Tutorial - Deploy Always On VPN - Configure Certification Authority templates (2024)


In this part of the Deploy Always On VPN tutorial, you'll create certificate templates and enroll or validate certificates for the Active Directory (AD) groups that you created in Deploy Always On VPN - Setup the environment.

You'll create the following templates:

  • User authentication template. With a user authentication template, you can improve certificate security by selecting upgraded compatibility levels and choosing the Microsoft Platform Crypto Provider. With the Microsoft Platform Crypto Provider, you can use a Trusted Platform Module (TPM) on client computers to secure the certificate. For an overview of TPM, see Trusted Platform Module Technology Overview. The user template will be configured for auto-enrollment.

  • VPN server authentication template. With a VPN server authentication template, you'll add the IP Security (IPsec) IKE Intermediate application policy. This application policy determines how the certificate can be used; it lets the server filter certificates when more than one certificate is available. Because VPN clients access this server from the public internet, the subject and alternative names are different from the internal server name. As a result, you won't configure the VPN server certificate for auto-enrollment.

  • NPS server authentication template. With an NPS server authentication template, you'll copy the standard RAS and IAS Servers template, and scope it for your NPS server. The new NPS server template includes the server authentication application policy.

Prerequisites

  1. Complete Deploy Always On VPN - Setup the environment.

Create the user authentication template

  1. On the CA server, which in this tutorial is the domain controller, open the Certification Authority snap-in.

  2. In the left pane, right-click Certificate Templates and select Manage.

  3. In the Certificate Templates console, right-click User and select Duplicate Template.

    Warning

    Do not select Apply or OK until you have completed entering information for all tabs. Some choices can only be configured at template creation; if you select these buttons before entering ALL parameters, you cannot change them afterwards. For example, on the Cryptography tab, if Legacy Cryptographic Storage Provider shows in the Provider Category field, it becomes disabled, preventing any further change. The only alternative is to delete the template and recreate it.

  4. In the Properties of New Template dialog box, on the General tab, complete the following steps:

    1. In Template display name, enter VPN User Authentication.

    2. Clear the Publish certificate in Active Directory check box.

  5. On the Security tab, complete the following steps:

    1. Select Add.

    2. On the Select Users, Computers, Service Accounts, or Groups dialog, enter VPN Users, then select OK.

    3. In Group or user names, select VPN Users.

    4. In Permissions for VPN Users, select the Enroll and Autoenroll check boxes in the Allow column.

      Important

      Make sure to keep the Read permission check box selected. You'll need Read permissions for enrollment.

    5. In Group or user names, select Domain Users, then select Remove.

  6. On the Compatibility tab, complete the following steps:

    1. In Certification Authority, select Windows Server 2016.

    2. On the Resulting changes dialog, select OK.

    3. In Certificate recipient, select Windows 10/Windows Server 2016.

    4. On the Resulting changes dialog, select OK.

  7. On the Request Handling tab, clear Allow private key to be exported.

  8. On the Cryptography tab, complete the following steps:

    1. In Provider Category, select Key Storage Provider.

    2. Select Requests must use one of the following providers.

    3. Select both Microsoft Platform Crypto Provider and Microsoft Software Key Storage Provider.

  9. On the Subject Name tab, clear the Include e-mail name in subject name and E-mail name check boxes.

  10. Select OK to save the VPN User Authentication certificate template.

  11. Close the Certificate Templates console.

  12. In the left pane of the Certification Authority snap-in, right-click Certificate Templates, select New and then select Certificate Template to Issue.

  13. Select VPN User Authentication, then select OK.

Create the VPN Server authentication template

  1. In the left pane of the Certification Authority snap-in, right-click Certificate Templates and select Manage to open the Certificate Templates console.

  2. In the Certificate Templates console, right-click RAS and IAS Server and select Duplicate Template.

    Warning

    Do not select Apply or OK until you have completed entering information for all tabs. Some choices can only be configured at template creation; if you select these buttons before entering ALL parameters, you cannot change them afterwards. For example, on the Cryptography tab, if Legacy Cryptographic Storage Provider shows in the Provider Category field, it becomes disabled, preventing any further change. The only alternative is to delete the template and recreate it.

  3. On the Properties of New Template dialog box, on the General tab, in Template display name, enter VPN Server Authentication.

  4. On the Extensions tab, complete the following steps:

    1. Select Application Policies, then select Edit.

    2. In the Edit Application Policies Extension dialog, select Add.

    3. On the Add Application Policy dialog, select IP security IKE intermediate, then select OK.

    4. Select OK to return to the Properties of New Template dialog.

  5. On the Security tab, complete the following steps:

    1. Select Add.

    2. On the Select Users, Computers, Service Accounts, or Groups dialog, enter VPN Servers, then select OK.

    3. In Group or user names, select VPN Servers.

    4. In Permissions for VPN Servers, select Enroll in the Allow column.

    5. In Group or user names, select RAS and IAS Servers, then select Remove.

  6. On the Subject Name tab, complete the following steps:

    1. Select Supply in the Request.

    2. On the Certificate Templates warning dialog box, select OK.

  7. Select OK to save the VPN Server certificate template.

  8. Close the Certificate Templates console.

  9. In the left pane of the Certification Authority snap-in, right-click Certificate Templates. Select New and then select Certificate Template to Issue.

  10. Select VPN Server Authentication, then select OK.

  11. Reboot the VPN server.

Create the NPS Server authentication template

  1. In the left pane of the Certification Authority snap-in, right-click Certificate Templates and select Manage to open the Certificate Templates console.

  2. In the Certificate Templates console, right-click RAS and IAS Server and select Duplicate Template.

    Warning

    Do not select Apply or OK until you have completed entering information for all tabs. Some choices can only be configured at template creation; if you select these buttons before entering ALL parameters, you cannot change them afterwards. For example, on the Cryptography tab, if Legacy Cryptographic Storage Provider shows in the Provider Category field, it becomes disabled, preventing any further change. The only alternative is to delete the template and recreate it.

  3. On the Properties of New Template dialog box, on the General tab, in Template display name, enter NPS Server Authentication.

  4. On the Security tab, complete the following steps:

    1. Select Add.

    2. On the Select Users, Computers, Service Accounts, or Groups dialog, enter NPS Servers, then select OK.

    3. In Group or user names, select NPS Servers.

    4. In Permissions for NPS Servers, select Enroll in the Allow column.

    5. In Group or user names, select RAS and IAS Servers, then select Remove.

  5. Select OK to save the NPS Server certificate template.

  6. Close the Certificate Templates console.

  7. In the left pane of the Certification Authority snap-in, right-click Certificate Templates. Select New and then select Certificate Template to Issue.

  8. Select NPS Server Authentication, then select OK.
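The three templates above are built in the Certificate Templates console, and the settings that matter for security (who can enroll, whether the key is exportable, which application policies the template carries, whether the subject comes from the request) are all stored on the template object in the AD configuration partition. The following PowerShell script is an added example, not part of the tutorial, that reads those objects back and flags anything that differs from the steps above. It assumes the ActiveDirectory module is installed, that each template's CN is its display name without spaces (the console's default), that the Enroll and Autoenroll extended-right GUIDs are the well-known ones used by AD CS, and that the msPKI flag bit values are those documented in MS-CRTD.

```powershell
# Added example (not from the tutorial): verify the VPN User, VPN Server and NPS
# Server templates in AD against the settings the steps above configure.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment.
$EnrollRight     = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'
$AutoenrollRight = [guid]'a05b8cc2-17bc-00de-b5a9-9ef1c9aa4d4b'
$IkeIntermediate = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate
$ServerAuth      = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$EnrolleeSuppliesSubject = 0x1           # msPKI-Certificate-Name-Flag bit (MS-CRTD)
$ExportableKey           = 0x10          # msPKI-Private-Key-Flag bit (MS-CRTD)

# Assumption: template CNs are the display names without spaces.
$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext

function Get-TemplateReport {
    param([string]$Cn)
    $t = Get-ADObject -Identity "CN=$Cn,$templatesDn" -Properties nTSecurityDescriptor,
            pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag'

    # Enroll/Autoenroll are ExtendedRight ACEs whose ObjectType is the right's GUID
    # (an empty ObjectType means "all extended rights"); GenericAll implies them too.
    $aces = $t.nTSecurityDescriptor.Access | Where-Object {
        ($_.AccessControlType -eq 'Allow') -and (
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0) -or
            ((($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
             ($_.ObjectType -in @($EnrollRight, $AutoenrollRight, [guid]::Empty))))
    }
    [pscustomobject]@{
        Template                 = $Cn
        EnrollPrincipals         = @($aces | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
        EKU                      = @($t.pKIExtendedKeyUsage)
        HasIkeIntermediate       = $t.pKIExtendedKeyUsage -contains $IkeIntermediate
        HasServerAuth            = $t.pKIExtendedKeyUsage -contains $ServerAuth
        SubjectSuppliedInRequest = [bool]($t.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject)
        PrivateKeyExportable     = [bool]($t.'msPKI-Private-Key-Flag' -band $ExportableKey)
    }
}

$user = Get-TemplateReport -Cn 'VPNUserAuthentication'
$vpn  = Get-TemplateReport -Cn 'VPNServerAuthentication'
$nps  = Get-TemplateReport -Cn 'NPSServerAuthentication'
$user, $vpn, $nps | Format-List

# Expectations from the steps above: Domain Users was removed from the user
# template, RAS and IAS Servers from both server templates, the VPN server
# template carries the IKE intermediate EKU and takes its subject from the
# request, the NPS template keeps Server Authentication, and the user key is
# not exportable.
if ($user.EnrollPrincipals -match 'Domain Users') {
    Write-Warning 'Domain Users still holds Enroll on the user template'
}
if (($vpn.EnrollPrincipals + $nps.EnrollPrincipals) -match 'RAS and IAS Servers') {
    Write-Warning 'RAS and IAS Servers still holds Enroll on a server template'
}
if (-not $vpn.HasIkeIntermediate)       { Write-Warning 'VPN server template lacks the IKE intermediate EKU' }
if (-not $vpn.SubjectSuppliedInRequest) { Write-Warning 'VPN server template does not take its subject from the request' }
if (-not $nps.HasServerAuth)            { Write-Warning 'NPS server template lacks Server Authentication' }
if ($user.PrivateKeyExportable)         { Write-Warning 'User template still allows private key export' }
```

Run it on the CA or any domain-joined machine with the RSAT AD module. The principal list is the check most worth keeping in a scheduled job: a template that takes its subject from the request (as the VPN server template must) is only safe while its Enroll permission stays limited to the VPN Servers group, so any new principal appearing on that template deserves a look.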

Enroll and validate the user certificate

Because you're using Group Policy to autoenroll user certificates, you only need to update the policy, and Windows 10 will automatically enroll the user account for the correct certificate. You can then validate the certificate in the Certificates console.

To validate the user certificate:

  1. Sign in to the VPN Windows client as the user that you created for the VPN Users group.

  2. Press Windows key + R, type gpupdate /force, and press ENTER.

  3. On the Start menu, type certmgr.msc, and press ENTER.

  4. In the Certificates snap-in, under Personal, select Certificates. Your certificates appear in the details pane.

  5. Right-click the certificate that has your current domain username, and then select Open.

  6. On the General tab, confirm that the date listed under Valid from is today's date. If it isn't, you might have selected the wrong certificate.

  7. Select OK, and close the Certificates snap-in.
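The GUI check above confirms the certificate exists and was issued today, but not the two things the user template was configured for: that the private key was created in the TPM-backed provider and that it cannot be exported. The following PowerShell is an added example, not part of the tutorial, to run as the VPN user on the client after gpupdate. It assumes the template uses an RSA key (the default for a duplicated User template) and that the Certificate Template Information extension renders the display name 'VPN User Authentication'; adjust that string if your display name differs.

```powershell
# Added example (not from the tutorial): find the auto-enrolled user certificate
# and report its provider, export policy and validity.
$TemplateDisplayName = 'VPN User Authentication'   # assumption: as entered on the General tab
$TemplateInfoOid     = '1.3.6.1.4.1.311.21.7'      # Certificate Template Information
$TpmProvider         = 'Microsoft Platform Crypto Provider'

# Optional: trigger user autoenrollment now instead of waiting for policy refresh.
# certutil -user -pulse

function Get-VpnUserCertificate {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
        $ext -and ($ext.Format($true) -match [regex]::Escape($TemplateDisplayName))
    } | Sort-Object NotBefore -Descending | Select-Object -First 1
}

function Test-VpnUserCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert) { throw "No certificate from template '$TemplateDisplayName' in CurrentUser\My" }

    # A KSP key comes back as RSACng; its CngKey exposes the provider and export policy.
    $rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $isCng = $rsa -is [System.Security.Cryptography.RSACng]
    $provider   = if ($isCng) { $rsa.Key.Provider.Provider } else { '(legacy CSP key)' }
    $exportable = if ($isCng) { $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None } else { $null }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        IssuedToday   = $Cert.NotBefore.Date -eq (Get-Date).Date
        HasPrivateKey = $Cert.HasPrivateKey
        Provider      = $provider
        TpmBacked     = $provider -eq $TpmProvider
        Exportable    = $exportable
        ChainIsValid  = (New-Object System.Security.Cryptography.X509Certificates.X509Chain).Build($Cert)
    }
}

$report = Test-VpnUserCertificate -Cert (Get-VpnUserCertificate)
$report | Format-List
if (-not $report.TpmBacked) {
    Write-Warning 'Key was created in the software KSP, not the TPM; the template allows both providers.'
}
if ($report.Exportable) {
    Write-Warning 'Key is exportable; check Allow private key to be exported on the Request Handling tab.'
}
```

Because the template allows both Microsoft Platform Crypto Provider and Microsoft Software Key Storage Provider, a client without a usable TPM will still enroll, just with a software key; the TpmBacked field is how you tell the two apart on a given machine. An equivalent one-liner for a quick look is `certutil -user -store My`, which prints the Provider line for each certificate.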

Enroll and validate the VPN server certificate

Unlike the user certificate, you must manually enroll the VPN server's certificate.

To enroll the VPN server's certificate:

  1. On the VPN server's Start menu, type certlm.msc to open the Certificates snap-in, and press ENTER.

  2. Right-click Personal, select All Tasks and then select Request New Certificate to start the Certificate Enrollment Wizard.

  3. On the Before You Begin page, select Next.

  4. On the Select Certificate Enrollment Policy page, select Next.

  5. On the Request Certificates page, select VPN Server Authentication.

  6. Under the VPN Server Authentication check box, select More information is required to open the Certificate Properties dialog box.

  7. Select the Subject tab and enter the following information:

    In the Subject name section:

    1. For Type, select Common Name.

    2. For Value, enter the name of the external domain that clients use to connect to the VPN (for example, vpn.contoso.com).

    3. Select Add.

  8. Select OK to close Certificate Properties.

  9. Select Enroll.

  10. Select Finish.

To validate the VPN server certificate:

  1. In the Certificates snap-in, under Personal, select Certificates.

    Your listed certificates should appear in the details pane.

  2. Right-click the certificate that has your VPN server's name, and then select Open.

  3. On the General tab, confirm that the date listed under Valid from is today's date. If it isn't, you might have selected the wrong certificate.

  4. On the Details tab, select Enhanced Key Usage, and verify that IP security IKE intermediate and Server Authentication display in the list.

  5. Select OK to close the certificate.
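The enrollment and validation steps above can also be scripted, which is useful when the certificate must be renewed before expiry or when a second VPN server is brought up behind the same external name. The following PowerShell is an added example, not part of the tutorial: it enrolls through the PKI module's Get-Certificate cmdlet instead of the wizard and then performs the same checks as the validation steps. It assumes the template's CN is 'VPNServerAuthentication' (the display name without spaces, the console's default), uses the page's placeholder external name vpn.contoso.com, and is run elevated on the VPN server. It adds a DNS subject alternative name matching the common name, which the wizard steps above do not do.

```powershell
# Added example (not from the tutorial): enroll the VPN server certificate and
# verify subject, EKUs, validity and chain.
$ExternalName = 'vpn.contoso.com'          # the page's example external name
$TemplateName = 'VPNServerAuthentication'  # assumption: template CN, not display name
$ServerAuthOid      = '1.3.6.1.5.5.7.3.1'  # Server Authentication
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'  # IP security IKE intermediate

function Request-VpnServerCertificate {
    # -SubjectName supplies the CN the wizard asks for; -DnsName adds a matching SAN
    # so clients that validate the SAN rather than the CN also accept the certificate.
    $result = Get-Certificate -Template $TemplateName `
                              -SubjectName "CN=$ExternalName" `
                              -DnsName $ExternalName `
                              -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: status $($result.Status)" }
    $result.Certificate
}

function Test-VpnServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Collect the EKU OIDs, which is what the Details tab shows under Enhanced Key Usage.
    $eku = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    [pscustomobject]@{
        Subject            = $Cert.Subject
        DnsNameIsExternal  = $Cert.GetNameInfo('DnsName', $false) -eq $ExternalName
        IssuedToday        = $Cert.NotBefore.Date -eq (Get-Date).Date
        NotAfter           = $Cert.NotAfter
        HasPrivateKey      = $Cert.HasPrivateKey
        HasServerAuth      = $eku -contains $ServerAuthOid
        HasIkeIntermediate = $eku -contains $IkeIntermediateOid
        ChainIsValid       = (New-Object System.Security.Cryptography.X509Certificates.X509Chain).Build($Cert)
    }
}

# Reuse an existing certificate for the external name if one is present; enroll otherwise.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ExternalName" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { $cert = Request-VpnServerCertificate }

$report = Test-VpnServerCertificate -Cert $cert
$report | Format-List
if (-not ($report.HasServerAuth -and $report.HasIkeIntermediate)) {
    Write-Warning 'EKU list does not match the VPN Server Authentication template; the server filters on IP security IKE intermediate and will not pick this certificate.'
}
if (-not $report.DnsNameIsExternal) {
    Write-Warning "Certificate name does not match $ExternalName; clients connecting from the internet will fail name validation."
}
```

The two warnings correspond to the two ways this certificate most often goes wrong in practice: the wrong template (the generic RAS and IAS Server template lacks the IKE intermediate policy, so the server cannot distinguish it) and the internal host name in the subject instead of the public one. If the CA marks the request as pending rather than issuing it, Status will be Pending and the script stops; issue the request on the CA and rerun.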

Enroll and validate the NPS certificate

Because you're using Group Policy to autoenroll NPS certificates, you only need to update the policy, and Windows Server will automatically enroll the NPS server for the correct certificate. You can then validate the certificate in the Certificates console.

To enroll the NPS certificate:

  1. On the NPS server's Start menu, type certlm.msc to open the Certificates snap-in, and press ENTER.

  2. Right-click Personal, select All Tasks and then select Request New Certificate to start the Certificate Enrollment Wizard.

  3. On the Before You Begin page, select Next.

  4. On the Select Certificate Enrollment Policy page, select Next.

  5. On the Request Certificates page, select NPS Server Authentication.

  6. Select Enroll.

  7. Select Finish.

To validate the NPS certificate:

  1. In the Certificates snap-in, under Personal, select Certificates.

    Your listed certificates should appear in the details pane.

  2. Right-click the certificate that has your NPS server's name, and then select Open.

  3. On the General tab, confirm that the date listed under Valid from is today's date. If it isn't, you might have selected the wrong certificate.

  4. Select OK, and close the Certificates snap-in.

Next steps

  • Deploy Always On VPN Tutorial: Configure Windows client Always On VPN connections

  • Troubleshoot Always On VPN



