VPN Client fails: The certificate's CN name does not match the passed value

    Question

  • This VPN was working nicely and then something broke RWA .... I didn't have any success fixing that, but now the VPN isn't working and that's much more important .... I'm sure it's a Certificate issue, but haven't been able to pin it down .... We've got Bindings in IIS, SSL in the RD Gateway, the Certificate you choose when you set up Anywhere Access ....  can anyone point me in the right direction to fix this mess?  Thx in advance -- DMiller
    Friday, January 5, 2018 9:45 PM

All replies

  • Hi,

    Please install Remote Access GUI and Command-Line Tools using the following PowerShell command:
    Add-WindowsFeature -Name RSAT-RemoteAccess-MGMT

    Please check certificate:
    1. Open IIS Manager – Default Web Site – Bindings.
    2. Choose the binding for the port 443 and click Edit.
    3. SSL certificate section, please click View.
    4. Select Details tab and check details information of Thumbprint and Subject Alternative Name.
    5. Open Routing and Remote Access Management, right click your server name, select Properties – Security.
    6. Certificate section, click View, check details information of Thumbprint and Subject Alternative Name, and make sure they are the same as the IIS certificate's.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, January 8, 2018 10:15 AM
    Moderator
  • Thanks for the reply .... I did that and the certificates match .... I restored the System drive back to when the VPN/RWA were working and although RWA seems to work VPN still fails:

    CoId={15355A63-442E-4AB3-8A3F-AA2E43DB3954}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again.

    The certificate's CN name does not match the passed value.

    I don't see much on the Server end except multiple ESSENT errors like this:

    svchost (10776) An attempt to open the file "C:\Windows\system32\LogFiles\Sum\Api.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).

    Thursday, January 11, 2018 12:51 AM
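The client error quoted above ("The certificate's CN name does not match the passed value") is the SSTP client rejecting the server certificate because neither its CN nor its Subject Alternative Name covers the host name the client dialled. The following diagnostic is an added example, not from the thread or from any of its participants: run from a client machine, it opens a TLS connection to the VPN listener, records the certificate the server actually presents, and reports whether its names cover the dialled host name. `remote.example.com` is a placeholder; the `DNS Name=` label it parses is the English-locale text that `X509Extension.Format` produces on Windows.

```powershell
# Added diagnostic (not from the thread): see which certificate the SSTP/HTTPS listener
# presents and whether it covers the host name a VPN client would dial.
param(
    [string]$VpnHost = 'remote.example.com',   # placeholder - use your VPN's public name
    [int]$Port = 443                           # SSTP runs over HTTPS on 443
)

function Test-HostNameMatch {
    # Does a certificate DNS name (optionally with one leading wildcard label) cover the host?
    param([string]$CertName, [string]$HostName)
    if ($CertName.StartsWith('*.')) {
        # *.example.com covers vpn.example.com but not a.b.example.com
        $hostLabels = $HostName.Split('.')
        if ($hostLabels.Count -lt 2) { return $false }
        $hostSuffix = $HostName.Substring($hostLabels[0].Length)   # ".example.com"
        return $hostSuffix -ieq $CertName.Substring(1)
    }
    return $CertName -ieq $HostName
}

function Get-CertificateDnsNames {
    # All DNS names in the SAN extension plus the subject CN (the CN is what the error names).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Assumption: English-locale formatting, e.g. "DNS Name=a.example.com, DNS Name=b.example.com"
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $names += $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    return $names | Where-Object { $_ } | Select-Object -Unique
}

function Get-PresentedCertificate {
    # Handshake with the listener and return the leaf certificate it sent.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    # Accept any certificate during this handshake so an untrusted or mismatched one can still
    # be inspected; the connection is closed immediately and never used to carry traffic.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:policyErrors = $errors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

$cert     = Get-PresentedCertificate -HostName $VpnHost -Port $Port
$names    = @(Get-CertificateDnsNames -Cert $cert)
$covering = @($names | Where-Object { Test-HostNameMatch -CertName $_ -HostName $VpnHost })

"Presented certificate : $($cert.Subject)"
"Thumbprint            : $($cert.Thumbprint)"
"Valid until           : $($cert.NotAfter)"
"Names on certificate  : $($names -join ', ')"
"Policy errors         : $script:policyErrors"
if ($covering.Count -gt 0) {
    "OK: $VpnHost is covered by $($covering -join ', ')"
} else {
    "MISMATCH: no name on this certificate covers $VpnHost - this is the condition behind 'CN name does not match'"
}
```

Run it with the exact name typed into the VPN connection (`.\Check-SstpCert.ps1 -VpnHost remote.example.com`). If the thumbprint printed here differs from the one the server believes is bound to SSTP, the listener is presenting a different certificate than expected; if the names are right but `Policy errors` reports a chain problem, the client is missing the issuing CA rather than hitting a name mismatch.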
  • Hi,

    This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible.

    I appreciate your patience.

    Best Regards,
    Eve Wang


    Thursday, January 11, 2018 9:12 AM
    Moderator
  • Can you run this command:

    netsh ras show sstp-ssl-cert
    It should show you what cert is bound to SSTP.


    Robert Pearman Cloud & Datacentre MVP
    @titlerequired | LinkedIn | Google+
    Facebook | Windows Server Essentials.com

    Thursday, January 11, 2018 11:05 AM
    Moderator
  • I think you may be pointing me in the right direction .... the command shows exactly what I would expect; I'm not sure what I should compare it to.  But it appears when I look at the folders with the certificates I have one file with a .CER extension and another with a .PFX.  When you import the Certs it looks for files with a certain extension and because the Friendly name for both certificates is probably the same nothing jumped out at me and I may have selected the .CER file once and the .PFX file another time based on what was displayed by the Browse button.

    So in the three places in which I've imported certificates (the Certificate MMC snap-in, the IIS Web Site Bindings and Routing Remote Access Management--as well as Anywhere Access setup) should I delete the certificates in there and re-import either the CER or PFX file?  Researching the difference between the two it sounds like the CER file would be best; I think changing to "All Files" when I browse during the import process will help me get the proper file into the proper place.  If I selected the CER file for one and the PFX for the other could this cause the problem?

    Thank you very much; with a little more information I hope I can get this fixed!

    Thursday, January 11, 2018 12:44 PM
  • You always need to import the PFX on the server because this holds the private key - the cer file will not.

    You can check that by going to the local machine certificate store - find the certificates installed with that CN and see if it shows 'you have a private key for this certificate'.

    However, I don't know if it would allow you to select a certificate in IIS etc, if you did not have the key installed.

    The error you reported suggests the wrong certificate is bound to SSTP.


    Robert Pearman Cloud & Datacentre MVP

    Friday, January 12, 2018 9:06 AM
    Moderator
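Eve Wang's steps above (compare the thumbprint and SAN of the IIS 443 binding with the certificate in Routing and Remote Access) and Robert Pearman's two points (`netsh ras show sstp-ssl-cert` shows what is bound to SSTP; the server needs the .pfx because only it carries the private key) can be checked in one pass. The script below is an added example, not the thread's or any participant's code, to be run elevated on the RRAS/Essentials server. It assumes the IIS `WebAdministration` module is present and that `netsh` prints the bound SHA-1 thumbprint as one 40-hex-digit string, which is why it pulls hashes out with a regex instead of matching on label text.

```powershell
# Added check (not from the thread): which certificate is bound to SSTP, which to the IIS
# https binding, do they agree, and does each have a private key and a valid lifetime.
Import-Module WebAdministration   # provides Get-WebBinding

function Get-ThumbprintsFromNetsh {
    # Extract SHA-1 thumbprints from netsh output without depending on its exact wording.
    param([string[]]$NetshArgs)
    $text = (& netsh.exe @NetshArgs 2>&1) -join "`n"
    return [regex]::Matches($text, '\b[0-9A-Fa-f]{40}\b') |
        ForEach-Object { $_.Value.ToUpperInvariant() } | Select-Object -Unique
}

function Get-IisHttpsThumbprints {
    # Thumbprint on every https binding (the thread looks at Default Web Site, port 443).
    Get-WebBinding -Protocol https |
        Where-Object { $_.certificateHash } |
        ForEach-Object { ([string]$_.certificateHash).ToUpperInvariant() } |
        Select-Object -Unique
}

function Get-StoreCertificateReport {
    # Look a thumbprint up in the machine store and report the facts the thread cares about.
    param([string]$Thumbprint, [string]$Role)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        return [pscustomobject]@{ Role = $Role; Thumbprint = $Thumbprint; InStore = $false
                                  Subject = $null; HasPrivateKey = $false; NotAfter = $null; SAN = $null }
    }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    [pscustomobject]@{
        Role          = $Role
        Thumbprint    = $Thumbprint
        InStore       = $true
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey     # $false when only the .cer half was imported
        NotAfter      = $cert.NotAfter
        SAN           = $(if ($san) { $san.Format($false) } else { '(none)' })
    }
}

$sstp = @(Get-ThumbprintsFromNetsh -NetshArgs 'ras', 'show', 'sstp-ssl-cert')
$iis  = @(Get-IisHttpsThumbprints)

if ($sstp.Count -eq 0) {
    "SSTP: netsh printed no certificate hash (RRAS is on its 'Default' selection). Raw output:"
    netsh ras show sstp-ssl-cert
}

$report  = @()
$report += $sstp | ForEach-Object { Get-StoreCertificateReport -Thumbprint $_ -Role 'SSTP' }
$report += $iis  | ForEach-Object { Get-StoreCertificateReport -Thumbprint $_ -Role 'IIS https' }
$report | Format-Table Role, Thumbprint, InStore, HasPrivateKey, NotAfter, Subject -AutoSize
$report | ForEach-Object { "$($_.Role) SAN: $($_.SAN)" }

# The two services must present the same certificate; otherwise clients get a name or trust error.
$common = @($sstp | Where-Object { $iis -contains $_ })
if ($common.Count -gt 0) {
    "OK: SSTP and IIS are bound to the same certificate $($common -join ', ')"
} else {
    "WARNING: SSTP [$($sstp -join ', ')] and IIS [$($iis -join ', ')] are bound to different certificates"
}
$report | Where-Object { -not $_.InStore } |
    ForEach-Object { "WARNING: $($_.Role) thumbprint $($_.Thumbprint) is not in LocalMachine\My" }
$report | Where-Object { $_.InStore -and -not $_.HasPrivateKey } |
    ForEach-Object { "WARNING: $($_.Role) certificate $($_.Thumbprint) has no private key - import the .pfx, not the .cer" }
$report | Where-Object { $_.NotAfter -and $_.NotAfter -lt (Get-Date) } |
    ForEach-Object { "WARNING: $($_.Role) certificate $($_.Thumbprint) expired on $($_.NotAfter)" }
```

Read the SAN line for each role against the name clients dial; an IIS binding and an SSTP binding that share a thumbprint, sit in `LocalMachine\My` with `HasPrivateKey` true and are unexpired rule out the server-side causes discussed in this thread, leaving the client's dialled name and its trust of the issuing CA to check.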
  • Thank you so much ... I went to the Certificate Snap-in and looked at Personal Certificates, Trusted Root, and Remote Desktop .... they all looked the same to me but when I opened the Remote Desktop Certificate it did not say "You have a private key" but the other two did.  Should I delete that Certificate from Certificates\Remote Desktop and import the PFX?  Could that be the problem?
    Friday, January 12, 2018 12:42 PM
  • No - that won't affect your VPN. It is a special certificate - not relevant here.

    I need to boot up a VM to check some settings.



    Robert Pearman Cloud & Datacentre MVP

    Friday, January 12, 2018 1:04 PM
    Moderator
  • Can you go into the Routing and Remote Access MMC - right click server, go to properties then security.

    At the bottom, what certificate does it show?


    Robert Pearman Cloud & Datacentre MVP

    Friday, January 12, 2018 1:23 PM
    Moderator
  • It just says certificate Default, and Use HTTP unchecked ... however I had populated that field before with the Certificate.  The Server Event log had reported in the past "Certificate deleted" and "Certificate Added" but I don't see any warnings like that recently.  There is an event CertificateServicesClientAuthEnrollment "Certificate for local system" is about to expire or already expired .... that's the first I've seen this; I don't know what it's referring to.

    Friday, January 12, 2018 1:54 PM
  • Just as a curiosity the event log says "Logged 01/12/2018 10:02AM" but the time on the system is clearly 9:01AM.
    Friday, January 12, 2018 2:01 PM
  • If it helps the BPA Results for remote desktop services now says:

    Server: SERVER | Severity: Error | Title: The RD Gateway server must be configured to use a valid SSL certificate | Category: Configuration


    Friday, January 12, 2018 7:09 PM
  • What router do you have in use?

    Robert Pearman Cloud & Datacentre MVP

    Friday, January 12, 2018 9:15 PM
    Moderator
  • It's a D-Link Dir 1200, but it worked great for both RWA and VPN for two years.
    Friday, January 12, 2018 9:21 PM
  • More information--I'm getting desperate.  In IIS when I browse *443 for the Default Website I get a Certificate Error Mismatched Address .... I then Proceed anyway and connect to the Server.  View Certificate does not show the "You have a private key" Robert Pearman had me check into .....

    Perhaps somewhere along the line I imported a .CER instead of a .PFX file, but after many hours looking at this I can't figure out how to fix it?

    Saturday, January 13, 2018 2:15 PM
  • Have you run this on the server yet?

    https://gallery.technet.microsoft.com/Windows-Server-Essentials-556159c3?redir=0


    Robert Pearman Cloud & Datacentre MVP

    Monday, January 15, 2018 12:03 PM
    Moderator
  • Have not seen that before .... I will try after-hours and post relevant results.  Thank You.  
    Monday, January 15, 2018 1:48 PM