VPN - Error 853: non valid client certificate

  • Question

  • Hi,

    I have an interesting problem with TMG VPN. I have two firewalls (ISA 2006 and TMG, with different IP addresses) which are connected to the same NPS & RADIUS server on the same domain and subnet. If I establish a VPN connection from my computer to the ISA server everything works fine, but if I try to establish a connection from the same client to the TMG server I receive error 853. Same VPN type, same client certificate, same firewall settings. If I change Authentication from "Microsoft: Smart Card or other certificate" to "MS-CHAP v2" everything works fine.

    For better understanding, here is a picture:

    Thanks a lot.

    Friday, January 20, 2012 7:54 AM

Answers

  • Hi Petrrtep,

    Thanks for posting here.

    For TMG issues, it is recommended that you get further support in the Forefront TMG/ISA Forum. This will provide access to others who read the public forum regularly and will share their knowledge.

    Forefront TMG and ISA Server

    http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/threads

    Thanks

    Tiger Li

    TechNet Community Support

    Tuesday, January 24, 2012 3:55 AM
  • Hi,

    Only for your information: after reinstalling the OS everything works without any problem with the same configuration. I don't like certificates : )

    • Marked as answer by Petrrtep Friday, January 27, 2012 12:46 PM
    Friday, January 27, 2012 12:46 PM

All replies

  • Hi,

    Error 853 means that the certificate used by the client isn't valid. The client can connect to your ISA server, so the error is on your TMG. There can be several reasons: Are the certificates of your CAs (Root CA, Sub CAs) installed as trusted CAs? Can your TMG access the revocation lists? If you open the client's certificate on TMG, is it shown as valid?

    kind regards,

    M. Hivner

    Saturday, January 21, 2012 3:28 PM
  • Hi M. Hivner,

    thank you for your reply.

    Yes, all certificates on TMG are all right. Even before I reinstalled the TMG role on the TMG server I had no problem with this.

    Monday, January 23, 2012 12:25 PM
  • I tried L2TP with a computer certificate and MS-CHAP v2 authentication and everything works fine. I don't understand why I have a problem with user certificate authentication.
    Monday, January 23, 2012 2:19 PM
  • Hi,

    If you open the user/smartcard certificate on your TMG, is it shown as valid? How is the connection request policy configured, authentication directly on the server or forwarding to a remote RADIUS server?

    Regards

    M. Hivner

    Monday, January 23, 2012 2:53 PM
  • I don't use a Smart Card, I use a Personal Certificate.

    The Connection Request Policy is configured to authenticate requests on this server, and as I said in the first post, if I establish the VPN connection via the ISA server (same NPS & RADIUS server) everything is OK, so the problem must be in the TMG server only.

    I requested a new certificate for the TMG server but without any success, still the same error.

    I supposed that I need a special certificate (computer certificate issued to the DNS name) on TMG only if I want the L2TP VPN type without a preshared key. So if I want the PPTP VPN type with certificate authentication I have to have a valid Root CA in Trusted Root CAs on the NPS server and I don't need any special certificate on TMG, is that correct? Because if it is true, the only problem is in the TMG Firewall Policy.

    • Edited by Petrrtep Monday, January 23, 2012 4:20 PM
    Monday, January 23, 2012 3:06 PM
  • Yes, the problem must be in the TMG server. The error message you get says there is still a problem with the user/client certificate. You can connect through the ISA server, so the user certificate is OK, but it's not accepted by the TMG; therefore I asked you what happens if you open the user certificate on TMG. Is it shown as valid? On TMG, how is your remote access policy configured? Can you post a screenshot of these settings, please?
    Monday, January 23, 2012 4:13 PM
  • therefore I asked you, what happens if you opens the user certificate on TMG. Is it shown as valid?

    Do you mean the Personal container in Current User Certificates?

    Yes, no problem here; here it is:

    Tuesday, January 24, 2012 11:33 AM
  • Hi Tiger Li,

    thank you for the notice. I will try to post it to the TMG/ISA forum.

    Petr

    Tuesday, January 24, 2012 11:35 AM
  • Do you mean Personal container in Current User Certificates?

    Yes, that is it. It's important that you log in on your TMG with the same user you are dialing in with.

    Is your TMG joined to your domain?

    Tuesday, January 24, 2012 1:24 PM
  • Are you sure? Because on the ISA server I don't need any user certificate.

    Yes, both (ISA and TMG) servers are in the same domain with the CA.

    Wednesday, January 25, 2012 11:23 AM
  • Yes, it's right that you don't need a user certificate on TMG, but you use the certificate from the user to authenticate against TMG. The certificate MMC only shows the certificates of the current user, so you have to log on with the user you are dialing in with; alternatively you can export the user's certificate and open the certificate file on TMG.

    The purpose of this procedure is so you can check whether the user certificate is valid or not. If not, you get the reason why it's not valid.

    I searched a bit in TechNet for using EAP with TMG and I found this article: http://technet.microsoft.com/en-us/library/dd903058.aspx. There are advanced options for configuring EAP, so there you should choose your CA as the trusted root CA.

    I hope this will help a bit; I'm not so experienced in using VPNs with TMG, I have only used RRAS and NPS until now. Please let me know your results.

    Kind regards

    Wednesday, January 25, 2012 1:23 PM
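The checks M. Hivner keeps coming back to (is the CA chain trusted on the authenticating server, can that server reach the CRL, does the user certificate open as valid there) can be done in one go from an elevated PowerShell prompt. The script below is an added example, not from the thread or from Microsoft; it assumes the user's certificate has been exported (public part only) to C:\temp\vpnclient.cer, a hypothetical path, and is run on the server that actually evaluates the certificate (the NPS/RADIUS server, or TMG when it authenticates locally).

```powershell
# Added diagnostic, not part of the thread: validate an exported VPN client certificate
# the way the EAP server does (chain trust, online CRL check, Client Authentication EKU).
param(
    # Hypothetical path to the user's exported certificate.
    [string]$CertPath = 'C:\temp\vpnclient.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Check revocation online for every element; an unreachable CRL makes the certificate
# "not valid" on the server even when it looks fine on the client.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
# "Smart Card or other certificate" (EAP-TLS) requires the Client Authentication purpose.
$clientAuth = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
$chain.ChainPolicy.ApplicationPolicy.Add($clientAuth)

$ok = $chain.Build($cert)

"Subject  : $($cert.Subject)"
"Validity : $($cert.NotBefore) -> $($cert.NotAfter)"
"Chain OK : $ok"

# Every link of the chain as this server sees it, with the verifier's complaint per link.
foreach ($el in $chain.ChainElements) {
    '  {0}  {1}' -f $el.Certificate.Thumbprint, $el.Certificate.Subject
    foreach ($s in $el.ChainElementStatus) {
        '      {0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
    }
}
# Overall result codes to look for: UntrustedRoot, PartialChain, RevocationStatusUnknown,
# OfflineRevocation, NotValidForUsage (missing Client Authentication EKU), NotTimeValid.
foreach ($s in $chain.ChainStatus) {
    '  STATUS {0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
}

# The top of the built chain must also be in this machine's Trusted Root store;
# if the chain stopped at an intermediate, that intermediate is reported instead.
if ($chain.ChainElements.Count -gt 0) {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint }
    "Top of chain '$($top.Subject)' present in LocalMachine\Root: $([bool]$inRoot)"
}
```

Run it on both the ISA-side and TMG-side authenticating servers and compare the STATUS lines; a difference there (typically a missing root or an unreachable CRL) is what error 853 is reporting.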
  • Yes it´s right you don´t need a user certificate on tmg, but you use the certificate from the user to authenticate against tmg. The certificate mmc only shows the certificates of the current user, so you have to logon with the user your dialing in, alternative you can export the users certificate and open the certifcate-file on tmg.

    The purpose of this procedur is, so you can check that the user certificate is valid or not. If not, so you get the reason why its not valid.

    I tried it but without any success.

    I'm starting to suspect that the problem is in the host OS, because I have everything the same on both servers but TMG doesn't work. I didn't have any of these problems in another installation of TMG before.

    Anyway, thank you.

    Wednesday, January 25, 2012 2:38 PM
  • I tried it but without any success.
    ... so what's going wrong? Is the certificate shown as invalid? Have you checked the settings in RRAS?
    Thursday, January 26, 2012 9:03 AM
  • I don't know where the problem can be. I tried:

    - installed a new client computer (in the domain) and enrolled a new client certificate from the domain CA - still the same problem

    - removed all certificates on TMG and imported/enrolled new ones - still the same problem

    - imported the settings from the ISA server - still the same problem

    - configured a new NPS & RADIUS server on TMG - still the same problem

    - reconfigured RRAS, disabled the RADIUS server and authenticated via TMG - still the same problem

    - disabled all firewall policy on TMG - still the same problem

    Now I will try to reinstall the TMG OS and will see.

    Thursday, January 26, 2012 10:17 AM