Certificates are a crucial part of a secure Always On VPN implementation. Certificates are phishing-resistant forms of authentication that, when configured correctly, provide robust and multifactor authentication for remote access users and devices.
AD CS
Most commonly, certificates are issued by an on-premises Microsoft Active Directory Certificate Services (AD CS) server. Administrators configure and deploy a Certification Authority infrastructure to issue and manage user and device authentication certificates in their organization. CA certificates are also required on the VPN server to support Always On VPN device tunnel connections and IKEv2 user tunnel connections. The NPS server also requires an enterprise CA certificate. Of course, the CA can issue certificates for other purposes, including Wi-Fi authentication, document signing, and code signing, just to name a few.
PSPKI
PSPKI is a PowerShell module available in the PowerShell Gallery for configuring, managing, and troubleshooting Microsoft AD CS. Created by Vadims Podans of PKI Solutions, PSPKI includes over 100 functions for various AD CS and certificate-related tasks. Always On VPN administrators will find this PowerShell module helpful when configuring and troubleshooting certificate-related issues for their Always On VPN deployments.
Note: The AD CS remote server administration tools (RSAT) must be installed to access all of the PSPKI module’s functionality.
Installation
Run the following PowerShell command to install the PSPKI PowerShell module.
Install-Module -Name PSPKI
Always On VPN and PSPKI
Always On VPN Administrators will immediately find a few PSPKI functions helpful when implementing and supporting Always On VPN.
Test-WebServerSSL – This function will connect to a remote web server and display details about the TLS certificate included in the response. This can be especially helpful when troubleshooting SSTP VPN connections.
Convert-PfxToPem – This is a handy utility for converting a PFX file to the PEM format. This is commonly required when importing CA certificates on non-Microsoft platforms, security devices, and load balancers.
Convert-PemToPfx – Occasionally, administrators must convert a certificate and private key in PEM format to PFX to install on a Windows server. This tool allows administrators to perform this task easily.
Get-CertificationAuthority – This function quickly enumerates all enterprise CA servers and displays information about their hostname, accessibility, service status, and type.
Ping-ICertInterface – This function helps troubleshoot CA connectivity issues. Administrators can quickly determine if a CA is reachable and capable of issuing a certificate using this command.
Get-CaTemplate – This command displays a list of certificate templates published on the specified target CA server. The certificate template’s display name and the minimum support CA version are provided. In addition, the output indicates if certificate autoenrollment is enabled on the template.
Much More
The PSPKI PowerShell module for AD CS has many tools for configuring and managing AD CS. PSPKI recently received a major update to version 4.0. Download and install PSPKI today. It will make your life easier, I can assure you!
Additional Information
PSPKI PowerShell Module – PowerShell Gallery
PSPKI PowerShell Module – GitHub
AOVPNTools PowerShell Module – PowerShell Gallery
AOVPNTools PowerShell Module – GitHub
InboxAccountingDatabaseManagement PowerShell Module
bueschu
/ September 3, 2023We have a complex problem with Always-on-VPN and SSTP. From time to time suddenly a user can no more connect to the VPN. The only solution is to let the user comming to the office and starting the VPN-Connection over LAN. Afterwards the user can connect again from Home Office or somewhere else over the internet. The problem exists not for all User and is not repeatebale.
– Using Azure VPN-Gateway with Conditinal Access and SSTP
– Using Windows 10
– Using NPS Server for authenticatoin
– Conditinal Access Authentication ok, Azure VPN Certificate is ok and valuable
– User VPN Certificate is valuable for one year and ok
The Client get an error on the vpn Icon (systray) which says (translated from german):
Unable to connect because there is no single sign-on Certificate. Please contact: your support representative.
There is also an event on the client with id 20227 and RAS Error Code 874.
There is no traffic between Azure gateway and NPS Server concerning this VPN-Connection
Recording the TLS traffice between VPN-Client and Azure gateways shows me about 20 Pakets, showing a normal TLS session setup. The last paket is a reset session paket from the client.
We have found another strange workaround when the problem exists on a PC. If we import another user vpn-certificate in the user store of an affected User the problem is gone. We can delete the imported user certificate and still the vpn connection get established.
Realy strange – have you any Idee what is causing this problem
Richard M. Hicks
/ September 5, 2023Unusual, for sure. Is the user certificate issued for SSO stored in TPM? I’ve had customers report various issues with certificates and TPM that are similar. We’ve not identified a workaround, unfortunately. :/
bueschu
/ September 25, 2023Sorry for the delay, I was on holiday. Yes the vpn-user certificate is stored in TPM.
Richard M. Hicks
/ September 25, 2023It could be related to a known issue with some TPM model. Try implementing the workaround in the following post and let me know if it helps at all.
https://directaccess.richardhicks.com/2023/02/13/always-on-vpn-authentication-failed-reason-code-16/