Azure SSO Pritunl Auth

Hi,

We used Pritunl with OpenVPN and the Pritunl clients before, so we only needed to authenticate against Azure to get our profiles. That worked pretty well. Now we have configured Conditional Access compliance policies on the Azure side, which required disabling OpenVPN usage for Pritunl. We figured that we need to enable single sign-on authentication in the Pritunl server configuration to force the compliance policy to always be checked before the VPN is enabled. After I configured the single sign-on authentication URL in the default settings, I thought the client would start to open a browser session to authenticate against Azure. That doesn't work. Is there something else we need to disable or change for this to work?
Thank you.

In addition, we are using HAProxy in front of Pritunl and have enabled the Load Balancer option in the global settings, in case that has any effect.

I have looked into the Azure conditional access policies in Entra and have been unable to get it working. The system seems to be mostly focused on controlling access to the Microsoft 365 applications instead of all sign-on requests going through Entra. Using connection authentication with the authentication cache disabled in the top right settings will trigger a full sign-in through Entra for every VPN connection. This should allow the conditional access policies to work.

It’s possible there is some configuration in Azure that will allow it to work. Microsoft single sign-on has always had a lot of problems and it seems to be an ongoing issue with Entra.

Hi and thanks for the reply. The problem with conditional access is that it doesn't apply to apps even if it says so. It is resource focused, and Pritunl, like other apps, uses the Microsoft Graph API as the resource. My problem is that the client doesn't even show the SSO prompt when we hit connect to start the browser. Disabling the auth cache doesn't change anything. The server URL of my Pritunl server is server1.vpn.example.com and my URL for the Pritunl web page (HAProxy) is vpn.example.com. I also configured vpn.example.com as the Single Sign-On Domain and Sync URI, is that right?

Thanks :)

Hi,

Fixed it. In the top right corner in the general settings I switched the Azure SSO method to SAML (just as an example) and tried the client SSO again. That worked like a charm. So I think, as you mentioned, Zach, the authentication cache was the problem. However, deactivating the authentication cache didn't clear it correctly, I think. It was cleared after the SSO authentication switch, it seemed. After switching back to Azure and filling in my Tenant, App and Secret IDs, everything worked.
Thank you

Okay, now it stopped working again. I don't think this relies on the IdP side, because I cannot switch the SSO mechanism now and force the client to open a browser tab to reauthenticate. It just doesn't do anything on connect.

Azure also caches and skips the full login, so it may not be visible when the browser opens, but if the browser opens and it shows the completion message the process did occur. This can be seen from Chrome developer tools in the network tab with preserve log enabled. There are likely settings in Azure that control that process. But I’ve worked with other users trying to use conditional access and even when it is a full sign-on process it did not trigger any conditional access policies.

I am a bit further now. I have 3 Pritunl hosts: 1.vpn.example.com, 2.vpn.example.com and 3.vpn.example.com, and the access domain for the Pritunl portal is vpn.example.com (that's also the sync domain and SSO domain). After I removed 1 and 2 from my HAProxy round-robin load balancer it worked for the web login process. After the successful login page from Pritunl appears, the client is now stuck on "Connecting". Is there something else that I need to do? Thank you.

The VPN connection can’t be through any load balancer. Verify all the addresses are configured correctly. Below are all the addresses and how to configure them.

Hosts Tab

  • Host Public Address: The public IPv4 address or domain of the Pritunl host. This should always be the public IP of the host for all configurations even when using a load balancer.
  • Host Public IPv6 Address: The public IPv6 address or domain of the Pritunl host. This should always be the public IP of the host for all configurations even when using a load balancer.
  • Host Sync Address: In the advanced host settings. The public address or domain that the web server of the Pritunl servers can be accessed from. If a load balancer is configured that address should be set here.

Top Right Settings

  • Connection Single Sign-On Domain: Only shown when using single sign-on connection authentication. The public address or domain that is used to validate single sign-on requests through the Pritunl web server for a new VPN connection. If a load balancer is configured that address should be set here.
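To make the address rules in the post above easier to check against a real deployment, here is an added example checker (it is not part of the thread and not Pritunl's own tooling). The host and domain names are the constructed ones from this thread; the `Deployment`/`PritunlHost` types and `check_deployment` function are hypothetical helpers that encode the three rules: the Host Public Address must never be the load balancer, the Host Sync Address must be the load balancer address, and the Connection Single Sign-On Domain must be the load balancer address.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PritunlHost:
    """One Pritunl host as configured in the Hosts tab (constructed model)."""
    name: str
    public_address: str        # Host Public Address (IPv4 or domain)
    sync_address: str          # Host Sync Address (advanced host settings)
    public_address6: str = ""  # Host Public IPv6 Address, optional


@dataclass
class Deployment:
    """Deployment-wide settings relevant to the address rules (constructed model)."""
    load_balancer: str  # address users hit for the web UI (HAProxy in this thread)
    sso_domain: str     # Connection Single Sign-On Domain (top right settings)
    hosts: list[PritunlHost] = field(default_factory=list)


def check_deployment(d: Deployment) -> list[str]:
    """Return a list of misconfigurations; an empty list means the addresses
    follow the rules from the post above."""
    findings: list[str] = []

    # Rule: SSO requests for new VPN connections are validated through the
    # web server, so behind a load balancer the SSO domain is the LB address.
    if d.sso_domain != d.load_balancer:
        findings.append(
            f"Connection Single Sign-On Domain is {d.sso_domain!r}; "
            f"expected the load balancer address {d.load_balancer!r}"
        )

    seen_public: dict[str, str] = {}
    for h in d.hosts:
        # Rule: VPN traffic must reach the host directly, never via the LB.
        for addr in (h.public_address, h.public_address6):
            if addr and addr == d.load_balancer:
                findings.append(
                    f"{h.name}: Host Public Address {addr!r} is the load balancer; "
                    "VPN connections cannot go through a load balancer"
                )
        # Rule: the sync address is the web server address, i.e. the LB.
        if h.sync_address != d.load_balancer:
            findings.append(
                f"{h.name}: Host Sync Address {h.sync_address!r} should be the "
                f"load balancer address {d.load_balancer!r}"
            )
        # Extra check (an assumption, not stated in the post): two hosts that
        # share a public address cannot both be reached directly by clients.
        if h.public_address in seen_public:
            findings.append(
                f"{h.name}: Host Public Address {h.public_address!r} is also "
                f"used by {seen_public[h.public_address]}"
            )
        seen_public.setdefault(h.public_address, h.name)
    return findings


# Constructed sample matching the thread: three hosts behind vpn.example.com.
GOOD = Deployment(
    load_balancer="vpn.example.com",
    sso_domain="vpn.example.com",
    hosts=[
        PritunlHost("host1", "1.vpn.example.com", "vpn.example.com"),
        PritunlHost("host2", "2.vpn.example.com", "vpn.example.com"),
        PritunlHost("host3", "3.vpn.example.com", "vpn.example.com"),
    ],
)

# Constructed broken variant: host 1 points at the load balancer, host 2 syncs
# against itself, and the SSO domain is a single host rather than the LB.
BAD = Deployment(
    load_balancer="vpn.example.com",
    sso_domain="3.vpn.example.com",
    hosts=[
        PritunlHost("host1", "vpn.example.com", "vpn.example.com"),
        PritunlHost("host2", "2.vpn.example.com", "2.vpn.example.com"),
    ],
)

if __name__ == "__main__":
    for label, dep in (("good", GOOD), ("bad", BAD)):
        print(label, check_deployment(dep) or "ok")
```

Running it prints `ok` for the first deployment and three findings for the second; each finding names the host and the setting to change, which is the same walk through the Hosts tab and top right settings the post describes.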

Yes, that's the case. I attached the test host 3.vpn.example.com to my Pritunl server. The vpn.example.com domain is the sync and SSO domain and all users connect to this domain on the web UI. The SSO init with the browser also works now if I only use server 3 on my reverse proxy. But after that successful browser login the client idles on "Connecting".