When Always On VPN clients are configured to use the Secure Socket Tunneling Protocol (SSTP) with Windows Server Routing and Remote Access Service (RRAS), administrators may encounter a scenario in which a client can establish a VPN connection using SSTP successfully, but is then disconnected immediately. The system event log contains an entry with Event ID 6 from the RasSstp source that includes the following error message.
“The SSTP-based VPN connection to the remote access server was terminated because of a security check failure. Security settings on the remote access server do not match settings on this computer. Contact the system administrator of the remote access server and relay the following information.”
Common Causes
The two most common causes of this issue are when SSTP is configured for SSL offload, and when a VPN client is on a network where SSL inspection is taking place.
SSTP Offload
The most common cause of this issue is when SSL offload is configured for SSTP on an external load balancer or application delivery controller (ADC). To prevent interception by a man-in-the-middle attack, the VPN client sends the hash of the SSL certificate that was used when the VPN connection was established. If this information does not match what is configured on the RRAS server, the connection is assumed to be compromised and is immediately dropped.
SSL Inspection
Another scenario where this issue may occur is when a VPN client is behind a network device configured to perform SSL deep-packet inspection (DPI). SSTP VPN clients will be unable to connect to the VPN server in this scenario.
Resolution
When offloading SSL to another device, the RRAS server must be configured to know which SSL certificate is being presented to remote clients. This information is stored in the following registry key.
HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters\SHA256CertificateHash
However, this registry entry requires a binary value, which makes it a challenge to configure manually. To resolve this problem, it is recommended that the same SSL certificate installed on the load balancer/ADC also be installed on the VPN server (even though SSL will be offloaded). To do this, first import the SSL certificate and private key into the Local Computer certificate store, then open the RRAS management console and perform the following steps.
- Right-click the VPN server and choose Properties.
- Select the Security tab.
- Uncheck Use HTTP in the SSL Certificate Binding section.
- Select the appropriate SSL certificate from the Certificate drop-down list (click View to verify).
- Click Apply.
This will add the correct SSL certificate information to the registry. Next, re-enable HTTP for SSL offload by performing the following steps.
- Check Use HTTP in the SSL Certificate Binding section.
- Click Apply.
PowerShell Configuration
If the SSL certificate cannot be installed on the VPN server, or to automate this configuration across multiple servers remotely, download the Enable-SstpOffload PowerShell script from my GitHub repository and run the following command.
Enable-SSTPOffload -CertificateHash [SHA256 Certificate Hash of Public SSL Certificate] -Restart
For example…
Enable-SSTPOffload -CertificateHash "C3AB8FF13720E8AD9047DD39466B3C8974E592C2FA383D4A3960714CAEF0C4F2" -Restart
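To show what the registry value actually has to contain, here is an added example (not the Enable-SstpOffload script from the repository above) that computes the SHA-256 hash of the public certificate presented by the load balancer/ADC, writes it as the REG_BINARY value SHA256CertificateHash, and reads it back to verify. It assumes the public certificate was exported to C:\Temp\vpn-public.cer and that restarting the RemoteAccess service is enough for RRAS to pick up the new value; it sets only the hash, not the other parameters the full script handles.

```powershell
# Added example, not the author's Enable-SstpOffload script. Run as Administrator on the RRAS server.
# Assumption: the ADC's public SSL certificate (no private key needed) was exported to $CertificatePath.
param(
    [string]$CertificatePath = 'C:\Temp\vpn-public.cer',
    [switch]$Restart
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'

# Load the public certificate (PEM or DER) and hash its DER-encoded bytes with SHA-256.
# This is the same hash the SSTP client sends for the server certificate it saw during the handshake,
# so it must be computed from the certificate the ADC presents, not one that only exists on the RRAS server.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
[byte[]]$hashBytes = $sha256.ComputeHash($cert.RawData)
$hashHex = ($hashBytes | ForEach-Object { $_.ToString('X2') }) -join ''
Write-Host "Certificate : $($cert.Subject)"
Write-Host "SHA256 hash : $hashHex"

# The value must be REG_BINARY (the 32 raw bytes), not the hex string,
# which is why setting it by hand in regedit is error-prone.
Set-ItemProperty -Path $regPath -Name 'SHA256CertificateHash' -Value $hashBytes -Type Binary

# Read the value back and confirm it matches byte-for-byte before touching the service.
[byte[]]$stored = (Get-ItemProperty -Path $regPath -Name 'SHA256CertificateHash').SHA256CertificateHash
$storedHex = ($stored | ForEach-Object { $_.ToString('X2') }) -join ''
if ($storedHex -ne $hashHex) {
    throw "Stored hash ($storedHex) does not match computed hash ($hashHex)."
}
Write-Host 'SHA256CertificateHash written and verified.'

# Assumption: the value is read at service start, so restart RemoteAccess only when asked to.
if ($Restart) {
    Restart-Service -Name RemoteAccess -Force
}
```

Comparing the printed hash with the one shown in the client's Event ID 6 message is a quick way to confirm which certificate the client actually saw.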
Additional Information
Windows 10 Always On VPN Load Balancing and SSL Offload
Windows 10 Always On VPN SSTP Load Balancing with F5 BIG-IP
Windows 10 Always On VPN SSL Certificate Requirements for SSTP
Windows 10 Always On VPN Protocol Recommendations for Windows Server RRAS
Adam
/ May 29, 2019
Interesting one. We've had this issue since enabling SSL offloading on our LB. Every time the servers reboot it seems to drop several bits of information in
SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters\
Not just the sha256 bits
Out of interest would you ever suggest using the “NoCertRevocationCheck” key to bypass this requirement?
Richard M. Hicks
/ May 30, 2019
There are some additional bits of information that are required, yes. However, the pertinent piece of information is the certificate hash. If that doesn't match you'll experience the behavior described in this article. Best way to ensure that doesn't happen is to remove the SSL certificate on the VPN server and use my configuration script here: https://github.com/richardhicks/sstpoffload/blob/master/Enable-SstpOffload.ps1.
Flo TPG
/ April 22, 2020
This was driving me crazy today. End of story: the client machine had this crap-ware ZScaler installed. Uninstalled, SSTP VPN works again.
Richard M. Hicks
/ April 22, 2020
Not a fan of Zscaler, huh? 😉
Flo TPG
/ April 23, 2020
How can you tell? 😉
Anyway, thanks a lot for this article; it brought me on the right track that something must be intercepting the traffic.
Always a bad idea to do so; what could possibly go wrong, Zscaler?