All posts in category ProfileXML

Always On VPN Servers and Failover

When configuring Microsoft Always On VPN, one of the first and most crucial settings is defining the public hostname of the VPN server to which clients connect. If you’re deploying Always On VPN client configuration settings using Intune—either with the native VPN policy template or a custom XML profile—you’ll see that multiple server entries are supported. Intune even allows administrators to define a “default server.” At first glance, this might suggest that the client will try the default server first and automatically fail over to the others if it’s unavailable. Unfortunately, that’s not how it works.

Intune VPN Template

When using the native Intune VPN device configuration template, administrators will find multiple entry fields for the servers in the Base VPN section.

In the example below, the Global VPN entry is marked as ‘default’.

Custom XML

When defining VPN settings using XML configuration, administrators can also list multiple servers.

Interestingly, the VPNv2 CSP used by custom XML profiles doesn’t support the concept of a “default server” at all.

How It Really Works

Defining multiple servers in the Always On VPN profile does not enable automatic failover. The client connects only to the first server in the list. The so-called “default server” setting in Intune is ignored, and the GUI even allows you to mark all servers as default, which is meaningless.

However, the configuration isn’t entirely useless. If you define multiple servers, they’ll appear on the client side as manual options. If the first server becomes unavailable, the user can open the Settings app, navigate to the advanced settings of the Always On VPN profile, and select an alternate server to connect manually.

Summary

Although Intune and XML configurations allow multiple VPN servers, Always On VPN does not provide automatic failover. Clients only attempt to connect to the first server in the list, and the “default server” setting in Intune has no effect. Multiple entries are still useful, but only for manual server selection by end-users when the primary server is down. For true automated high availability and redundancy, consider an external solution such as Azure Traffic Manager.

Additional Information

Always On VPN Multisite with Azure Traffic Manager

1 Comment
by Richard M. Hicks on September 8, 2025  •  Permalink
Posted in administration, Always On VPN, AOVPN, Azure Traffic Manager, Deployment, Device Management, device tunnel, Enterprise, enterprise mobility, Geographic Redundnacy, global server load balancer, High Availability, InTune, Load Balancing, Microsoft, Microsoft Intune, Mobile Device Management, Mobility, OMA-DM, OMA-URI, Operational Support, ProfileXML, Remote Access, System Center Configuration Manager, systems management, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on September 8, 2025

https://directaccess.richardhicks.com/2025/09/08/always-on-vpn-servers-and-failover/

Always On VPN DPC 5.2.0 Now Available

I’m pleased to announce that Always On VPN Dynamic Profile Configurator (DPC) version 5.2.0 is now available. My good friend Leo D’Arcy has been hard at work for the last few months squashing some bugs and adding a few new features to DPC. If you are running a previous release of Always On VPN DPC, either open source or commercial, it’s time to upgrade.

Important!! DPC 5.2.0 has a bug that prevents the service from stopping. This has been addressed in DPC 5.2.1. Guidance for upgrading from DPC 5.2.0 to 5.2.1 can be found here.

Reminder: We’re on Discord. Join the conversation today!

What’s New in DPC 5.2.0

Always On VPN DPC 5.2.0 has some compelling new features.

  • Exclude Routes from DNS – DPC has a feature that allows administrators to add routes to the routing table using DNS. When this setting is enabled, DPC will attempt to resolve the specified hostname to an IP address and add it to the VPN’s routing table when creating the profile. With 5.2.0, this capability has been extended to exclusion routes, allowing administrators to exclude resources by host name.
  • Write Event Logs to Disk – This setting allows administrators to optionally write DPC event information to a text file in addition to logging them in the event log. Writing event log information to a text file on disk can make troubleshooting easier in some scenarios.
  • Delay Profile Updates – This new feature ensures reliable VPN profile creation after group policy updates take place.

Bug Fixes

In addition to new capabilities, Always On VPN DPC 5.2.0 includes fixes for many outstanding issues.

  • DPC name resolution issue where duplicate IP addresses are returned, resulting in failed route additions when using ‘Allow Routes from DNS’.
  • Missing events in the DPC operational event log.
  • Enabling ‘Disable Disconnect Button’ or ‘Disable Advanced Edit Button’ settings results in a profile mismatch warning.
  • Added resiliency to DPC name resolution when one or more name resolution requests fail.

Group Policy Template

As a reminder, any time there are new features in DPC, there will be corresponding changes to Group Policy administrative template and template language files. Be sure to update your ADMX and ADML files in the group policy central store to take advantage of these new capabilities in DPC 5.2.0.

Recommendation

If you are running any release of Always On VPN DPC, commercial or open source, consider upgrading now to gain access to new features and operational reliability improvements. You can find DPC v5.2.0 on GitHub here.

Additional Information

Always On VPN DPC v5.2.0 Available Now

Always On VPN Dynamic Profile Configurator (DPC)

Always On VPN DPC Now Open Source

Migrating from Always On VPN DPC Commercial to Open Source

Always On VPN DPC with Microsoft Intune

Microsoft Always On VPN on Discord

Always On VPN DPC

Leave a comment
by Richard M. Hicks on August 12, 2025  •  Permalink
Posted in administration, Always On VPN, AOVPN, AovpnDPC, Device Management, device tunnel, Discord, DNS, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, Group Policy, Microsoft, Mobility, Name Resolution, Open Source, Operational Support, ProfileXML, Remote Access, systems management, troubleshooting, Update, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , ,

Posted by Richard M. Hicks on August 12, 2025

https://directaccess.richardhicks.com/2025/08/12/always-on-vpn-dpc-5-2-0-now-available/

Always On VPN and SQL Target Principal Name Incorrect

Microsoft Always On VPN provides seamless and transparent remote access to corporate applications and data. In most cases, accessing resources over the VPN works the same as on-premises. However, a few folks have asked recently about an issue they found when using the SQL Server Management Studio (SMSS) to connect to a remote SQL server over Always On VPN.

Principal Name Incorrect

Administrators may encounter the following error message when using SMSS to connect to Microsoft SQL servers over an Always On VPN connection.

“The target principal name is incorrect. Cannot generate SSPI context. (Microsoft SQL Server)”

Resolution

There are a few different ways to resolve this issue. Choose the option that works best in your environment.

VPN Configuration

For Always On VPN deployments with Windows 11 24H2 and later clients, add the following setting to your XML configuration file.

<UseRasCredentials>false</UseRasCredentials>

For clients older than Windows 11 24H2, you must edit the rasphone.pbk file setting as follows.

UseRasCredentials=0

Group Policy

Optionally, a Group Policy Object (GPO) can be created and applied to target endpoints. For testing, you can enable this setting using the local group policy editor (gpedit.msc). Using either method, enable the following group policy setting.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Do not allow storage of passwords and credentials for network authentication = Enabled

Registry Editor

This method can be used for local testing. Open the Windows Registry Editor (regedit.exe) on a test client and create the following entry.

Key = HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Name = DisableDomainCreds
Type = DWORD
Value = 1

PowerShell

The following PowerShell command will also create the required registry entry. Administrators can run the command interactively or deploy it via automation.

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Lsa’ -Name DisableDomainCreds -Value 1

Additional Information

Always On VPN Short Name Access Failure

1 Comment
by Richard M. Hicks on February 13, 2025  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, Certificate Authentication, Deployment, Device Management, Enterprise, enterprise mobility, Group Policy, InTune, Kerberos, Microsoft, Microsoft Intune, Mobile Device Management, Mobility, Operational Support, PowerShell, ProfileXML, Remote Access, Remote Administration, RSAT, Security, SMSS, SQL, SQL Server, SQL Server Management Studio, troubleshooting, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 13, 2025

https://directaccess.richardhicks.com/2025/02/13/always-on-vpn-and-sql-target-principal-name-incorrect/

« Older Posts