azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-11 13:45:09

Browse Source 
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-11 13:45:09
This commit is contained in:
Mike Swanson
2026-05-11 13:45:10 -07:00
parent 1c0df9b1bd
commit afd6fdeced
5 changed files with 211 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
clients/grabb-durando/AI (1).msg Normal file
View File

Binary file not shown.

BIN
clients/grabb-durando/AI (2).msg Normal file
View File

Binary file not shown.

BIN
clients/grabb-durando/AI.msg Normal file
View File

Binary file not shown.

BIN
clients/grabb-durando/AI_Demand_Review_Phase_Two_Package.msg Normal file
View File

Binary file not shown.

211
clients/peaceful-spirit/session-logs/2026-05-11-session.md Normal file
View File

@@ -0,0 +1,211 @@
# Peaceful Spirit — IKEv2 Pre-Login VPN: Machine Cert Enrollment Prep
**Date:** 2026-05-11
**Client:** Peaceful Spirit (Country Club site)
**Ticket scope:** Pre-login IKEv2 VPN for Mara — machine certificate auth path
## User
- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
- **Session span:** Continuation of 2026-05-10 session
---
## Session Summary
The session resumed from a prior effort to enable pre-login IKEv2 VPN for Mara on three machines (MaraHomeNew, Maras-HP-Laptop, PST-SURFACE), which had been blocked by error 812. The PST-SERVER CA was confirmed to be trusted and correctly configured, but the Machine certificate template had the AutoEnroll flag set to "Access is denied" due to missing permissions for the Domain Computers group. Multiple attempts to correct this failed due to access restrictions, incorrect credentials, and tool limitations, until a PowerShell script run as sysadmin successfully added the AutoEnroll right.
Despite this, certificate enrollment on the client machines failed due to lack of access to the PST-SERVER DCOM endpoint, which is required for enrollment but blocked without the IKEv2 VPN. The NPS policy was confirmed to allow PEAP and MSCHAPv2 for the WseRemoteAccessUsers group, and the OpenVPN configuration on MaraHomeNew was identified as a potential workaround to enable access to PST-SERVER.
The user agreed to update the OpenVPN config on MaraHomeNew to connect to the Country Club site (UCG at 98.190.129.150), which would allow access to the internal network for certificate enrollment. The session was interrupted before completing the enrollment process.
---
## Key Decisions
- Used a PowerShell script (fix_acl.ps1) run as sysadmin via scheduled task to grant AutoEnroll rights to Domain Computers — direct ADSI from SYSTEM context failed ("Access is denied"), dsacls failed to resolve both name and GUID formats on Server 2016.
- Identified domain admin credentials as sysadmin / r3tr0gradE99! (not pst-admin, which is a domain user but not domain admin).
- Determined that cert enrollment failure was due to remote machines having no route to PST-SERVER DCOM (192.168.0.2) — not a permissions problem after the ACL fix, but a network path problem.
- Chose OpenVPN as the bootstrap path to get MaraHomeNew onto the office LAN for cert enrollment, rather than attempting manual cert generation on PST-SERVER and PFX transfer (which would require non-standard key handling).
- NPS confirmed functional: order-1 policy allows PEAP (0x19) and MSCHAPv2 (0x1a), WseRemoteAccessUsers condition, Ignore-User-Dialin-Properties=TRUE, Allow-Dial-In=TRUE — no NPS policy changes needed.
---
## Problems Encountered
- **AutoEnroll permission denied on Machine template**: SYSTEM context (PST-SERVER$ machine account, in Domain Controllers group) and ADSI/dsacls all failed to write the ACL. Resolved by writing a PS script to disk via RMM, then registering a scheduled task to run it as sysadmin (domain admin). Script ran successfully and ACL was confirmed via secondary sysadmin-context query.
- **dsacls doesn't resolve Certificate-AutoEnrollment name or GUID on Server 2016**: Both `Certificate-AutoEnrollment` string and `{a2a8902a-...}` GUID returned "No GUID Found." Resolved by using PowerShell ActiveDirectoryAccessRule with the GUID directly, run as domain admin.
- **certutil -autoenroll not available on Windows 10/11 clients**: Only exists on Server. Switched to certreq/Get-Certificate approaches.
- **certreq and Get-Certificate failed on all 3 Mara machines**: `CERTSRV_E_PROPERTY_EMPTY` / "no default enrollment policy server." Root cause: machines are remote and cannot reach PST-SERVER (192.168.0.2) via DCOM — Certificate Enrollment Policy Service not installed on PST-SERVER, enrollment falls back to DCOM which requires LAN access.
- **Catch-22**: Need machine cert to establish IKEv2 VPN, but need IKEv2 VPN (or another LAN path) to enroll the machine cert from the domain CA. Resolution path: use OpenVPN to reach the office LAN first.
- **pst-admin vs sysadmin**: First several ACL attempts used wrong credentials (pst-admin / 24Hearts$). User corrected — domain admin is sysadmin / r3tr0gradE99!.
---
## Configuration Changes
### PST-SERVER (via RMM — persisted in AD)
- Modified certificate template ACL: added AutoEnroll extended right (GUID a2a8902a-4010-11d1-a7b0-0060b0576642) for Domain Computers (SID S-1-5-21-1105246401-3156558273-4088333098-515) on the Machine/Computer template in CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=PEACEFULSPIRIT,DC=local
- Method: scheduled task as sysadmin running `C:\ProgramData\fix_acl.ps1` (temp file, can be deleted)
- Wrote and left temporary files: `C:\ProgramData\fix_acl.ps1`, `C:\ProgramData\acl_result.txt`, `C:\ProgramData\verify_acl.ps1`, `C:\ProgramData\acl_verify.txt` — safe to delete
### Mara Machines (already deployed in previous session, unchanged this session)
- AllUserConnection VPN profile "Peaceful Spirit VPN" on MaraHomeNew, Maras-HP-Laptop, PST-SURFACE
- TunnelType: IKEv2, Auth: EAP, AllUserConnection: True, SplitTunneling: True
- Server: 98.190.129.150
- EAP XML: needs verification (XML object rendering issue prevented reading type value)
### Not Changed
- NPS policies on PST-SERVER: no changes this session; PST-VPN-Test was already deleted
- UCG: no changes
- VPN profiles on Mara machines: no changes
---
## Credentials & Secrets
| Item | Value |
|------|-------|
| PST-SERVER domain admin | PEACEFULSPIRIT\sysadmin / r3tr0gradE99! |
| PST-SERVER SSH | sysadmin / r3tr0gradE99! |
| VPN credential | PEACEFULSPIRIT\pst-admin / 24Hearts$ (domain user, in WseRemoteAccessUsers) |
| UCG SSH key | ~/.ssh/pst-cc-ucg / password: Gptf*77ttb123!@# |
| VPN PSK (L2TP) | z5zkNBds2V9eIkdey09Zm6Khil3DAZs8 |
| NPS RADIUS shared secret | PST-RADIUS-UCG-2026!@# |
| pst-admin (domain user) | 24Hearts$ |
| OpenVPN config user on MaraHomeNew | `C:\Users\PeacefulSpiritMassag\OpenVPN\config\PST-NW-VPN-Windows\PST-NW-VPN-auth.txt` (creds unknown) |
Note: pst-admin is NOT domain admin. sysadmin is domain admin.
Vault paths:
- `clients/peaceful-spirit/server.sops.yaml` — PST-SERVER, UCG details
- `clients/peaceful-spirit/vpn.sops.yaml` — VPN credentials, PSK, network
---
## Infrastructure & Servers
| Component | Value |
|-----------|-------|
| PST-SERVER IP (LAN) | 192.168.0.2 |
| PST-SERVER OS | Windows Server 2016 Essentials (build 14393) |
| PST-SERVER domain | PEACEFULSPIRIT.local |
| PST-SERVER roles | AD DS, DNS, RRAS (VPN server), NPS, Enterprise Root CA |
| CA name | PEACEFULSPIRIT-PST-SERVER-CA |
| CA thumbprint | 56DAF43C60F246BF2C80A671EE9812C727D8C298 (valid 3/8/2061) |
| PST-SERVER machine cert | DB71981ABE4CBA1DE96FEEEAF178F6259663B543 (CN=PST-SERVER.PEACEFULSPIRIT.local, valid 5/9/2027) |
| UCG-PST-CC WAN IP | 98.190.129.150 |
| UCG VPN endpoint | UDP 500/4500 → forwarded to 192.168.0.2 (PST-SERVER RRAS) |
| PST network | 192.168.0.0/24 |
| GuruRMM client | Peaceful Spirit (00015eae-50e5-4102-93fa-ab0fdb135c08) |
| GuruRMM site | Country Club (7b32983d-982a-4a5c-af07-45a23453f589) |
| PST-SERVER agent ID | 6b6106a7-8515-4b6b-857d-0dc6ede53f35 |
| MaraHomeNew agent ID | c778b6a3-c646-4454-a065-8c8bdcb1578e |
| Maras-HP-Laptop agent ID | 13cb3629-5043-4bd6-b977-6968eeccf804 |
| PST-SURFACE agent ID | 4a993b61-59b3-42f4-bdb5-d4362941f7d6 |
| Domain Computers SID | S-1-5-21-1105246401-3156558273-4088333098-515 |
| WseRemoteAccessUsers SID | S-1-5-21-1105246401-3156558273-4088333098-1113 |
### CA / Machine Cert State on Mara Machines
| Machine | CA in Trusted Root | Machine Cert in LocalMachine\My |
|---------|-------------------|--------------------------------|
| MaraHomeNew | YES (56DAF43C) | No |
| Maras-HP-Laptop | Not checked | No |
| PST-SURFACE | Not checked | No |
### OpenVPN on Mara Machines
| Machine | Status | Config Location |
|---------|--------|----------------|
| MaraHomeNew | Not running | `C:\Users\PeacefulSpiritMassag\OpenVPN\config\PST-NW-VPN-Windows\PST-NW-VPN-Windows.ovpn` (remote 64.139.88.249:1194 TCP, NW site) |
| Maras-HP-Laptop | OpenVPN Connect running (4 processes) | No config in standard paths |
| PST-SURFACE | OpenVPN Connect running (4 processes) | No config in standard paths |
---
## Commands & Outputs
### Grant AutoEnroll to Domain Computers on Machine template (PST-SERVER via sysadmin scheduled task)
```powershell
# Script written to C:\ProgramData\fix_acl.ps1, run as PEACEFULSPIRIT\sysadmin
$sid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1105246401-3156558273-4088333098-515")
$guid = [Guid]"a2a8902a-4010-11d1-a7b0-0060b0576642"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, "ExtendedRight", "Allow", $guid, "None")
$t = [ADSI]"LDAP://CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=PEACEFULSPIRIT,DC=local"
$acl = $t.psbase.ObjectSecurity
$acl.AddAccessRule($ace)
$t.psbase.CommitChanges()
```
Result: "SUCCESS" — confirmed via ACL query: `PEACEFULSPIRIT\Domain Computers | Allow` on AutoEnroll GUID.
### NPS Order-1 Policy (from netsh nps show np)
```
Name = {502F03DC-1EC9-49A9-811A-99BA53619319}
Processing order = 1
Policy source = 2 (Windows Server Solutions)
Condition0 = 0x1fb5 "S-1-5-21-1105246401-3156558273-4088333098-1113" (WseRemoteAccessUsers)
Ignore-User-Dialin-Properties = TRUE
NP-Allow-Dial-in = TRUE
NP-Allowed-EAP-Type = "19000000..." (PEAP type 25) + "1a000000..." (MSCHAPv2 type 26)
NP-Authentication-Type = 0x3, 0x9, 0x4, 0xa, 0x5
```
### OpenVPN config on MaraHomeNew
```
client
dev tun
proto tcp
remote 64.139.88.249 1194 <- NW site, NOT CC
auth-user-pass PST-NW-VPN-auth.txt
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
key-direction 1
redirect-gateway def1
```
Mike will replace with config pointing to CC site (UCG 98.190.129.150:1194) to enable LAN access for cert enrollment.
### Certificate enrollment failures on Mara machines
```
certutil -autoenroll → CertUtil: Unknown arg: -autoenroll (not available on Win10/11)
certreq -enroll -machine -q Machine → Template not found + CERTSRV_E_PROPERTY_EMPTY
Get-Certificate -Template Machine → CX509PolicyServerUrl::_GetStringProperty: CERTSRV_E_PROPERTY_EMPTY
(no enrollment policy server; DCOM unreachable from remote)
```
---
## Pending / Incomplete Tasks
| Task | Status | Notes |
|------|--------|-------|
| Place CC OpenVPN config on MaraHomeNew | **PENDING (Mike)** | Mike will add config pointing to 98.190.129.150:1194 (UCG at CC). Auth-user-pass with credentials file, or cert-based. Need to replace PST-NW-VPN-auth.txt with CC site credentials. |
| Connect MaraHomeNew via OpenVPN to CC | **PENDING** | Once CC config is in place, trigger openvpn --config ... via RMM (or manually). Verify route to 192.168.0.2. |
| Enroll machine cert on MaraHomeNew via certreq | **PENDING** | Once on office LAN: `certreq -enroll -machine -q -config "PST-SERVER.PEACEFULSPIRIT.local\PEACEFULSPIRIT-PST-SERVER-CA" Machine` |
| Verify machine cert enrolls correctly | **PENDING** | Check Cert:\LocalMachine\My for CN=MaraHomeNew.PEACEFULSPIRIT.local from PEACEFULSPIRIT-PST-SERVER-CA |
| Enroll machine certs on Maras-HP-Laptop and PST-SURFACE | **PENDING** | Same process once MaraHomeNew is confirmed working. HP and Surface also have OpenVPN Connect installed. |
| Configure RRAS to accept machine cert auth for IKEv2 | **PENDING** | May need additional RRAS config after certs are enrolled; verify if current config auto-detects machine certs |
| Update Mara machines' VPN profiles to MachineCertificate auth | **PENDING** | Change AuthenticationMethod from Eap to MachineCertificate; remove EAP XML |
| Test pre-login VPN connection on MaraHomeNew | **PENDING** | After machine cert enrolled and VPN profile updated |
| Verify EAP XML type in current "Peaceful Spirit VPN" profile | **PENDING** | Get-VpnConnection returned XmlElement object instead of string; need to verify type 25 vs 26 |
| Identify Mara's OpenVPN Connect profile source on HP and Surface | **PENDING** | OpenVPN Connect running but no .ovpn files found in standard paths — check ConnectHandler user data or registry |
| Clean up temp files on PST-SERVER | **PENDING** | `C:\ProgramData\fix_acl.ps1`, `acl_result.txt`, `verify_acl.ps1`, `acl_verify.txt` — safe to delete |
| Confirm PST-VPN-Test NPS policy is gone | **DONE** | Not listed in netsh nps show np output |
| Grant AutoEnroll on Machine template for Domain Computers | **DONE** | ACL write confirmed via sysadmin-context query |
---
## Reference Information
- GuruRMM API: `https://rmm.azcomputerguru.com/api/`
- PST-SERVER agent: `https://rmm.azcomputerguru.com/api/agents/6b6106a7-8515-4b6b-857d-0dc6ede53f35`
- MaraHomeNew agent: `https://rmm.azcomputerguru.com/api/agents/c778b6a3-c646-4454-a065-8c8bdcb1578e`
- Maras-HP-Laptop agent: `https://rmm.azcomputerguru.com/api/agents/13cb3629-5043-4bd6-b977-6968eeccf804`
- PST-SURFACE agent: `https://rmm.azcomputerguru.com/api/agents/4a993b61-59b3-42f4-bdb5-d4362941f7d6`
- Peaceful Spirit client in RMM: ID `00015eae-50e5-4102-93fa-ab0fdb135c08`
- Country Club site in RMM: ID `7b32983d-982a-4a5c-af07-45a23453f589`
- Certificate AutoEnroll GUID: `a2a8902a-4010-11d1-a7b0-0060b0576642`
- Certificate Enroll GUID: `0e10c968-78fb-11d2-90d4-00c04f79dc55`
- Vault: `clients/peaceful-spirit/server.sops.yaml`, `clients/peaceful-spirit/vpn.sops.yaml`
- Prior session log: `clients/peaceful-spirit/session-logs/2026-05-10-session.md`
- MaraHomeNew OpenVPN config: `C:\Users\PeacefulSpiritMassag\OpenVPN\config\PST-NW-VPN-Windows\PST-NW-VPN-Windows.ovpn`