Always ON VPN with NPS doesn't work - "The connection was prevented because of a policy configured on your ras/vpn server"

    Question

  • I'm piloting an Always On VPN solution on Windows 10. Previously I had only VPN Server 2016 running without NPS and everything was working (I used MS-CHAP v2 + IKEv2). This solution was not secure enough and certificates didn't matter, only the user account.

    Okay, now I got NPS installed on my other DC and the client/server refuses to connect with the error: The connection was prevented because of a policy configured on your ras/vpn server

    Troubleshooting I already did:

    - Firewall is off everywhere
    - Double checked the security configurations from Whitepaper on W10 Client, VPN server and on NPS server to match Microsoft Protected EAP (PEAP)
    - Certificates are not expired
    - Re-created VPN profile manually on W10, (tried with sign-in info=Certificate or User & Password).

    Whitepaper was located somewhere here before: 

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment

    I'm good with RRAS but NPS is new for me.


    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.


    • Edited by yannara Monday, June 11, 2018 4:06 PM
    Monday, June 11, 2018 4:04 PM

Answers

  • Hi,

    Thanks for your question.

    This error 812 (the connection was prevented because of a policy configured on your ras/vpn server) may be caused by the VPN server authentication protocol setting mismatching that of the VPN client when the authentication protocol is set via NPS. We may refer to the following link for more information.

    https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/

    Did you use user/password or certificate for VPN authentication with PEAP?

    We'll make sure that certificate authentication is added to PEAP when configuring the network policy on NPS, as in the following figure.


    Meanwhile, we need to ensure that we use PEAP authentication and configure it correctly on VPN client like below.


    If the issue persists, please also check the event viewer for more error messages so that we could find more clues.

    Hope this helps. I look forward to hearing your good news. If you have any questions or concerns, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by yannara Friday, June 15, 2018 8:05 AM
    Tuesday, June 12, 2018 6:37 AM
  • I found the reason. For PEAP, I had to add the NPS and PKI server names in the VPN profile and select using a Cert instead of a Smart Card. I didn't read the MS whitepaper clearly enough / until the end.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    • Marked as answer by yannara Friday, June 15, 2018 8:05 AM
    Friday, June 15, 2018 8:05 AM

All replies

  • The temporary solution was to add an additional authentication protocol in NPS next to PEAP; I directly added the "smart card or certificate" option next to PEAP in the NPS network policy. After that, the communication started to establish.

    I now want to learn what is the absolute best security protocol to use here. I already excluded MS-CHAP v2 and the protocols beneath it. But, when using smart card or certificate directly in NPS, it seems that the VPN connection does not care whether the user certificate is revoked or not. I started to test the security part here first thing, and the connection will establish even without a cert. If I shut down NPS, the connection will not establish.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.


    • Edited by yannara Tuesday, June 12, 2018 11:02 AM
    Tuesday, June 12, 2018 11:02 AM
  • You might also check the VPN Server certificate being used, and ensure that it matches the address that the VPN client machine is connecting to. For example, if your VPN server certificate is issued with the Name set to CN = 'vpn.contoso.com' and the SAN of DNS = 'vpn.contoso.com', your client has to be trying to connect to vpn.contoso.com. If you set the client VPN connection to point to the IP of that server instead of the DNS name, it will fail to connect.

    Also, when configuring the PEAP settings as Michael described, in the box labeled 'Connect to these servers', you should fill in the FQDN of the NPS server, NOT the RRAS server.

    Thursday, June 14, 2018 8:21 PM
  • Yannara, can you explain more please. I too have error 812. None of the forums I've read mention adding the PKI server. Do you mean the client profile or the VPN server? And where do you specify using a cert instead of a smartcard. Thanks

    Ian Burnell, London (UK)

    Monday, July 30, 2018 6:31 PM
  • Yannara, can you explain more please. I too have error 812. None of the forums I've read mention adding the PKI server. Do you mean the client profile or the VPN server? And where do you specify using a cert instead of a smartcard. Thanks

    Ian Burnell, London (UK)


    Sure. In this thread, there are screenshots above posted by Michael (MSFT). You need to specify the first profile manually and also include these settings. After you have checked that your manual/reference profile works, just capture it with PS1. The idea is that when you use the most secure connection, you need to specify the CA and NPS server names in the profile (screenshots).

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Monday, July 30, 2018 6:46 PM
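As an added example (not the thread's own code, and not Microsoft's), here is a PowerShell check that reads a client's EAP configuration and flags the settings this thread turned out to hinge on: the inner method must be EAP-TLS with a user certificate rather than Smart Card, both server-validation blocks must list the NPS FQDN and a pinned root CA, and the VPN server must be dialled by the name in its certificate. The NPS and VPN names and the sample XML are constructed; on a real client the XML comes from Get-VpnConnection.

```powershell
# Added example (not from the thread or Microsoft's guide). Checks a client PEAP
# config for the thread's fix: inner EAP-TLS with a user cert, NPS FQDN in
# "Connect to these servers", a pinned root CA, VPN server dialled by name.
# Live profile: [xml]$eapXml = (Get-VpnConnection -Name 'Contoso AlwaysOn').EapConfigXmlStream
$NpsFqdn       = 'nps01.corp.contoso.com'   # assumed NPS server name
$ServerAddress = 'vpn.contoso.com'          # assumed ServerAddress from the profile
# Constructed, abbreviated sample shaped like EapConfigXmlStream; it deliberately
# carries the thread's misconfiguration on the inner method (Smart Card, no NPS name).
[xml]$eapXml = @'
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
    <Type>25</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <ServerValidation>
        <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
        <ServerNames>nps01.corp.contoso.com</ServerNames>
        <TrustedRootCA>PLACEHOLDER-ROOT-CA-THUMBPRINT</TrustedRootCA>
      </ServerValidation>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>13</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
          <CredentialsSource><SmartCard/></CredentialsSource>
          <ServerValidation><ServerNames></ServerNames></ServerValidation>
        </EapType>
      </Eap>
    </EapType>
  </Eap></Config>
</EapHostConfig>
'@
$peap = $eapXml.EapHostConfig.Config.Eap   # outer method (PEAP)
$tls  = $peap.EapType.Eap                  # inner method (should be EAP-TLS)
$findings = @()
if ($peap.Type -ne '25') { $findings += "outer method is EAP type $($peap.Type), expected 25 (PEAP)" }
if ($tls.Type  -ne '13') { $findings += "inner method is EAP type $($tls.Type), expected 13 (EAP-TLS)" }
if ($tls.EapType.CredentialsSource.ChildNodes.LocalName -contains 'SmartCard') {
    $findings += "inner EAP-TLS uses Smart Card; the thread's fix selects a user certificate"
}
# PEAP and the inner EAP-TLS each carry their own server validation block.
foreach ($sv in @($peap.EapType.ServerValidation, $tls.EapType.ServerValidation)) {
    if (("$($sv.ServerNames)" -split ';') -notcontains $NpsFqdn) {
        $findings += "ServerNames '$($sv.ServerNames)' does not list the NPS FQDN $NpsFqdn"
    }
    if (-not "$($sv.TrustedRootCA)") { $findings += 'no TrustedRootCA pinned under ServerValidation' }
}
# The IKEv2 server certificate is matched against the name dialled, so an IP literal fails.
if ([System.Net.IPAddress]::TryParse($ServerAddress, [ref]$null)) {
    $findings += "ServerAddress $ServerAddress is an IP literal; dial the name in the server cert"
}
if ($findings) { $findings | ForEach-Object { "FAIL: $_" } } else { 'OK: PEAP + EAP-TLS with NPS server validation' }
```

With the constructed sample the check reports three failures on the inner EAP-TLS layer (Smart Card selected, empty ServerNames, no pinned root CA), which is the state the thread describes before the profile was corrected.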
  • In my instance this turned out to be duff certificates. I had to reissue the CRL file and redo the template certificates.

    I wasn't able to determine the certificates to be at fault until I downloaded an IAS log viewer from a 3rd party site. Seems very poor that M$ don't provide a useful tool for NPS log files.


    Ian Burnell, London (UK)

    Wednesday, August 1, 2018 10:20 AM
  • In my instance this turned out to be duff certificates. I had to reissue the CRL file and redo the template certificates.

    I wasn't able to determine the certificates to be at fault until I downloaded an IAS log viewer from a 3rd party site. Seems very poor that M$ don't provide a useful tool for NPS log files.


    Ian Burnell, London (UK)


    Did you enable NPS logging and monitoring?

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Wednesday, August 1, 2018 11:00 AM