In part two of the Always On VPN guide, we will configure Active Directory, Group Policy, and server certificates.

Joseph Moody

Joseph Moody is a network admin for a public school system and helps manage 5,500 PCs. He is a Microsoft Most Valuable Professional (MVP) in Cloud and Datacenter Management and blogs at DeployHappiness.com.

The server side of Always On VPN consists of three components: Certificate Services, Network Policy Server (NPS), and Remote Access. If you do not already have a certificate authority, an NPS server, or a remote access server in your environment, use the generic setup link in the server configuration section. This part covers only the certificate authority setup.

This guide assumes you already have these three services deployed in your environment and only need to configure them for Always On VPN Remote Access. The steps have been tested against Windows Server 2012 R2 and Windows Server 2016.

Always On VPN Active Directory preparation

Create three new security groups in Active Directory named something like:

  • NPS Servers
  • VPN Servers
  • VPN Users

Store these groups in a protected organizational unit (OU) or container. The default Users container works well for this. The first two groups should contain all of your NPS servers and VPN servers respectively. If you only have one of each, still add it to the group. We'll tie our configurations to these groups, which makes adding a second server for failover much easier later.

The third group (VPN Users) controls which users can establish a remote connection. This group, along with some later settings, overrides the dial-in properties tab you can set individually on user accounts. Add a test user or your own account to the VPN Users group now. Be sure to log off and log back in, because group membership is only picked up in the user's logon token at logon.
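The same three groups can be created and populated from PowerShell instead of Active Directory Users and Computers. The script below is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is installed, and the names NPS01, VPN01 and vpntest are placeholders for your own NPS server, VPN server and test user.

```powershell
# Added example (not from the original article): create the three Always On VPN
# security groups in the default Users container and populate them.
# Assumes the ActiveDirectory module (RSAT) is available on this machine.
Import-Module ActiveDirectory

$usersContainer = "CN=Users,$((Get-ADDomain).DistinguishedName)"
$groupNames     = 'NPS Servers', 'VPN Servers', 'VPN Users'

# Create each group only if it does not exist yet; keep the group objects for later use.
$groups = @{}
foreach ($name in $groupNames) {
    $existing = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $usersContainer
    if (-not $existing) {
        $existing = New-ADGroup -Name $name -SamAccountName ($name -replace ' ', '') `
            -GroupScope Global -GroupCategory Security -Path $usersContainer `
            -Description "Always On VPN: $name" -PassThru
    }
    $groups[$name] = $existing
}

# Placeholder members (hypothetical names); replace with your own hostnames and account.
$npsServer = Get-ADComputer -Identity 'NPS01'    # your NPS server
$vpnServer = Get-ADComputer -Identity 'VPN01'    # your RRAS / VPN server
$testUser  = Get-ADUser     -Identity 'vpntest'  # the test user that will receive a VPN Users certificate

Add-ADGroupMember -Identity $groups['NPS Servers'] -Members $npsServer
Add-ADGroupMember -Identity $groups['VPN Servers'] -Members $vpnServer
Add-ADGroupMember -Identity $groups['VPN Users']   -Members $testUser

# Show the resulting membership. The new group SIDs only appear in a token after the
# user logs off and on again, or the computer reboots, so do that before testing enrollment.
foreach ($name in $groupNames) {
    $members = Get-ADGroupMember -Identity $groups[$name] |
        Select-Object -ExpandProperty SamAccountName
    '{0}: {1}' -f $name, ($members -join ', ')
}
```

The groups are created with global scope because the templates and NPS policies later in this series grant permissions within the same domain; if your servers span multiple domains in a forest, a universal group is the usual choice instead.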

Group Policy for Always On VPN

In the Group Policy Management Console (GPMC), create and link a new Group Policy Object (GPO) to the root of your domain. Name this GPO Certificate Enrollment and do not change the security scope from Authenticated Users. Edit the GPO and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. Right-click on Certificate Services Client – Auto-Enrollment and select Properties. Change Configuration Model to Enabled and check the next two boxes. Click OK.

Certificate Auto Enrollment Properties

Repeat these same steps under User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. Close the GPMC after finishing. Restart any client computer and log into it. Run gpresult /h Report.htm and open the resulting Report.htm file. Ensure the report shows the auto-enrollment settings you configured under both Computer Configuration and User Configuration.

Configuring Certificate Services for Remote Access

Active Directory Certificate Services (AD CS) provides the authentication mechanism for your Always On VPN setup. It issues users or devices a certificate, so they can authenticate to the VPN without entering a username or password. If you haven't deployed AD CS in your environment already, begin with this guide, and then come back for the remaining Remote Access steps.

We will be creating three certificate templates in this section. Remote into your certificate authority (CA) and open the Certification Authority MMC. Expand your Certification Authority name. Then right-click on Certificate Templates and click Manage. The Certificate Templates console will open.

VPN user certificate

Right-click on the User template and select Duplicate Template. Select the General tab and name the certificate VPN Users. Uncheck Publish Certificate in Active Directory.

On the Security tab, add the VPN Users group you created earlier, and give it the Enroll and Autoenroll permissions. Remove Domain Users from the security tab.

On the Compatibility tab, change the first drop-down box to Windows Server 2012 R2. Change the second drop-down box to Windows 8.1 / Windows Server 2012 R2.

Changing Certificate Compatibility settings

On the Request Handling tab, uncheck Allow private key to be exported.

On the Cryptography tab, change the Provider Category to Key Storage Provider. Click Requests must use one of the following providers, and place a check next to Microsoft Platform Crypto Provider.

Configuring the Microsoft Platform Crypto Provider

Click OK and close the Certificate Templates console. Close the Certification Authority console as well. Restart the Active Directory Certificate Services service.

Reopen the Certification Authority console. Right-click on Certificate Templates and select New – Certificate Template to Issue. Choose VPN Users and click OK.

Earlier, you should have added a test user or your own account to the VPN Users security group. Run gpupdate as that user. Open certmgr.msc to view the certificates issued to that user (Current User). Expand Personal\Certificates. You should now see a user certificate containing the full name of the user, issued from the VPN Users certificate template. If you do not see it, restart once.

Issuing the VPN User certificate

NPS and VPN server certificates

Open the Certification Authority console on your CA again. Right-click on Certificate Templates and select Manage to open the Certificate Templates console. Right-click on the RAS and IAS Server template and select Duplicate Template.

On the General tab, change the template Display name to NPS Servers.

On the Security tab, add the NPS Servers security group you created earlier and give this group the Enroll and Autoenroll permissions. Remove the RAS and IAS Servers group from the permissions list.

On the Compatibility tab, change the first drop-down box to Windows Server 2012 R2. Change the second drop-down box to Windows 8.1 / Windows Server 2012 R2. Click OK. Ensure your NPS server(s) are members of the NPS Servers security group you created earlier.

Before we issue the NPS Servers certificate, we will also create the VPN Server certificate. In the Certificate Templates console, right-click on the RAS and IAS Server template again. Select Duplicate Template.

On the General tab, change the template display name to VPN Servers.

On the Extensions tab, select Application Policies and click Edit. Click Add and select IP Security IKE intermediate. Click OK.

Enabling the IP Security IKE extension

On the Security tab, add the VPN Servers security group you created earlier. Only give this group the Enroll permission. Do not give this group any other permissions. Remove the RAS and IAS Servers group from the Security tab.

On the Subject Name tab, select Supply in the request and click OK on the warning message. Your VPN server may use a different certificate subject name than the fully qualified domain name (FQDN) of the machine (typically the external DNS name clients connect to). This is why we can't let the VPN server autoenroll itself.

On the Compatibility tab, change the first drop-down box to Windows Server 2012 R2. Change the second drop-down box to Windows 8.1 / Windows Server 2012 R2. Click OK and close the Certificate Templates console. Close the Certification Authority console as well. Restart the Active Directory Certificate Services service.

Open the Certification Authority console. Right-click on Certificate Templates and select New – Certificate Template to Issue. Select your NPS Servers certificate. Do the same thing for your VPN Servers certificate.

Enrolling the NPS and VPN server certificates

Restart the server in the NPS Servers security group. Launch certlm.msc on the NPS Server, and check the Personal certificate store for the NPS Server certificate you issued.

The NPS Servers certificate template issued to the NPS server

Restart the VPN server once. On the VPN server, you will need to enroll the certificate manually. Launch certlm.msc. Under Personal, right-click on Certificates and select Request new Certificate.

Click Next until you see the Request Certificates page, and then check the VPN Servers certificate box. Click the More information is required link to enter the certificate Subject name. Set the Type to Common Name and enter the external DNS name clients would use to connect to your VPN server. For example, you could use vpn.yourdomain.com.

Below the Subject name, set the Alternative Name type to DNS and enter the Subject value. Finish the Request New Certificate wizard. You should now see the certificate listed in the Personal certificate store. The intended purpose of the certificate should list the IP security Internet Key Exchange (IKE), and the Certificate template should match your VPN Servers template name.
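The two enrollment checks in this article (the user certificate in certmgr.msc and the VPN server certificate in certlm.msc) can be done from PowerShell as well. The script below is an added example, not part of the original article: it finds certificates issued from a given template, lists the enhanced key usages the certificate carries and which ones are missing (Client Authentication for the user certificate; Server Authentication and IP security IKE intermediate for the VPN server certificate), reports which key storage provider holds the private key (so you can confirm the user certificate really landed in the Microsoft Platform Crypto Provider, which requires a TPM), and, for the VPN server certificate, checks that the subject alternative name contains the external DNS name. It assumes the template display names from this article ('VPN Users' and 'VPN Servers'), the article's placeholder name vpn.yourdomain.com, and Windows PowerShell 5.1 on .NET Framework 4.6 or later, which is what the RSACng key query needs.

```powershell
# Added example (not from the original article): verify enrolled Always On VPN certificates.
# Run as the test user on a client for the user certificate (Cert:\CurrentUser\My), or
# elevated on the VPN server for the server certificate (Cert:\LocalMachine\My).

# Well-known OIDs used below
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
$EkuClientAuth   = '1.3.6.1.5.5.7.3.2'      # Client Authentication
$EkuServerAuth   = '1.3.6.1.5.5.7.3.1'      # Server Authentication
$EkuIkeIntermed  = '1.3.6.1.5.5.8.2.2'      # IP security IKE intermediate

function Get-CertificateTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $v2 = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    if ($v2) {
        # Formatted text looks like "Template=VPN Users(1.3.6.1.4.1.311.21.8....), Major Version Number=..."
        # The display name is resolved from the template OID; if it cannot be resolved only the OID is shown.
        if ($v2.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
        return $v2.Format($false)
    }
    $v1 = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $TemplateNameOid }
    if ($v1) { return $v1.Format($false).Trim() }
    return $null
}

function Get-PrivateKeyProvider {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate.HasPrivateKey) { return $null }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    # CNG keys (Key Storage Providers) come back as RSACng; the provider name tells you whether the
    # key is in the Platform Crypto Provider (TPM) or the Software Key Storage Provider.
    if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.Provider.Provider }
    return 'Legacy CSP (CryptoAPI)'
}

function Test-VpnCertificate {
    param(
        [string]$StorePath,          # 'Cert:\CurrentUser\My' or 'Cert:\LocalMachine\My'
        [string]$ExpectedTemplate,   # template display name, e.g. 'VPN Users'
        [string[]]$RequiredEku,      # EKU OIDs that must all be present
        [string]$ExpectedDnsName     # SAN DNS entry required on the VPN server certificate (optional)
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $template = Get-CertificateTemplateName -Certificate $cert
        if (-not $template -or $template -notlike "*$ExpectedTemplate*") { continue }

        $ekuOids = @()
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        $sanText = ''
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) { $sanText = $sanExt.Format($false) }   # e.g. "DNS Name=vpn.yourdomain.com"

        [pscustomobject]@{
            Subject       = $cert.Subject
            Template      = $template
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            KeyProvider   = Get-PrivateKeyProvider -Certificate $cert
            PresentEku    = $ekuOids
            MissingEku    = @($RequiredEku | Where-Object { $ekuOids -notcontains $_ })
            SanOk         = (-not $ExpectedDnsName) -or ($sanText -like "*DNS Name=$ExpectedDnsName*")
        }
    }
}

# On a client, logged on as the test user:
Test-VpnCertificate -StorePath 'Cert:\CurrentUser\My' -ExpectedTemplate 'VPN Users' `
    -RequiredEku $EkuClientAuth | Format-List

# On the VPN server (elevated); vpn.yourdomain.com is the article's placeholder external name:
Test-VpnCertificate -StorePath 'Cert:\LocalMachine\My' -ExpectedTemplate 'VPN Servers' `
    -RequiredEku $EkuServerAuth, $EkuIkeIntermed -ExpectedDnsName 'vpn.yourdomain.com' | Format-List
```

An empty MissingEku and SanOk of True are what you want to see; a KeyProvider other than Microsoft Platform Crypto Provider on a user certificate means the key was generated in software rather than in the TPM, which is the situation a client without a TPM (such as a virtual machine without a virtual TPM) ends up in when the template also allows the Software Key Storage Provider.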

The VPN Server certificate issued to the Always On server

This wraps up the initial Active Directory and Group Policy work required for an Always On VPN setup. We also finished the entire internal certificate authority configuration. In our next post, we will configure the NPS rules and the Remote Access setup.

19 Comments
  1. Ray 2 years ago

    Great article, keen to see the final articles!

    As an FYI, I was following this to the letter in my test environment but could not get the user certificate deployed. Permissions and the certificate were correctly set up.

    Turns out the "Microsoft Platform Crypto Provider" requires a TPM chip, as I was using a VM for the client machine (which obviously has no TPM hardware) I would see the error message "Can not find a valid CSP in the local machine" when trying to manually enroll the certificate.

    Solution is to also tick "Microsoft Software Key Storage Provider" and have it second in order after "Microsoft Platform Crypto Provider".

    MS Article for reference here

    • LukeNie 1 year ago

      Hyper-V gen2 VM supports v-TPM.


    • TJD 1 year ago

      Thanks for the article. Following on from Ray's comments above, I thought I'd copy and paste the exact event log I get (if you turn on auto-enrolment debugging) so that it can be indexed by search engines, to make it easier for future people to find with the same error (I spent a while Googling this with no results!):

      Certificate enrollment for domain\user for the VPN-User template could not find specified CSPs on the local machine. Enrollment will not be performed.

      Anyone with this error look at Ray's solution above- it'll help!

      Thanks


      • Joseph Moody (Author) 1 year ago

        Does the CA have the read permission to the certificate template?


  2. Joseph Moody (Author) 2 years ago

    Good tip!! Thank you for sharing that!


  3. Jason W 9 months ago

    Love the articles, thanks!

    I am having an issue where, when I duplicate the user template and attempt to change the Cryptography type, the provider category is greyed out and my only option is "Legacy Cryptographic Service Provider". This doesn't allow me to make the provider change either. I went back and checked my steps to no avail.

    (Configured as RootCA server during these steps)

    Server 2016 server

    2016 DFL and FFL

    Domain joined server used for the user template tasks

    Any thoughts?


  4. dc 7 months ago

    Do not click Apply or OK at any time prior to step 10. If you click these buttons before entering ALL parameters, many choices become fixed and no longer editable. For example, on the Cryptography tab, if Legacy Cryptographic Storage Provider shows in the Provider Category field, it becomes disabled, preventing any further change. The only alternative is to delete the template and recreate it.

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-server-infrastructure


  5. Matt Waddell 7 months ago

    Just as a side note, I've had an issue with issuing certificates to users who don't have any value in the Email AD field. To get around this I've unticked Include e-mail name in subject name and E-mail name; after restarting the certificate service, certificates issue as expected.

    I hope this helps somebody!

    Thanks


  6. seb 7 months ago

    With all setup done to the dot I get error on client & VPN event log shows:

    and NPS (separate server) shows error:

  7. Greg 4 months ago

    Are there any changes needed to be made in the CA templates to use SSTP? Or can I use the certificate that is made here?


  8. Harris 3 months ago

    How do I renew a VPN Server Authentication Cert, as it's expired?

    On checking the VPN servers local Cert, I have noticed the VPN.xxxx.org has expired, however I am unsure of the steps to renew this.


    • Joseph Moody (Author) 3 months ago

      If you open certlm.msc, are you able to right click on that cert and renew or pull a new cert from your CA?


  9. Franics 3 months ago

    Hi Guys

    I'm working on deploying Always On VPN; our current CA sits on Windows Server 2008 R2. Would this be possible for certificate enrollment, or do we need to migrate the CA to 2012 R2? Please advise.

    Thanks


    • Joseph Moody (Author) 3 months ago

      A 2008R2 CA is fine - just make sure to set the cert strength to a higher value than the default one chosen. With 2008R2 approaching end of support, it might not be a bad time to upgrade though.


      • Franics 3 months ago

        Thanks for your response.

        Just to confirm: under Cryptography, what will be the best Cryptographic Provider option on 2008 R2 for the user certificate, since "Microsoft Platform Crypto Provider" is unavailable on 2008 R2?


  10. Niall C 3 months ago

    At the VPN User Certificate section: 

    Should you change the 'Request Hash' of the New Template to SHA256 (for example), seeing as the default SHA1 is compromised nowadays?


© 4sysops 2006 - 2019