From f11c8139d7340f866cf435bf471d6dc35133b96f Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Tue, 10 Nov 2020 09:24:57 +0100 Subject: [PATCH 1/4] Update vpn-conditional-access.md Updating the note describing prerequisites for using SSO with information relevant for AAD only joined devices. --- .../identity-protection/vpn/vpn-conditional-access.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index fc09e68a62..002d10e812 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -77,7 +77,9 @@ Two client-side configuration service providers are leveraged for VPN device com - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification > [!NOTE] -> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources. +> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources. +> +> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has in Subject and SAN (Subject Alternative Name) the user UPN from AzureAD, the VPN profile must be modified to ensure the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing entry **UseRasCredentials** from 1 (default) to 0 (zero). ## Client connection flow From ea38b9d7d7c0644c7d50a5b031f9fdd2a195981a Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Wed, 11 Nov 2020 11:41:25 +0100 Subject: [PATCH 2/4] Update vpn-conditional-access.md --- .../security/identity-protection/vpn/vpn-conditional-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 002d10e812..fa1a76285a 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -79,7 +79,7 @@ Two client-side configuration service providers are leveraged for VPN device com > [!NOTE] > Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources. > -> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has in Subject and SAN (Subject Alternative Name) the user UPN from AzureAD, the VPN profile must be modified to ensure the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing entry **UseRasCredentials** from 1 (default) to 0 (zero). +> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name) , the VPN profile must be modified to ensure the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing entry **UseRasCredentials** from 1 (default) to 0 (zero). ## Client connection flow From 02c827d6519422a73e2deff16618d5425aeaac76 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Fri, 13 Nov 2020 08:41:35 +0100 Subject: [PATCH 3/4] Update windows/security/identity-protection/vpn/vpn-conditional-access.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../security/identity-protection/vpn/vpn-conditional-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index fa1a76285a..7368d59e07 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -79,7 +79,7 @@ Two client-side configuration service providers are leveraged for VPN device com > [!NOTE] > Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources. > -> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name) , the VPN profile must be modified to ensure the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing entry **UseRasCredentials** from 1 (default) to 0 (zero). +> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero). ## Client connection flow From 776ea6eefc2364f08d6d3c2cc8f325e0914b032e Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Fri, 13 Nov 2020 08:45:06 +0100 Subject: [PATCH 4/4] Update windows/security/identity-protection/vpn/vpn-conditional-access.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../security/identity-protection/vpn/vpn-conditional-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 7368d59e07..9aee353de2 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -74,7 +74,7 @@ Two client-side configuration service providers are leveraged for VPN device com - Collects TPM data used to verify health states - Forwards the data to the Health Attestation Service (HAS) - Provisions the Health Attestation Certificate received from the HAS - - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification + - Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification > [!NOTE] > Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources.