SSTP EAP

  • Question

  • SSTP environment: Windows Server 2008 R2.
    Server02R with RRAS and CA (standalone) services, and Server02N with NPS services.
    I want to secure the connection to the SSTP VPN server further with client certificate EAP. So on the CA I create a request for a client certificate and then I export it and import it on the local machine. Connection without EAP types works fine with domain user name and password. The problem only arises when I check, on the Security tab of the VPN connection, "Use Extensible Authentication Protocol (EAP)" with the drop-down menu "Microsoft: Smart Card or other certificate (encryption enabled)".
    On Server02N with the NPS services role, in Connection Request Policy I create a new one with the setting "Override network policy authentication settings", check "Microsoft: Smart Card or other certificate", and on Edit I have a certificate for Server02R (sstp.example.com). When a user tries to connect to the SSTP VPN server he gets error 691. In the logs on the RRAS server I get errors 20255 and 20271 with the message:
    CoId={0E740F79-5576-44F2-8FE2-A12A4B2055BE}: The following error occurred in the Point to Point Protocol module on port: VPN0-127, UserName: Kris SSTP Mix. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error. What am I doing wrong? Please help me because I don't have any idea about that. Thanks in advance.
    • Edited by kampoli Thursday, November 22, 2012 8:48 AM
    Thursday, November 22, 2012 8:02 AM

All replies

  • Hi,

    Thanks for your post.

    Please note that it is not recommended to deploy EAP-TLS authentication (Smart Card or other certificate) using a standalone CA, because you need to manually request the computer and user certificates and export/import them with the private key into the right container. For easier management of issuing, such as auto-enrollment, you should use an Enterprise CA. Then use this CA to issue a server certificate for the NPS server. Based on the EAP-TLS authentication method you choose, deploy the certificate templates for users and client computers.

    Certificate Requirements for PEAP and EAP

    http://technet.microsoft.com/en-us/library/cc731363

    Best Regards,

    Aiden



    Aiden Cao
    TechNet Community Support

    Friday, November 23, 2012 2:22 AM
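The certificate requirements Aiden links to (private key present, valid dates, a subject name, the right Enhanced Key Usage, and a chain to a trusted root) can be checked before touching NPS. The following PowerShell script is an added example, not part of the original thread or of Microsoft's documentation; the thumbprint is a placeholder, the store path defaults to the machine Personal store (use Cert:\CurrentUser\My for a user certificate), and revocation checking is deliberately skipped so the check also runs offline.

```powershell
# Added example (not from the thread): check one certificate against the EAP/PEAP
# certificate requirements. Run with -Role Server on the NPS server for the server
# authentication certificate, or -Role Client on a VPN client for the client cert.
param(
    [string]$Thumbprint = 'REPLACE-WITH-THUMBPRINT',        # placeholder (assumed)
    [string]$StorePath  = 'Cert:\LocalMachine\My',          # Cert:\CurrentUser\My for user certs
    [ValidateSet('Server', 'Client')] [string]$Role = 'Server'
)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (NPS side of PEAP/EAP-TLS)
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (user/computer cert for EAP-TLS)
$requiredEku = if ($Role -eq 'Server') { $serverAuth } else { $clientAuth }

$cert = Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

$problems = @()

# 1. The private key must live in this store; an exported .cer carries only the public half.
if (-not $cert.HasPrivateKey) { $problems += 'private key is missing' }

# 2. Validity window.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += 'certificate is not currently valid' }

# 3. EAP rejects a certificate whose Subject is empty.
if ([string]::IsNullOrEmpty($cert.Subject)) { $problems += 'subject name is empty' }

# 4. Enhanced Key Usage must include the purpose for this role.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekus = @()
if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekus -notcontains $requiredEku) { $problems += "EKU $requiredEku ($Role Authentication) is missing" }

# 5. The chain must build to a root in this machine's Trusted Root store.
#    Revocation is skipped here so the check works offline; NPS itself does check CRLs.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $problems += "chain does not build: $status"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $($cert.Subject) meets the $Role EAP certificate requirements"
} else {
    Write-Output "FAIL: $($cert.Subject)"
    $problems | ForEach-Object { Write-Output "  - $_" }
}
```

A certificate that fails item 1 or 4 here produces exactly the kind of "authentication method ... may not match" refusal the original post shows, because EAP silently discards certificates it cannot use rather than reporting which requirement was missed.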
  • Hi,

    How are things going? I just want to check if the information provided was helpful. If there is any update or concern, please feel free to let us know.

    Best Regards,
    Aiden



    Aiden Cao
    TechNet Community Support

    Monday, November 26, 2012 4:46 AM
  • I know that it is not recommended, but in this case it is the only solution for a few computers, so there will be no problem with import and export; in the future I will migrate this CA to an Enterprise PKI, but at this moment I can't. I have a problem with generating a certificate request to the standalone CA because I don't have certificate templates (only in Enterprise). Can you tell me how I should generate this EAP certificate for client authentication? I'm trying to generate it with these steps:

    Create and submit a request to this CA > Identifying Information > Type of certificate needed [here I must check Other ... and OID; which number is for an EAP client certificate?] > Key Options > Create new key set [Microsoft RSA SChannel Cryptographic Provider], Key Usage: Exchange, Key size: 2048, Automatic key container [checked] > Mark private key as exportable [checked] > Additional Options: Request format [CMC] > Hash Algorithm: [sha1] > SUBMIT

    Monday, November 26, 2012 7:45 AM
  • Hi,

    Sorry for the delay.

    Your steps are correct. The Web enrollment pages on a standard CA are built in by default, and they allow you to define certificate values and settings; the advanced certificate request option provides a Web page where you can specify values such as the Identifying Information (for the certificate Subject) and select commonly used certificates (such as client authentication), so that you do not need to type in the OID.

    Best Regards,

    Aiden



    Aiden Cao
    TechNet Community Support

    Thursday, November 29, 2012 5:20 AM
  • So please help me: what is wrong with the EAP configuration? All the time I get error 691 during connection with the certificate. On NPS I configured the Connection Request Policy with "Override network policy authentication settings" (picture 1); in the Network Policy I've got only one condition, day and time restrictions, allowing all the time. So if I don't have to generate the certificate with an OID, please tell me whether everything in that configuration is OK, and which CSP should be checked: Microsoft Enhanced RSA and AES or Microsoft RSA SChannel Cryptographic Provider (picture 2), with 2048 key size. Everything looks fine, but all the time the same error:

    CoId={3316E1E0-56C3-46F2-89D5-FD46F4A42262}: The following error occurred in the Point to Point Protocol module on port: VPN0-127, UserName: Test RSA . The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

    Additionally: this cert is not added to the user account, and the test computer is not in the domain.

    Thursday, November 29, 2012 7:59 AM
  • Hi,

    Thank you for your question.
    I am trying to involve someone familiar with this topic to look further into this issue. There might be some delay. I appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,
    Aiden



    Aiden Cao
    TechNet Community Support

    Tuesday, December 4, 2012 1:34 AM
  • Hi,

    If you would like to use EAP-TLS, please remove the EAP type "Protected EAP (PEAP)" and leave only "Smart Card or other certificate". Also, please ensure the certificate meets the requirements in the following article:

    http://support.microsoft.com/kb/814394

    Best Regards

    Scott Xie


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, December 4, 2012 8:58 AM
  • OK, but I don't have an Enterprise CA and I don't know how to generate a specific certificate for Protected EAP, or how to bind it to a user or computer. Second, when I don't have an Enterprise CA, how do the domain controllers know about the users who have access to the VPN? I wrote above, step by step, how I create a new certificate, but I don't get any constructive answer to that or what comes next. Is there any way to use a standalone CA with SSTP?

    I've got a simple question, in fact two: how to generate a cert for PEAP on a standalone CA, and then what the next steps are, because the DC must know about the certificate generated on the standalone CA.

    Thursday, December 13, 2012 1:20 PM
  • Hi,

    The client certificate needs to be issued by an Enterprise CA. If you only have a standalone CA, I suggest you do not use EAP-TLS, but use PEAP with EAP-TLS authentication. PEAP with EAP-TLS authentication only requires the NPS server to have a server authentication certificate, and that can be issued by a standalone CA. There isn't anything that needs to be done on the DC, since the DC doesn't need to know about the certificate. The only things that need to be done are:

    1. Obtain a server-side certificate which meets the requirements in the article:

    http://support.microsoft.com/kb/814394

    2. Install the root CA certificate in the Trusted Root store on the clients so that the clients trust the certificate on the server.

    Best Regards

    Scott Xie



    Friday, December 14, 2012 8:02 AM
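Scott's two steps (a server authentication certificate for NPS from the standalone CA, then the root certificate in the clients' Trusted Root store) can be done from the command line with certreq and certutil instead of the Web enrollment pages. The script below is an added example and not commands from the thread; the NPS FQDN (server02n.example.com), the CA common name in $caConfig, and the share path for the root certificate are assumed placeholders, since the thread only names the hosts Server02R and Server02N.

```powershell
# Added example (not from the thread): request an NPS server-authentication certificate
# from the standalone CA on Server02R, then trust the CA root on a VPN client.
# Part 1 runs as an administrator on the NPS server (Server02N), Windows Server 2008 R2.

$npsFqdn  = 'server02n.example.com'             # (assumed) name clients will see in the PEAP server cert
$caConfig = 'Server02R\Example-Standalone-CA'   # (assumed) "<host>\<CA common name>"; see: certutil -dump

# certreq INF: RSA 2048 in the machine store, private key NOT exportable, Server
# Authentication EKU, and a DNS SAN matching the subject. A standalone CA has no
# templates, so the EKU and SAN are carried in the request itself.
$inf = @"
[NewRequest]
Subject = "CN=$npsFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$npsFqdn"
"@

$work = Join-Path $env:TEMP 'nps-cert'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$infPath = Join-Path $work 'nps.inf'
$reqPath = Join-Path $work 'nps.req'
$cerPath = Join-Path $work 'nps.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the PKCS#10 request.
certreq -new $infPath $reqPath

# 2. Submit to the standalone CA. Standalone CAs hold requests as "pending" until an
#    administrator issues them on Server02R (certutil -resubmit <RequestId>), so this
#    prints a request id; fetch the certificate afterwards with -retrieve.
certreq -submit -config $caConfig $reqPath $cerPath
# certreq -retrieve -config $caConfig <RequestId> $cerPath    # once the CA has issued it

# 3. Join the issued certificate to the pending request and its private key.
certreq -accept $cerPath

# --- Part 2, on each VPN client, as administrator ---
# Export the root once on the CA:    certutil -ca.cert root.cer
# Then install it in the client's machine Trusted Root store so the NPS certificate chains:
# certutil -addstore -f Root \\fileserver\share\root.cer        # (assumed path)
```

Exportable = FALSE is the setting to keep for a server certificate; it does not affect EAP on the NPS side, and it prevents the private key from being copied off the box with the certificate.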
  • OK. I recreated my VPN environment for SSTP. Now there is SSTP (RRAS services) and an NPS server (Enterprise CA and RADIUS). Everything works fine with users authenticated from Active Directory using RADIUS. Now I want to implement an EAP certificate for client computers, but I don't know which certificate template I must choose to deploy to the clients.

    Monday, December 17, 2012 11:31 AM
  • Hi,

    To use EAP with a VPN, the server and clients must have a user certificate (X.509). You can duplicate the "User" template and ensure the certificate meets the requirements in the following article:

    http://support.microsoft.com/kb/814394

    Best Regards

    Scott Xie



    Tuesday, December 18, 2012 9:50 AM
  • Hi Scott. Thanks for the solution, everything works fine, but I have got a little problem. I can duplicate the "User" template, but it is not enabled in the certificate templates. After I create a request for a certificate I see only the default User certificate, and when I click "show all" I see my duplicate, but it is disabled. The problem with this solution is that a user can export the certificate to another computer and connect to the network. The DCs are 2003 and the Enterprise CA is on Windows Server 2008 R2 Enterprise. I found that the actual certificate has version 3.1, but when I create a duplicate User certificate from the template, the version is 100.2. Why?

    Thanks in advance.

    • Edited by kampoli Wednesday, December 19, 2012 7:43 AM
    Wednesday, December 19, 2012 6:44 AM
  • Hi,

    When you click "show all", what is the exact error? I'm afraid I have only heard of the status of the template being "unavailable", not "disabled". Could you please capture a screenshot of that?

    Best Regards

    Scott Xie



    Wednesday, December 19, 2012 9:56 AM
  • Scott, you are right about the status: unavailable, not disabled. I created the duplicate using CA 2003 and 2008 and the problem is the same. I want to create a user certificate that the user cannot export to another computer. Sorry about the questions, but these are my first steps with a Windows CA. Thanks again. Regards,

    Kamil 

    Wednesday, December 19, 2012 10:19 AM
  • Hi Kamil,

    The error should be caused by the users not having permission to enroll for the certificate. Please give the users Read and Enroll permission on the template. I attach a screenshot for your reference:

    Best Regards

    Scott Xie



    Thursday, December 20, 2012 8:50 AM
  • Scott, it is not this. I checked this option after duplicating the User certificate, but I don't see this duplicate certificate under my CA server in the Certificate Templates folder; I see it only in Certificate Templates under Enterprise PKI.
    Thursday, December 20, 2012 9:40 AM
  • Hi,

    Did you issue the certificate template for your CA after duplicating the template? To issue the template,

    1. In the CA console, select the Certificate Templates container.

    2. Right-click Certificate Templates, and then click New, Certificate Template to Issue.

    3. In the Enable Certificate Templates dialog box, select the certificate template or templates that you want the CA to issue, and then click OK.

    4. Restart the CA, and the newly selected certificate template or templates will appear in the details pane.

    Also, I suggest you check the permissions on the certificate template to ensure the user who needs to request this certificate has at least Read and Enroll permission.

    Reference: Deploying Certificate Templates: http://technet.microsoft.com/en-us/library/cc770794(v=WS.10).aspx

    Regards,

    Denny



    Saturday, December 22, 2012 4:10 AM
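Denny's four steps plus the permission check can be scripted and verified rather than clicked through, which also shows why the duplicate appeared under Enterprise PKI but not under the CA: a template exists in Active Directory as soon as it is duplicated, but the CA only offers it once it has been published to that CA. The script below is an added example, not Denny's or the thread's own commands; the template name VPNUser and the group EXAMPLE\VPN Users are assumed placeholders. Note that the template name is the short name from the template's General tab, not its display name.

```powershell
# Added example (not from the thread): publish a duplicated template on the Enterprise
# CA, restart the CA service, confirm the CA now issues it, and confirm the intended
# group has Read + Enroll on the template object in AD.
# Run as a CA administrator on the CA (Windows Server 2008 R2).

$templateName = 'VPNUser'            # (assumed) short name of the duplicated "User" template
$enrollGroup  = 'EXAMPLE\VPN Users'  # (assumed) group that must be able to enroll

# Denny's steps 1-4 as commands: publish the template on this CA, then restart CertSvc.
certutil -SetCATemplates "+$templateName"
Restart-Service CertSvc

# The CA's own list of issuable templates is what the "Certificate Templates" folder
# under the CA in the console shows; the duplicate must appear here, not just under Enterprise PKI.
$published = certutil -CATemplates | Select-String -SimpleMatch "$templateName`:"
if ($published) { Write-Output "CA issues template $templateName" }
else            { Write-Output "Template $templateName is NOT published on this CA" }

# Templates are objects in the Configuration partition; "Enroll" is the extended right
# with GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55. A user with Read but no Enroll sees the
# template as "unavailable" in the request wizard.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$configNc    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmpl = [ADSI]"LDAP://CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$acl  = $tmpl.ObjectSecurity.Access

$groupAllow = $acl | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $enrollGroup
}
$canEnroll = $groupAllow | Where-Object {
    $_.ObjectType -eq $enrollRight -or $_.ActiveDirectoryRights -match 'GenericAll'
}
$canRead = $groupAllow | Where-Object {
    $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty|GenericAll'
}

if ($canEnroll -and $canRead) {
    Write-Output "$enrollGroup has Read and Enroll on $templateName"
} else {
    Write-Output "$enrollGroup lacks Read and/or Enroll on $templateName; fix it on the template's Security tab"
}
```

Grant Read and Enroll to a dedicated group rather than to Domain Users: the template decides who can obtain a VPN-capable certificate, so its ACL is effectively the VPN access list for EAP-TLS.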
  • Hi,

    I think you can check the issue mentioned by Denny to see whether you have issued the certificate template for your CA.

    Best Regards

    Scott Xie



    Friday, December 28, 2012 9:08 AM
  • Hi Scott. The solution proposed by Denny works fine, many thanks for that. Last question, I think ... when I create a request for a client certificate and use the default User template, everything works fine, but when I duplicate this User template and uncheck the option so that the private key is not exportable, I get an error during connection saying that I can't use this certificate, as it is not one that might be used with the Extensible Authentication Protocol.

    For example, I don't change any other option; I checked the permissions and the other tabs, and everything looks fine. Where is the problem? This is the last step to finish.

    Thursday, January 10, 2013 11:13 AM