Fixing Cisco VPN AnyConnect "Multiple Local users are currently logged into your computer"

Published October 10, 2013 by FoxDeploy

Since I’ve rebuilt my home testlab as a Server 2012 R2 box, I’ve been unable to connect to my companies VPN, which has caused me a world of…well, minor inconveniences. This will not do!

The message I would get upon connection was:

AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer.  A VPN connection will not be established. AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

I was befuddled, as I was clearly the only logged on user (or so I thought).  After digging in deeply, I noticed in my Get-Process list that in addition to Session 0 (Kernel.Services) and my own home Session 1, there was an interloper!   I determined this by launching PowerShell and checking for open sessions. I used Get-Process | Select SessionID -Unique

I didn’t take a screen shot at the time, but the output was this, with one extra entry, a Session 2.

Imagination time, envision a very guilty and yet innocuous looking Session # 2 listed here.

I then launched “query session” (or qwinsta, as it is commonly refered to for some reason, probably an old OS2 joke), and noted the below!

SMOKING GUN! Actually, pretend there Is a session 2 listed here.

The problem was that I’m running Hyper-V (not the issue) with Remote Desktop Services Virtualization Host (the problem) enabled as well

What happens when you enable Virtualization host is that the Remote Desktop Session Host service launches as Session 2 and above, so you’d have

Session 0 – Services,

Session 1 – Console/User,

Session 2 – RDSH.

It doesn’t run many process or anything very incriminating other than an instance of CSRSS and some other base services, but that alone running will register as an additional Session, which is enough to give sadness to the VPN Client.  You can see what processes are run by the Session if you’d like using the following command:   Get-Process | Where SessionId -eq '$Interloper_id_from_above'

I ended up fixing it by using Remove-WindowsFeature PowerShell commandlette to remove the Remote Desktop Services roles, as Add Windows Features in Server Manager will not allow you to remove certain RSDH roles. The command to remove it was:

Remove-WindowsFeature Remote-Desktop-Services, RDS-Virtualization

The issue impacted Cisco VPN AnyConnect versions 2.4x, 2.5x and 3.1.01065.

Microsoft MVP

Five time Microsoft MVP, and now I work for the mothership

Need Help?

Get help much faster on our new dedicated Subreddit!

depicts a crowd of people in a night club with colored lights and says 'join the foxdeploy subrreddit today'

Blog Series
series_sml_PowerShellGUI series_sml_IntroToRaspberryPi Programming series_sml_IntroToWindows Remote Management Series The Logo for System Center Configuration Manager is displayed here Depicts a road sign saying 'Learning PowerShell Autocomplete'

Blog Stats