JamesEdmonds-7766 asked CandyLuo-MSFT commented

Effect of enabling certificate authentication on existing SSTP VPN server

Hi,

My predecessor has deployed an SSTP VPN server using RRAS in our environment.
I'm looking to expand this to include always on VPN, but I'm not overly familiar with the intricacies of RRAS and how it is configured.

My question is:
If the Get-VpnAuthProtocol already shows that UserAuthProtocolAccepted is set to {EAP, MsChapv2, Certificate}, what is the effect of running the command given in MS docs to enable machine certificate auth?

 $VPNRootCertAuthority = "Common Name of trusted root certification authority"
 $RootCACert = (Get-ChildItem -Path cert:LocalMachine\root | Where-Object {$_.Subject -Like "$VPNRootCertAuthority" })
 Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -RootCertificateNameToAccept $RootCACert -PassThru

I get the feeling that as certificate auth already shows, all I need to do is set the root CA to use for those incoming certificate authentications?
Will this likely have any impact on existing user level SSTP connections?

Many thanks
James



1 Answer

CandyLuo-MSFT answered CandyLuo-MSFT commented

Hi,

If UserAuthProtocolAccepted is set to {EAP, MsChapv2, Certificate}, then you can add MsChapv2 in the following command:

 $VPNRootCertAuthority = "Common Name of trusted root certification authority"
 $RootCACert = (Get-ChildItem -Path cert:LocalMachine\root | Where-Object {$_.Subject -Like "$VPNRootCertAuthority" })
 Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, MsChapv2, EAP -RootCertificateNameToAccept $RootCACert -PassThru

Then, in theory, it should not have any impact on existing SSTP connections.

Best Regards,
Candy
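
An added example, not part of the answer above or of the MS docs command: one way to apply the change so that every protocol the server already accepts is kept, with a check on the root CA lookup first. The variable names other than `$VPNRootCertAuthority` and `$RootCACert`, the `*CN=...*` wildcard match and the expiry filter are assumptions of this sketch.

```powershell
# Added example; run in an elevated session on the RRAS server.
$VPNRootCertAuthority = "Common Name of trusted root certification authority"  # placeholder, as in the thread

# 1. Snapshot what the server accepts today, for comparison and rollback.
$before = Get-VpnAuthProtocol
$beforeProtocols = [string[]]@($before.UserAuthProtocolAccepted)
Write-Host "Currently accepted: $($beforeProtocols -join ', ')"

# 2. Resolve the root CA. Assumption: match on CN with wildcards, and require
#    exactly one unexpired certificate so the wrong root is never bound.
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$VPNRootCertAuthority*" -and $_.NotAfter -gt (Get-Date) })
if ($candidates.Count -ne 1) {
    throw "Expected exactly 1 matching root CA, found $($candidates.Count). Nothing changed."
}
$RootCACert = $candidates[0]
Write-Host "Root CA: $($RootCACert.Subject) [$($RootCACert.Thumbprint)]"

# 3. Build the new list as a union, so MsChapv2 (or anything else in use) is kept.
$wanted = [string[]]@($beforeProtocols + 'Certificate', 'EAP' | Sort-Object -Unique)

# 4. Apply, then re-read the setting rather than trusting the call's output.
Set-VpnAuthProtocol -UserAuthProtocolAccepted $wanted -RootCertificateNameToAccept $RootCACert
$after = Get-VpnAuthProtocol
$afterProtocols = [string[]]@($after.UserAuthProtocolAccepted)

# 5. Fail loudly if any previously accepted protocol disappeared.
$dropped = @($beforeProtocols | Where-Object { $_ -notin $afterProtocols })
if ($dropped.Count -gt 0) {
    Write-Warning "No longer accepted: $($dropped -join ', '). To restore:"
    Write-Warning "Set-VpnAuthProtocol -UserAuthProtocolAccepted $($beforeProtocols -join ', ')"
} else {
    Write-Host "Now accepted: $($afterProtocols -join ', ')"
}
```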



Thank you.

I will give this a go and report back.

Many thanks
James


I will wait for your updates.


Can confirm it did NOT impact user SSTP connections :)

Thank you.
