All posts tagged ADCS

Enable TLS in Microsoft SQL Server 2022

In a recent post, I described some of the security benefits of using Transport Layer Security (TLS) with Microsoft SQL Server. Configuration changes are required to take full advantage of these capabilities. By default, SQL Server uses an unmanaged, self-signed certificate, which provides little security value. The best practice is to use a certificate issued by the organization’s enterprise PKI. In this guide, I’ll demonstrate how to prepare and deploy a certificate template for SQL server using Active Directory Certificate Services (AD CS), enroll for the certificate, and configure SQL server to use the new certificate for TLS connections.

Note: I have recorded a video demonstration for enabling TLS in Microsoft SQL Server 2022 on my YouTube channel here. Enjoy!

Certificate Requirements

The minimum recommended requirements for a TLS certificate for SQL Server 2022 are:

  • Subject Name = Server’s fully qualified domain name or the alias name of the cluster
  • 2048-bit RSA key with SHA256
  • Server Authentication EKU (1.3.6.1.5.5.7.3.1)

Certificate Template

Administrators must prepare a certificate template in Active Directory (AD) adhering to the requirements listed above. On an issuing certification authority (CA) or an administrative workstation with the Remote Server Administration Tools (RSAT) installed, open the Certificate Templates management console (certtmpl.msc) and perform the following steps.

  1. Right-click the default Web Server template and choose Duplicate Template.
  2. Select the Compatibility tab.
    1. In the Compatibility Settings section, select the latest version of Windows Server supported by your issuing CA servers from the Certification Authority drop-down list.
    1. Select Windows 10/Windows Server 2016 from the Certificate recipient drop-down list.
  3. Select the General tab.
    1. Enter a descriptive name in the Template display name field.
    1. Select a validity period of 1 year with a renewal period of 6 weeks.
  4. Select the Cryptography tab.
    1. Select Key Storage Provider from the Provider Category drop-down list.
    1. Select RSA from the Algorithm name drop-down list.
    1. Enter 2048 in the Minimum key size field.
    1. Select SHA256 from the Request hash drop-down list.
  5. Select the Issuance Requirements tab.
    1. Check the box next to CA certificate manager approval.
  6. Select the Subject Name tab.
    1. Select Supply in the request.
  7. Select the Extensions tab.
    1. Select Application Policies.
    1. Ensure that Server Authentication is the only application policy listed.
  8. Select the Security tab.
    1. Click Add.
    1. Grant Read and Enroll permissions to the SQL Server security group or the SQL server’s computer account.
    1. Ensure no other users/groups have enroll permission.

Once complete, publish the certificate template on all issuing CA servers in the organization.

Enroll Certificate

The certificate enrollment process involves several steps.

Request Certificate

To enroll for a new TLS certificate, open the computer certificate management console (certlm.msc) on the SQL server and perform the following steps.

  1. Right-click on the Personal folder and choose All Tasks > Request New Certificate.
  2. Click Next.
  3. Click Next.
  4. Check the box next to the SQL server certificate template.
  5. Click the More information is required to enroll for this certificate. Click here to configure settings link.
  6. Select the Subject tab.
  7. In the Subject Name section, select Common Name from the Type drop-down list.
  8. Enter the SQL server’s fully qualified domain name (FQDN) or the alias name of the SQL cluster in the Value field.
  9. Click Add.
  10. In the Alternative name section, select DNS from the Type drop-down list.
  11. Enter the SQL server’s fully qualified domain name (FQDN) or the alias name of the SQL cluster in the Value field.
  12. Click Add.
  13. [OPTIONAL] Enter the SQL server’s single-label hostname in the Value field.

Note: Adding the single-label hostname to the Subject Alternative Name list allows administrators or applications to connect to the SQL server using its short name (NetBIOS name) without resulting in a subject name mismatch error.

  1. Click Add.
  2. Click Ok.
  3. Click Enroll. The status should indicate that enrollment is pending.
  4. Click Finish.

Approve Certificate

Once the certificate request is made, the request must now be approved. On an issuing certification authority (CA), or an administrative workstation with the Remote Server Administration Tools (RSAT) installed, open the Certification Authority management console (certsrv.msc) and perform the following steps.

  1. Expand the CA.
  2. Select Pending Requests.
  3. Note the request ID for the pending request. After approval, the request ID will be required later to retrieve the certificate.
  4. Right-click the pending request and choose All Tasks > Issue.

Important Note: I am performing the above tasks in a test lab environment. On a properly configured CA in a production environment, the requestor should not be able to approve their own request. In your environment, you may need to request that a CA administrator review and approve your request.

Install Certificate

Once the certificate has been approved and issued, open an elevated PowerShell or command window on the SQL server and perform the following steps.

  1. Enter certreq.exe -retrieve <request ID>.
  2. Select the CA where the certificate was issued.
  3. Click Ok.
  4. Select a location and enter a name for the file in the File name field.
  5. Click Save.
  6. Enter certreq.exe -accept <path to certificate file>.

Configure Certificate

Once the certificate has been enrolled on the SQL server, expand Personal > Certificates and refresh the view to confirm certificate enrollment. Next, perform the following steps.

  1. Right-click the SQL server certificate and choose All Tasks > Manage Private Keys.
  2. Click Add.
  3. Enter the name of the SQL server domain service account and click Check Names.
  4. If using the default SQL server service account, perform the following steps.
    1. Click on Locations.
      1. Select the local server.
      1. Click Ok.
      1. Enter NT Service\MSSQLSERVER and click Check Names.
  5. Click Ok.
  6. Uncheck Full control. The only permission required is Read.
  7. Click Ok.

SQL Configuration

Next, the new certificate must be assigned to the SQL Server service. Open the SQL Server Configuration Manager (sqlservermanager16.msc) and perform the following steps.

  1. Expand SQL Server Network Configuration.
  2. Right-click Protocols for MSSQLSERVER and choose Properties.
  3. Select the Certificate tab.
    1. Select the new certificate from the Certificate drop-down list.
  4. Select the Flags tab.
    1. Select Yes next to Force Strict Encryption.
  5. Click Ok.

Restart the SQL Server service for the changes to take effect.

Important Note: Selecting Force Strict Encryption will force encryption and certificate validation for all clients connecting to the SQL server. It will override any settings to bypass encryption or certificate checks. Force Strict Encryption may not be compatible with older applications or drivers. Please test thoroughly before enabling this setting.

Video

I’ve published a demonstration video for configuring TLS on Microsoft SQL Server 2022 on YouTube. You can find the video here.

Summary

After completing the configuration steps above, administrators can be assured that all communication between clients and the SQL server is fully protected with TLS using modern cryptography and their enterprise-managed certificate. With TLS enabled for SQL server communication, security is enhanced by encrypting data in transit, ensuring authentication, and protecting sensitive information from interception. In addition, this configuration helps meet compliance requirements.

Additional Information

TLS and Microsoft SQL Server 2022

Always On VPN and SQL Target Principal Name Incorrect

Leave a comment
by Richard M. Hicks on March 3, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, ADCS, administration, authentication, Certificate Authentication, Certificate Authority, Certificate Services, certificates, Compliance, Cryptography, Encryption, Enterprise, Infrastructure, Microsoft, Operational Support, PKI, public key infrastructure, Security, SQL, SQL Server, SQL Server 2022, SQL Server Management Studio, SSL, SSL and TLS, SSMS, TLS, Transport Layer Security, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 3, 2025

https://directaccess.richardhicks.com/2025/03/03/enable-tls-in-microsoft-sql-server-2022/

Managed Certificates for Remote Desktop Protocol

The Remote Desktop Protocol (RDP) is arguably the most widely used protocol for Windows remote server administration. RDP uses Transport Layer Security (TLS) for server authentication, data encryption, and integrity. However, the default configuration of TLS for RDP in Windows is less than ideal.

RDP Self-Signed Certificate

By default, RDP uses a self-signed certificate for TLS operations. TLS with self-signed certificates is a bad security practice because they are not validated by a trusted certificate authority (CA), making it impossible for clients to verify the authenticity of the server they are connecting to, which can lead to interception attacks.

Certificate Warning

Most administrators have encountered a warning error when connecting to a remote host via RDP using a self-signed RDP certificate.

“The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.”

Nmap

You can view the default self-signed certificate with the Nmap utility by running the following command.

nmap.exe -n -p 3389 <hostname> –script ssl-cert

Managed Certificates

A better solution for RDP TLS is to use managed certificates issued by an enterprise Public Key Infrastructure (PKI) such as Microsoft Active Directory Certificate Services (AD CS). AD CS is widely deployed in AD domain environments and can be configured to issue certificates for RDP TLS.

AD CS

To configure AD CS to issue RDP certificates, perform the following steps.

Certificate Template

On an issuing CA or an administrative workstation with the Remote Server Administration Tools (RSAT) installed, open the Certificate Templates management console (certtmpl.msc) and perform the following steps.

*My apologies for the list numbering format issues below. Microsoft Word and WordPress can’t seem to agree on the list format. Hopefully, you can figure it out, though. 🙂

  1. Right-click the Workstation Authentication template and choose Duplicate Template.
  2. Select the Compatibility tab.
    1. Select the operating system (OS) version corresponding to the oldest OS hosting the issuing CA role in your environment from the Certification Authority drop-down list.
    1. Select the OS version corresponding to your environment’s oldest supported server or client OS from the Certificate recipient drop-down list.
  3. Select the General tab.
    1. Enter a descriptive name in the Template display name field.
    1. Select an appropriate validity period for your environment. The best practice is to limit the validity period to one year or less.
  4. Select the Cryptography tab.
    1. From the Provider Category drop-down list, choose Key Storage Provider.
    1. From the Algorithm name drop-down list, choose RSA.
    1. In the Minimum key size field, enter 2048.
    1. From the Request hash drop-down list, choose SHA256.
  5. Select the Subject Name tab.
    1. From the Subject name format drop-down list, select DNS name.
    1. Ensure that DNS name is also checked in the subject alternate name section.
  6. Select the Extensions tab.
    1. Click on Application Policies.
    1. Click Edit.
    1. Select Client Authentication.
    1. Click Remove.
    1. Click Add.
    1. Click New.
    1. Enter Remote Desktop Authentication in the Name field.
    1. Enter 1.3.6.1.4.1.311.54.1.2 in the Object identifier field.
    1. Click Ok.
    1. Select Remote Desktop Authentication.
    1. Click Ok.
  7. Select the Security tab.
    1. Click Domain Computers.
    1. Grant the Read and Enroll permissions.
  8. Click Ok.

Next, open the Certification Authority management console (certsrv.msc) and follow the steps below to publish the certificate.

  1. Expand the CA.
  2. Right-click Certificate Templates and choose New > Certificate Template to Issue.
  3. Select the Remote Desktop Authentication certificate template.
  4. Click Ok.

Group Policy

Next, on a domain controller or a workstation with the RSAT tools installed, open the Group Policy Management console (gmpc.msc) and perform the following steps to create a new GPO to enroll domain computers for the Remote Desktop Authentication certificate

  1. Right-click Group Policy Objects and choose New.
  2. Enter a descriptive name for the GPO in the Name field.
  3. Click Ok.
  4. Right-click the GPO and choose Edit.
  5. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
  6. Double-click Server authentication certificate template.
  7. Select Enabled.
  8. Enter the name of the Remote Desktop Authentication certificate template in the Certificate Template Name field. Note: Be sure to enter the template name, not the template display name!
  9. Click Ok.

Once complete, link the GPO to the domain or OU to target the servers and workstations to which you wish to deploy the RDP certificate.

Validate Certificate

After updating group policy on a target resource, you’ll find that Nmap now shows the enterprise PKI-issued certificate used for RDP connections.

Additional Information

Understanding the Remote Desktop Protocol (RDP)

4 Comments
by Richard M. Hicks on February 20, 2025  •  Permalink
Posted in Active Directory Certificate Services, AD CS, ADCS, administration, authentication, Certificate Authority, Certificate Services, certificates, Device Management, Enterprise, enterprise mobility, Microsoft, Mobility, Operational Support, public key infrastructure, RDP, Remote Access, Remote Administration, Remote Desktop Protocol, Security, Transport Layer Security, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 20, 2025

https://directaccess.richardhicks.com/2025/02/20/managed-certificates-for-remote-desktop-protocol/

Always On VPN Intermittent 13801 Error

Always On VPN error 13801 is common when establishing an IKEv2 VPN connection. Typically, the issue is related to a configuration error or a problem with certificate deployment. However, administrators may encounter the 13801, an IKE authentication error, intermittently. Configuration errors are binary. If there is a misconfiguration, IKEv2 never works at all. However, a configuration error seems unlikely since the connection works occasionally yet fails at other times.

Client Authentication

The minimum application policy (Enhanced Key Usage, or EKU) requirement for the device authentication certificate for IKEv2 is Client Authentication (1.3.6.1.5.5.7.3.2). When intermittent 13801 errors occur, administrators may find multiple certificates in the local computer certificate store with the Client Authentication EKU issued by different certificate authorities. Commonly, Intune-managed Windows devices may include several certificates with Client Authentication.

Certificate Selection

When Windows attempts to establish an Always On VPN IKEv2 connection, and there are multiple certificates in the local computer certificate with Client Authentication defined, Windows must choose one certificate to use for the connection. If Windows chooses incorrectly, you will receive the 13801 IKE authentication failure error. If Windows selects the right one, the connection succeeds.

Resolution

There are several ways to resolve this issue. The best way is to update the Always On VPN device authentication certificate to include the IP security IKE intermediate application policy (EKU). When Windows encounters multiple client authentication certificates in the local computer certificate store, it will prefer any certificate with the IP security IKE intermediate application policy for IKEv2 VPN connections. Including the IP security IKE intermediate application policy on the Always On VPN device authentication certificate ensures proper certificate selection when multiple client authentication certificates are present.

Note: This change must be made to the Intune certificate enrollment template when using Intune with PKCS or SCEP.

Certificate Template

To update an existing Always On VPN device authentication certificate to include the IP security IKE intermediate application policy, open the certificate templates management console (certtmpl.msc) and perform the following steps.

  1. Right-click the VPN device authentication certificate template and choose Properties.
  2. Select the Extensions tab.
  3. Click on Application Policies.
  4. Click Edit.
  5. Click Add.
  6. Select the IP security IKE intermediate application policy.
  7. Click Ok.
  8. Click Ok.
  9. Click Ok.

Once complete, any certificates issued after this change is applied will now include the IP security Ike intermediate application policy.

Force Renewal

Administrators may wish to update all certificates immediately rather than wait until they renew to receive the new setting. The course of action depends on how certificates are issued.

On-Premises

When issuing certificates using Active Directory Certificate Services (AD CS) on-premises, right-click the Always On VPN device authentication certificate template and choose Reenroll All Certificate Holders. This will force all domain-joined clients with Autoenroll permissions on the template to renew their certificate on their next enrollment cycle, regardless of the certificate’s lifetime.

Intune

Follow the steps below to force re-enrollment for all certificate holders when deploying certificates using Intune.

SCEP Add the IP Security IKE Intermediate application policy to the Intune VPN policy. After this change is applied, Intune will reenroll all endpoints.

PKCS – A new Intune device configuration policy must be created that includes the IP security IKE intermediate application policy. Assign the new policy and remove the old one to replace all certificates.

PowerShell

It’s also possible to resolve this issue using PowerShell. Administrators can use the Set-VpnConnection PowerShell cmdlet to select a certificate based on the root certification authority (CA) or a specific custom application policy defined on the Always On VPN device authentication certificate. Be sure to add the -AllUserConnection switch when working with the device tunnel.

Root CA

Open a PowerShell command window and run the following command.

$RootCA = Get-Child-Item -Path Cert:\LocalMachine\My\<thumbprint of root CA certificate>
Set-VpnConnection -Name <name of VPN profile> -MachineCertificateIssuerFilter $RootCA

Application Policy

Open a PowerShell command window and run the following command.

Set-VpnConnection -Name <name of VPN profile> -MachineCertificateEKUFilter <OID>

Note: When using a custom application policy Windows will return a warning message stating the EKU could not be validated. You can safely disregard this warning.

Intune Remediation

While running PowerShell commands locally might be helpful for troubleshooting and targeted evaluation testing, deploying settings via PowerShell at scale is challenging. For those organizations managing their devices using Microsoft Intune, I’ve published a few detection and remediation scripts on GitHub to perform these tasks.

Summary

The intermittent Always On VPN 13801 IKE authentication credentials are unacceptable error message is best resolved by updating the Always On VPN device authentication certificate to include the IP security IKE intermediate application policy (EKU). Although using PowerShell also works, it doesn’t scale effectively. SCCM or Intune remediations can help, but I’d encourage you to update the certificate template as best practice instead.

Additional Information

Troubleshooting Always On VPN Error 13801

Troubleshooting Always On VPN Error 13806

Troubleshooting Always On VPN Error 13868

Leave a comment
by Richard M. Hicks on February 3, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, administration, Always On VPN, AOVPN, authentication, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, certificates, Deployment, device tunnel, Enterprise, enterprise mobility, IKEv2, Intune PFX Connector, Microsoft, Mobility, Operational Support, PFX Connector, PKCS, PKI, PowerShell, public key infrastructure, Remote Access, SCEP, Security, Simple Certificate Enrollment Protocol, systems management, troubleshooting, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 3, 2025

https://directaccess.richardhicks.com/2025/02/03/always-on-vpn-intermittent-13801-error/

« Older Posts