Windows Phone 8.1 VPN and certificates

  • Question

  • We're using Windows Intune/SCCM for MDM. I created a VPN profile for Juniper Junos Pulse using certificate authentication and applied it to iOS, Android, Windows and Windows Phone.

    A SCEP client certificate is deployed successfully on all those devices and I'm easily able to connect through VPN on all of them except Windows Phone, where error 2250 is received. If I connect through the Junos Pulse VPN provider on Windows Phone to an SSL realm that doesn't require certificate authentication, it connects just fine.

    Certificate authentication on Windows Phone 8.1 using Junos Pulse seems to be supported: http://www.juniper.net/techpubs/en_US/junos-pulse5.0/information-products/topic-collections/win-phone-junos-pulse.pdf

    My question is, is it really supported, since there's no option on Windows Phone to create a Junos Pulse VPN (IKEv2 has that option) VPN profile using certificate authentication? Any additional details are appreciated.

    Tuesday, August 26, 2014 8:17 AM

Answers

  • I was able to find the issue. I tested the scenario with a Surface RT 8.1. I enrolled the device to SCCM/Intune and got a certificate with NDES. Then I added a VPN connection and tried to connect. Windows asked for a smart card. But the certificate isn't a smart card certificate. So I added a second VPN connection to a Microsoft VPN and tried to connect with the same certificate. There was no question about a smart card and the connection was established fine. Then I remembered the options of certificate profiles (TPM or Software Key Storage). I had selected TPM in my initial configuration. I changed it to Software Key Storage and re-enrolled to Intune to force certificate deployment. After receiving the new certificate I tried again on my Surface and the Juniper VPN connection was established. I re-enrolled my Windows Phone to Intune and after I received the new certificate I was able to connect my Windows Phone to Juniper VPN too.

    So I think the problem is that the Juniper third-party API is not allowed to access the TPM or it is done the wrong way.

    I hope this helps.

    Kind regards

    Denis  

     
    • Proposed as answer by Denis.Beuermann Friday, September 26, 2014 6:59 AM
    • Marked as answer by CypherMike Friday, September 26, 2014 1:04 PM
    Friday, September 26, 2014 6:55 AM
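
One way to check which key storage provider holds the SCEP certificate's private key, run on a full Windows client enrolled with the same certificate profile. This is an added example, not part of the thread; it assumes .NET Framework 4.6 or later and that the certificate sits in the current user's Personal store.

```powershell
# Added diagnostic example (not from the thread).
# Lists certificates in the current user's Personal store and reports which
# key storage provider holds each private key, so a TPM-backed key can be
# told apart from one kept in software key storage.
# Assumption: the SCEP certificate is in Cert:\CurrentUser\My; change the
# path to Cert:\LocalMachine\My if the profile issues a device certificate.

$tpmProvider = 'Microsoft Platform Crypto Provider'   # CNG provider name for TPM-backed keys

function Get-CertKeyProvider {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return 'no private key' }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: the provider name is on the underlying CngKey
            return $rsa.Key.Provider.Provider
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CryptoAPI key
            return $rsa.CspKeyContainerInfo.ProviderName
        }
        return 'unknown (non-RSA or unsupported key type)'
    } catch {
        # The key exists but this process could not open it
        return "unreadable: $($_.Exception.Message)"
    }
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $provider = Get-CertKeyProvider -Cert $_
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        Provider   = $provider
        TpmBacked  = ($provider -eq $tpmProvider)
    }
} | Format-Table -AutoSize
```

A certificate issued with the Software Key Storage option is expected to show `Microsoft Software Key Storage Provider` in the Provider column.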

All replies

  • We tested further and Junos Pulse certificate authentication is supported on Windows Phone.

    The problem we're having is when we deploy the certificate to Windows Phone through SCEP. While the same deployed certificate works just fine on iOS, Android and Windows 8.1, it doesn't on Windows Phone. It gets installed, but it seems it's invalid.

    If I export a certificate received through SCEP (same template) from a Windows 8.1 client, e-mail it to Windows Phone and import it, it works great. Please help us out, since this is the last step in rolling out MDM to our user base.

    Thursday, August 28, 2014 4:44 AM
  • Same problem here. We have deployed certificates with NDES/SCEP in an Intune/SCCM environment. With our Windows Phone 8.1 devices I am unable to connect with the "Junos Pulse VPN" provider. With a Windows 8.1 computer it works.

    I haven't tried your workaround (mailing the certificate). Do you have any solution?

    Kind regards

    Denis

    Tuesday, September 23, 2014 8:56 AM
  • Thank you, thank you, thank you!

    Works great now.

    Friday, September 26, 2014 1:04 PM