When using Cisco AnyConnect Secure Mobility Client to establish VPN connections, one might see a frustrating error message such as this one:
AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established.
or this one:
VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established.
Cisco’s documentation mentions that these limitations are specified in a profile XML file, which is downloaded from the VPN server during connection establishment.
Using Sysinternals Process Monitor, it is possible to see that this file is downloaded to the following path:
%programdata%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\[some name].xml
It turns out the file is downloaded by the AnyConnect Secure Mobility Client (vpngui.exe) and then analyzed. To bypass the restrictions imposed in the file, it is enough to use a simple application that monitors changes to that specific file and immediately replaces it with another file (where the restrictions are not present).
The two restrictions related to the error messages above are specified in the following nodes of the file:
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
A copy of the current profile XML file can be made with the nodes above commented out. The aforementioned application then overwrites the downloaded XML file with the “custom” version. Sample source code for such an application follows (C#):
Note: it might be necessary to run the application with elevated privileges.
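A defender-side check for the profile replacement described above, as an added example (it is not the post's C# code and not Cisco's): it parses a profile and reports when either of the two nodes is missing, commented out, or set to a non-restrictive value, and optionally compares the file's SHA-256 with the copy held on the VPN server. The names `audit_profile` and `EXPECTED`, the assumption that the restrictive values are the organization's policy, and the sample profiles are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Assumed policy: the restrictive values of the two nodes quoted on the page.
EXPECTED = {
    "WindowsLogonEnforcement": "SingleLocalLogon",
    "WindowsVPNEstablishment": "LocalUsersOnly",
}

def local_name(tag):
    """Strip an '{namespace}' prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_profile(xml_bytes, expected_sha256=None):
    """Return a list of findings; an empty list means the profile matches policy."""
    findings = []
    if expected_sha256 and hashlib.sha256(xml_bytes).hexdigest() != expected_sha256:
        findings.append("hash differs from the headend copy")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return findings + [f"profile is not well-formed XML: {exc}"]
    # ElementTree drops comments, so a commented-out node shows up as missing.
    seen = {}
    for el in root.iter():
        name = local_name(el.tag)
        if name in EXPECTED:
            seen[name] = (el.text or "").strip()
    for name, want in EXPECTED.items():
        if name not in seen:
            findings.append(f"{name} missing or commented out")
        elif seen[name] != want:
            findings.append(f"{name} is {seen[name]!r}, expected {want!r}")
    return findings

# Constructed sample profiles (not taken from a real deployment).
GOOD = b"""<AnyConnectProfile><ClientInitialization>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
</ClientInitialization></AnyConnectProfile>"""
TAMPERED = b"""<AnyConnectProfile><ClientInitialization>
<!-- <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement> -->
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
</ClientInitialization></AnyConnectProfile>"""

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("tampered", TAMPERED)):
        print(label, audit_profile(blob) or "OK")
```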