TMG SSTP VPN (Certificate Replacement)

    Question

  • Hello Guys,

    Yesterday I was trying to connect to my corporate network through VPN (TMG SSTP). Only to get this message:

    "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."

    I checked the Certificate and it was expired. 
    I issued a new certificate and replaced it in the TMG VPN configuration.

    I have tried to establish the VPN connection many times but I am still getting the same error message!

    Today and after about 24 hours it is still the same.

    Any idea if there is anything else I need to do?

    Thanks


    MCP, MCSA 2000, MCSE 2000, MCSA 2003, MCSE 2003, MCSA Security 2000, MCSE Security 2000, MCSA Security 2003, MCSE Security 2003, MCTS, MCITP: Enterprise Administrator. "It isn't important to be better than others. It's important to be better than you were yesterday"

    Wednesday, September 11, 2013 6:33 AM

Answers

  • Thanks for the update Black Spider.  This is happening because HTTP.SYS is still listening on the old/expired certificate.  Here is what we need to do:

    1. Run the following command on the TMG server to check the SSL certificate bound to HTTP.sys

    netsh http show sslcert

    2. Please look at the certificate with IP:Port pair as x.x.x.x:443 and note down the Certificate hash value (x.x.x.x is the TMG Server's IP address on which SSTP is configured to listen)

    3. Check the old/expired SSTP certificate in Local Computer -> Personal Store and look for "Thumbprint".  It will have the same value as the Certificate hash value from the netsh command output in the previous step

    4. Remove the old/expired certificate binding from HTTPS Listener

    netsh http delete sslcert ipport=x.x.x.x:443

    5. Confirm that the new/valid SSTP certificate was installed in the Local Computer -> Personal Store on the TMG server, please make a note of its "Thumbprint" or Hash value

    6. Bind the new certificate to the HTTPS Listener (assuming new certificate has SHA1 certificate hash as abcd)

    netsh http add sslcert ipport=x.x.x.x:443 certhash=abcd appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

    7. Run the netsh command from Step 1 to ensure that you see the new/valid certificate hash for the binding

    8. Restart the TMG firewall service or reboot the server and test the VPN connection

    Please let me know how this goes.


    Mohit Kumar [MSFT]| Technical Lead | CSS Security



    Thursday, September 26, 2013 10:34 PM
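The same procedure as a single script, added here as an example and not part of the answer above or of any Microsoft tooling. It assumes the operator supplies the listener IP and the renewed certificate's thumbprint; without -Apply it only reports and changes nothing.

```powershell
# Added example, not from the thread: check and repair the HTTP.sys SSL binding that the
# TMG SSTP listener uses (steps 1-7 of the answer above). Run elevated on the TMG server.
# Assumptions: $ListenerIP is the IP SSTP listens on; $NewThumbprint is the SHA1 thumbprint
# of the renewed certificate in Cert:\LocalMachine\My (both supplied by the operator).
param(
    [Parameter(Mandatory)] [string] $ListenerIP,
    [Parameter(Mandatory)] [string] $NewThumbprint,
    [switch] $Apply                      # without -Apply the script only reports
)
$ipport    = "${ListenerIP}:443"
$sstpAppId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'   # SSTP application ID from the thread
$store     = 'Cert:\LocalMachine\My'
$now       = Get-Date

# Step 1: which certificate hash does HTTP.sys currently serve on this IP:port?
$output = netsh http show sslcert ipport=$ipport
$m = $output | Select-String -Pattern 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})'
if (-not $m) { throw "HTTP.sys has no SSL binding for $ipport (netsh said: $($output -join ' '))" }
$boundHash = $m.Matches[0].Groups[1].Value.ToUpper()
"Bound certificate hash : $boundHash"

# Step 3: the bound hash is the thumbprint of a cert in the Personal store; is that cert expired?
$boundCert = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $boundHash }
if ($boundCert) {
    "Bound certificate      : $($boundCert.Subject), expires $($boundCert.NotAfter)"
    if ($boundCert.NotAfter -gt $now) { Write-Warning 'Bound certificate is still within its validity period' }
} else { Write-Warning 'Bound hash matches no certificate in the Personal store' }

# Step 5: the renewed certificate must be present, unexpired and carry its private key
$newCert = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $newCert)               { throw "No certificate with thumbprint $NewThumbprint in $store" }
if ($newCert.NotAfter -le $now)  { throw "Certificate $NewThumbprint expired on $($newCert.NotAfter)" }
if (-not $newCert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key" }
if ($boundHash -eq $newCert.Thumbprint) { 'HTTP.sys already serves the new certificate'; return }

if (-not $Apply) { "Dry run: re-run with -Apply to rebind $ipport to $($newCert.Thumbprint)"; return }

# Steps 4 and 6: drop the stale binding, then bind the renewed certificate with the SSTP app ID
netsh http delete sslcert ipport=$ipport | Out-Null
netsh http add sslcert ipport=$ipport certhash=$($newCert.Thumbprint) appid=$sstpAppId certstorename=MY
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# Step 7: confirm the binding now shows the new hash; step 8 (restart the TMG Firewall service) is manual
netsh http show sslcert ipport=$ipport | Select-String 'Certificate Hash'
```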

All replies

  • Hi,

    Please try troubleshooting through the steps below:

    1. Confirm the time zone and time are the same on your TMG server, CA, and client device.
    2. Check your certificate validity period and why it expired (compare the validity period with your client's local time).
    3. Please make sure that your client device downloaded the correct CRL.

    Here is some information on how to create an SSTP VPN on TMG for your reference:

    http://www.definit.co.uk/2011/03/configuring-sstp-vpn-connections-threat-management-gateway-2010/

    http://www.youtube.com/watch?v=chdrUaQV_xE

    If problem persists, please feel free to contact me.

    Best Regards

    Quan Gu

    Thursday, September 12, 2013 2:15 AM
    Moderator
  • Hi,

    1- Time zone and time are the same on TMG server CA and client. I used "net time" to make sure of that.

    2- Certificate was expired, I renewed it and it is valid till 2015

    3- Can we force the computer to download the latest crl?

    Still facing the same issue even with a renewed certificate.

    Regards


    MCP, MCSA 2000, MCSE 2000, MCSA 2003, MCSE 2003, MCSA Security 2000, MCSE Security 2000, MCSA Security 2003, MCSE Security 2003, MCTS, MCITP: Enterprise Administrator. "It isn't important to be better than others. It's important to be better than you were yesterday"

    Monday, September 23, 2013 9:43 AM
  • hi,

    You can download the latest CRL list through the URL below:

    http://x.x.x.x/certsrv  (x.x.x.x is CA's address)

    After that, you can manually import the CRL :

    http://technet.microsoft.com/en-us/library/aa996972(v=exchg.65).aspx

    Monday, September 23, 2013 12:14 PM
    Moderator
  • Still The Same.

    MCP, MCSA 2000, MCSE 2000, MCSA 2003, MCSE 2003, MCSA Security 2000, MCSE Security 2000, MCSA Security 2003, MCSE Security 2003, MCTS, MCITP: Enterprise Administrator. "It isn't important to be better than others. It's important to be better than you were yesterday"

    Monday, September 23, 2013 1:34 PM
  • Hi,

    Thank you for your patience and support.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards

    Quan Gu

    Tuesday, September 24, 2013 5:09 AM
    Moderator
  • Hello,

    Hope you're well.  Please open a browser on your test client and browse to https://<NameofSSTPCertificate>/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ where NameofSSTPCertificate is the name being used to connect to the SSTP service on your TMG server.  Check the certificate being returned to the client for validity to ensure it is the new/valid certificate that you've recently installed and not the old/expired certificate.

    Please update the thread with your findings from the above mentioned test. 


    Mohit Kumar [MSFT]| Technical Lead | CSS Security

    Thursday, September 26, 2013 1:28 AM
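The browser check above can be scripted from the client so the served certificate's thumbprint and validity dates can be compared directly with the renewed certificate. This is an added example, not code from the thread; it assumes $SstpHost is the name clients use for the SSTP service (NameofSSTPCertificate above).

```powershell
# Added example, not from the thread: show the certificate the TMG SSTP listener actually
# presents during the TLS handshake. Assumption: $SstpHost is the SSTP service name clients use.
param([Parameter(Mandatory)] [string] $SstpHost, [int] $Port = 443)

$client = New-Object System.Net.Sockets.TcpClient($SstpHost, $Port)
try {
    # Accept whatever certificate is offered: the point is to inspect it, not to trust it,
    # so an expired certificate is displayed instead of aborting the handshake.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($SstpHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Thumbprint here should equal the hash bound in HTTP.sys (netsh http show sslcert) on the server
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        Expired    = $cert.NotAfter -lt (Get-Date)
    }
}
finally { $client.Close() }
```

If Expired is True or the thumbprint is the old one, the server is still serving the stale binding even though the store holds the renewed certificate.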
  • Hey Mohit,

    This is so strange I am still getting the old one, even though the old one has been replaced!

    Valid from Sunday, September 04, 2011 1:46:55 PM

    Valid to Tuesday, September 03, 2013 1:46:55 PM

    Any suggestions?  Many Thanks.


    MCP, MCSA 2000, MCSE 2000, MCSA 2003, MCSE 2003, MCSA Security 2000, MCSE Security 2000, MCSA Security 2003, MCSE Security 2003, MCTS, MCITP: Enterprise Administrator. "It isn't important to be better than others. It's important to be better than you were yesterday"


    Thursday, September 26, 2013 8:27 AM
  • Hello,

    Any update on this?


    Mohit Kumar [MSFT]| Technical Lead | CSS Security

    Friday, October 04, 2013 2:27 PM
  • Hi,

    Are there any updates?

    Best Regards

    Quan Gu

    Wednesday, October 09, 2013 5:19 AM
    Moderator
  • Sorry guys, I am on vacation and will not be able to update you anytime soon.

    Thanks for your follow up.



    MCP, MCSA 2000, MCSE 2000, MCSA 2003, MCSE 2003, MCSA Security 2000, MCSE Security 2000, MCSA Security 2003, MCSE Security 2003, MCTS, MCITP: Enterprise Administrator. "It isn't important to be better than others. It's important to be better than you were yesterday"

    Thursday, October 10, 2013 7:44 PM
  • Do you have an update for us?

    Mohit Kumar [MSFT]| Technical Lead | CSS Security

    Wednesday, December 04, 2013 10:27 PM
  • Thanks for following up. Unfortunately I do not have an update on this issue because I have left the company and sent the link of this post to the new guy but he never updated me.

    I really wanted to try this method you have provided but right now it is almost impossible as I also left the whole region too. :)

    Best Regards 

    BlackSpider

     

    MCP, MCSA 2000, MCSE 2000, MCSA 2003, MCSE 2003, MCSA Security 2000, MCSE Security 2000, MCSA Security 2003, MCSE Security 2003, MCTS, MCITP: Enterprise Administrator. "It isn't important to be better than others. It's important to be better than you were yesterday"

    Friday, December 06, 2013 10:30 PM