MSEndpointMgr

SSO to domain resources from Azure AD Joined Devices – The MEGA Series – Part 2 – Configure Active Directory and Certificates

  1. SSO to domain resources from Azure AD Joined Devices Overview
  2. Configure Active Directory and Certificates
  3. Configure the VPN Server (RRAS)
  4. Configure the Network Policy Server (NPS)
  5. Configure the Network Device Enrollment Service (NDES)
  6. Install Azure AD Application Proxy to publish the Device Enrollment Service (NDES)
  7. Configure Certificate Templates in Intune
  8. Create a Simple Certificate Enrollment Protocol (SCEP) Profile in Intune
  9. Creating the Always On VPN Profile in Intune

A great resource for anything VPN related is Richard Hicks blog which can be found at https://directaccess.richardhicks.com/

I must also extend a warm thank you to Richard for helping with security hardening guidance on aspects of this post

Introduction

Welcome to Part 2 of this 9-part blog series. In Part 1 we gave a fairly comprehensive overview of SSO to domain resources from Azure AD joined devices. The initial intent of this series was to help you set up a simple VPN solution. In Part 2 we will re-zero that focus and look at the Active Directory and Certificate requirements for a VPN solution that facilitates a workplace connection from internet-connected devices.

There is an assumption that you already have an Active Directory and a domain-integrated PKI infrastructure (AD CS) in place in order to carry out the configurations covered in this post.

Solution Overview

Below are the fundamental components we will use to setup a simple, Microsoft VPN solution.

Solution Overview

1 . Domain Controller – Microsoft Active Directory Domain Services (AD DS)
The Domain Controller is required to authenticate users and services

2 . Certificate Authority – Microsoft Active Directory Certificate Services (AD CS)
The Certificate Authority is required to issue certificates to users/devices and other VPN components like NDES/NPS and the VPN Server

3 . Microsoft Network Policy Server (NPS)
The Network Policy Server is required to authenticate requests from Radius clients

4 . VPN Gateway – Microsoft Routing and Remote Access Server (RRAS)
The VPN Gateway will terminate VPN connections for client devices

5 . Microsoft Network Device Enrollment Service (NDES)
The Network Device Enrollment Server is required to request certificates on behalf of users

6 . Microsoft Azure AD Application Proxy Connector
The Azure AD Application Proxy is required to publish the NDES Server URL to the internet – securely

Microsoft Active Directory Domain Services (AD DS)

The Domain Controller is required to authenticate users and services. If your intention is to connect back to your corporate network from an Azure AD Joined device to access resources, we can assume that you are running a Hybrid identity and synchronizing user identities to Azure AD.

A Hybrid identity means having a common user identity for authentication and authorization both on-premises, with Active Directory and in the cloud – with Azure AD.

The Active Directory requirement is quite minimal. You will need:-

  • At least one Domain Name System (DNS) server
  • Minimum of Windows Server 2012 R2 (KDS Root Key Required for gMSA)
  • Minimum of Windows Server 2008 R2 Active Directory Schema (to create a gMSA)
  • Security Groups
  • Group Managed Service Account (gMSA)

Security Groups

Whether assigning permissions or certificates to users or devices, it is normally a good idea to use groups for assignment. You will need to create the following AD Security Groups:

  1. AOVPN-Servers
  2. AOVPN-Users
  3. NDES-Servers
  4. NPS-Servers

Use this PowerShell snippet to do it quickly. The groups will be created in the default “Users” location unless you specify a path.

# Create the four Global security groups used throughout this series
Import-Module ActiveDirectory
$Groups = @("AOVPN-Servers","AOVPN-Users","NDES-Servers","NPS-Servers")
Foreach ($Group in $Groups){
    New-ADGroup -GroupScope "Global" -Name $Group
}

AD Groups

Service Account

We need to create a service account for NDES and the Certificate Connector which will have permissions to both request and revoke certificates from the CA.

1 . On the Domain Controller, open Active Directory Users and Computers

2 . Right click an appropriate OU and select New > User

New User

3 . Enter the following information and then click Next

  • First Name: NDES
  • Last Name: Service Account
  • User logon name: ndes_svc_acc

Choose an account name that doesn’t appear in this blog series, for security reasons.

Create Account

4 . Configure a strong password, tick Password never expires and click Next

Configure Password

5 . Click Finish

This account will only be used for the Intune Certificate Connector and certificate revocation, so it’s a good idea to limit which computers the account can log on to.

6 . Open the newly created user account and click the Account tab

Account tab

7 . Click Log On To and select The following computers

Log On To

8 . In the Computer name box, type the name of the Enterprise CA and then the name of the NDES server, clicking Add after each, and then click OK

Add computers

9 . Press OK to finish configuring the account
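The same account creation and logon restriction can be scripted. The snippet below is an added example and is not code from the original post; ndes_svc_acc is the name the post uses, while the OU, UPN suffix and the CA/NDES computer names are placeholders you must replace with your own values.

```powershell
# Added example (not from the original post): create the NDES service account and
# restrict the computers it may log on to, matching steps 3-9 above.
Import-Module ActiveDirectory

$SamAccountName = 'ndes_svc_acc'
$TargetOU       = 'OU=Service Accounts,DC=contoso,DC=com'   # placeholder OU
$UpnSuffix      = 'contoso.com'                             # placeholder UPN suffix
# NetBIOS names of the Enterprise CA and the NDES server (placeholders), comma separated
$AllowedHosts   = 'CA01,NDES01'

# Prompt for the password so it never sits in the script or in shell history
$Password = Read-Host -Prompt "Password for $SamAccountName" -AsSecureString

New-ADUser -Name 'NDES Service Account' `
    -GivenName 'NDES' -Surname 'Service Account' `
    -SamAccountName $SamAccountName `
    -UserPrincipalName "$SamAccountName@$UpnSuffix" `
    -Path $TargetOU `
    -AccountPassword $Password `
    -PasswordNeverExpires $true `
    -LogonWorkstations $AllowedHosts `
    -Enabled $true

# Confirm the "Log On To" restriction and password settings took effect
Get-ADUser $SamAccountName -Properties LogonWorkstations, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, LogonWorkstations
```

The LogonWorkstations value is what the Account tab's "Log On To" dialog writes; the final Get-ADUser call shows it so you can verify that only the CA and the NDES server are listed.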

Microsoft Active Directory Certificate Services (AD CS)

The Certificate Authority is required to issue certificates to VPN users and other infrastructure components like NDES/NPS and the VPN Server. Let’s look at that in more detail.

For the solution we will need to create the following Certificate Templates (the NDES Server template is also created in this post):

  1. VPN Server
  2. NDES Server
  3. NPS Server
  4. User
  5. Device

In this series, we won’t be configuring the device tunnel for AOVPN. Typically, for Azure AD Joined devices, we should only need ad hoc access to those business applications/services that we haven’t been able to port to the cloud. Authentication is handled by the Cloud Authentication Provider (Cloud AP), so we don’t need an established tunnel to our DCs before the user logs on. Kerberos auth to those legacy on-premises resources happens at the time of resource access. There may be use cases for a device tunnel, but they won’t be covered in this series.

Create the VPN Server Certificate Template

We will cover the VPN Server configuration later in this series. Before we do that, we need to prepare the Certificate Template.

We will be using the IKEv2 protocol for our VPN solution and the certificate template configuration will reflect that. A good overview of the different protocols available for a VPN connection can be found on Richard Hicks’ blog.

https://directaccess.richardhicks.com/2018/01/22/always-on-vpn-protocol-recommendations-for-windows-server-routing-and-remote-access-service-rras

Do not click OK or Apply in the template creation wizard until instructed. If you do, some properties will become un-editable and you may have to start the template creation process over again.

1 . On the server hosting ADCS, open the Certificate Authority console certsrv

certsrv.msc

2 . Navigate to and right click Certificate Templates and select Manage

Select Manage

3 . Locate the RAS and IAS Server template and select Duplicate Template

Duplicate Template

4 . Select the General tab and change the Template display name value to VPN Server Authentication. The Template name value will automatically change to VPNServerAuthentication

Template Name

5 . Select the Security tab and highlight the RAS and IAS Servers group. Click Remove. We don’t require other servers in this Active Directory group to enroll this certificate.

Remove existing group

6 . Click Add to add the group AOVPN-Servers. With the group AOVPN-Servers highlighted, tick both Enroll and autoenroll in the Allow column

Tick Enroll and Autoenroll

Clients will access this server from the Internet. We will manually enroll this certificate because the publicly accessible Subject Name we will use on the VPN Server will be different to the VPN Server’s DNS name. We can still tick Autoenroll to allow the server to update the certificate automatically, as long as we also have Use subject information from existing certificates for autoenrollment renewal requests ticked on the Subject Name tab.

For auto update of the VPN Server certificate to work, you will also need to create a GPO to allow auto enrollment of certificates for the VPN Servers. An example of how to configure auto enrollment can be found below:-

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment

7 . Select the Compatibility tab and make the following changes:-

  • Certification Authority = Windows Server 2016
  • Certificate recipient = Windows 10 / Windows Server 2016

Click OK on the “Resulting Change” pop-up dialog boxes

8 . Select the Extensions tab and highlight Application Policies

Extensions tab

In order to allow the server to filter other certificates with the Server Authentication EKU correctly, we need to add the IP Security IKE intermediate application policy.

  • Click Edit
  • Click Add
  • Select the Application Policy IP security IKE intermediate
  • Click OK

Add Application Policy

It is also very important to remove Client Authentication from the Application Policies to prevent the certificate from being used maliciously for client authentication. Select Client Authentication, click Remove and click OK.

Remove Client Authentication

9 . Verify the IP security IKE intermediate Application Policy is added and Client Authentication has been removed

Verify Application Policy

10 . Select the Subject Name tab. Select Supply in the request and tick Use subject information from existing certificates for autoenrollment renewal requests

Subject Name

11 . Click Apply and/or OK to save the VPN Server Authentication template

Template Created

12 . Close the Certificate Templates console

13 . Navigate to and select Certificate Templates, select New > Certificate Template to Issue

New Template to Issue

14 . Select the VPN Server Authentication template and click OK

Select Template to Issue

15 . Verify the VPN Server Authentication template is listed as available to be issued

Template Available

Create the NDES Server Certificate Template

We will cover the NDES Server configuration later in this series. Before we do that, we need to prepare the Certificate Template

Do not click OK or Apply in the template creation wizard until instructed. If you do, some properties will become un-editable and you may have to start the template creation process over again.

1 . On the server hosting ADCS, open the Certificate Authority console certsrv

certsrv.msc

2 . Navigate to and right click Certificate Templates and select Manage

Select Manage

3 . Locate the Web Server template and select Duplicate Template

Duplicate Template

4 . Select the General tab and change the Template display name value to NDES Server Authentication. The Template name value will automatically change to NDESServerAuthentication

Template Name

5 . Select the Security tab and add the group NDES-Servers. Tick Read, Enroll and Autoenroll permissions

Template Security

For auto update of the NDES Server certificate to work, you will also need to create a GPO to allow auto enrollment of certificates for the NDES Servers. An example of how to configure auto enrollment can be found below:-

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment

6 . Select the Compatibility tab and make the following changes:-

  • Certification Authority = Windows Server 2016
  • Certificate recipient = Windows 10 / Windows Server 2016

Click OK on the “Resulting Change” pop-up dialog boxes

Template Compatibility

7 . On the Subject Name tab, ensure Build from this Active Directory information is selected. Select Common Name from the Subject name format drop down list and tick DNS Name

Template Subject Name

Because we are using Azure AD App Proxy to publish the MSCEP URL, the DNS name will be automatically translated for us, so there is no need to add an external DNS name.

8 . On the Extensions tab, select Application Policies and click Edit

Application Policies

9 . Click Add, select Client Authentication and click OK twice

Add Client Authentication

10 . Click Apply and/or OK to save the NDES Server Authentication template

11 . Close the Certificate Templates console

12 . Navigate to and select Certificate Templates, select New > Certificate Template to Issue

New Template to Issue

13 . Select the NDES Server Authentication template and click OK

Select Template to issue

14 . Verify the NDES Server Authentication template is listed as available to be issued

Template ready for issue

Create the NPS Server Certificate Template

We will cover the NPS Server configuration later in this series. Before we do that, we need to prepare the Certificate Template

Do not click OK or Apply in the template creation wizard until instructed. If you do, some properties will become un-editable and you may have to start the template creation process over again.

1 . On the server hosting ADCS, open the Certificate Authority console certsrv

certsrv.msc

2 . Navigate to and right click Certificate Templates and select Manage

Select Manage

3 . Locate the RAS and IAS Server template and select Duplicate Template

Duplicate Template

4 . Select the General tab and change the Template display name value to NPS Server Authentication. The Template name value will automatically change to NPSServerAuthentication

Template Name

5 . Select the Security tab and highlight the RAS and IAS Servers group. Click Remove. We don’t require other servers in this Active Directory group to enroll this certificate.

Remove existing group

6 . Click Add to add the group NPS-Servers. With the group NPS-Servers highlighted, tick both Enroll and Autoenroll in the Allow column

Tick Enroll and Autoenroll

For auto update of the NPS Server certificate to work, you will also need to create a GPO to allow auto enrollment of certificates for the NPS Servers. An example of how to configure auto enrollment can be found below:-

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment

7 . Select the Compatibility tab and make the following changes:-

  • Certification Authority = Windows Server 2016
  • Certificate recipient = Windows 10 / Windows Server 2016

Click OK on the “Resulting Change” pop-up dialog boxes

Template Compatibility

8 . Click Apply and/or OK to save the NPS Server Authentication template

9 . Close the Certificate Templates console

10 . Navigate to and select Certificate Templates, select New > Certificate Template to Issue

New Template to Issue

11 . Select the NPS Server Authentication template and click OK

Select Template to Issue

12 . Verify the NPS Server Authentication template is listed as available to be issued

Template Available

Create the VPN User Certificate Template

We will cover the User/SCEP configuration later in this series. Before we do that, we need to prepare the Certificate Template

Do not click OK or Apply in the template creation wizard until instructed. If you do, some properties will become un-editable and you may have to start the template creation process over again.

1 . On the server hosting ADCS, open the Certificate Authority console certsrv

certsrv.msc

2 . Navigate to and right click Certificate Templates and select Manage

Select Manage

3 . Locate the User template and select Duplicate Template

Duplicate Template

4 . Select the General tab and change the Template display name value to VPN User Authentication. The Template name value will automatically change to VPNUserAuthentication

Template Name

5 . Untick Publish certificate in Active Directory

Untick Publish certificate in Active Directory

If you do not untick the option to Publish certificate in Active Directory, then all certificates enrolled by the gMSA_ndes service account will be added to the userCertificate attribute on the gMSA_ndes object in Active Directory. If you enroll lots of certificates with this service account, that could lead to performance issues over time.

6 . Select the Security tab and highlight the Domain Users group. Click Remove. We don’t require all Domain Users to enroll this certificate.

Remove Existing Group

7 . Click Add to add the service account ndes_svc_acc. With the service account ndes_svc_acc highlighted, tick both Read and Enroll in the Allow column

Read and Enroll

8 . Select the Compatibility tab and make the following changes:-

  • Certification Authority = Windows Server 2016
  • Certificate recipient = Windows 10 / Windows Server 2016

Click OK on the “Resulting Change” pop-up dialog boxes

Compatibility Settings

9 . Select the Request Handling tab and untick Allow private key to be exported

Request Handling

10 . Select the Cryptography tab and under Provider Category, select Key Storage Provider

Cryptography

11 . While still on the Cryptography tab, select Requests must use one of the following providers and tick Microsoft Platform Crypto Provider. Also ensure Request hash is set to SHA256

Cryptography

If your devices do not have a TPM, also tick Microsoft Software Key Storage Provider. If you do this, ensure that Microsoft Platform Crypto Provider appears first in the list.

12 . Select the Subject Name tab. Select Supply in the request

Subject Name

Configuring Supply in the request would normally be considered insecure, but security will be enforced by the Intune policy module for NDES, and only the gMSA_ndes service account has permissions to enroll a certificate using this template.

13 . Click Apply and/or OK to save the VPN User Authentication template

14 . Close the Certificate Templates console

15 . Navigate to and select Certificate Templates, select New > Certificate Template to Issue

New Template to Issue

16 . Select the VPN User Authentication template and click OK

Select Template to Issue

17 . Verify the VPN User Authentication template is listed as available to be issued

Template Available
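The security-relevant settings from the four template sections above (the IKE intermediate policy and removed Client Authentication on the VPN Server template, the non-exportable key, unpublished certificate and restricted enrollers on the VPN User template, and which templates the CA is actually issuing) can all be read back from Active Directory and the CA. The script below is an added verification example, not code from the original post: it uses the template names the post assigns, standard MS-CRTD flag bits and EKU OIDs, and the ActiveDirectory and ADCSAdministration modules; run it on the CA with an account that can read the configuration partition.

```powershell
# Added example (not from the original post): read back the templates created in this
# post and report any setting that differs from what the post asks for.
Import-Module ActiveDirectory
Import-Module ADCSAdministration   # provides Get-CATemplate; run on the CA

# Well-known EKU OIDs and template flag bits (MS-CRTD)
$OidServerAuth      = '1.3.6.1.5.5.7.3.1'
$OidClientAuth      = '1.3.6.1.5.5.7.3.2'
$OidIkeIntermediate = '1.3.6.1.5.5.8.2.2'
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PUBLISH_TO_DS             = 0x8    # msPKI-Enrollment-Flag: "Publish certificate in AD"
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: "Allow private key to be exported"
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right

$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$TemplateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# What this post expects for each template it creates (template names from the post)
$Expected = @(
    @{ Name = 'VPNServerAuthentication';  RequireEku = @($OidServerAuth, $OidIkeIntermediate); ForbidEku = @($OidClientAuth); SupplyInRequest = $true }
    @{ Name = 'NDESServerAuthentication'; RequireEku = @($OidServerAuth, $OidClientAuth);      ForbidEku = @();               SupplyInRequest = $false }
    @{ Name = 'NPSServerAuthentication';  RequireEku = @($OidServerAuth, $OidClientAuth);      ForbidEku = @();               SupplyInRequest = $false }
    @{ Name = 'VPNUserAuthentication';    RequireEku = @($OidClientAuth);                      ForbidEku = @();               SupplyInRequest = $true; NoExport = $true; NoPublish = $true }
)

$Published = @((Get-CATemplate).Name)   # templates this CA is currently set to issue

$Results = foreach ($e in $Expected) {
    $t = Get-ADObject -SearchBase $TemplateContainer -Filter "cn -eq '$($e.Name)'" `
            -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Application-Policy', `
                        'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag'
    if (-not $t) {
        [pscustomobject]@{ Template = $e.Name; EKUs = ''; Enrollers = ''; Findings = 'template not found in AD' }
        continue
    }
    $findings = @()
    # Application policies and EKUs are stored separately; check the union of both
    $eku = @($t.'msPKI-Certificate-Application-Policy') + @($t.pKIExtendedKeyUsage) | Sort-Object -Unique
    foreach ($o in $e.RequireEku) { if ($eku -notcontains $o) { $findings += "missing EKU $o" } }
    foreach ($o in $e.ForbidEku)  { if ($eku -contains $o)    { $findings += "unexpected EKU $o (should be removed)" } }

    $supply = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    if ($supply -ne $e.SupplyInRequest) { $findings += "Supply in the request is $supply, expected $($e.SupplyInRequest)" }
    if ($e.NoExport  -and (($t.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -ne 0)) { $findings += 'private key is exportable' }
    if ($e.NoPublish -and (($t.'msPKI-Enrollment-Flag'  -band $CT_FLAG_PUBLISH_TO_DS)  -ne 0)) { $findings += 'certificate is published to AD' }
    if ($Published -notcontains $e.Name) { $findings += 'not issued by this CA (Certificate Template to Issue)' }

    # Who holds the Enroll right on the template; compare against the groups/account the post assigns
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $enrollers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $EnrollRightGuid } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Template  = $e.Name
        EKUs      = ($eku -join ', ')
        Enrollers = ($enrollers -join ', ')
        Findings  = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

$Results | Format-Table -AutoSize -Wrap
```

The Enrollers column should show only AOVPN-Servers, NDES-Servers, NPS-Servers and the ndes_svc_acc account on their respective templates; any other principal with Enroll on a template that uses Supply in the request is worth investigating, since that combination lets the requester choose the subject name.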

Summary

In this post we identified the components required for our simple VPN solution. We looked at the prerequisites for Active Directory Domain Services and Active Directory Certificate Services and configured the required Certificate Templates. As we continue to build the solution in Part 3, we will be focusing on the configuration of the VPN Server.

Ben Whitmore

Microsoft MVP - Enterprise Mobility, Microsoft Certified Trainer and Microsoft 365 Certified: Enterprise Administrator Expert. Community driven and passionate Customer Engineer Lead at Patch My PC with over 2 decades of experience in driving adoption and technology change within the Enterprise.

1 comment

  • With Windows Hello for Business (key-based deployment) you can gain the same with the Kerberos proxy service, and at the same time get rid of passwords
