- SmartDeploy: Rethinking software deployment to remote workers in times of a pandemic - Thu, Jul 30 2020
- Outlook attachments now blocked in Office 365 - Tue, Nov 19 2019
- PolicyPak MDM Edition: Group Policy and more for BYOD - Tue, Oct 29 2019
The server components of the Always On VPN technology consist of three sections: Certificate Services, Network Policy Server (NPS), and Remote Access. If you do not have a certificate authority, Network Policy Server, and/or a remote access server in your environment, use the generic setup link in the server configuration section. We will only get to the certificate authority setup in this part.
This guide assumes you already have these three services deployed in your environment and you just need to modify the Always On VPN Remote access technology. This guide has also undergone testing against Windows Server 2012 R2 and Windows Server 2016.
Always On VPN Active Directory preparation
Create three new security groups in Active Directory named something like:
- NPS Servers
- VPN Servers
- VPN Users
Store these groups in a protected organizational unit (OU) or container. The default Users container works well for this. The first two groups should contain all of your NPS servers and VPN servers respectively. If you only have one of each, still add them to the group. We'll tie our configurations to groups, and configuring failover will be much easier for you later.
The third group (VPN Users) will control which users can establish a remote connection. This group, along with some later settings, will override the dial-in properties tab you can set individually on user accounts. Add a test user or your account to the VPN Users group now. Be sure to log off and log back in for that security group change to apply.
Group Policy for Always On VPN
In the Group Policy Management Console (GPMC), create and link a new Group Policy Object (GPO) to the root of your domain. Name this GPO Certificate Enrollment and do not change the security scope from Authenticated Users. Edit the GPO and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. Right-click on Certificate Services Client – Auto-Enrollment and select Properties. Change Configuration Model to Enabled and check the next two boxes. Click OK.
Repeat these same steps under User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. Close the GPMC after finishing. Restart any client computer and log into it. Run gpresult /h Report.htm and open the resulting Report.htm file. Ensure you see the computer and user configurations you made.
Configuring Certificate Services for Remote Access
Active Directory Certificate Services (AD CS) provides the authentication mechanism for your Always On VPN setup. It issues users or devices a certificate, and they do not have to enter an identity or password to connect to your network. If you haven't deployed AD CS in your environment already, begin with this guide, and then come back for the remaining Remote Access steps.
We will be creating three certificates in this section. Remote into your certificate authority (CA) and open the Certification Authority MMC. Expand your Certification Authority name. Then right-click on Certificate Templates and click Manage. The Certificate Templates console will open.
VPN user certificate
Right-click on the User template and select Duplicate Template. Select the General tab and name the certificate VPN Users. Uncheck Publish Certificate in Active Directory.
On the Security tab, add the VPN Users group you created earlier, and give it the Enroll and Autoenroll permissions. Remove Domain Users from the security tab.
On the Compatibility tab, change the first drop-down box to Windows Server 2012 R2. Change the second drop-down box to Windows 8.1 / Windows Server 2012 R2.
On the Request Handling tab, uncheck Allow private key to be exported.
On the Cryptography tab, change the Provider Category to Key Storage Provider. Click Requests must use one of the following providers, and place a check next to Microsoft Platform Crypto Provider.
Click OK and close the Certificate Templates console. Close the Certification Authority console as well. Restart the Active Directory Certificate Services service.
Reopen the Certification Authority console. Right-click on Certificate Templates and select New – Certificate Template to Issue. Choose VPN Users and click OK.
Earlier, you should have added a test user or your account to the VPN Users security group. Run a gpupdate as that user. Open certmgr.msc to view the certificates issued to that user (Current User). Expand Personal\Certificates. You should now see a user certificate containing the full name of the user generated from the VPN User Certificate Template. If you do not see it, restart once.
NPS and VPN server certificates
Open the Certification Authority console on your CA again. Right-click on Certificate Templates and select Manage to open the Certificate Templates console. Right click on the RAS and IAS Server template and select Duplicate Template.
On the General tab, change the template Display name to NPS Servers.
On the Security tab, add the NPS Servers security group you created earlier and give this group the Enroll and Autoenroll permissions. Remove the RAS and IAS Servers group from the permissions list.
On the Compatibility tab, change the first drop-down box to Windows Server 2012 R2. Change the second drop-down box to Windows 8.1 / Windows Server 2012 R2. Click OK. Ensure your NPS server(s) is a member of the security group you created earlier.
Before we issue the NPS Servers certificate, we will also create the VPN Server certificate. In the Certificate Templates console, right-click on the RAS and IAS Server template again. Select Duplicate Template.
On the General tab, change the template display name to VPN Servers.
On the Extensions tab, select Application Policies and click Edit. Click Add and select IP Security IKE intermediate. Click OK.
On the Security tab, add the VPN Servers security group you created earlier. Only give this group the Enroll permission. Do not give this group any other permissions. Remove the RAS and IAS Servers group from the Security tab.
On the Subject Name tab, select the supply in the request option and click OK to the warning message. Your VPN server may use a different certificate subject name than the fully qualified domain name (FQDN) of the machine. This is why we can't let the VPN server autoenroll itself.
On the Compatibility tab, change the first drop-down box to Windows Server 2012 R2. Change the second drop-down box to Windows 8.1 / Windows Server 2012 R2. Click OK and close the Certification Templates console. Close the Certification Authority console as well. Restart the Active Directory Certificate Services service.
Open the Certification Authority console. Right-click on Certificate Templates and select New – Certificate Template to Issue. Select your NPS Servers certificate. Do the same thing for your VPN Servers certificate.
Enrolling the NPS and VPN server certificates
Restart the server in the NPS Servers security group. Launch certlm.msc on the NPS Server, and check the Personal certificate store for the NPS Server certificate you issued.
Restart the VPN server once. On the VPN server, you will need to enroll the certificate manually. Launch certlm.msc. Under Personal, right-click on Certificates and select Request new Certificate.
Click Next until you see the Request Certificates page, and then check the VPN Servers certificate box. Click the More information is required link to enter the certificate Subject name. Set the Type to Common Name and enter the external DNS name clients would use to connect to your VPN server. For example, you could use vpn.yourdomain.com.
Below the Subject name, set the Alternative Name type to DNS and enter the Subject value. Finish the Request New Certificate wizard. You should now see the certificate listed in the Personal certificate store. The intended purpose of the certificate should list the IP security Internet Key Exchange (IKE), and the Certificate template should match your VPN Servers template name.
Subscribe to 4sysops newsletter!
This wraps up the initial Active Directory and Group Policy work required for an Always On VPN setup. We also finished the entire internal certificate authority configuration. In our next post, we will configure the NPS rules and the Remote Access setup.
Want to write for 4sysops? We are looking for new authors.
Great article, keen to see the final articles!
As an FYI, was following this to the letter in my test environment but could not get the user certificate deployed. Permissions and certificate was correctly setup.
Turns out the “Microsoft Platform Crypto Provider” requires a TPM chip, as I was using a VM for the client machine (which obviously has no TPM hardware) I would see the error message “Can not find a valid CSP in the local machine” when trying to manually enroll the certificate.
Solution is to also tick “Microsoft Software Key Storage Provider” and have it second in order after “Microsoft Platform Crypto Provider”
MS Article for reference here
Hyper-V gen2 VM supports v-TPM.
Thanks for the article- following on from Ray’s comments above, thought i’d copy and paste the exact event log I get (if you turn on auto enrolment debugging) so that it can be indexed by search engines to make it easier for future people to find with the same error (I spent a while Googling this with no results!)
Certificate enrollment for domain\user for the VPN-User template could not find specified CSPs on the local machine. Enrollment will not be performed.
Anyone with this error look at Ray’s solution above- it’ll help!
Does the CA have the read permission to the certificate template?
Good tip!! Thank you for sharing that!
Love the articles, thanks!
I am having an issue where when I duplicate the user template and attempt to change the Cryptography type, the provider category is greyed out and my only option is “legacy Cryptographic Service Provider. This doesn’t allow me to make the provider change either. I went back and checked my steps to no avail.
(Configured as RootCA server during these steps)
Server 2016 server
2016 DFL and FFL
Domain joined server used for the user template tasks
Do not click Apply or OK at any time prior to step 10. If you click these buttons before entering ALL parameters, many choices become fixed and no longer editable. For example, on the Cryptography tab, if Legacy Cryptographic Storage Provider shows in the Provider Category field, it becomes disabled, preventing any further change. The only alternative is to delete the template and recreate it.
Very good tip! Thank you for posting that!
Just as a side note, I’ve had an issue with issuing certificates to users who don’t have any value in the Email AD field. To get around this I’ve unticked Include e-mail name in subject name and E-mail name after restarting the certificate service certificates issue as expected.
I hope this helps somebody!
It does! Thank you Matt!
With all setup done to the dot I get error on client & VPN event log shows:
and NPS (separate server) shows error:
Are there any changes needed to be made in the CA templates to use SSTP? or can i use the certficate that is made here?
You can use the same cert.
How do I renew a VPN Server Authentication Cert, as its expired.. ?
On checking the VPN servers local Cert, I have noticed the VPN.xxxx.org has expired, however I am unsure of the steps to renew this.
If you open certlm.msc, are you able to right click on that cert and renew or pull a new cert from your CA?
I'm working on deploying Always on VPN , our current CA sits on windows sever 2008 r2 . Would this be possible for certificate enrollment or do we need to migrate CA to 2012 R2 . please advise
A 2008R2 CA is fine – just make to set the cert strength to a higher value than the default one chosen. With 2008R2 approaching end of support, it might not be a bad time to upgrade though.
Thanks for your responds .
Just to confirm Under Cryptographic what will be the best Cryptographic Providers option on 2008 r2 for Users certificate since "Microsoft Platform Crypto Provid"e is unavailable on 2008R2?
At the VPN User Certificate section:
Should you change the 'Request Hash' of the New Template to SHA256 (for example), seeing as the default SHA1 is compromised nowadays?
What should I use as Alternative name (DNS) for the VPN server?
So when your machine is connected I side the network, it dies not try to do VPN connection
Following up on the "no valid CSP Provider" problem, i may add that the problem (for me) was that TPM was disabled in BIOS thus the required CSP was not available. Enable TPM in BIOS if disabled and/or available.
Is the VPN/RRAS server a member server on the AD domain or is it stand alone?
Hello, I have a same issue as Rob. What does apply as a VPN server? The appliance that the clients are connecting to outside the organization? In my case I have a network router, however how do I apply that to Active directory security group? Should I just request certificate from the router using the VPN template?