All posts in category network policy server

Strong Certificate Mapping Enforcement February 2025

Are you ready? In just a few short weeks(!) Microsoft will release the February 2025 security updates. This is a critical update because Microsoft plans to enable full enforcement of strong certificate mapping on Active Directory Domain Controllers (DCs) with this release. Administrators unprepared for this may incur outages for workloads using certificate-based authentication such as Always On VPN, Wi-Fi, and others.

Reminder: There’s still space available in my Certificates and Intune Masterclass. Register now!

KB5014754

Microsoft introduced strong certificate mapping with the May 2022 update KB5014754 to address vulnerabilities identified with certificate-based authentication. The update makes changes to Active Directory Certificate Services (AD CS) certification authorities (CAs) to embed the principal’s Security Identifier (SID) on issued certificates with a new certificate extension. The update also changes domain controller behavior to monitor and optionally enforce strong certificate mapping for authentication.

Enforcement Mode

When first introduced, the update is configured in compatibility mode. If a certificate that isn’t strongly mapped is presented for authentication, an event is recorded in the event log indicating that. Microsoft has been planning for years to enable full enforcement. After many delays, that time is now upon us. Specifically, full enforcement for strong certificate mapping will be enabled by default on DCs after applying the February 2025 security updates.

Note: Administrators can switch back to compatibility mode for now. See below for more details.

Limitations

Initially, the strong certificate mapping update was applied only to online certificate templates. Specifically, those templates are configured to build the subject name from Active Directory information. However, offline templates, where the subject name is supplied in the request, do not include this information by default. Crucially, any certificate issued with Microsoft Intune with PKCS or SCEP uses offline templates and is not strongly mapped. The lack of strong certificate mapping options for Intune-issued certificates forced Microsoft to delay its full enforcement deadline until these limitations were resolved.

Updates

In October 2024, Microsoft Intune announced support for strong certificate mapping for PKCS and SCEP certificates. Administrators can now configure these certificates to include strong certificate mapping. However, administrators must take action to affect this change.

PKCS

To enable strong certificate mapping for PKCS certificates, administrators must ensure that the certificate connector is running at least version 6.2406.0.1001. In addition, the following registry key must be configured on the connector server.

Key: HKLM\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector
Name: EnableSidSecurityExtension
Type: DWORD
Value: 1

You can implement this change by opening an elevated PowerShell command window and running the following command.

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Microsoft\MicrosoftIntune\PFXCertificateConnector’ -Name EnableSidSecurityExtension -Value 1 -Force

The Intune Certificate Connector server must be restarted for this change to take effect. No changes are required on the PKCS certificate policy in Intune.

SCEP

To enable strong certificate mapping for SCEP certificates, administrators must add the following attribute/value pair to the Subject alternative name settings on their existing Intune SCEP certificate policy.

Attribute: URI
Value: {{OnPremisesSecurityIdentifier}}

Preparation

Administrators using certificate-based authentication against on-premises Active Directory should ensure all user and device authentication certificates include embedded SID information. For certificates issued on-premises, with Intune using PKCS or certificates issued by Entra Conditional Access, the certificate should now have the extension 1.3.6.1.4.1.311.25.2, including the principal’s SID.


SCEP certificates issued using Intune will include the following information in the Subject Alternative Name field.

URL=tag:microsoft.com,2022-09-24:sid:<sid>


Note: This applies to certificates issued using Cloud PKI for Microsoft Intune as those certificates are deployed using a SCEP device configuration policy.

Opt-Out

With the February 2025 security update, all domain controllers will be switched to full enforcement mode. Authentication requests using certificates without strong mapping will be denied in this configuration.

If your organization is not prepared to move to full enforcement mode, the February 2025 update allows administrators to opt out and switch back to compatibility mode by enabling the following registry key on all domain controllers.

Key: HKLM:\SYSTEM\CurrentControlSet\Services\Kdc
Name: StrongCertificateBindingEnforcement
Type: DWORD
Value: 1

You can implement this change by opening an elevated PowerShell command window and running the following command.

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\Kdc’ -Name ‘StrongCertificateBindingEnforcement’ -PropertyType DWORD -Value 1 -Force

September 2025

Administrators are strongly encouraged to update all user and device authentication certificates before September 2025. With the September 2025 security update, Microsoft will no longer honor the opt-out registry settings and strictly enforce strong certificate mapping for all certificate-based authentication requests.

Troubleshooting

Certificate authentication is commonly used for Always On VPN and Wi-Fi authentication. If full enforcement mode is enabled on domain controllers and a certificate is presented for authentication that is not strongly mapped, administrators may see the following event log information recorded on the Network Policy Server (NPS).

Network Policy Server denied access to a user.

The details of the event include the following.

Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Obviously, the user does not enter their password when using certificates for authentication. However, the indication of a credential mismatch can be caused by missing strong certificate mapping information when the DC is in full enforcement mode.

Note: There are other causes for reason code 16 failures on NPS. Further investigation may be required to determine the root cause.

Additional Information

Training: Certificates and Intune Masterclass

Certificate-Based Authentication Changes and Always On VPN

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

Entra Conditional Access Certificates with SID Information Now Available

Intune Strong Certificate Mapping Error

Strong Certificate Mapping Error with PKCS

KB5014754: Certificate-Based Authentication Changes on Windows Domain Controllers

2 Comments
by Richard M. Hicks on January 27, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, administration, Always On VPN, AOVPN, authentication, Azure Active Directory, Azure AD, Azure VPN, CBA, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, Certificate-Based Authentication, certificates, cloud, Cloud PKI, Conditional Access, Endpoint Manager, Enterprise, enterprise mobility, Entra, Entra Conditional Access, Entra ID, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, Network Device Enrollment Service, Network Device Enrollment Services, network policy server, NPS, Operational Support, PFX Connector, PKCS, PKI, PowerShell, public cloud, public key infrastructure, Remote Access, SCEP, Security, Security Update, Simple Certificate Enrollment Protocol, systems management, troubleshooting, Update, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 27, 2025

https://directaccess.richardhicks.com/2025/01/27/strong-certificate-mapping-enforcement-february-2025/

Always On VPN and Cloud PKI for Intune Error 853

Microsoft Cloud PKI for Intune is a PKI-as-a-Service offering that allows organizations to issue and manage digital certificates without on-premises infrastructure. Certificates are excellent phishing-resistant credentials that are well-suited for applications requiring strong authentication, such as secure remote access with Always On VPN. However, administrators may encounter errors when attempting to authenticate users or devices using certificates issued by Cloud PKI for Intune.

Error 853

After publishing certificates with Cloud PKI for Intune and configuring the on-premises Always On VPN infrastructure to support this, administrators will find that the Always On VPN connection fails to connect. Attempts to manually start the connection result in the following error message.

“The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure the certificate used for authentication is valid.”

In the event log on the Windows client, you’ll find an event ID 20227 from the RasClient source that includes the following error message.

“The user <domain>\<user> dialed a connection named <VPN connection name> which has failed. The error code returned on failure is 853.”

Error 853 (ERROR_EAP_USER_CERT_INVALID) indicates the user certificate is invalid.

Certificate

Upon further investigation, the certificate shows no issues, is valid, is trusted, and has a private key.

NPS

Looking at the event log on the Network Policy Server (NPS), you’ll find a corresponding event ID 6273 from the Microsoft Windows security auditing source that includes the following error message.

“Network Policy Server denied access to a user.”

Looking at the authentication details section of this event log entry yields the following important clue.

Reason Code: 258
Reason: The revocation function was unable to check revocation for the certificate.

Failed Revocation Check

Since the NPS server indicates that it rejected the authentication request because it could not perform a revocation check, let’s bring the user authentication certificate to the NPS server and perform some tests.

Export Certificate

Open the user certificate store (certmgr.msc) on the client and expand Personal > Certificates. Right-click on the certificate in question and choose All Tasks > Export. Export the certificate only (not the private key) and copy the file to the NPS server.

Verify Certificate

Open a PowerShell or command window on the NPS server and run the following command to validate the certificate.

certutil.exe -verify -urlfetch <path to exported certificate>

For example.

certutil.exe -verify -urlfecth .\rdeckard.cer

The command generates a lot of output, but if you look at the very end of the data stream, you’ll see two interesting items.

  • Revocation check skipped – no revocation information available
  • Leaf certificate revocation check passed

Based on this information the user certificate (the leaf certificate) passed a revocation check. However, it would appear that another certificate in the chain does not include revocation information. Since there is only a root and issuing CA in the chain, and root certificates don’t include revocation information because they are the self-signed root of trust, it would appear that revocation information is missing from the issuing CA certificate.

We can confirm this by scrolling up in the previous command’s output to where the verification of the issuing CA certificate takes place. Here, you’ll see that the issuing CA certificate is missing CDP (CRL Distribution Point) information.

When NPS attempts to validate the certificate and the certificate chain, it expects to find CDP information, which it will use to check if the issuing CA certificate has been revoked. The revocation check fails without this information, and the authentication request is rejected.

Design Error?

Missing CDP information is not unusual for end-entity (leaf) certificates when they are short-lived. An example is Entra ID conditional access certificates, which do not include CDP information by design. However, I expect this information to be listed on an issuing CA certificate. Why it’s not there, I’m not sure. I’ll investigate this in more depth and report on anything I learn that’s new.

Workaround

To move forward using Cloud PKI for Intune certificates with Always On VPN, administrators must implement the following registry setting on all NPS servers handling authentication requests for Always On VPN servers.

Key = HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
Name = IgnoreNoRevocationCheck
Type = DWORD
Value = 1

To implement this change using PowerShell, open an elevated PowerShell command window and run the following command.

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\’ -Name IgnoreNoRevocationCheck -PropertyType DWORD -Value 1 -Force

Once complete, restart the NPS server for the changes to take effect.

Additional Information

Cloud PKI for Microsoft Intune

Cloud PKI for Microsoft Intune and Active Directory

Cloud PKI for Microsoft Intune and Certificate Templates

Strong Certificate Mapping for Microsoft Intune PKCS and SCEP Certificates

Troubleshooting Intune Failed PKCS Request

Cloud PKI for Microsoft Intune SCEP URL

Delete A Cloud PKI for Microsoft Intune Certificate Authority

Cloud PKI for Microsoft Intune on RunAs Radio Podcast

Mastering Certificates with Microsoft Intune Online Training

Leave a comment
by Richard M. Hicks on January 16, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, administration, Always On VPN, AOVPN, authentication, Certificate Authentication, Certificate Authority, Certificate Services, certificates, cloud, Cloud PKI, Cloud Service, Deployment, Device Management, Endpoint Manager, Enterprise, enterprise mobility, Entra, extensible authentication protocol, Infrastructure, InTune, MDM, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, network policy server, NPS, Operational Support, PEAP, PKI, PowerShell, Protected EAP, public cloud, public key infrastructure, Remote Access, Security, Simple Certificate Enrollment Protocol, troubleshooting, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 16, 2025

https://directaccess.richardhicks.com/2025/01/16/always-on-vpn-and-cloud-pki-for-intune-error-853/

Always On VPN and Blast-RADIUS

Microsoft released an update for the Windows Server Network Policy Server (NPS) to address recently disclosed vulnerabilities in the Remote Access Dial-In User Service (RADIUS) protocol in the July 2024 security updates. RADIUS is an industry-standard authentication protocol widely used for remote access, including Always On VPN. The RADIUS protocol was first introduced in the early 1990s and, unfortunately, still relies on the deprecated MD5 cryptographic hash function. The good news is that this vulnerability does not affect Always On VPN. Read on to learn more.

Blast-RADIUS

Blast-RADIUS is an attack on the RADIUS protocol that allows an attacker to alter network authentication packets to gain access to a service relying on RADIUS for authentication by exploiting the weakness of MD5 integrity checks in RADIUS. In the absence other controls, an attacker could alter an authentication response and change the reply from Access-Reject to Access-Accept.

Considerations

It’s important to note that leveraging this attack is not trivial. It requires local network access, so the attacker must have a presence on the target network to carry out this attack. However, cloud-hosted RADIUS services are inherently more vulnerable. In addition, the attack is mostly academic today because the default timeout for authentication requests is typically short, usually between 5 and 30 seconds. This is not enough time (today) for an attacker to mount the attack. However, this attack could become more feasible if authentication timeouts are increased (sometimes required to support MFA) or if an attacker has access to vast computing resources.

Affected Protocols

Although Blast-RADIUS is a vulnerability in the RADIUS protocol itself, not all authentication protocols are affected. Specifically, this vulnerability affects services leveraging PAP, CHAP, MS-CHAP, and MS-CHAPv2. Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP) are not vulnerable to this attack. Since Always On VPN requires EAP authentication, it is not susceptible to this attack.

Mitigation

Microsoft has published guidance in KB5040268 for mitigating Blast-RADIUS attacks on Windows NPS servers. Specifically, administrators are encouraged to enable the Message-Authenticator attribute in Access-Request packets sent by the network access server and to ensure the NPS server requires the Message-Authenticator attribute in any Access-Request messages it receives.

Note: The following changes are not required for Always On VPN or any other workload using EAP-TLS or Protected EAP, as these protocols use TLS natively to protect the authentication exchange.

NPS

To configure this setting in the UI, open the NPS management console (nps.msc) and perform the following steps.

  1. Expand RADIUS Clients and Servers.
  2. Highlight RADIUS Clients.
  3. Right-click the RADIUS client to configure and choose Properties.
  4. Select the Advanced tab.
  5. Check the box next to Access-Request messages must contain the Message-Authenticator attribute.

PowerShell

To configure this setting using PowerShell, open an elevated PowerShell command window and run the following command.

Set-NpsRadiusClient -Name <RADIUS client name> -AuthAttributeRequired $True

Additional NPS Settings

Administrators should also run the following commands on their NPS servers to further protect their infrastructure from Blast-RADIUS attacks.

netsh.exe nps set limitproxystate all = enable

netsh.exe nps set requiremsgauth all = enable

RRAS

When using Windows Server Routing and Remote Access (RRAS) without EAP, ensure the RADIUS server configuration always includes the Message-Authenticator. To configure this setting, open the Routing and Remote Access console (rrasmgmt.msc) on the RRAS server and perform the following steps.

  1. Right-click the VPN server and choose Properties.
  2. Select the Security tab.
  3. Click the Configure button next to the Authentication provider drop-down list.
  4. Highlight the RADIUS server and choose Edit.
  5. Check the box next to Always use message authenticator.

Repeat these steps for any additional configured RADIUS servers.

CLI

Administrators can implement this change at the command line by opening an elevated command window and entering the following command.

netsh.exe ras aaaa set authserver name = <name of RADIUS server> signature = enabled

For example:

netsh.exe ras aaaa set authserver name = nps.lab.richardhicks.net signature = enabled

New NPS Events

After installing the KB5040268 update on NPS servers, the NPS server will record event ID 4421 from the NPS source after a service start if the RequireMsgAuth or LimitProxyState settings are not configured.

“RequireMsgAuth and/or limitProxyState configuration is in Disable mode. These settings should be configured in Enable mode for security purposes.”

Optional Mitigation

If administrators cannot configure the above settings, consider using IPsec to secure network traffic at the transport layer. IPsec will protect all RADIUS traffic at the network layer to mitigate Blast-RADIUS attacks. Unfortunately, Windows Server NPS does not support TLS or DTLS, so IPsec is your only option.

Summary

Always On VPN is not vulnerable to the Blast-RADIUS attack. However, NPS is commonly a shared service in many organizations, and other workloads may use older, vulnerable protocols. Consider implementing the changes detailed in KB5040268 as outlined in above to ensure the integrity of your environment and mitigate these potential attacks.

More Information

Microsoft KB5040268: how to manage Access-Request packets attack vulnerability associated with CVE-2024-3596

RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks

New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere

Overview of Microsoft Protected Extensible Authentication Protocol (PEAP)

Always On VPN NPS Auditing and Logging

2 Comments
by Richard M. Hicks on July 15, 2024  •  Permalink
Posted in Always On VPN, AOVPN, authentication, Certificate Authentication, Cryptography, CVE, EAP, Encryption, Enterprise, enterprise mobility, extensible authentication protocol, Infrastructure, Microsoft, Mobility, network policy server, NPS, Operational Support, PEAP, PowerShell, Protected EAP, Remote Access, routing and remote access service, RRAS, Security, Security Update, SSL, SSL and TLS, TLS, Transport Layer Security, Update, user tunnel, VPN, Vulnerability, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on July 15, 2024

https://directaccess.richardhicks.com/2024/07/15/always-on-vpn-and-blast-radius/

« Older Posts
Newer Posts »