

Slow Logon problem when you have DirectAccess+OTP+Persistent Internet Connection.

Hello All,

One of our customers had deployed UAG 2010 DirectAccess, and since we deployed DA we had users complaining about a weird issue. I just thought of sharing my experience…

Let’s start talking about it without any delay.

A quick intro about our setup:

  1. We have 2 UAG 2010 servers acting as DirectAccess servers, with Windows 7 clients.
  2. We have 2FA in place (Entrust + AD).
  3. Our users have their home drive on the CORP network (H:).
  4. We have a startup script pushed through GPO, which runs at startup and maps the user’s home drive at logon.

Issue we were facing:

  1. Users were facing a black screen (which would last for a few minutes) when they tried to log on to Windows 7 after starting their machine.
  2. Fortunately it didn’t happen all the time; the BLACK SCREEN appeared only when users had a persistent Internet connection while the machine was booting up.
  3. (E.g., it would happen when users had their machines connected to the Internet through Wi-Fi or a LAN connection.)

Troubleshooting:

  1. As always, we did basic troubleshooting like updating the drivers, checking the configuration of the machine and so on; however, nothing helped.
  2. Eventually, eliminating possible causes one by one, we found this: if we removed the home drive from the user’s profile, logon was faster.
  3. We then decided to use Process Monitor (a Sysinternals tool) to see what was going on during the boot process. We took a ProcMon trace with boot logging enabled, and were able to see the same behavior that Mark Russinovich explained in this blog post: http://blogs.technet.com/b/markrussinovich/archive/2012/07/02/3506849.aspx

In conclusion:

By the nature of DirectAccess + OTP + persistent Internet: when the machine got access to the Internet, it was able to form Tunnel #1 (the infrastructure tunnel); when it tried to form Tunnel #2, it was interrupted because we had 2FA in place (which is by design), so the machine was waiting for the OTP while, on the other hand, a different thread was trying to map the drive. Because of this race condition, the user faced a 20-30 minute delay.

However, our customer was NOT READY to remove the home drive mapping, and did not want users to do any manual task (like mapping the drive manually or running a custom script for drive mapping).

So it’s good that we were able to figure out the root cause; now, how do we fix this?

In my opinion, this is what we have to do to resolve the issue.

  1. Write a simple VBScript (NLSScript.vbs) which runs as part of logon and triggers DriveMapper.vbs if we find a reliable, direct connection to the domain.
    1. It should be configured as a “program” at logon using the GPO setting below.
    2. “User Configuration/Admin Templates/System/Logon/Run these programs at user logon”: the complete path has to be provided here, e.g. c:\windows\system32\Adminscripts\NLSScript.vbs
    3. If we are not able to find a reliable connection to the domain, do nothing and quit ASAP.
    4. In this case, I tried to resolve the name of the NLS server; if it is resolvable using the command below, the script calls the mapper, otherwise it quits immediately:
      1. nslookup -timeout=2 -retry=1 -type=A nls.contoso.com
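The logon-side script described above, written out as an added example (this is not the author's NLSScript.vbs). It assumes the NLS name nls.contoso.com from the post and that DriveMapper.vbs lives in the same Adminscripts folder the post uses for NLSScript.vbs. Note that nslookup bypasses the NRPT and asks the adapter's DNS servers directly, so the check only tells us "on the LAN" because the NLS record exists in the intranet DNS alone, which is the normal DirectAccess design.

```vbscript
' NLSScript.vbs: run at user logon via the GPO setting in the post.
' Added example, not the author's script. Assumptions: NLS host name from the
' post, DriveMapper.vbs stored beside this script in the Adminscripts folder.
Option Explicit

Const NLS_HOST = "nls.contoso.com"
Const MAPPER   = "C:\Windows\System32\Adminscripts\DriveMapper.vbs"

' True when the NLS name resolves quickly. Only the intranet DNS should hold
' this record, so a client on the Internet gets a failure within a few seconds
' (timeout 2 s, one retry) instead of holding the logon.
Function NlsResolvable(hostName)
    Dim sh, ex, out
    Set sh = CreateObject("WScript.Shell")
    Set ex = sh.Exec("nslookup -timeout=2 -retry=1 -type=A " & hostName)
    Do While ex.Status = 0          ' 0 = WshRunning, wait for nslookup to finish
        WScript.Sleep 100
    Loop
    out = ex.StdOut.ReadAll
    ' A successful answer prints a "Name:" block; failures print "can't find"
    ' or "DNS request timed out" and never a Name: line.
    NlsResolvable = (InStr(out, "Name:") > 0)
End Function

' Launch the mapper detached and hidden (window style 0, no wait) so this
' script returns immediately and never becomes part of the logon delay.
Sub RunMapper()
    Dim sh
    Set sh = CreateObject("WScript.Shell")
    sh.Run "wscript.exe //B """ & MAPPER & """", 0, False
End Sub

If NlsResolvable(NLS_HOST) Then
    RunMapper
End If
' On the Internet we fall through here and quit at once: do nothing, as the post says.
WScript.Quit 0
```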

The steps above reduce the logon time a lot, because we do nothing when the machine is on the Internet; on the other hand, when the machine is on the LAN, we call DriveMapper to do the mapping immediately.

Now the challenge is: how do we map the drive when the user is on the Internet?

Do we have any setting in DA that allows us to run something after the DA session starts, like any other VPN? The answer is NO. So we have to find a way to know programmatically when Tunnel #2 gets established.

There could be many other ways to run a program after a successful DA connection; in this case I did the following:

  1. We have to enable IPsec auditing through GPO, so that IPsec-related events are logged in Event Viewer; we can then use these events to trigger the home drive mapping after the user connects to DA (2nd tunnel).
  2. This can be configured using the GPO setting below:
    1. Computer Configuration/Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff
      1. Audit IPsec Extended Mode: Success and Failure
      2. Audit IPsec Main Mode: Success and Failure
      3. Audit IPsec Quick Mode: Success and Failure
  3. Create a scheduled task as per http://technet.microsoft.com/en-us/library/cc725745.aspx to run DriveMapper.vbs, triggered when an event matches the query below:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4982)] and EventData[Data and (Data='DC=com, DC=yourdomain, CN=Your_OTPCA')]]</Select>
  </Query>
</QueryList>

More documentation about IPsec events is here: http://technet.microsoft.com/en-us/library/dd772751(v=ws.10).aspx
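A complete Task Scheduler definition that carries the post's query as its event trigger and runs DriveMapper.vbs in the logged-on user's session, as an added example (not the author's task). The Adminscripts path for DriveMapper.vbs, the five-minute time limit and the use of the built-in Users group as the principal are assumptions; the event ID and the OTP CA distinguished name are taken from the query above and must match your own CA.

```xml
<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Map the home drive once the DirectAccess user (OTP) tunnel is established</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <!-- The post's query, escaped because the Subscription element carries it as text -->
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(EventID=4982)] and EventData[Data and (Data='DC=com, DC=yourdomain, CN=Your_OTPCA')]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <!-- Assumption: run as whichever member of Users is logged on, least privilege;
         a mapped drive letter is per-user, so the mapper must run in that session -->
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <!-- Assumption: a mapper that has not finished in 5 minutes is killed rather than left hanging -->
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\Windows\System32\Adminscripts\DriveMapper.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>
```

Import it with schtasks /Create /TN "DA OTP DriveMapper" /XML task.xml (or push it with a GPO scheduled-task preference); Task Scheduler evaluates the subscription itself, so the task fires only for Extended Mode events whose data names your OTP CA.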

The other, more elegant approach to the same problem could be:

  1. Start IPHLPSVC (the IP Helper service, essential for DA) only after the interactive desktop is presented to the user.
  2. You can do this by trigger-starting iphlpsvc using UBPM (http://blogs.technet.com/b/askperf/archive/2009/10/04/windows-7-windows-server-2008-r2-unified-background-process-manager-ubpm.aspx) based on any ETW event that is generated after the interactive desktop is presented to the user, using the sc utility like below:
    1. sc triggerinfo iphlpsvc start/custom/0850302a-b344-4fda-9be9-90576b8d46f0

Keep in mind that with this approach neither tunnel comes up before the desktop is present, so anything that relies on the infrastructure tunnel before logon (such as computer Group Policy processing over DA at boot) is delayed as well.

Hope this helps!

Thanks so much for reading!

Thanks, 
Vasu Deva