All posts tagged Azure

Always On VPN Short Name Access Failure

Using Microsoft Endpoint Manager (Intune), administrators can provision Always On VPN to devices that are Azure AD joined only. Users accessing on-premises resources from these devices can still use seamless single sign-on, making this deployment option popular for organizations moving to the cloud.

Short Names

After deploying Always On VPN to Windows 10 devices that are Azure AD joined only and configured to use client certificate authentication, administrators may find that users cannot access on-premises resources by their short name, such as \\app1. The connection fails and returns the following error message.

“Windows can’t find <servername/sharename>. Check the spelling and try again.”

FQDN

Interestingly, on-premises resources are accessible using their fully qualified domain name (FQDN), such as \\app1.corp.example.net.

Troubleshooting

Testing name resolution using the short name works as expected, and the resource is reachable at the network layer, as shown here.

Workaround

This issue is related to how Windows performs authentication when connected via VPN. To resolve this issue, edit the rasphone.pbk file and change the value of UseRasCredentials to 0. Rasphone.pbk can be found in the $env:AppData\Microsoft\Network\Connections\Pbk folder.

After updating this setting, restart the VPN connection for the change to take effect.

Proactive Remediations

While helpful for testing, editing rasphone.pbk manually obviously does not scale well. To address this, consider using Intune Proactive Remediations. Intune Proactive Remediations allows administrators to deploy detection and remediation PowerShell scripts to monitor specific settings and update them if or when they change. Proactive Remediations will ensure the setting is applied consistently across all managed endpoints.

GitHub Repository

I have created a new GitHub repository dedicated to PowerShell scripts for Endpoint Manager Proactive Remediations for Always On VPN. There you will find detection and remediation scripts for the UseRasCredentials settings change described in this article.

PowerShell

Administrators can also implement this setting by running the following PowerShell command.

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Lsa’ -Name DisableDomainCreds -Value 1

Group Policy

Another option for implementing this setting is by enabling the following Active Directory Group Policy setting.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Do not allow storage of passwords and credentials for network authentication

Additional Information

Always On VPN Endpoint Manager Proactive Remediation Scripts on GitHub

Endpoint Manager Proactive Remediations Tutorial

21 Comments
by Richard M. Hicks on September 20, 2021  •  Permalink
Posted in Always On VPN, AOVPN, authentication, Azure Active Directory, Azure AD, Azure AD Join, certificates, cloud, DNS, EAP, Endpoint Manager, Enterprise, enterprise mobility, extensible authentication protocol, GitHub, InTune, MEM, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobility, Name Resolution, Operational Support, PEAP, PowerShell, Protected EAP, public cloud, Remote Access, SCCM, System Center Configuration Manager, systems management, troubleshooting, user tunnel, VPN, Windows 10
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on September 20, 2021

https://directaccess.richardhicks.com/2021/09/20/always-on-vpn-short-name-access-failure/

Always On VPN Authentication Failure with Azure Conditional Access

Always On VPN Clients Prompted for Authentication when Accessing Internal Resources

Integrating Microsoft Azure Conditional Access with Windows 10 Always On VPN has several important benefits. The most important is that it allows administrators to improve their security posture by enforcing access polices that can be dynamically applied. For example, requiring multifactor authentication (MFA) for privileged users (e.g., administrators) or sign-ins that appear to be risky, the type of device they are connecting with, the health of the endpoint, and much more.

Authentication Failure

When configuring Always On VPN to support Azure Conditional Access, administrators may expeirence a failed authentication during preliminary testing. Specifically, an event ID 20227 from the RasClient source may be encountered with the following error message.

“The user <username> dialed a connection named <connection name> which has failed. The error code returned on failure is 812.”

Looking at the event logs on the Network Policy Server (NPS) server reveals an event ID 6273 from the Microsoft Windows security auditing source with Reason Code 258 and the following Reason.

“The revocation function was unable to check revocation for the certificate.”

Root Cause

When Azure Conditional Access is configured for Always On VPN, a short-lived certificate (1 hour lifetime) is provisioned by Azure. This certificate does not include revocation information because, by design, a short-lived certificate does not need to be revoked. However, by default NPS always checks revocation when client authentication certificates are used for authentication. Since the certificate does not include this information, certificate revocation fails.

Resolution

The way to resolve this issue is to disable certificate revocation checking for Protected Extensible Authentication Protocol (PEAP) authentication requests. To do this, open an elevated PowerShell window on the NPS server and run the following command.

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\’ -Name IgnoreNoRevocationCheck -PropertyType DWORD -Value 1 -Force

Once complete, restart the NPS server for the changes to take effect.

Additional Information

Windows 10 Always On VPN Network Policy Server (NPS) Load Balancing

Windows 10 Always On VPN Network Policy Server (NPS) Server 2019 Bug

24 Comments
by Richard M. Hicks on August 29, 2021  •  Permalink
Posted in Always On VPN, AOVPN, Azure, Azure Active Directory, Azure AD, Azure Conditional Access, Azure MFA, Azure VPN, Azure VPN Gateway, certificates, Conditional Access, EAP, Enterprise, enterprise mobility, HAADJ, Hybrid Azure AD Join, MFA, Mobility, Multifactor Authentiction, network policy server, NPS, Operational Support, PowerShell, Protected EAP, Remote Access, RRAS, user tunnel, VPN, Windows 10
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 29, 2021

https://directaccess.richardhicks.com/2021/08/29/always-on-vpn-authentication-failure-with-azure-conditional-access/

Always On VPN Device Tunnel and Custom Cryptography Native Support Now in Intune

Always On VPN Device Tunnel and Custom Cryptography Native Support Now in IntuneMicrosoft recently announced support for native Windows 10 Always On VPN device tunnel configuration in Intune. Previously administrators had to use the complicated and error-prone custom XML configuration to deploy the Windows 10 Always On VPN device tunnel to their clients. That is no longer required with this recent Intune update. In addition, administrators may now specify custom cryptography settings for IPsec Security Association (SA) parameters for IKEv2 for both device tunnel and user tunnel connections. This effectively eliminates the requirement to use custom ProfileXML for most deployment scenarios.

Device Tunnel Configuration in Intune

Follow the steps below to configure and deploy a Windows 10 Always On VPN device tunnel using the native Intune user interface.

Create Profile

1. Open the Microsoft Endpoint Manager admin center (devicemanagement.microsoft.com).
2. Navigate to Devices > Configuration Policies.
3. Click Create profile.
4. Choose Windows 10 and later from the Platform drop-down list.
5. Choose VPN from the Profile drop-down list.
6. Click Create.

Profile Settings

Proceed with the profile configuration as you would normally, providing the VPN connection name, VPN server name(s), and choosing the option to register IP addresses with internal DNS. Next use the following steps to define a device tunnel connection and specify custom cryptography for IPsec SA parameters for IKEv2.

Configure a Device Tunnel

1. Select IKEv2 from the Connection type drop-down list.
2. Click Enable in the Always On section.
3. Select Machine Certificates from the Authentication method section.
4. If the computer certificate is provisioned using Intune, select the client authentication certificate (not required if the computer certificate is provisioned using on-premises Active Directory).
5. Click Enable in the Device Tunnel section.

Define Custom Cryptography

Follow the steps below to implement minimum security baseline cryptography settings for IKEv2.

IKE Security Association Parameters

1. Select AES-128 from the Encryption algorithm drop-down list.
2. Select SHA2-256 from the Integrity check algorithm drop-down list.
3. Select 14 from the Diffie-Hellman group drop-down list.

Child Security Association Parameters

1. Select CBC-AES-128 from the Cipher transform algorithm drop-down list.
2. Select HMAC-SHA256-128 from the Authentication transform algorithm drop-down list.
3. Select 14 from the Perfect forward secrecy (pfs) group drop-down list.

Always On VPN Device Tunnel and Custom Cryptography Native Support Now in Intune

Important Note: The IPsec security association parameters outlined above are the minimum recommend security baseline for IKEv2 and are compatible with all supported versions of Windows Server RRAS. It is recommended that authenticated cipher suites (GCM) be used whenever possible. However, GCM ciphers are not supported for encryption prior to Window Server 1803. Administrators should review these security settings and adjust the parameters to meet their specific security requirements.

Server Configuration

When defining custom cryptography settings for IKEv2 for device tunnel deployment, it is critical that the server be configured using identical parameters. Failure to use matching cryptography settings on the client and server will result in error code 13868, which indicates an IPsec policy mismatch.

A PowerShell script to configure IKEv2 security association parameter minimum security baselines on the RRAS server as outlined above can be found here. The commands to make these changes on the Azure VPN gateway can be found in this post.

Caveats

While Microsoft has made great strides to ensure better support for Always On VPN configuration using the native Intune UI, there are a few critical settings are still not supported. In these scenarios the administrator must deploy Always On VPN using custom XML, as described here and here.

Custom Cryptography

IKEv2 custom cryptography settings are only exposed when IKEv2 is selected as the connection type. It appears that defining custom cryptography settings for IKEv2 when the connection type is set to Automatic is not supported at this time. If you wish to specify the Automatic connection type and use custom cryptography settings for IKEv2 you will need to deploy the device tunnel using custom ProfileXML.

IPv6

IPv6 routing when configuring split tunneling for Always On VPN in Intune is not supported.

Always On VPN Device Tunnel and Custom Cryptography Native Support Now in Intune

Additional Information

Windows 10 Always On VPN Policy Mismatch Error

Windows 10 Always On VPN Device Tunnel with Azure VPN Gateway

Windows 10 Always On VPN IKEv2 Load Balancing and NAT

Windows 10 Always On VPN IKEv2 Fragmentation

Windows 10 Always On VPN IKEv2 Security Configuration

17 Comments
by Richard M. Hicks on July 27, 2020  •  Permalink
Posted in Always On VPN, AOVPN, cloud, Device Management, device tunnel, Enterprise, enterprise mobility, IKEv2, Manage Out, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobility, public cloud, Remote Access, Security, systems management, VPN, Windows 10
Tagged , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on July 27, 2020

https://directaccess.richardhicks.com/2020/07/27/always-on-vpn-device-tunnel-and-custom-cryptography-native-support-now-in-intune/

« Older Posts
Newer Posts »