Ithy - Securing Your AOVPN: Essential Permissions for Computer Authentication Certificates

Key Highlights for AOVPN Computer Authentication Certificates

Granular Permissions: Configure specific security permissions on your certificate templates to control which Active Directory groups can enroll for AOVPN computer certificates, ensuring only authorized devices receive them.
Auto-Enrollment for Efficiency: Leverage Group Policy to enable auto-enrollment for computer certificates, streamlining deployment and renewal for domain-joined machines, reducing manual intervention.
Critical Extended Key Usages (EKUs): Ensure the computer certificate template includes the "Client Authentication" EKU and that the Subject Alternative Name (SAN) contains the computer's FQDN for proper device tunnel functionality.

Deploying Always On VPN (AOVPN) effectively hinges on a robust Public Key Infrastructure (PKI), with proper certificate management being paramount. Specifically, the configuration of computer authentication certificates is critical for establishing secure device tunnels, which allow machines to connect to the corporate network before user login. This comprehensive guide details the essential permissions and configurations required for AOVPN computer authentication certificates to ensure a seamless and secure remote access solution.

Understanding AOVPN Certificate Types and Their Roles

Always On VPN relies on various certificates for different components of its infrastructure. For a robust and secure AOVPN deployment, you typically need certificates for:

VPN Servers: These certificates authenticate the VPN server to the clients.
Network Policy Servers (NPS): Used by the NPS to authenticate itself to the VPN server during RADIUS communication.
User Certificates: Essential for user tunnels, authenticating individual users to the VPN.
Computer Certificates: Crucial for device tunnels, enabling machines to connect before a user logs in. This is our primary focus.

Each of these certificates plays a distinct role in the authentication process and requires specific permissions and configurations on the Certificate Authority (CA) templates. The proper setup of these templates within Active Directory Certificate Services (AD CS) is the cornerstone of a functional AOVPN.

A diagram illustrating certificate-based authentication flow in a network environment.

Illustration of Certificate-Based Authentication in a Network

Configuring Certificate Authority Templates for Computer Authentication

The core of setting up AOVPN computer authentication certificates lies in configuring the appropriate certificate templates on your Certificate Authority (CA). This involves duplicating an existing template, modifying its properties, and setting precise security permissions.

Duplicating and Naming the Template

To begin, you should duplicate an existing computer certificate template. Microsoft documentation often suggests starting with the "Computer" or "Workstation Authentication" template as a base.

Right-click on the appropriate template in the Certificate Templates Console and select Duplicate Template.
On the General tab, give your new template a descriptive name, such as "AOVPN Computer Authentication" or "VPN Computers."
Ensure that the "Publish certificate in Active Directory" checkbox is cleared. This is important to prevent unnecessary publication of every computer certificate in AD.

Setting Compatibility and Request Handling

Adjusting compatibility settings ensures the template works with your environment and client operating systems.

On the Compatibility tab, set the "Certification Authority" to at least Windows Server 2012 R2 or Windows Server 2016, depending on your CA version.
For "Certificate recipient," select Windows 8.1 / Windows Server 2012 R2 or later to ensure broad client compatibility.
On the Request Handling tab, ensure that "Allow private key to be exported" is not checked for security reasons. Also, consider enabling "For renewal, enroll subject with same key" if you want to reuse keys during renewal (though this is less common for machine certs than for user certs where TPM may be involved).

Crucial Security Permissions for Enrollment

This is one of the most critical steps. You must define which Active Directory groups can enroll for this certificate template.

Navigate to the Security tab of your duplicated template.
Add a security group specifically created for your AOVPN client computers, for example, "AOVPN Computers" or "VPN Clients." This group should contain the Active Directory computer objects that will be using the AOVPN device tunnel.
Grant this AOVPN Computers group the following permissions:
- Read: Necessary for the group members to view the template.
- Enroll: Allows members to request new certificates based on this template.
- Autoenroll: Allows for automatic issuance and renewal of certificates via Group Policy.
It is generally recommended to remove the "Domain Computers" group from the security tab or at least remove their "Enroll" and "Autoenroll" permissions on this specific AOVPN template to restrict which computers can obtain these specialized certificates. Only the designated "AOVPN Computers" group should have enrollment rights.

The "RAS and IAS Servers" group is usually removed from computer certificate templates, as it's typically relevant for VPN and NPS server certificates, not client computer certificates.

Subject Name and Extended Key Usages (EKUs)

Properly configuring the Subject Name and Extended Key Usages (EKUs) is vital for the certificate to be correctly utilized by AOVPN.

On the Subject Name tab:
- Select Supply in the request. This allows the client to specify the subject name during the certificate request, ensuring the certificate contains the computer's Fully Qualified Domain Name (FQDN) in the Subject Alternative Name (SAN) field.
- Ensure that the FQDN of the machine is listed in the SAN of the certificate. This is crucial for device tunnel functionality.
On the Extensions tab, for Application Policies (also known as Extended Key Usages or EKUs):
- Ensure that Client Authentication is present. This EKU specifies that the certificate can be used for client authentication, which is precisely what the AOVPN device tunnel requires.
- For IKEv2 connections, the IP Security (IPsec) IKE Intermediate application policy might also be relevant, but Client Authentication is the primary requirement for device tunnels.

A common issue when AOVPN fails to connect is the absence of an associated private key with the certificate or incorrect EKUs. Ensuring the certificate is correctly issued with the "Client Authentication" EKU and a private key is vital for its functionality.

Implementing Auto-Enrollment via Group Policy

Once the certificate template is configured, you need to enable auto-enrollment for your client computers through Group Policy. This streamlines the certificate issuance and renewal process, making it automatic for all domain-joined machines within the scope of the GPO.

Open Group Policy Management Editor.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
Right-click on Certificate Services Client - Auto-Enrollment and select Properties.
Configure the settings to enable certificate auto-enrollment for computers. This will allow machines to automatically request and renew certificates based on the templates they have "Autoenroll" permissions for.

The radar chart above visualizes the critical aspects of AOVPN computer certificate configuration. The "Ideal Configuration" dataset represents high proficiency across all dimensions, from precise security permissions to correct EKU settings and effective auto-enrollment. In contrast, "Common Challenges" highlights areas where misconfigurations often occur, such as insufficient security permissions, missing EKUs, or issues with private key association. This chart underscores the importance of a holistic approach to certificate management for AOVPN, where a weakness in any single area can compromise the entire VPN solution. Achieving a high score in all these areas is indicative of a robust and secure AOVPN deployment.

Common Pitfalls and Troubleshooting Tips

Even with careful configuration, issues can arise. Here are some common problems and their solutions related to AOVPN computer authentication certificates:

Certificate Not Being Issued or Found (Code 798)

If clients are not receiving certificates or encounter an error like "A certificate could not be found that can be used with this extensible authentication protocol. Code 798," consider the following:

Private Key Issue: Ensure the certificate has an associated private key. AOVPN typically doesn't allow exporting private keys with the certificate, so the client must generate the key during enrollment.
Permissions on Template: Double-check the security permissions on your AOVPN computer certificate template. Ensure the "AOVPN Computers" group has Read, Enroll, and Autoenroll permissions. Remove "Domain Computers" if they have conflicting permissions.
Certificate Store: Verify the certificate is correctly installed in the client's "Personal\Certificates" store (accessible via certlm.msc).
EKU Availability: Confirm the certificate includes the necessary Client Authentication EKU. Without it, the VPN client won't consider the certificate suitable.
FQDN in SAN: For device tunnels, the FQDN of the client machine must be included in the Subject Alternative Name (SAN) of the certificate. If "Supply in the request" was not set, or the client didn't correctly request its FQDN, this can cause issues.

Auto-Enrollment Renewal Not Working

If certificates aren't renewing automatically:

Autoenroll Permission: Confirm the "Autoenroll" permission is checked for your AOVPN Computers group on the certificate template.
Group Policy Application: Verify that the Group Policy Object (GPO) for auto-enrollment is applied to the correct Organizational Unit (OU) containing your client computers.
Certificate Services Client Settings: In Group Policy, ensure the "Certificate Services Client - Auto-Enrollment" settings are enabled for auto-enrollment.

Prompted to Select a Certificate

If users are prompted to manually select a certificate when connecting, even with auto-enrollment, it might indicate multiple certificates being available or an issue with certificate selection logic.

Multiple Certificates: This usually happens when multiple valid certificates exist in the user's or computer's personal store. Configure the AOVPN client profile to explicitly filter for certificates with the required EKU to ensure only the correct one is used.
ProfileXML Configuration: When deploying AOVPN profiles via Intune or Configuration Manager, ensure your ProfileXML explicitly defines the criteria for certificate selection, such as EKU or issuer details, to prevent ambiguity.

Active Directory Certificate Services (AD CS) Updates

Recent Windows updates (e.g., KB5014754 from May 2022) have introduced changes to certificate-based authentication on domain controllers. These updates can affect AOVPN deployments, especially concerning certificate mapping and privilege escalation vulnerabilities. Staying informed about such updates and their potential impact on your PKI and AOVPN is crucial.

Summary of Required Permissions and Configurations

The table below summarizes the key permissions and configurations necessary for AOVPN Computer Authentication Certificates.

Configuration Aspect	Required Permissions/Settings	Why It's Important
Certificate Template Name	Descriptive name (e.g., "AOVPN Computer")	Easy identification and management.
Publish in Active Directory	Cleared (unchecked)	Avoids cluttering AD with unnecessary certificate entries.
Compatibility Settings	CA: Windows Server 2012 R2/2016+, Recipient: Windows 8.1/2012 R2+	Ensures broad compatibility with modern Windows clients and servers.
Request Handling	"Allow private key to be exported" unchecked	Enhances security by preventing private key theft.
Security Permissions	"AOVPN Computers" group: Read, Enroll, Autoenroll. "Domain Computers" group: Remove Enroll/Autoenroll or remove group entirely.	Strictly controls which computers can obtain these certificates and enables automatic deployment.
Subject Name	"Supply in the request" checked; FQDN in SAN	Allows the client to specify its FQDN, crucial for device tunnel authentication.
Extended Key Usage (EKU)	Client Authentication (must be present)	Defines the certificate's intended use for client authentication.
Group Policy for Auto-Enrollment	Enabled for Computer Configuration > Public Key Policies > Certificate Services Client - Auto-Enrollment	Automates certificate issuance and renewal, reducing administrative overhead.

Video Resource: Creating User and Computer Certificates with Auto Enrollment

For a visual walkthrough of setting up user and computer certificates with auto-enrollment, which forms the foundation for AOVPN certificate deployment, the following video provides an excellent resource. While it covers general certificate creation, the principles for permissions and auto-enrollment are directly applicable to AOVPN computer authentication certificates.

How to Create User and Computer Certificates with Auto Enrollment on Windows Server 2019

This video provides a practical demonstration of configuring Active Directory Certificate Services (AD CS) for certificate auto-enrollment. It specifically highlights the steps involved in duplicating certificate templates, defining permissions for specific groups, and enabling auto-enrollment through Group Policy. Understanding these foundational steps is paramount for successfully deploying AOVPN computer authentication certificates, as the process for device certificates closely mirrors the general procedure for computer certificates. The video illustrates how granting "Enroll" and "Autoenroll" permissions to the designated computer groups is critical for ensuring that machines can seamlessly obtain and renew their required certificates, which is a common point of failure in AOVPN setups.

Frequently Asked Questions (FAQ)

What is the primary purpose of an AOVPN Computer Authentication certificate?

The primary purpose of an AOVPN Computer Authentication certificate is to enable the device tunnel, allowing a machine to connect to the corporate network via VPN before a user logs in. This is crucial for applying computer-based Group Policy objects, scripts, and updates even when no user is logged in.

Can I use the default "Computer" template for AOVPN Computer Authentication?

While you might use the default "Computer" template as a base, it is strongly recommended to duplicate it and create a custom template for AOVPN. This allows you to apply specific security permissions, extended key usages (EKUs), and subject name settings tailored for AOVPN requirements without affecting other computer certificate deployments in your environment.

What are the risks if the "Autoenroll" permission is not set for the AOVPN Computers group?

If the "Autoenroll" permission is not set, computers will not automatically request or renew their AOVPN certificates. This would require manual enrollment, which is inefficient and prone to errors, potentially leading to connection failures when certificates expire or are missing.

Why is it important to have the computer's FQDN in the Subject Alternative Name (SAN)?

For AOVPN device tunnels, the VPN server and Network Policy Server (NPS) often perform checks against the certificate's Subject Alternative Name (SAN). Including the computer's FQDN in the SAN ensures that the device can be correctly identified and authenticated during the VPN connection process, preventing authentication failures.

What is the "Client Authentication" EKU and why is it essential for AOVPN?

The "Client Authentication" Extended Key Usage (EKU) is an application policy that specifies that a certificate can be used to authenticate a client to a server. For AOVPN, this EKU is essential because the client computer uses its certificate to authenticate itself to the VPN server and NPS, establishing trust for the device tunnel.

Conclusion

Properly setting permissions on AOVPN Computer Authentication certificates is a fundamental step in ensuring a secure and efficient Always On VPN deployment. By carefully configuring certificate templates, defining precise security permissions for dedicated Active Directory groups, and enabling auto-enrollment via Group Policy, organizations can streamline the provisioning and management of device certificates. Adhering to these best practices, along with ensuring correct EKUs and Subject Alternative Name configurations, will significantly reduce common connectivity issues and bolster the overall security posture of your remote access infrastructure.