All posts in category PKI

Always On VPN at MMSMOA 2023

I’m excited to share that I’ve been invited to present at the popular Midwest Management Summit at Mall of America (MMSMOA) this year! The event takes place Monday, May 2, through Thursday, May 4, 2023.

Sessions

I will be delivering two talks at the event this year. One on Microsoft Always On VPN and Intune, the other on deploying certificate using Intune.

Always On VPN and Intune: Notes from the FieldTuesday, May 2 at 10:00 AM CDT

This session will cover all aspects of deploying and managing Always On VPN client configuration settings using Microsoft Intune.

Intune Certificate ManagementWednesday, May 3 at 10:00 AM CDT

This session will provide detailed configuration guidance and best practice recommendations for issuing on-premises enterprise PKI certificate using Microsoft Intune.

Attending MMS?

Will you be attending MMSMOA? Let’s connect! Drop in on my sessions, of course, but let’s plan to hang out! I will have copies of my book to give away too, so don’t miss out. Send me a note here or on Twitter, or just find me at the conference. Looking forward to seeing all of you soon!

Leave a comment
by Richard M. Hicks on April 11, 2023  •  Permalink
Posted in Always On VPN, AOVPN, certificates, Endpoint Manager, Enterprise, enterprise mobility, Intune Certificate Connector, Intune PFX Connector, learning, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, NDES, Network Device Enrollment Service, Network Device Enrollment Services, PFX Connector, PKI, PowerShell, public key infrastructure, Remote Access, SCCM, SCEP, Security, Simple Certificate Enrollment Protocol, System Center Configuration Manager, systems management, TPM, Trusted Platform Module, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Workshop
Tagged , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 11, 2023

https://directaccess.richardhicks.com/2023/04/11/always-on-vpn-at-mmsmoa-2023/

Always On VPN Ask Me Anything (AMA) March 2023

It’s that time again! Have questions about Always On VPN? Are you having a specific issue you can’t figure out? Need information about configuration options? Here’s your chance to get your questions answered! Join me next week on Thursday, March 23, 2023, at 10:00 AM PDT (UTC -7) for an opportunity to ask me anything (AMA!) about Microsoft Windows Always On VPN and related technologies.

The AMA will be an open forum session where we can all talk shop about Always On VPN. It’s a great chance to learn new things and share experiences with your peers. We’ll discuss known issues and limitations, best practices, and more.

Update: Missed the session? You can watch it here!

Everyone is welcome. Don’t miss out on this excellent opportunity to connect and learn. Register today!

Can’t make the session? Register anyway and I’ll send you the link to the recording as soon as it is availalbe!

3 Comments
by Richard M. Hicks on March 16, 2023  •  Permalink
Posted in Always On VPN, AMA, AOVPN, enterprise mobility, InTune, MDM, MEM, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, NPS, Operational Support, PKI, Remote Access, RRAS, Security, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Workshop
Tagged , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 16, 2023

https://directaccess.richardhicks.com/2023/03/16/always-on-vpn-ask-me-anything-ama-march-2023/

Always On VPN Authentication Failed Reason Code 16

Strong authentication is essential for remote access to on-premises resources over the public Internet. Using the Protected Extensible Authentication Protocol (PEAP) in combination with user certificates issued by the organization’s internal certification authority (CA) provides high assurance for remote user authentication. It includes the added benefit of making the Always On VPN connection completely seamless for the user, as their certificate is presented to the authentication server transparently during VPN connection establishment. Using PEAP with user certificates is the recommended authentication method for Always On VPN deployments.

Reason Code 16

When configuring Always On VPN to use PEAP with client authentication certificates, administrators may encounter a scenario in which a user has a valid certificate. Yet, their authentication request is rejected by the Network Policy Server (NPS) server when attempting to connect remotely. Looking at the Security event log on the NPS server, administrators will find a corresponding event ID 6273 in the Network Policy Server task category from the Microsoft Windows security auditing event source. In the Authentication Details section, you’ll find that the reason code for the failed request is Reason Code 16, with the following reason specified.

“Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect”.

Password Incorrect?

The reason code indicates the user may have entered an incorrect password. However, the user does not enter their password when using PEAP with client authentication certificates, so there’s no chance the password was entered incorrectly.

TPM

I have increasingly encountered this scenario with many customers deploying Always On VPN over the last year or so. This error is often caused by a known issue with older TPM models. Specifically, those with a TPM specification sub-version of 1.16 and earlier. You can view these TPM details by opening the Windows Settings app and entering ‘security processor’ in the search field.

Workaround

These older TPM models seem to have an issue with RSA-PSS signature algorithms, as described here. If possible, administrators should upgrade devices with older TPM versions to ensure the highest level of security and assurance for their remote users. However, in cases where that is not feasible, administrators can remove RSA-PSS signature algorithms from the registry, which forces the use of a different signature algorithm and seems to restore functionality.

To do this, open the registry editor (regedit.exe) and navigate to the following registry key.

HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\
Configuration\Local\SSL\00010003\

Double-click the Functions entry and remove the following algorithms from the Value data section.

  • RSAE-PSS/SHA256
  • RSAE-PSS/SHA384
  • RSAE-PSS/SHA512

Once complete, reboot the device and test authentication once again.

Intune Proactive Remediation

Administrators using Intune Proactive Remediation will find detection and remediation scripts to make these changes published on GitHub.

Detect-RsaePss.ps1

Remediate-RsaePss.ps1

Additional Information

Windows TPM 2.0 Client Authentication in TLS 1.2 with RSA PSS

Always On VPN NPS Auditing and Logging

Always On VPN NPS RADIUS Configuration Missing

Always On VPN NPS Load Balancing

11 Comments
by Richard M. Hicks on February 13, 2023  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, certificates, Cryptography, EAP, Encryption, Enterprise, enterprise mobility, Microsoft, Mobility, network policy server, NPS, Operational Support, PEAP, PKI, public key infrastructure, Remote Access, Security, TPM, troubleshooting, Trusted Platform Module, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 13, 2023

https://directaccess.richardhicks.com/2023/02/13/always-on-vpn-authentication-failed-reason-code-16/

« Older Posts
Newer Posts »