All posts tagged Windows 11

Azure Conditional Access Certificates with SID Information Now Available

I recently wrote about changes to certificate-based authentication affecting Always On VPN implementations. These changes were introduced by Microsoft’s security update KB5014754. When the update is installed on domain controllers and enterprise Certification Authorities (CAs), administrators can perform strong user mapping for certificates used for Active Directory authentication. However, when first introduced, the update came with some serious limitations that prevented administrators from enabling full enforcement mode for certificate mapping.

Limitations

When KB5014754 is installed on an enterprise issuing CA, a new certificate extension (1.3.6.1.4.1.311.25.2) is added to the issued certificate that includes the principal’s (user or device) Security Identifier (SID). However, this only occurs when an online template is used. An online template is one with the subject name built from Active Directory information. The SID is not embedded in certificates issued using an offline template. Offline templates are templates where the subject name is supplied in the request. There are two scenarios where this causes problems for Always On VPN.

Microsoft Intune

Certificates delivered with Microsoft Intune via the Intune Certificate Connector use an offline template. This applies to certificates using PKCS or SCEP. Today, the SID is not embedded by issuing CAs using offline templates.

Azure Conditional Access

The short-lived certificate issued by Azure when Conditional Access is configured for Always On VPN did not include the SID. However, that recently changed.

Recent Updates

Today we can scratch Azure Conditional Access off the list of limitations for Always On VPN. Microsoft recently introduced support for the new SID extension in Azure Conditional Access certificates, as shown here.

Now when an Azure Conditional Access certificate is issued to an on-premises user or device account that is synced with Azure Active Directory, Azure Conditional Access will include the SID information in the issued short-lived certificate.

Intune

Unfortunately, we’re still waiting for Microsoft to address the limitation with certificates delivered using Microsoft Intune. Hopefully we’ll see an update for that later this year.  

Additional Information

Certificate-Based Authentication Changes and Always On VPN

Microsoft KB5014754

Digital Certificates and TPM

Microsoft Intune Certificate Connector Service Account and PKCS

3 Comments
by Richard M. Hicks on July 11, 2023  •  Permalink
Posted in AADJ, Active Directory, administration, Always On VPN, AOVPN, authentication, Azure, Azure Active Directory, Azure AD, Azure AD Join, Azure Conditional Access, Azure MFA, Azure VPN, Certificate Connector for Intune, certificates, cloud, Conditional Access, Deployment, Device Management, Endpoint Manager, Enterprise, enterprise mobility, HAADJ, Hybrid Azure AD Join, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, MEMCM, MFA, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Multifactor Authentiction, NDES, Network Device Enrollment Service, Network Device Enrollment Services, NPS, Operational Support, PFX Connector, PKCS, PKI, public cloud, public key infrastructure, Remote Access, SCEP, Security, Simple Certificate Enrollment Protocol, systems management, Update, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on July 11, 2023

https://directaccess.richardhicks.com/2023/07/11/azure-conditional-access-certificates-with-sid-information-now-available/

Always On VPN Masterclass at ViaMonstra Online Academy – September 2023

I’m pleased to announce that my popular Always On VPN Deep Dive Workshop training event is coming to the ViaMonstra Online Academy! Many of you have requested a virtual, live, online training event for Microsoft Always On VPN, so here’s your opportunity to learn all about this secure remote access technology without having to leave the comfort of your home or office.

Live and Online

This live, online 4-day virtual training event will take place September 18-20, 2023. The cost for the training is $3,195.00 and will include ten training modules and numerous hands-on labs. Don’t miss out on this excellent opportunity to learn more about designing, implementing, managing, and support Always On VPN. Space is limited, so register today!

Additional Information

Always On VPN Masterclass at ViaMonstra Online Academy

Always On VPN Free Mini-Course at ViaMonstra Online Academy

Leave a comment
by Richard M. Hicks on June 29, 2023  •  Permalink
Posted in Always On VPN, AOVPN, Infrastructure, InTune, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Remote Access, Training, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Workshop
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 29, 2023

https://directaccess.richardhicks.com/2023/06/29/always-on-vpn-masterclass-at-viamonstra-online-academy-september-2023/

Always On VPN Ask Me Anything (AMA) June 2023

It’s that time again! Have questions about Always On VPN? Are you having a specific issue you can’t figure out? Need information about configuration options? Here’s your chance to get your questions answered! Join me next week on Thursday, June 29, 2023, at 10:00 AM PDT (UTC -7) for an opportunity to ask me anything (AMA!) about Microsoft Windows Always On VPN and related technologies.

Missed out on this event? You can find the session recording on YouTube here.

The AMA will be an open forum session where we can all talk shop about Always On VPN. It’s a great chance to learn new things and share experiences with your peers. We’ll discuss known issues and limitations, best practices, and more.

Everyone is welcome. Don’t miss out on this excellent opportunity to connect and learn. Register today!

Can’t make the session? Register anyway and I’ll send you the link to the recording as soon as it is availalbe!

3 Comments
by Richard M. Hicks on June 19, 2023  •  Permalink
Posted in Always On VPN, AMA, AOVPN, enterprise mobility, InTune, MDM, MEM, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, NPS, Operational Support, PKI, Remote Access, RRAS, Security, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Workshop
Tagged , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 19, 2023

https://directaccess.richardhicks.com/2023/06/19/always-on-vpn-ask-me-anything-ama-june-2023/

« Older Posts
Newer Posts »