Error Description: 13801: IKE authentication credentials are unacceptable.

  • Question

  • Hi There

    I need a solution for this Error Description: 13801: IKE authentication credentials are unacceptable.

    Thanks

    Farhan

    Thursday, August 20, 2015 2:21 PM

Answers

  • Hi Farhan,

    The article provided by Basty_ss lists the possibilities that may cause this issue:

    >The machine certificate used for IKEv2 validation on RAS Server does not have “server Authentication” as the EKU:

    We may check it by the following steps: On VPN server, run mmc, add snap-in “certificates”, expand certificates-personal-certificates, double click the certificate installed, click detail for “enhanced key usage”, verify if there is “server authentication” below.

    >The machine certificate on RAS server has expired.

    If the issue is caused by this reason, you may connect CA administrator, enroll a new certificate that doesn’t expire.

    >The root certificate to validate the RAS server certificate is not present on client.

    If the client and server are domain members, the root certificate will be installed automatically in “trusted root certification authorities”. We may check if the certificate exists.

    > VPN Server Name as given on client doesn’t match with the subjectName of the server certificate.

    On client, open VPN connection properties, click General, in “host name or IP address of destination” we need to enter the “subject name” of the certificate used by VPN server instead of the IP address of VPN server. The subject name of server’s certificate is usually configured as the FQDN of VPN server.

    In my opinion, the fourth possibility is most likely to be the cause.

    Best regards,

    Anne he


    Monday, August 24, 2015 2:00 AM
    Moderator

All replies

  • Hi Farhan,

    This is a good TechNet blog with possible causes and fixes:

    http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx

    Thursday, August 20, 2015 4:04 PM
  • Hi Anne,

    I try to configure IKEv2 on 2012 R2, which is behind the NAT. What I did:
    server has internal IP 10.10.10.10
    NAT has external IP X.X.X.X
    there are port forwarding rules: 1701, 500 and 4500 to 10.10.10.10
    RADIUS server with policy, that describes which Windows Group has access and authentication protocols

    L2TP IPSec is working. Now I would like to configure IKEv2:
    - on VPN server I requested a certificate with template IPSec (+Server and Client Authentication) and name vpn1.domain.com. This name resolves to our Router (NAT).
    - on VPN server imported CA root certificate
    - on Client Windows 10 imported CA root certificate

    So, I have a valid certificate with Server Authentication EKU and name vpn1.domain.com, which resolved to router\NAT IP

    But I still receive this error 13801. Could you please help me?

    Thank you!

    Saturday, December 26, 2015 4:32 PM
  • So, I created test infrastructure.
    DC-1, VPN-1 (with NPS) and non domain Client Windows 8.
    VPN-1:


    Windows 8:

    And you know, it worked a few hours ago. I just configured it - works. I switched Windows 8 behind NAT - it works as well. Then I went to configure on Enterprise server - came back - doesn't work. WHY ???

    • Edited by Anahaym Sunday, December 27, 2015 5:30 PM
    Sunday, December 27, 2015 5:25 PM
  • So, IKEv2 doesn't work on 2012 R2. I configured the same configuration on 2008 R2 - all fine.
    Tuesday, December 29, 2015 11:23 AM
  • Maybe you should add the IP security IKE intermediate EKU (Certificate Properties - Extensions - Applications Policies).

    "For a certificate to be used to authenticate an IKEv2 connection, then the certificate must specify an EKU field that includes Server Authentication. If there is more than one server authentication certificate, then additionally include the IP security IKE intermediate EKU. Only one certificate should have both EKU options, otherwise IPsec cannot determine which certificate to use, and might not pick the certificate you intended."

    https://technet.microsoft.com/en-us/library/dd941612%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


    Dan Visan MCP, MCTS, MCSA

    Sunday, March 20, 2016 5:13 PM
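
The four checks from the accepted answer and the IKE intermediate EKU rule quoted in the post above can be run in one pass on the VPN server. This is an added example, not code from the thread or from Microsoft; the function name `Test-IkeServerCertificate` and its parameters are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the VPN (RRAS) server.
$ServerAuthOid      = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate EKU

function Test-IkeServerCertificate {         # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ServerName,   # name entered on the client
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    $results = foreach ($cert in Get-ChildItem -Path $StorePath) {
        # EKU OIDs read from the certificate's own extension
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        # Chain is built against this machine's trust stores, not the client's
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)
        $count   = $chain.ChainElements.Count
        $root    = if ($count -gt 0) { $chain.ChainElements[$count - 1].Certificate }
        # Exact, case-insensitive match; wildcard names are not expanded here
        $names   = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            ServerAuthEku   = $ekus -contains $ServerAuthOid
            IkeIntermediate = $ekus -contains $IkeIntermediateOid
            NotAfter        = $cert.NotAfter
            WithinValidity  = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
            NameMatches     = $names -contains $ServerName
            ChainTrusted    = $trusted
            ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            TopOfChain      = if ($root) { $root.Thumbprint }   # compare with the client's Trusted Root store
        }
    }
    # More than one Server Authentication certificate: exactly one should also carry IKE intermediate
    $serverAuth = @($results | Where-Object { $_.ServerAuthEku })
    $both       = @($serverAuth | Where-Object { $_.IkeIntermediate })
    if ($serverAuth.Count -gt 1 -and $both.Count -ne 1) {
        Write-Warning ("{0} Server Authentication certificates, {1} with IKE intermediate; selection is ambiguous." -f $serverAuth.Count, $both.Count)
    }
    $results
}

# vpn1.domain.com is the name used in the thread
Test-IkeServerCertificate -ServerName 'vpn1.domain.com' | Format-List
```

To cover the third cause, confirm on the client that the `TopOfChain` thumbprint is present under `Cert:\LocalMachine\Root`.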
  • >Maybe you should add the IP security IKE intermediate EKU (Certificate Properties - Extensions - Applications Policies).

    Please, attentively take a look at my pictures above. It is already there.
    Sunday, March 20, 2016 5:53 PM
  • Hi, I have a Windows Server 2016 DC and a Windows 10 client

    I set up an IKEv2 VPN on the server with "Routing and Remote Access"

    I use my company certificate "Comodo premium SSL" and I installed any intermediate\root certificate (https://helpdesk.ssls.com/hc/en-us/articles/203184942-Where-do-I-get-a-Bundle-file) on the server and on the client.

    In the GPO I enabled the autoenrollment of the certificates (http://go.microsoft.com/fwlink/?LinkID=133948)

    The VPN worked for a few days, but now the client shows the 13801 error

    I tried to reinstall the certificate on the server and reinstalled all of Routing and Remote Access, but the VPN didn't work...

    Any suggestions? Is there any diagnostic tool that indicates why the 13801 error is given?

    Thanks

    Monday, February 27, 2017 1:29 PM