Always On VPN and SQL Target Principal Name Incorrect

Microsoft Always On VPN provides seamless and transparent remote access to corporate applications and data. In most cases, accessing resources over the VPN works the same as on-premises. However, a few folks have asked recently about an issue they found when using the SQL Server Management Studio (SMSS) to connect to a remote SQL server over Always On VPN.

Principal Name Incorrect

Administrators may encounter the following error message when using SMSS to connect to Microsoft SQL servers over an Always On VPN connection.

“The target principal name is incorrect. Cannot generate SSPI context. (Microsoft SQL Server)”

Resolution

There are a few different ways to resolve this issue. Choose the option that works best in your environment.

VPN Configuration

For Always On VPN deployments with Windows 11 24H2 and later clients, add the following setting to your XML configuration file.

<UseRasCredentials>false</UseRasCredentials>

For clients older than Windows 11 24H2, you must edit the rasphone.pbk file setting as follows.

UseRasCredentials=0

Group Policy

Optionally, a Group Policy Object (GPO) can be created and applied to target endpoints. For testing, you can enable this setting using the local group policy editor (gpedit.msc). Using either method, enable the following group policy setting.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Do not allow storage of passwords and credentials for network authentication = Enabled

Registry Editor

This method can be used for local testing. Open the Windows Registry Editor (regedit.exe) on a test client and create the following entry.

Key = HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Name = DisableDomainCreds
Type = DWORD
Value = 1

PowerShell

The following PowerShell command will also create the required registry entry. Administrators can run the command interactively or deploy it via automation.

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Lsa’ -Name DisableDomainCreds -Value 1

Additional Information

Always On VPN Short Name Access Failure

Always On VPN and Entra Conditional Access

Microsoft recently introduced Entra Private Access, an identity-centric Zero Trust Network Access (ZTNA) solution to provide secure remote access to on-premises resources. With Entra Private Access, administrators can leverage Entra Conditional Access to enforce policy-based access control for network access. However, Entra Private Access isn’t for everyone. It does not provide full feature parity with Always On VPN, and there are also licensing considerations. However, for those organizations using Always On VPN, the good news is that you can integrate Entra Conditional Access with Always On VPN today to gain some of the security benefits it provides.

Conditional Access

Microsoft Entra Conditional Access is a security feature that enables administrators to create and enforce policies that specify how users can access resources. In the specific case of Always On VPN, conditional access is critical to ensuring legitimate access to authenticated users on authorized devices.

Signals

Conditional access policies use a wide variety of signals for policy enforcement, such as:

  • User Identity: Who is making this access request?
  • User Properties: Is this user a member of a specific group?
  • Location: Where is this access request originating?
  • Device Management: Is this device joined to Entra ID?
  • Device State: Is this device compliant with security policies?
  • Device Platform: Is this a Windows device?
  • Risk Level: Is this login considered risky?

Access Control

Based on these signals, administrators can design a conditional access policy to enforce granular access control, such as:

  • Grant access only from managed devices
  • Deny access from untrusted locations
  • Require additional context-based authentication (e.g., multifactor authentication)
  • Enforce specific authentication types (e.g., phishing-resistant credentials)
  • Allow access only from specific device platforms (e.g., Windows only)
  • Require Entra hybrid-joined device
  • Block access when a device is not compliant with security policies

Always On VPN

Entra Conditional Access works with Always On VPN by issuing a special, short-lived user authentication certificate once the user has been authorized. The Always On VPN infrastructure can be configured to use this certificate to grant access to the VPN. Integrating conditional access with Always On VPN can significantly improve the security posture of organizations using this feature.

More To Come

My next post will provide detailed, prescriptive guidance for configuring Always On VPN to support Entra Conditional Access. Stay tuned!

Additional Information

Microsoft Entra Conditional Access Overview

Always On VPN Intermittent 13801 Error

Always On VPN error 13801 is common when establishing an IKEv2 VPN connection. Typically, the issue is related to a configuration error or a problem with certificate deployment. However, administrators may encounter the 13801, an IKE authentication error, intermittently. Configuration errors are binary. If there is a misconfiguration, IKEv2 never works at all. However, a configuration error seems unlikely since the connection works occasionally yet fails at other times.

Client Authentication

The minimum application policy (Enhanced Key Usage, or EKU) requirement for the device authentication certificate for IKEv2 is Client Authentication (1.3.6.1.5.5.7.3.2). When intermittent 13801 errors occur, administrators may find multiple certificates in the local computer certificate store with the Client Authentication EKU issued by different certificate authorities. Commonly, Intune-managed Windows devices may include several certificates with Client Authentication.

Certificate Selection

When Windows attempts to establish an Always On VPN IKEv2 connection, and there are multiple certificates in the local computer certificate with Client Authentication defined, Windows must choose one certificate to use for the connection. If Windows chooses incorrectly, you will receive the 13801 IKE authentication failure error. If Windows selects the right one, the connection succeeds.

Resolution

There are several ways to resolve this issue. The best way is to update the Always On VPN device authentication certificate to include the IP security IKE intermediate application policy (EKU). When Windows encounters multiple client authentication certificates in the local computer certificate store, it will prefer any certificate with the IP security IKE intermediate application policy for IKEv2 VPN connections. Including the IP security IKE intermediate application policy on the Always On VPN device authentication certificate ensures proper certificate selection when multiple client authentication certificates are present.

Note: This change must be made to the Intune certificate enrollment template when using Intune with PKCS or SCEP.

Certificate Template

To update an existing Always On VPN device authentication certificate to include the IP security IKE intermediate application policy, open the certificate templates management console (certtmpl.msc) and perform the following steps.

  1. Right-click the VPN device authentication certificate template and choose Properties.
  2. Select the Extensions tab.
  3. Click on Application Policies.
  4. Click Edit.
  5. Click Add.
  6. Select the IP security IKE intermediate application policy.
  7. Click Ok.
  8. Click Ok.
  9. Click Ok.

Once complete, any certificates issued after this change is applied will now include the IP security Ike intermediate application policy.

Force Renewal

Administrators may wish to update all certificates immediately rather than wait until they renew to receive the new setting. The course of action depends on how certificates are issued.

On-Premises

When issuing certificates using Active Directory Certificate Services (AD CS) on-premises, right-click the Always On VPN device authentication certificate template and choose Reenroll All Certificate Holders. This will force all domain-joined clients with Autoenroll permissions on the template to renew their certificate on their next enrollment cycle, regardless of the certificate’s lifetime.

Intune

Follow the steps below to force re-enrollment for all certificate holders when deploying certificates using Intune.

SCEP Add the IP Security IKE Intermediate application policy to the Intune VPN policy. After this change is applied, Intune will reenroll all endpoints.

PKCS – A new Intune device configuration policy must be created that includes the IP security IKE intermediate application policy. Assign the new policy and remove the old one to replace all certificates.

PowerShell

It’s also possible to resolve this issue using PowerShell. Administrators can use the Set-VpnConnection PowerShell cmdlet to select a certificate based on the root certification authority (CA) or a specific custom application policy defined on the Always On VPN device authentication certificate. Be sure to add the -AllUserConnection switch when working with the device tunnel.

Root CA

Open a PowerShell command window and run the following command.

$RootCA = Get-Child-Item -Path Cert:\LocalMachine\My\<thumbprint of root CA certificate>
Set-VpnConnection -Name <name of VPN profile> -MachineCertificateIssuerFilter $RootCA

Application Policy

Open a PowerShell command window and run the following command.

Set-VpnConnection -Name <name of VPN profile> -MachineCertificateEKUFilter <OID>

Note: When using a custom application policy Windows will return a warning message stating the EKU could not be validated. You can safely disregard this warning.

Intune Remediation

While running PowerShell commands locally might be helpful for troubleshooting and targeted evaluation testing, deploying settings via PowerShell at scale is challenging. For those organizations managing their devices using Microsoft Intune, I’ve published a few detection and remediation scripts on GitHub to perform these tasks.

Summary

The intermittent Always On VPN 13801 IKE authentication credentials are unacceptable error message is best resolved by updating the Always On VPN device authentication certificate to include the IP security IKE intermediate application policy (EKU). Although using PowerShell also works, it doesn’t scale effectively. SCCM or Intune remediations can help, but I’d encourage you to update the certificate template as best practice instead.

Additional Information

Troubleshooting Always On VPN Error 13801

Troubleshooting Always On VPN Error 13806

Troubleshooting Always On VPN Error 13868