All posts in category PEAP

Always On VPN and NPS AD Registration

Always On VPN Users Prompted for Certificate

Windows Server Network Policy and Access Services (NPAS, more commonly called NPS) is a popular solution used in Always On VPN deployments to support Active Directory authentication for user-based VPN connections. NPS is integrated with Active Directory to perform certificate-based authentication. With additional configuration, NPS can apply specific settings to an individual connection by reading the properties of the user’s AD account.

Dial-In Properties

Administrators can allow or deny network access, assign a static IP address, or assign a static route on a per-user basis. This information is defined on the Dial-In tab of the user account in Active Directory Users and Computers (dsa.msc).

Register in AD

Registering the NPS server in Active Directory is strictly optional. It is not required to perform user authentication. However, administrators must register the NPS server in Active Directory to assign connection properties per user. Active Directory registration for NPS allows the NPS server to read the properties of individual Active Directory user accounts. Active Directory registration for NPS is accomplished in one of several ways.

NPS Management Console

On each NPS server, open the NPS management console (nps.msc), right-click the server, and choose Register server in Active Directory.

Command Line

Administrators can register the NPS server in Active Directory by opening an elevated command window and running the following command.

netsh.exe nps add registeredserver <domain> <host>

Where <domain> is the Active Directory domain where you want to add the NPS server to the RAS and IAS Servers security group, and <host> is the hostname of the NPS server to register.

For example:

netsh.exe nps add registeredserver lab.richardhicks.net nps1

ADUC

Registering an NPS server in Active Directory does nothing more than add the NPS server to the RAS and IAS Servers domain security group. Administrators can open ADUC and add NPS servers to the group directly if required.

Note: Registering an NPS server in Active Directory using the NPS console or the command line adds the NPS server to the RAS and IAS Servers group in the domain to which the NPS server belongs. If user accounts are in a different domain, NPS servers must also be added to the RAS and IAS Servers group in those domains.

NPS Policy

In addition to registering the NPS server in Active Directory, administrators must ensure that the option to Ignore user account dial-in properties on the Network Policy used for Always On VPN is not checked.

Additional Information

Always On VPN and NPS Server Load Balancing

Always On VPN NPS Auditing and Logging

Always On VPN NPS RADIUS Configuration Missing

4 Comments
by Richard M. Hicks on February 6, 2024  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, Enterprise, enterprise mobility, extensible authentication protocol, Microsoft, Mobility, network policy server, NPS, Operational Support, PEAP, Remote Access, Security, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 6, 2024

https://directaccess.richardhicks.com/2024/02/06/always-on-vpn-and-nps-ad-registration/

Microsoft Intune Certificate Connector Failure

The Microsoft Intune Certificate Connector enables the provisioning and de-provisioning of on-premises PKI certificates for Intune-managed devices. Always On VPN administrators using Intune to deploy certificates with the Intune Certificate Connector using either PKCS or SCEP may encounter a scenario where certificates are no longer being provisioned to users or devices after working reliably previously.

Certificate Not Found

When this issue occurs, users will no longer be able to access the VPN and receive a “certificate could not be found that can be used with this Extensible Authentication Protocol” error message.

Connector Status

To determine the status of the Intune Certificate Connector, open the Microsoft Intune Admin Center (https://intune.microsoft.com) and navigate to Tenant Administration > Connectors and Tokens > Certificate Connectors. The status of the certificate connector server will be in Error.

Event Log

Open the event log on the server where the Intune Certificate Connector is installed. Navigate to Applications and Services Logs > Microsoft > Intune > CertificateConnectors > Operational. Here, you will find a variety of warning and error messages.

Event ID 5001

This is a warning from the CertificateConnectors source with event ID 5001 in the Task Category HealthMessageUploadFailedAttempt with the following details.

PKI Create Service:

Failed to upload health messages. Requeuing messages.

Event ID 1003

This is an error from the CertificateConnectors source with event ID 1003 in the Task Category PkcsDownloadFailure with the following details.

PKI Create Service:

Failed to download PKCS requests.

Event ID 2

This is an error from the CertificateConnectors source with event ID 2 in the Task Category Exception with the following details.

PKI Create Service:

Microsoft.Intune.Connectors.PkiCreateProcessor.Process threw an exception.

Expired Certificate

The warning and error messages recorded in the event log indicate an expired certificate on the Intune Certificate Connector server. Open the local computer certificate store (certlm.msc) on the server where the Intune Certificate Connector is installed. Review the expiration date of the certificate issued by Microsoft Intune ImportPFX Connector CA. It is most likely expired.

Click on the Certification Path tab to view the certificate status.

Renew Certificate

To renew this certificate, you must reinstall the Intune Certificate Connector. However, you do not have to uninstall it first. To renew the certificate, navigate to C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI and double-click on PFXCertificateConnectorUI.exe. Follow the prompts without making changes to the existing configuration. You’ll be prompted for the service account password (if using a domain account) and proxy credentials (if using a proxy server). In addition, you’ll be asked to sign in to Entra ID (formerly Azure AD). Be sure to provide credentials that are a global administrator and have an Intune license assigned. Once the process is complete, a new certificate will be installed in the local computer certificate store.

Intune Configuration

After updating the Intune Certificate Connector, a new certificate connector appears in the Intune Admin Center. You can now safely delete the old connector and rename the new one accordingly.

Redundancy

Deploying multiple instances of the Intune Certificate Connector is an excellent way to avoid future outages! It’s also a good idea to stagger their installation by a few months to ensure that a future certificate expiration doesn’t result in lost functionality. If you’ve deployed Intune Certificate Connectors recently, consider updating them at rotating intervals so certificates expire at different times.

Additional Information

Intune Certificate Connector Configuration Failed

Intune Certificate Connector Service Account and PKCS

Intune Certificate Connector Configuration Failure

Microsoft Intune Learning Resources for Always On VPN Administrators

Leave a comment
by Richard M. Hicks on November 27, 2023  •  Permalink
Posted in Active Directory Certificate Services, AD CS, administration, Always On VPN, AOVPN, authentication, Azure, Azure Active Directory, Azure AD, Certificate Connector for Intune, Certificate Services, certificates, cloud, Device Management, EAP, Endpoint Manager, Enterprise, enterprise mobility, Entra, Entra ID, extensible authentication protocol, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, Network Device Enrollment Service, Network Device Enrollment Services, Operational Support, PEAP, PFX Connector, PKCS, PKI, Protected EAP, public cloud, public key infrastructure, Remote Access, SCEP, Simple Certificate Enrollment Protocol, systems management, troubleshooting, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 27, 2023

https://directaccess.richardhicks.com/2023/11/27/microsoft-intune-certificate-connector-failure/

Always On VPN November 2023 Security Updates

Microsoft has released its security updates for November 2023. For Always On VPN administrators, it’s a light month, with just a single CVE affecting Always On VPN infrastructure.

PEAP

CVE-2023-36028 addresses a remote code execution (RCE) vulnerability in the Microsoft Protected Extensible Authentication Protocol (PEAP). An attacker could exploit this vulnerability by sending a specially crafted PEAP packet to a Windows Network Policy Server (NPS). This attack does not require authentication or user interaction.

Affected Systems

This PEAP vulnerability affects only NPS servers configured to support PEAP authentication explicitly. PEAP authentication is a best practice configuration for Always On VPN deployments and is widely deployed. NPS servers deployed to support other services, such as Wi-Fi or router and switch access that are configured to allow PEAP authentication, are also affected.

Exposure

NPS servers are not (or should not be!) exposed directly to the public Internet. This limits the attack surface to adversaries already on the internal network.

Mitigation

Microsoft suggests disabling PEAP authentication support on NPS servers until the update is applied. However, this would break the majority of Always On VPN deployments today. Since disabling PEAP isn’t a viable option, administrators can reduce their attack surface by updating the NPS firewall rules to restrict access only to authorized VPN servers or other network devices until their systems are fully updated.

Additional Information

November 2023 Security Updates

CVE-2023-36028 PEAP Remote Code Execution Vulnerability

4 Comments
by Richard M. Hicks on November 14, 2023  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, CVE, EAP, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, network policy server, NPS, Operational Support, PEAP, Protected EAP, Remote Access, Security, Security Update, Update, user tunnel, VPN, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 14, 2023

https://directaccess.richardhicks.com/2023/11/14/always-on-vpn-november-2023-security-updates/

« Older Posts