Question
Monday, December 4, 2017 2:55 PM
Hello!
Stupid question: what certificates should VPN clients use to make an IKEv2 connection - user certificates or computer certificates?
After googling for a long time I realized that the articles I've managed to find (quite a few, I'd say) may contain rather contradictory information, for example:
1) https://technet.microsoft.com/en-us/library/ff687731(v=ws.10).aspx?f=255&MSPPError=-2147217396
"IKEv2 supports computer certificate and Extensible Authentication Protocol (EAP)-based authentication. NPS is required only when using EAP-based authentication."
2) /en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-overview
"Configure certificate autoenrollment in Group Policy
You can configure Group Policy on the domain controller so that domain members automatically request user and computer certificates.
This allows VPN users to automatically request and retrieve user certificates that authenticate VPN connections. Likewise, this policy allows NPS servers to automatically request server authentication certificates. (You will manually enroll certificates on VPN servers.)
.......
Create the User Authentication template
You can use this section to configure a custom client–server authentication template.
This template is required because you want to improve the certificate’s overall security by selecting upgraded compatibility levels and choosing the Microsoft Platform Crypto Provider. Microsoft Platform Crypto Provider lets you use the Trusted Platform Module (TPM) on client computers to secure the certificate.
Note
For more information about TPM, see Trusted Platform Module Technology Overview.
To configure the User Authentication template
- On the CA, open Certification Authority.
- In the navigation pane, right-click Certificate Templates, and click Manage.
- In the Certificate Templates console, right-click User, and click Duplicate Template.
- On the Properties of New Template dialog box, on the General tab, complete the following steps:
  - In Template display name, type VPN User Authentication.
  - Clear the Publish certificate in Active Directory check box.
- On the Security tab, complete the following steps:
  - Click Add.
  - On the Select Users, Computers, Service Accounts, or Groups dialog box, type VPN Users, and click OK.
  - In Group or user names, click VPN Users.
  - In Permissions for VPN Users, select the Enroll and Autoenroll check boxes in the Allow column.
......"
So as you see, while 1) "says" IKEv2 supports either computer certificates or EAP, 2) "says" let's create user certificates for IKEv2 ... ???
Any links to the IKEv2 documentation in Windows Server 2016 will be greatly appreciated!
Thank you in advance,
Michael
All replies (7)
Tuesday, December 12, 2017 2:25 AM ✅Answered
Hi ,
Sorry for the delayed response. I was on vacation and I came today.
>> Do I understand it right that Use a certificate on this computer in the EAP section can mean only User certificate?
As far as I know, your understanding is right.
Best Regards,
Candy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Tuesday, December 5, 2017 9:45 AM
Hi Michael,
>>what certificates should vpn clients use to make a IKEv2 connection - user certificates or computer certificates?
As the name indicates, they are used to identify a computer or a user, authenticating the client to the server and establishing precisely who they are. The difference is that the computer account applies to the machine, and the user account applies to the user.
You could choose one of them to make an IKEv2 connection. In addition, no authentication method requires both a computer certificate and a user certificate/account.
>> while 1) "says" IKEv2 supports either computer certificates or EAP, 2) "says" let's create user certificates for IKEv2 ...
Here is an article talking about the steps of setting up a VPN server on Windows Server 2016 with a computer certificate, for your reference:
How To Set Up VPN Server on Windows Server 2016
http://www.techsupportpk.com/2017/01/set-up-vpn-server-on-windows-server-2016.html
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Best Regards,
Candy
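As an added illustration (not code from any reply in this thread) of the two client-side choices discussed in the accepted answer and in the reply above: native IKEv2 authenticates with a computer certificate from the machine store, while the EAP option ("Use a certificate on this computer" under "Microsoft: Smart Card or other certificate") authenticates with a user certificate from the logged-on user's store. The server name and connection names are placeholders, and the EKU check reflects the Client Authentication purpose a VPN client certificate is normally issued with.

```powershell
# Added example, not from the thread. Server name and connection names are placeholders.
$server = 'vpn.example.com'

# Helper: list certificates in a store that have a private key and carry the
# Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), the purpose a VPN client
# certificate (computer or user) is normally enrolled with.
function Get-ClientAuthCert {
    param([string]$StorePath)
    Get-ChildItem $StorePath |
        Where-Object { $_.HasPrivateKey -and
                       $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
        Select-Object Subject, NotAfter, Thumbprint
}

# Option 1: native IKEv2 with a COMPUTER certificate.
# The certificate must live in the machine store, so this is what
# "IKEv2 supports computer certificate ... authentication" refers to.
# -AllUserConnection makes the connection available before a user logs on.
'Computer certificates eligible for IKEv2 machine-certificate authentication:'
Get-ClientAuthCert -StorePath 'Cert:\LocalMachine\My'

Add-VpnConnection -Name 'IKEv2-MachineCert' -ServerAddress $server `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -AllUserConnection -PassThru

# Option 2: IKEv2 with EAP, where the EAP method "Microsoft: Smart Card or other
# certificate" set to "Use a certificate on this computer" picks a USER
# certificate from the current user's store. The EAP method itself is chosen in
# the connection's properties afterwards, or supplied as XML via -EapConfigXmlStream.
'User certificates eligible for EAP certificate authentication:'
Get-ClientAuthCert -StorePath 'Cert:\CurrentUser\My'

Add-VpnConnection -Name 'IKEv2-UserCert-EAP' -ServerAddress $server `
    -TunnelType Ikev2 -AuthenticationMethod Eap -PassThru
```

If the first listing is empty the computer has no enrollable machine certificate and option 1 cannot work; if the second is empty the user has not autoenrolled the VPN User Authentication template described in the question.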
Thursday, December 7, 2017 2:14 AM
Hi Michael,
Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.
Best Regards,
Candy
Friday, December 8, 2017 1:41 AM
Hi Michael,
If you have other concerns, welcome to feedback.
Best Regards,
Candy
Friday, December 8, 2017 3:11 PM
Hi Candy,
Thank you for your help!
Regards,
Michael
Friday, December 8, 2017 3:16 PM
P.S.
Do I understand it right that Use a certificate on this computer in the EAP section can mean only User certificate?
Tuesday, December 12, 2017 7:36 AM
Hi Candy,
Thank you so much for your help!!!
Regards,
Michael