Awards
Consulting
Newsletter
Subscribe today!
Connect
- Facebook
- Twitter
- LinkedIn
- YouTube
- GitHub
- Tumblr
My Tweets
RSS Feed
- RSS - Posts
- RSS - Comments
Archives
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- April 2021
- March 2021
- January 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- October 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- November 2014
- October 2014
- September 2014
- August 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- July 2012
- June 2012
- May 2012
- April 2012
Categories
Tag Cloud
0x2af9 0x274c 0x800b0101 0x800b0109 0x80090326 2FA 6to4 691 809 812 853 864 892 1803 1809 2012 R2 13801 13806 13868 20227 A10 access access denied ACL Activation active/passive Active Directory Active Directory Certificate Services active directory domain services AD ADC AD CS AD DS administration administrator advertise default route always on Always On VPN Always On VPN. VPN Always On VPN book Always On VPN device tunnel Amazon amazon.com Amazon Web Services anniversary update AOVPN aovpn Always On VPN aovpn book appliance application deliver controller application delivery application delivery controller Application Filter application policy Apress Apress Media ARP assurance attack attack surface audit authentication authenticity automation autopilot availability award AWS Azure Azure AD Azure AD Join Azure Application Gateway Azure Conditional Access Azure infrastructure Azure Load Balancer Azure MFA Azure Traffic Manager Azure Virtual WAN Azure VPN Azure VPN Gateway backup Belgium best practice best practice analyzer best practices BIG-IP BIGIP biometric Bomgar book BPA bug business BYOD CA ccertificate CDN certificate certificate 6to4 certificate authentication certificate authority certificate expiration certificate revocation certificate revocation list certificates certificate selection certificate server certificate template Certification Authority CERT_E_EXPIRED Checkpoint Check Point CIDR cipher cipher suite cipher suites Cisco Cisco Umbrella Citrix Citrix ADC Citrix NetScaler class-based default route class-based routing client client authentication client authentication certificate client deployment client operating system client provisioning clients cloud Cloudflare cloud infrastructure cluster clustering cmdlet CNG code codeplex command line Compliance component event log conditional access conference ConfigMgr configuration configuration error configuration manager Configuration Service Provider connect connected standby connecting connection failure connection status connectivity connectivity assistant consulting consulting services content filter control cookbook Core corporate resource COVID-19 CPU CRL CRL check cryptographic key cryptographic next generation cryptographic service provider cryptography CSP CSR custom cryptography custom IPsec policies custom IPsec policy custom policy DA database datacenter DCA DCA 2.0 DDoS decommission deep-packet inspection deep dive default route Dell demo demonstration denial of service deny access deployment deployment flexibility deployment guide deprecated deprecated feature design development Device Management device tunnel DFS DFS-R DHCP diagnostic log Direct Access DirectAccess DirectAccess. remote access DirectAccess 2012 DirectAccess 2012 R2 DirectAccess alternative DirectAccess alternatives DirectAccess Book DirectAccess clients DirectAccess Connectivity Assistant DirectAccess Deprecated DirectAccess End of Life DirectAccess EOL DirectAccess troubleshooting disaster recovery disconnect distributed file service DMZ DNAT DNS DNS64 DNS registration DNS suffix document management domain domain controller DomainNameInformation DoS DoS Protection Mode DPI DR drinks DTE Dual NIC dynamic password EAP EAP-TLS EC EC2 ECC ECDHE ECDSA education EKU elastic compute cloud elastic IP ELB elliptical curve elliptic curve cryptography. cryptography encapsulation encryption end of life endpoint management endpoint manager enhanced key usage enterprise enterprise edition enterprise mobility Enterprise Networking Enterprise Networking Magazine enterprise VPN entry point EOL error error 0x800b0101 error 619 error 691 error 801 error 809 error 829 Error 853 error 864 error 13806 error 13868 error code error code 809 error code 853 error code 858 error message ERROR_IPSEC_IKE_AUTH_FAIL ERROR_IPSEC_IKE_NO_CERTIFICATE ESTS_TOKEN_ERROR Europe event event ID 6 event ID 1000 event ID 7024 Event ID 20227 event log event viewer exception exceptions Exchange 2013 Exchange OWA Exchange OWA 2010 exclusion route exclusions expired certificate explorer export extensible authentication protocol external load balancer F5 F5 BIG-IP F5 Local Traffic Manager F5 LTM failover failure fallback feature file explorer file replication service file share financial FIPS firewall fix Florida force tunnel force tunneling Forefront Forefront TMG Forefront TMG 2010 Forefront UAG Forefront UAG 2010 Forefront UAG 2010 SP3 Forefront UAG 2010 SP4 Forefront UAG SP3 Forefront Unified Access Gateway formatting Fortinet FQDN fragmentation FRS full NAT Fully Qualified Domain Name future GCM GEO geographic redundancy getting started wizard GitHub Global Protect GlobalProtect global server load balancer Global Server Load Balancing GoToMyPC government GPMC GPO graphical user interface group membership group policy group policy object group policy preferences GSLB GSW GUI guidance guide happy hour hardening hardware load balancer hardware security module hashing health check hibernate high availability hostname hotfix hotfix rollup HP HSM HTTP http.sys HTTPS Hybrid Azure AD Join hybrid cloud Hyper-V hypervisor IaaS ICMP ICMPv6 Ignite Ignite conference IIS IKE IKE authentication credentials are unacceptable ikeext IKE failed to find a valid machine certificate IKEv2 IKEv2 fragmentation iManage iManage Work implementation implementing import Important Links index infrastructure infrastructure as a service insider preview installation integration integrity Internet Internet Information Services Internet Key Exchange Internet Key Exchange version 2 Internet Key Exchange version 2 (IKEv2) interview intrasite automatic tunnel addressing protocol InTune Intune certificate connector Intune Proactive Remediation inutne IP IP-HTTPS ipad IPHTTPS IPsec IPsec SA IPv4 IPv6 IPv6 transition IPv6 transition protocol IPv6 transition technologies IPv6 transition technology IPv6 transition tunnel IPv6 translation Iron Networks iRule ISATAP issue issuing CA issuing certification authority IT/Devconnections Kemp Kemp Load Balancer Kemp Load Master Kemp LoadMaster Kemp LoadMaster Load Balancer Kemp Technologies kerberos Kerberos proxy key storage provider KMS KMS activation known issue k security KSP L2TP L2TP/IPsec L7 Las Vegas layer 7 learn learning LMOS load balancer load balancing LoadMaster LoadMaster Load Balancer local traffic manager Lockdown Lockdown mode log log collection log file logging Logjam LogMeIn LTM M365 MAK malware management management pack Manage Out managing maximum transmission unit MDM MDX media disconnected meeting MEM MEMCM MFA Microsoft Microsoft 365 Microsoft Always On VPN Microsoft Azure Microsoft DirectAccess Microsoft Endpoint Manager Microsoft Ignite Microsoft Ignite conference Microsoft Intune Microsoft Most Valuable Professional Microsoft MVP Microsoft Office Microsoft Outlook Microsoft Surface Microsoft Surface Pro Microsoft Surface Pro 4 Microsoft Surface RT Microsoft System Center Microsoft System Center 2012 Microsoft TechDays Belgium 2013 Microsoft TechEd Microsoft TechEd 2013 Microsoft TechEd Europe 2013 Microsoft TechEd North America 2013 Microsoft VPN Microsoft Windows minimal server interface minimize network connections missing route mitigation mobile mobile device Mobile Device Management Mobility monitor monitoring MSCHAPv2 MTU multi-factor authentication multi-SAN multi-SAN certificate multi-site multicast multifactor authentication multihome multihomed multinetworking multisite multisite DirectAccess MVP NAC name resolution name resolution policy table namespace namespace proxy NAP NAT NAT64 NCA ncasvc NCSI NDES NDES connector NetMotion NetMotion Mobility NetMotion Software Netscaler netsh netsh.exe network Network Access Control Network Access Protection network adapter network address translation network administration network connectivity assistant network connectivity status indicator Network Device Enrollment Service Networking network interface network load balancer network load balancing network location server network policy network policy server Network Policy Server. powerhsell network prefix network security group network virtual appliance network virtualization Nevada next generation firewall NGFW NIC NLB NLS nmap Notes Notes Novell November Update NPS NPS Extension for Azure MFA NRPT NSG NSlookup NTAuth NTAuth Store null cipher null cipher suites NULL encryption NVA OCSP ODJ OEM Office office 365 offline offline domain join offload offloading OID OMA OMA-DM OMA-URI one-time password one-time passwords online responder OpenDNS open source openssl operating system Operational Support operations Operations Manager Ops Manager Orlando OS OTP Outlook PAC PAC file packet capture Packt Publishing PAL Palo Alto Palo Alto Networks partnership path MTU PC PEAP perfmon performance performance IPv6 performance monitor perimeter perimeter network persistence persistence profile persistency group Petri PFE PKI plug-in Pluralsight podcast point-to-site point-to-site connection point-to-site VPN PointSharp PointSharp ID policy policy mismatch POODLE portal portproxy PowerShell PowerShell remoting PPTP pre-order preauthentication prefix preorder prerequisites preview privacy private key Proactive Remediation Proactive Remediations probe productivity professional professional services ProfileXML ProfileXML. Intune protected extensible authentication protocol protection protocol provisioning proxy proxy autoconfiguration proxy server proxy settings psexec public certificate public cloud public key cryptography public key infrastructure public resolver public sector publishing publish route Pulse Secure purpose-built VPN putty QA QoS Quad9 Quad9 DNS Qualys Qualys SSL Labs RA RADIUS ransomware RAS rascient RasClient RasClient 20226 rasclient error 858 rasdial rasman rasmans.dll rasphone RasSstp RDC RDP RDS real server real server check method RealStuff Recommended Reading Redmond redundancy redundnacy reference registry remediation Remote Access remote access IPv6 remote access service remote access VPN remote assistance remote desktop remote desktop connection remote desktop services remote management remote PowerShell remote server administration tools remove remtoe access reporting resolver retail retired revocation revocation check risk roadmap rollup root CA root certificate RootCertificateNameToAccept root certification authority round robin DNS route router routes route table routing Routing and Remote Access Routing and Remote Acc ess Service routing and remote access service routing table RRAS RSA RSAT RunAs Radio SA SAN Satya Nadella scalability SCCM SCCM remote control SCEP schannel school script scripting script package scripts SDX Secure Socket Tunneling Protocol security security advisory security association security group security update selective tunneling self-service password reset self-signed certificates Server Server 2012 Server 2012 Core Server 2012 DirectAccess Server 2012 R2 server authentication Server Core server operating system service account service group service pack session SharePoint SharePoint 2010 SharePoint 2013 signing Simple Certificate Enrollment Protocol simplified deployment single NIC single sign-on site-to-site to VPN site-to-site VPN SKU Skype Skype for Business sleep smart card smart card logon SMB SNAT software SonicWALL SP3 speaking split DNS split tunnel split tunneling SQL SQL server SSD SSH SSL SSL/TLS SSL certificate SSl certificates SSL inspection SSL offload SSL termination SSL VPN SSO SSPR SSTP SSTP. SSL standby strong authentication strongSwan strong user authentication subject alternative name subnet subnet mask subnetting subscription activation support supportability supporting Surface Surface Pro Surface Pro 4 Surface RT svchost.exe Switzerland Symantec sysinternals System Center System Center 2012 System Center Configuration Manager System Center Operations Manager System Center Operations Manager 2012 systeminfo systems management tablet TCP TeamViewer TechDays TechDays 2013 Belgium TechDays San Francisco 2013 TechDaysSF TechDaysSF2014 TechEd TechEd 2012 TechEd 2013 TechEd Europe TechEd Europe 2012 TechEd Europe 2013 TechEd North America TechEd North America 2012 TechEd North America 2013 TechMentor TechMentor 2019 TechMentor Conference TechNet Teredo termination testing Threshold 2 throughput Thunder TLS TLS certificate TLS inspection TLS offload TMG TMG 2010 TND TPM Traffic Filter Traffic Manager traffic routing training TrainSignal transition protocol transition technologies transition technology transition tunnel transport layer security Troopers16 troubleshoot troubleshooting trusted network detection Trusted Platform Module trusted root CA trusted root certification authority tunnel tunnel adapter tunnel adapter IP-HTTPS interface tunnel endpoint tunneling two factor authentication UAG UAG 2010 UAG 2010 SP4 UAG DirectAccess UAG SP3 UAG SP4 UDP UI ULA Umbrella Umbrella Roaming Client unattended mode unicast unicode Unified Remote Access uninstall unique local address unsupported configuration update updates upgrade UseRasCredentials user defined route user interface user tunnel user tunnel authentication utilities utilization v6v4tunnel validation video video training VIP virtual appliance virtual IP address virtualization virtual machine virtual network adapter virtual networking virtual private netowrking virtual private network virtual private networking virtual server Virtual WAN visibility Visual Studio Visual Studio Code VM VMware VNC VPN VPN gateway VPN profile VPN server VpnStrategy VPX VS VS Code vserver vulnerabilities vulnerability WAF wake from hibernate wake from sleep WAN WAP warning Washington web application proxy web filter webinar webprobehost web proxy web proxy server web publishing web server WFAS WHFB whitepaper WID Widows Win10 Windows Windows 7 Windows7 Windows 7 Enterprise Windows 7 SP1 Windows 7 Ultimate Windows 8 Windows 8 Enterprise Windows 8 Pro Windows 8 Professional Windows 8.1 Windows 8.x Windows 8.x/10 Windows 10 Windows10 Windows 10 1803 Windows 10 1809 Windows 10 1903 Windows 10 2004 Windows 10 Always On VPN Windows 10 anniversary update Windows 10 Enterprise Windows 10 November Update Windows 10 pro Windows 10 Professional Windows 10 Technical Preview Windows11 Windows 11 Windows 11 Enterprise Windows DirectAccess windows firewall Windows Firewall with Advanced Security Windows Hello Windows Hello for Business Windows Information Protection Windows Information Protection (WIP) Windows Internal Database Windows RRAS Windows Server Windows Server 1809 Windows Server 2003 Windows Server 2003 R2 Windows Server 2008 R2 Windows Server 2008R2 Windows Server 2012 Windows Server 2012 Core Windows Server 2012 DirectAccess Windows Server 2012 R2 Windows Server 2015 TP5 Windows Server 2016 Windows Server 2016 Technical Preview Windows Server 2016 Technical Preview 5 Windows Server 2019 Windows Server 2022 Windows server core Windows Server Update Services Windows Servr 2012 R2 Windows Sever Windows Update winhttp WinPcap WinRM WinRM quickconfig WIP Wireshark workaround work folders workplace join WorkSite WSAETIMEDOUT WSAHOST_NOT_FOUND WSUS XenApp XML YouTube Zero Trust Zero Trust Network Access Zscaler ZTNA

All posts tagged Certification Authority

Troubleshooting Always On VPN Error 853

Troubleshooting Always On VPN Error 691 and 812 – Part 2

Using Windows Server Network Policy Server (NPS) servers is a common choice for authenticating Microsoft Windows 10 Always On VPN user tunnel connections. The NPS server is joined to the domain and configured with a Network Policy that defines the authentication scheme used by clients for authentication when establishing an Always On VPN connection. Protected Extensible Authentication Protocol (PEAP) using client authentication certificates recommended for most Always On VPN deployment scenarios.

Can’t Connect

Users establishing an Always On VPN user tunnel connection using PEAP and client authentication certificates may encounter a scenario in which a VPN connection attempt fails with the following error message.

“The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid.”

Error 853

In addition, the Application event log records an event ID 20227 from the RasClient source that includes the following error message.

“The user <username> dialed a connection named <connection name> which has failed. The error code is 853.”

Missing NTAuth Certificate

Error code 853 is commonly caused by a missing issuing Certification Authority (CA) certificate in the NTAuth store on the NPS server. The NPS server must have the issuing CA certificate included in this store to perform authentication using client certificates. You can see the contents of the NTAuth certificate store by opening an elevated command window on the NPS server and running the following command.

certutil.exe -enterprise -viewstore NTAuth

Install Certificate

To install the issuing CA server’s certificate into the NTAuth store, copy the CA certificate to the NPS server, open an elevated command window, then run the following command.

certutil.exe -enterprise -addstore NTAuth <issuing CA certificate>

Once complete, view the store again, and you’ll see the issuing CA certificate listed in the NTAuth certificate store.

Additional Information

Troubleshooting Always On VPN Error Code 858

Troubleshooting Always On VPN Error Code 864

Always On VPN and Windows Server 2019 NPS Bug

Always On VPN Network Policy Server (NPS) Load Balancing

Microsoft Network Policy Server (NPS) Reason Codes

19 Comments

by Richard M. Hicks on August 2, 2021 • Permalink

Posted by Richard M. Hicks on August 2, 2021

https://directaccess.richardhicks.com/2021/08/02/troubleshooting-always-on-vpn-error-853/

Always On VPN Device Tunnel with Azure VPN Gateway

Always On VPN is infrastructure independent, which allows for many different deployment scenarios including on-premises and cloud-based. In Microsoft Azure, the Azure VPN gateway can be configured to support Windows 10 Always On VPN client connections in some scenarios. Recently I wrote about using the Azure VPN gateway for Always On VPN user tunnels. In this post I’ll describe how to configure the Azure VPN gateway to support an Always On VPN device tunnel.

Limitations

There are a few crucial limitations that come with using the Azure VPN gateway for Always On VPN. Importantly, the Azure VPN gateway can support either user tunnels or device tunnels, not both at the same time. In addition, Azure supports only a single VPN gateway per VNet, so deploying an additional VPN gateway in the same VNet to support Always On VPN user tunnels is not an option.

Root CA Certificate

The Always On VPN device tunnel is authenticated using a machine certificate issued to domain-joined Windows 10 Enterprise edition clients by the organization’s internal Certification Authority (CA). The CA’s root certificate must be uploaded to Azure for the VPN gateway to authorize device tunnel connections. The root CA certificate can be exported using the Certification Authority management console (certsrv.msc) or via the command line.

Export Certificate – GUI

Follow the steps below to export a root CA certificate using the Certification Authority management console.

1. On the root CA server, open the Certification Authority management console.
2. Right-click the CA and choose Properties.
3. Select the CA server’s certificate and choose View Certificate.
4. Select the Details tab and click Copy to File.
5. Click Next.
6. Choose Base-64 encoded X.509 (.CER).

7. Click Next.
8. Enter a location to save the file to.
9. Click Next, Finish, and Ok.

Export Certificate – Command Line

Follow the steps below to export a root CA certificate using the command line.

1. On the root CA server, open an elevated command window (not a PowerShell window).
2. Enter certutil.exe -ca.cert root_certificate.cer.
3. Enter certutil.exe -encode root.cer root_certificate_base64.cer.

Copy Public Key

1. Open the saved root certificate file using Notepad.
2. Copy the file contents between the BEGIN CERTIFICATE and END CERTIFICATE tags, as shown here. Use caution and don’t copy the carriage return at the end of the string.

Point-to-Site Configuration

The Azure VPN gateway must be deployed as a Route-Based gateway to support point-to-site VPN connections. Detailed requirements for the gateway can be found here. Once the VPN gateway has been provisioned, follow the steps below to enable point-to-site configuration for Always On VPN device tunnels.

1. In the navigation pane of the Azure VPN gateway settings click Point-to-site configuration.
2. Click the Configure now link and specify an IPv4 address pool to be assigned to VPN clients. This IP address pool must be unique in the organization and must not overlap with an IP address ranges defined in the Azure virtual network.
3. From the Tunnel type drop-down list select IKEv2.
4. In the Root certificates section enter a descriptive name for the certificate in the Name field.
5. Copy and paste the Base64 encoded public key copied previously into the Public certificate data field.
6. Click Save to save the configuration.

VPN Client Configuration

To support the Always On VPN device tunnel, the client must have a certificate issued by the internal CA with the Client Authentication Enhanced Key Usage (EKU). Detailed guidance for deploying a Windows 10 Always On VPN device tunnel can be found here.

Download VPN Configuration

1. Click Point-to-site configuration.
2. Click Download VPN client.
3. Click Save.
4. Open the downloaded zip file and extract the VpnSettings.xml file from the Generic folder.
5. Copy the FQDN in the VpnServer element in VpnSettings.xml. This is the FQDN that will be used in the template VPN connection and later in ProfileXML.

Create a Test VPN Connection

It is recommended to create a test VPN connection to perform validation testing of the Azure VPN gateway before provisioning an Always On VPN device tunnel broadly. On a domain-joined Windows 10 enterprise client, create a new VPN connection using IKEv2 with machine certificate authentication. Use the VPN server FQDN copied from the VpnSettings.xml file previously.

Create an Always On VPN Connection

Once the VPN has been validated using the test profile created previously, an Always On VPN profile can be created and deployed using Intune, SCCM, or PowerShell. The following articles can be used for reference.

Deploy Always On VPN device tunnel using PowerShell

Deploy Always On VPN device tunnel using Intune

IKEv2 Security Configuration

The default IKEv2 security parameters used by the Azure VPN gateway are better than Windows Server, but the administrator will notice that a weak Diffie-Hellman (DH) key (Group 2 – 1024 bit) is used during IPsec phase 1 negotiation.

Use the following PowerShell commands to update the default IKEv2 security parameters to recommended baseline defaults, including 2048-bit keys (DH group 14) and AES-128 for improved performance.

Connect-AzAccount
Select-AzSubscription -SubscriptionName [Azure Subscription Name]

$Gateway = [Gateway Name]
$ResourceGroup = [Resource Group Name]

$IPsecPolicy = New-AzVpnClientIpsecParameter -IpsecEncryption AES128 -IpsecIntegrity SHA256 -SALifeTime 28800 -SADataSize 102400000 -IkeEncryption AES128 -IkeIntegrity SHA256 -DhGroup DHGroup14 -PfsGroup PFS14

Set-AzVpnClientIpsecParameter -VirtualNetworkGatewayName $Gateway -ResourceGroupName $ResourceGroup -VpnClientIPsecParameter $IPsecPolicy

Note: Be sure to update the cryptography settings on the test VPN connection and in ProfileXML for Always On VPN connections to match the new VPN gateway settings. Failing to do so will result in an IPsec policy mismatch error.

Additional Information

Windows 10 Always On VPN User Tunnel with Azure VPN Gateway

Windows 10 Always On VPN IKEv2 Security Configuration

Windows 10 Always On VPN Device Tunnel Configuration using Microsoft Intune

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

Windows 10 Always On VPN Options for Azure Deployments

Windows 10 Always On VPN IKEv2 Features and Limitations

28 Comments

by Richard M. Hicks on January 6, 2020 • Permalink

Posted by Richard M. Hicks on January 6, 2020

https://directaccess.richardhicks.com/2020/01/06/always-on-vpn-device-tunnel-with-azure-vpn-gateway/

Microsoft Intune NDES Connector Setup Wizard Ended Prematurely

A Windows Server with the Network Device Enrollment Service (NDES) role can be provisioned on-premises to support certificate deployment for non-domain Windows 10 Always On VPN clients. In addition, the Microsoft Intune Connector must be installed and configured on the NDES server to allow Intune-managed clients to request and receive certificates from the on-premises Certification Authority (CA) server.

Setup Wizard Ended Prematurely

When installing the Microsoft Intune Connector, the administrator may encounter a scenario where the setup wizard fails with the following error message.

“Microsoft Intune Connector Setup Wizard ended prematurely because of an error. Your system has not been modified. To install this program at a later time, run Setup Wizard again. Click the Finish button to exit the Setup Wizard.”

Cryptographic Service Provider

This error can occur if the NDES server certificate template is configured to use the Key Storage Provider cryptography service provider (CSP). When configuring the certificate template for the NDES server, the Legacy Cryptography Service Provider must be used, as shown here.

Additional Information

Deploying Windows 10 Always On VPN with Intune using Custom ProfileXML

Windows 10 Always On VPN Device Tunnel Configuration using Microsoft Intune

Deploying Windows 10 Always On VPN with Microsoft Intune

8 Comments

by Richard M. Hicks on November 11, 2019 • Permalink

Posted by Richard M. Hicks on November 11, 2019

https://directaccess.richardhicks.com/2019/11/11/microsoft-intune-ndes-connector-setup-wizard-ended-prematurely/

Troubleshooting Always On VPN Error Code 864

When configuring an Always On VPN connection, the administrator may encounter a scenario in which a VPN connection fails using either Internet Key Exchange version 2 (IKEv2) or Secure Socket Tunneling Protocol (SSTP). On the Windows 10 client the error message states the following.

“Can’t connect to [connection name]. The remote access connection completed, but authentication failed because a certificate that validates the server certificate was not found in the Trusted Root Certification Authorities certificate store.”

In addition, the Application event log records an error message with Event ID 20227 from the RasClient source. The error message states the following.

“The user [username] dialed a connection name [connection name] which has failed. The error code returned on failure is 864.”

NPS Server Certificate

Error code 864 is commonly caused by a missing or invalid server certificate on the Network Policy Server (NPS) performing authentication for VPN clients. The NPS server must have a certificate installed in its local computer certificate store from a trusted certification authority (CA) that includes the following.

Subject Name

The subject name must match the hostname defined in the EAP configuration for VPN clients. This may be the NPS server’s hostname but could also be an alias when NPS load balancing is configured.

Enhanced Key Usage

The NPS server certificate must include the Server Authentication Enhanced Key Usage (EKU).

NPS Policy Configuration

The NPS server certificate must also be selected in the network policy used for VPN client authentication. To confirm correct certificate configuration, open the properties for the Always On VPN network policy and follow the steps below.

1. Select the Constraints tab.
2. Highlight Authentication Methods.
3. Highlight Microsoft: Protected EAP (PEAP) in the EAP Types field.
4. Click Edit.
5. Select the NPS server certificate from the Certificate issued to drop-down list.

Ensure the NPS server certificate is also used for client certificate authentication by performing the following steps.

1. Highlight Smart Card or other certificate.
2. Click Edit.
3. Select the NPS server certificate from the Certificate issued to drop-down list.
4. Click Ok.

Additional Information

Windows 10 Always On VPN Network Policy Server (NPS) Load Balancing

1 Comment

by Richard M. Hicks on October 31, 2019 • Permalink

Posted in Always On VPN, AOVPN, certificates, enterprise mobility, IKEv2, Mobility, network policy server, public key infrastructure, Remote Access, Security, troubleshooting, VPN, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019

Tagged 864, Always On VPN, AOVPN, authentication, certificate, Certification Authority, error, error 864, IKEv2, Microsoft, network policy server, NPS, rascient, SSTP, VPN, warning, Windows, Windows 10

Posted by Richard M. Hicks on October 31, 2019

https://directaccess.richardhicks.com/2019/10/31/troubleshooting-always-on-vpn-error-code-864/

Always On VPN Users Prompted for Certificate

When deploying Windows 10 Always On VPN using Protected Extensible Authentication Protocol (PEAP) authentication with client certificates, administrators may find the VPN connection does not establish automatically. In this specific scenario the client is prompted to select a certificate to use to authenticate to the VPN server.

Multiple Certificates

This can occur when certificates from multiple Certification Authorities (CAs) are issued to the user that include the Client Authentication Enhanced Key Usage (EKU). When this happens, the user is forced to select the correct certificate to use for VPN authentication.

Clearly this is less than ideal, as it not only breaks the seamless and transparent nature of Always On VPN, the user may select the wrong certificate resulting in authentication failure. Ideally the client should be configured to select the correct certificate without user interaction.

Certificate Selection

Follow the steps below to configure automatic certificate selection for VPN authentication.

On a VPN client, right-click the Always On VPN connection and choose Properties.
Select the Security tab.
In the Authentication section click Properties below Use Extensible Authentication Protocol (EAP).
In the Select Authentication Method section click Configure.
In the When connecting section click Advanced.
Check the box next to Certificate Issuer.
Select the root CA used to issue client authentication certificates for VPN authentication.
Click Ok four times to save the configuration.

Once complete, export the EAP configuration to XML from the VPN client and paste the new settings in Intune or in your custom ProfileXML.

Certificate Purpose

By default, a client certificate requires only the Client Authentication EKU to establish a VPN connection. In some cases, this may not be desirable. For example, consider a deployment where Client Authentication certificates are issued to all users for Wi-Fi authentication. Depending on the Network Policy Server (NPS) configuration, these certificates may also be used to authenticate to the VPN.

VPN Specific Certificate

Follow the steps below to create a user authentication certificate template to be used exclusively for VPN authentication.

Certificate Template

On the CA server, open the Certificate Templates management console (certtmpl.msc).
Right-click the certificate template configured for VPN authentication and choose Properties.
Select the Extension tab.
Highlight Application Policies and click Edit.
Click Add.
Click New.
Enter a descriptive name for the new application policy.
Copy the Object identifier for later use and click Ok four times to save the configuration.
If certificate autoenrollment is configured and the certificate is already provisioned to users, right-click the certificate template and choose Reenroll All Certificate holders.

Client Configuration

On the VPN client, follow the steps outlined previously to configure certificate selection.
In addition to choosing a certificate issuer, select Extended Key Usage (EKU).
Uncheck All Purpose.
Select Client Authentication and the following EKUs.
Click Add.
Click Add once more.
Enter the name of the custom EKU policy created previously.
Enter the custom EKU object identifier copied previously from the custom policy.
Click Ok twice.
Uncheck AnyPurpose and the following EKUs.
Click Ok four times to save the configuration.

Once complete, export the EAP configuration to XML from the VPN client and paste the new settings in Intune or in your custom ProfileXML.

Additional Information

Windows 10 Always On VPN Clients Prompted for Authentication when Accessing Internal Resources

Get-EapConfiguration PowerShell Script on GitHub

Windows 10 Always On VPN Hands-On Training

16 Comments

by Richard M. Hicks on May 28, 2019 • Permalink

Posted in Always On VPN, AOVPN, authentication, certificates, enterprise mobility, GitHub, Mobility, ProfileXML, public key infrastructure, Remote Access, Security, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, XML

Posted by Richard M. Hicks on May 28, 2019

https://directaccess.richardhicks.com/2019/05/28/always-on-vpn-users-prompted-for-certificate/

Always On VPN Clients Prompted for Authentication when Accessing Internal Resources

When deploying Windows 10 Always On VPN using Protected Extensible Authentication Protocol (PEAP) with client authentication certificates, the administrator may encounter a scenario in which the user can establish a VPN connection without issue, but when accessing internal resources they are prompted for credentials and receive the following error message.

“The system cannot contact a domain controller to service the authentication request. Please try again later.”

Resolution

This can occur if one or more domain controllers in the enterprise have expired or missing domain controller authentication certificates. To ensure seamless single sign-on to internal resources, ensure that all domain controllers have a certificate issued by the internal certification authority (CA) that includes the Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2), KDC Authentication (1.3.6.1.5.2.3.5), and Smart Card Logon (1.3.6.1.4.1.311.20.2.2) Enhanced Key Usage (EKU). Administrators can duplicate the Kerberos Authentication template for this purpose.

Additional Information

Windows 10 Always On VPN Certificate Requirements for IKEv2

Windows 10 Always On VPN Hands-On Training

25 Comments

by Richard M. Hicks on May 20, 2019 • Permalink

Posted in Always On VPN, AOVPN, authentication, certificates, Encryption, Enterprise, enterprise mobility, Mobility, Remote Access, routing and remote access service, RRAS, Security, troubleshooting, VPN, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019

Posted by Richard M. Hicks on May 20, 2019

https://directaccess.richardhicks.com/2019/05/20/always-on-vpn-clients-prompted-for-authentication-when-accessing-internal-resources/

Always On VPN SSL Certificate Requirements for SSTP

The Windows Server 2016 Routing and Remote Access Service (RRAS) is commonly deployed as a VPN server for Windows 10 Always On VPN deployments. Using RRAS, Always On VPN administrators can take advantage of Microsoft’s proprietary Secure Socket Tunneling Protocol (SSTP) VPN protocol. SSTP is a Transport Layer Security (TLS) based VPN protocol that uses HTTPS over the standard TCP port 443 to encapsulate and encrypt communication between the Always On VPN client and the RRAS VPN server. SSTP is a firewall-friendly protocol that ensures ubiquitous remote network connectivity. Although IKEv2 is the protocol of choice when the highest level of security is required for VPN connections, SSTP can still provide very good security when implementation best practices are followed.

SSTP Certificate

Since SSTP uses HTTPS for transport, a common SSL certificate must be installed in the Local Computer/Personal/Certificates store on the RRAS VPN server. The certificate must include the Server Authentication Enhanced Key Usage (EKU) at a minimum. Often SSL certificates include both the Server Authentication and Client Authentication EKUs, but the Client Authentication EKU is not strictly required. The subject name on the certificate, or at least one of the Subject Alternative Name entries, must match the public hostname used by VPN clients to connect to the VPN server. Multi-SAN (sometimes referred to as UC certificates) and wildcard certificates are supported.

Certification Authority

It is recommended that the SSL certificate used for SSTP be issued by a public Certification Authority (CA). Public CAs typically have their Certificate Revocation Lists (CRLs) hosted on robust, highly available infrastructure. This reduces the chance of failed VPN connection attempts caused by the CRL being offline or unreachable.

Using an SSL certificate issued by an internal, private CA is supported if the CRL for the internal PKI is publicly available.

Key Type

RSA is the most common key type used for SSL certificates. However, Elliptic Curve Cryptography (ECC) keys offer better security and performance, so it is recommended that the SSTP SSL certificate be created using an ECC key instead.

To use an ECC key, be sure to specify the use of a Cryptographic Next Generation (CNG) key and select the ECDSA_P256 Microsoft Software Key Storage Provider (CSP) (or greater) when creating the Certificate Signing Request (CSR) for the SSTP SSL certificate.

Most public CAs will support certificate signing using ECC and Elliptic Curve Digital Signature Algorithm (ECDSA). If yours does not, find a better CA. 😉

Forward Secrecy

Forward secrecy (sometimes referred to as perfect forward secrecy, or PFS) ensures that session keys can’t be compromised even if the server’s private key is compromised. Using forward secrecy for SSTP is crucial to ensuring the highest levels of security for VPN connections.

To enforce the use of forward secrecy, the TLS configuration on the VPN server should be prioritized to prefer cipher suites with Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange.

Authenticated Encryption

Authenticated encryption (AE) and authenticated encryption with associated data (AEAD) is a form of encryption that provides better data protection and integrity compared to older block or stream ciphers such as CBC or RC4.

To enforce the use of authenticated encryption, the TLS configuration on the VPN server should be prioritized to prefer cipher suites that support Galois/Counter Mode (GCM) block ciphers.

Important Note: In Windows Server 2016, GCM ciphers can be used with both RSA and ECC certificates. However, in Windows Server 2012 R2 GCM ciphers can only be used when an ECC certificate is used.

SSL Offload

Offloading SSL to a load balancer or application delivery controller (ADC) can be enabled to improve scalability and performance for SSTP VPN connections. I will cover SSL offload for SSTP in detail in a future post.

Summary

SSTP can provide good security for VPN connections when implementation and security best practices are followed. For optimum security, use an SSL certificate with an EC key and optimize the TLS configuration to use forward secrecy and authenticated cipher suites.

Additional Information

Always On VPN ECDSA SSL Certificate Request for SSTP

Always On VPN and Windows Server Routing and Remote Access Service (RRAS)

Always On VPN Protocol Recommendations for Windows Server RRAS

Always On VPN Certificate Requirements for IKEv2

3 Important Advantages of Always On VPN over DirectAccess

Microsoft SSTP Specification on MSDN

36 Comments

by Richard M. Hicks on July 16, 2018 • Permalink

Posted by Richard M. Hicks on July 16, 2018

https://directaccess.richardhicks.com/2018/07/16/always-on-vpn-ssl-certificate-requirements-for-sstp/

Always On VPN Certificate Requirements for IKEv2

Internet Key Exchange version 2 (IKEv2) is one of the VPN protocols supported for Windows 10 Always On VPN deployments. When the VPN server is Windows Server 2016 with the Routing and Remote Access Service (RRAS) role configured, a computer certificate must first be installed on the server to support IKEv2. There are some unique requirements for this certificate, specifically regarding the subject name and Enhanced Key Usage (EKU) configuration. In addition, some deployment scenarios may require a certificate to be provisioned to the client to support IKEv2 VPN connections.

Server Certificate

The IKEv2 certificate on the VPN server must be issued by the organization’s internal private certification authority (CA). It must be installed in the Local Computer/Personal certificate store on the VPN server. The subject name on the certificate must match the public hostname used by VPN clients to connect to the server, not the server’s hostname. For example, if the VPN server’s hostname is VPN1 and the public FQDN is vpn.example.net, the subject field of the certificate must include vpn.example.net, as shown here.

In addition, the certificate must include the Server Authentication EKU (1.3.6.1.5.5.7.3.1and the IP security IKE intermediate EKU (1.3.6.1.5.5.8.2.2).

Client Certificate

Client certificate requirements vary depending on the type of VPN tunnel and authentication method being used.

User Tunnel

No certificates are required on the client to support IKEv2 when using MSCHAPv2, EAP-MSCHAPv2, or Protected EAP (PEAP) with MSCHAPv2. However, if the option to verify the server’s identity by validating the certificate is selected when using PEAP, the client must have the certificates for the root CA and any subordinate CAs installed in its Trusted Root Certification and Intermediate Certificate Authorities certificate stores, respectively.

User Tunnel with Certificate Authentication

Using certificate authentication for the user tunnel is the recommended best practice for Always On VPN deployments. A client certificate must be installed in the Current User/Personal store to support PEAP authentication with smart card or certificate authentication. The certificate must include the Client Authentication EKU (1.3.6.1.5.5.7.3.2).

Device Tunnel

A computer certificate must be installed in the Local Computer/Personal certificate store to support IKEv2 machine certificate authentication and the Always On VPN device tunnel. The certificate must include the Client Authentication EKU (1.3.6.1.5.5.7.3.2).

More information about configuring the Always On VPN device tunnel can be found here.

Additional Information

Always On VPN with Trusted Platform Module (TPM) Certificates

Always On VPN Protocol Recommendations for Windows Server 2016 RRAS

Always On VPN and Windows Server RRAS

Always On VPN Training

171 Comments

by Richard M. Hicks on April 30, 2018 • Permalink

Posted in Always On VPN, AOVPN, certificates, enterprise mobility, Mobility, PKI, public key infrastructure, Remote Access, Security, Windows 10, Windows Server 2016

Posted by Richard M. Hicks on April 30, 2018

https://directaccess.richardhicks.com/2018/04/30/always-on-vpn-certificate-requirements-for-ikev2/

Enabling Secure Remote Administration for the NetMotion Mobility Console

During the initial setup of a NetMotion Mobility gateway server, the administrator must choose to allow either Secure (HTTPS) or Non-secure (HTTP) connections when using the web-based Mobility Console.

Configuring HTTPS

Security best practices dictate HTTPS should be enabled to protect credentials used to log on to the gateway remotely. Immediately after selecting the Secure (https:) option, the administrator is prompted to enter server certificate information. Enter this information and click OK to continue and complete the rest of the configuration as necessary.

Self-Signed Certificate

When logging in to the Mobility console, the administrator is presented with a certificate error indicating there is a problem with the website’s security certificate. This is because the certificate is self-signed by the NetMotion Mobility gateway server and is not trusted.

PKI Issued Certificate

The recommended way to resolve this is to request a certificate from a trusted certification authority (CA). To do this, open the Mobility Management Tool on the Mobility gateway server and click on the Web Server tab.

Click on the Server Certificate button and then click New in the Certificate Request section.

In the SAN (subject alternative name) field of the Optional Extension section enter the Fully Qualified Domain Name (FQDN) of the server using the syntax dns:fqdn. Include both the FQDN and the single-label hostname (short name) separated by a comma to ensure both names work without issue. For example:

dns:nm1.lab.richardhicks.net,dns:nm1

Before requesting a certificate from a CA, the root and any intermediate CA certificates must first be imported. Click the Import button next to each, as required.

Click Copy in the Certificate Request section to copy the Certificate Signing Request (CSR) to the clipboard and then save it to a text file. Now submit the CSR to be signed by the CA using the certreq.exe command. Open an elevated command or PowerShell window and enter the following commands.

certreq.exe -attrib “CertificateTemplate:[TemplateName]” -submit [Path_to_CSR_file]

For example:

certreq.exe -attrib “CertificateTemplate:LabWebServer” -submit certreq.txt

Select a CA from the list and click OK, then save the certificate response when prompted.

Click Response and specify the location of the certificate response file saved in the previous step.

Once complete, the newly issued certificate will be in place. Click Close to complete the process.

Click Yes when prompted to restart the Mobility console.

Trusted Certificate

Opening the Mobility Console no longer produces a certificate error message with a certificate installed from a trusted CA.

In addition, if you followed the guidance above and included the single-label hostname in the SAN field, accessing the server using the short name will also work without issue.

Summary

Always select the option to use HTTPS to ensure the highest level of security and protection of credentials when remotely administering a NetMotion Mobility gateway server. For optimal security and to provide the best user experience, use a certificate issued and managed by a trusted CA to prevent certificate errors when opening the Mobility console.

Additional Information

NetMotion Mobility as an Alternative to DirectAccess

NetMotion Mobility Device Tunnel Configuration

Comparing NetMotion Mobility and DirectAccess Part 1 – Security

Comparing NetMotion Mobility and DirectAccess Part 2 – Performance

DirectAccess and NetMotion Mobility Webinar

3 Comments

by Richard M. Hicks on February 1, 2018 • Permalink

Posted in Encryption, NetMotion, NetMotion Mobility, Remote Access, Security, SSL and TLS, Windows Server 2012 R2, Windows Server 2016

Tagged CA, certificate, certificates, Certification Authority, HTTPS, management, Mobility, NetMotion, NetMotion Mobility, PKI, Remote Access, remote management, SSL, TLS

Posted by Richard M. Hicks on February 1, 2018

https://directaccess.richardhicks.com/2018/02/01/enabling-secure-remote-administration-for-the-netmotion-mobility-console/

KEMP LoadMaster Load Balancer Certificate Format Invalid

When implementing a KEMP LoadMaster load balancer, one of the first configuration tasks performed is importing root and intermediate Certification Authority (CA) certificates. When doing this, it is not uncommon to encounter the following error message.

Certificate Format Invalid.

To resolve this issue, .CER files must first be converted to .PEM format before being imported in to the LoadMaster. Using OpenSSL, .CER files can quickly be converted to .PEM with the following command.

openssl x509 -inform der -in example.cer -out example.pem

Optionally, .CER files can be converted to .PEM online here.

If the root and/or intermediate certificates are from an internal PKI, export the certificates using the Base-64 encoded x.509 (.CER) option. Certificates exported using this format can be imported directly in to the LoadMaster without first having to be converted to .PEM.

Pro tip: When entering the Certificate Name, it is not necessary to enter a file extension. The name will be appended with .PEM automatically upon import.

Additional Resources

DirectAccess Deployment Guide for KEMP LoadMaster Load Balancers

Maximize Your Investment in Windows 10 with KEMP LoadMaster Load Balancers

DirectAccess and the FREE KEMP LoadMaster Load Balancer

Configure KEMP LoadMaster Load Balancer for DirectAccess Network Location Server (NLS)

Planning and Implementing DirectAccess Video Training Course on Pluralsight

Implementing DirectAccess with Windows Server 2016 Book

1 Comment

by Richard M. Hicks on May 10, 2017 • Permalink

Posted in ADC, application delivery controller, DirectAccess, High Availability, Kemp, Load Balancing, LoadMaster, SSL and TLS, troubleshooting, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012 R2, Windows Server 2016

Tagged ADC, application delivery controller, CA, certificate, certificates, Certification Authority, DirectAccess, error, Kemp, load balancer, load balancing, LoadMaster, openssl, Remote Access, troubleshooting

Posted by Richard M. Hicks on May 10, 2017

https://directaccess.richardhicks.com/2017/05/10/kemp-loadmaster-load-balancer-certificate-format-invalid/

Awards

Consulting

Newsletter

Connect

RSS Feed

Archives

Categories

Tag Cloud

All posts tagged Certification Authority

Can’t Connect

Error 853

Missing NTAuth Certificate

Install Certificate

Additional Information

Share this:

Like this:

Limitations

Root CA Certificate

Export Certificate – GUI

Export Certificate – Command Line

Copy Public Key

Point-to-Site Configuration

VPN Client Configuration

Download VPN Configuration

Create a Test VPN Connection

Create an Always On VPN Connection

IKEv2 Security Configuration

Additional Information

Share this:

Like this:

Setup Wizard Ended Prematurely

Cryptographic Service Provider

Additional Information

Share this:

Like this:

NPS Server Certificate

Subject Name

Enhanced Key Usage

NPS Policy Configuration

Additional Information

Share this:

Like this:

Multiple Certificates

Certificate Selection

Certificate Purpose

VPN Specific Certificate

Certificate Template

Client Configuration

Additional Information

Share this:

Like this:

Resolution

Additional Information

Share this:

Like this:

SSTP Certificate

Certification Authority

Key Type

Forward Secrecy

Authenticated Encryption

SSL Offload

Summary

Additional Information

Share this:

Like this:

Server Certificate

Client Certificate

User Tunnel

User Tunnel with Certificate Authentication

Device Tunnel

Additional Information

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Always On VPN Book

DirectAccess Book

Recent Posts