AlwaysOn VPN with Conditional Access not working

%3CLINGO-SUB%20id%3D%22lingo-sub-1816728%22%20slang%3D%22en-US%22%3EAlwaysOn%20VPN%20with%20Conditional%20Access%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1816728%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20currently%20working%20on%20a%20project%20to%20implement%20Always%20On%20VPN%20with%20conditional%20access.%3C%2FP%3E%3CP%3EI%20use%20SCEP%20profiles%20to%20issue%20certificates%20to%20users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20VPN%20is%20deployed%20via%20a%20custom%20profile%20by%20specifying%20the%20EAP%20XML%20file.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEverything%20works%20perfectly%20for%20the%20VPN%20part%20without%20the%20conditional%20access.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20then%20followed%20Microsoft's%20procedure%20for%20setting%20up%20conditional%20access%20and%20that's%20where%20the%20problems%20start.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fremote%2Fremote-access%2Fvpn%2Fad-ca-vpn-connectivity-windows10%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fremote%2Fremote-access%2Fvpn%2Fad-ca-vpn-connectivity-windows10%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDuring%20connection%20a%20VPN%20error%20is%20displayed%20%22Incorrect%20setting%22%20on%20the%20client.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20then%20see%20the%20Azure%20AD%20certificate%20in%20the%20customer's%20personal%20store.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20the%20client's%20Windows%20events%20I%20get%20error%2020227%20(Connection%20failed.%20Error%20code%20returned%3A%2087.)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20strangest%20thing%20is%20that%20twice%20I%20was%20able%20to%20validate%20the%20conditional%20access%20with%20the%20double%20authentication.%20But%20after%20validation%2C%20the%20connection%20was%20looping.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECertification%20Authority%20(Win2019)%3CBR%20%2F%3EVPN%20Server%20(Win2019)%3CBR%20%2F%3ENPS%20Server%20(Win2019)%3CBR%20%2F%3ENDES%20Server%20(Win2019)%3CBR%20%2F%3EWindows%2010%20Enterprise%20Client%20(Hybrid%20Azure%20Joined)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20anyone%20has%20an%20idea%20where%20the%20problem%20may%20be%20coming%20from%2C%20I'll%20take%20it!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank's%20in%20advance.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1822723%22%20slang%3D%22en-US%22%3ERe%3A%20AlwaysOn%20VPN%20with%20Conditional%20Access%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1822723%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20a%20few%20tests%2C%20here%20is%20the%20state%20of%20progress%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDuring%20the%20VPN%20connection%2C%20I%20get%20maintenance%20the%20following%20error%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20couldn't%20log%20in%20because%20we%20couldn't%20find%20a%20certificate%20for%20single%20sign-on.%20(Event%2020227%20ID%20874)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20my%20XML%20file%2C%20here%20is%20the%20information%20concerning%20the%20SSO%20part%20%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CDEVICECOMPLIANCE%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CENABLED%3Etrue%3C%2FENABLED%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CSSO%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CENABLED%3Etrue%3C%2FENABLED%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CEKU%3E1.3.6.1.5.5.7.3.2%3C%2FEKU%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3CISSUERHASH%3Ed4ee17ac6c7363c15083eebc1d056e3339bebb10%3C%2FISSUERHASH%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSSO%3E%3CBR%20%2F%3E%3C%2FDEVICECOMPLIANCE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20the%20logs%2C%20I%20can%20see%20that%20the%20client%20contacts%20Azure%20AD%20and%20requests%20a%20user%20action.%20Then%20the%20error%20occurs.%3CBR%20%2F%3E%3CBR%20%2F%3EThank%20you%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1867772%22%20slang%3D%22en-US%22%3ERe%3A%20AlwaysOn%20VPN%20with%20Conditional%20Access%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1867772%22%20slang%3D%22en-US%22%3EHello%20everyone%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20can%20now%20make%20my%20VPN%20connection%20with%20conditional%20access.%20The%20IssuerHash%20was%20not%20the%20right%20one.%3CBR%20%2F%3E%3CBR%20%2F%3ENow%20I%20have%20another%20question%3A%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20it%20possible%20to%20request%20dual%20authentication%20for%20each%20VPN%20connection%3F%20Currently%2C%20I%20have%20the%20impression%20that%20the%20connection%20is%20kept%20in%20memory%20(I%20was%20only%20asked%20for%20it%20once).%20Is%20this%20due%20to%20the%20VPN%20certificate%20issued%20by%20Azure%20which%20is%20renewed%20automatically%3F%3CBR%20%2F%3E%3CBR%20%2F%3EThank%20you%20in%20advance.%3C%2FLINGO-BODY%3E
Occasional Contributor

I am currently working on a project to implement Always On VPN with conditional access.

I use SCEP profiles to issue certificates to users.

 

The VPN is deployed via a custom profile by specifying the EAP XML file.

 

Everything works perfectly for the VPN part without the conditional access.

 

I then followed Microsoft's procedure for setting up conditional access and that's where the problems start.

 

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/ad-ca-vpn-connectivity-wind...

 

During connection a VPN error is displayed "Incorrect setting" on the client.

 

I can then see the Azure AD certificate in the customer's personal store.

 

In the client's Windows events I get error 20227 (Connection failed. Error code returned: 87.)

 

The strangest thing is that twice I was able to validate the conditional access with the double authentication. But after validation, the connection was looping.

 

Certification Authority (Win2019)
VPN Server (Win2019)
NPS Server (Win2019)
NDES Server (Win2019)
Windows 10 Enterprise Client (Hybrid Azure Joined)

 

If anyone has an idea where the problem may be coming from, I'll take it!

 

Thank's in advance.

2 Replies

Hello,

 

After a few tests, here is the state of progress:

 

During the VPN connection, I get maintenance the following error:

 

We couldn't log in because we couldn't find a certificate for single sign-on. (Event 20227 ID 874)

 

In my XML file, here is the information concerning the SSO part :

 

<DeviceCompliance>
      <Enabled>true</Enabled>
      <Sso>
            <Enabled>true</Enabled>
           <Eku>1.3.6.1.5.5.7.3.2</Eku>
           <IssuerHash>d4ee17ac6c7363c15083eebc1d056e3339bebb10</IssuerHash>
      </Sso>
</DeviceCompliance>

 

In the logs, I can see that the client contacts Azure AD and requests a user action. Then the error occurs.

Thank you

Hello everyone,

I can now make my VPN connection with conditional access. The IssuerHash was not the right one.

Now I have another question:

Is it possible to request dual authentication for each VPN connection? Currently, I have the impression that the connection is kept in memory (I was only asked for it once). Is this due to the VPN certificate issued by Azure which is renewed automatically?

Thank you in advance.