Error 629 VPN connection, with NAP and NPS enabled

  • Question

  • This is the scenario in which I'm running into this issue:

    I have SERVER1 for the domain "domain.com", which has the Certification Authority (CA) role as well as AD DS + DNS. I have another server, SERVER2, with NPS and RAS enabled. The scenario is to try NAP through VPN.

    SERVER2 has a certificate from the SERVER1 CA, stored in the Personal store on SERVER2; it is a "Computer" certificate.

    Both servers are Windows Server 2008 R2.

    SERVER2 has two network interfaces, one with a private and one with a public IP. The client is Windows 7 Professional, already set up with the credentials received from AD DS, because this client is part of the domain.

    I am using Extensible Authentication Protocol (EAP); to be more specific, on the Security tab of my VPN connection: Microsoft Protected EAP (PEAP), encryption enabled, and the "Enable fast reconnect" checkbox disabled.

    I have troubleshot as much as I can and searched the forum, but no luck yet. I'm getting this error:

    "The server "SERVER2.Domain.com" presented a valid certificate issued by "Domain-SERVER1-CA", but "Domain-SERVER1-CA" is not configured as a valid trust anchor for this profile."

    What might be causing this? It is not allowing the connection at all.

    The NAP only checks whether the firewall is enabled, by the way.

    Thank you in advance for any help you might have.

    And from SERVER2, in Event Viewer, I'm getting this error:

    "The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again.

    The certificate's CN name does not match the passed value."

    Additional Event from NPS on SERVER2:

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: DOMAIN\User
    Account Name: DOMAIN\User
    Account Domain: DOMAIN
    Fully Qualified Account Name: DOMAIN\User

    Client Machine:
    Security ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Account Name: CLIENT.Domain.com
    Fully Qualified Account Name: DOMAIN\CLIENT$
    OS-Version: 6.1.7601 1.0 x86 Workstation
    Called Station Identifier: W.X.Y.Z
    Calling Station Identifier: W.X.Y.R

    NAS:
    NAS IPv4 Address: O.P.Q.R
    NAS IPv6 Address: -
    NAS Identifier: SERVER2
    NAS Port-Type: Virtual
    NAS Port: 257

    RADIUS Client:
    Client Friendly Name: SERVER2
    Client IP Address: O.P.Q.R

    Authentication Details:
    Connection Request Policy Name: VPN connections
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: SERVER2.Domain.com
    Authentication Type: PEAP
    EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier: XXXXXXX
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    • Edited by ellanosr82 Thursday, December 20, 2012 6:56 PM Extra Event
    Thursday, December 20, 2012 6:39 PM

Answers

  • Hi,

    Have you followed the instructions in the VPN enforcement step-by-step guide? The error sounds like it is related to certificates. The only certificate you need is a computer certificate installed on the NPS server. However, the client must trust this cert by having the correct Root certificate in the Trusted Root Certificates container.

    -Greg

    • Marked as answer by Aiden_Cao Monday, December 31, 2012 2:42 AM
    Sunday, December 30, 2012 9:49 AM
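
The two things the thread turns on are whether the client trusts the CA that issued SERVER2's computer certificate, and whether the name the client dials matches the certificate (the second event above complains that "the certificate's CN name does not match the passed value"). The script below is an added diagnostic, not code from the original thread or from Microsoft; it runs on the Windows 7 client, opens a TLS handshake to the VPN server's SSTP listener, captures the certificate the server presents, builds its chain, and reports whether the chain root sits in the computer's Trusted Root Certification Authorities store and whether the certificate carries the dialed name. The server name `SERVER2.Domain.com` and port 443 are assumptions taken from the post; substitute your own.

```powershell
# Added diagnostic (not from the thread). Run on the VPN client in an elevated
# PowerShell prompt; PowerShell 2.0 on Windows 7 is enough, no extra modules needed.
param(
    [string]$VpnServer = 'SERVER2.Domain.com',   # assumed: the name typed in the VPN connection
    [int]$Port = 443                             # SSTP rides over HTTPS on TCP 443
)

# Accept whatever the server presents during the handshake. Trust is evaluated
# explicitly further down so the reason for a failure can be reported instead of
# the handshake simply aborting.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

$tcp = New-Object System.Net.Sockets.TcpClient($VpnServer, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($VpnServer)
    # Copy the leaf certificate out before the stream is torn down.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# Build the chain the way the client would. Revocation is skipped on purpose:
# this check is about the trust anchor, and CRL reachability is a separate problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# PEAP on a domain-joined client validates the server certificate against the
# computer's Trusted Root store (Cert:\LocalMachine\Root), not the user's store.
$rootInMachineStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint })

# SSTP compares the dialed name against the certificate's subject CN / DNS SANs.
$dnsNames = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -eq '2.5.29.17') {            # subjectAltName
        $dnsNames += ($ext.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { $_ -replace '^DNS Name=', '' }
    }
}
$nameMatches = [bool]($dnsNames | Where-Object { $_ -eq $VpnServer })

New-Object PSObject -Property @{
    Server                   = $VpnServer
    Subject                  = $cert.Subject
    Issuer                   = $cert.Issuer
    ChainBuilt               = $chainOk
    ChainStatus              = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    ChainRoot                = $root.Subject
    RootInMachineTrustedRoot = $rootInMachineStore
    CertificateNames         = $dnsNames -join ', '
    NameMatchesDialedServer  = $nameMatches
} | Format-List
```

Reading the output: if RootInMachineTrustedRoot is False, export the Domain-SERVER1-CA certificate from SERVER1 and import it into the client's computer store (for example `certutil -addstore Root Domain-SERVER1-CA.cer` from an elevated prompt, or via Group Policy). If the root is trusted but the "not configured as a valid trust anchor for this profile" message persists, the remaining place to look is the PEAP properties of the VPN connection itself: with "Validate server certificate" enabled, the issuing CA must also be ticked in that dialog's Trusted Root Certification Authorities list, which is a per-profile setting separate from the store. If NameMatchesDialedServer is False, dial the VPN by a name that appears in CertificateNames, or reissue SERVER2's computer certificate with the public name the clients use.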