Juniper SSL VPN and third party certificates
Hello, I was working with some Juniper technicians setting up a Juniper SSL VPN to use third party smart card certificates to log on to the VPN. They had us set up a certificate server authentication piece for validating the certificate presented to the Juniper device. Then they had us set up a secondary authentication method to check the Active Directory account (extracted from the SAN field in the certificate). We found out that the AD check was simply checking the existence of the account and not checking whether it was locked or disabled. We inserted logic that checks for the following based on the User Principal Name - UserAccountControl = 512 or 262656 and ms-DS-User-Account-Control-Computed = 0. With this we are checking to see if the account is a Normal Account (512) or a Normal Account that requires a smartcard for interactive logon (262656) and finally a check to ensure the account is not locked. We would prefer to have full Kerberos logon to the VPN, but the Juniper technician was not sure how to achieve that because of the hybrid nature of the certificates we are using. Does anyone have any ideas of how to better authenticate to the Juniper SSL VPN using third party certificates? Thank you for your time and consideration.
February 14th, 2011 1:42pm
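The account-state check described in the post above, as an added example (not code from the thread, from Juniper, or from Microsoft). It evaluates the same two attributes, userAccountControl and msDS-User-Account-Control-Computed, but tests the documented bit flags rather than exact numeric equality, which generalizes the 512 / 262656 rule to accounts that also carry other benign flags (for example DONT_EXPIRE_PASSWD). The directory entries, UPNs and the `authorize_upn` / `thread_rule` function names are constructed for illustration; a real deployment would obtain the attributes from an LDAP search on the UPN taken from the certificate SAN.

```python
# Added example: gating VPN access on Active Directory account state.
# Flag values below are the documented AD userAccountControl bits;
# everything else (entries, UPNs, function names) is constructed.

# userAccountControl bits (stored attribute)
UF_ACCOUNTDISABLE     = 0x0002
UF_NORMAL_ACCOUNT     = 0x0200    # 512
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_SMARTCARD_REQUIRED = 0x40000   # 262144; 512 + 262144 = 262656

# msDS-User-Account-Control-Computed bits (volatile state computed by the DC)
UF_LOCKOUT            = 0x0010
UF_PASSWORD_EXPIRED   = 0x800000


def thread_rule(entry):
    """The exact-equality rule from the post: UAC must be 512 or 262656
    and the computed attribute must be 0."""
    uac = int(entry.get("userAccountControl", 0))
    computed = int(entry.get("msDS-User-Account-Control-Computed", 0))
    return uac in (512, 262656) and computed == 0


def account_state(entry):
    """Bitmask version of the same check.
    Returns (allowed, reasons) for a dict holding the two attributes."""
    uac = int(entry.get("userAccountControl", 0))
    computed = int(entry.get("msDS-User-Account-Control-Computed", 0))
    reasons = []
    if not uac & UF_NORMAL_ACCOUNT:
        reasons.append("not a normal user account")
    if uac & UF_ACCOUNTDISABLE:
        reasons.append("account disabled")
    if computed & UF_LOCKOUT:
        reasons.append("account locked out")
    # A smart-card-only account has no usable password, so an expired
    # password is irrelevant for it.
    if computed & UF_PASSWORD_EXPIRED and not uac & UF_SMARTCARD_REQUIRED:
        reasons.append("password expired")
    return (not reasons, reasons)


def authorize_upn(directory, upn):
    """Look up the UPN extracted from the certificate SAN and gate on state.
    An existence-only check (the behaviour the post describes finding)
    would admit every entry present in the directory."""
    entry = directory.get(upn.lower())
    if entry is None:
        return (False, ["no account for UPN"])
    return account_state(entry)


# Constructed sample directory keyed by lower-cased UPN
SAMPLE_DIRECTORY = {
    "alice@example.test": {"userAccountControl": 262656,   # normal + smartcard
                           "msDS-User-Account-Control-Computed": 0},
    "bob@example.test":   {"userAccountControl": 514,      # 512 | ACCOUNTDISABLE
                           "msDS-User-Account-Control-Computed": 0},
    "carol@example.test": {"userAccountControl": 512,
                           "msDS-User-Account-Control-Computed": 16},  # LOCKOUT
    "dave@example.test":  {"userAccountControl": 66048,    # 512 | DONT_EXPIRE_PASSWD
                           "msDS-User-Account-Control-Computed": 0},
}

if __name__ == "__main__":
    for upn, entry in SAMPLE_DIRECTORY.items():
        print(upn, "strict:", thread_rule(entry), "bitmask:", authorize_upn(SAMPLE_DIRECTORY, upn))
```

Running it shows bob (disabled) and carol (locked out) rejected by both rules, while dave, whose only extra flag is a non-expiring password, is rejected by the exact-equality rule and admitted by the bitmask rule; which of the two is wanted is a policy decision, but the bitmask form makes the individual conditions explicit.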

VPN authentication in this scenario would typically be done through RADIUS. If you set the Juniper device to use an NPS server, you could then have the RADIUS server base the authentication attempt on the current state of the account. This would also require adding the third party CA to the NTAuth store in Active Directory (done through the PKIView.msc console). Brian
February 14th, 2011 1:55pm

For the secondary authentication method we are using a Service Account to connect with Active Directory to validate the user account based on the UPN in the Subject Alternative Name field of the smart card logon certificate presented to the Juniper device. The problem we found was that Juniper was simply checking for the existence of the account and not validating. We determined this by disabling an account and successfully logging onto the VPN. The same was true for locked accounts. Also, we already have the Issuing CA certificate in the NTAuth Certificates store in AD for accomplishing network logon with the third party smart cards. Thank you for the response as it shows me we are at least headed in the right direction. Any other helpful hints or ideas would be appreciated.
February 17th, 2011 8:00am
