sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-11 15:10:14

Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-11 15:10:14
2026-05-11 15:10:15 -07:00
parent afd6fdeced
commit 2adb4b9e92


@@ -209,3 +209,171 @@ Get-Certificate -Template Machine → CX509PolicyServerUrl::_GetStringProperty
- Vault: `clients/peaceful-spirit/server.sops.yaml`, `clients/peaceful-spirit/vpn.sops.yaml`
- Prior session log: `clients/peaceful-spirit/session-logs/2026-05-10-session.md`
- MaraHomeNew OpenVPN config: `C:\Users\PeacefulSpiritMassag\OpenVPN\config\PST-NW-VPN-Windows\PST-NW-VPN-Windows.ovpn`
---
## Update: 15:07 PT — Machine cert auth working on MaraHomeNew; HP/Surface PFXs generated
## User
- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
- **Session span:** Continuation of 2026-05-11 session (afternoon)
## Session Summary
The session began by resuming from a prior troubleshooting effort where MaraHomeNew had "IKE authentication credentials are unacceptable" after switching to MachineCertificate auth. The installed cert (bf2b2482) had correct EKUs but the wrong identity: Subject and SAN both showed CN=PST-SERVER.PEACEFULSPIRIT.local because the Machine template was configured to build the Subject from the submitting machine's AD identity (msPKI-Certificate-Name-Flag=0x18000000), and PST-SERVER had submitted the CSR in the prior session. The template was corrected by setting msPKI-Certificate-Name-Flag to 0x1 (ENROLLEE_SUPPLIES_SUBJECT). The wrong cert was deleted, a new CSR was generated on MaraHomeNew with the correct Subject and SAN, transferred via SCP over OpenVPN to PST-SERVER for local CA submission, and the resulting cert (D067E07B) was accepted on MaraHomeNew.
With the correct cert installed, rasdial still returned the same error. Get-VpnAuthProtocol on PST-SERVER revealed that UserAuthProtocolAccepted only contained EAP and MsChapv2 — Certificate was not listed. Set-VpnAuthProtocol was used to add Certificate, RemoteAccess was restarted, and rasdial "Peaceful Spirit VPN" succeeded.
Win32-OpenSSH was installed on PST-SERVER during this session, enabling direct SSH access from DESKTOP-0O8A1RL via OpenVPN. SSH key auth was configured using the existing id_ed25519 key; the administrators_authorized_keys file required SYSTEM+Administrators-only permissions — presence of an Authenticated Users ACE caused key auth to fail silently. SSH access is now working and was used for all subsequent PST-SERVER administration.
To onboard Maras-HP-Laptop and PST-SURFACE without requiring OpenVPN bootstrap on each machine, a PFX-based cert deployment workflow was designed: generate exportable certs on PST-SERVER centrally, export as password-protected PFX, deploy to each machine with Import-PfxCertificate + Add-VpnConnection. The gen_certs.ps1 script ran successfully after a fix (MachineKeySet=FALSE initially used, caused template context conflict; corrected to MachineKeySet=TRUE). PFXs for both machines were generated and SCP'd to DESKTOP-0O8A1RL.
## Key Decisions
- Changed msPKI-Certificate-Name-Flag from 0x18000000 to 0x1 (ENROLLEE_SUPPLIES_SUBJECT): the prior value caused the CA to build Subject/SAN from the submitting machine's AD DNS identity rather than the CSR content. This is a domain-wide template change; acceptable for this environment.
- Used SCP over OpenVPN for CSR/cert transfer (MaraHomeNew → PST-SERVER → MaraHomeNew) rather than RMM base64 method — SSH now installed on PST-SERVER made this viable and faster.
- "Certificate" is the correct enum value for Set-VpnAuthProtocol, not "MachineCertificate" — confirmed via PowerShell ValidateSet error. Valid values: EAP, Certificate, MsChapv2, Chap, PAP, PreSharedKey.
- PFX-based onboarding for HP and Surface: generates private key on PST-SERVER with Exportable=TRUE. Less ideal from key hygiene standpoint but eliminates the need for each machine to have an OpenVPN bootstrap path before cert enrollment.
- MachineKeySet=TRUE required in certreq INF when template is the Machine template: MachineKeySet=FALSE causes "User context template conflicts with machine context" rejection at certreq -submit.
## Problems Encountered
- **Wrong cert Subject/SAN (CN=PST-SERVER instead of MaraHomeNew)**: Machine template msPKI-Certificate-Name-Flag=0x18000000 caused CA to use submitting machine identity. Fixed by setting flag to 0x1 and reissuing cert.
- **IKE authentication failure persisted after correct cert**: RRAS UserAuthProtocolAccepted did not include Certificate. Fixed via Set-VpnAuthProtocol + Restart-Service RemoteAccess.
- **RMM polling was reading wrong field**: Commands completing with output, but code was checking "output" field; actual output is in "stdout". Fixed once full JSON response was inspected.
- **Win32-OpenSSH key auth silently failing**: administrators_authorized_keys had Authenticated Users:(RX) ACE which Win32-OpenSSH rejects as insecure. Fixed via icacls /inheritance:r removing user ACEs.
- **PFX cert generation — MachineKeySet=FALSE conflicts with Machine template**: certreq -submit returned "User context template conflicts with machine context." Fixed by changing INF to MachineKeySet=TRUE and checking Cert:\LocalMachine\My instead of CurrentUser\My.
- **SCP path format with Win32-OpenSSH**: Windows-style paths (C:\\ProgramData\\file) failed; Unix-style (/C:/ProgramData/file) required for Win32-OpenSSH sftp-server.
---
## Configuration Changes
### PST-SERVER
- `msPKI-Certificate-Name-Flag` on Machine cert template: `0x18000000``0x1` (ENROLLEE_SUPPLIES_SUBJECT)
- LDAP path: `CN=Machine,CN=Certificate Templates,...,DC=PEACEFULSPIRIT,DC=local`
- Win32-OpenSSH installed at `C:\Program Files\OpenSSH\OpenSSH-Win64\`; sshd service Automatic/Running; firewall TCP 22 inbound allow
- `C:\ProgramData\ssh\administrators_authorized_keys`: acg-admin@pst-cc-ucg key (pre-existing) + guru@DESKTOP-0O8A1RL; permissions SYSTEM:(F) BUILTIN\Administrators:(F) only
- RRAS UserAuthProtocolAccepted: added Certificate (was EAP, MsChapv2 only); RemoteAccess restarted
- Certs issued: Maras-HP-Laptop (RequestId 66, thumbprint 4CADDE8F940FC3EEFC37919B6A4541A913801296) and PST-SURFACE (RequestId 67, thumbprint 197FF22A97F26EF19DECF9E752B1B88C7E7ED42E)
- PFX files: `C:\ProgramData\Maras-HP-Laptop.pfx`, `C:\ProgramData\PST-SURFACE.pfx` (password: PstVpn2026!)
- Temp files (safe to delete): gen_certs.ps1, diag_out.txt, Maras-HP-Laptop.{inf,req,cer,pfx}, PST-SURFACE.{inf,req,cer,pfx}, machine2.req/cer
### MaraHomeNew
- Wrong cert bf2b2482 (CN=PST-SERVER) removed from Cert:\LocalMachine\My
- New cert installed: thumbprint D067E07B4A670AF5C6DE27250EB533B06F28FD6A, CN=MaraHomeNew.PEACEFULSPIRIT.local, SAN DNS=MaraHomeNew.PEACEFULSPIRIT.local, valid to 5/10/2027
- "Peaceful Spirit VPN" AllUserConnection: AuthenticationMethod MachineCertificate, confirmed working via rasdial
### DESKTOP-0O8A1RL
- ~/.ssh/known_hosts: stale 192.168.0.2 entries cleared; new ED25519 host key for PST-SERVER accepted
---
## Credentials & Secrets
| Item | Value |
|------|-------|
| PST-SERVER SSH | sysadmin@192.168.0.2, key: ~/.ssh/id_ed25519 (DESKTOP-0O8A1RL) |
| PST-SERVER domain admin | PEACEFULSPIRIT\sysadmin / r3tr0gradE99! |
| PFX password (HP + Surface) | PstVpn2026! |
| VPN credential | PEACEFULSPIRIT\pst-admin / 24Hearts$ |
| UCG SSH key | ~/.ssh/pst-cc-ucg / Gptf*77ttb123!@# |
---
## Infrastructure & Servers
| Component | Value |
|-----------|-------|
| PST-SERVER SSH | port 22, key auth from DESKTOP-0O8A1RL (requires OpenVPN to PST-CC active) |
| PST-SERVER OpenSSH path | C:\Program Files\OpenSSH\OpenSSH-Win64\ |
| Machine template NameFlag | 0x1 (ENROLLEE_SUPPLIES_SUBJECT) — changed this session |
| RRAS UserAuthProtocolAccepted | EAP, MsChapv2, Certificate |
| MaraHomeNew cert | D067E07B (CN=MaraHomeNew.PEACEFULSPIRIT.local, to 5/10/2027) |
| Maras-HP-Laptop cert | 4CADDE8F (CA RequestId 66) — PFX on PST-SERVER + local Temp |
| PST-SURFACE cert | 197FF22A (CA RequestId 67) — PFX on PST-SERVER + local Temp |
| PFX local copies | C:\Users\guru\AppData\Local\Temp\Maras-HP-Laptop.pfx, PST-SURFACE.pfx |
---
## Commands & Outputs
### Fix Machine template Subject Name source (PST-SERVER as sysadmin)
```powershell
$t = [ADSI]"LDAP://CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=PEACEFULSPIRIT,DC=local"
$t.Properties["msPKI-Certificate-Name-Flag"].Value = 1
$t.CommitChanges()
# Returns 1 — confirmed
```
### Reissue cert for MaraHomeNew
```powershell
# On MaraHomeNew
certreq -new C:\Windows\Temp\machine2.inf C:\Windows\Temp\machine2.req
scp C:\Windows\Temp\machine2.req sysadmin@192.168.0.2:/C:/ProgramData/machine2.req
# On PST-SERVER
certreq -submit -config "PST-SERVER.PEACEFULSPIRIT.local\PEACEFULSPIRIT-PST-SERVER-CA" C:\ProgramData\machine2.req C:\ProgramData\machine2.cer
# Back on MaraHomeNew
scp sysadmin@192.168.0.2:/C:/ProgramData/machine2.cer C:\Windows\Temp\machine2.cer
certreq -accept C:\Windows\Temp\machine2.cer
# Result: D067E07B4A670AF5C6DE27250EB533B06F28FD6A
```
### Add Certificate to RRAS auth (PST-SERVER via SSH)
```powershell
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP, MsChapv2, Certificate
Restart-Service RemoteAccess
# Valid enum: EAP, Certificate, MsChapv2, Chap, PAP, PreSharedKey
```
### VPN test result
```
rasdial "Peaceful Spirit VPN"
Connecting to Peaceful Spirit VPN...
[SUCCESS]
```
### Win32-OpenSSH install on PST-SERVER
```powershell
& "C:\Program Files\OpenSSH\OpenSSH-Win64\install-sshd.ps1"
Start-Service sshd; Set-Service sshd -StartupType Automatic
netsh advfirewall firewall add rule name="OpenSSH" dir=in action=allow protocol=TCP localport=22
```
### SSH from DESKTOP-0O8A1RL (requires OpenVPN active)
```bash
ssh -i ~/.ssh/id_ed25519 sysadmin@192.168.0.2
```
### PFX deployment command (target machine, run as admin)
```powershell
Import-PfxCertificate -FilePath .\MachineName.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString "PstVpn2026!" -AsPlainText -Force)
Add-VpnConnection -Name "Peaceful Spirit VPN" -ServerAddress "98.190.129.150" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection -SplitTunneling -Force
```
---
## Pending / Incomplete Tasks
| Task | Status | Notes |
|------|--------|-------|
| Deploy cert + VPN to Maras-HP-Laptop via RMM | **PENDING** | PFX at C:\Users\guru\AppData\Local\Temp\Maras-HP-Laptop.pfx. RMM agent: 13cb3629 |
| Deploy cert + VPN to PST-SURFACE via RMM | **PENDING** | PFX at C:\Users\guru\AppData\Local\Temp\PST-SURFACE.pfx. RMM agent: 4a993b61 |
| Test pre-login VPN on all 3 machines | **PENDING** | MaraHomeNew rasdial confirmed. HP and Surface pending cert deployment. |
| Test VPN at Windows login screen (pre-login) | **PENDING** | rasdial works in user session. Need to verify AllUserConnection triggers at logon screen. |
| Clean up temp files on PST-SERVER | **PENDING** | C:\ProgramData\: fix_acl.ps1, acl_result.txt, verify_acl.ps1, gen_certs.ps1, *.inf, *.req, *.cer, *.pfx, diag_out.txt |
| Remove TEMP firewall rules on PST-SERVER | **PENDING** | TEMP-CertEnroll-RPC (TCP 135) and TEMP-CertEnroll-DCOM (TCP 49152-65535) from prior session |
| Identify OpenVPN Connect profiles on HP/Surface | **PENDING** | OpenVPN Connect running (4 procs each) but no .ovpn files in standard paths |
---
## Reference Information
- PST-SERVER SSH: `ssh -i ~/.ssh/id_ed25519 sysadmin@192.168.0.2` (OpenVPN to PST-CC required)
- PFX deploy one-liner: Import-PfxCertificate + Add-VpnConnection (see Commands section)
- RMM agents: MaraHomeNew c778b6a3, Maras-HP-Laptop 13cb3629, PST-SURFACE 4a993b61, PST-SERVER 6b6106a7
- SCP to/from PST-SERVER: use `/C:/path/to/file` format (not `C:\`)
- gen_certs.ps1 at C:\ProgramData\gen_certs.ps1 on PST-SERVER — reusable for future machines
- Machine template NameFlag GUID reference: ENROLLEE_SUPPLIES_SUBJECT = 0x1, prior value 0x18000000 (DNS_AS_CN | ALT_REQUIRE_DNS)
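Review bot: the "Credentials & Secrets" table (PST-SERVER domain admin, VPN credential, UCG SSH key passphrase, PFX password) and the `ConvertTo-SecureString "PstVpn2026!" -AsPlainText -Force` argument in the PFX deployment command commit plaintext secrets to the repository, even though the context lines at the top of the hunk already name SOPS-encrypted vault files for this client (`clients/peaceful-spirit/server.sops.yaml`, `clients/peaceful-spirit/vpn.sops.yaml`). Move these values into the sops vault, replace them here with references to the vault keys, and treat every listed credential as exposed and due for rotation once the move is done. The same applies to the PFX password in the "PST-SERVER" configuration section: because the PFX files sit unencrypted-at-rest on PST-SERVER under `C:\ProgramData\` and in `C:\Users\guru\AppData\Local\Temp\` with their password in this same file, the Maras-HP-Laptop and PST-SURFACE private keys should be considered compromised by the commit itself, not only by the pending temp-file cleanup; consider reissuing them after deployment, and note in "Key Decisions" that the Exportable=TRUE trade-off was accepted with this consequence. Minor: in the "Configuration Changes" section the line "`0x18000000``0x1`" has lost the arrow between the old and new flag values.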