I need to make a VPN connection using a pbk file and a login / password silently, without any dialogs. Just like: run script, connected. Also, the user should not create a connection manually; everything should be done programmatically.

First I created a connection manually to check that it works: I ran the pbk file, entered the login and password in the new connection dialog and clicked the connect button. The connection was successfully created and the VPN worked.

Then I closed the connection and ran the following command in cmd:

rasdial "MyVPNName" "login" "password" /phonebook:"path\to\file.pbk"

and successfully connected to the VPN. I was happy, everything worked as I expected. But when I ran the same command on another PC, I got error 703:

The connection needs information from you, but the application does not allow user interaction.

I think it requires a login and password. I noted that it ignores the login and password in the command line and works with wrong credentials or even without them. I tried to create a connection with rasphone.exe, but the create connection dialog appears. When I created a connection with that dialog, the rasdial command worked even without a login and password in the command line. It seems the system stores a connection and uses saved credentials to connect.

But that's not what I need. I need to establish a VPN connection with a single click in my application. In that app I'm planning to run rasdial.exe or another built-in utility, and the user should not see any dialogs other than my app or type the login / password manually.

I have PreviewUserPw=0 in the pbk file, as mentioned here: "Single-Click to connect to VPN on Windows 10", but it does not help; the dialog appears anyway.

Or maybe I could set the login and password in the pbk file? Is it possible?

1 Answer

1) rasdial vpnname worked fine for me on MS Windows 10, 19XX, 20H1, 20H2, but when I upgraded to 21H1 this stopped working with VPN configurations which used certificate-based auth or which used saved credentials.

The error generated was:

Remote Access error 703 - The connection needs information from you, but the application does not allow user interaction.

rasdial appears to have started to require 2 additional args after specifying a configuration to use: "username" and "password"

You can substitute " * " for password and then you can be prompted for password. You can substitute " * * " for username and password to be prompted for both.

However, if you have saved credentials in your config, or you use certificate based authentication, these are not really required.

You can instead pass the arguments " '' '' " (no double-quotes, just two single quotes, back-to-back '' for username and then a whitespace followed by two more single quotes, back-to-back '' for password):

rasdial vpnname '' ''

Consider trying to pass '' '' for username password and see if that side-steps the problem you have encountered.

2) If you use strongswan as your IPSec Tunnel service you are connecting to from windows, there is a "bug" which prevents MS Windows "save username and password" from working. A work-around for this windows/strongswan issue was provided as changes to your strongswan configuration which works: https://serverfault.com/questions/908098/strongswan-clients-access-rights/9081

3) Assuming IPSec tunnel... I found using PowerShell to create a VPN "Connection" seems to support everything needed to save credentials so that "rasdial" can be scripted to check to see if the named VPN is running and if not start it without prompting. That scripted process worked before Windows 10 21H1, but required the change to rasdial described above.

The one caveat? The first time a user connects they need to specify their credentials, but if they succeed, they are no longer prompted for them. After that? A script can be used to call rasdial to start the VPN.

For the PowerShell creation of a VPN "connection", there is no need to specify a /phonebook:\path\to\pbk

Example with PowerShell for creating a VPN "connection" available to rasdial, assuming IKEv2 and more assumptions, change as needed:

Add-VpnConnection -Name "your-vpn-connection-name" -ServerAddress "fqdn.example.com" -TunnelType "IKEv2" -RememberCredential -AuthenticationMethod Eap -EncryptionLevel "Maximum";

Then maybe add more features:

Set-VpnConnection -Name "your-vpn-connection-name" -ServerAddress "fqdn.example.com" -SplitTunneling $False -RememberCredential $True -TunnelType "IKEv2" -AuthenticationMethod Eap -UseWinlogonCredential $False -EncryptionLevel "Maximum";

You can then use PowerShell "Set-VpnConnectionIPsecConfiguration" to set things like: ciphers to use, hashes to use, and more advanced features.

4) Once you have a named vpn "connection" you should be able to:

(With older rasdial that didn't require username/password args:)

rasdial your-vpn-connection-name

(Newer rasdial which requires username and password, which you saved or intended to save to the system:)

rasdial your-vpn-connection-name '' ''

Hope this helps. Good luck!
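
The scripted check the answer describes (start the named VPN only if it is not already connected, relying on saved credentials), as an added example that is not part of the original answer. The function name Connect-SavedVpn is hypothetical, the connection name is the answer's placeholder, and treating rasdial's exit code as the RAS error number is an assumption.

```powershell
# Added example, not from the original answer.
# Assumes the connection was created with Add-VpnConnection -RememberCredential
# and that the user has connected once, so the credentials are already saved.
function Connect-SavedVpn {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Name
    )

    # Stops with an error if the named connection does not exist for this user.
    $vpn = Get-VpnConnection -Name $Name -ErrorAction Stop

    if ($vpn.ConnectionStatus -eq 'Connected') {
        Write-Verbose "$Name is already connected."
        return $true
    }

    # Call rasdial by full path and hand it the raw command line, so it receives
    # the two '' placeholders exactly as typed at a cmd prompt. No real password
    # is placed on the command line, where other processes could read it.
    $rasdial = Join-Path $env:SystemRoot 'System32\rasdial.exe'
    $proc = Start-Process -FilePath $rasdial `
        -ArgumentList "`"$Name`" '' ''" `
        -NoNewWindow -Wait -PassThru

    switch ($proc.ExitCode) {
        0 { return $true }
        703 {
            # Assumption: the exit code equals the RAS error number (703 above).
            Write-Warning "Error 703: no usable saved credentials; connect once interactively."
            return $false
        }
        default {
            Write-Warning "rasdial failed with exit code $($proc.ExitCode)."
            return $false
        }
    }
}

# Usage with the answer's placeholder connection name.
if (-not (Connect-SavedVpn -Name 'your-vpn-connection-name' -Verbose)) {
    exit 1
}
```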