All posts tagged endpoint manager

Azure Conditional Access Certificates with SID Information Now Available

I recently wrote about changes to certificate-based authentication affecting Always On VPN implementations. These changes were introduced by Microsoft’s security update KB5014754. When the update is installed on domain controllers and enterprise Certification Authorities (CAs), administrators can perform strong user mapping for certificates used for Active Directory authentication. However, when first introduced, the update came with some serious limitations that prevented administrators from enabling full enforcement mode for certificate mapping.

Limitations

When KB5014754 is installed on an enterprise issuing CA, a new certificate extension (1.3.6.1.4.1.311.25.2) is added to the issued certificate that includes the principal’s (user or device) Security Identifier (SID). However, this only occurs when an online template is used. An online template is one with the subject name built from Active Directory information. The SID is not embedded in certificates issued using an offline template. Offline templates are templates where the subject name is supplied in the request. There are two scenarios where this causes problems for Always On VPN.

Microsoft Intune

Certificates delivered with Microsoft Intune via the Intune Certificate Connector use an offline template. This applies to certificates using PKCS or SCEP. Today, the SID is not embedded by issuing CAs using offline templates.

Azure Conditional Access

The short-lived certificate issued by Azure when Conditional Access is configured for Always On VPN did not include the SID. However, that recently changed.

Recent Updates

Today we can scratch Azure Conditional Access off the list of limitations for Always On VPN. Microsoft recently introduced support for the new SID extension in Azure Conditional Access certificates, as shown here.

Now when an Azure Conditional Access certificate is issued to an on-premises user or device account that is synced with Azure Active Directory, Azure Conditional Access will include the SID information in the issued short-lived certificate.

Intune

Unfortunately, we’re still waiting for Microsoft to address the limitation with certificates delivered using Microsoft Intune. Hopefully we’ll see an update for that later this year.  

Additional Information

Certificate-Based Authentication Changes and Always On VPN

Microsoft KB5014754

Digital Certificates and TPM

Microsoft Intune Certificate Connector Service Account and PKCS

2 Comments
by Richard M. Hicks on July 11, 2023  •  Permalink
Posted in AADJ, Active Directory, administration, Always On VPN, AOVPN, authentication, Azure, Azure Active Directory, Azure AD, Azure AD Join, Azure Conditional Access, Azure MFA, Azure VPN, Certificate Connector for Intune, certificates, cloud, Conditional Access, Deployment, Device Management, Endpoint Manager, Enterprise, enterprise mobility, HAADJ, Hybrid Azure AD Join, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, MEMCM, MFA, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Multifactor Authentiction, NDES, Network Device Enrollment Service, Network Device Enrollment Services, NPS, Operational Support, PFX Connector, PKCS, PKI, public cloud, public key infrastructure, Remote Access, SCEP, Security, Simple Certificate Enrollment Protocol, systems management, Update, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on July 11, 2023

https://directaccess.richardhicks.com/2023/07/11/azure-conditional-access-certificates-with-sid-information-now-available/

Always On VPN Trusted Network Detection and Native Azure AD Join

Administrators deploying Microsoft Always On VPN are quickly learning that the native Azure Active Directory join (AADJ) model has significant advantages over the more traditional Hybrid Azure AD join (HAADJ) scenario. Native AADJ is much simpler to deploy and manage than HAADJ while still allowing full single sign-on (SSO) to on-premises resources for remote users. Intune even allows for the import of custom ADMX and ADML administrative templates, further reducing the dependency on on-premises Active Directory for device management.

Remote Management

Although devices aren’t joined to the domain, administrators may still wish to access those clients connected to their network for device discovery or to perform administrative tasks. However, when native AADJ clients connect via Always On VPN, the Public Windows firewall profile is assigned to the VPN tunnel adapter. The Public profile is, of course, more restrictive and blocks most management protocols by default.

Firewall Rules

While adding firewall rules to the Public profile to allow management protocols is possible, this isn’t recommended for security reasons. The Public profile is typically loaded when the device is on an untrusted network. Exposing management protocols on an insecure network is asking for trouble.

Domain Profile

Domain-joined or Hybrid AADJ endpoints will use the Domain Windows firewall profile. This profile is more permissive, allowing many standard management protocols by default. Also, administrators can add rules to allow additional access as required without increasing the risk for devices on untrusted networks.

Trusted Network Detection

So, the trick is to get a native AADJ endpoint to load the Domain profile for the VPN tunnel adapter when connected via Always On VPN. Trusted Network Detection is accomplished by using settings configured on the endpoint using the NetworkListManager Configuration Service Provider (CSP).

Intune and XML

There are two settings administrators can enable AADJ devices to detect a trusted network and load the Domain Windows firewall profile. Unfortunately, these settings can only be applied using Intune and the Custom XML template. Administrators will use the following OMA-URI settings.

AllowedTlsAuthenticationEndpoints

The AllowedTlsAuthenticationEndpoints policy setting defines the URL the device uses to validate a trusted network. The target must be an on-premises web server with a valid TLS certificate using HTTPS. The target must be a highly available internal resource inaccessible from the Internet. DirectAccess administrators will be quite familiar with this concept; it’s the Network Location Server (NLS)!

Use the following OMA-URI to configure the TLS authentication endpoint.

URI: ./Device/Vendor/MSFT/Policy/Config/
NetworkListManager/AllowedTlsAuthenticationEndpoints

String: <![CDATA[https://nls.corp.example.net]]>

ConfiguredTlsAuthenticationNetworkName

The ConfiguredTlsAuthenticationNetworkName policy setting is optional. Administrators can use this setting to provide a friendly name for the authenticated trusted network. The FQDN of the target resource (NLS) is used by default. However, using this setting overrides the default with something more meaningful.

Use the following OMA-URI to configure the TLS authentication network name.

URI: ./Device/Vendor/MSFT/Policy/Config/
NetworkListManager/ConfiguredTlsAuthenticationNetworkName

String: <Friendly network name>

Results

Once configured, you’ll find the Always On VPN tunnel adapter uses the Domain Windows firewall profile and an optional friendly network name.

Additional Information

Deploying Always On VPN with Intune using Custom XML and CSP

Always On VPN CSP Updates

Always On VPN and VpnStrategy with CSP

2 Comments
by Richard M. Hicks on June 26, 2023  •  Permalink
Posted in AADJ, Active Directory, administration, Always On VPN, AOVPN, authentication, Azure Active Directory, Azure AD, Azure AD Join, certificates, Deployment, Device Management, Endpoint Manager, Enterprise, enterprise mobility, Group Policy, HAADJ, Hybrid Azure AD Join, Manage Out, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, OMA-DM, OMA-URI, Operational Support, Remote Access, Security, SSL, SSL and TLS, systems management, TLS, TND, Trusted Network Detection, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 26, 2023

https://directaccess.richardhicks.com/2023/06/26/always-on-vpn-trusted-network-detection-and-native-azure-ad-join/

Intune Certificate Connector Configuration Failed

Troubleshooting Always On VPN Error 691 and 812 – Part 2

The Microsoft Intune Certificate Connector must be deployed on-premises to provision and manage enterprise PKI certificates using Intune. The Intune Certificate Connector supports the deployment of SCEP, PKCS, PKCS imported certificates, or any combination of these. The connector can be configured to run under the SYSTEM account or optionally (and recommended) a domain service account. When using a service account, the service account must have permission to log on as a service on the server where the Intune Certificate Connector server.

Access is Denied

Even when all prerequisites are met, administrators may still find the installation of the Intune Certificate Connector fails with the following error message.

“Configuring Microsoft Intune Certificate Connector failed. No changes were made to Feature or Proxy settings. Please try again.”

“Unexpected Failure. Error: System.lnvalidOperationException: Cannot open PFXCertificateConnectorSvc service on computer ‘.’ System.ComponentModel.Win32Exception: Access is denied”

Workaround

After the connector installation fails, open the file explore and navigate to C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI. Right-click PFXCertificateConnectorUI.exe and choose ‘Run as administrator’.

Run through the connector installation wizard again, and it should install without issue.

To avoid this problem for future Intune Certificate Connector deployments, administrators can right-click the Intune Certificate Connector installer (IntuneCertificateConnector.exe) and choose ‘Run as administrator’.

Additional Information

Microsoft Intune Certificate Connector Configuration Failure (Part 1)

Microsoft Intune Certificate Connector Service Account and PKCS

Microsoft Intune Learning Resources for Always On VPN Admins

Microsoft Intune Certificate Connector Overview

Leave a comment
by Richard M. Hicks on May 24, 2023  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, cloud, Deployment, Device Management, device tunnel, Endpoint Manager, Enterprise, enterprise mobility, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, NDES, Operational Support, PFX Connector, PKCS, PKI, public cloud, Remote Access, SCEP, Security, Simple Certificate Enrollment Protocol, troubleshooting, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on May 24, 2023

https://directaccess.richardhicks.com/2023/05/24/intune-certificate-connector-configuration-failed/

« Older Posts
%d bloggers like this: