join a computer to an AD domain using Mobile VPN

Hello,
I'm stuck at home with the covid-19 crisis. I received a new laptop. I'd like to join it to the Active Directory domain of my office using a Mobile VPN with SSL.
Is it possible?

Comments

  • I have the same question too. I tried joining Windows 10 Pro to AD domain over IKEv2 VPN. It takes a very long time before I give up and shut down the PC. It would be easier to join AD while in the LAN before taking the laptop home.

  • Yes much better.
    I opened a technical case, and a technician just answered me but I don't understand what I have to do. Here is the answer:
    _In order to connect a computer to AD you need to be connected before the authentication happens. In order to run the SSL VPN client you need to first authenticate to the computer, so this is the reason why you can't do this. For this kind of setup you need to use RDP to your computer behind the Firebox over the SSL VPN._
    do you have any idea?

  • edited March 2020

    @VincentVancoillie said:
    For this kind of setup you need to use RDP to your computer behind the Firebox over the SSL VPN.

    It sounds like it isn't possible to join a computer to AD domain over VPN but I may be wrong. What they're saying above is you need to Remote Desktop to a computer in the AD domain (at the office) after establishing VPN connection. It goes something like this:

    Login to Windows locally
    Establish VPN (doesn't matter what type of VPN)
    Open Remote Desktop Connection
    Connect to a PC inside your AD or LAN at the office

    You'll be using that remote PC at the office as if you're at work.

  • Review this:
    Join Domain and Login over a VPN Connection
    https://theitbros.com/join-domain-and-login-over-a-vpn-connection/

  • edited March 2020

    @Bruce_Briggs said:
    Review this:
    Join Domain and Login over a VPN Connection
    https://theitbros.com/join-domain-and-login-over-a-vpn-connection/

    The article teaches us how to create VPN connection and how to join AD domain. I am the admin and I already know how to create VPN and how to join.

    That's exactly what did not work on my Win 10 Pro when I tried to join AD domain (from home) with IKEv2 VPN already established.

    Win10 "tries" to join for the longest time. I waited for about 2-3 minutes before giving up and shut it down.

  • edited March 2020

    I used to do this YEARS ago with an XTM 26 at my client's office. I would have the new computer delivered to me, set up Windows, connect to the SSLVPN, then join the domain.

    The key is that your laptop needs to have its ONLY DNS server be the same as any LAN computer, i.e., the IP of your AD domain controller. The domain-join process from there should be no different except for speed.

    EDIT: In your SSLVPN config, set custom DNS and put in your AD DNS server as the only IP. Force all traffic through the VPN. That is all I needed to do.

    Gregg

    Gregg Hill
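    The checks behind the advice above (DNS on the tunnel must point only at the AD DNS server, and the domain join must be able to reach the DC through it), as an added PowerShell example that is not part of this thread. `$Domain` and `$VpnAlias` are placeholders; it assumes an elevated Windows PowerShell 5.1 session on the not-yet-joined laptop with the Mobile VPN with SSL tunnel already up.

```powershell
# Added example (not from the thread): pre-flight checks before joining the domain over the SSL VPN.
# Assumptions: $Domain and $VpnAlias are placeholders to replace; run elevated in Windows PowerShell 5.1
# on the not-yet-joined laptop while the Mobile VPN with SSL tunnel is connected.
$Domain   = 'corp.example.com'        # placeholder: AD DNS domain name
$VpnAlias = 'Local Area Connection*'  # placeholder: alias of the VPN TAP adapter as shown by Get-NetAdapter

# 1. The thread's key point: the VPN adapter must receive the AD DNS server(s) and nothing else.
$dns = (Get-DnsClientServerAddress -InterfaceAlias $VpnAlias -AddressFamily IPv4).ServerAddresses
if (-not $dns) { throw "No IPv4 DNS servers on '$VpnAlias'; set custom DNS in the SSL VPN config." }
Write-Host "VPN adapter DNS servers: $($dns -join ', ')"

# 2. The join locates a DC through SRV records, so an A record for the DC alone is not enough.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $dns[0] -ErrorAction Stop
$dc  = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1 -ExpandProperty NameTarget
Write-Host "Domain controller located via SRV record: $dc"

# 3. A join that "tries for the longest time" usually means one of these ports is not reaching the DC
#    through the tunnel (routing or firewall policy), so test them before starting Add-Computer.
foreach ($port in 88, 135, 389, 445) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("TCP {0,4} to {1}: {2}" -f $port, $dc, $(if ($ok) { 'open' } else { 'BLOCKED' }))
    if (-not $ok) { throw "TCP $port to $dc is blocked through the VPN; fix that before joining." }
}

# 4. Only now perform the join; -Restart reboots the laptop as the poster did.
$cred = Get-Credential -Message "Account allowed to join computers to $Domain"
Add-Computer -DomainName $Domain -Credential $cred -Restart -Force
```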

  • Well, duh, this part is true, "In order to run the SSL VPN client you need to first authenticate to the computer" BUT that has NOTHING to do with joining the domain. That is like saying that you need to turn on the laptop first. All you need to "authenticate" to FIRST is your laptop. Then you start the SSLVPN, which if properly set up, lets the laptop see active directory as would any new computer put onto the LAN.


    "In order to connect a computer to AD you need to be connected before the authentication happens...."

    That statement is misleading at best. If you log into the SSLVPN from a non-domain new laptop, you WILL BE "connected before the authentication happens" to AD because it is no different than putting that new laptop on the LAN while at work. Nothing needs to "authenticate" UNTIL you actually try JOINING the domain, and then it's business as usual for any new computer setup.

    Picture yourself being at work, and you turned on the laptop and logged into it while out in the parking lot, not connected to any network. You walk inside, connect it to the LAN with a network cable, then join it to the domain. Doing it over SSLVPN essentially is the same process...just slower and with a longer "cable". You turn on the laptop and log into it while at home, connect your REALLY LONG network cable, i.e., you log into the SSLVPN. You are now "connected before the authentication happens" to AD, just like a new computer at work. Now you have access to the AD domain controller and if you have your SSLVPN feeding the AD DNS server only, you should proceed as though you were at work on the LAN.

    Gregg Hill

  • Hello,
    Thanks a lot to all for your replies.
    So I'm at my house. I have a new laptop. I logged in with a local account and it's not on a domain, just in WORKGROUP.
    I am connected to my office through a Mobile VPN SSL connection.
    In the configuration of the VPN SSL in my Firebox, I set up the DNS of the domain controller. And I forced all traffic through the VPN.
    When I'm connected, the DNS of the TAP interface (VPN network interface) is the IP address of the domain controller of my office.
    So I think that everything is correct.

    I just did another try and it works well.
    I don't understand why it didn't work yesterday.

    And after a reboot, my laptop is on my AD domain. But I have to log in to my laptop with a local account because my VPN connection can only be launched after I am logged on to Windows.

    "And after a reboot, my laptop is on my AD domain. But I have to log in to my laptop with a local account because my VPN connection can only be launched after I am logged on to Windows."

    Once your laptop is on the domain, you should be able to log into the DOMAIN account of your laptop, then you connect to the SSLVPN, and the AD domain controller will see your domain account when you try to access domain resources.

    Gregg Hill

    "But I have to log in to my laptop with a local account because my VPN connection can only be launched after I am logged on to Windows."

    No, you log into the laptop with your domain account, then connect to the SSLVPN.

    Think about it as being in the office with a domain-joined computer that is turned off. Disconnect its network cable, turn it on and log into it with your domain account. Now connect the network cable. You are now able to access domain resources, even though you logged into the computer BEFORE it could see the AD domain controller...just like using the SSLVPN.

    Gregg Hill

  • @Greggmh123 said:
    "Think about it as being in the office with a domain-joined computer that is turned off. Disconnect its network cable, turn it on and log into it with your domain account. Now connect the network cable. You are now able to access domain resources, even though you logged into the computer BEFORE it could see the AD domain controller...just like using the SSLVPN."

    I agree with you on this fact: when I have a computer connected to my network, I log on to the domain without a problem. I can unplug the network cable and still log on to the computer.

    It works fine because the first time I logged on to my domain I had a network cable.
    In my case, when I want to log on with the account DomainName\Administrator, the computer tries to reach the DC of my domain to check if my password is good and it can't find it because I'm at my house.

  • "In my case, when I want to log with the account DomainName\Administrator the computer tries to reach the DC of my domain to check if my password is good and it can't find it because I'm in my house."

    I haven't done the remote join for over five years, but I remember having no issue with that. I can test it with my laptop that I never did put onto my domain.

    Can you log into the laptop with your local account, connect to the SSLVPN, switch user (but don't log off, obviously!), and then log in with the domain account?

    Gregg Hill

  • @Greggmh123 said:
    " Can you log into the laptop with your local account, connect to the SSLVPN, switch user (but don't log off, obviously!), and then log in with the domain account?"

    I had the same idea during the night. I tried when I woke up.
    It works fine! Thanks a lot!

    I can continue to work efficiently even with the covid.
    Have a nice day
    Thanks again

  • @VincentVancoillie said:

    @Greggmh123 said:
    " Can you log into the laptop with your local account, connect to the SSLVPN, switch user (but don't log off, obviously!), and then log in with the domain account?"

    I had the same idea during the night. I tried when I woke up.
    It works fine! Thanks a lot!

    I can continue to work efficiently even with the covid.
    Have a nice day
    Thanks again

    Now that you have logged into the domain once, the laptop should have your domain credentials cached and you should be able to log into the laptop as the domain user, then connect to the SSLVPN and go about working, without having to do the switch user trick. That step was just to get you logged into the domain the very first time so your profile would get created and your credentials would cache.

    Gregg Hill
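    How to verify the cached-credentials state described above before taking the laptop off the tunnel, as an added PowerShell example that is not part of this thread. It assumes an elevated Windows PowerShell 5.1 session on the now domain-joined laptop while the SSL VPN is still connected; the registry paths and `Test-ComputerSecureChannel` are standard Windows.

```powershell
# Added example (not from the thread): after the first domain logon over the VPN, confirm that the laptop
# will accept the domain account offline and that its machine trust with the domain is healthy.
# Assumes an elevated Windows PowerShell 5.1 session while the SSL VPN tunnel is still connected.

# Windows keeps the last N interactive domain logons for offline use; the default is 10, and 0 would make
# the "DC not reachable" logon failure from the thread permanent, even after a successful first logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # value absent means the Windows default applies
Write-Host "Cached interactive logons kept by Windows: $cached"
if ([int]$cached -eq 0) { Write-Warning 'CachedLogonsCount is 0: domain logon without the tunnel will fail.' }

# The "switch user" step exists to create the profile and cache the credentials; a domain user who has a
# profile folder here has logged on at least once and can therefore log on offline afterwards.
$profiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ProfileImagePath } |
    Where-Object { $_ -like "$env:SystemDrive\Users\*" }
Write-Host 'User profiles present on this laptop (one per account that has logged on):'
$profiles | ForEach-Object { Write-Host "  $_" }

# The computer account's secure channel to a DC proves the join itself still works through the tunnel.
if (Test-ComputerSecureChannel) {
    Write-Host 'Secure channel to the domain is OK.'
} else {
    Write-Warning 'Secure channel is broken; repair with: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)'
}
```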
