Log or Capture Thumbprints of successful connections

Kenny Parsons 1 Reputation point
2022-04-26T16:42:39.857+00:00

I am trying to audit certificates that we've generated to access our Virtual Network Gateway P2S VPN. Previous owners of the VNG did not track the certificates and we have no way of knowing what certificates are in the wild with valid thumbprints (we allow the root certificate, so if it's signed by the root, it's valid).

So my first thought was to use the metrics and azure resource queries to find successful connections. I used one of the example queries to pull successful connections, but the message only returns the username. It does not show Thumbprints for the connection authentication.

How can I do this audit? I don't want to have to revoke the root cert and resign everyone's client certificate. Is there a way to retrieve the thumbprint of the certificate used to create successful connections?


1 answer

  1. GitaraniSharma-MSFT 47,316 Reputation points Microsoft Employee
    2022-05-10T08:36:24.663+00:00

    Hello @Kenny Parsons ,

    I understand that you would like to log or capture Thumbprints of successful Azure P2S VPN connections for auditing purposes.

    I discussed this requirement with the Azure VPN Product Group team and below are the steps provided by them to see the thumbprints used in auth flows:

    You can check the P2SDiagnosticLog to see the thumbprints used in auth flows. You can perform log analysis by following the first 6 steps in the below doc:
    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log

    Once you have enabled Diagnostics and configured the Log Analytics, follow the steps below:

    1) Navigate to the Log Analytics Workspace you configured in the Azure Portal
    2) Click on Logs
    3) Paste the following replacing NameOfGateway with the name of your gateway in the Query window and click run

    AzureDiagnostics
    | where Category == "P2SDiagnosticLog" and Resource == "NameOfGateway" and Message contains "Received client certificate with Username"
    | extend Thumbprint = split(Message,"Thumbprint=",1)
    | extend Thumbprint = tostring(Thumbprint[0])
    | distinct Thumbprint, Resource


    4) Compare the certificate chain for the certificates with the thumbprints from the logs against your current and previous Root Certificate

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
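The steps in the answer end with comparing the thumbprints from the log against the certificates you know about. The following is an added example of that comparison step and is not code from the Q&A or from Microsoft: it takes rows exported from the Log Analytics query above (for example as CSV or JSON), extracts the thumbprint the same way the KQL `split(Message, "Thumbprint=", 1)` does, and checks each one against an inventory of thumbprints you issued. The message shape (`Username=... Thumbprint=...`), the sample rows and the inventory are all constructed for the example; the real P2SDiagnosticLog wording may differ, so adjust the marker strings if it does. Note that the log only carries thumbprints, not the certificates themselves, so chain validation against your root still needs the actual client certificate (or its PFX) that the thumbprint identifies.

```python
"""Audit P2S client-certificate thumbprints from exported P2SDiagnosticLog rows.

Added example, not part of the original Q&A. Assumes rows exported from the
Log Analytics query in the answer, with Message text shaped like
"... Username=<user> ... Thumbprint=<hex>" (an assumption, see lead-in).
"""
import re
from collections import defaultdict

# Constructed sample rows. The message shape is an assumption based on the
# "Received client certificate with Username" / "Thumbprint=" strings in the KQL.
SAMPLE_ROWS = [
    {"Resource": "NameOfGateway",
     "Message": "Received client certificate with Username=alice@contoso.example "
                "Thumbprint=A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"},
    {"Resource": "NameOfGateway",
     "Message": "Received client certificate with Username=bob@contoso.example "
                "Thumbprint=0000111122223333444455556666777788889999"},
    # Same cert as alice's first row, but with colon separators and lowercase hex.
    {"Resource": "NameOfGateway",
     "Message": "Received client certificate with Username=alice@contoso.example "
                "Thumbprint=a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:12:34:56:78"},
    # A second username presenting bob's certificate: worth a look.
    {"Resource": "NameOfGateway",
     "Message": "Received client certificate with Username=mallory@contoso.example "
                "Thumbprint=0000111122223333444455556666777788889999"},
    # A line without a thumbprint; the KQL filter would drop it, and so do we.
    {"Resource": "NameOfGateway",
     "Message": "Connection successful for Username=carol@contoso.example"},
]

# Constructed inventory of thumbprints you know you issued (e.g. computed from the
# PFX files you still hold). Anything not in here is the audit finding.
KNOWN_THUMBPRINTS = {
    "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678",
}

_USER_RE = re.compile(r"Username=(\S+)")


def normalize_thumbprint(raw):
    """Uppercase hex with separators removed, the form certmgr.msc shows."""
    return re.sub(r"[^0-9A-Fa-f]", "", raw).upper()


def extract_thumbprint(message):
    """Mirror split(Message, "Thumbprint=", 1): take the text after the marker.

    Returns None when the marker is absent or the value is not a 20-byte SHA-1
    thumbprint (40 hex digits), so malformed lines cannot pollute the report.
    """
    marker = "Thumbprint="
    idx = message.find(marker)
    if idx == -1:
        return None
    parts = message[idx + len(marker):].split()  # stop at next whitespace
    if not parts:
        return None
    tp = normalize_thumbprint(parts[0])
    return tp if len(tp) == 40 else None


def extract_username(message):
    m = _USER_RE.search(message)
    return m.group(1) if m else "<no username>"


def audit(rows, known):
    """Return {thumbprint: {"users": set, "known": bool}} for every thumbprint seen."""
    seen = defaultdict(lambda: {"users": set(), "known": False})
    for row in rows:
        tp = extract_thumbprint(row["Message"])
        if tp is None:
            continue
        seen[tp]["users"].add(extract_username(row["Message"]))
        seen[tp]["known"] = tp in known
    return dict(seen)


def findings(report):
    """Findings: thumbprints not in inventory, and one cert presented by several usernames."""
    out = []
    for tp, info in sorted(report.items()):
        if not info["known"]:
            out.append(f"UNKNOWN cert {tp} used by {sorted(info['users'])}")
        if len(info["users"]) > 1:
            out.append(f"SHARED cert {tp} used by {len(info['users'])} distinct usernames")
    return out


if __name__ == "__main__":
    for line in findings(audit(SAMPLE_ROWS, KNOWN_THUMBPRINTS)):
        print(line)
```

Thumbprints are normalized before comparison because exported logs, `certutil` output and certmgr.msc disagree on case and separators; without that step a legitimate certificate can show up as "unknown" simply because it was pasted with colons. Running the script on the constructed rows reports one unknown thumbprint, which is also the one shared by two usernames.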