From 2adb4b9e92ffc19ce4dec4b79c180695ee4549ef Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Mon, 11 May 2026 15:10:15 -0700 Subject: [PATCH] sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-11 15:10:14 Author: Mike Swanson Machine: DESKTOP-0O8A1RL Timestamp: 2026-05-11 15:10:14 --- .../session-logs/2026-05-11-session.md | 168 ++++++++++++++++++ 1 file changed, 168 insertions(+) diff --git a/clients/peaceful-spirit/session-logs/2026-05-11-session.md b/clients/peaceful-spirit/session-logs/2026-05-11-session.md index c32e2fc..15b4374 100644 --- a/clients/peaceful-spirit/session-logs/2026-05-11-session.md +++ b/clients/peaceful-spirit/session-logs/2026-05-11-session.md 
@@ -209,3 +209,171 @@ Get-Certificate -Template Machine → CX509PolicyServerUrl::_GetStringProperty - Vault: `clients/peaceful-spirit/server.sops.yaml`, `clients/peaceful-spirit/vpn.sops.yaml` - Prior session log: `clients/peaceful-spirit/session-logs/2026-05-10-session.md` - MaraHomeNew OpenVPN config: `C:\Users\PeacefulSpiritMassag\OpenVPN\config\PST-NW-VPN-Windows\PST-NW-VPN-Windows.ovpn` + +--- + +## Update: 15:07 PT — Machine cert auth working on MaraHomeNew; HP/Surface PFXs generated + +## User +- **User:** Mike Swanson (mike) +- **Machine:** DESKTOP-0O8A1RL +- **Role:** admin +- **Session span:** Continuation of 2026-05-11 session (afternoon) + +## Session Summary + +The session began by resuming from a prior troubleshooting effort where MaraHomeNew had "IKE authentication credentials are unacceptable" after switching to MachineCertificate auth. The installed cert (bf2b2482) had correct EKUs but the wrong identity: Subject and SAN both showed CN=PST-SERVER.PEACEFULSPIRIT.local because the Machine template was configured to build the Subject from the submitting machine's AD identity (msPKI-Certificate-Name-Flag=0x18000000), and PST-SERVER had submitted the CSR in the prior session. The template was corrected by setting msPKI-Certificate-Name-Flag to 0x1 (ENROLLEE_SUPPLIES_SUBJECT). The wrong cert was deleted, a new CSR was generated on MaraHomeNew with the correct Subject and SAN, transferred via SCP over OpenVPN to PST-SERVER for local CA submission, and the resulting cert (D067E07B) was accepted on MaraHomeNew. + +With the correct cert installed, rasdial still returned the same error. Get-VpnAuthProtocol on PST-SERVER revealed that UserAuthProtocolAccepted only contained EAP and MsChapv2 — Certificate was not listed. Set-VpnAuthProtocol was used to add Certificate, RemoteAccess was restarted, and rasdial "Peaceful Spirit VPN" succeeded. 
+ +Win32-OpenSSH was installed on PST-SERVER during this session, enabling direct SSH access from DESKTOP-0O8A1RL via OpenVPN. SSH key auth was configured using the existing id_ed25519 key; the administrators_authorized_keys file required SYSTEM+Administrators-only permissions — presence of an Authenticated Users ACE caused key auth to fail silently. SSH access is now working and was used for all subsequent PST-SERVER administration. + +To onboard Maras-HP-Laptop and PST-SURFACE without requiring OpenVPN bootstrap on each machine, a PFX-based cert deployment workflow was designed: generate exportable certs on PST-SERVER centrally, export as password-protected PFX, deploy to each machine with Import-PfxCertificate + Add-VpnConnection. The gen_certs.ps1 script ran successfully after a fix (MachineKeySet=FALSE initially used, caused template context conflict; corrected to MachineKeySet=TRUE). PFXs for both machines were generated and SCP'd to DESKTOP-0O8A1RL. + +## Key Decisions + +- Changed msPKI-Certificate-Name-Flag from 0x18000000 to 0x1 (ENROLLEE_SUPPLIES_SUBJECT): the prior value caused the CA to build Subject/SAN from the submitting machine's AD DNS identity rather than the CSR content. This is a domain-wide template change; acceptable for this environment. +- Used SCP over OpenVPN for CSR/cert transfer (MaraHomeNew → PST-SERVER → MaraHomeNew) rather than RMM base64 method — SSH now installed on PST-SERVER made this viable and faster. +- "Certificate" is the correct enum value for Set-VpnAuthProtocol, not "MachineCertificate" — confirmed via PowerShell ValidateSet error. Valid values: EAP, Certificate, MsChapv2, Chap, PAP, PreSharedKey. +- PFX-based onboarding for HP and Surface: generates private key on PST-SERVER with Exportable=TRUE. Less ideal from key hygiene standpoint but eliminates the need for each machine to have an OpenVPN bootstrap path before cert enrollment. 
+- MachineKeySet=TRUE required in certreq INF when template is the Machine template: MachineKeySet=FALSE causes "User context template conflicts with machine context" rejection at certreq -submit. + +## Problems Encountered + +- **Wrong cert Subject/SAN (CN=PST-SERVER instead of MaraHomeNew)**: Machine template msPKI-Certificate-Name-Flag=0x18000000 caused CA to use submitting machine identity. Fixed by setting flag to 0x1 and reissuing cert. +- **IKE authentication failure persisted after correct cert**: RRAS UserAuthProtocolAccepted did not include Certificate. Fixed via Set-VpnAuthProtocol + Restart-Service RemoteAccess. +- **RMM polling was reading wrong field**: Commands completing with output, but code was checking "output" field; actual output is in "stdout". Fixed once full JSON response was inspected. +- **Win32-OpenSSH key auth silently failing**: administrators_authorized_keys had Authenticated Users:(RX) ACE which Win32-OpenSSH rejects as insecure. Fixed via icacls /inheritance:r removing user ACEs. +- **PFX cert generation — MachineKeySet=FALSE conflicts with Machine template**: certreq -submit returned "User context template conflicts with machine context." Fixed by changing INF to MachineKeySet=TRUE and checking Cert:\LocalMachine\My instead of CurrentUser\My. +- **SCP path format with Win32-OpenSSH**: Windows-style paths (C:\\ProgramData\\file) failed; Unix-style (/C:/ProgramData/file) required for Win32-OpenSSH sftp-server. 
+ +--- + +## Configuration Changes + +### PST-SERVER +- `msPKI-Certificate-Name-Flag` on Machine cert template: `0x18000000` → `0x1` (ENROLLEE_SUPPLIES_SUBJECT) + - LDAP path: `CN=Machine,CN=Certificate Templates,...,DC=PEACEFULSPIRIT,DC=local` +- Win32-OpenSSH installed at `C:\Program Files\OpenSSH\OpenSSH-Win64\`; sshd service Automatic/Running; firewall TCP 22 inbound allow +- `C:\ProgramData\ssh\administrators_authorized_keys`: acg-admin@pst-cc-ucg key (pre-existing) + guru@DESKTOP-0O8A1RL; permissions SYSTEM:(F) BUILTIN\Administrators:(F) only +- RRAS UserAuthProtocolAccepted: added Certificate (was EAP, MsChapv2 only); RemoteAccess restarted +- Certs issued: Maras-HP-Laptop (RequestId 66, thumbprint 4CADDE8F940FC3EEFC37919B6A4541A913801296) and PST-SURFACE (RequestId 67, thumbprint 197FF22A97F26EF19DECF9E752B1B88C7E7ED42E) +- PFX files: `C:\ProgramData\Maras-HP-Laptop.pfx`, `C:\ProgramData\PST-SURFACE.pfx` (password: PstVpn2026!) +- Temp files (safe to delete): gen_certs.ps1, diag_out.txt, Maras-HP-Laptop.{inf,req,cer,pfx}, PST-SURFACE.{inf,req,cer,pfx}, machine2.req/cer + +### MaraHomeNew +- Wrong cert bf2b2482 (CN=PST-SERVER) removed from Cert:\LocalMachine\My +- New cert installed: thumbprint D067E07B4A670AF5C6DE27250EB533B06F28FD6A, CN=MaraHomeNew.PEACEFULSPIRIT.local, SAN DNS=MaraHomeNew.PEACEFULSPIRIT.local, valid to 5/10/2027 +- "Peaceful Spirit VPN" AllUserConnection: AuthenticationMethod MachineCertificate, confirmed working via rasdial + +### DESKTOP-0O8A1RL +- ~/.ssh/known_hosts: stale 192.168.0.2 entries cleared; new ED25519 host key for PST-SERVER accepted + +--- + +## Credentials & Secrets + +| Item | Value | +|------|-------| +| PST-SERVER SSH | sysadmin@192.168.0.2, key: ~/.ssh/id_ed25519 (DESKTOP-0O8A1RL) | +| PST-SERVER domain admin | PEACEFULSPIRIT\sysadmin / r3tr0gradE99! | +| PFX password (HP + Surface) | PstVpn2026! 
| +| VPN credential | PEACEFULSPIRIT\pst-admin / 24Hearts$ | +| UCG SSH key | ~/.ssh/pst-cc-ucg / Gptf*77ttb123!@# | + +--- + +## Infrastructure & Servers + +| Component | Value | +|-----------|-------| +| PST-SERVER SSH | port 22, key auth from DESKTOP-0O8A1RL (requires OpenVPN to PST-CC active) | +| PST-SERVER OpenSSH path | C:\Program Files\OpenSSH\OpenSSH-Win64\ | +| Machine template NameFlag | 0x1 (ENROLLEE_SUPPLIES_SUBJECT) — changed this session | +| RRAS UserAuthProtocolAccepted | EAP, MsChapv2, Certificate | +| MaraHomeNew cert | D067E07B (CN=MaraHomeNew.PEACEFULSPIRIT.local, to 5/10/2027) | +| Maras-HP-Laptop cert | 4CADDE8F (CA RequestId 66) — PFX on PST-SERVER + local Temp | +| PST-SURFACE cert | 197FF22A (CA RequestId 67) — PFX on PST-SERVER + local Temp | +| PFX local copies | C:\Users\guru\AppData\Local\Temp\Maras-HP-Laptop.pfx, PST-SURFACE.pfx | + +--- + +## Commands & Outputs + +### Fix Machine template Subject Name source (PST-SERVER as sysadmin) +```powershell +$t = [ADSI]"LDAP://CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=PEACEFULSPIRIT,DC=local" +$t.Properties["msPKI-Certificate-Name-Flag"].Value = 1 +$t.CommitChanges() +# Returns 1 — confirmed +``` + +### Reissue cert for MaraHomeNew +```powershell +# On MaraHomeNew +certreq -new C:\Windows\Temp\machine2.inf C:\Windows\Temp\machine2.req +scp C:\Windows\Temp\machine2.req sysadmin@192.168.0.2:/C:/ProgramData/machine2.req +# On PST-SERVER +certreq -submit -config "PST-SERVER.PEACEFULSPIRIT.local\PEACEFULSPIRIT-PST-SERVER-CA" C:\ProgramData\machine2.req C:\ProgramData\machine2.cer +# Back on MaraHomeNew +scp sysadmin@192.168.0.2:/C:/ProgramData/machine2.cer C:\Windows\Temp\machine2.cer +certreq -accept C:\Windows\Temp\machine2.cer +# Result: D067E07B4A670AF5C6DE27250EB533B06F28FD6A +``` + +### Add Certificate to RRAS auth (PST-SERVER via SSH) +```powershell +Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP, MsChapv2, Certificate +Restart-Service 
RemoteAccess +# Valid enum: EAP, Certificate, MsChapv2, Chap, PAP, PreSharedKey +``` + +### VPN test result +``` +rasdial "Peaceful Spirit VPN" +Connecting to Peaceful Spirit VPN... +[SUCCESS] +``` + +### Win32-OpenSSH install on PST-SERVER +```powershell +& "C:\Program Files\OpenSSH\OpenSSH-Win64\install-sshd.ps1" +Start-Service sshd; Set-Service sshd -StartupType Automatic +netsh advfirewall firewall add rule name="OpenSSH" dir=in action=allow protocol=TCP localport=22 +``` + +### SSH from DESKTOP-0O8A1RL (requires OpenVPN active) +```bash +ssh -i ~/.ssh/id_ed25519 sysadmin@192.168.0.2 +``` + +### PFX deployment command (target machine, run as admin) +```powershell +Import-PfxCertificate -FilePath .\MachineName.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString "PstVpn2026!" -AsPlainText -Force) +Add-VpnConnection -Name "Peaceful Spirit VPN" -ServerAddress "98.190.129.150" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection -SplitTunneling -Force +``` + +--- + +## Pending / Incomplete Tasks + +| Task | Status | Notes | +|------|--------|-------| +| Deploy cert + VPN to Maras-HP-Laptop via RMM | **PENDING** | PFX at C:\Users\guru\AppData\Local\Temp\Maras-HP-Laptop.pfx. RMM agent: 13cb3629 | +| Deploy cert + VPN to PST-SURFACE via RMM | **PENDING** | PFX at C:\Users\guru\AppData\Local\Temp\PST-SURFACE.pfx. RMM agent: 4a993b61 | +| Test pre-login VPN on all 3 machines | **PENDING** | MaraHomeNew rasdial confirmed. HP and Surface pending cert deployment. | +| Test VPN at Windows login screen (pre-login) | **PENDING** | rasdial works in user session. Need to verify AllUserConnection triggers at logon screen. 
| +| Clean up temp files on PST-SERVER | **PENDING** | C:\ProgramData\: fix_acl.ps1, acl_result.txt, verify_acl.ps1, gen_certs.ps1, *.inf, *.req, *.cer, *.pfx, diag_out.txt | +| Remove TEMP firewall rules on PST-SERVER | **PENDING** | TEMP-CertEnroll-RPC (TCP 135) and TEMP-CertEnroll-DCOM (TCP 49152-65535) from prior session | +| Identify OpenVPN Connect profiles on HP/Surface | **PENDING** | OpenVPN Connect running (4 procs each) but no .ovpn files in standard paths | + +--- + +## Reference Information + +- PST-SERVER SSH: `ssh -i ~/.ssh/id_ed25519 sysadmin@192.168.0.2` (OpenVPN to PST-CC required) +- PFX deploy one-liner: Import-PfxCertificate + Add-VpnConnection (see Commands section) +- RMM agents: MaraHomeNew c778b6a3, Maras-HP-Laptop 13cb3629, PST-SURFACE 4a993b61, PST-SERVER 6b6106a7 +- SCP to/from PST-SERVER: use `/C:/path/to/file` format (not `C:\`) +- gen_certs.ps1 at C:\ProgramData\gen_certs.ps1 on PST-SERVER — reusable for future machines +- Machine template NameFlag GUID reference: ENROLLEE_SUPPLIES_SUBJECT = 0x1, prior value 0x18000000 (DNS_AS_CN | ALT_REQUIRE_DNS)
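Review bot: the "Credentials & Secrets" table in this hunk commits plaintext passwords to the repository (`| PST-SERVER domain admin | PEACEFULSPIRIT\sysadmin / r3tr0gradE99! |`, `| VPN credential | PEACEFULSPIRIT\pst-admin / 24Hearts$ |`, `| UCG SSH key | ~/.ssh/pst-cc-ucg / Gptf*77ttb123!@# |`), and the PFX password is repeated inline in the "PFX deployment command" block, even though the same hunk's context lines already point at `clients/peaceful-spirit/server.sops.yaml` and `vpn.sops.yaml` as the vault for this client. Suggest replacing each secret cell with a reference to the corresponding sops key and parameterising the `ConvertTo-SecureString` argument in the deployment command; because this commit is an auto-sync that has already landed in history, the domain admin, pst-admin, PFX and UCG passphrase values should be treated as exposed and rotated rather than merely redacted in a follow-up. Two smaller points in the same hunk: the "Key Decisions" entry acknowledges the HP/Surface private keys were generated with Exportable=TRUE and now exist as PFX copies on PST-SERVER and in a local Temp directory, so the pending cleanup row should explicitly include removing those PFX files from both locations once Import-PfxCertificate has succeeded on each target; and the "Remove TEMP firewall rules" row still carries an inbound TCP 49152-65535 allow from the prior session, which is worth ordering ahead of the cert deployment tasks rather than after them.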