Do I need to create certs when using Azure AD authentication only for p2s connection to an Azure VPN Gateway?

Nick Haywood 25 Reputation points
2023-03-08T21:23:57.47+00:00

I've read through the documentation below and followed the steps for setting up a p2s connection to an Azure VPN gateway using AAD authentication.

https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant

It makes no mention of creating and using certificates.

Likewise the documentation for setting up the client makes no mention of certificate settings either.

https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client

In the Azure VPN Client I am required to select a certificate for server validation. If I select a random one, the connection fails after I authenticate with AAD.

The error in windows is "Unable to verify configured Server Certificate policy. Please validate the Server Certificate Configuration. Error: Generic trust failure."

On Mac it's: "Error getKeyChainSecret: Failed to retrieve KeyChain secret. Status code -25300"

I'm confused because the documentation makes it seem like you only need to make a certificate if you are using certificate based authentication and not just AAD authentication.

Thanks.


Accepted answer
  1. GitaraniSharma-MSFT 47,006 Reputation points Microsoft Employee
    2023-03-09T04:40:54.4566667+00:00

    Hello @Nick Haywood ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if you need to create a certificate when using Azure AD authentication only for a P2S VPN connection to an Azure VPN Gateway.

    No, you don't need to create any certificate when using Azure AD authentication only for a P2S VPN connection to an Azure VPN Gateway.

    The certificate that is selected in the certificate information section of the Azure VPN client is a "DigiCert Global Root CA" certificate which should be auto-filled/auto-selected when you import the Azure VPN profile.

    If you are adding a connection manually, you should be able to select "DigiCert Global Root CA" from the drop-down.

    Below are the step-by-step instructions to configure Azure AD tenant and P2S VPN gateway & client for Azure VPN:

    • Create Azure AD tenant users.
    • Authorize the Azure VPN application. Once the consent is provided, Azure VPN Client shows up under Enterprise Applications within the Azure Active Directory.
    • Create a VPN gateway. NOTE: The Basic SKU is not supported for OpenVPN. Azure AD authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client.
    • Configure Point-to-site authentication for the gateway:
      Address pool: client address pool
      Tunnel type: OpenVPN (SSL)
      Authentication type: Azure Active Directory
      Tenant: https://login.microsoftonline.com/{AzureAD TenantID}
      Audience: 41b23e61-6c1e-4545-b367-cd054e0ed4b4
      Issuer: https://sts.windows.net/{AzureAD TenantID}/
      NOTE: Replace the AzureAD TenantID with the tenant ID that corresponds to your configuration. You can locate the tenant ID of the directory that you want to use for authentication in the properties section of your Active Directory page. For help with finding your tenant ID, see How to find your Azure Active Directory tenant ID.
    • Download the Azure VPN Client profile configuration package, extract the downloaded zip file and browse to the AzureVPN folder. Make a note of the location of the “azurevpnconfig.xml” file.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant

    • Download the Azure VPN Client: Download the latest version of the Azure VPN Client install files using one of the following links: Install using Client Install files: https://aka.ms/azvpnclientdownload. Install directly, when signed in on a client computer: Microsoft Store.
    • Now, you can either import the VPN client profile configuration files or manually add the profile to the VPN client.
    • To import VPN client profile configuration files: On the VPN client app, select Import.
    • Browse to the profile “azurevpnconfig.xml” file and select it. With the file selected, select Open. Specify the name of the profile (if you want to change it) or you can leave the default and select Save.
    • Select Connect to connect to the VPN.
    • To manually add the profile:
    • On the VPN client app, select + Add.
    • Fill out the connection information. Select Save.
    • To fill in the information, refer to the doc below, which shows how to get the required details:
    • https://learn.microsoft.com/en-us/azure/vpn-gateway/about-vpn-profile-download
    • In the Certificate Information, select "DigiCert Global Root CA" from the drop-down.
    • Select Connect to connect to the VPN.
    • Select/type the proper credentials, then select Continue.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client

    Additional Information: I've also seen a few customers using DigiCert Global Root G2 certificate in their Azure VPN client on both Windows & Mac.

    Refer: https://github.com/MicrosoftDocs/azure-docs/issues/104907

    NOTE: These DigiCert Global root certificates should already be available on your machines if they have access to the Internet and have Windows updates allowed.

    Kindly let us know if the above helped or you need further assistance on this issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

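The gateway-side steps in the accepted answer above can also be done with Az PowerShell, and the "Generic trust failure" symptom from the question can be checked on the client by confirming the DigiCert root the Azure VPN Client validates against is actually in the machine's trusted root store. The following is an added example, not code from the Q&A thread or from Microsoft's documentation; the resource group, gateway name, address pool and tenant ID are placeholders, and the Audience value is the one quoted in the answer.

```powershell
# Added example (not from the original Q&A): configure P2S on an existing
# VPN gateway for Azure AD (OpenVPN) authentication, generate the client
# profile, and check the client's trusted root store for the DigiCert root.
$rg       = "rg-vpn"              # assumed resource group name
$gwName   = "vpngw-hub"           # assumed gateway name (Basic SKU is not supported)
$tenantId = "<AzureAD-TenantID>"  # placeholder: your Azure AD tenant ID
$pool     = "172.16.201.0/24"     # assumed client address pool

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName

# Same values the answer lists for the portal: OpenVPN tunnel, AAD auth,
# tenant/issuer URIs built from the tenant ID, Azure VPN application audience.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool  $pool `
    -VpnClientProtocol     OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenantUri   "https://login.microsoftonline.com/$tenantId" `
    -AadAudienceId  "41b23e61-6c1e-4545-b367-cd054e0ed4b4" `
    -AadIssuerUri   "https://sts.windows.net/$tenantId/"

# Generate the profile package. The returned object carries a SAS URL to the
# zip whose AzureVPN\azurevpnconfig.xml is imported into the Azure VPN Client;
# importing it fills the DigiCert Global Root CA selection automatically.
$pkg = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName
Invoke-WebRequest -Uri $pkg.VpnProfileSASUrl -OutFile ".\vpnclientconfig.zip"

# Client-side check for "Unable to verify configured Server Certificate policy":
# the client validates the gateway's server certificate against DigiCert Global
# Root CA (or G2), so that root must be present in LocalMachine\Root.
$roots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match 'DigiCert Global Root (CA|G2)' } |
    Select-Object Subject, Thumbprint, NotAfter

if (-not $roots) {
    Write-Warning "No DigiCert Global Root CA/G2 found in LocalMachine\Root. Allow Windows Update to refresh trusted roots, or import the root from DigiCert."
} else {
    $roots | Format-Table -AutoSize
}
```

Run the gateway part from an account with Network Contributor rights on the gateway's resource group; the root-store check needs no privileges beyond reading the local certificate store and is the quickest way to separate a missing root (the client error in the question) from a wrong Tenant/Audience/Issuer value (which fails at the AAD sign-in step instead).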
