{"id":5923,"date":"2022-08-01T23:47:03","date_gmt":"2022-08-01T23:47:03","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=5923"},"modified":"2022-08-01T23:47:03","modified_gmt":"2022-08-01T23:47:03","slug":"kb5014754-certificate-based-authentication-changes-on-windows-2012-domain-controllers","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/kb5014754-certificate-based-authentication-changes-on-windows-2012-domain-controllers","title":{"rendered":"KB5014754: Certificate-based authentication changes on Windows 2012 domain controllers"},"content":{"rendered":"
Customer has 2012 DC’s with NPS and the Azure MFA extension for their Cisco Meraki Client VPN<\/div>
\u00a0<\/div>
All staff were not able to connect to the VPN from 8am. I have not found why it started at this time. Users before this were able to log in…<\/div>
\u00a0<\/div>
Event Viewer showed\u00a0Unknown username or bad password in use.<\/i><\/div>
\u00a0<\/div>

\"\"<\/p><\/div>

\u00a0<\/div>
The NPS MFA extension leads you down a path that isn’t correct (for me). Dont trust this.<\/div>
\u00a0<\/div>

\"\"<\/p><\/div>

\u00a0<\/div>
Also dont trust the reason codes in the NPS logs<\/div>
You may see reason code 21, <Reason-Code data_type=”0″>21<\/Reason-Code><\/Event> Further pointing to MFA extension issues.<\/div>
https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2008-R2-and-2008\/dd197464(v=ws.10)<\/a><\/div>
\u00a0<\/div>
\u00a0<\/div>
To prove its not MFA related you can run the Check tool
https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/howto-mfa-nps-extension#:~:text=NPS%20extension%20health%20check%20script<\/a><\/div>
\u00a0<\/div>
Run with powershell and select option 1 to temporarily remove the MFA requirement and attempt a login to prove its not MFA.<\/div>
\u00a0<\/div><\/div>
New errors in NPS logs.<\/div>
I was getting\u00a0<Reason-Code data_type=”0″>16<\/Reason-Code> Not the most helpful and there are LOTS of results. But\u00a0I found the below recent article which fixed it for me.\u00a0<\/div>
\u00a0<\/div>
I did apply these keys for all the domain controllers. But that might be overkill and unnecessary. The real fix is to get off server 2012.<\/div>
\u00a0<\/div>
https:\/\/support.microsoft.com\/en-gb\/topic\/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16<\/a><\/div>
\u00a0<\/div>
KB5014754: Certificate-based authentication changes on Windows domain controllers<\/a><\/div>
Note Certain fields, such as Issuer, Subject, and Serial Number, are reported in a \u201cforward\u201d format.You must reverse this format when you add the mapping string to the altSecurityIdentities attribute. For example, to add the X509IssuerSerialNumber mapping to a user, search the \u201cIssuer\u201d and \u201cSerial Number\u201d fields of the certificate that you want to map to the user.<\/div>
support.microsoft.com<\/div><\/td><\/tr><\/tbody><\/table>
?<\/i><\/div><\/div><\/div>
\u00a0<\/div>
This isn’t complete yet, after enabling MFA I now have TLS and cipher errors from the MFA plugin.\u00a0<\/div>
\u00a0<\/div>
But hopefully this will be an easy fix.<\/div>
\u00a0<\/div>

\"\"<\/p><\/div>","protected":false},"excerpt":{"rendered":"

Customer has 2012 DC’s with NPS and the Azure MFA extension for their Cisco Meraki Client VPN\u00a0All staff were not able to connect to the VPN from […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[2193,3865,1193,2460,1351],"class_list":["post-5923","post","type-post","status-publish","format-standard","hentry","category-research","tag-2193","tag-based-auth","tag-certificate","tag-meraki","tag-vpn"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t