Always On VPN Authentication Failure After February 2025 Security Update

Microsoft introduced changes to Windows domain controllers in the February 2025 security update that may result in authentication failures for Always On VPN user tunnel connections. If you suddenly find that all your Always On VPN user tunnel connections fail, additional changes may be required to resolve the issue.

Authentication Failure

Administrators may find that Always On VPN connections fail after applying the February 2025 Microsoft security updates. Specifically, users may receive the following warning message.

“The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid.”

Error 853

Administrators will also find a corresponding event log entry with event ID 20227 from the RasClient source with the following error message.

“The user <username> dialed a connection named <connection name> which has failed. The error code returned on failure is 853.”

NPS Events

The event log on the NPS server will also record event ID 6273 from the Microsoft Windows security auditing source with the following error message.

“Network Policy Server denied access to a user.”

The authentication details of the event include Reason Code 16 with the following reason.

“Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.”

DC Events

If the issue is related to changes implemented to domain controllers in the February 2025 security update, administrators will also find a corresponding event log entry on a domain controller with event ID 39 from the Kerberos-Key-Distribution-Center source with the following error message.

“The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping.”

Root Cause

The above conditions indicate that a user attempted to authenticate to the VPN with a certificate that was not strongly mapped. Most likely, the certificate was issued using Microsoft Intune with SCEP or PKCS. This results from changes made to domain controllers in the February 2025 security update that requires certificates used for Active Directory authentication to be strongly mapped. Until now, domain controllers allowed access and only logged an event in the event log when a certificate did not include strong certificate mapping. The February 2025 security update now enforces strong certificate mapping, and authentication requests will fail without it.

Resolution

Administrators must issue new certificates that are strongly mapped to resolve this issue. For certificates issued with PKCS, changes are required on the Intune Certificate Connector server before re-issuing. For certificates issued with SCEP, changes to the device configuration policy are required. See the post Strong Certificate Mapping for Intune PKCS and SCEP Certificates for more details.

Workaround

Re-issuing certificates takes time. To restore connectivity immediately, administrators can implement the following registry settings on all domain controllers to switch back to audit mode and allow authentication without strong certificate mapping.

Key: HKLM:\SYSTEM\CurrentControlSet\Services\Kdc
Name: StrongCertificateBindingEnforcement
Type: DWORD
Value: 1

I recommend deploying this setting via GPO assigned to the Domain Controllers OU. However, you can also implement this change using PowerShell if necessary.

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\Kdc’ -Name ‘StrongCertificateBindingEnforcement’ -PropertyType DWORD -Value 1 -Force

Additional Information

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

Strong Certificate Mapping Enforcement February 2025

Certificate-Based Authentication Changes and Always On VPN

Intune Strong Certificate Mapping Error

Strong Certificate Mapping Error with PKCS

Always On VPN and SQL Target Principal Name Incorrect

Microsoft Always On VPN provides seamless and transparent remote access to corporate applications and data. In most cases, accessing resources over the VPN works the same as on-premises. However, a few folks have asked recently about an issue they found when using the SQL Server Management Studio (SMSS) to connect to a remote SQL server over Always On VPN.

Principal Name Incorrect

Administrators may encounter the following error message when using SMSS to connect to Microsoft SQL servers over an Always On VPN connection.

“The target principal name is incorrect. Cannot generate SSPI context. (Microsoft SQL Server)”

Resolution

There are a few different ways to resolve this issue. Choose the option that works best in your environment.

VPN Configuration

For Always On VPN deployments with Windows 11 24H2 and later clients, add the following setting to your XML configuration file.

<UseRasCredentials>false</UseRasCredentials>

For clients older than Windows 11 24H2, you must edit the rasphone.pbk file setting as follows.

UseRasCredentials=0

Group Policy

Optionally, a Group Policy Object (GPO) can be created and applied to target endpoints. For testing, you can enable this setting using the local group policy editor (gpedit.msc). Using either method, enable the following group policy setting.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Do not allow storage of passwords and credentials for network authentication = Enabled

Registry Editor

This method can be used for local testing. Open the Windows Registry Editor (regedit.exe) on a test client and create the following entry.

Key = HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Name = DisableDomainCreds
Type = DWORD
Value = 1

PowerShell

The following PowerShell command will also create the required registry entry. Administrators can run the command interactively or deploy it via automation.

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Lsa’ -Name DisableDomainCreds -Value 1

Additional Information

Always On VPN Short Name Access Failure

Always On VPN and Entra Conditional Access

Microsoft recently introduced Entra Private Access, an identity-centric Zero Trust Network Access (ZTNA) solution to provide secure remote access to on-premises resources. With Entra Private Access, administrators can leverage Entra Conditional Access to enforce policy-based access control for network access. However, Entra Private Access isn’t for everyone. It does not provide full feature parity with Always On VPN, and there are also licensing considerations. However, for those organizations using Always On VPN, the good news is that you can integrate Entra Conditional Access with Always On VPN today to gain some of the security benefits it provides.

Conditional Access

Microsoft Entra Conditional Access is a security feature that enables administrators to create and enforce policies that specify how users can access resources. In the specific case of Always On VPN, conditional access is critical to ensuring legitimate access to authenticated users on authorized devices.

Signals

Conditional access policies use a wide variety of signals for policy enforcement, such as:

  • User Identity: Who is making this access request?
  • User Properties: Is this user a member of a specific group?
  • Location: Where is this access request originating?
  • Device Management: Is this device joined to Entra ID?
  • Device State: Is this device compliant with security policies?
  • Device Platform: Is this a Windows device?
  • Risk Level: Is this login considered risky?

Access Control

Based on these signals, administrators can design a conditional access policy to enforce granular access control, such as:

  • Grant access only from managed devices
  • Deny access from untrusted locations
  • Require additional context-based authentication (e.g., multifactor authentication)
  • Enforce specific authentication types (e.g., phishing-resistant credentials)
  • Allow access only from specific device platforms (e.g., Windows only)
  • Require Entra hybrid-joined device
  • Block access when a device is not compliant with security policies

Always On VPN

Entra Conditional Access works with Always On VPN by issuing a special, short-lived user authentication certificate once the user has been authorized. The Always On VPN infrastructure can be configured to use this certificate to grant access to the VPN. Integrating conditional access with Always On VPN can significantly improve the security posture of organizations using this feature.

Deployment Guide

I’ve published a detailed, step-by-step deployment guide to configure Entra conditional access for Always On VPN. In addition, I have posted a demonstration video for enabling Entra conditional access with Aways On VPN on YouTube.

Additional Information

Microsoft Entra Conditional Access Overview

Configure Entra Conditional Access for Always On VPN