How to require specific certificate when authenticating to NPS for VPN?

    Question

  • I'm following the documentation to configure Always on VPN, and have a question about certificate selection.  

    The documentation instructs a new VPN User Authentication certificate template be created, and explains that: 

    "This template is required because you want to improve the certificate’s overall security by selecting upgraded compatibility levels and choosing the Microsoft Platform Crypto Provider. This last change lets you use the TPM on the client computers to secure the certificate. "

    I like the sound of that, but as I progress further through the configuration, I'm not sure what forces the vpn authentication to use that certificate vs another User Authentication certificate. I just added a new test user to my VPN Users group and they were able to successfully connect to VPN, but when I checked, they had NOT been issued a certificate based on the VPN User Authentication template yet.  (The computer was connected to a hotspot when the user logged in, so they didn't get a cert.)  Just by being a member of the VPN Users group, they were able to authenticate to the NPS server using their EXISTING User certificate.  

    Is there some way to configure the server to require a specific certificate, as opposed to just any user certificate?  (i.e. one using the "Microsoft Platform Crypto Provider", or that was issued with a key attestation policy?)

    If not, what is the point of issuing users these more secure certificates if their existing, less secure, user certificates can be used to authenticate to the server just as well?

    Thursday, June 14, 2018 8:39 PM

All replies

  • Hi,

    Thanks for your question.

    I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.

    If you have any updates during this process, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Friday, June 15, 2018 11:31 AM
  • Thank you. I appreciate your effort and look forward to hearing what you find. 

    Steve

    Friday, June 15, 2018 2:13 PM
  • Did you set up NPS to use PEAP authentication? That other user cert you have, did it also come from your PKI? If I remember correctly, in the user cert template there is nothing special to configure beyond what the MS whitepaper provides, so I guess any common user template will apply. But the provider must be your internal PKI. I tested revoking that user cert; after that the connection would not establish anymore.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Tuesday, June 19, 2018 4:24 PM
  • Yes, NPS is configured for PEAP. We have the PKI infrastructure already in place, and users auto-enroll with the CA for user certs. I added this new template to the existing CA, and configured it so that members of the VPN Users group auto-enroll for this new cert as well. I like that the new template is configured to store the private key in the TPM, especially considering its purpose. I'd like that to be required for the VPN auth. If the existing user cert can be used instead, it sort of defeats the purpose of creating the new, more secure template for VPN auth, doesn't it?
    Wednesday, June 20, 2018 5:34 PM
  • I like that the new template is configured to store the private key in the TPM, especially considering its purpose. I'd like that to be required for the vpn Auth. If the existing user cert can be used instead, it sort of defeats the purpose of creating the new, more secure template for vpn Auth, doesn't it?

    Yep, I'm not a high expert on PKI, but as a PKI best practice, it is recommended that you use one cert for multiple purposes rather than multiple certs for different purposes. I guess this is because of compatibility, so that the clients don't need to select/choose/guess the certificates from the store.

    If you feel that this VPN-purposed user cert is more secure than your existing one, how about changing to this new one and not providing your old, existing template anymore. Just make sure that this VPN cert is compatible with your existing needs.

    I might be wrong. You might want to double check with CA guys: https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS OR https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity


    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.


    • Edited by yannara Wednesday, June 20, 2018 7:28 PM
    Wednesday, June 20, 2018 7:28 PM
  • @Michael - Has your research turned anything up?

    Steve

    Monday, June 25, 2018 1:17 PM
  • Hi,

    I’m very sorry for my delay.

    All certificates that are used for network access authentication with EAP-TLS, PEAP-TLS, and PEAP-MS-CHAP v2 must meet the requirements for X.509 certificates and work for connections that use Secure Socket Layer/Transport Level Security (SSL/TLS). Both client and server certificates have additional requirements.

    We’ll need to make sure that the specified certificate template fits PEAP and EAP requirements mentioned in the following MS article, 

    Configure Certificate Templates for PEAP and EAP Requirements

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements

    Hope above information can help you.

    Highly appreciate your effort and time. If you have any question and concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, July 04, 2018 10:02 AM
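One way to see the situation the original poster describes, as an added example that is not part of this thread or of Microsoft's documentation: enumerate the current user's certificates, mark every one that meets the NPS client-certificate requirements for PEAP/EAP-TLS (Client Authentication EKU, UPN in the SAN, private key, not expired), and report which template issued each and whether its key lives in the TPM via the Microsoft Platform Crypto Provider. The template name "VPN User Authentication" is taken from the thread; the function name and report fields are this example's own.

```powershell
# Added example: audit which user certificates could be presented for PEAP client
# authentication, and which of them are TPM-backed. Run as the VPN user on the client.
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'      # id-kp-clientAuth
$TemplateV2Oid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 templates)
$TemplateV1Oid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates, e.g. "User")
$SanOid        = '2.5.29.17'              # Subject Alternative Name
$TpmProvider   = 'Microsoft Platform Crypto Provider'

function Get-PeapClientCertReport {
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $hasClientAuth = $cert.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku
        $san    = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        $hasUpn = [bool]($san -and ($san.Format($false) -match 'Principal Name='))

        # Template name: v2 extension reads "Template=<name>(<oid>), Major Version...";
        # v1 extension is just the template name.
        $template = ''
        $v2 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateV2Oid }
        $v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateV1Oid }
        if ($v2)     { $template = $v2.Format($false) -replace '^Template=', '' -replace '\(.*$', '' }
        elseif ($v1) { $template = $v1.Format($false).Trim() }

        # Key storage provider: CNG keys expose CngKey.Provider; legacy CSP keys expose
        # CspKeyContainerInfo. Only RSA keys are inspected here.
        $provider = ''
        if ($cert.HasPrivateKey) {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if     ($rsa -is [System.Security.Cryptography.RSACng])                   { $provider = $rsa.Key.Provider.Provider }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $provider = $rsa.CspKeyContainerInfo.ProviderName }
                else                                                                     { $provider = 'non-RSA key' }
            } catch { $provider = 'unreadable' }
        }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Template      = $template
            Provider      = $provider
            TpmBacked     = ($provider -eq $TpmProvider)
            # Any row with UsableForPeap = True satisfies the NPS client requirements, so the
            # plain "User" cert and the "VPN User Authentication" cert both appear as candidates.
            UsableForPeap = ($hasClientAuth -and $hasUpn -and $cert.HasPrivateKey -and ((Get-Date) -lt $cert.NotAfter))
        }
    }
}

Get-PeapClientCertReport | Where-Object UsableForPeap |
    Format-Table Subject, Template, Provider, TpmBacked -AutoSize
```

Seeing more than one row with UsableForPeap = True shows why the test user could connect with the existing User certificate; the TpmBacked column tells you whether the VPN User Authentication enrollment has actually landed in the TPM yet.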