How can I enable domain authentication over wireless in Windows 7/2k8?

I've got several domain-member laptops which commonly roam to places where there aren't any network ports available. Occasionally, during these times, the laptop may be used by someone who has not logged into it previously - therefore, they cannot rely on cached credentials to allow them onto the system.

We also have a fairly ubiquitous wireless network that allows us to connect using our domain accounts for 802.1X authentication. Under this configuration, the Dell WLAN Card Utility has a feature which allows the system to connect to the wireless network at logon (after the user has entered their credentials) prior to attempting authentication to the domain for local system access.

Here's the option in the configuration screen:

[screenshot]

Here's the feature in action, just after submitting user credentials at the login screen. This occurs before allowing the user local access to the system. The computer initializes the wireless adapter, searches for the wireless network, authenticates to the wireless network (presumably with the supplied user credentials), grabs an IP address, and then searches for a Domain Controller. Once the Domain Controller is found, the user (if authenticated) is then logged in to the local system.

[screenshot]

The above screenshots are from Server 2003, but I'm upgrading the laptops to Server 2008 and would rather not install the vendor-specific utility if it is not needed. Is this a feature that is built-in to newer versions of Windows? If so, how do I enable it without having to use the vendor-specific configuration utility? Could the configuration be pushed through a GPO?


Try this (on the client computer):

  1. Login locally using a user with administrator privileges.

  2. Connect to your office's wireless network, save the credentials, and then make sure you check the "Connect automatically" checkbox.

  3. Open a command prompt window and type the following command to find the profile name of your wireless network:

    netsh wlan show profiles

  4. Let's say the profile to use in the example is "office-network". Open regedit and look for the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  5. Create a new String Value (REG_SZ) at that location, name it anything you want (e.g. WIFI_Connect), and enter the following command string, where the profile name in our example would be "office-network":

    %comspec% /c netsh wlan connect name="<profile name>"

  6. Reboot the laptop for this to take effect.

  7. If it still doesn't work or fails to connect to your office network at pre-logon, try enabling the following Local Group Policy (using gpedit.msc): Computer Configuration\Policies\Administrative templates\System\Logon\Always wait for the network at computer startup and logon. A full description of what this policy does is present on the dialog when you edit it. (It's too long to paste here).

  8. If it still says it cannot find a valid domain, it could be a DNS issue. Make sure that the wireless router providing you the connection is set up to provide the proper DNS servers over DHCP, and that the domain can be resolved with them.

If none of that works, I don't know what is wrong, but it's nothing obvious. Every KB I've read so far points to this solution, and it seems to work well for others.


I've set up this exact scenario, except I do not use any 3rd party wireless utilities such as the Dell one; I simply let Windows do its thing.

I set this up on 7, but it should be the same for Vista and actually XP. Since I hate doing things redundantly and repetitively, I simply use the GPO Computer Config > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies. You can create a Vista+ and XP policy in there that gets the job done.

It's also a good idea to enable "Always wait for the network at computer start-up and logon" (Computer Config > Policies > Administrative Templates > System/Logon).

When the SSID is in range, the machine will connect to it using the credentials supplied at logon (SSO): connect, then auth. Also, if the credentials supplied do not allow the machine to connect, I have it set so the user can be prompted to enter credentials again for wireless (not necessary with SSO, but in some cases it's useful).

Here are some screenshots from my setup: http://www.reborndigital.com/pubfiles/wifi_gp_ss/

Hope that helps!
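To confirm on a client that the wireless profile really is set for single sign-on before logon, the exported profile XML can be inspected. The script below is an added example, not code from either answer: the function name `Test-WlanPreLogonSso` is hypothetical, the sample profile is constructed (its EAPConfig section is omitted), and it assumes the standard Windows WLAN/OneX profile element names.

```powershell
# Constructed sample: the 802.1X part of an exported WLAN profile (EAPConfig omitted).
# A real file comes from: netsh wlan export profile name="office-network" folder="%TEMP%"
$sampleProfile = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>office-network</name>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
      <singleSignOn>
        <type>preLogon</type>
        <maxDelay>10</maxDelay>
      </singleSignOn>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

function Test-WlanPreLogonSso {
    param([Parameter(Mandatory=$true)][string]$ProfileXml)
    $doc = [xml]$ProfileXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $ns.AddNamespace('x', 'http://www.microsoft.com/networking/OneX/v1')
    # Text of the first node matching the XPath, or $null when the element is absent.
    $get = { param($xpath) $n = $doc.SelectSingleNode($xpath, $ns)
             if ($n -ne $null) { $n.InnerText } }
    $sso = & $get '//x:OneX/x:singleSignOn/x:type'
    New-Object PSObject -Property @{
        Profile        = & $get '/w:WLANProfile/w:name'
        ConnectionMode = & $get '/w:WLANProfile/w:connectionMode'
        UsesOneX       = (& $get '//w:authEncryption/w:useOneX') -eq 'true'
        AuthMode       = & $get '//x:OneX/x:authMode'
        SsoType        = $sso
        MaxDelaySec    = & $get '//x:OneX/x:singleSignOn/x:maxDelay'
        # Only preLogon brings the link up before the domain logon is attempted;
        # a missing singleSignOn element or postLogon leaves a new user without a DC.
        PreLogonReady  = ($sso -eq 'preLogon')
    }
}

Test-WlanPreLogonSso -ProfileXml $sampleProfile
```

For a real profile, pass the exported file's contents joined into one string, for example `[string]::Join("`n", (Get-Content <path to exported xml>))`.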