Microsoft Always On VPN provides seamless and transparent remote access to corporate applications and data. In most cases, accessing resources over the VPN works the same as on-premises. However, a few folks have asked recently about an issue they found when using the SQL Server Management Studio (SMSS) to connect to a remote SQL server over Always On VPN.
Principal Name Incorrect
Administrators may encounter the following error message when using SMSS to connect to Microsoft SQL servers over an Always On VPN connection.
“The target principal name is incorrect. Cannot generate SSPI context. (Microsoft SQL Server)”
Resolution
There are a few different ways to resolve this issue. Choose the option that works best in your environment.
VPN Configuration
For Always On VPN deployments with Windows 11 24H2 and later clients, add the following setting to your XML configuration file.
<UseRasCredentials>false</UseRasCredentials>
For clients older than Windows 11 24H2, you must edit the rasphone.pbk file setting as follows.
UseRasCredentials=0
Group Policy
Optionally, a Group Policy Object (GPO) can be created and applied to target endpoints. For testing, you can enable this setting using the local group policy editor (gpedit.msc). Using either method, enable the following group policy setting.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Do not allow storage of passwords and credentials for network authentication = Enabled
Registry Editor
This method can be used for local testing. Open the Windows Registry Editor (regedit.exe) on a test client and create the following entry.
Key = HKLM\SYSTEM\CurrentControlSet\Control\Lsa Name = DisableDomainCreds Type = DWORD Value = 1
PowerShell
The following PowerShell command will also create the required registry entry. Administrators can run the command interactively or deploy it via automation.
Always On VPN Dynamic Profile Configurator (DPC) is a software solution that enables administrators to deploy and manage Always On VPN client configuration settings using Active Directory and Group Policy or Microsoft Intune. DPC began life as a commercial product. Recently, DPC has been released to the public via open source. DPC open source allows administrators everywhere to deploy the solution without cost. If you’re not using DPC today, I’d strongly recommend it. If you were previously a DPC commercial customer, you’ll want to migrate to DPC open source soon.
Migrating from DPC commercial to open source requires the administrator to deploy a Group Policy Object (GPO) and client software in a specific order to avoid disruption to end users. Perform the following steps to complete the migration.
GPO Files
Download the DPC v5.0 (open source) group policy settings file (ADMX) file here and the language definition (ADML) file here.
After downloading the files, copy dpc.admx to the following location.
Once complete, allow domain controller replication to finish before deploying DPC group policy settings.
New GPO
Create a new GPO that will contain the VPN client configuration settings. Do NOT copy the original DPC commercial GPO. Starting with a blank GPO is best to ensure proper operation and prevent conflicts. Also, please note the location for DPC settings has changed. The new location for DPC v5.0 settings is:
You can now link the GPO to the applicable OU(s) or complete this task before deploying the new software.
Migration Tool
The easiest way to migrate from DPC commercial to open source is to migrate the settings from the current GPO to a new one. A PowerShell script is available to simplify this task. You can download the Migrate-DpcConfig.ps1 PowerShell script here.
Note: It is not strictly required to migrate your current settings from DPC commercial. Although this migration script makes importing settings easier, nothing prevents you from creating a new GPO for DPC open source and starting from scratch if you wish.
Prerequisites
The PowerShell migration script requires the installation of the Remote Server Administration Tools (RSAT). Specifically, the Group Policy Management tools are needed. Although it’s possible to run this script on a domain controller, it is not recommended. The best practice is to install the RSAT tools on an administrative workstation or server.
You can install the necessary RSAT feature on Windows 11 by opening an elevated PowerShell or command window and running the following command.
On Windows Server, you can install the Group Policy Management tools by opening an elevated PowerShell command window and running the following command.
Install-WindowsFeature -Name GPMC
Once complete, restart the server to complete the installation process.
Import Settings
To migrate the DPC settings, open an elevated PowerShell command window and run the following command.
.\Migrate-DpcSetting.ps1 -PreviousGPOName <name of old DPC GPO> -NewGPOName <name of new DPC GPO>
For example,
.\Migrate-DpcSetting.ps1 -PreviousGPOName ‘Always On VPN DPC’ -NewGPOName ‘Always On VPN DPC – Open Source’
Apply GPO
If not done earlier, link the new DPC open-source GPO to the applicable OU(s). Do NOT unlink or delete the old GPO until all endpoints have been upgraded to the DPC v5.0 client.
Install Software
Once the new GPO has been configured and applied in Active Directory, the next step is to upgrade the DPC commercial client to the DPC open source client (v5.0). Software can be deployed via GPO using Active Directory software installation, SCCM, or any other method you use in your environment to deploy software. No switches or additional parameters are required to perform the upgrade. Simply run the .MSI file on the device, and the upgrade will occur automatically.
Important Note: Administrators must ensure that the new GPO settings are applied to the endpoint before installing the DPC v5.0 client.
Clean Up
After all endpoints have been upgraded to DPC v5.0, administrators can remove the DPC commercial GPO from AD. In addition, the commercial DPC ADMX and ADML files can be removed from domain controllers if desired.
Need Help?
If you’d like assistance migrating DPC commercial to open source, please don’t hesitate to reach out! I’m available to answer questions or provide remote assistance if necessary. You can reach me on the DPC-Chat channel on Discord here. Alternatively, you can fill out the form below, and I’ll provide more information.
A while back, I wrote about the monitoring and reporting options for Windows Server Routing and Remote Access (RRAS) servers supporting Microsoft Always On VPN. In that article, I outlined how administrators can use the Routing and Remote Access Management console (rrasmgmt.msc) or the Remote Access Management console (ramgmtui.exe) to perform configuration tasks and review current user and device activity. However, neither solution is ideal in a distributed environment with multiple RRAS servers. Thankfully, there’s a new option available to address this crucial limitation today.
Centralized Reporting
I’m excited to announce the availability of a cloud-based, centralized reporting solution for Windows Server RRAS and Always On VPN from the folks at PowerON Platforms. Created by the folks that brought us the Dynamic Profile Configurator (DPC) solution for managing Always On VPN client configuration settings, PowerON Platforms’ new reporting solution allows administrators to aggregate configuration, performance, and user activity data from multiple individual RRAS servers across their organization.
Important! I’ll be joining the folks at PowerON Platforms for a webinar on Thursday, January 18 to introduce and demonstrate this new Always On VPN reporting solution. Register now!
Summary View
The Summary view page provides a consolidated high-level look at the environment’s health status and capacity of VPN servers. Administrators can quickly see if any servers are unhealthy and view current usage details to assess the capacity of the deployment.
Server Overview
The Server Overview page provides a more detailed look at individual server health status and configuration. Here, you’ll find information about the number of active and available connections and the TLS certificate status. In addition, you’ll find detailed information about provisioned CPU and RAM, disk space utilization, and system uptime. You will also see information about the size of the reporting database on disk and the number of IKEv2 and SSTP VPN ports provisioned.
VPN Server Configuration
The VPN Server Configuration page looks into the IP address pool configuration and current utilization. In addition, this page provides an in-depth look at the VPN server TLS certificate health status. Currently, configured authentication and accounting servers are also shown.
Server Performance
The Server Performance page shows granular details about resource utilization on RRAS servers. This includes CPU and memory utilization, disk space usage, and database size. Administrators can view aggregated data or select individual servers. The view can be further customized by filtering by date.
Connection History
The Connection History page details concurrent connections observed on all VPN servers. Data can be filtered by date, individual server, and user or device name.
Client Distribution
The Client Distribution page provides an intuitive graphical display of client activity by server and tunnel type. In addition, it includes details about usage by individual clients and the number of connections made by individual endpoints.
Connection Detail
The Connection Detail page allows administrators to view user activity across all servers in the organization. Once again, data can be filtered by date, individual server, and user or device name. This view provides granular details on user activity, enabling the administrator to drill down to view specific resources accessed over the VPN for individual sessions.
Data Flow
The Data Flow page displays information about data transfer through the VPN server.
Summary
The Always On VPN cloud-based centralized reporting solution for Microsoft Always On VPN by PowerON Platforms is sure to be helpful for organizations managing distributed RRAS server deployments. The reporting solution aggregates data from all RRAS servers in the enterprise, providing a holistic view of configuration, health status, and user activity in one management console. This consolidated visibility is crucial for capacity planning and configuration maintenance, making the identification of performance bottlenecks or misconfigured servers easy. Also, the ability to view certificate expiration status for all servers in the organization is sure to prevent outages. Security administrators will find the solution helpful for forensic reporting and to identify sources of data leakage and exfiltration.
Are you interested in learning more about PowerON Platforms Always On VPN reporting? Would you like an interactive solution demonstration or an evaluation license to trial the product in your environment? Fill out the form below, and I’ll contact you with more details.
