Working around NPS limitations for AADJ Windows devices-SysManSquad | Systems Management Squad #2
Comments
Thanks for your workaround, but I'm not quite sure what to fill in at: X509:I>DC=tld,DC=yourdomain,CN=your-CAS>CN=, especially at "your-CAS>CN", can you elaborate? |
Hey @bpubben, I think something got truncated when we moved to markdown. I'll fix that in the blog post soon! The path is actually supposed to look like this:
The easiest way to find your value is by: |
Thanks, that was all I needed to get back in the right direction. I've created my dummy object now, with the Azure Device ID, and it contains the correct altSecurityIdentities. Exporting the device certificate and importing it on my dummy user gave the same result, so that should work. On my NPS I see the device is using the right network and connection request policy, using the device cert, etc. |
@bpubben awesome, always happy to help! I have a hunch that May 2022's Windows updates may be keeping this from working for you. The first thing I would try is the solution mentioned here. Basically, you are going to want to add a registry value on your domain controllers to support this type of name mapping (no reboot is needed): Location: Microsoft's deep dive on this is located here. There are some security implications to this change that I haven't had time to investigate. I would read up on this yourself and see if setting that registry value back to I'm hoping that helps get your PoC up-and-running. Feel free to reach back out if the above doesn't help. |
We are having the same certificate mapping issue as @Blurn was working before the update. Have applied the reg change but no luck. Devices are authing against a 2012r2 RODC. |
For me the reg change helped, applied on a 2019 DC which is also NPS |
@Blurn, the problem with the workaround is that it has a timebomb, per the KB: "we will update all devices to Full Enforcement mode by May 9, 2023. If a certificate cannot be strongly mapped, authentication will be denied." In other words, this workaround will stop working! |
altSecurityIdentities can be strongly mapped, so this can work after May 9, 2023. I'm running a little script for macOS computers from Intune. They are joining the domain and get PKCS certs with Intune configuration profiles. The script is monitoring the C:\Program Files\Microsoft Intune\PFXCertificateConnector\PfxRequest\Succeed folder. After a new cert is issued, the script looks for the macOS computer account in AD and adds altSecurityIdentities to the computer object for strong cert mapping. So far all is good. After this the Kerberos server is accepting the certificate and I can see a successful logon in the DCs' security log when the macOS device is trying to authenticate to Wi-Fi via NPS. But NPS is still rejecting the login with event ID 6273, reason 8 (The specified user account does not exist.) It's really strange as the Kerberos ticket is granted. My macOS certificates are using the following attributes: CN=computername.local.domain and SAN DNS=computername.local.domain. They seem to satisfy the Kerberos server, but NPS is still doing some check that fails. |
Got it working also with macOS, and now answering my own question: on the PKCS policy I had to change the certificate common name to a DistinguishedName like CN={{DeviceName}},OU=Devices,DC=domain,DC=local that matches the computer object created when the macOS device joins the domain. I also added two subject alternative names, DNS: CN={{DeviceName}}.domain.local and UPN: {{DeviceName}}$.domain.local. After that, NPS started to find user accounts also for macOS devices. There's also the AltSecurityIdentities attribute on the computer object that maps to the certificate with the certificate serial number. |
For me it is working with the registry key CertificateMappingMethods set to 0x15. But when I manually configure the mapping with X509IssuerSerialNumber, I still receive "user credential mismatch". I found some posts saying this only works for user accounts and not for computer accounts. Any ideas? |
@oSLiD3Ro We are mapping macos device certs to computer accounts with serial number. To make it work we had to set certificate CN to full DistinguishedName of computer object and also added two subject alternative names DNS: CN={{DeviceName}}.domain.local and in UPN: {{DeviceName}}$.domain.local |
The May 2022 update breaks this script. I was successful by using this altSecurityIdentities There is a PowerShell module: Install-Module -Name PKITools |
I also tried X509IssuerSerialNumber but that would not work. But the X509SKI did. altSecurityIdentities = X509:c934eca7bbbbbbbbbbbb X509SHA1PublicKey might also work but SKI seems like a good candidate. I also need to get all shared iPads from Intune besides Autopilot devices so I need to rework the example script quite a bit to get all targeted I need. |
To get the article up-to-date and provide accurate information to anyone looking at this the first time, I'm planning on updating the post sometime soon to mention the May updates. (@andershannus that is a super cool solution for mapping issue. I will look into working that into the script. Full credit to you for working through that.) |
Looking forward to an updated script, I'm in the process of trying to get this working with the registry key method. |
@andershannus |
I've been struggling to get this working. I've got the certificates issuing to my devices via NDES without issue, and the objects created, but I'm hitting the NPS error "Authentication failed due to a user credentials mismatch." I've applied the registry key to the domain controller that is acting as the NPS server and it's still not working. I've tried setting the "CertificateMappingMethods" reg key to 0x1f, 0x1 and 0x15 and no joy, same error. I've also applied the other regkeys mentioned in the MS article. "StrongCertificateBindingEnforcement"=dword:00000000 Still get the same error. I've also tried to manually replace altSecurityIdentities to show the client's certificate SKI (from the certificate), still no match. Any advice would be helpful. Do the regkeys need to be applied to ALL domain controllers? |
Perhaps this small excerpt will help.
On 28 Oct 2022, at 20:59, Saqib ***@***.***> wrote:
been struggling to get this working, I've got the certificates issuing to my devices via NDES without issue, and the objects created but hitting NPS error of "Authentication failed due to a user credentials mismatch.", I've applied the registry key to the domain controller that is acting as the NPS server and it's still not working, I've tried setting "CertificateMappingMethods" reg key to 0x1f and 0x1 and 0x15 and no joy, same error, I've also applied the other regkeys mentioned in the MS article. "StrongCertificateBindingEnforcement"=dword:00000000
"CertificateBackdatingCompensation"=dword:01e13380
Still get the same error, I've also tried to manually replace altSecurityIdentities to show the client's certificate SKI (from the certificate) still not match.
Any advice would be helpful. |
thanks... the image is not visible |
Can you share your solution? I have successfully authenticated with X509IssuerSerialNumber, but I have done the certificate mapping manually. How can we automate this with serial number, SKI or SHA1PublicKey? |
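An added example, not the blog's script or code posted by anyone in this thread, of the automation asked about above: it derives the strong mapping strings Microsoft's KB defines (the X509SKI and X509IssuerSerialNumber forms) from a device certificate and writes them to the AD computer object. The certificate path and sAMAccountName are placeholders; the serial-number form needs the issuer RDNs in DC-first order and the serial with its byte order reversed, which is the detail most often missed when the mapping is typed by hand.

```powershell
# Added example: build strong altSecurityIdentities values from a device certificate
# and write them to the matching AD computer object. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StrongAltSecurityIdentities {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $values = New-Object System.Collections.Generic.List[string]

    # X509SKI: hex Subject Key Identifier (OID 2.5.29.14). The "<SKI>" tag is required;
    # angle-bracket tags are easily lost when a value is pasted into HTML or markdown.
    $skiExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if ($skiExt) {
        $ski = ([System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]$skiExt).SubjectKeyIdentifier
        $values.Add("X509:<SKI>$ski")
    }

    # X509IssuerSerialNumber: issuer RDNs in DC-first order (the reverse of .NET's
    # Issuer string) plus the serial number with its byte order reversed. Splitting on
    # ',' assumes no RDN value itself contains an escaped comma.
    $rdns = $Certificate.Issuer -split ',\s*'
    [array]::Reverse($rdns)
    $serialBytes = @(for ($i = 0; $i -lt $Certificate.SerialNumber.Length; $i += 2) {
        $Certificate.SerialNumber.Substring($i, 2)
    })
    [array]::Reverse($serialBytes)
    $values.Add("X509:<I>$($rdns -join ',')<SR>$($serialBytes -join '')")

    return $values.ToArray()
}

function Set-DeviceCertificateMapping {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # e.g. the dummy object's name with trailing $
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $mappings = Get-StrongAltSecurityIdentities -Certificate $Certificate
    # -Replace overwrites the attribute so a renewed certificate does not leave the old
    # (still valid) mapping behind; use -Add only if several certs must map at once.
    Set-ADComputer -Identity $SamAccountName -Replace @{ altSecurityIdentities = $mappings }
    return $mappings
}

# Usage with placeholder path and account name (not values from this thread):
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Temp\device.cer'
Set-DeviceCertificateMapping -SamAccountName 'PLACEHOLDER-DEVICE$' -Certificate $cert
```

The returned strings can be compared against what the KDC logs in its certificate-mapping events before any account is changed in bulk.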
Minor update - after applying all three registry keys as below to ALL domain controllers, my device authenticated. Which is a relief; I was trying to apply these keys to just the domain controller that NPS was installed on (which it turns out was a RODC). As soon as I applied a GPO to set these keys, my device authenticated (with the CN binding as in this script). Looking forward to any further discussion you all have around the following:
Welcome any thoughts / ideas.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc |
I've pulled together the hash syncing from tcppapi's script and bolted it onto Andrew's script (commented out the weak attribute creation). This script does the object sync from Azure AD Autopilot devices to AD and then adds the certificate's thumbprint (format below) to altSecurityIdentities.
I've tested this and it works with clients authenticating. Note:
See my script here. |
One more caveat: RODCs (Read-Only Domain Controllers). When our NPS uses a RODC for user lookup etc., secure binding errors out with the "user credentials mismatch" error. When using an NPS that is connected to a regular domain controller, user lookup with secure binding works with no issue. |
I tried to implement your solution @saqib-s in our environment. As expected, it worked as soon as I disabled UPN to SPN Mapping on our DCs. Thanks for the updated script! The problem is that disabling UPN to SPN Mapping breaks smartcard authentication (2FA for various admin accounts) and user authentication to the NPS server. (We use user certificates to authenticate our smartphones to Wi-Fi.) I don't quite understand why UPN to SPN Mapping is necessary for the strong certificate mapping to work (but it clearly is). Do you have an idea how we could solve this issue to get all solutions working together? |
@KevinLauer glad to hear you found it useful. I can't help you directly with the issue of smart card authentication breaking with the UPN to SAN disable in effect. There does seem to be an either/or scenario with implicit / explicit mappings. https://www.serverbrain.org/certificate-security-2003/defining-the-mapping-in-active-directory.html |
Will it also work for MacOS devices onboarded to Intune? |
I found this as I was feeling out our transition from solely on-prem to AADJ of some fashion. @Blurn, wondering if you'd had a chance to make the updates? I'm trying to go the route mentioned by @andershannus (absent knowing what/if configuration changes are needed with the TameMyCerts module). Unfortunately I picked the day to work on this that the Azure portal is down. So until I can pick that back up, has anyone got the whole thing working and avoided the timebomb that has been mentioned? I'm hopeful that by using this approach I can accomplish two things: Wi-Fi and secure DNS updates performed by the clients. Our DHCP servers are not AD integrated and an internal application needs to be able to look up clients via DNS. |
Hi Andrew, 2023-03-11 Any progress with the new blog that also outlines the TameMyCerts configuration? |
Hi guys! "I talked to our feature PM about NPS and getting AAD/Intune device support. Please send it to [email protected] #IWork4Dell |
Sorry for the radio silence on my end. I was on parental leave and was trying to be as "offline" as possible. I will look at updating the post, or making a follow-up post, ASAP. I still need to do some more testing, but this seems feasible in conjunction with https://github.com/PKISolutions/ADCS-SID-Extension-Policy-Module (TameMyCerts hasn't been updated to include the new extension type). @Martony78 I will email a use case soon. Thanks and sorry again. |
Congratulations Andrew on becoming a parent, I'm sure time is hard to find. Looking forward to an updated post, I'm curious how using the new extension type would work for AADJ devices, as I understand that the CA ties the cert to the AD object's SID, so I assume the AD object would have to be created first, then the cert issued? If building a new device, would the SCEP req for a new cert error out until an object is created? |
Autopilot devices will create an Entra ID device object right away, so an AD computer object should be created before the computer tries to get a certificate, but that still demands that the script is run pretty often. I have actually not tried the TameMyCerts solutions, as it works well at getting and adding the SKI from the certificates to the computer objects. But I'm trying right now to make the same solution work with shared iPads and am struggling with NPS finding the dummy computer object. Might be the certificate or it might be something else. NPS reads the correct device name from the certificate but perhaps it's only looking for DeviceUI$ as SamAccountName and that will obviously not work. Will update if I find a solution for iPads. |
I modified my Autopilot solution, based on this script, to work with iPads without user affinity. I could never get the NPS to match the certificate to the corresponding computer object in the same way that works just fine with Windows Autopilot computers. I modified the certificate template in Intune to also include UserPrincipalName in the form of {{AzureADDeviceId}}@addomain.com and modified all iPad computer accounts to have the same UserPrincipalName. With that modification, NPS now finds the computer accounts, and the login works. Read somewhere that it was needed for macOS so that is why I tried this. I have not tried to remove DNS from the SAN in the certificate nor remove the SPN on the computer account but I don't think it's needed. I use SKI for altSecurityIdentities as that is easy to work with. |
@andershannus Thanks for sharing your insights on this one. CA and MDM newbie here; it would be awesome to know how you got your iPads without user affinity to work. I'm trying to achieve the same for macOS and struggling to figure out a solution (same as most cases in this thread - macOS device affinity, Intune managed and AAD joined, NPS and NDES on-premises). Some granular info as to how you did it would be of great help for many like me for sure!! Thank you! |
I seem to be stuck on the RADIUS auth. I am using the same rules as for on-premise, although I created a pathway for AAD devices using a regex to recognise the naming. We are using computer authorisation as the user will be checked by GlobalProtect after login. NPS recognises the device. The error is The connection rule has certificate and PEAP authentication enabled. The Wi-Fi profile is being pushed out by Intune; however, this is the first time we have done it this way, normally it is done via GPO. Any tips on where the issue might be? Thanks Rob |
So I added Certificate / SmartCard into the PEAP properties on the connection request (it was already listed separately outside of PEAP). I am now getting error 16 authentication failed...mismatch. I've tried saqib's script and still the same. Our device cert has subject CN={{AAD_Device_ID}} and UPN=host/{{AAD_Device_ID}}. I've made the following modifications to both scripts, removing Get-Object here as it fails otherwise:
# Pull latest Autopilot device information
$AutopilotDevices = Get-AutopilotDevice
and also on Saqib's script 2 changes: removed .host, otherwise there is a casting error, and also added a filter due to the amount of certificates our CA has issued!! Hopefully it is something simple? Thanks Rob |
Got it working, unsure which fix it was, but did the 3 reg keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
and the SAN mapping key. Thanks all |
I would not go into production with "StrongCertificateBindingEnforcement" set to 0, which disables the strong certificate mapping check. This is not recommended because it will disable all security enhancements. Note this from Microsoft: You should be building your solution to work with secure certificate binding. |
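An added audit example, not code from this thread, that reads the three registry values discussed above (the two under Kdc and CertificateMappingMethods under Schannel) on every domain controller, RODCs included, and flags the disabled setting the comment above warns against. It assumes the ActiveDirectory module and WinRM access to the DCs; the value meanings (0 disabled, 1 compatibility, 2 full enforcement) are Microsoft's, not the thread's.

```powershell
# Added example: audit KB5014754-related registry values across all DCs so that a
# "works on my DC" result is not mistaken for a domain-wide configuration.
Import-Module ActiveDirectory

$registryChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'; Name = 'StrongCertificateBindingEnforcement' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'; Name = 'CertificateBackdatingCompensation' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'; Name = 'CertificateMappingMethods' }
)

function Get-CertificateMappingAudit {
    # -Filter * returns writable DCs and RODCs; the thread found RODC-backed NPS behaves differently.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $raw = Invoke-Command -ComputerName $dc.HostName -ArgumentList (,$registryChecks) -ScriptBlock {
            param($checks)
            foreach ($c in $checks) {
                $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
                [pscustomobject]@{ Name = $c.Name; Value = $(if ($item) { $item.($c.Name) } else { $null }) }
            }
        }
        $state = @{}
        foreach ($r in $raw) { $state[$r.Name] = $r.Value }

        $enforcement = $state['StrongCertificateBindingEnforcement']
        $assessment = switch ($enforcement) {
            0       { 'DISABLED: strong mapping check off, do not run in production' }
            1       { 'Compatibility: weak mappings still allowed (logged), enforcement deadline applies' }
            2       { 'Full enforcement: only strong mappings accepted' }
            default { 'Not set: the update default for this build applies' }
        }
        $methods = $state['CertificateMappingMethods']

        [pscustomobject]@{
            DomainController         = $dc.HostName
            IsReadOnly               = $dc.IsReadOnly
            StrongBindingEnforcement = $enforcement
            MappingMethods           = $(if ($null -ne $methods) { '0x{0:X}' -f [int]$methods } else { $null })
            BackdatingCompensation   = $state['CertificateBackdatingCompensation']
            Assessment               = $assessment
        }
    }
}

Get-CertificateMappingAudit | Format-Table -AutoSize
```

Any DC reporting DISABLED, or a mix of settings across DCs, explains the inconsistent "credentials mismatch" results reported earlier in this thread better than the NPS configuration does.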
Never made production; however, I've gone to try this again with a view to working towards production, and again the devices won't connect:
Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information.
User:
Client Machine:
NAS:
RADIUS Client:
Authentication Details:
This is with the 4 keys mentioned above. The host has a certificate issued from internal cert services. The host has been synced to AD. There is an altSecurityIdentities entry. Unsure where else to look!!! Really want to move our shared on-premise laptops to Autopilot but this is proving to be a blocker! I don't want to have to create a separate SSID and definitely don't want a passworded one! Thanks, Robbie |
A community blog and subsidiary of WinAdmins.io
https://sysmansquad.com/2021/04/27/working-around-nps-limitations-for-aadj-windows-devices/