- SSO to domain resources from Azure AD Joined Devices Overview
- Configure Active Directory and Certificates
- Configure the VPN Server (RRAS)
- Configure the Network Policy Server (NPS)
- Configure the Network Device Enrollment Service (NDES)
- Install Azure AD Application Proxy to publish the Device Enrollment Service (NDES)
- Configure Certificate Templates in Intune
- Create a Simple Certificate Enrollment Protocol (SCEP) Profile in Intune
- Creating the Always On VPN Profile in Intune
A great resource for anything VPN related is Richard Hicks' blog, which can be found at https://directaccess.richardhicks.com/
I must also extend a warm thank you to Richard for helping with security hardening guidance on aspects of this post
Introduction
Welcome to Part 2 of this 9 Part blog series. In Part 1 we did a fairly comprehensive overview of SSO to domain resources from Azure AD joined devices. The initial intent of this series was to help you set up a simple VPN solution. In Part 2 we return to that focus and look at the Active Directory and Certificate requirements for a VPN solution that lets internet connected devices reach the workplace network
There is an assumption that you already have an Active Directory and Domain integrated PKI infrastructure (ADCS) in place in order to carry out the configurations covered in this post
Solution Overview
Below are the fundamental components we will use to setup a simple, Microsoft VPN solution.
1 . Domain Controller – Microsoft Active Directory Domain Services (AD DS)
The Domain Controller is required to authenticate users and services
2 . Certificate Authority – Microsoft Active Directory Certificate Services (AD CS)
The Certificate Authority is required to issue certificates to users/devices and other VPN components like NDES/NPS and the VPN Server
3 . Microsoft Network Policy Server (NPS)
The Network Policy Server is required to authenticate requests from RADIUS clients (the VPN Server is the RADIUS client in this solution)
4 . VPN Gateway – Microsoft Routing and Remote Access Server (RRAS)
The VPN Gateway will terminate VPN connections for client devices
5 . Microsoft Network Device Enrollment Service (NDES)
The Network Device Enrollment Service is required to request certificates from the CA on behalf of users and devices, using SCEP
6 . Microsoft Azure AD Application Proxy Connector
The Azure AD Application Proxy is required to publish the NDES Server URL to the internet securely; the connector makes only outbound connections, so the NDES server does not need an inbound firewall rule
Microsoft Active Directory Domain Services (AD DS)
The Domain Controller is required to authenticate users and services. If your intention is to connect back to your corporate network to access resources, from an Azure AD Joined device, we can assume that you are running a Hybrid identity and synchronizing user identities to Azure AD.
A Hybrid identity means having a common user identity for authentication and authorization both on-premises, with Active Directory and in the cloud – with Azure AD.
The Active Directory requirement is quite minimal. You will need:-
- At least one Domain Name System (DNS) server
- Minimum of Windows Server 2012 R2 Domain Controller (a KDS Root Key is required before a gMSA can be created)
- Minimum of Windows Server 2012 Active Directory Schema (required to create a gMSA)
- Security Groups
- Group Managed Service Account (gMSA)
Security Groups
Whether assigning permissions or certificates to users or devices, it is normally a good idea to use Groups for assignment. You will need to create the following AD Security Groups
- AOVPN-Servers
- AOVPN-Users
- NDES-Servers
- NPS-Servers
Use this PowerShell snippet to do it quickly. The Groups will be created in the default "Users" container unless you pass -Path with the distinguished name of an OU
# Requires the ActiveDirectory RSAT module
$Groups = @("AOVPN-Servers","AOVPN-Users","NDES-Servers","NPS-Servers")
foreach ($Group in $Groups) {
    # Global security group; add -Path "OU=...,DC=..." to place it in a specific OU
    New-ADGroup -GroupScope Global -GroupCategory Security -Name $Group
}
Service Account
We need to create a service account for NDES and the Intune Certificate Connector. It will be granted permission on the CA both to request certificates and to revoke them
1 . On the Domain Controller, open Active Directory Users and Computers
2 . Right click an appropriate OU and select New > User
3 . Enter the following information and then click Next
- First Name: NDES
- Last Name: Service Account
- User logon name: ndes_svc_acc
Choose an account name that doesn't appear in this blog series; an account name published in a public post is one less thing an attacker has to guess
4 . Configure a long, randomly generated password, tick Password never expires and click Next
5 . Click Finish
This account will only be used by the Intune Certificate Connector for certificate requests and revocation, so it is a good idea to limit which computers the account can log on to
6 . Open the newly created user account and click the Account tab
7 . Click Log On To and select The following computers
8 . In the Computer name box, type the name of the Enterprise CA and click Add, then type the name of the NDES server and click Add. Click OK
9 . Press OK to finish configuring the account
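The same account can be created from PowerShell, which also makes it easy to generate a password nobody ever types. The following is an added example and not code from the original post. It assumes the ActiveDirectory RSAT module is installed, and uses placeholder names for the target OU (OU=Service Accounts), the CA host (CA01) and the NDES host (NDES01); substitute your own, and pick an account name other than the one shown in this series.

```powershell
# Added example (not from the original post): create the NDES / Intune Certificate
# Connector service account with the same restrictions as the GUI steps above.
Import-Module ActiveDirectory

$SamAccountName = 'ndes_svc_acc'                      # placeholder: choose your own name
$TargetOU       = 'OU=Service Accounts,' + (Get-ADDomain).DistinguishedName   # assumption
$UpnSuffix      = (Get-ADDomain).DNSRoot
$AllowedHosts   = 'CA01,NDES01'                       # placeholders: Enterprise CA and NDES server (NetBIOS names)

# 32 random bytes from the OS CSPRNG, base64 encoded: the connector is the only
# consumer of this password, so it never needs to be memorable.
$Bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
$PlainPassword = [Convert]::ToBase64String($Bytes)
$Password = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

New-ADUser -Name 'NDES Service Account' `
    -GivenName 'NDES' -Surname 'Service Account' `
    -SamAccountName $SamAccountName `
    -UserPrincipalName "$SamAccountName@$UpnSuffix" `
    -Path $TargetOU `
    -AccountPassword $Password `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Enabled $true

# Equivalent of Account tab > Log On To > The following computers
Set-ADUser -Identity $SamAccountName -LogonWorkstations $AllowedHosts

# The account never needs to be delegated, so mark it sensitive and block delegation
Set-ADUser -Identity $SamAccountName -AccountNotDelegated $true

# Verify the restrictions actually landed on the object
Get-ADUser -Identity $SamAccountName `
    -Properties LogonWorkstations,PasswordNeverExpires,AccountNotDelegated |
    Select-Object SamAccountName,LogonWorkstations,PasswordNeverExpires,AccountNotDelegated
```

Record $PlainPassword in your password vault before closing the session, because the Intune Certificate Connector setup will ask for it; the AccountNotDelegated setting goes beyond the GUI steps above and is an added hardening choice, not something the connector requires.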
Microsoft Active Directory Certificate Services (AD CS)
The Certificate Authority is required to issue certificates to VPN users and to infrastructure components like NDES, NPS and the VPN Server. Let's look at that in more detail
For the solution we will need to create four Certificate Templates
- VPN Server
- NDES Server
- NPS Server
- User
Device
In this series, we won't be configuring the device tunnel for AOVPN. Typically, for Azure AD Joined devices, we should only need ad hoc access to those business applications/services that we haven't been able to port to the cloud. Authentication is handled by the Cloud Authentication Provider (Cloud AP), so we don't need an established tunnel to our DCs before the user logs on. Kerberos authentication to those legacy on-premises resources happens at the time of resource access. There may be use cases for a device tunnel, but they won't be covered in this series.
Create the VPN Server Certificate Template
We will cover the VPN Server configuration later in this series. Before we do that, we need to prepare the Certificate Template.
We will be using the IKEv2 protocol for our VPN solution and the certificate template configuration will reflect that. A good overview of the different protocols available for a VPN connection can be found on Richard Hicks' blog.
Do not click OK or Apply in the template creation wizard until instructed. If you do, some properties will become un-editable and you may have to start the template creation process over again
1 . On the server hosting ADCS, open the Certificate Authority console certsrv
2 . Navigate to and right click Certificate Templates and select Manage
3 . Locate the RAS and IAS Server template and select Duplicate Template
4 . Select the General tab and change the Template display name value to VPN Server Authentication. The Template name value will automatically change to VPNServerAuthentication
5 . Select the Security tab and highlight RAS and IAS Servers group. Click Remove. We don’t require other servers in this Active Directory group to enroll this certificate
6 . Click Add to add the group AOVPN-Servers. With the group AOVPN-Servers highlighted, tick both Enroll and autoenroll in the Allow column
Clients will reach this server from the Internet. We will enroll this certificate manually because the public Subject Name on the VPN Server (the name clients connect to) will differ from the server's internal DNS name. Ticking Autoenroll still lets the server renew the certificate automatically, as long as Use subject information from existing certificates for autoenrollment renewal requests is also ticked on the Subject Name tab, so the renewed certificate keeps the public name
For auto update of the VPN Server certificate to work, you will also need to create a GPO to allow auto enrollment of certificates for the VPN Servers. An example of how to configure auto enrollment can be found below:-
https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment
7 . Select the Compatibility tab and make the following changes:-
- Certification Authority = Windows Server 2016
- Certificate recipient = Windows 10 / Windows Server 2016
Click OK on the “Resulting Change” pop-up dialog boxes
8 . Select the Extensions tab and highlight Application Policies
RRAS uses the IP security IKE intermediate EKU to pick the IKEv2 server certificate when more than one certificate in the computer store carries the Server Authentication EKU, so we add that application policy here.
- Click Edit
- Click Add
- Select the Application Policy IP security IKE intermediate
- Click OK
It is also very important to remove Client Authentication from the Application Policies, so that a VPN server certificate can never be presented as a client credential. Select Client Authentication, click Remove and click OK
9 . Verify the IP security IKE intermediate Application Policy is added and Client Authentication has been removed
10 . Select the Subject Name tab. Select Supply in the request and tick Use subject information from existing certificates for autoenrollment renewal requests
11 . Click Apply and/or OK to save the VPN Server Authentication template
12 . Close the Certificate Templates console
13 . Navigate to and select Certificate Templates, select New > Certificate Template to Issue
14 . Select the VPN Server Authentication template and click OK
15 . Verify the VPN Server Authentication template is listed as available to be issued
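Because this template uses Supply in the request, the first certificate has to be requested by hand with the public name. The following is an added example, not code from the original post, showing that manual enrollment from PowerShell on the RRAS host and a check that the issued certificate matches what the template edits above intend. It assumes you run it elevated on a member of AOVPN-Servers after the template is published, and vpn.example.com is a placeholder for your public VPN FQDN.

```powershell
# Added example (not from the original post): manually enroll the VPN Server
# Authentication certificate with the public name, then verify its EKUs and SAN.
$PublicName = 'vpn.example.com'   # placeholder: the name in the client VPN profile

# Supply in the request: we set the subject and SAN ourselves because the public
# name differs from the server's Active Directory DNS name. -Url ldap: uses the
# domain's enrollment policy, so no CA URL has to be typed.
$Result = Get-Certificate -Template 'VPNServerAuthentication' `
    -SubjectName "CN=$PublicName" `
    -DnsName $PublicName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Url 'ldap:'

if ($Result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($Result.Status)"
}
$Cert = $Result.Certificate

# OIDs we expect (and the one we expect to be absent) after editing Application Policies
$ServerAuth = '1.3.6.1.5.5.7.3.1'
$IkeInt     = '1.3.6.1.5.5.8.2.2'
$ClientAuth = '1.3.6.1.5.5.7.3.2'

$EkuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Extended Key Usage
$Ekus   = @(foreach ($oid in $EkuExt.EnhancedKeyUsages) { $oid.Value })

$Checks = [ordered]@{
    'Subject is the public name'           = $Cert.Subject -eq "CN=$PublicName"
    'SAN contains the public name'         = $Cert.DnsNameList.Unicode -contains $PublicName
    'Server Authentication present'        = $Ekus -contains $ServerAuth
    'IP security IKE intermediate present' = $Ekus -contains $IkeInt
    'Client Authentication absent'         = $Ekus -notcontains $ClientAuth
    'Private key is present'               = $Cert.HasPrivateKey
}
$Checks.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
if (@($Checks.Values) -contains $false) { throw 'Issued certificate does not match the template intent' }
```

If "Client Authentication absent" comes back False, the template was saved before the Application Policies edit took effect; fix the template and re-enroll rather than keeping a VPN server certificate that can also act as a client credential.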
Create the NDES Server Certificate Template
We will cover the NDES Server configuration later in this series. Before we do that, we need to prepare the Certificate Template
Do not click OK or Apply in the template creation wizard until instructed. If you do, some properties will become un-editable and you may have to start the template creation process over again
1 . On the server hosting ADCS, open the Certificate Authority console certsrv
2 . Navigate to and right click Certificate Templates and select Manage
3 . Locate the Web Server template and select Duplicate Template
4 . Select the General tab and change the Template display name value to NDES Server Authentication. The Template name value will automatically change to NDESServerAuthentication
5 . Select the Security tab and add the group NDES-Servers. Tick Read, Enroll and Autoenroll permissions
For auto update of the NDES Server certificate to work, you will also need to create a GPO to allow auto enrollment of certificates for the NDES Servers. An example of how to configure auto enrollment can be found below:-
https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment
6 . Select the Compatibility tab and make the following changes:-
- Certification Authority = Windows Server 2016
- Certificate recipient = Windows 10 / Windows Server 2016
Click OK on the “Resulting Change” pop-up dialog boxes
7 . On the Subject Name tab, ensure Build from this Active Directory information is selected. Select Common Name from the Subject name format drop down list and tick DNS Name
Because we are using Azure AD App Proxy to publish the MSCEP URL, the DNS name will be automatically translated for us so there is no need to add an external DNS name
8 . On the Extensions tab, select Application Policies and click Edit
9 . Click Add, select Client Authentication and click OK twice
10 . Click Apply and/or OK to save the NDES Server Authentication template
11 . Close the Certificate Templates console
12 . Navigate to and select Certificate Templates, select New > Certificate Template to Issue
13 . Select the NDES Server Authentication template and click OK
14 . Verify the NDES Server Authentication template is listed as available to be issued
Create the NPS Server Certificate Template
We will cover the NPS Server configuration later in this series. Before we do that, we need to prepare the Certificate Template
Do not click OK or Apply in the template creation wizard until instructed. If you do, some properties will become un-editable and you may have to start the template creation process over again
1 . On the server hosting ADCS, open the Certificate Authority console certsrv
2 . Navigate to and right click Certificate Templates and select Manage
3 . Locate the RAS and IAS Server template and select Duplicate Template
4 . Select the General tab and change the Template display name value to NPS Server Authentication. The Template name value will automatically change to NPSServerAuthentication
5 . Select the Security tab and highlight RAS and IAS Servers group. Click Remove. We don’t require other servers in this Active Directory group to enroll this certificate
6 . Click Add to add the group NPS-Servers. With the group NPS-Servers highlighted, tick both Enroll and Autoenroll in the Allow column
For auto update of the NPS Server certificate to work, you will also need to create a GPO to allow auto enrollment of certificates for the NPS Servers. An example of how to configure auto enrollment can be found below:-
https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment
7 . Select the Compatibility tab and make the following changes:-
- Certification Authority = Windows Server 2016
- Certificate recipient = Windows 10 / Windows Server 2016
Click OK on the “Resulting Change” pop-up dialog boxes
8 . Click Apply and/or OK to save the NPS Server Authentication template
9 . Close the Certificate Templates console
10 . Navigate to and select Certificate Templates, select New > Certificate Template to Issue
11 . Select the NPS Server Authentication template and click OK
12 . Verify the NPS Server Authentication template is listed as available to be issued
Create the VPN User Certificate Template
We will cover the User/SCEP configuration later in this series. Before we do that, we need to prepare the Certificate Template
Do not click OK or Apply in the template creation wizard until instructed. If you do, some properties will become un-editable and you may have to start the template creation process over again
1 . On the server hosting ADCS, open the Certificate Authority console certsrv
2 . Navigate to and right click Certificate Templates and select Manage
3 . Locate the User template and select Duplicate Template
4 . Select the General tab and change the Template display name value to VPN User Authentication. The Template name value will automatically change to VPNUserAuthentication
5 . Untick Publish certificate in Active Directory
If you do not untick Publish certificate in Active Directory, every certificate enrolled through the NDES service account will be added to the userCertificate attribute of that account's object in Active Directory. Enrolling many certificates with one account makes that object grow without bound, which leads to replication and performance issues over time
6 . Select the Security tab and highlight the Domain Users group. Click Remove. We don’t require all Domain Users to enroll this certificate
7 . Click Add to add the service account ndes_svc_acc. With the service account ndes_svc_acc highlighted, tick both Read and Enroll in the Allow column
8 . Select the Compatibility tab and make the following changes:-
- Certification Authority = Windows Server 2016
- Certificate recipient = Windows 10 / Windows Server 2016
Click OK on the “Resulting Change” pop-up dialog boxes
9 . Select the Request Handling tab and Untick Allow private key to be exported
10 . Select the Cryptography tab and under Provider Category, select Key Storage Provider
11 . While still on the Cryptography tab, select Requests must use one of the following providers and tick Microsoft Platform Crypto Provider. Also ensure Request hash is set to SHA256
If your devices do not have a TPM, also tick Microsoft Software Key Storage Provider. If you do this, ensure that Microsoft Platform Crypto Provider appears first in the list so the TPM is used whenever one is present; a software-backed key is only protected by the operating system, unlike a TPM-backed key.
12 . Select the Subject Name tab. Select Supply in the request
Configuring Supply in the request would normally be considered insecure, because the requester chooses the subject. Here the subject is validated by the Intune policy module for NDES against the enrollment Intune issued, and only the NDES service account created earlier has permission to enroll with this template, so no other principal can submit a request for an arbitrary subject. Keep that enrollment ACL tight: if a broad group ever gains Enroll on a template that combines Supply in the request with the Client Authentication EKU, any member could request a logon certificate for any user
13 . Click Apply and/or OK to save the VPN User Authentication template
14 . Close the Certificate Templates console
15 . Navigate to and select Certificate Templates, select New > Certificate Template to Issue
16 . Select the VPN User Authentication template and click OK
17 . Verify the VPN User Authentication template is listed as available to be issued
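The settings that matter for security on these four templates (which EKUs they carry, whether the requester supplies the subject, and who can enroll) are all stored in the Configuration partition, so they can be audited without clicking through every tab again. The following is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module and the template names used above, and flags the one combination this post warns about: subject supplied in the request, Client Authentication EKU, and enrollment open to a broad group.

```powershell
# Added example (not from the original post): audit the four templates created in
# this post straight from CN=Certificate Templates in the Configuration partition.
Import-Module ActiveDirectory

$Templates  = 'VPNServerAuthentication','NDESServerAuthentication',
              'NPSServerAuthentication','VPNUserAuthentication'
$ConfigNC   = (Get-ADRootDSE).configurationNamingContext
$SearchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

$EkuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.5.8.2.2'      = 'IP security IKE intermediate'
    '1.3.6.1.5.5.7.3.4'      = 'Secure Email'
    '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
}
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right
$BroadPrincipals = 'Domain Users','Domain Computers','Authenticated Users','Everyone'
$SuppliesSubject = 0x1   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

function Get-TemplateAudit {
    param([string]$Name)
    $t = Get-ADObject -SearchBase $SearchBase -Filter "name -eq '$Name'" `
        -Properties pKIExtendedKeyUsage,'msPKI-Certificate-Name-Flag',nTSecurityDescriptor
    if (-not $t) { throw "Template $Name not found" }

    $ekus   = @($t.pKIExtendedKeyUsage | ForEach-Object { if ($EkuNames[$_]) { $EkuNames[$_] } else { $_ } })
    $supply = ($t.'msPKI-Certificate-Name-Flag' -band $SuppliesSubject) -ne 0

    # Principals that can enroll: explicit Enroll/AutoEnroll (or all) extended rights, plus
    # anyone holding rights that imply them (GenericAll) or could grant them (WriteDacl/WriteOwner)
    $enrollers = foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights   = $ace.ActiveDirectoryRights
        $explicit = (($rights -band $ADR::ExtendedRight) -ne 0) -and
                    ($ace.ObjectType -in $EnrollRight,$AutoEnrollRight,[guid]::Empty)
        $implied  = ($rights -band ($ADR::GenericAll -bor $ADR::WriteDacl -bor $ADR::WriteOwner)) -ne 0
        if ($explicit -or $implied) { $ace.IdentityReference.Value }
    }
    $enrollers = @($enrollers | Sort-Object -Unique)
    $broad = @($enrollers | Where-Object { $id = $_; $BroadPrincipals | Where-Object { $id -like "*\$_" } })

    [pscustomobject]@{
        Template        = $Name
        EKUs            = $ekus -join ', '
        SuppliesSubject = $supply
        Enrollers       = $enrollers -join '; '
        # Requester-chosen subject + Client Authentication + broad Enroll lets any member
        # mint a logon certificate for any account; on this page only the NDES service
        # account may enroll the user template, which is what keeps that flag acceptable
        Risky           = $supply -and ($ekus -contains 'Client Authentication') -and ($broad.Count -gt 0)
    }
}

$Templates | ForEach-Object { Get-TemplateAudit -Name $_ } | Format-Table -AutoSize
```

Expected output for the templates as built above: VPNServerAuthentication shows Server Authentication and IP security IKE intermediate with SuppliesSubject True and only AOVPN-Servers as enroller; VPNUserAuthentication shows SuppliesSubject True with only the NDES service account as enroller; every row shows Risky False. Enterprise Admins and Domain Admins will appear as enrollers through their default Full Control on templates, which is expected.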
Summary
In this post we identified the components required for our simple VPN solution. We looked at the prerequisites for Active Directory Domain Services and Active Directory Certificate Services and configured the required Certificate Templates. As we continue to build the solution in Part 3, we will be focusing on the configuration of the VPN Server.
With Windows Hello for Business (key-based deployment) you can gain the same with the Kerberos proxy service and, at the same time, get rid of passwords