Cameron's questions

I am trying to create a Windows Always On VPN connection between an AD and AAD joined Windows 10 client and a StrongSwan VPN server. The Windows client has multiple "Client Authentication" certificates in its machine store, one from our internal AD CA, and one from Microsoft Intune MDM.

When using a user tunnel with EAP authentication, we can specify an issuer fingerprint so that the VPN client picks the correct certificate, however, this same option does not seem to be available when using "Certificate" authentication for device VPNs:

This value can be one of the following:

• Certificate

Or from the rasphone UI, no options are available either:

End result is that it tries to authenticate using the Intune MDM certificate instead of the one issued by our CA, and strongswan is configured to only accept connections with certificates issued by our CA.

Is there any way to tell Windows to use a certificate issued by a particular CA when connecting to a VPN with a machine cert?

Having a problem where a Windows 10 client connected to the domain via DirectAccess isn't updating the client DNS records on the domain's nameserver. Instead, it appears to be trying to update the public DNS infrastructure.

When I run ipconfig /registerdns, I get the following in Event Viewer:

The system failed to register host (A or AAAA) resource records for network adapter
with settings:

           Adapter Name : {1D45B42E-3DE0-40FF-9306-C6017F422CD3}
           Host Name : D8058
           Primary Domain Suffix : ad.isg.global
           DNS server list :
                 1.0.0.1, 1.1.1.1, 2606:4700:4700::1111, 2606:4700:4700::1001
           Sent update to server : <?>
           IP Address(es) :
             2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:cbac, 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:cbac, 172.16.100.72

Either the DNS server does not support the DNS dynamic update protocol or the authoritative zone for the specified DNS domain name does not accept dynamic updates.

To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

Note that the 2801 address is the computer's IPv6 address on the client's local network (publicly routable), and 172.16.100.72 is the IPv4 address on the local network. 1.1.1.1 and 1.0.0.1 are the DNS servers provided by the client router's DHCP server.

In other words, it appears to be trying to update the record on the public DNS infrastructure, rather than the domain's DNS server. I have confirmed on Wireshark that it is trying to send the update requests to 1.1.1.1.

DNS resolution for network servers is working completely fine, however:

> ping dc01

Pinging dc01.redacted.network [fda4:9e55:xxxx:xxxx::xxxx:300a] with 32 bytes of data:
Reply from fda4:9e55:xxxx:xxxx::xxxx:300a: time=21ms
Reply from fda4:9e55:xxxx:xxxx::xxxx:300a: time=11ms

> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:cbac
   IPv6 Address. . . . . . . . . . . : 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:cbac
   Temporary IPv6 Address. . . . . . : 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:8e46
   Temporary IPv6 Address. . . . . . : 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:8e46
   Link-local IPv6 Address . . . . . : fe80::4186:420e:3109:cbac%3
   IPv4 Address. . . . . . . . . . . : 172.16.100.72
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::7a8a:20ff:fe41:a8bf%3
                                       172.16.100.1

Tunnel adapter Microsoft IP-HTTPS Platform Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : fda4:9e55:xxxx:xxxx:xxxx:xxxx:xxxx:ca42
   Temporary IPv6 Address. . . . . . : fda4:9e55:xxxx:xxxx:xxxx:xxxx:xxxx:f3e1
   Link-local IPv6 Address . . . . . : fe80::145a:43a2:73ff:ca42%5
   Default Gateway . . . . . . . . . :

> Get-DnsClientNrptPolicy

Namespace                        : .redacted.network
QueryPolicy                      :
SecureNameQueryFallback          :
DirectAccessIPsecCARestriction   :
DirectAccessProxyName            :
DirectAccessDnsServers           : fda4:9e55:xxxx:xxxx::1
DirectAccessEnabled              :
DirectAccessProxyType            : NoProxy
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   : False
NameServers                      :
DnsSecIPsecCARestriction         :
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         : False
DnsSecValidationRequired         : False
NameEncoding                     : Utf8WithoutMapping

Namespace                        : DirectAccess-NLS.redacted.network
QueryPolicy                      :
SecureNameQueryFallback          :
DirectAccessIPsecCARestriction   :
DirectAccessProxyName            :
DirectAccessDnsServers           :
DirectAccessEnabled              :
DirectAccessProxyType            : UseDefault
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   : False
NameServers                      :
DnsSecIPsecCARestriction         :
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         : False
DnsSecValidationRequired         : False
NameEncoding                     : Utf8WithoutMapping

Client DNS record updates are working fine on other DirectAccess clients. The only difference I am aware of is that this network has a native IPv6 address, but that could be a red herring.

I have created an ADFS server according to the guide on technet. However, when attempting to add a secondary ADFS server using the latter part of this guide on technet, the process fails.

PS > Import-Module ADFS
PS > $serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."
PS > Add-AdfsFarmNode `
>> -CertificateThumbprint:"REDACTED" `
>> -OverwriteConfiguration:$true `
>> -PrimaryComputerName:"awsfed01.ad.redacted.com" `
>> -ServiceAccountCredential:$serviceAccountCredential
>>
Add-AdfsFarmNode : MSIS7711: PolicyOperationFault
At line:1 char:1
+ Add-AdfsFarmNode `
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-AdfsFarmNode], FaultException
    + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.JoinFarmCommand


Message                                 Context                                                                  Status
-------                                 -------                                                                  ------
Unable to synchronize local database... DeploymentTask                                                            Error

The following errors now appear in the event log on the server I am attempting to configure every five minutes:

Source: AD FS, Event ID 344:

There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur. 

Source: AD FS, Event ID 345:

There was a communication error during AD FS configuration database synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur. 

Additional Data 

Master Name : awsfed01.ad.redacted.com 
Endpoint Uri : http://awsfed01.ad.redacted.com/adfs/services/policystoretransfer 
Exception details: 
System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
   at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)

The primary ADFS server's Security Audit Log contains an audit failures every time the secondary attempts to connect with the following details:

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       msa-adfs$
    Account Domain:     RDC

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:         0x80090302
    Sub Status:     0xC0000418

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   AWSFED20
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

Environment details

• I am using Windows Server 2012 R2 with ADFS 3.0
• My domain is ad.redacted.com (or RDC\). Additionally, I have redacted.com and redacted.co.uk as UPNs.
• I am using the WID database, not an external SQL server.
• I used a manually created a gMSA service account for my primary ADFS installation named RDC\msa-adfs$ - and am using this same account when trying to configure the secondary ADFS server. I configured its SPN - in accordance with various sources around the internet - to the following:
  • host/adfs.ad.redacted.com
  • http/adfs
  • host/adfs.ad.redacted.com
  • http/adfs
• The primary ADFS server's name is awsfed01.ad.redacted.com
• The secondary ADFS server - that I'm trying to configure - name is awsfed02.ad.redacted.com
• There is a DNS CNAME record for adfs.ad.redacted.com pointing at awsfed01.ad.redacted.com
• I used a SSL certificate signed by an external CA, with adfs.ad.redacted.com as the primary domain, and the following Subject Alternative Names:
  • adfs.ad.redacted.com
  • enterpriseregistration.ad.redacted.com
  • enterpriseregistration.redacted.com
  • enterpriseregistration.redacted.co.uk
• Both ADFS servers are configured with the Windows firewall enabled, but the network is configured to permit all traffic between them

I have tried configuring this multiple times from a blank server. Each time, the secondary ADFS server fails in the same way with the same error message.

Update: Reproduce with PowerShell

To try and reproduce this as reliably as possible, I have recreated what I'm doing with PowerShell.

Prerequisites: * Domain controller awsdc01 for domain ad.redacted.com aka RDC\ * Two federation servers: awsfed10, awsfed20 in a group named ADFS Servers

On awsdc01:

   New-ADServiceAccount -Name msa-adfs `
       -DNSHostName adfs.ad.redacted.com `
       -PrincipalsAllowedToRetrieveManagedPassword "ADFS Servers" 
       -ServicePrincipalNames "http/adfs.ad.redacted.com"

Executed successfully.

On awsfed10:

   Install-WindowsFeature adfs-federation –IncludeManagementTools
   Add-WindowsFeature RSAT-AD-PowerShell

   $password = ConvertTo-SecureString -String "Redacted" -Force -AsPlainText
   Import-PfxCertificate -FilePath C:\files\cert.pfx  cert:\localMachine\my -Password $password

   Import-Module ActiveDirectory
   Import-Module ADFS

   Install-ADServiceAccount msa-adfs
   Install-AdfsFarm -CertificateThumbprint:"XXX" -FederationServiceName:"adfs.ad.redacted.com" -GroupServiceAccountIdentifier RDC\msa-adfs$
   Initialize-ADDeviceRegistration -ServiceAccountName RDC\msa-adfs$
   Enable-AdfsDeviceRegistration

All executed successfully.

On awsfed20:

  Install-WindowsFeature adfs-federation –IncludeManagementTools
   Add-WindowsFeature RSAT-AD-PowerShell

   $password = ConvertTo-SecureString -String "Redacted" -Force -AsPlainText
   Import-PfxCertificate -FilePath C:\files\cert.pfx  cert:\localMachine\my -Password $password

   Import-Module ActiveDirectory
   Import-Module ADFS

   Install-ADServiceAccount msa-adfs
   Install-AdfsFarm -CertificateThumbprint:"XXX" -PrimaryComputerName:"awsfed10.ad.redacted.com" -GroupServiceAccountIdentifier RDC\msa-adfs$

Failed with the same errors as above.

I'm trying to deploy printers via Group Policy. Posts around the internet suggest using the Group Policy Preferences approach (User/Preferences/Control Panel Settings/Printers) is the preferred method.

However, the printer is failing to deploy, and the following error appears in the event viewer:

The user 'Epson Printer' preference item in the 'Group Policy Object {GUID}' Group Policy object did not apply because it failed with error code '0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.' This error was suppressed.

Various sources around the internet, including Microsoft Technet, suggest that the Point and Print Restrictions GPO policy needs to be modified in order for the drivers to be allowed to install without prompt.

This policy exists in both the User Configuration tree under User/Policies/Administrative Templates/Control Panel/Printers; and the Computer Configuration tree under Computer/Policies/Administrative Templates/Printers.

I have tried two approaches:

• Setting both User and Computer Point and Print Restrictions policy to Disabled.
• Setting both User and Computer Point and Print Restrictions policy to the configuration described in the above Technet article (screen capture of policy)

After each attempt, I performed a full directory replication, and on the test computer executed gpupdate /force from both an elevated admin and normal user command prompt, rebooted, then executed gpresult /H result.html to validate the settings have been applied.

However, I am still getting the above error in the event viewer and the printer is not installing.

If I manually add the printer with Add Printer in the control panel, the driver installs fine. Additionally if I use the "traditional" approach of deploying printer connections via Computer/Windows Settings/Deployed Printers, the printer driver and printer appear to install fine, but then I can't use some of the newer features supported by the GPP approach.

The Domain Controller is Windows Server 2012 R2 and the clients are Windows 10 Enterprise. All computers are up to date with the latest patches.

What is the durability for keys generated by and stored on AWS Key Management Service?

The Cryptographic Details Document states:

Durability The durability of cryptographic keys is designed to equal that of the highest durability services in AWS

But I can't find clarification anywhere on what exactly that might be.

I know that S3 is highly durable (99.999999999%), and finding anyone ever having experienced data loss on that service is practically impossible. Given the above, statement I would assume AWS KMS to have similar or greater levels of durability than S3.

Has a documented loss of an AWS KMS key ever occured?