Certificate-Based Authentication Changes and Always On VPN

Microsoft introduced important changes affecting certificate-based authentication on Windows domain controllers as part of the May 10, 2022 update KB5014754 that may affect Always On VPN deployments. The update addresses privilege escalation vulnerabilities when a domain controller is processing a certificate-based authentication request. The recommendation from Microsoft is that the update be applied to all Windows domain controllers and Active Directory Certificate Services (AD CS) servers as soon as possible.

Certificate Services

After applying the update to certification authority (CA) servers, a non-critical extension with Object Identifier (OID) 1.3.6.1.4.1.311.25.2 is added to all issued certificates with the user or device security identifier (SID) included. Domain controllers with the update installed will use this information to validate the certificate used for authentication and ensure that it matches the information in Active Directory.

Domain Controllers

The update operates in Compatibility Mode, by default, when applied to domain controllers. Windows monitors authentication requests and records audit events for certificates presented for authentication under the following conditions.

No strong mapping (event ID 39) – The certificate has not been mapped explicitly to a domain account, and the certificate did not include the new SID extension.

Certificate predates account (event ID 40) – A certificate was issued before the user existed in Active Directory, and no explicit mapping could be found.

User’s SID does not match certificate (event ID 41) – A certificate contains the new SID extension, but it does not match the SID of the corresponding user account.

Certificate Mapping

Administrators can map certificates explicitly to accounts in Active Directory, but this results in a significant administrative burden in most environments. A better option is to reissue user and device authentication certificates after applying the KB5014754 update to all issuing CA servers.

Reenroll Certificates

Administrators should reissue user and device authentication certificates after applying the KB5014754 update. Open the Certificate Templates management console (certtmpl.msc), identify the user or device authentication certificate template, then right-click on the template and choose Reenroll All Certificate Holders.

Enforcement Mode

After applying update KB5014754, administrators should monitor domain controller event logs for event IDs 39, 40, and 41. Once all certificates have been updated, and none of these events have been recorded for 30 days, administrators can switch to Full Enforcement Mode by enabling it in the registry on all domain controllers.

Key: HKLM\SYSTEM\CurrentControlSet\Services\KDC
Value: StrongCertificateBindingEnforcement
Type: DWORD
Data: 2

Note: Microsoft will automatically switch to Full Enforcement Mode beginning May 9, 2023.

Known Issues

There have been some reports of authentication issues after installing the KB5014754 update. Early indications are that device authentication certificates missing a Subject Alternative Name (SAN) entry are to blame. Administrators are encouraged to update their device certificates to include the SAN entry. Optionally, but not recommended, administrators can place the update in disabled mode by editing the registry.

Additional Information

KB5014754 – Certificate-based authentication changes on Windows domain controllers

Microsoft Windows Always On VPN Users Prompted for Certificate

Microsoft Windows Always On VPN Clients Prompted for Authentication when Accessing Internal Resources

Always On VPN DPC Demonstration

Recently I wrote about PowerON Platforms’ Always On VPN Dynamic Profile Configurator (DPC). This software solution enables administrators to natively provision and manage Always On VPN client configuration settings using Active Directory and group policy. In that post, I provided some high-level details about the product, along with a brief overview of its advanced features.

Demonstration Video

I have recorded a video demonstrating how to install and configure Always On VPN DPC and use its basic features. You will find that demonstration video here.

Advanced Features

Soon I will share more details about Always On VPN DPC and using its advanced capabilities to solve some common challenges faced by Always On VPN administrators. Stay tuned!

Learn More

Are you interested in learning more about PowerON Platforms Always On VPN DPC? Fill out the form below, and I’ll contact you with more information. In addition, you can visit aovpndpc.com to register for an evaluation license.

Additional Information

Always On VPN with Active Directory Group Policy

Always On VPN Dynamic Profile Configurator (DPC)

Always On VPN with Active Directory Group Policy

Windows Always On VPN is a workload explicitly designed to be implemented and managed using Microsoft Endpoint Manager/Intune. While this is the best way to deploy and manage Always On VPN client configuration settings, it is not the only way. Administrators can also use System Center Configuration Manager (SCCM) by deploying a PowerShell script and XML configuration file to configure Always On VPN. Of course, it’s always possible to run the PowerShell script on individual machines.

Group Policy

Until now, there have been few options for deploying and managing Windows Always On VPN using Active Directory and group policy. This presents a challenge for administrators who still rely on group policy to manage their endpoints. It is possible to deploy the PowerShell script and XML configuration file using a group policy startup script. However, there are many limitations to this approach. Administrators must learn to properly configure the XML file and manage any configuration updates post-implementation.

Always On VPN DPC

The folks at PowerON Platforms have developed the Always On VPN Dynamic Profile Configurator (DPC) to address these shortcomings. Always On VPN DPC allows administrators to deploy and manage Always On VPN client configuration settings using Active Directory and group policy. Their software comes with Active Directory group policy templates that include all the necessary settings and client software that manages the configuration on the endpoint.

Advanced Features

Always On VPN DPC includes advanced features not included in Microsoft Endpoint Manager/Intune or XML. Here’s a sample of helpful custom settings that can be configured using Always On VPN DPC.

  • VpnStrategy
  • Interface metrics
  • Route metrics
  • Dynamically updated Office 365 exclusion route list
  • IKE mobility settings
  • IPv6 routes
  • And more…

Videos

I’ve created a brief introduction video for PowerOn Platforms Always On VPN DPC on YouTube. Soon I’ll be releasing additional videos that cover the installation and configuration of Always On VPN DPC and some of its advanced features, so be sure to subscribe to my YouTube channel.

Learn More

Are you interested in learning more about PowerON Platforms Always On VPN DPC? Fill out the form below, and I’ll contact you with more information. In addition, you can visit aovpndpc.com to register for an evaluation license.

Special Thanks

I want to extend a special thank you to Leo D’Arcy and the entire team at PowerON Platforms for allowing me to preview this software before its wide release. Also, I’m honored that you have graciously accepted my input and feedback for this solution. I’m consistently amazed at how rapidly you’ve corrected issues and implemented new features at my behest. You are all amazing. Thanks again! 😁

Additional Information

AovpnDPC.com

Introducing PowerON Platforms Always On VPN DPC on YouTube.com

%d bloggers like this: