Always On VPN Users Prompted for Certificate

Always On VPN Users Prompted for CertificateWhen deploying Windows 10 Always On VPN using Protected Extensible Authentication Protocol (PEAP) authentication with client certificates, administrators may find the VPN connection does not establish automatically. In this specific scenario the client is prompted to select a certificate to use to authenticate to the VPN server.

Always On VPN Users Prompted for Certificate

Multiple Certificates

This can occur when certificates from multiple Certification Authorities (CAs) are issued to the user that include the Client Authentication Enhanced Key Usage (EKU). When this happens, the user is forced to select the correct certificate to use for VPN authentication.

Clearly this is less than ideal, as it not only breaks the seamless and transparent nature of Always On VPN, the user may select the wrong certificate resulting in authentication failure. Ideally the client should be configured to select the correct certificate without user interaction.

Certificate Selection

Follow the steps below to configure automatic certificate selection for VPN authentication.

  1. On a VPN client, right-click the Always On VPN connection and choose Properties.
  2. Select the Security tab.
  3. In the Authentication section click Properties below Use Extensible Authentication Protocol (EAP).
  4. In the Select Authentication Method section click Configure.
  5. In the When connecting section click Advanced.
  6. Check the box next to Certificate Issuer.
  7. Select the root CA used to issue client authentication certificates for VPN authentication.
  8. Click Ok four times to save the configuration.

Always On VPN Users Prompted for Certificate

Once complete, export the EAP configuration to XML from the VPN client and paste the new settings in Intune or in your custom ProfileXML.

Certificate Purpose

By default, a client certificate requires only the Client Authentication EKU to establish a VPN connection. In some cases, this may not be desirable. For example, consider a deployment where Client Authentication certificates are issued to all users for Wi-Fi authentication. Depending on the Network Policy Server (NPS) configuration, these certificates may also be used to authenticate to the VPN.

VPN Specific Certificate

Follow the steps below to create a user authentication certificate template to be used exclusively for VPN authentication.

Certificate Template

  1. On the CA server, open the Certificate Templates management console (certtmpl.msc).
  2. Right-click the certificate template configured for VPN authentication and choose Properties.
  3. Select the Extension tab.
  4. Highlight Application Policies and click Edit.
  5. Click Add.
  6. Click New.
  7. Enter a descriptive name for the new application policy.
  8. Copy the Object identifier for later use and click Ok four times to save the configuration.

    Always On VPN Users Prompted for Certificate

  9. If certificate autoenrollment is configured and the certificate is already provisioned to users, right-click the certificate template and choose Reenroll All Certificate holders.

Client Configuration

  1. On the VPN client, follow the steps outlined previously to configure certificate selection.
  2. In addition to choosing a certificate issuer, select Extended Key Usage (EKU).
  3. Uncheck All Purpose.
  4. Select Client Authentication and the following EKUs.
  5. Click Add.
  6. Click Add once more.
  7. Enter the name of the custom EKU policy created previously.
  8. Enter the custom EKU object identifier copied previously from the custom policy.

    Always On VPN Users Prompted for Certificate

  9. Click Ok twice.
  10. Uncheck AnyPurpose and the following EKUs.
  11. Click Ok four times to save the configuration.

Always On VPN Users Prompted for Certificate

Once complete, export the EAP configuration to XML from the VPN client and paste the new settings in Intune or in your custom ProfileXML.

Additional Information

Windows 10 Always On VPN Clients Prompted for Authentication when Accessing Internal Resources

Get-EapConfiguration PowerShell Script on GitHub

Windows 10 Always On VPN Hands-On Training

Leave a comment


  1. Thanks Richard. Another superb article. This problem had me banging my head repeatedly against the wall until you pointed me in the right direction.
    Another symptom of this issue is the VPN connection reporting “This connection is already being dialed”.

    • Thanks Andy! 🙂

      • Hi RIchard,
        Not sure if this question directly relates to this topic, but it’s close.
        We are about to change our default AD UPN from to This will obviously break existing AO user certificates. Can I just click Reenroll All Certificate Holders for the existing certificate, or should I create a new one/duplicate it?

      • I think that if you update your user’s UPN and re-enroll all certificate holders that should work. The new certificate issued will include whatever their new UPN is at that point.

  2. Nice article, thanks for sharing. I saw this problem in several SSTP + AO VPN installations/configurations. Very helpful and very hidden parameter!

    Greets, Karsten…

  3. Colin

     /  June 19, 2019

    Richard, There seems to be problems with Windows 10 1903 connecting to AOVPN.

    Can you confirm? Fully patched 1903, cannot connect to AOVPN but 1803-1809 seem to connect fine still. Same profiles, same settings etc.. all deployed cookie cutter from SCCM.

    • No issues to report in my Always On VPN testing with Windows 10 1903.

      • Colin

         /  June 19, 2019

        I confirmed others experiencing the same problems on technet forums.

        Are you doing a clean 1903 or upgraded from 1809 to 1903. I am an upgrade to 1903

      • Clean install. Haven’t tested an upgrade yet, but will do so soon.

  4. Matthew

     /  October 9, 2019

    Hello, we have an intermittent issue with our Always on VPN user tunnels. We get “a certificate could not be found that can be used with this extensible authentication protocol” errors. The the working users and the non nonworking users were all set up the same.
    If I check the users Client Authentication cert in their personal store it all looks good, and the certification path is OK.
    If I delete the cert, reboot so it picks up a new one, then it works fine.

    Is there anyway to get enhanced debugging on cert selection?
    Kind regards

    • Very strange! I’d suggest enabling the CAPI2 operational log and having a look there.

      • Matthew Bristow

         /  October 10, 2019

        OK I’ll try that. It’s annoying as we can’t replicate it. We are using roaming profiles for hot desking, which may come into play. In addition we have 3 internal rootca certs, each time a new one has been generated the old one has been kept. All 3 are being pushed by both AD and by GPO, hence we see six rootca entries in the certificate selection dialogue. I have ticked all of them. But I was wondering if that might be complicating things. Is it worth UN-ticking “simple cert selection”?

      • You can certainly try that and see if the experience changes.

      • Eric

         /  April 6, 2020

        I stumbled on this comment with the same problem. I checked the CAPI2 log (thanks for that!) and discovered the private key for the user certificate is missing. Sure enough, try the export and you get a specific ‘key is missing’ error. I haven’t yet figured out why the user cert key disappears. I don’t see any roaming profile/roaming credential stuff setup… I did set a registry key (google ‘df9d8cd0-1501-11d1-8c7a-00c04fc297eb’) to support connecting remotely by username/password first, perhaps that has an impact… Anyway, still plugging away unless someone has any suggestions? Thanks!

  5. Matthew

     /  April 7, 2020

    Hi Eric, our problems were definitely caused by roaming profiles between TPM and non TPM machines (the private key can’t leave the TPM machine), we moved to using the software KSP… and it went away. TBH I’d rather kill off roaming profiles :-/

  6. Hi Richard,

    Thanks a lot for an excellent and informative post.

  7. Ci

     /  June 25, 2020

    I have a physical smartcard with the user certificate on it.
    The VPN fails with “A certificate could not be found that can be used with this Extensible Authentication”.
    But if I look in certmgr.msc I have one user cert with Client Authentication EKU.

    Is it possible to have seamless User VPN Tunnel established with physical smartcard (PIN protected)

    • I don’t think so. I believe it should still work though, but you’ll most likely be prompted for a pin to access the private key on the smart card.

  1. Certificate-Based Authentication Changes and Always On VPN | Richard M. Hicks Consulting, Inc.

Leave a Reply

%d bloggers like this: