All posts in category public cloud

Intune Certificate Connector Configuration Failed

Troubleshooting Always On VPN Error 691 and 812 – Part 2

The Microsoft Intune Certificate Connector must be deployed on-premises to provision and manage enterprise PKI certificates using Intune. The Intune Certificate Connector supports the deployment of SCEP, PKCS, PKCS imported certificates, or any combination of these. The connector can be configured to run under the SYSTEM account or optionally (and recommended) a domain service account. When using a service account, the service account must have permission to log on as a service on the server where the Intune Certificate Connector server.

Access is Denied

Even when all prerequisites are met, administrators may still find the installation of the Intune Certificate Connector fails with the following error message.

“Configuring Microsoft Intune Certificate Connector failed. No changes were made to Feature or Proxy settings. Please try again.”

“Unexpected Failure. Error: System.lnvalidOperationException: Cannot open PFXCertificateConnectorSvc service on computer ‘.’ System.ComponentModel.Win32Exception: Access is denied”

Workaround

After the connector installation fails, open the file explore and navigate to C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI. Right-click PFXCertificateConnectorUI.exe and choose ‘Run as administrator’.

Run through the connector installation wizard again, and it should install without issue.

To avoid this problem for future Intune Certificate Connector deployments, administrators can right-click the Intune Certificate Connector installer (IntuneCertificateConnector.exe) and choose ‘Run as administrator’.

Additional Information

Microsoft Intune Certificate Connector Configuration Failure (Part 1)

Microsoft Intune Certificate Connector Service Account and PKCS

Microsoft Intune Learning Resources for Always On VPN Admins

Microsoft Intune Certificate Connector Overview

Intune Certificate Connector Service Account and PKCS

Microsoft Always On VPN administrators have two choices when deploying enterprise PKI certificates using Intune; PKCS and SCEP. I prefer using PKCS because it is easier to configure and manage. Also, PKCS requires no inbound connectivity, simplifying the deployment and reducing the organization’s public attack surface. Provisioning certificates using Intune is inherently risky. However, there are some steps administrators can take to mitigate much of this risk.

PKCS Security

The service account is the most critical aspect of configuring the Intune Certificate Connector for PKCS securely. The service account has permission to enroll for an exceedingly dangerous published certificate template. Specifically, the PKCS certificate template has the deadly combination of supplying the subject information in the request, and the Client Authentication enhanced key usage (EKU). Further, the scenario does not allow administrative approval to be enabled on the certificate template. If an attacker were to gain access to this certificate template, they could enroll as any principal they chose, including a domain administrator, and their request would be processed automatically. Subsequently, they could authenticate to Active Directory using only the certificate without knowing the account’s password.

Service Account

Using a Group Managed Service Account (GMSA) would be ideal in this scenario. However, the Intune Certificate Connector does not support using GMSA when using PKCS. With that, administrators must use a regular domain service account instead, which introduces additional risk. To enhance the overall security of the solution, consider performing the following PKCS service account hardening tasks when using the Intune Certificate Connector to issue PKCS certificates with Intune.

Standard User

The service account should be a standard domain user with no special privileges. The service should be dedicated to PKCS and not shared with other services in the enterprise. Create the account from scratch (do not duplicate another account!), and use a long, complex password. Document this password securely. In addition, ensure the PKCS service account is not a member of any other security groups. It does not require local administrator access, either.

Account Hardening

After creating the service account, click the Log On To button and ensure the account can only log on to the server(s) where you have installed the Intune Certificate Connector.

Next, check the box next to Account is sensitive and cannot be delegated in the Account options section.

In addition, select the option Deny access in the Network Access Permission section of the Dial-In properties page.

Finally, uncheck Enable remote control on the Remote control properties page.

Local Access Rights

Open the Local Group Policy Editor (gpedit.msc) on each server where you installed the Intune Certificate Connector. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Enable the following policy settings for the PKCS service account.

Deny access to this computer from the network
Deny log on as a batch job
Deny log on locally
Deny log on through Remote Desktop Services

Optionally these settings can be enforced on the Intune Certificate Connector server using Active Directory group policy.

Disclaimer

I am not an Active Directory security expert! The guidance provided here is based on my many years of Windows administrative experience, conversations with Identity and Access security professionals, and published guidance found on the Internet. If you have suggestions to further improve service account security, don’t hesitate to let me know! Please share in the comments, below.

Additional Information

Overview of the Certificate Connector for Microsoft Intune

Configure and use PKCS Certificates with Microsoft Intune

Microsoft Intune Certificate Connector Service Account Requirements

9 Tips for Preventing Active Directory Servie Accounts Misuse

How to Manage and Secure Service Accounts

Always On VPN DPC with Intune

In the past, I’ve written about PowerON Platforms’ Always On VPN Dynamic Profile Configurator (DPC), a software solution administrators can use to provision and manage Always On VPN client configuration settings using Active Directory and group policy. In addition to streamlining the deployment and management of Always On VPN client settings, DPC has many advanced features and capabilities to ensure optimal security, performance, and connection reliability.

Optimizations

Many settings required to fine-tune and optimize Always On VPN connections are not exposed in the Intune UI or XML. They must be configured by manipulating configuration files, setting registry keys, and running PowerShell commands. Much of this can be automated using Intune Proactive Remediation, but it is far from ideal. Administrators must configure Always On VPN using one method, then deploy optimizations using another. In addition, Proactive Remediation suffers from timing issues where some settings are not applied immediately, resulting in degraded or inoperable VPN connections until changes take effect.

Always On VPN DPC

Always On VPN DPC allows administrators to configure many advanced settings quickly and conveniently using the familiar Group Policy Management console (gpmc.msc). DPC dramatically reduces the administrative burden associated with Always On VPN client management. In addition, DPC enables many of these options by default, ensuring optimal security and reliable operation. Also, DPC immediately implements all configuration settings, eliminating the need to reboot to apply configuration changes.

Intune and ADMX

Historically, Always On VPN DPC could only be used when managing endpoints exclusively with Active Directory group policy. However, DPC can now be used with Microsoft Endpoint Manager/Intune thanks to a new feature that allows administrators to import custom ADMX and ADML administrative templates to Microsoft Endpoint Manager (MEM).

Note: This feature is in public preview at the time of this writing.

DPC and Intune

The combination of DPC and Intune brings with it many advantages. Using DPC with Microsoft Endpoint Manager/Intune offers administrators simplified deployment and many advanced features provided by Always On VPN DPC. In addition, customers who have deployed DPC on-premises can now migrate seamlessly to Microsoft Endpoint Manager/Intune management without giving up DPC’s valuable features.

Learn More

Enter your contact details in the form below for more information regarding Always On VPN DPC. Also, visit https://aovpndpc.com/ to register for a free Always On VPN DPC trial.

Additional Information

Always On VPN with Active Directory Group Policy

Introduction to Always On VPN DPC

Always On VPN DPC Advanced Features

Always On VPN DPC Video Demonstrations

What’s New in Always On VPN DPC v3.0

Always On VPN DPC Free Trial

2 Comments

by Richard M. Hicks on October 10, 2022 • Permalink

Posted by Richard M. Hicks on October 10, 2022

https://directaccess.richardhicks.com/2022/10/10/always-on-vpn-dpc-with-intune/

Richard M. Hicks Consulting, Inc.

Awards

Pluralsight

Consulting

Newsletter

All posts in category public cloud

Intune Certificate Connector Configuration Failed