All posts in category Security

Arizona Systems Management User Group March 2025

I’m excited to announce that I’ll be speaking at the Arizona Systems Management User Group (AZSMUG) at their next user group meeting on Friday, March 7, at 9:00 AM MST. I am presenting on the topic of Certificate Deployment Strategies with Microsoft Intune.

Intune and Certificates

My session at AZSMUG will provide an overview of issuing and managing certificates with Microsoft Intune. We’ll begin by examining common scenarios for certificate authentication and explore various delivery methods, including PKCS and SCEP. Additionally, we’ll discuss supporting technologies such as the Network Device Enrollment Service (NDES) and review deployment strategies and high availability options for the Intune Certificate Connector. The session will also cover Cloud PKI for Intune, integration with on-premises Active Directory, and best practices for securing certificate lifecycles and key management in enterprise environments.

Register Now

If you are in the Phoenix area and would like to attend the user group meeting on Friday, March 7, you will find the registration link here. Hope to see you there!

Additional Information

Arizona Systems Management User Group

Intune and Certificates Masterclass

Leave a comment
by Richard M. Hicks on February 14, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, ADCS, administration, authentication, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, Certificate-Based Authentication, certificates, cloud, Cloud PKI, Entra, Entra Certificate-Based Authentication, Event, InTune, Intune Certificate Connector, Intune PFX Connector, learning, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, NDES, Network Device Enrollment Service, Network Device Enrollment Services, network policy server, NPS, PFX Connector, PKCS, PKI, public key infrastructure, SCCM, SCEP, Security, Simple Certificate Enrollment Protocol, System Center Configuration Manager, systems management, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 14, 2025

https://directaccess.richardhicks.com/2025/02/14/arizona-systems-management-user-group-march-2025/

Always On VPN and SQL Target Principal Name Incorrect

Microsoft Always On VPN provides seamless and transparent remote access to corporate applications and data. In most cases, accessing resources over the VPN works the same as on-premises. However, a few folks have asked recently about an issue they found when using the SQL Server Management Studio (SMSS) to connect to a remote SQL server over Always On VPN.

Principal Name Incorrect

Administrators may encounter the following error message when using SMSS to connect to Microsoft SQL servers over an Always On VPN connection.

“The target principal name is incorrect. Cannot generate SSPI context. (Microsoft SQL Server)”

Resolution

There are a few different ways to resolve this issue. Choose the option that works best in your environment.

VPN Configuration

For Always On VPN deployments with Windows 11 24H2 and later clients, add the following setting to your XML configuration file.

<UseRasCredentials>false</UseRasCredentials>

For clients older than Windows 11 24H2, you must edit the rasphone.pbk file setting as follows.

UseRasCredentials=0

Group Policy

Optionally, a Group Policy Object (GPO) can be created and applied to target endpoints. For testing, you can enable this setting using the local group policy editor (gpedit.msc). Using either method, enable the following group policy setting.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Do not allow storage of passwords and credentials for network authentication = Enabled

Registry Editor

This method can be used for local testing. Open the Windows Registry Editor (regedit.exe) on a test client and create the following entry.

Key = HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Name = DisableDomainCreds
Type = DWORD
Value = 1

PowerShell

The following PowerShell command will also create the required registry entry. Administrators can run the command interactively or deploy it via automation.

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Lsa’ -Name DisableDomainCreds -Value 1

Additional Information

Always On VPN Short Name Access Failure

1 Comment
by Richard M. Hicks on February 13, 2025  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, Certificate Authentication, Deployment, Device Management, Enterprise, enterprise mobility, Group Policy, InTune, Kerberos, Microsoft, Microsoft Intune, Mobile Device Management, Mobility, Operational Support, PowerShell, ProfileXML, Remote Access, Remote Administration, RSAT, Security, SMSS, SQL, SQL Server, SQL Server Management Studio, troubleshooting, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 13, 2025

https://directaccess.richardhicks.com/2025/02/13/always-on-vpn-and-sql-target-principal-name-incorrect/

Always On VPN Security Updates February 2025

After a few months without any security updates directly affecting Microsoft Always On VPN administrators, the February 2025 security updates include fixes for two vulnerabilities in Windows Server Routing and Remote Access Service (RRAS) servers, commonly deployed to support Always On VPN.

RRAS Updates

This month’s updates for Windows Server RRAS cover the following publicly announced CVEs.

Importance

Both updates are for heap-based buffer overflow Remote Code Execution (RCE) vulnerabilities. These vulnerabilities are rated as important and require user interaction to execute, making exploitation less likely.

KB5014754

Importantly, this month’s release enables full enforcement of strong certificate mapping on Windows domain controllers by default. Full enforcement for strong certificate mapping was first introduced with Microsoft security update KB5014754. I’ve written about this recently, so hopefully, everyone is prepared! If your Always On VPN connections begin to fail after applying the February 2025 security updates to your domain controllers, your certificates may not be strongly mapped. Fortunately, there’s a workaround. You can learn more here.

Additional Information

Microsoft February 2025 Security Updates

Strong Certificate Mapping Enforcement February 2025

KB5014754 Certificate-based Authentication Changes on Windows Domain Controllers

Leave a comment
by Richard M. Hicks on February 11, 2025  •  Permalink
Posted in Always On VPN, AOVPN, Microsoft, routing and remote access service, RRAS, Security, Security Update, Update, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , ,

Posted by Richard M. Hicks on February 11, 2025

https://directaccess.richardhicks.com/2025/02/11/always-on-vpn-security-updates-february-2025/

« Older Posts
Newer Posts »