Windows Auto Logon Issue with latest Windows 10,11 Updates

Article ID: CTX475052

Description

The Always-On VPN before Windows Logon feature (formerly the Always On service) lets a machine-level VPN tunnel be established even before a user logs on to a Windows system. The tunnel remains active until the machine shuts down. After the user logs on, the machine-level VPN tunnel is automatically replaced by a user-level VPN tunnel without the user having to enter credentials. In other words, single sign-on takes place with the Windows credentials when the authentication configured on Citrix Gateway is linked to Active Directory. However, with the latest Windows 10 and Windows 11 updates, this SSO fails for non-domain-joined PCs.

Resolution

Citrix is working with Microsoft to support autologon on non-domain-joined machines.

Problem Cause

The single sign-on fails because of the Windows Trusted Boot Auto-Logon (TBAL) plug-in: when the machine is not joined to a domain, the password information cannot be retained through the credential provider. Autologon is a built-in Windows feature that logs a user on automatically instead of waiting for the user to enter credentials. Autologon is enabled through registry values, one of which holds the user's password in cleartext. During startup, the system checks these values and, if autologon is set, reads the plaintext password and uses it to perform the logon.

In Windows 10 and Windows 11, autologon is extended with the TBAL plug-in. TBAL combines autologon with Automatic Restart Sign-On (ARSO).

Before shutting down, the LSA process saves the value _TBAL_{68EDDCF5-0AEB-4C28-A770-AF5302ECA3C9} in the LSA secret "DefaultPassword" repository, indicating that this is not an ordinary autologon password but a TBAL token.

When the system boots, the Citrix VPN credential provider receives this value instead of the user's real password. The VPN plug-in therefore cannot use it to perform VPN autologon SSO, and the user is prompted for LDAP/AD credentials.
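The following PowerShell script is an added example and is not part of the Citrix article or Citrix's own code. It audits the autologon configuration described above and shows the check a credential provider needs to make to tell a real password apart from the TBAL token. The Winlogon registry path and the AutoAdminLogon, DefaultUserName, DefaultDomainName and DefaultPassword value names are the documented Windows ones; the TBAL marker is the value quoted in the article; the function names Test-TbalToken and Get-AutologonAudit are this example's own. The script deliberately does not read LSA secrets: it only reports whether a cleartext password is present in the registry and whether the machine is domain-joined, which is what decides whether SSO at logon can work.

```powershell
# Added example, not from the Citrix article: audit autologon settings and
# classify the "DefaultPassword" value the way a credential provider must.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# TBAL marker as quoted in CTX475052
$TbalMarker  = '_TBAL_{68EDDCF5-0AEB-4C28-A770-AF5302ECA3C9}'

function Test-TbalToken {
    <#
    Returns $true when the string handed to the credential provider is the
    TBAL placeholder rather than a usable password. The comparison is
    case-insensitive and ignores surrounding whitespace because the value is
    read back from the LSA secret, not typed by a user.
    #>
    param([AllowNull()][string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    return $Value.Trim() -ieq $TbalMarker
}

function Get-AutologonAudit {
    <#
    Collects the facts that decide whether VPN SSO at logon can succeed:
      - whether AutoAdminLogon is enabled, and for which account
      - whether the password sits in cleartext in the registry (the Winlogon
        key is readable by ordinary local users, so this is a finding)
      - whether the machine is domain-joined (the case the article says works)
    LSA secrets are not read; that needs SYSTEM and is out of scope for an audit.
    #>
    $props = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem

    $autoOn    = ([string]$props.AutoAdminLogon) -eq '1'
    $cleartext = -not [string]::IsNullOrEmpty($props.DefaultPassword)

    $findings = @()
    if ($autoOn) {
        if ($cleartext) {
            $findings += 'DefaultPassword is stored in cleartext under HKLM Winlogon; any local user can read it.'
        } else {
            $findings += 'AutoAdminLogon is on with no registry DefaultPassword: the value lives in the LSA "DefaultPassword" secret and may be a TBAL token.'
        }
        if (-not $cs.PartOfDomain) {
            $findings += 'Machine is not domain-joined: the VPN credential provider may receive the TBAL token instead of a password (CTX475052).'
        }
    }

    [pscustomobject]@{
        AutoAdminLogon      = $autoOn
        DefaultUserName     = $props.DefaultUserName
        DefaultDomainName   = $props.DefaultDomainName
        CleartextInRegistry = $cleartext
        PartOfDomain        = [bool]$cs.PartOfDomain
        Findings            = $findings
    }
}

# Usage: reading the Winlogon key does not require elevation.
Get-AutologonAudit | Format-List

# The credential-provider decision: fall back to prompting when the
# "password" received is the TBAL marker.
foreach ($candidate in @($TbalMarker, 'constructed-sample-password')) {
    if (Test-TbalToken $candidate) {
        "Received TBAL token; SSO not possible, prompt for LDAP/AD credentials."
    } else {
        "Received a password value; attempt VPN autologon SSO."
    }
}
```

Because Test-TbalToken compares against the exact marker rather than matching any string that starts with "_TBAL_", a future change to the GUID would be reported as a real password and SSO would fail loudly rather than silently; widen the check only if the platform documentation confirms other marker values.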