Windows Vista RC2 upgrade broke domain membership

Turns out the 32-bit Windows Vista RC2 upgrade from RC1 broke my notebook computer's domain membership in an odd way. I could still log into the machine with my domain credentials, seamlessly access Exchange over HTTP via single sign-on, etc., but I could not establish a VPN connection with IT Connection Manager. I'd be prompted for my SmartCard PIN, begin the connection but then fail on the attempt to reach our internal security server. A quick call to our helpdesk had me retry with the IPSec Policy Administration service stopped. No luck. So we removed the machine from the domain and tried to VPN again. Success! It appears there's some odd behavior in the RC1-to-RC2 upgrade that tries to pull forward domain membership, makes some incorrect assumptions and doesn't fully work as expected, but works just enough that you think it worked.

With the machine successfully connected to the VPN, I was able to rejoin it to the domain but was faced with a small challenge on reboot ... no more cached credentials for my domain account. Fortunately, logging on as the local Administrator and establishing a VPN connection is a persistent operation when choosing to switch users. I was able to Switch User and logon with my domain credentials, having them validated over the already established VPN connection and thereby creating a set of cached credentials.

Technorati tags: vista, security, vpn