Effect of enabling certificate authentication on existing SSTP VPN server

James Edmonds 811 Reputation points
2021-07-23T19:36:11.587+00:00

Hi,

My predecessor has deployed an SSTP VPN server using RRAS in our environment.
I'm looking to expand this to include always on VPN, but I'm not overly familiar with the intricacies of RRAS and how it is configured.

My question is: if Get-VpnAuthProtocol already shows that UserAuthProtocolAccepted is set to {EAP, MsChapv2, Certificate}, what is the effect of running the command given in the MS docs to enable machine certificate auth?
$VPNRootCertAuthority = "Common Name of trusted root certification authority"
$RootCACert = (Get-ChildItem -Path cert:LocalMachine\root | Where-Object {$_.Subject -Like "$VPNRootCertAuthority" })
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -RootCertificateNameToAccept $RootCACert -PassThru

I get the feeling that as certificate auth already shows, all I need to do is set the root CA to use for those incoming certificate authentications?
Will this likely have any impact on existing user level SSTP connections?

Many thanks
James


Accepted answer
Candy Luo 12,646 Reputation points Microsoft Vendor
2021-07-26T08:44:22.75+00:00

Hi,

If UserAuthProtocolAccepted is set to {EAP, MsChapv2, Certificate}, then you can add MsChapv2 in the following command:

$VPNRootCertAuthority = "Common Name of trusted root certification authority"
$RootCACert = (Get-ChildItem -Path cert:LocalMachine\root | Where-Object {$_.Subject -Like "$VPNRootCertAuthority" })
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, MsChapv2, EAP -RootCertificateNameToAccept $RootCACert -PassThru

Then, in theory, it should not have any impact on existing SSTP connections.

Best Regards,
Candy

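The following script is an added example for this thread; it is not code from the question, the accepted answer, or the Microsoft docs. It does what the answer recommends (keep every protocol already in UserAuthProtocolAccepted and only add the root CA pin) but reads the current RRAS state first, matches the root CA on its CN component rather than the whole subject string, refuses to continue on zero or multiple matches or an expired CA, and verifies afterwards that no previously accepted protocol was dropped. It assumes it runs elevated on the RRAS server with the RemoteAccess module present, that $VPNRootCertAuthority is replaced with your real root CA common name (placeholder below), and that Get-VpnAuthProtocol returns RootCertificateNameToAccept as an X509Certificate2 object with Subject and Thumbprint properties.

```powershell
# Added example (not from the thread or the Microsoft docs): enable machine-certificate
# authentication on an existing RRAS SSTP server without removing the user-auth
# protocols that current clients rely on.
# Assumptions: elevated session on the RRAS server, RemoteAccess module available,
# $VPNRootCertAuthority set to the CN of the trusted root CA (placeholder value).

Import-Module RemoteAccess -ErrorAction Stop

$VPNRootCertAuthority = "Common Name of trusted root certification authority"   # placeholder

# 1. Capture the current configuration so the change is reviewable and reversible.
$before = Get-VpnAuthProtocol
Write-Host "Accepted before: $($before.UserAuthProtocolAccepted -join ', ')"
Write-Host "Root CA before : $($before.RootCertificateNameToAccept.Subject)"

# 2. Locate the root CA. Subjects are distinguished names such as
#    "CN=Contoso Root CA, O=Contoso, C=US", so match the CN component and insist on
#    exactly one hit: a loose wildcard match could make RRAS trust the wrong issuer
#    for device certificates.
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq "CN=$VPNRootCertAuthority" -or
                   $_.Subject -like "CN=$VPNRootCertAuthority,*" })

if ($candidates.Count -ne 1) {
    throw "Expected exactly one root CA with CN=$VPNRootCertAuthority in LocalMachine\Root, found $($candidates.Count)."
}
$RootCACert = $candidates[0]
if ($RootCACert.NotAfter -lt (Get-Date)) {
    throw "Root CA $($RootCACert.Thumbprint) expired on $($RootCACert.NotAfter); certificate auth would fail."
}

# 3. Build the new protocol list as a superset of what is already accepted, so
#    existing user-level SSTP clients (EAP / MsChapv2) keep their method.
$protocols = @($before.UserAuthProtocolAccepted) + 'Certificate' | Select-Object -Unique

# 4. Apply the change and read the resulting configuration back.
$after = Set-VpnAuthProtocol -UserAuthProtocolAccepted $protocols `
                             -RootCertificateNameToAccept $RootCACert -PassThru

# 5. Verify that nothing was dropped and that the selected root CA is now pinned.
#    (Thumbprint comparison assumes RootCertificateNameToAccept is an X509Certificate2.)
$dropped = @($before.UserAuthProtocolAccepted | Where-Object { $_ -notin $after.UserAuthProtocolAccepted })
if ($dropped.Count -gt 0) {
    Write-Warning "Protocols no longer accepted: $($dropped -join ', '). Review before clients reconnect."
}
if ($after.RootCertificateNameToAccept.Thumbprint -ne $RootCACert.Thumbprint) {
    Write-Warning "RRAS reports a different root CA than the one selected."
}
Write-Host "Accepted after : $($after.UserAuthProtocolAccepted -join ', ')"
Write-Host "Root CA after  : $($after.RootCertificateNameToAccept.Subject) [$($after.RootCertificateNameToAccept.Thumbprint)]"
```

Setting the protocol list from $before rather than typing it by hand is the point: the command in the docs replaces the whole list, so omitting MsChapv2 there would reject the next reconnect from any client still using it. The script only writes configuration; restarting the RemoteAccess service, if you choose to do that afterwards, is what disconnects active tunnels, so keep that outside business hours.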

