Skip to content

v1.2 — Azure VPN end-to-end; same YubiKey unlocks AD AND cloud

Latest
Latest

Choose a tag to compare

View all tags
@glennbyron1 glennbyron1 released this 24 Jun 12:43
· 7 commits to main since this release
v1.2
9e33ddf

Headline — Same physical YubiKey now unlocks AD AND Azure VPN

One slot 9a cert, two authentication contexts. Kerberos PKINIT (Event 4768 Pre-Auth Type 16) authenticates AD logon on-prem; EAP-TLS authenticates Azure Point-to-Site VPN in the cloud. The credential never leaves the hardware token. Both authentications validate the same chain to the same internal Lab-CA. One possession factor (the card), one knowledge factor (the PIN), two clouds — without ever provisioning a parallel "VPN credential."

This is the "hybrid trust" claim federal Zero-Trust roles look for. Not "I built two things"; one credential that works in two clouds because both trust the same internal CA.

📄 Build guide: Architecture/Azure-VPN-Guide.md (ARCH-ICAM-013)

Maps to NIST SP 800-53 IA-2, IA-2(11), IA-5(11), AC-17, SC-8, SC-12, SC-17, CM-3, AU-6 · DoD ZTRA Identity + Devices + Networks pillars · NIST SP 800-207 Zero Trust Architecture.

What's new

Phase 9 Azure VPN — built end-to-end

A complete deploy → test → teardown cycle of Azure Point-to-Site VPN with certificate authentication from the lab's internal CA:

  • Cost guardrail ($20/month budget alert wired before any resource was created)
  • VNet 10.20.0.0/16 with the required GatewaySubnet 10.20.255.0/27
  • VpnGw1 VPN Gateway with Standard Static public IP (~40 min deploy)
  • Lab-CA root cert exported from Lab-DC01 via PowerShell Direct, Base64-uploaded to Azure as the P2S trust anchor
  • jdoe's YubiKey-resident smart card cert (slot 9a, the same one used for AD logon since v1.1) authenticated the EAP-TLS exchange
  • P2S client assigned 172.16.0.2 from the VPN address pool; tunnel up
  • Teardown via Remove-AzResourceGroup -Force -AsJob in the same session — total cost ~$0.40 in gateway hours

Slot 5 of Demo-Walkthrough closed — all 8 slots now captured

  • Screenshots/05-vpn-azure-eap-cert-auth-no-password.png — headline: jdoe@lab.local connected to vnet-cac-lab-phase9 over EAP-TLS, duration counter running, no password prompt
  • Screenshots/05b-vpn-ipconfig-172-16-0-2.pngipconfig showing the PPP adapter with the P2S-assigned IP
  • Screenshots/05c-vpn-caption-azure-p2s-eap-tls.png — configuration caption documenting the auth mechanism

PKI architecture discovery — designed two-tier, deployed single-tier

Honest portfolio finding captured in the Azure VPN guide:

  • The lab's design doc describes a two-tier PKI (offline Root CA signs Issuing CA on Lab-DC01)
  • Lab-DC01's Trusted Root store shows CN=LAB-CA as self-signed — Subject == Issuer
  • The separate CN=Lab Root CA cert exists (10-year, valid 2026 → 2036) but has basicConstraints CA:TRUE, pathlen:0 — per RFC 5280, this means the Root can only sign end-entity certs, NOT sub-CAs. So it could not have signed LAB-CA as an intermediate.
  • The deployed PKI is operationally single-tier with LAB-CA as the trust anchor

Captured as a "designed vs deployed" delta in the build guide, not hidden. Future remediation queued.

Install pitfall + working fix path

Three install paths were attempted before one worked. The lesson ships with the build guide so anyone walking the same path doesn't lose an hour:

Path Result
VpnClientSetupAmd64.exe → Run as administrator Blocked by scforceoption=1 GPO elevation prompt for CardIssuer VSC PIN; even with creds entered, installer left system phonebook at 0 bytes
Azure VPN Client app from Microsoft Store + XML import with thumbprint hardcoded Cert picker doesn't enumerate YubiKey-resident certs; Save validation fails with "client certificate must include an issuer" even with <hash> and <issuer> both populated
VpnProfileSetup.ps1 from elevated PowerShell + Tunnel type Automatic ✅ Works — the script bypasses the GUI elevation block; Automatic tunnel type gives Windows IKEv2/SSTP/L2TP fallback

Three Azure VPN docs consolidated to one canonical guide

The original "starter" Azure-VPN-Lab-Guide.md, the build doc Phase9-Azure-VPN-Build-Guide.md, and the roadmap design CAC_PIV_Phase9_Azure_VPN_ConditionalAccess.md are merged into one Architecture/Azure-VPN-Guide.md. Sits parallel to the existing Architecture/WatchGuard-IKEv2-VPN-Guide.md for on-prem.

The new guide covers: CGNAT framing, cost discipline, architecture diagram with trust chain, full 11-step build sequence, lessons learned, PKI discovery, control mapping (NIST + Zero Trust), future phases 9.1/9.3/9.4/9.5/9.6 (designed not built), and honest framing.

What's NOT in v1.2 — designed but not built

Documented in the build guide so the "what's shipped vs what's designed" line is honest:

  • 9.1 Entra ID baseline — M365 Developer tenant + synthetic test users + MFA enrollment
  • 9.3 Conditional Access — the actual DoD pattern, where "VPN = you're in" becomes "policy decides on every connection"
  • 9.4 Device compliance signal — Intune compliance policy + Entra device registration
  • 9.5 Visibility & decisioning — Entra sign-in logs to Log Analytics + basic detections

These will land in a future v1.3 or as their own incremental tags. The Phase 9 design doc is preserved inside the consolidated build guide so the full vision stays visible.

Infrastructure changes

Documentation consolidation

3 source docs deleted: Architecture/Azure-VPN-Lab-Guide.md, Architecture/Phase9-Azure-VPN-Build-Guide.md, Architecture/Roadmap/CAC_PIV_Phase9_Azure_VPN_ConditionalAccess.md

7 cross-references updated across Demo-Walkthrough.md, CSET-Assessment-Guide.md, SSP-Template.md, and TODO.md. Zero broken refs after consolidation.

Screenshots catalog rewritten

Screenshots/README.md reorganized into 5 tiers (Demo-Walkthrough headline shots, Lessons-Learned discovery evidence, session evidence, FIDO2 credential evidence, portfolio reference). Phase 9 slot 5 captures added to the catalog.

For reviewers — start here

Artifact Why it matters
Architecture/Azure-VPN-Guide.md The headline v1.2 deliverable. Complete Azure VPN P2S build with Lab-CA + YubiKey cert auth. Includes the install pitfall lesson and the PKI discovery.
Demo-Walkthrough.md Step 5 The slot 5 marquee shot — same YubiKey unlocks AD AND Azure VPN, no password anywhere
Lab-Kit/Reference/RUNBOOK-YubiKey-Enrollment.md The runbook that produced jdoe's smart card cert; same cert authenticates v1.2's Azure VPN
Architecture/Lessons-Learned/2026-06-16-Silent-VSC-Fallback-Discovery.md The v1.1 acceptance check pattern this build inherits — certutil -scinfo as reader-level verification

Acknowledgments

The "same physical card, two clouds" pattern is a real federal-IT design pattern, not original to this lab. What this lab demonstrates is the buildable proof of it in a homelab with commodity hardware (one YubiKey, free Azure for Students subscription, internal CA). The deploy → test → teardown cost discipline is itself a learnable artifact for cloud-governance interview answers.

Assets 2
Loading