When deploying Windows 10 Always On VPN using Protected Extensible Authentication Protocol (PEAP) authentication with client certificates, administrators may find the VPN connection does not establish automatically. In this specific scenario the client is prompted to select a certificate to use to authenticate to the VPN server.

Multiple Certificates

This can occur when certificates from multiple Certification Authorities (CAs) are issued to the user that include the Client Authentication Enhanced Key Usage (EKU). When this happens, the user is forced to select the correct certificate to use for VPN authentication.

Clearly this is less than ideal, as it not only breaks the seamless and transparent nature of Always On VPN, the user may select the wrong certificate resulting in authentication failure. Ideally the client should be configured to select the correct certificate without user interaction.

Certificate Selection

Follow the steps below to configure automatic certificate selection for VPN authentication.

1. On a VPN client, right-click the Always On VPN connection and choose Properties.
2. Select the Security tab.
3. In the Authentication section click Properties below Use Extensible Authentication Protocol (EAP).
4. In the Select Authentication Method section click Configure.
5. In the When connecting section click Advanced.
6. Check the box next to Certificate Issuer.
7. Select the root CA used to issue client authentication certificates for VPN authentication.
8. Click Ok four times to save the configuration.

Once complete, export the EAP configuration to XML from the VPN client and paste the new settings in Intune or in your custom ProfileXML.

Certificate Purpose

By default, a client certificate requires only the Client Authentication EKU to establish a VPN connection. In some cases, this may not be desirable. For example, consider a deployment where Client Authentication certificates are issued to all users for Wi-Fi authentication. Depending on the Network Policy Server (NPS) configuration, these certificates may also be used to authenticate to the VPN.

VPN Specific Certificate

Follow the steps below to create a user authentication certificate template to be used exclusively for VPN authentication.

Certificate Template

1. On the CA server, open the Certificate Templates management console (certtmpl.msc).
2. Right-click the certificate template configured for VPN authentication and choose Properties.
3. Select the Extension tab.
4. Highlight Application Policies and click Edit.
5. Click Add.
6. Click New.
7. Enter a descriptive name for the new application policy.
8. Copy the Object identifier for later use and click Ok four times to save the configuration.

   

9. If certificate autoenrollment is configured and the certificate is already provisioned to users, right-click the certificate template and choose Reenroll All Certificate holders.

Client Configuration

1. On the VPN client, follow the steps outlined previously to configure certificate selection.
2. In addition to choosing a certificate issuer, select Extended Key Usage (EKU).
3. Uncheck All Purpose.
4. Select Client Authentication and the following EKUs.
5. Click Add.
6. Click Add once more.
7. Enter the name of the custom EKU policy created previously.
8. Enter the custom EKU object identifier copied previously from the custom policy.

   

9. Click Ok twice.
10. Uncheck AnyPurpose and the following EKUs.
11. Click Ok four times to save the configuration.

Once complete, export the EAP configuration to XML from the VPN client and paste the new settings in Intune or in your custom ProfileXML.

Additional Information

Windows 10 Always On VPN Clients Prompted for Authentication when Accessing Internal Resources

Get-EapConfiguration PowerShell Script on GitHub

Windows 10 Always On VPN Hands-On Training