root\cimv2")
    Set colProcesses = objWMIService.ExecQuery("Select * from Win32_Process")

    ' Process names may differ in case, so compare case-insensitively.
    For Each objProcess In colProcesses
        If InStr(1, objProcess.Name, "vpngui.exe", vbTextCompare) > 0 Then
            blnVPNGUIRunning = True
        End If
        If InStr(1, objProcess.Name, "securid.exe", vbTextCompare) > 0 Then
            blnSecurIDRunning = True
        End If
    Next

    ProgsAlreadyRunning = (blnVPNGUIRunning And blnSecurIDRunning)
End Function

' Escapes the characters that have special meaning in an LDAP search filter
' (backslash, asterisk, parentheses and NUL) so a user name can be embedded
' in the filter safely.
Function EscapeLdapFilterValue(strValue)
    Dim strResult
    strResult = Replace(strValue, "\", "\5c")
    strResult = Replace(strResult, "*", "\2a")
    strResult = Replace(strResult, "(", "\28")
    strResult = Replace(strResult, ")", "\29")
    strResult = Replace(strResult, Chr(0), "\00")
    EscapeLdapFilterValue = strResult
End Function

' End MapDrivesVPNRSA.vbs script


Please post any suggestions for improving the script or a more optimal
solution altogether.
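The two ping loops in the script above distinguish "internal name cannot be resolved" (no internal IP yet) from "internal host cannot be reached" (no route yet) and give up after 150 probes. The following is an added example, not part of the original post, that models that readiness check as a single state machine over the full ping output; it also treats "Destination host unreachable" as not-yet-connected, which the posted script does not. The host name dc.domain.com comes from the script; the IP address and ping outputs are constructed samples.

```python
"""Model of the 'wait for the VPN tunnel' check in MapDrivesVPNRSA.vbs:
probe a known internal host until it answers. Added example, not the
original script."""
import re
from enum import Enum


class LinkState(Enum):
    NO_NAME = "name resolution failed (no internal DNS/IP yet)"
    NO_ROUTE = "no route to the internal host yet"
    REACHABLE = "internal host answered"


# Phrases from Windows ping.exe that the script keys on, plus the
# "host unreachable" case, which the original script does not handle.
_NO_NAME = re.compile(r"Ping request could not find host", re.I)
_NO_ROUTE = re.compile(r"Request timed out|Destination host unreachable", re.I)
_REPLY = re.compile(r"^Reply from \S+: bytes=\d+", re.I | re.M)


def classify_ping_output(text: str) -> LinkState:
    """Map the complete output of 'ping -n 1 host' to a link state.
    Reading the whole output avoids depending on an exact line count,
    which is what the ReadLine-based loops in the script rely on."""
    if _NO_NAME.search(text):
        return LinkState.NO_NAME
    if _REPLY.search(text):
        return LinkState.REACHABLE
    # Timeouts, host-unreachable and anything unexpected: keep waiting.
    return LinkState.NO_ROUTE


def wait_for_internal_network(probe, max_attempts=150):
    """Call probe() (returns ping output) until the host is reachable.
    Returns (last_state, attempts_used); gives up after max_attempts,
    the same 150-probe budget the script uses."""
    state = LinkState.NO_NAME
    for attempt in range(1, max_attempts + 1):
        state = classify_ping_output(probe())
        if state is LinkState.REACHABLE:
            return state, attempt
    return state, max_attempts


# Constructed sample outputs of 'ping -n 1' on Windows XP (not captured).
SAMPLE_NO_NAME = "Ping request could not find host dc.domain.com. Please check the name and try again.\n"
SAMPLE_NO_ROUTE = "\nPinging dc.domain.com [10.0.0.5] with 32 bytes of data:\n\nRequest timed out.\n\nPing statistics for 10.0.0.5:\n    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),\n"
SAMPLE_REPLY = "\nPinging dc.domain.com [10.0.0.5] with 32 bytes of data:\n\nReply from 10.0.0.5: bytes=32 time=41ms TTL=127\n\nPing statistics for 10.0.0.5:\n    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),\n"


def simulate_tunnel_coming_up():
    """Scripted probe: DNS fails twice, route is missing once, then a reply."""
    outputs = iter([SAMPLE_NO_NAME, SAMPLE_NO_NAME, SAMPLE_NO_ROUTE, SAMPLE_REPLY])
    return wait_for_internal_network(lambda: next(outputs))
```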
