Forum Discussion
Fred06
Oct 25, 2020 · Copper Contributor
AlwaysOn VPN with Conditional Access not working
I am currently working on a project to implement Always On VPN with conditional access. I use SCEP profiles to issue certificates to users. The VPN is deployed via a custom profile by specifying...
Fred06
Oct 27, 2020 · Copper Contributor
Hello,
After a few tests, here is the state of progress:
During the VPN connection, I now get the following error:
We couldn't log in because we couldn't find a certificate for single sign-on. (Event 20227 ID 874)
In my XML file, here is the information concerning the SSO part:
<DeviceCompliance>
  <Enabled>true</Enabled>
  <Sso>
    <Enabled>true</Enabled>
    <Eku>1.3.6.1.5.5.7.3.2</Eku>
    <IssuerHash>d4ee17ac6c7363c15083eebc1d056e3339bebb10</IssuerHash>
  </Sso>
</DeviceCompliance>
In the logs, I can see that the client contacts Azure AD and requests a user action. Then the error occurs.
Thank you
Fred06
Nov 09, 2020 · Copper Contributor
Hello everyone,
I can now make my VPN connection with conditional access. The IssuerHash was not the right one.
Now I have another question:
Is it possible to request dual authentication for each VPN connection? Currently, I have the impression that the connection is kept in memory (I was only asked for it once). Is this due to the VPN certificate issued by Azure which is renewed automatically?
Thank you in advance.
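
A way to check the mismatch described in the posts above, added here as an example and not code from the thread: it lists the certificates in the signed-in user's store and reports, for each one, whether it carries the configured EKU and whether its issuing CA's thumbprint equals the configured IssuerHash. It assumes IssuerHash is the SHA-1 thumbprint of the certificate's direct issuer; the function name Get-SsoCertificateCandidate is hypothetical.

```powershell
# Values copied from the <Sso> block quoted in the thread.
$SsoEku        = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$SsoIssuerHash = 'd4ee17ac6c7363c15083eebc1d056e3339bebb10'

# Hypothetical helper: one row per certificate in the store, with match flags.
function Get-SsoCertificateCandidate {
    param(
        [string]$Eku,
        [string]$IssuerHash,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Build the chain so the issuing CA certificate can be inspected.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip revocation lookups: this is a diagnostic, not a trust decision.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($cert)

        # Element 0 is the leaf; element 1, when present, is its direct issuer.
        $issuerThumb = if ($chain.ChainElements.Count -gt 1) {
            $chain.ChainElements[1].Certificate.Thumbprint
        } else { $null }

        # OIDs of the certificate's Enhanced Key Usage entries.
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            IssuerThumb   = $issuerThumb
            HasPrivateKey = $cert.HasPrivateKey
            Valid         = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
            EkuMatch      = ($ekus -contains $Eku)
            IssuerMatch   = [bool]($issuerThumb -and ($issuerThumb -ieq $IssuerHash))
        }
    }
}

Get-SsoCertificateCandidate -Eku $SsoEku -IssuerHash $SsoIssuerHash |
    Format-Table Subject, IssuerThumb, HasPrivateKey, Valid, EkuMatch, IssuerMatch -AutoSize
```

If no row shows both EkuMatch and IssuerMatch as True, the IssuerThumb column shows the issuer thumbprints that are actually present in the store.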