All posts in category NPS

Microsoft Intune Cloud PKI

Recently, Microsoft introduced the general availability of its new PKI-as-a-service solution called Microsoft Intune Cloud PKI. Cloud PKI allows administrators to issue and manage user and device authentication certificates for Intune-managed endpoints without deploying Active Directory Certificate Services (AD CS) on-premises. Cloud PKI frees administrators from the burdens of deploying and managing AD CS, including the complicated Network Device Enrollment Service (NDES) server configuration required for Simple Certificate Enrollment Protocol (SCEP) certificate deployment with Intune.

Advantages

Microsoft Intune Cloud PKI offers many significant advantages over traditional on-premises AD CS deployments.

No Infrastructure

The most obvious advantage of using Cloud PKI is that you do not have to deploy and manage your own Certification Authority (CA). Although implementing AD CS isn’t that difficult, managing and operating a CA infrastructure securely can be quite challenging. In addition, a high-security AD CS deployment utilizes hardware secure modules (HSMs) to protect CA private keys, which are quite expensive and sometimes difficult to support.

Cloud-Hosted SCEP

Removing the requirement to configure and deploy your own NDES server to support SCEP certificates is certainly a welcome advantage. NDES is notoriously difficult to configure, secure, and troubleshoot when it doesn’t work correctly. Cloud PKI includes cloud hosted SCEP services that are highly available and redundant within the Microsoft Azure infrastructure.

Automatic Revocation

Cloud PKI automates the deployment of certificates to Intune-managed users and devices and automatically revokes certificates when they fall out of scope. Administrators can also manually revoke certificates using the Intune management console.

Reporting

Administrators can easily view the status of Cloud PKI-issued certificates in Intune. The UI shows the active, expired, and revoked certificates for the issuing CA.

Clicking View all certificates shows a detailed list of all certificates.

BYOCA

Another compelling feature of Cloud PKI is Bring Your Own CA (BYOCA). This feature enables administrators to deploy a cloud-hosted CA that is chained to their existing on-premises AD CS root CA. This is helpful for scenarios where AD CS is already in place and used to issue and manage certificates to existing domain-joined clients and servers. BYOCA effectively allows you to extend your existing CA infrastructure to the cloud and use Cloud PKI to issue and manage certificates for your Intune-managed endpoints while maintaining the full functionality and feature set of on-premises AD CS for non-Intune-managed devices.

Limitations

Although there are many advantages to Cloud PKI, there are some limiting factors to consider.

RSA Only

Today, Cloud PKI is limited to RSA keys only. Administrators can create CAs using RSA 2048, 3072, or 4096-bit keys. Elliptic Curve (EC) keys are not currently supported in Cloud PKI.

Intune Devices Only

Cloud PKI is limited to issuing certificates to Intune-managed devices only. Endpoints must be Entra-joined, or hybrid Entra-joined to enroll for certificates using Cloud PKI.

Inflexible Configuration

The Cloud PKI root and issuing CAs cannot be reconfigured after deployment. Since Cloud PKI root and issuing CAs don’t support the Any Purpose EKU (2.5.29.37.0), all EKUs must be defined when the CA is created. If, in the future, an administrator requires an EKU that was not present when the CA was deployed, an entirely new hierarchy (root and issuing CA) must be deployed.

No Strong Mapping

As of this writing, Cloud PKI does not yet support strong certificate mapping for KB5014754. Microsoft fixed this limitation with Entra Conditional Access certificates and is working to include support for SCEP and PKCS. Hopefully, this shortcoming will be addressed soon in Cloud PKI.

Cost

There’s been much discussion about the cost associated with Cloud PKI. Cloud PKI can be licensed as part of the Intune Suite, which is $10.00 per user per month. Cloud PKI licenses will also be available as a standalone add-on for $2.00 per user per month. For large organizations, this might be cost-prohibitive.

Summary

Overall, Microsoft Intune Cloud PKI is a welcome addition to the Microsoft suite of cloud services. Certificates are excellent phishing-resistant credentials that can be used to improve security for organizations of all sizes. However, managing a CA can be tedious and time-consuming. Leveraging the cloud for PKI and certificate management will be helpful in many scenarios. However, Cloud PKI has some potential drawbacks, and many may not fit everyone.

More Information

Want to learn more about Microsoft Intune Cloud PKI and how it can benefit your organization? Take the first step towards streamlined certificate management and enhanced security for your organization. Fill out the form below, and I’ll provide more information about using Intune Cloud PKI to safeguard your digital assets confidently.

Submit a form.
2 Comments
by Richard M. Hicks on March 18, 2024  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, administration, authentication, Azure, Azure Active Directory, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, certificates, cloud, Cloud PKI, Cloud Service, Cryptography, Device Management, Encryption, Endpoint Manager, Enterprise, enterprise mobility, Entra, Entra ID, HAADJ, Hybrid Azure AD Join, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, Multifactor Authentiction, Network Device Enrollment Service, Network Device Enrollment Services, network policy server, NPS, Operational Support, PFX Connector, PKCS, PKI, public cloud, public key infrastructure, SCEP, Security, Simple Certificate Enrollment Protocol, systems management, TPM, troubleshooting, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 18, 2024

https://directaccess.richardhicks.com/2024/03/18/microsoft-intune-cloud-pki/

Always On VPN Static IP Address Assignment

A question that occasionally arises when I’m conducting an Always On VPN planning and design workshop for a customer is static IP address assignment options for VPN connections. Typically, the use case is a specific user that requires special access to a sensitive system internally. Assigning a static IP address to the user allows administrators to create firewall rules restricting access to this connection.

Static IP Assignment

Assigning a static IP address to a user is accomplished by editing the properties of their user account in Active Directory. Open the Active Directory Users and Computers console (dsa.msc), navigate to the Dial-in tab on the target individual’s Active Directory user account, and check the box next to Assign Static IP Addresses.

Next, click the Static IP Addresses button, check the box next to Assign a Static IPv4 address, and enter an IP address. Optionally, check the box next to Assign a static IPv6 address and enter a prefix and Interface ID, if required.

NPS Configuration

Once the user account in Active Directory is configured with a static IP address assignment, each NPS server in the organization must be registered in Active Directory. More details on Active Directory registration for NPS servers can be found here.

Caveats

Assigning static IP addresses to VPN users has many drawbacks and limitations. Consider the following.

Device IP

Assigning a static IP address to a device is not supported. You can only assign a static IP address to a user in Active Directory.

Address Assignment

The IP address you assign to the user must be from the same subnet as the VPN server’s internal network interface. If there is more than one VPN server, all VPN servers must be on the same subnet.

Multisite

Assigning static IP addresses to users is not supported when VPN servers are deployed in multiple locations.

Concurrent Sessions

Users with a static IP address assignment must only log on to one device at a time. If a user attempts to log in to multiple devices simultaneously, subsequent connections will fail due to the duplicate IP address assignment.

NPS

Always On VPN administrators may have discovered the option to assign a static IP address using NPS policy. Unfortunately, this option is severely limited. A separate NPS policy is needed for each user that requires a static IP address. However, NPS does not support assigning NPS policies to users, only groups. Technically speaking, you could create a separate group for each user needing a static IP address, but that’s not scalable. Also, it offers no real advantage over using the Active Directory method described above.

Summary

Although it’s possible to assign a static IP address to a user, there is currently no option to assign a static IP address to a device. In addition, static IP address assignment imposes other limitations that make the option challenging. Also, the inability to connect to geographically dispersed VPN servers is severely limiting.

Additional Information

Always On VPN and NPS Active Directory Registration

Always On VPN Client IP Address Assignment Methods

Always On VPN and IPv6

Leave a comment
by Richard M. Hicks on February 19, 2024  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, Deployment, Enterprise, enterprise mobility, Infrastructure, IPv6, Microsoft, Mobility, multisite, network policy server, NPS, Operational Support, Remote Access, routing and remote access service, RRAS, Security, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , ,

Posted by Richard M. Hicks on February 19, 2024

https://directaccess.richardhicks.com/2024/02/19/always-on-vpn-static-ip-address-assignment/

Always On VPN and NPS AD Registration

Always On VPN Users Prompted for Certificate

Windows Server Network Policy and Access Services (NPAS, more commonly called NPS) is a popular solution used in Always On VPN deployments to support Active Directory authentication for user-based VPN connections. NPS is integrated with Active Directory to perform certificate-based authentication. With additional configuration, NPS can apply specific settings to an individual connection by reading the properties of the user’s AD account.

Dial-In Properties

Administrators can allow or deny network access, assign a static IP address, or assign a static route on a per-user basis. This information is defined on the Dial-In tab of the user account in Active Directory Users and Computers (dsa.msc).

Register in AD

Registering the NPS server in Active Directory is strictly optional. It is not required to perform user authentication. However, administrators must register the NPS server in Active Directory to assign connection properties per user. Active Directory registration for NPS allows the NPS server to read the properties of individual Active Directory user accounts. Active Directory registration for NPS is accomplished in one of several ways.

NPS Management Console

On each NPS server, open the NPS management console (nps.msc), right-click the server, and choose Register server in Active Directory.

Command Line

Administrators can register the NPS server in Active Directory by opening an elevated command window and running the following command.

netsh.exe nps add registeredserver <domain> <host>

Where <domain> is the Active Directory domain where you want to add the NPS server to the RAS and IAS Servers security group, and <host> is the hostname of the NPS server to register.

For example:

netsh.exe nps add registeredserver lab.richardhicks.net nps1

ADUC

Registering an NPS server in Active Directory does nothing more than add the NPS server to the RAS and IAS Servers domain security group. Administrators can open ADUC and add NPS servers to the group directly if required.

Note: Registering an NPS server in Active Directory using the NPS console or the command line adds the NPS server to the RAS and IAS Servers group in the domain to which the NPS server belongs. If user accounts are in a different domain, NPS servers must also be added to the RAS and IAS Servers group in those domains.

NPS Policy

In addition to registering the NPS server in Active Directory, administrators must ensure that the option to Ignore user account dial-in properties on the Network Policy used for Always On VPN is not checked.

Additional Information

Always On VPN and NPS Server Load Balancing

Always On VPN NPS Auditing and Logging

Always On VPN NPS RADIUS Configuration Missing

4 Comments
by Richard M. Hicks on February 6, 2024  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, Enterprise, enterprise mobility, extensible authentication protocol, Microsoft, Mobility, network policy server, NPS, Operational Support, PEAP, Remote Access, Security, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 6, 2024

https://directaccess.richardhicks.com/2024/02/06/always-on-vpn-and-nps-ad-registration/

« Older Posts