bpubben
commented
2 years ago Thanks for you workaround, but I'm not quite sure what to fill in at: X509:I>DC=tld,DC=yourdomain,CN=your-CAS>CN=, exspecially at "your-CAS>CN>, can you elaborate?
Open utterances-bot opened 2 years ago
bpubben
commented
2 years ago Thanks for you workaround, but I'm not quite sure what to fill in at: X509:I>DC=tld,DC=yourdomain,CN=your-CAS>CN=, exspecially at "your-CAS>CN>, can you elaborate?
Blurn
commented
2 years ago Hey @bpubben, I think something got truncated when we moved to markdown. I'll fix that in the blog post soon! The path is actually supposed to look like this:
X509:<I>DC=tld,DC=yourdomain,CN=your-CA<S>CN=
The easiest way to find your value is by:
altSecurityIdentites, you should see a fully derived X509 path that you can use for name mapping
CN=, should be removed
X509:<I>DC=tld,DC=yourdomain,CN=your-CA<S>CN=mydevice123 you would end up with X509:<I>DC=tld,DC=yourdomain,CN=your-CA<S>CN=bpubben
commented
2 years ago Thnx, that was al to get me back in the right direction.
I've created my dummy object now, with the Azure Device ID, and it containts the correct altSecurityIdentities. Exporting the device certificiate and importing in on my dummy user gave the same result, so that should work.
Connection to my WiFi is resulting in a access denied on my NPS (event ID) 6273 however :-(
On my NPS. Is see the device is using the right network & connection request policy, using the device cert, etc.
EAP Type: Microsoft: Smart Card or other certificate
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect. Any ideas? Am I missing something on my NPS, its just a plain setup for device authentication with certificates, which i've done many times before, just not with AADJ devices. @bpubben awesome, always happy to help!
I have a hunch that May 2022's Windows updates may be keeping this from working for you. The first thing I would try is the solution mentioned here.
Basically, you are going to want to add a registry value on your domain controllers to support this type of name mapping (no reboot is needed):
Location: HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel\
Data Type: DWORD
Name: CertificateMappingMethods
Data: 0x1F
Microsoft's deep dive on this is located here. There are some security implications to this change that I haven't had time to investigate. I would read up on this yourself and see if setting that registry value back to 0x1F would have any security issues in your environment.
I'm hoping that helps get your PoC up-and-running. Feel free to reach back out if the above doesn't help.
benmorris2
commented
2 years ago We are having the same certificate mapping issue as @blurn was working before the update. Have applied the reg change but no luck. Devices are authing against a 2012r2 RODC.
bpubben
commented
2 years ago For me the reg change helped, applied on a 2019 DC which is also NPS
rpertusio
commented
2 years ago @Blurn, the problem with the workaround is that it has a timebomb, per the KB:
"we will update all devices to Full Enforcement mode by May 9, 2023. If a certificate cannot be strongly mapped, authentication will be denied."
In other words, this workaround will stop working!
PetriAsi
commented
2 years ago altSecurityIdentities can be strongly mapped, so it this can work after May 9, 2023. If mapping is using certificate serial (SR), sha value (SHA1-PUKEY) , or (SKI) value.
I'm running little script for macos computers from intune. They are joining domain and got PKCS certs with intune configuration profiles.
Script is monitoring C:\Program Files\Microsoft Intune\PFXCertificateConnector\PfxRequest\Succeed folder. After new cert is issued script look for macos computer account in AD, adding altSecurityIdentities to computer object for strong cert mapping. So far all is good, After this Kerberos server is then accepting certificate and I can see successful logon on DCs security log, when macos is trying to authenticate to wifi via nps.
But NPS is still rejecting login with event ID 6273, reason 8 (The specified user account does not exist.) It's really strange as kerberos ticket is granted.
My macos certificates are using following attributes: CN=computername.local.domain and SAN DNS=computername.local.domain they seems to satisfy kerberos server but NPS is still doing some check that fails. Any ideas what attributes could be missing from my certs?
PetriAsi
commented
2 years ago Got it working also with macos and now answering my own question:
On PKCS policy I have to change certificate common name to DistinguishedName like CN={{DeviceName}},OU=Devices,DC=domain,DC=local that match computer object created when macos is joining domain. And also add two subject alternative names DNS: CN={{DeviceName}}.domain.local and in UPN: {{DeviceName}}$.domain.local
After that NPS started to find user accounts also for macos devices. There's also AltSecurityIdentities attribute on computer object that maps to certificate with certificate serial number.
RaphaelEymann
commented
2 years ago For me it is working with the registry key CertificateMappingMethods set to 0x15. But I manually configure the mapping with X509IssuerSerialNumber I still receive "user credential mismatch". I found some posts that this is only working for user accounts and not for computer accounts. Any ideas?
PetriAsi
commented
2 years ago @oSLiD3Ro We are mapping macos device certs to computer accounts with serial number. To make it work we had to set certificate CN to full DistinguishedName of computer object and also added two subject alternative names DNS: CN={{DeviceName}}.domain.local and in UPN: {{DeviceName}}$.domain.local
andershannus
commented
2 years ago The may 2022 update breaks this script. There is a regkey that can be added to enable April 2022 functionality but that would be a temporary solution. https://learn.microsoft.com/en-us/answers/questions/846654/nps-stopped-working-after-may-2022-updates.html
I was successfull by using this altSecurityIdentities
X509:
There is a powershell module: Install-Module -Name PKITools Buy using that one you can get all certificates for the device ID and then select the most recent one and use the SubjectKeyIdentifier and also update that if changed. More complex solution but it will work.
andershannus
commented
2 years ago I also tried X509IssuerSerialNumber but that would not work. But the X509SKI did.
altSecurityIdentities = X509:
X509SHA1PublicKey might also work but SKI seems like a good candidate.
I also need to get all shared iPads from Intune besides Autopilot devices so I need to rework the example script quite a bit to get all targeted I need.
Blurn
commented
2 years ago To get the article up-to-date and provide accurate information to anyone looking at this the first time, I'm planning on updating the post sometime soon to mention the May updates.
(@andershannus that is a super cool solution for mapping issue. I will look into working that into the script. Full credit to you for working through that.)
saqib-s
commented
2 years ago Looking forward to an updated script, I'm in the process of trying to get this working with the registry key method.
RaphaelEymann
commented
2 years ago @andershannus
I think you have altSecurityIdentities = X509:
andershannus
commented
2 years ago The SKI string is not reversed. Serial number weds to be that but I did not try that or see any advantage in choosing that.
I have a working solution but have not decided how often it needs to run. I’m trying with every 15 min for now. This is absolutely a drawback of the strong bind that you can’t populate this before the certificate is generated.
Sent from my iPhone
On 28 Oct 2022, at 11:13, oSLiD3Ro @.***> wrote:
@andershannushttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fandershannus&data=05%7C01%7Canders%40hannus.eu%7Cbf3a721f9cb14c82e21308dab8c4ab24%7C62b88c3a118b4cc4b2d82c566034ca52%7C0%7C0%7C638025452079240575%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=MViC8%2B9ze7TxZk57lZapfpgqJ9vdIV3yySY8K9T2Jyc%3D&reserved=0 I think you have altSecurityIdentities = X509:123456789abcdef and not altSecurityIdentities = X509:123456789abcdef or I am wrong? Did you have to reserve the SKI string like the serial number or just remove the spaces and than add that string?
— Reply to this email directly, view it on GitHubhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FSysManSquad%2Fsysmansquadblog%2Fissues%2F2%23issuecomment-1294742159&data=05%7C01%7Canders%40hannus.eu%7Cbf3a721f9cb14c82e21308dab8c4ab24%7C62b88c3a118b4cc4b2d82c566034ca52%7C0%7C0%7C638025452079240575%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=M7nbZFP91tVgMaBtxwXIa7mh%2FdGgVZ9WvI4bUzYVfnc%3D&reserved=0, or unsubscribehttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FABO3YQUXKLCYJGTOGOZXHA3WFOKLHANCNFSM55KP55TA&data=05%7C01%7Canders%40hannus.eu%7Cbf3a721f9cb14c82e21308dab8c4ab24%7C62b88c3a118b4cc4b2d82c566034ca52%7C0%7C0%7C638025452079240575%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5m5VyRC5%2B5IU0OmFnzwY1n8AizBNryQ3aoRCXU%2FHswk%3D&reserved=0. You are receiving this because you were mentioned.Message ID: @.***>
saqib-s
commented
2 years ago been struggling to get this working, I've got the certificates issuing to my devices via NDES without issue, and the objects created but hitting NPS error of "Authentication failed due to a user credentials mismatch.", I've applied the registry key to the domain controller that is acting as the NPS server and it's still not working, I've tried setting "CertificateMappingMethods" reg key to 0x1f and 0x1 and 0x15 and no joy, same error, I've also applied the other regkeys mentioned in the MS article. "StrongCertificateBindingEnforcement"=dword:00000000 "CertificateBackdatingCompensation"=dword:01e13380
Still get the same error, I've also tried to manually replace altSecurityIdentities to show the client's certificate SKI (from the certificate) still not match.
Any advice would be helpful, do they regkeys need to be applied to ALL domain controllers?
andershannus
commented
2 years ago Perhaps this small excerpt will help.
[image0.png]
Sent from my iPhone
On 28 Oct 2022, at 20:59, Saqib @.***> wrote:
been struggling to get this working, I've got the certificates issuing to my devices via NDES without issue, and the objects created but hitting NPS error of "Authentication failed due to a user credentials mismatch.", I've applied the registry key to the domain controller that is acting as the NPS server and it's still not working, I've tried setting "CertificateMappingMethods" reg key to 0x1f and 0x1 and 0x15 and no joy, same error, I've also applied the other regkeys mentioned in the MS article. "StrongCertificateBindingEnforcement"=dword:00000000 "CertificateBackdatingCompensation"=dword:01e13380
Still get the same error, I've also tried to manually replace altSecurityIdentities to show the client's certificate SKI (from the certificate) still not match.
Any advice would be helpful.
— Reply to this email directly, view it on GitHubhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FSysManSquad%2Fsysmansquadblog%2Fissues%2F2%23issuecomment-1295349115&data=05%7C01%7Canders%40hannus.eu%7Cec9a6394b4204adf3a0e08dab916824e%7C62b88c3a118b4cc4b2d82c566034ca52%7C0%7C0%7C638025803570775106%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=JOaQfL7EeeflFRXlr8ImZbqf39j3xdNtl2atAgQwVBk%3D&reserved=0, or unsubscribehttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FABO3YQVENU3XOM3LMDGXFZTWFQPAFANCNFSM55KP55TA&data=05%7C01%7Canders%40hannus.eu%7Cec9a6394b4204adf3a0e08dab916824e%7C62b88c3a118b4cc4b2d82c566034ca52%7C0%7C0%7C638025803570775106%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=m73TWPua8o6LO%2FoCOFaT1rtpfvo4%2BtL%2Bphpr081A1Xk%3D&reserved=0. You are receiving this because you were mentioned.Message ID: @.***>
saqib-s
commented
2 years ago thanks... the image is not visible
andershannus
commented
2 years ago The format was all ways messed up. Perhaps this will work.
X 5 0 9 : < S K I > S t r i n g
Sent from my iPhone
On 28 Oct 2022, at 21:25, Saqib @.***> wrote:
thanks... the image is not visible
— Reply to this email directly, view it on GitHubhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FSysManSquad%2Fsysmansquadblog%2Fissues%2F2%23issuecomment-1295371146&data=05%7C01%7Canders%40hannus.eu%7C25316daa8aa7461334b008dab91a1b14%7C62b88c3a118b4cc4b2d82c566034ca52%7C0%7C0%7C638025819021514278%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=umW8jjucEM2gNfj04N%2ByhVE5AHqOGunbZvLyDFSAKx4%3D&reserved=0, or unsubscribehttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FABO3YQVV2X3AYFVJNJ6EZVLWFQSAVANCNFSM55KP55TA&data=05%7C01%7Canders%40hannus.eu%7C25316daa8aa7461334b008dab91a1b14%7C62b88c3a118b4cc4b2d82c566034ca52%7C0%7C0%7C638025819021514278%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=rsX0shKvtU5mZTQbRiVMPkRUdvcrVlluIq4VX2spgsU%3D&reserved=0. You are receiving this because you were mentioned.Message ID: @.***>
skaggake
commented
2 years ago The SKI string is not reversed. Serial number weds to be that but I did not try that or see any advantage in choosing that. I have a working solution but have not decided how often it needs to run. I’m trying with every 15 min for now. This is absolutely a drawback of the strong bind that you can’t populate this before the certificate is generated.
Can you share your solution? I have successfully authenticated with X509IssuerSerialNumber but i have done the certificate mapping manually. How can we automate this with Serialnumber, SKI or SHA1PublicKey?
saqib-s
commented
2 years ago Minor update - after applying all three registry keys as below, to ALL domain controllers my device authenticated. Which is a relief, I was trying to apply these keys to just the domain controller that NPS was installed on (which it turns out was a RODC), as soon as I applied a GPO to set these keys my device authenticated (with the CN binding as in this script).
Looking forward to any further discussion you all have around the following:
Welcome any thoughts / ideas.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc Value -CertificateBackdatingCompensation Data Type -REG_DWORD Data - 10 years: 0x12CC0300
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel Value - CertificateMappingMethods Data Type -DWORD Data -0x1f
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc Value- StrongCertificateBindingEnforcement Data Tpe - REG_DWORD Data - 0
tcppapi
commented
1 year ago saqib-s
commented
1 year ago I've pulled together the hash synching from tcppapi's script and bolted it onto Andrew's script (commented out the weak attribute creation), this script does the objects synch from Azure AD Autopilot devices to AD and then adds the certificates thumbprint (format below) to altSecurityIdentities.
“X509:<SHA1-PUKEY>123456789abcdef”
I've tested this and it works with clients authenticating.
Note:
See my script here..
saqib-s
commented
1 year ago One more caveat / - RODCs (Read-Only Domain Controllers) - when our NPS uses a RODC for user lookup etc , then secure binding errors out with the "user credentials mismatch" error, when using a NPS that is connected to a regular domain controller then user lookup with secure binding works with no issue.
KevinLauer
commented
1 year ago I tried to implement your solution @saqib-s in our environment. As expected it worked as soon as i disabled UPN to SPN Mapping on our DCs. Thanks for the updated script!
The Problem is that disabling UPN to SPN Mapping breaks smartcard authentication (2FA for various Admin Accounts) and user authentication to the NPS server. (We use user certificates to authenticate our Smartphones to Wifi) We could now match every user and smartcard certificate explicitly with strong mappings, but that does not sound like the best solution either.
I don't quite understand why UPN to SPN Mapping is necessary for the strong certificate mapping to work (but it clearly is). My understanding was that implicit mapping is checked first by SCHANNEL and if there are no matches it checks for explicit mappings. Unfortunately that does not seem to be the case here.
Do you have an idea how we could solve this issue to get all solutions working together?
saqib-s
commented
1 year ago @KevinLauer glad to hear you found it useful, I can't help you directly with the issue with smart card authentication breaking with the UPN to SAN disable in effect.
There does seem to a either/or scenario with implicit / explicit mappings.
https://www.serverbrain.org/certificate-security-2003/defining-the-mapping-in-active-directory.html "Important Explicit mappings cannot be used for smart card logon. Smart card logon only uses an implicit mapping by mapping the UPN in the Subject Alternative Name of the certificate to the UPN of a user account in Active Directory. Explicit mappings can be used for Web authentication, wireless authentication, and VPN authentication."
andershannus
commented
1 year ago This Policy module might be a solution. https://github.com/Sleepw4lker/TameMyCerts
You still need to create all the Autopilot computer objects but the mapping should work without any further automation.
/anders
Sent from my iPhone
On 5 Jan 2023, at 16:52, Saqib @.***> wrote:
@KevinLauerhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FKevinLauer&data=05%7C01%7Canders%40hannus.eu%7Cc042e23f45bd454f6d7a08daef34c9ba%7C62b88c3a118b4cc4b2d82c566034ca52%7C0%7C0%7C638085307255997304%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=VFfTMidYC8m9E4IQ7tdrPedSDaCqJL4uT8n6PgP%2BYJg%3D&reserved=0 glad to hear you found it useful, I can't help you directly with the issue with smart card authentication breaking with the UPN to SAN disable in effect.
There does seem to a either/or scenario with implicit / explicit mappings.
https://www.serverbrain.org/certificate-security-2003/defining-the-mapping-in-active-directory.htmlhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.serverbrain.org%2Fcertificate-security-2003%2Fdefining-the-mapping-in-active-directory.html&data=05%7C01%7Canders%40hannus.eu%7Cc042e23f45bd454f6d7a08daef34c9ba%7C62b88c3a118b4cc4b2d82c566034ca52%7C0%7C0%7C638085307255997304%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=jXKP7xDJlDvyUnJDf8RBX5xfoTR7BV6Nijf3WdZTekg%3D&reserved=0 "Important Explicit mappings cannot be used for smart card logonhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.serverbrain.org%2Factive-directory-infrastructure-2003%2Fsetting-up-a-smart-card-for-user-logon.html&data=05%7C01%7Canders%40hannus.eu%7Cc042e23f45bd454f6d7a08daef34c9ba%7C62b88c3a118b4cc4b2d82c566034ca52%7C0%7C0%7C638085307255997304%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=awpyD8RPeeSHCX5wCV66WfaGAnRrI4N82aP0bp87Ujo%3D&reserved=0. Smart card logon only uses an implicit mapping by mapping the UPN in the Subject Alternative Name of the certificate to the UPN of a user account in Active Directory. Explicit mappings can be used for Web authentication, wireless authenticationhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.serverbrain.org%2Flearning-2008%2Fwireless-group-policy.html&data=05%7C01%7Canders%40hannus.eu%7Cc042e23f45bd454f6d7a08daef34c9ba%7C62b88c3a118b4cc4b2d82c566034ca52%7C0%7C0%7C638085307255997304%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=WjvkCHCGhokxqg43cgFqTqn8Xoy864LXd5EIyC8H3AU%3D&reserved=0, and VPN authentication."
— Reply to this email directly, view it on GitHubhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FSysManSquad%2Fsysmansquadblog%2Fissues%2F2%23issuecomment-1372395771&data=05%7C01%7Canders%40hannus.eu%7Cc042e23f45bd454f6d7a08daef34c9ba%7C62b88c3a118b4cc4b2d82c566034ca52%7C0%7C0%7C638085307255997304%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=WYE8idQP0d9DenuytC4vh9TMG31in1TipvOOJ44LsJk%3D&reserved=0, or unsubscribehttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FABO3YQTPUBMNPBZL7UPKH6TWQ3U2DANCNFSM55KP55TA&data=05%7C01%7Canders%40hannus.eu%7Cc042e23f45bd454f6d7a08daef34c9ba%7C62b88c3a118b4cc4b2d82c566034ca52%7C0%7C0%7C638085307255997304%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ORVmIg2gkiXJqEBcLV8HNN7v3jhjd9%2FD1Rtx0gbOQ2Q%3D&reserved=0. You are receiving this because you were mentioned.Message ID: @.***>
mtengmo
commented
1 year ago Will it also work for MacOS devices onboarded to Intune? When do you think you got a PoC of the TameMyCerts ?
jnickell
commented
1 year ago I found this as I was feeling out our transition from solely on-prem to AADJ of some fashion. @blurn, wondering if you'd had a chance to make the updates?
I'm trying to go the route mentioned by @andershannus (absent knowing what/if configuration changes are needed with the TameMyCerts module.
Unfortunately I picked the day to work on this that the azure portal is down. So until I can pick that back up, has anyone got the whole thing working and avoided the timebomb that has been mentioned?
I'm hopeful that by using this approach I can accomplish two things Wifi and Secure DNS updates performed by the clients. Our DHCP servers are not AD integrated and an internal application needs to be able to lookup clients via DNS.
svdbrom
commented
1 year ago Hi Andrew,
2023-03-11 "I am currently working on a new blog post that includes major improvements to the Sync-DummyComputers.ps1 script and also outlines the TameMyCerts configuration. Stay tuned for the link!"
Any progress with the new blog that also outlines the TameMyCerts configuration? Just curious :-)
Martony78
commented
1 year ago Hi guys! I talked to Per Larsen (Intune PM) last week at the Paris MEM Summit 2023, the more evidence we can get, the more chance we have to force MS to move on this.
"I talked to our feature PM about NPS and getting AAD/Intune device support. We are going over the customer evidence again - we do not have enough customers evidence, so if you have more information and more customer evidence you can share. Customer name, size and use case. Thanks Per"
Please send it to mathieu.aitazzouzene@dell.com
Blurn
commented
1 year ago Sorry for the radio silence on my end. I was on parental leave and was trying to be as "offline" as possible. I will look at updating the post, or making a follow-up post, ASAP. I still need to do some more testing, but this seems feasible in conjunction with https://github.com/PKISolutions/ADCS-SID-Extension-Policy-Module (TameMyCerts hasn't been updated to include the new extension type).
@Martony78 I will email a use case soon.
Thanks and sorry again.
saqib-s
commented
1 year ago Congratulations Andrew on becoming a parent, I'm sure time is hard to find. Looking forward to an updated post, I'm curious how using the new extension type would work for AADJ devices, as I understand that the CA ties the cert to the AD object's SID, so I assume the AD object would have to be created first, then the cert issued? If building a new device, would the SCEP req for a new cert error out until an object is created?
andershannus
commented
1 year ago Autopilot devices will create an Entra ID device object right away so an AD computer object should be created before the computer tries to get a certificate but that still demands that the script is run pretty often. I have actually not tried the TameMyScritp solutions as it works good at get and add the SKI from the certificates to the computer objects.
But I'm trying right now to make the same solution work with shared iPads but am struggling with NPS finding the dummy computer object. Might be the certificate or it might be something else. NPS reads the correct device name from the certificate but perhaps it's only looking for DeviceUI$ as SamAccountName and that will obviously not work. Will update if I find a solution för iPads.
andershannus
commented
1 year ago I modified my Autopilot solution, based on this script, to work with iPads without user affinity. I could never get the NPS to match the certificate to the corresponding computer object in the same way that works just fine with Windows Autopilot computers. I modified the certificate template in Intune to also include UserPrincipalName in the form of {{AzureADDeviceId}}@addomain.com and modified all iPad computer accounts to have the same UserPrincipalName. With that modification, NPS now finds the computer accounts, and the login works. Read somewhere that it was needed for macOS so that is why I tried this. I have not tried to remove DNS from the SAN in the certificate nor remove the SPN on the computer account but I don't think it's needed. I use SKI for altSecurityIdentities as that is easy to work with.
CuriousTB
commented
11 months ago @andershannus Thanks for sharing your insights on this one. CA and MDM newbie here, would be awesome to know how you got your iPads without user affinity to work. I'm trying to achieve the same for macOS and struggling to figure a solution (same as most cases in this thread - macOS device affinity, Intune managed and AAD joined, NPS and NDES on-premises). Some granular info as to how you did it would be at great help for many like me for sure !!
Thank you !
RWallis01
commented
8 months ago I seem to be stuck on the Radius Auth I am using the same rules for on premise although created a pathway for AAD devices using a regex to recognise the naming. We are using computer authorisation as the user will be checked by global protect after login.
NPS recognises the device User: Security ID: EMPIRE\0e48f9aa-254c-4$ Account Name: host/0e48f9aa-254c-44f8-8b6b-1bf9fd20b181 Account Domain: EMPIRE Fully Qualified Account Name: EMPIRE\0e48f9aa-254c-4$
The error is Reason Code: 300 Reason: No credentials are available in the security package
The connection rule has certificate and PEAP authentication enabled
The Wi-Fi profile is being pushed out by intune however this is the first time we have done it this way normally it is done via GPO. Any tips on where the issue might be?
Thanks
Rob
RWallis01
commented
8 months ago So I added Certificate / SmartCard into the PEAP properties on the connection request(it was already listed separately outside of PEAP). I am now getting error 16 authentication failed...mismatch. I've tried saqib's script and still the same.
Our device cert has subject CN={{AAD_Device_ID}} and UPN=host/{{AAD_Device_ID}}
I've made the following modifications to both scripts removing Get-Object here as it fails otherwise
$AutopilotDevices = Get-AutopilotDevice
and also on Saqibs script 2 changes. Removed .host otherwise there is a casting error. foreach($CAHost in (Get-CertificationAuthority)){
and also added a filter due to the amount of certificates our CA has issued!! $IssuedRaw = Get-IssuedRequest -CertificationAuthority $CAHost -Property RequestID,ConfigString,CommonName,CertificateHash,RawCertificate -Filter "CertificateTemplate -eq Azure Workstation"
Hopefully it is something simple?
Thanks
Rob
RWallis01
commented
8 months ago Got it working unsure which fix it was but did the 3 reg keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc Value -CertificateBackdatingCompensation Data Type -REG_DWORD Data - 10 years: 0x12CC0300
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel Value - CertificateMappingMethods Data Type -DWORD Data -0x1f
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc Value- StrongCertificateBindingEnforcement Data Tpe - REG_DWORD Data - 0
and the SAN mapping key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\UseSubjectAltName
thanks all
saqib-s
commented
8 months ago @RWallis01
I would not go into production with "StrongCertificateBindingEnforcement" set to 0, Which disables the strong certificate mapping check. This is not recommended because this will disable all security enhancements.
Note this from Microsoft: Unless updated to this mode earlier, we will update all devices to Full Enforcement mode by February 11, 2025, or later. If a certificate cannot be strongly mapped, authentication will be denied. https://support.microsoft.com/en-gb/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
You should be building your solution to work with secure certificate binding.
RWallis01
commented
4 months ago Never made production however gone to try this again with views to work towards production and again the devices won't connect
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User: Security ID: EMPIRE\xxxxxxxxx-f7cd-4$ Account Name: host/xxxxxxxx-f7cd-4652-813e-d6d45ddf63d8 Account Domain: EMPIRE Fully Qualified Account Name: EMPIRE\7f9c851e-f7cd-4$
Client Machine: Security ID: NULL SID Account Name: - Fully Qualified Account Name: - Called Station Identifier: xx-xx-xxx-xx5:eduroam Calling Station Identifier: xx-xx-xx-xx-xx
NAS: NAS IPv4 Address: 172.16.49.150 NAS IPv6 Address: - NAS Identifier: IT OFFICE NAS Port-Type: Wireless - IEEE 802.11 NAS Port: 0
RADIUS Client: Client Friendly Name: IT OFFICE Client IP Address: 172.16.49.150
Authentication Details: Connection Request Policy Name: authenticate azure joined computers Network Policy Name: - Authentication Provider: Windows Authentication Server: xxxxxxxx.xx.x.x.x.x Authentication Type: PEAP EAP Type: Microsoft: Smart Card or other certificate Account Session Identifier: 42384241423946344139333243384446 Logging Results: Accounting information was written to the local log file. Reason Code: 16 Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
This is with the 4 keys mentioned above. The host has a certificate issued from internal cert services. The host has been synced AD. There is an altSecurityIdentities entry
Unsure where else to look!!! Really want to move our shared on premise laptops to autopilot but this is proving to be a blocker! I don't want to have to create a separate ssid and definitely don't want a passworded one!
Thanks,
Robbie
Working around NPS limitations for AADJ Windows devices-SysManSquad | Systems Management Squad
A community blog and subsidiary of WinAdmins.io
https://sysmansquad.com/2021/04/27/working-around-nps-limitations-for-aadj-windows-devices/