MSEndpointMgr

SSO to domain resources from Azure AD Joined Devices – The MEGA Series – Part 2 – Configure Active Directory and Certificates

  1. SSO to domain resources from Azure AD Joined Devices Overview
  2. Configure Active Directory and Certificates
  3. Configure the VPN Server (RRAS)
  4. Configure the Network Policy Server (NPS)
  5. Set up a Device Enrollment Service (NDES)
  6. Install Azure AD Application Proxy to publish the Device Enrollment Service (NDES)
  7. Configure Certificate Templates in Intune
  8. Create a Simple Certificate Enrollment Protocol (SCEP) Profile in Intune
  9. Creating the Always On VPN Profile in Intune

A great resource for anything VPN related is Richard Hicks blog which can be found at https://directaccess.richardhicks.com/

I must also extend a warm thank you to Richard for helping with security hardening guidance on aspects of this post

Introduction

Welcome to Part 2 of this 9 part blog series. In Part 1 we gave a fairly comprehensive overview of SSO to domain resources from Azure AD joined devices. The intent of this series is to help you set up a simple VPN solution, so in Part 2 we narrow the focus to the Active Directory and certificate requirements for a VPN solution that provides workplace connectivity from internet connected devices.

There is an assumption that you already have an Active Directory and Domain integrated PKI infrastructure (ADCS) in place in order to carry out the configurations covered in this post

Solution Overview

Below are the fundamental components we will use to set up a simple, Microsoft VPN solution.

Solution Overview

1 . Domain Controller – Microsoft Active Directory Domain Services (AD DS)
The Domain Controller is required to authenticate users and services

2 . Certificate Authority – Microsoft Active Directory Certificate Services (AD CS)
The Certificate Authority is required to issue certificates to users/devices and other VPN components like NDES/NPS and the VPN Server

3 . Microsoft Network Policy Server (NPS)
The Network Policy Server is required to authenticate requests from RADIUS clients (the VPN Server in this solution)

4 . VPN Gateway – Microsoft Routing and Remote Access Server (RRAS)
The VPN Gateway will terminate VPN connections for client devices

5 . Microsoft Network Device Enrollment Service (NDES)
The Network Device Enrollment Server is required to request certificates on behalf of users

6 . Microsoft Azure AD Application Proxy Connector
The Azure AD Application Proxy is required to publish the NDES Server URL to the internet – securely

Microsoft Active Directory Domain Services (AD DS)

The Domain Controller is required to authenticate users and services. If your intention is to connect back to your corporate network to access resources, from an Azure AD Joined device, we can assume that you are running a Hybrid identity and synchronizing user identities to Azure AD.

A Hybrid identity means having a common user identity for authentication and authorization both on-premises, with Active Directory and in the cloud – with Azure AD.

The Active Directory requirement is quite minimal. You will need:-

  • At least one Domain Name System (DNS) server
  • At least one Windows Server 2012 or later Domain Controller (the Key Distribution Service and a KDS Root Key are required for a gMSA)
  • Minimum of Windows Server 2012 Active Directory Schema (the msDS-GroupManagedServiceAccount object class is needed to create a gMSA)
  • Security Groups
  • Group Managed Service Account (gMSA)

Security Groups

Whether assigning permissions or certificates to users or devices, it is normally a good idea to use groups for assignment. You will need to create the following AD security groups:

  1. AOVPN-Servers
  2. AOVPN-Users
  3. NDES-Servers
  4. NPS-Servers

Use this PowerShell snippet to do it quickly. The groups will be created in the domain's “Users” container by default; add -Path if you want them in a specific OU

Import-Module ActiveDirectory

# Global security groups. New-ADGroup defaults to -GroupCategory Security, but it is
# stated explicitly so a distribution group is never created by mistake
$Groups = @("AOVPN-Servers","AOVPN-Users","NDES-Servers","NPS-Servers")
Foreach ($Group in $Groups){
    New-ADGroup -GroupScope "Global" -GroupCategory "Security" -Name $Group
}
AD Groups

Group Managed Service Account (gMSA)

My good friend, and fellow MSEndpointMgr geek, Michael @michaelm blogged on the benefits of using a gMSA for NDES. You can find that blog below

Securing SCEP/NDES for Intune with gMSA – MSEndpointMgr

The main security benefit of using a gMSA for NDES is that the password is long, random and rotated automatically by Windows, so no administrator ever knows it and it cannot go stale in a service configuration. We will discuss NDES in more detail later in the blog series. For now, we just need to create the gMSA

KDS Root Key

In order to create a gMSA, a KDS Root Key must already exist in the domain. Verify you have one by running the Get-KDSRootKey cmdlet

Get-KDSRootKey
Root Key Present

If the Root Key is missing, you will get the following error when trying to create a gMSA

Root key Missing

If you have not already created a KDS Root Key, read the following article before running the command

https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key

Using Add-KdsRootKey -EffectiveImmediately will add a root key to the target DC which will be used by the KDS service immediately. However, other domain controllers will not be able to use the root key until replication is successful.

Run the following command to add a KDS Root Key immediately

Add-KdsRootKey -EffectiveImmediately
Add-KdsRootKey

Verify event 4004 was generated in the KdsSvc event log to indicate the operation was successful

Event 4004

Create the gMSA

The account used to create a gMSA must be a member of Domain Admins or Account Operators, or otherwise have the ability to create msDS-GroupManagedServiceAccount objects

Use this PowerShell snippet to do it quickly. The gMSA will be created in the “Managed Service Accounts” container by default

Import-Module ActiveDirectory

$DomainName = (Get-CimInstance Win32_ComputerSystem).Domain
$Name = "gMSA_ndes"
# Only members of this group can retrieve the managed password, so keep it to the NDES server(s)
$AllowedPrincipals = "NDES-Servers"
$DNSHostName = "$($Name).$($DomainName)"
# Password rotation interval in days (30 is the default)
$PasswordInterval = 30
New-ADServiceAccount -Name $Name -DNSHostName $DNSHostName -ManagedPasswordIntervalInDays $PasswordInterval -PrincipalsAllowedToRetrieveManagedPassword $AllowedPrincipals -Enabled $true

Verify the gMSA_ndes account was created and that only NDES-Servers is allowed to retrieve its password

Get-ADServiceAccount -Identity gMSA_ndes -Properties PrincipalsAllowedToRetrieveManagedPassword
Managed Service Accounts container
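The following script is an added example, not part of the original post, that checks the gMSA prerequisites described above end to end: that a KDS Root Key exists and has replicated far enough to be effective, that the NDES computer is in the group allowed to retrieve the password, and that the gMSA is scoped to that group only. It assumes the names used in this post (NDES-Servers, gMSA_ndes) and a hypothetical NDES server named NDES01; the AES restriction at the end is a hardening addition of this example and is not part of the original command.

```powershell
# Added example (not from the original post): verify the gMSA prerequisites.
# Assumes group NDES-Servers, gMSA gMSA_ndes and a hypothetical NDES host NDES01.
Import-Module ActiveDirectory

$NdesHost  = "NDES01"        # hypothetical NDES server name
$GmsaName  = "gMSA_ndes"
$GroupName = "NDES-Servers"

# 1. KDS root key. A key whose EffectiveTime is still in the future cannot yet be used
#    by domain controllers that have not replicated it, so report that explicitly.
$RootKeys = Get-KdsRootKey
if (-not $RootKeys) {
    throw "No KDS root key found. Run Add-KdsRootKey before creating a gMSA."
}
foreach ($Key in $RootKeys) {
    $State = if ($Key.EffectiveTime -le (Get-Date)) { "effective" } else { "pending (effective $($Key.EffectiveTime))" }
    Write-Host "KDS root key $($Key.KeyId): $State"
}

# 2. The NDES computer must be a member of the group that may retrieve the managed
#    password, otherwise the NDES application pool cannot start under the gMSA.
$Computer = Get-ADComputer -Identity $NdesHost
$Members  = Get-ADGroupMember -Identity $GroupName -Recursive | Select-Object -ExpandProperty distinguishedName
if ($Members -notcontains $Computer.DistinguishedName) {
    Write-Warning "$NdesHost is not a member of $GroupName. Add it and reboot the server so its Kerberos token includes the group."
}

# 3. Confirm the gMSA exists and that only the intended group can read its password.
$Gmsa    = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays, KerberosEncryptionType
$Allowed = @($Gmsa.PrincipalsAllowedToRetrieveManagedPassword)
$Group   = Get-ADGroup -Identity $GroupName
Write-Host "gMSA $GmsaName : password interval $($Gmsa.ManagedPasswordIntervalInDays) days, allowed principals: $($Allowed -join ', ')"
if ($Allowed.Count -ne 1 -or $Allowed[0] -ne $Group.DistinguishedName) {
    Write-Warning "PrincipalsAllowedToRetrieveManagedPassword should contain only $GroupName."
}

# 4. Hardening (an addition of this example): restrict the account to AES so its
#    service tickets cannot be negotiated down to RC4.
if (-not ("$($Gmsa.KerberosEncryptionType)" -match "AES")) {
    Set-ADServiceAccount -Identity $GmsaName -KerberosEncryptionType AES128,AES256
}

# 5. On the NDES server itself (run there, with the RSAT AD PowerShell module installed):
#    Install-ADServiceAccount -Identity gMSA_ndes
#    Test-ADServiceAccount -Identity gMSA_ndes    # expected: True once the group membership is in the host's token
```

Run steps 1 to 4 on a domain-joined management host with the AD module; step 5 is left as comments because it must run on the NDES server, and Test-ADServiceAccount returning False after the account was installed almost always means the server was not rebooted after being added to NDES-Servers.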

Microsoft Active Directory Certificate Services (AD CS)

The Certificate Authority is required to issue certificates to VPN users and other infrastructure components like NDES/NPS and the VPN Server. Let's look at that in more detail

For the solution we will need to create three Certificate Templates:

  1. VPN Server
  2. NPS Server
  3. User

In this series, we won't be configuring the device tunnel for AOVPN, so no device certificate template is needed. Typically, for Azure AD Joined devices, we should only need ad hoc access to those business applications/services that we haven't been able to port to the cloud. Authentication is handled by the Cloud Authentication Provider (Cloud AP), so we don't need an established tunnel to our DCs before the user logs on. Kerberos auth to those legacy on-premises resources happens at the time of resource access. There may be use cases for a device tunnel, but they won't be covered in this series.

Create the VPN Server Certificate Template

We will cover the VPN Server configuration later in this series. Before we do that, we need to prepare the Certificate Template.

We will be using the IKEv2 protocol for our VPN solution and the certificate template configuration will reflect that. A good overview of the different protocols available for a VPN connection can be found on Richard Hicks' blog.

https://directaccess.richardhicks.com/2018/01/22/always-on-vpn-protocol-recommendations-for-windows-server-routing-and-remote-access-service-rras

Do not click OK or Apply in the template creation wizard until instructed. If you do, some properties will become un-editable and you may have to start the template creation process over again

1 . On the server hosting ADCS, open the Certificate Authority console certsrv

certsrv.msc

2 . Navigate to and right click Certificate Templates and select Manage

Select Manage

3 . Locate the RAS and IAS Server template and select Duplicate Template

Duplicate Template

4 . Select the General tab and change the Template display name value to VPN Server Authentication. The Template name value will automatically change to VPNServerAuthentication

Template Name

5 . Select the Security tab and highlight RAS and IAS Servers group. Click Remove. We don’t require other servers in this Active Directory group to enroll this certificate

Remove existing group

6 . Click Add to add the group AOVPN-Servers. With the group AOVPN-Servers highlighted, tick both Enroll and autoenroll in the Allow column

Tick Enroll and Autenroll

Clients will access this server from the Internet. We will manually enroll this certificate because the publicly accessible Subject Name we will use on the VPN Server will be different from the VPN Server's internal DNS name, and autoenrollment would otherwise build the subject from Active Directory. We can still tick Autoenroll so the server renews the certificate automatically, as long as we also tick Use subject information from existing certificates for autoenrollment renewal requests on the Subject Name tab; renewals then keep the public name from the original certificate.

For auto renewal of the VPN Server certificate to work, you will also need a GPO that enables certificate autoenrollment on the VPN Servers. An example of how to configure auto enrollment can be found below:-

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment

7 . Select the Compatibility tab and make the following changes:-

  • Certification Authority = Windows Server 2016
  • Certificate recipient = Windows 10 / Windows Server 2016

Click OK on the “Resulting Change” pop-up dialog boxes

8 . Select the Extensions tab and highlight Application Policies

Extensions tab

RRAS needs to pick the right certificate when more than one certificate with the Server Authentication EKU is installed on the server. Adding the IP security IKE intermediate application policy gives IKEv2 an unambiguous way to select the VPN certificate.

  • Click Edit
  • Click Add
  • Select the Application Policy IP security IKE intermediate
  • Click OK
Add Application Policy

It is also very important to remove Client Authentication from the Application Policy. The VPN server certificate only needs to prove the server's identity; if it also carried the Client Authentication EKU, the same certificate (or a stolen copy of it) could be presented as a client credential, for example to NPS. Select Client Authentication, click Remove, and click OK

Remove Client Authentication

9 . Verify the IP security IKE intermediate Application Policy is added and Client Authentication has been removed

Verify Application Policy

10 . Select the Subject Name tab. Select Supply in the request and tick Use subject information from existing certificates for autoenrollment renewal requests

Subject Name

11 . Click Apply and/or OK to save the VPN Server Authentication template

Template Created

12 . Close the Certificate Templates console

13 . Navigate to and select Certificate Templates, select New > Certificate Template to Issue

New Template to Issue

14 . Select the VPN Server Authentication template and click OK

Select Template to Issue

15 . Verify the VPN Server Authentication template is listed as available to be issued

Template Available
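Step 6 above notes that the VPN Server certificate is enrolled manually because its subject is the public name rather than the server's AD name. The following is an added example of that manual enrollment, not part of the original post: it writes a certreq INF that supplies the public name as both Subject and DNS SAN, submits the request against the VPNServerAuthentication template, installs the issued certificate and checks its EKUs against what the template should produce. The public name vpn.contoso.com, the working folder and the CA config string "CA01.corp.contoso.com\Contoso Issuing CA" are hypothetical; the legacy CSP matches the template's default Cryptography settings, which this post did not change for the VPN Server template.

```powershell
# Added example (not from the original post): manual enrollment of the VPN server
# certificate with a public subject name. Run on the VPN server as an administrator.
$PublicName = "vpn.contoso.com"                                # hypothetical public VPN name
$CAConfig   = "CA01.corp.contoso.com\Contoso Issuing CA"       # hypothetical CA config string
$Template   = "VPNServerAuthentication"                        # template name, not display name
$Work       = "C:\Temp\vpncert"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Subject and SAN both carry the public name: IKEv2 clients validate the server
# certificate against the name configured in the VPN profile, so it must be the public one.
$Inf = @"
[NewRequest]
Subject = "CN=$PublicName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$PublicName&"

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path "$Work\vpn.inf" -Value $Inf -Encoding ASCII

# Generate the request, submit it to the CA and install the issued certificate
# into the computer's Personal store (the key pair stays in the machine key set).
certreq -new    "$Work\vpn.inf" "$Work\vpn.req"
certreq -submit -config $CAConfig "$Work\vpn.req" "$Work\vpn.cer"
certreq -accept "$Work\vpn.cer"

# Confirm the issued certificate carries the EKUs the template defines: Server Authentication
# and IP security IKE intermediate, and no Client Authentication.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$PublicName" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$Ekus = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
Write-Host "Issued: $($Cert.Thumbprint), EKUs: $($Ekus -join ', ')"
if ($Ekus -notcontains "1.3.6.1.5.5.7.3.1") { Write-Warning "Server Authentication EKU is missing." }
if ($Ekus -notcontains "1.3.6.1.5.5.8.2.2") { Write-Warning "IP security IKE intermediate EKU is missing; re-check the template." }
if ($Ekus -contains    "1.3.6.1.5.5.7.3.2") { Write-Warning "Client Authentication EKU is present; re-check the template." }
```

Because the template was set to Supply in the request, the CA accepts whatever subject the INF provides, which is exactly why enrollment on that template was restricted to the AOVPN-Servers group in step 6. If the CA requires manager approval, certreq -submit returns a pending request ID and the -accept step is run after the certificate is issued with certreq -retrieve.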

Create the NPS Server Certificate Template

We will cover the NPS Server configuration later in this series. Before we do that, we need to prepare the Certificate Template

Do not click OK or Apply in the template creation wizard until instructed. If you do, some properties will become un-editable and you may have to start the template creation process over again

1 . On the server hosting ADCS, open the Certificate Authority console certsrv

certsrv.msc

2 . Navigate to and right click Certificate Templates and select Manage

Select Manage

3 . Locate the RAS and IAS Server template and select Duplicate Template

Duplicate Template

4 . Select the General tab and change the Template display name value to NPS Server Authentication. The Template name value will automatically change to NPSServerAuthentication

Template Name

5 . Select the Security tab and highlight RAS and IAS Servers group. Click Remove. We don’t require other servers in this Active Directory group to enroll this certificate.

Remove existing group

6 . Click Add to add the group NPS-Servers. With the group NPS-Servers highlighted, tick both Enroll and Autoenroll in the Allow column

Tick Enroll and Autoenroll

For auto update of the NPS Server certificate to work, you will also need to create a GPO to allow auto enrollment of certificates for the NPS Servers. An example of how to configure auto enrollment can be found below:-

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment

7 . Select the Compatibility tab and make the following changes:-

  • Certification Authority = Windows Server 2016
  • Certificate recipient = Windows 10 / Windows Server 2016

Click OK on the “Resulting Change” pop-up dialog boxes

8 . Click Apply and/or OK to save the NPS Server Authentication template

9 . Close the Certificate Templates console

10 . Navigate to and select Certificate Templates, select New > Certificate Template to Issue

New Template to Issue

11 . Select the NPS Server Authentication template and click OK

Select Template to Issue

12 . Verify the NPS Server Authentication template is listed as available to be issued

Template Available

Create the VPN User Certificate Template

We will cover the User/SCEP configuration later in this series. Before we do that, we need to prepare the Certificate Template

Do not click OK or Apply in the template creation wizard until instructed. If you do, some properties will become un-editable and you may have to start the template creation process over again

1 . On the server hosting ADCS, open the Certificate Authority console certsrv

certsrv.msc

2 . Navigate to and right click Certificate Templates and select Manage

Select Manage

3 . Locate the User template and select Duplicate Template

Duplicate Template

4 . Select the General tab and change the Template display name value to VPN User Authentication. The Template name value will automatically change to VPNUserAuthentication

Template Name

5 . Untick Publish certificate in Active Directory

Untick Publish certificate in Active Directory

If you do not untick the option to Publish certificate in Active Directory, every certificate enrolled by the gMSA_ndes service account will be added to the userCertificate attribute on the gMSA_ndes object in Active Directory. If you enroll lots of certificates with this service account, that attribute keeps growing and can lead to replication and performance issues over time

6 . Select the Security tab and highlight the Domain Users group. Click Remove. We don’t require all Domain Users to enroll this certificate

Remove Existing Group

7 . Click Add to add the service account gMSA_ndes. With the service account gMSA_ndes highlighted, tick both Read and Enroll in the Allow column

Tick Read and Enroll

8 . Select the Compatibility tab and make the following changes:-

  • Certification Authority = Windows Server 2016
  • Certificate recipient = Windows 10 / Windows Server 2016

Click OK on the “Resulting Change” pop-up dialog boxes

Compatibility Settings

9 . Select the Request Handling tab and Untick Allow private key to be exported

Request Handling

10 . Select the Cryptography tab and under Provider Category, select Key Storage Provider

Cryptography

11 . While still on the Cryptography tab, select Requests must use one of the following providers and tick Microsoft Platform Crypto Provider. Also ensure Request hash is set to SHA256

Cryptography

If your devices do not have a TPM, also tick Microsoft Software Key Storage Provider. If you do this, ensure that Microsoft Platform Crypto Provider appears first in the list.

12 . Select the Subject Name tab. Select Supply in the request

Subject Name

Configuring Supply in the request would normally be considered insecure, because the requester, not Active Directory, chooses the subject of the certificate. Here that risk is contained in two ways: the Intune Certificate Connector policy module on NDES validates every SCEP request against the challenge Intune issued for that user and device, and only the gMSA_ndes service account has permission to enroll a certificate using this template. Keep the Enroll permission that tightly scoped; granting it to a broad group would let any member request a certificate for any user

13 . Click Apply and/or OK to save the VPN User Authentication template

14 . Close the Certificate Templates console

15 . Navigate to and select Certificate Templates, select New > Certificate Template to Issue

New Template to Issue

16 . Select the VPN User Authentication template and click OK

Select Template to Issue

17 . Verify the VPN User Authentication template is listed as available to be issued

Template Available
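With all three templates created, the following script is an added example, not part of the original post, that audits them directly from the template objects in the Configuration partition rather than by clicking through the console. It reads the EKUs, the Supply in the request flag, the private key export flag, the Publish to AD flag and the explicit Enroll/Autoenroll ACEs, and warns on the conditions the steps above were meant to prevent, in particular a Supply in the request template that anyone other than the expected principals can enroll. The flag values and extended-right GUIDs are the documented MS-CRTD and AD values; the template and group names are the ones chosen in this post, and the allow list of expected enrollers is an assumption you should adjust to your own environment.

```powershell
# Added example (not from the original post): audit the three templates created above.
Import-Module ActiveDirectory

$OID = @{ ServerAuth = "1.3.6.1.5.5.7.3.1"; ClientAuth = "1.3.6.1.5.5.7.3.2"; IkeIntermediate = "1.3.6.1.5.5.8.2.2" }
$EnrollRight     = [Guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"   # Certificate-Enrollment extended right
$AutoEnrollRight = [Guid]"a05b8cc2-17bc-4802-a710-e7c15ab866a2"   # Certificate-AutoEnrollment extended right
$ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag (MS-CRTD)
$EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag (MS-CRTD)
$PUBLISH_TO_DS             = 0x8    # flags (MS-CRTD)

# Expected enrollers per this post; Domain/Enterprise Admins keep Enroll on duplicated templates by default
$AllowedEnrollers = 'gMSA_ndes$', 'AOVPN-Servers', 'NPS-Servers', 'Domain Admins', 'Enterprise Admins'

$ConfigNC     = (Get-ADRootDSE).configurationNamingContext
$TemplateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

function Get-TemplateReport {
    param([string]$Name)
    $T = Get-ADObject -SearchBase $TemplateBase -Filter "cn -eq '$Name'" `
            -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag', flags
    if (-not $T) { throw "Template $Name not found" }

    # Explicit Enroll/Autoenroll ACEs only. GenericAll or WriteDacl on the template would
    # also grant enrollment indirectly and should be reviewed separately.
    $Acl = Get-Acl -Path "AD:\$($T.DistinguishedName)"
    $Enrollers = $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq $AutoEnrollRight -or $_.ObjectType -eq [Guid]::Empty)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Template        = $Name
        EKUs            = @($T.pKIExtendedKeyUsage)
        SuppliesSubject = [bool]($T.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT)
        ExportableKey   = [bool]($T.'msPKI-Private-Key-Flag' -band $EXPORTABLE_KEY)
        PublishToDS     = [bool]($T.flags -band $PUBLISH_TO_DS)
        Enrollers       = @($Enrollers)
    }
}

$Reports = 'VPNServerAuthentication', 'NPSServerAuthentication', 'VPNUserAuthentication' |
           ForEach-Object { Get-TemplateReport -Name $_ }
$Reports | Format-List

# Checks that correspond to the steps in this post
$Vpn  = $Reports | Where-Object { $_.Template -eq 'VPNServerAuthentication' }
$User = $Reports | Where-Object { $_.Template -eq 'VPNUserAuthentication' }

if ($Vpn.EKUs -contains    $OID.ClientAuth)      { Write-Warning "VPN server template still carries Client Authentication" }
if ($Vpn.EKUs -notcontains $OID.IkeIntermediate) { Write-Warning "VPN server template lacks IP security IKE intermediate" }
if ($Vpn.EKUs -notcontains $OID.ServerAuth)      { Write-Warning "VPN server template lacks Server Authentication" }
if ($User.ExportableKey)                         { Write-Warning "VPN user template allows private key export" }
if ($User.PublishToDS)                           { Write-Warning "VPN user template publishes to AD (userCertificate growth on gMSA_ndes)" }
if (-not $User.SuppliesSubject)                  { Write-Warning "VPN user template is not set to Supply in the request; NDES/Intune enrollment will fail" }

# Supply in the request is only acceptable when enrollment is tightly scoped: any
# unexpected enroller could request a certificate with a subject of their choosing.
foreach ($R in ($Reports | Where-Object { $_.SuppliesSubject })) {
    $Unexpected = $R.Enrollers | Where-Object { $_.Split('\')[-1] -notin $AllowedEnrollers }
    if ($Unexpected) { Write-Warning "$($R.Template) supplies subject in request and is enrollable by: $($Unexpected -join ', ')" }
}
```

Run it from a domain-joined host with the AD PowerShell module; it needs only read access to the Configuration partition. Re-running it after any template change is a cheap way to catch a Client Authentication EKU that crept back in, or an Enroll permission granted to Domain Users on a Supply in the request template.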

Summary

In this post we identified the components required for our simple VPN solution. We looked at the prerequisites for Active Directory Domain Services and Active Directory Certificate Services and configured the required Certificate Templates. As we continue to build the solution in Part 3, we will be focusing on the configuration of the VPN Server.


Ben Whitmore

Microsoft MVP - Enterprise Mobility, Microsoft Certified Trainer and Microsoft 365 Certified: Enterprise Administrator Expert. Community driven and passionate Senior Cloud Consultant at CloudWay with 20 years experience in driving adoption and technology change within the Enterprise.

1 comment

  • With Windows Hello for Business (key-based deployment) you can gain the same with the Kerberos proxy service, and at the same time, get rid of passwords
