When using the Cisco AnyConnect Secure Mobility Client to establish VPN connections, one might see a frustrating error message such as:
AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established.
or this one:
VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established.
Cisco’s documentation mentions that these limitations are specified in a profile XML file, which is downloaded from the VPN server while the connection is being established.
Using Sysinternals’ Process Monitor, it is possible to see that this file is downloaded to the following path:
%programdata%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\[some name].xml
It turns out the file is downloaded by the AnyConnect Secure Mobility Client (vpngui.exe) and then analyzed. In order to bypass the restrictions imposed by the file, it is enough to use a simple application that monitors changes to that specific file and immediately replaces it with another file in which the restrictions are not present.
The two restrictions related to the error messages above are specified in the following nodes of the file:
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
A copy of the current profile XML file can be made in which the nodes above are commented out. The application described above then overwrites the downloaded XML file with this “custom” version. Sample source code for such an application follows (C#):
Note: it might be necessary to run the application with elevated privileges.
using System.IO;

class Program
{
    // Set once the downloaded profile has been overwritten with the custom copy.
    private static bool replaced = false;

    static void Main(string[] args)
    {
        // Watch the profile folder where vpngui.exe stores the downloaded XML.
        FileSystemWatcher watcher = new FileSystemWatcher(@"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile");
        watcher.Created += watcher_Changed;
        watcher.Deleted += watcher_Changed;
        watcher.Changed += watcher_Changed;
        watcher.EnableRaisingEvents = true;

        // Poll until the replacement has happened, then exit.
        while (!replaced)
        {
            System.Threading.Thread.Sleep(100);
        }
    }

    static void watcher_Changed(object sender, FileSystemEventArgs e)
    {
        // Only react to the profile being (re)created by the client.
        if (e.ChangeType == WatcherChangeTypes.Created)
        {
            ReplaceFile();
        }
    }

    static void ReplaceFile()
    {
        // profile.xml stands for "[some name].xml"; customprofile.xml is the edited copy.
        File.Delete(@"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\profile.xml");
        File.Copy(@"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\customprofile.xml",
                  @"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\profile.xml");
        replaced = true;
    }
}
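From the administrator's side, the post shows that the enforcement lives in a plain XML file on disk, so a profile that has been swapped or edited looks like a profile where the two nodes are missing (a commented-out node is invisible to an XML parser) or carry a relaxed value. The following audit script is an added example, not code from the post or from Cisco: it parses a profile and reports the state of the two nodes named above. The root element name, the namespace and the sample profiles are constructed for the example; the check matches on local element names so the real profile layout does not matter, and it can be pointed at the on-disk profile path from the post.

```python
import xml.etree.ElementTree as ET

# The two enforcement nodes named in the post, with the values that enforce the
# restriction. "AllowRemoteUsers" is the relaxed value mentioned in the comments.
STRICT_VALUES = {
    "WindowsLogonEnforcement": "SingleLocalLogon",
    "WindowsVPNEstablishment": "LocalUsersOnly",
}


def _local_name(tag):
    """Strip a namespace prefix like '{uri}Name' down to 'Name'."""
    return tag.rsplit("}", 1)[-1]


def audit_profile(xml_text, expected=STRICT_VALUES):
    """Return a list of (node, status, value) findings for each expected node.

    status is 'ok' (strict value present), 'relaxed' (node present with another
    value) or 'missing' (node absent, which is also what a commented-out node
    looks like to the parser)."""
    root = ET.fromstring(xml_text)
    found = {}
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in expected:
            found[name] = (elem.text or "").strip()
    findings = []
    for node, strict in expected.items():
        if node not in found:
            findings.append((node, "missing", None))
        elif found[node] == strict:
            findings.append((node, "ok", found[node]))
        else:
            findings.append((node, "relaxed", found[node]))
    return findings


def profile_is_enforcing(xml_text, expected=STRICT_VALUES):
    """True only if every expected node is present with its strict value."""
    return all(status == "ok" for _, status, _ in audit_profile(xml_text, expected))


# Constructed sample profiles (assumed root element and namespace, not real
# deployed profiles).
INTACT_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>
"""

TAMPERED_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement> -->
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>
"""

if __name__ == "__main__":
    import sys
    # Usage: python audit_profile.py "<path to the profile XML>"; without an
    # argument the constructed tampered sample is audited.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else TAMPERED_PROFILE
    for node, status, value in audit_profile(text):
        print(f"{node}: {status}" + (f" ({value})" if value else ""))
```

Run periodically or from an endpoint agent, a "missing" or "relaxed" finding on a host whose profile is supposed to be enforcing is the on-disk symptom of the replacement described in the post; comparing the file's hash against the copy served by the head end is the complementary check.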
ncsugrad
September 16, 2013
This worked for me. You Rock!
Helpful Stranger
May 28, 2014
To compile or run you need .NET 4.0
#compile
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe AnyconnectBypass.cs
#generates an exe
Code:
http://pastebin.com/N0nZP0p1
Note:
Works the second time for me. After it works, the utility app exits for an unknown reason; it probably needs a try-catch.
I have these settings enabled in backup.xml
SingleLocalLogon
AllowRemoteUsers
Apollo77
June 5, 2014
This looks like exactly the solution I need. However, I am wondering if Anyconnect has been changed to prevent this method. My client version is 3.1.05160.
Helpful Stranger, I compiled the code on the link you provided. I made necessary changes such as changing the filenames to match my setup. I also flipped from the XP configuration to the win7. The program itself works as expected.
However, when I launch the program and attempt to connect to the VPN, the xml file gets replaced as expected, but I get this message from AnyConnect: “The VPN client driver encountered an error. Please restart your computer or device, then try again.”
I can see in the CMD window that the file gets replaced. In fact, I get the message 11 times. That seems strange. Is it possible AnyConnect sees the file has been changed and replaces it 11 times and then gives up?
Any idea what might be happening here. It seems like AnyConnect detects that the file has been changed and still will not allow me to connect using RDP.
Helpful Stranger
June 5, 2014
Yes I see it logged many times as well.
In the mean time I found another solution. Disable “desktop integration” temporarily while you connect and then enable it again after connecting. Works fine for my VirtualPC XP image.
Sev
January 20, 2015
Thanks!
Apollo77
June 5, 2014
I must be missing something. I cannot seem to get this working. I was not previously using Virtual PC, but I installed it and set up a Win7 32-bit VM (apparently, Virtual PC does not support 64-bit guests … arrgghhh). I connect with “integration services” disabled. Then I enable integration services. No difference. I still cannot RDP into the VM once the VPN is connected.
wb640
July 4, 2014
Replacing the XML file with a modified copy doesn’t seem to work anymore, AnyConnect (3.1.05160) crashes when that happens … If anyone knows another method of bypassing the RDP restriction, please …!
Fixer
November 27, 2014
I solved it somewhat different, but based on the same principle.
1. Create a text file called ReplaceProfile.bat (make sure it’s not extension .bat.txt) in the folder where your Cisco profile is stored (for me: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile), replace ‘COMPANY_PROFILE’ (2x) below with the name of your specific XML file :
:------------------------------------------------------------------------
@echo off
cd /d "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"
cd
:check
fc COMPANY_PROFILE.xml MyProfile.xml
if errorlevel 1 goto DoCopy
goto OK
:DoCopy
echo Copying
copy MyProfile.xml COMPANY_PROFILE.xml >nul
:OK
goto check
ping localhost >nul
exit
:------------------------------------------------------------------------
2. Create a shortcut on your desktop to ReplaceProfile.bat, edit the shortcut properties to run it ‘As administrator’
3. One-time setup:
– copy your company’s profile.xml to MyProfile.xml
– edit MyProfile.xml and change:
LocalUsersOnly
to:
AllowRemoteUsers
and save
4. Every-time hack:
– Just before connecting, or just before hitting Enter after typing your credentials, run the shortcut to ReplaceProfile.bat
5. Cisco starts the connection even when you logged onto that PC over remote desktop!
(worked for me, but this might be timing critical, since Cisco has some mechanism to prevent changes to the XML file)
6. You can kill the running ReplaceProfile.bat after VPN connected
Hope this helps.
lotuswill
March 3, 2016
Could you please let me know which version of Cisco VPN Client this code works with? I am using 3.1 and Cisco VPN reads the profile.xml even before the file gets replaced, could you please help?
Joao
March 6, 2016
Hi,
Unfortunately I no longer need to use a VPN and I’m not able to verify your issue. The blog post was written 2.5 years ago and I believe I was using the most up-to-date version of the AnyConnect vpn client back then.
Best regards,
Joao
Sean C.
March 7, 2016
Could someone provide a compiled exe of this code for someone that does not have visual studio? Would be greatly appreciated!!
Natalia
May 9, 2016
Joao, Thank you so much! Your decision just saved our project!
PS. We use cisco anyconnect secure mobility client 4.x
Dimitri “Shedal” Shevchenko
July 20, 2016
I am using VPN client version 4.2.02075. The .xml file is missing from the folder, the only file that exists there is `AnyConnectProfile.xsd`. So they might have changed the client to download and analyze the .xml file in-memory instead of saving it to disk.
zazzn
July 26, 2016
I don’t think this works anymore, because the client is too quick at reading the file. At least the batch file didn’t work for me.
Guido
December 18, 2016
Joao, thanks from my side as well. Urgent project... now we can do it :-).
G.
omegaman
September 23, 2019
Thanks for the code. I found a few issues which could cause failure. I have documented on my blog which has a trackback which you reference. And yes, the process in general still works on the latest client.
Anonymous
November 24, 2020
This doesn’t seem to work at least with version 4.6 which I am using.
I have tried using the filewatcher to check all folders under Cisco both in “ProgramData” and “AppData\Local”; no xml files are created or modified.