Problem with Always On VPN and conditional access

SRae 6 Reputation points

Hi All,

I've got a proof of concept environment set up for Windows 10 Always On VPN and have followed the deployment guide here >

Everything works perfectly with the policy settings getting pushed to the client via InTune, but as soon as I follow the steps to enable conditional access, I run into problems. I understand that with conditional access enabled, the client authenticates with a short lived certificate provided by Azure instead of the client certificates obtained from our internal CA. I can see the Azure VPN client certificate appearing in the test client certificate store as expected, but my NPS server is rejecting the connection with reason code 7 - IAS_NO_SUCH_DOMAIN. I suspect the issue is due to my UPN in Azure AD being a different domain from our internal AD DNS namespace (.com vs .local). I've checked and confirmed that the Azure VPN root cert is in the trusted root list on my NPS server. I've also made sure that the reg changes have been made on my NPS server to ignore CRL checking.

Any ideas or pointers would be hugely appreciated.


Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,753 questions
{count} votes