When is this feature needed?
If you use an always-on VPN type, e.g. DirectAccess from Microsoft, or another VPN type that ensures the client machine is always connected to the domain, then this feature is not needed. The same is true for Azure AD accounts. The typical scenario for using this feature is a user working remotely on a domain-joined PC. The user starts the PC and cannot log in to Windows because they forgot the password. The user cannot start the VPN, because it is not available at the logon screen and it may even require the same password. The user can call the service desk, who can reset the domain password, but because the PC is not connected to the domain, the user still cannot use the new password on the PC: the locally cached credentials have not been updated.
The integration between MyPass and the VPN uses the customer's existing VPN solution; MyPass does not provide the VPN solution. For the integration to work, the following requirements have to be met:
- The VPN must be startable and stoppable from the command line. The full connection and all the parameters needed must be given in the command line.
- The VPN GUI will not be shown, hence no input from the user can be entered or clicked.
- The VPN needs to be capable of running as System.
- The VPN must establish a connection even if a user is already logged on to the PC. (This point can be circumvented, but then the user will have to perform a reboot before attempting the operation.)
When connected, the VPN must allow the PC to access the following:
- The MyPassServer
- A domain controller (read-only is fine)
How it works
To use this feature, a VPN connection and a script must be set up for use with the Windows Client. MyPass starts the VPN and forces the client machine to update the locally cached password, thereby enabling the end user to log in after having reset the password. The VPN connection needs to allow a connection to a domain controller and to the MyPass server.
The VPN feature can be triggered in one of two ways:
- As soon as the Windows Client starts (Full VPN).
- Right after the user has reset the password (VPN).
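The following PowerShell script is an added example of the kind of connect/disconnect script the requirements above call for; it is not part of the MyPass product and not taken from this documentation. It assumes a Windows VPN phonebook entry named CorpVPN that was created as an all-user connection with its credentials stored in the entry (or that uses machine-certificate authentication), so that rasdial can bring it up under the System account with no GUI. The server names mypass.corp.example and dc01.corp.example, the entry name, and the log path are hypothetical placeholders. After connecting, the script verifies the two things the feature depends on, reachability of the MyPass server and of a domain controller, and tears the tunnel down again if either check fails, so a misconfigured VPN is reported instead of leaving the client half-connected.

```powershell
# Added example; not MyPass code. All names below are hypothetical placeholders.
param(
    [ValidateSet('connect', 'disconnect')]
    [string]$Action = 'connect'
)

$VpnEntry     = 'CorpVPN'              # all-user phonebook entry with stored credentials
$MyPassServer = 'mypass.corp.example'  # MyPass server reachable through the tunnel
$DomainCtrl   = 'dc01.corp.example'    # any DC (read-only is sufficient)
$LogFile      = 'C:\ProgramData\CorpVpn\vpn-helper.log'

function Write-Log([string]$Message) {
    # The script runs as System with no window, so a log file is the only
    # place an administrator can see what happened.
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null
    Add-Content -Path $LogFile -Value $line
}

function Test-TunnelTarget([string]$Target, [int]$Port) {
    # -InformationLevel Quiet makes Test-NetConnection return a plain boolean.
    return Test-NetConnection -ComputerName $Target -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

function Connect-CorpVpn {
    # rasdial is a built-in command-line dialer: no GUI, works under System,
    # and connects regardless of whether an interactive user is logged on.
    $output = & rasdial.exe $VpnEntry 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Log "rasdial failed with exit code $LASTEXITCODE: $output"
        exit $LASTEXITCODE
    }
    Write-Log "tunnel '$VpnEntry' established"

    # Verify the tunnel exposes what the password-update needs:
    # the MyPass server (HTTPS) and a domain controller (LDAP and Kerberos).
    $checks = @(
        @{ Target = $MyPassServer; Port = 443 },
        @{ Target = $DomainCtrl;   Port = 389 },
        @{ Target = $DomainCtrl;   Port = 88  }
    )
    foreach ($check in $checks) {
        if (-not (Test-TunnelTarget $check.Target $check.Port)) {
            Write-Log "tunnel up but $($check.Target):$($check.Port) unreachable; disconnecting"
            & rasdial.exe $VpnEntry /DISCONNECT | Out-Null
            exit 2
        }
        Write-Log "$($check.Target):$($check.Port) reachable"
    }
    exit 0
}

function Disconnect-CorpVpn {
    & rasdial.exe $VpnEntry /DISCONNECT | Out-Null
    Write-Log "tunnel '$VpnEntry' disconnected (exit code $LASTEXITCODE)"
    exit $LASTEXITCODE
}

switch ($Action) {
    'connect'    { Connect-CorpVpn }
    'disconnect' { Disconnect-CorpVpn }
}
```

Before handing such a script to the client, run it once as System (for example via a scheduled task) with a user logged on, and confirm in the log that all three reachability checks pass; that exercises the "no GUI", "runs as System" and "user already logged on" requirements in one go. Credentials deliberately stay out of the command line: anything passed as rasdial arguments is visible to every local process through the process list, so storing them in the all-user phonebook entry or using machine-certificate authentication is the safer choice.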