How to require specific certificate when authenticating to NPS for VPN?


  • I'm following the documentation to configure Always on VPN, and have a question about certificate selection.  

    The documentation instructs a new VPN User Authentication certificate template be created, and explains that: 

    "This template is required because you want to improve the certificate’s overall security by selecting upgraded compatibility levels and choosing the Microsoft Platform Crypto Provider. This last change lets you use the TPM on the client computers to secure the certificate. "

    I like the sound of that, but as I progress further through the configuration, I'm not sure what forces the vpn authentication to use that certificate vs another User Authentication certificate. I just added a new test user to my VPN Users group and they were able to successfully connect to VPN, but when I checked, they had NOT been issued a certificate based on the VPN User Authentication template yet.  (The computer was connected to a hotspot when the user logged in, so they didn't get a cert.)  Just by being a member of the VPN Users group, they were able to authenticate to the NPS server using their EXISTING User certificate.  

    Is there some way to configure the server to require a specific certificate, as opposed to just any user certificate?  (i.e. one using the "Microsoft Platform Crypto Provider", or that was issued with a key attestation policy?)

    If not, what is the point of issuing users these more secure certificates if their existing, less secure, user certificates can be used to authenticate to the server just as well?

    Thursday, June 14, 2018 8:39 PM

All replies

  • Hi,

    Thanks for your question.

    I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.

    If you have any updates during this process, please feel free to let me know.

    Best regards,


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Friday, June 15, 2018 11:31 AM
  • Thank you. I appreciate your effort and look forward to hearing what you find. 


    Friday, June 15, 2018 2:13 PM
  • Did you Setup NPS to use PEAP autentification? That other user cert you have, did it came also from your PKI? If I remember correctly, in user cert template there is nothing special to configure provided by MS whitepaper, so I guess any common user template will apply. But the provider must be your internal PKI. I tested to revoke that user cert, after that the connection will not establish anymore.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    13 hours 14 minutes ago