Network Connect and MS SQL2008

Totem_
New Contributor

Hi!

I have a problem working with SQL2008 through the NC connection.

There is a SQL2008 server (Windows authentication is used) in our LAN, with which users work using MS Access.

The goal is to provide the ability for our users to work with this SQL remotely!

We use the SA2500 (6.5R4 build 15551) appliance to provide remote access for users. Network Connect client is used to connect to our LAN. SA appliance authenticates users via RADIUS (users enter domain login/password when signing in).

When the user tries to access SQL through the NC, the following things happen:

- User signs on to SA2500 from the Internet and launches NC;

- User's computer gets local IP from the NC ip-pool;

- User launches MS Access and tries to connect to the SQL-server;

- Connection attempt fails...

SQL logs say: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 192.168.9.4]

Any suggestions how to solve this problem?

I would be thankful!

5 REPLIES
MattS_
Frequent Contributor

Re: Network Connect and MS SQL2008

It sounds like the client is not logged into the required (internal) domain, as the NC tunnel was not established when they logged on to the PC, so they are logged on to the local computer (http://support.microsoft.com/?id=242536).

Maybe this feature will help (p.649 of 6.5 Admin Guide):

Logging In To Windows Through a Secure Tunnel
Use the Logoff On Connect feature for users to log in to their Windows
environment through an existing Network Connect secure tunnel. This feature lets
them authenticate against a Windows Domain server in real time, as opposed to
authenticating with the locally cached credentials. When this feature is enabled,
they are automatically logged off Windows after the Network Connect session
starts. The standard Windows login screen re-appears and they log in using their
Windows credentials. Their Windows environment is now established through the
Network Connect tunnel.

To use the Logoff On Connect feature:
1. Users log on to their local machine using their domain cached credentials.
Their machine must be part of a Windows domain.
2. Users launch Network Connect and click Tools from the Network Connect login
page.
3. Select the Logoff on Connect option and click OK.
4. Users enter their username and password credentials in the Network Connect
login page.

Network Connect establishes a tunnel and logs them off of their local machine.
The Windows login page appears.
5. Users enter their username and password credentials to sign-in to their
Windows Domain using the Network Connect tunnel.

Another possible option is GINA, which would allow the NC tunnel to be established before the user signs in to the Windows domain.

Totem_
New Contributor

Re: Network Connect and MS SQL2008


@MattS wrote:

It sounds like the client is not logged into the required (internal) domain, as the NC tunnel was not established when they logged on to the PC, so they are logged on to the local computer (http://support.microsoft.com/?id=242536).

Maybe this feature will help (p.649 of 6.5 Admin Guide):

Logging In To Windows Through a Secure Tunnel

.....


MattS, thank you for the answer!

Yes, this option really works! But it only works for domain computers...

So, this is a partial solution.

Is there a way to provide same access from the computer which is not a domain member?

P.S. As far as I understand, with SSO turned on, the SA appliance should use credentials, entered by user while signing in. Not the local credentials!

Example:

- User logs into his home PC - login:home pwd:XXX

- Then he signs in to the SA and launches NC using - login: DOMAIN\domain_user pwd:YYY

- When user launches MS ACCESS (on his non-domain PC) and tries to connect to SQL (through the NC), SA appliance should provide the "login: DOMAIN\domain_user pwd:YYY" for auth! But the local credentials are provided instead of the domain credentials!

MattS_
Frequent Contributor

Re: Network Connect and MS SQL2008

With a NC connection, the user is given an IP address so they are on the internal subnet - the SA does not intermediate the access to applications so you cannot configure SSO for NC. GINA should allow the user to establish a NC tunnel then sign onto the domain with their credentials.

If you use a web/file resource then the client connects to the SA which proxies/re-writes the connection - in those cases the SA can then insert SSO information such as <username> and <password>.

Totem_
New Contributor

Re: Network Connect and MS SQL2008


@MattS wrote:

.....

GINA should allow the user to establish a NC tunnel then sign onto the domain with their credentials.

.....


According to http://kb.pulsesecure.net/KB11010 , the computer using GINA MUST belong to a domain! So GINA is applicable only for domain PCs!

Is there a way to provide access to LAN resources (as a domain user) from a PC which doesn't belong to a domain?

stine_
Super Contributor

Re: Network Connect and MS SQL2008

I think you could create a Windows: Session start script under Roles-[role name]->Network Connect->Options that maps a connection to \\win2k8SQLserver\IPC$ using the users' domain credentials.

You could also do the same thing with a 1-line batch file that they'd have to run prior to connecting to the SQL server. This would cause a connection to be opened to the SQL server using their domain credentials, and should allow SQL to piggyback on this auth.

I am not sure if you could pass <user> to the script as a command-line option, and I don't know if the resulting password prompt would be visible. This is something that I haven't tried in a while.
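
The pre-connect step suggested in the last reply, written out as an added example (not code from any poster in this thread, and not tested against an SA appliance). The server name is the one used in the reply; `DOMAIN\domain_user` is the placeholder account from earlier in the thread. The password is prompted for by `net use` (`*`) rather than stored in the script, and the session is not made persistent.

```powershell
# Added example: open an SMB session to the SQL host with domain credentials
# from a non-domain PC, after the Network Connect tunnel is up.
param(
    [string]$SqlServer  = 'win2k8SQLserver',     # host name from the reply above
    [string]$DomainUser = 'DOMAIN\domain_user'   # placeholder account from the thread
)

# Build \\server\IPC$ without relying on variable expansion next to the trailing '$'.
$share = '\\{0}\IPC$' -f $SqlServer

# Fail early if the tunnel is not up or SMB (TCP 445) is filtered on the NC role.
if (-not (Test-NetConnection -ComputerName $SqlServer -Port 445 -InformationLevel Quiet)) {
    Write-Error "Cannot reach $SqlServer on TCP 445. Is the Network Connect tunnel established?"
    exit 1
}

# Drop any stale session to the same share so the new credentials are actually used.
net use $share /delete /y 2>$null | Out-Null

# '*' makes net use prompt for the password, so it never appears in the script,
# the command line, or the process list. /persistent:no keeps it out of the profile.
net use $share "/user:$DomainUser" * /persistent:no
if ($LASTEXITCODE -ne 0) {
    Write-Error "net use failed with exit code $LASTEXITCODE (bad credentials or account locked?)."
    exit $LASTEXITCODE
}

Write-Host "Session to $share opened as $DomainUser. Start MS Access now."
Write-Host "When finished, close the session with: net use $share /delete"
```

On the server side, a successful run shows up as a network logon for the domain account from the client's NC pool address, which is the thing to compare against the "untrusted domain" login failure in the SQL log.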