UVa Identity Token Authentication
Installation: Special User JointVPN Profile
Some users will need to log into Windows Domain services that are located either on the Clinical Subnet or on the JointVPN network itself. Your department or your LSP will typically notify you if you need to log into a Windows Domain that is protected by the JointVPN.
If you need to log into a Windows Domain, use the JointVPN-SpecialRelogin VPN profile instead of the standard JointVPN profile, as illustrated in the image below. (Note: before you can use the JointVPN-SpecialRelogin profile, you must first configure the profile as shown in the section on Installing the VPN client software and configuring for use with the JointVPN; with the VPN client software installed, simply select the JointVPN-SpecialRelogin profile as shown below, and perform the same steps outlined for the standard JointVPN configuration.)
- To use the JointVPN-SpecialRelogin profile, click the profile to highlight it,
and click the Connect icon.
- Enter the password to your UVa Identity Token hardware token when prompted. Once the VPN session
is established, the window shown below will appear for five seconds. At the end of the five-second
interval, you will be automatically logged out of and then back into Windows.
- At the Windows login prompt, enter your normal Windows password. Once you have logged
into Windows, you will be fully logged into your Windows Domain and ready to work.
Note for technical professionals: the user's first Windows login used cached credentials since no access to the Domain Controller existed before the VPN tunnel was established. Once the user logged into the local workstation using cached credentials, the VPN session was started using the UVa Identity Token Hardware Token. As soon as the VPN tunnel was established, the VPN client software forced a Windows logoff and relogin. Since the VPN session was maintained throughout the logoff and relogin process and a connection to the domain controller was thus possible, the second Windows login was a full domain login using all of the normal login processing scripts. This technique enables the use of all Windows Domain capabilities even when the domain resides completely on a protected network segment and the user's workstation is located outside of the firewall and uses a VPN for its connection.