Awards
Consulting

Consulting Services

Now Available!
Connect
Mailing List

Sign Up Now!
Richard M. Hicks Consulting Newsletter
@richardhicks
- #Windows 10 Always On #VPN IKEv2 features and limitations. #Windows10 #Win10 #Microsoft #mobility #aovpn rmhci.co/2XcV8tq:: 1 day ago
- #Windows 10 Always On #VPN SSTP load balancing with the @KempTech LoadMaster load balancer. #Microsoft #Windows10… twitter.com/i/web/status/1…:: 1 day ago
- Deploying #Windows 10 Always On #VPN with @MSIntune using custom ProfileXML. #Microsoft #Windows10 #Win10 #mobility… twitter.com/i/web/status/1…:: 2 days ago
- Configuring the #Microsoft @Azure #VPN gateway for #Windows 10 Always On VPN. #Windows10 #Win10 #mobility #cloud… twitter.com/i/web/status/1…:: 2 days ago
- RT @ipv6buzz: Podcast: IPv6 Buzz 055: The Good, Bad, And Ugly Of IPv6 With Geoff Huston - packetpushers.net/podcast/ipv6-b…:: 2 days ago
Follow @richardhicks
Facebook

Facebook
RSS Feed
- RSS - Posts
- RSS - Comments
Archives
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- October 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- November 2014
- October 2014
- September 2014
- August 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- July 2012
- June 2012
- May 2012
- April 2012
Categories
Tag Cloud
Active Directory ADC Always On VPN AOVPN application delivery controller authentication Azure CA certificate certificates cloud configuration device tunnel DirectAccess DNS education encryption enterprise mobility error F5 firewall Forefront Forefront UAG Forefront UAG 2010 group policy high availability hotfix IKEv2 Important Links InTune IP-HTTPS IPsec IPv6 IPv6 transition technology Kemp load balancer load balancing LoadMaster Manage Out Microsoft Mobility multisite Networking network location server NLB NLS OTP performance PKI PowerShell ProfileXML public cloud redundancy Remote Access routing and remote access service RRAS scalability security SSL SSTP TLS training troubleshooting UAG update VPN Windows Windows 7 Windows 8 Windows 10 Windows Server Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 Windows Server 2019

All posts in category Compliance

Troubleshooting Always On VPN Errors 691 and 812

When configuring Windows 10 Always On VPN using the Routing and Remote Access Service (RRAS) on Windows Server 2012 R2 and Extensible Authentication Protocol (EAP) authentication using client certificates, clients attempting to establish a VPN connection using Internet Key Exchange version 2 (IKEv2) may receive the following error.

“The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile.”

The event log on the client also records RasClient event ID 20227 stating “the error code returned on failure is 812”.

Troubleshooting Always On VPN Errors 691 and 812

Always On VPN clients using the Secure Socket Tunneling Protocol (SSTP) may receive the following error.

“The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.”

Troubleshooting Always On VPN Errors 691 and 812

The event log on the client also records RasClient event ID 20227 stating “the error code returned on failure is 691”.

Troubleshooting Always On VPN Errors 691 and 812

Resolution

These errors can occur when Transport Layer Security (TLS) 1.0 has been disabled on the RRAS server. To restore functionality, enable TLS 1.0 protocol support on the RRAS server. If disabling TLS 1.0 is required for compliance reasons, consider deploying RRAS on Windows Server 2016. TLS 1.0 can be safely disabled on Windows Server 2016 without breaking EAP client certificate authentication for Windows 10 Always On VPN clients.

Additional Information

Windows 10 Always On VPN Hands-On Training

What’s the Difference Between DirectAccess and Windows 10 Always On VPN?

5 Important Things DirectAccess Administrators Should Know About Windows 10 Always On VPN

3 Important Advantages of Windows 10 Always On VPN over DirectAccess

Windows 10 Always On VPN and the Future of DirectAccess

24 Comments

by Richard M. Hicks on February 26, 2018 • Permalink

Posted in Always On VPN, AOVPN, certificates, Compliance, enterprise mobility, Mobility, Remote Access, Security, SSL and TLS, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on February 26, 2018

https://directaccess.richardhicks.com/2018/02/26/troubleshooting-always-on-vpn-errors-691-and-812/

DirectAccess IP-HTTPS Null Cipher Suites Not Available

DirectAccess IP-HTTPS Null Cipher Suites Not Available Microsoft first introduced support for null cipher suites for the IP-HTTPS IPv6 transition technology in Windows Server 2012, and it is supported for DirectAccess in Windows 8.x and Windows 10 clients. Using null cipher suites for IP-HTTPS eliminates the needless double encryption that occurs when using encrypted cipher suites. DirectAccess is a unique workload where SSL/TLS encryption isn’t really required because the payload being transported in HTTPS is already encrypted.

No Encryption by Design

When supporting Windows 8.x and Windows 10 clients, ensuring null cipher suites (TLS_RSA_WITH_NULL_SHA and TLS_RSA_WITH_NULL_SHA256) are enabled and operational is crucial to providing the highest levels of performance and scalability for the remote access solution. When following implementation best practices, this isn’t really an issue. However, in some cases null cipher suites may be disabled. This will result in reduced scalability and degraded performance for Windows 8.x and Windows 10 clients.

Validating SSL/TLS Configuration

The easiest way to verify that null cipher suites are being offered by the DirectAccess server is to use the Qualys SSL Labs server test site. Ideally you should see a result similar to this.

Figure 1. Qualys SSL Labs server test site results for properly configured DirectAccess server.

Don’t be alarmed by the overall rating “F”. That happens because the Qualys test site is designed to test web servers where using null cipher suites would be a serious security issue. As I stated previously, the DirectAccess workload is unique in that its HTTPS payload is already encrypted, so using null cipher suites is acceptable in this scenario.

Figure 2. Qualys SSL Labs server test site results for properly configured DirectAccess server showing support for null SSL/TLS cipher suites.

Null Cipher Suites Missing

When performing the Qualys SSL labs server test on a DirectAccess server, an overall rating of “A” is not desirable and indicates the DirectAccess server is misconfigured. This is caused by the lack of support for null cipher suites.

Figure 3. Qualys SSL Labs server test site results for misconfigured DirectAccess server.

Common Causes

Null cipher suites for SSL and TLS can be disabled for a variety of reasons. Below are some of the most common causes for the lack of support for null cipher suites for DirectAccess.

Self-Signed Certificates – Using the Getting Started Wizard (simplified deployment) will configure DirectAccess using a self-signed certificate for IP-HTTPS. Using a self-signed certificate is discouraged for numerous reasons, most importantly because it disables support for null cipher suites.

Security Hardening – Security administrators may proactively disable support for null cipher suites in a misguided effort to “improve security” for DirectAccess. While this is acceptable and recommended on a web server, it is not advisable to disable null cipher suites on a DirectAccess server.

SSL Certificate Signing Algorithm – Using an SSL certificate signed with an Elliptical Curve (EC) key as opposed to an RSA key will result in the loss of support for null cipher suites for IP-HTTPS. High security/assurance certificates signed with EC keys are not recommended for use on DirectAccess servers and should be avoided if possible.

DirectAccess Configuration Options – Enabling One-Time Password (OTP) authentication on the DirectAccess server will also result in a loss of support for null cipher suites. Also, adding additional roles to the DirectAccess server such as client-based VPN or the Web Application Proxy (WAP) can also result in null cipher suites being disabled.

Summary

Null cipher suites are implemented by design on DirectAccess servers to enhance performance for Windows 8.x and Windows 10 clients and improve overall scalability for the implementation. They eliminate the pointless double encryption of DirectAccess communication, which itself is already encrypted. For optimal performance and scalability, be sure to follow implementation best practices and use a PKI-managed (public or private) SSL certificate signed with an RSA key (SHA-256 recommended). Resist the urge to “harden” the DirectAccess server by disabling support for null cipher suites, and avoid the use of SSL certificates signed with EC keys. In addition, carefully consider DirectAccess deployment options such as OTP authentication and consider deploying roles such as VPN and WAP on a separate server.

Additional Information

DirectAccess IP-HTTPS SSL and TLS Insecure Cipher Suites

DirectAccess IP-HTTPS Null Encryption and SSTP VPN

DirectAccess and FIPS Compliant Algorithms for Encryption

SSL Certificate Considerations for DirectAccess IP-HTTPS

3 Comments

by Richard M. Hicks on December 18, 2017 • Permalink

Posted by Richard M. Hicks on December 18, 2017

https://directaccess.richardhicks.com/2017/12/18/directaccess-ip-https-null-cipher-suites-not-available/

DirectAccess and FIPS Compliant Algorithms for Encryption

DirectAccess administrators may be required to enable Federal Information Processing Standards (FIPS) compliant algorithms for encryption, hashing, and signing on DirectAccess servers to meet certain regulatory and compliance requirements.

DirectAccess and FIPS Compliant Algorithms for Encryption

Performance Impact

Be advised that enabling this setting will disable support for null cipher suites for the IP-HTTPS IPv6 transition technology. This will result in the double encryption of all DirectAccess client communication, which will increase resource consumption on DirectAccess servers. This leads to reduced scalability and degraded performance for all DirectAccess clients, including Windows 8.x and Windows 10.

If enabling FIPS compliant cannot be avoided, additional compute capacity (CPU and memory) should be provisioned. For best results, add additional servers to distribute the workload and improve performance for DirectAccess clients.

Always On VPN

If you’re looking for better security and performance, consider migrating to Windows 10 Always On VPN. Always On VPN fully supports FIPS compliant algorithms without the negative performance impact associated with DirectAccess. If you’d like to learn more about security and Always On VPN, fill out the form below and I’ll get in touch with you.

Additional Resources

Always On VPN and the Future of DirectAccess

5 Things DirectAccess Administrators Should Know About Always On VPN

3 Important Advantages of Always On VPN over DirectAccess

1 Comment

by Richard M. Hicks on December 6, 2017 • Permalink

Posted in Always On VPN, Compliance, DirectAccess, Encryption, IP-HTTPS, IPv6, IPv6 Transition, Remote Access, Security, SSL and TLS, VPN, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012 R2, Windows Server 2016

Tagged Always On VPN, Compliance, DirectAccess, encryption, FIPS, hashing, IP-HTTPS, IPv6 transition technologies, IPv6 transition technology, performance IPv6, Remote Access, scalability, security, signing, transition technologies, transition technology, utilization, VPN

Posted by Richard M. Hicks on December 6, 2017

https://directaccess.richardhicks.com/2017/12/06/directaccess-and-fips-compliant-algorithms-for-encryption/

Search for:
DirectAccess Book

DirectAccess Book

Available Now!
NetMotion Mobility

DirectAccess-like Remote Access for Windows, Mac, iPhone, iPad, and Android

Learn More!
Kemp Technologies

Modern Application Delivery

Download a free trial!
Recent Posts
Always On VPN Resources
DirectAccess Resources

Richard M. Hicks Consulting, Inc.

Awards

Consulting

Connect

Mailing List

@richardhicks

Facebook

RSS Feed

Archives

Categories

Tag Cloud

All posts in category Compliance

Troubleshooting Always On VPN Errors 691 and 812

Share this:

Like this:

DirectAccess IP-HTTPS Null Cipher Suites Not Available

Share this:

Like this:

DirectAccess and FIPS Compliant Algorithms for Encryption

Share this:

Like this:

DirectAccess Book

NetMotion Mobility

Kemp Technologies

Recent Posts

Always On VPN Resources

DirectAccess Resources