Troubleshooting Always On VPN Error 853


Using Windows Server Network Policy Server (NPS) is a common choice for authenticating Microsoft Windows 10 Always On VPN user tunnel connections. The NPS server is joined to the domain and configured with a Network Policy that defines the authentication scheme clients use when establishing an Always On VPN connection. Protected Extensible Authentication Protocol (PEAP) with client authentication certificates is recommended for most Always On VPN deployment scenarios.

Can’t Connect

Users establishing an Always On VPN user tunnel connection using PEAP and client authentication certificates may encounter a scenario in which a VPN connection attempt fails with the following error message.

“The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid.”

Error 853

In addition, the Application event log records an event ID 20227 from the RasClient source that includes the following error message.

“The user <username> dialed a connection named <connection name> which has failed. The error code is 853.”

Missing NTAuth Certificate

Error code 853 is commonly caused by a missing issuing Certification Authority (CA) certificate in the NTAuth store on the NPS server. The NPS server must have the issuing CA certificate in this store to perform authentication using client certificates. You can view the contents of the NTAuth certificate store by opening an elevated command window on the NPS server and running the following command.

certutil.exe -enterprise -viewstore NTAuth

Install Certificate

To install the issuing CA server’s certificate into the NTAuth store, copy the CA certificate to the NPS server, open an elevated command window, then run the following command.

certutil.exe -enterprise -addstore NTAuth <issuing CA certificate>

Once complete, view the store again, and you’ll see the issuing CA certificate listed in the NTAuth certificate store.
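The check and fix above, as an added PowerShell example (not code from the original post): it reads the issuing CA certificate from a file, tests whether its thumbprint is present both in the NPS server's local NTAuth store and in the NTAuthCertificates object in Active Directory (which the local store is populated from), and runs the same certutil command the post gives only when the local store is missing it. The path in $CaCertPath is a placeholder, and the registry location used for the local NTAuth store is an assumption about where that store is kept.

```powershell
# Added example (not from the original post): check whether an issuing CA
# certificate is present in the NTAuth store, and add it if it is missing.
# Run in an elevated PowerShell session on the NPS server.
# $CaCertPath is an assumed placeholder path to the issuing CA's exported .cer.
param(
    [string]$CaCertPath = 'C:\Temp\IssuingCA.cer'   # placeholder, adjust
)

$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath
Write-Host "Issuing CA : $($caCert.Subject)"
Write-Host "Thumbprint : $($caCert.Thumbprint)"

# 1) The NPS server's local NTAuth store, the one that
#    'certutil -enterprise -viewstore NTAuth' displays. It is assumed here to
#    be kept under this registry key, with one subkey per SHA-1 thumbprint.
$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$inLocalStore = Test-Path (Join-Path $ntAuthKey $caCert.Thumbprint)

# 2) The NTAuthCertificates object in Active Directory, which domain members
#    replicate into their local store. Checking both shows whether the gap
#    is on this server only or forest-wide.
$configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$ntAuthAd  = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
$inDirectory = $false
foreach ($blob in $ntAuthAd.Properties['cACertificate']) {
    $adCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
    if ($adCert.Thumbprint -eq $caCert.Thumbprint) { $inDirectory = $true; break }
}

Write-Host "In local NTAuth store    : $inLocalStore"
Write-Host "In AD NTAuthCertificates : $inDirectory"

if (-not $inLocalStore) {
    Write-Warning 'Issuing CA certificate is missing from the local NTAuth store; adding it.'
    # The same command the post gives, with its exit code checked.
    & certutil.exe -enterprise -addstore NTAuth $CaCertPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }
    # Confirm the way the post does, by viewing the store again.
    & certutil.exe -enterprise -viewstore NTAuth
}
```

If the certificate is present in Active Directory but not locally, the local store is simply stale; if it is absent from both, adding it locally fixes this NPS server only, and other NPS servers in the forest will show the same error 853 until they are updated as well.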

Additional Information

Troubleshooting Always On VPN Error Code 858

Troubleshooting Always On VPN Error Code 864

Always On VPN and Windows Server 2019 NPS Bug

Always On VPN Network Policy Server (NPS) Load Balancing

Microsoft Network Policy Server (NPS) Reason Codes


18 Comments

  1. Jon Rosenlund

     /  August 12, 2021

    I’ve been doing some testing with the Windows 11 builds and have been hitting this scenario, but the NTAuth store already has the cert. This is a setup that works flawlessly with all the Win10 clients. Been troubleshooting, but not quite sure what seems to be causing this yet.

    Reply
    • Could be an issue with the pre-release build, not sure. I did some quick testing with Windows 11 a while back and everything was working, but that doesn’t mean something changed since then.

      Reply
  2. morethanthesky

     /  August 20, 2021

    I wanted to put here that I got error 853 and it was unrelated to the above. We have two CAs, two NPS servers, two AoVPN servers. One of our CAs (the one that issues user certs) has had its CA service ‘stuck’. It’s happened twice in the past 12 months.

    I restart the service and Enterprise PKI goes green again, BUT afterwards I also have to restart the NPS servers because for some reason they don’t accept that the CA is acceptable now.

    I just wanted to put this here in case it helps someone with an error 853.

    Reply
  3. Martijn

     /  August 25, 2021

    I’m also experiencing the problems Jon has with Windows 11. No solution found yet.

    Reply
    • Jon Rosenlund

       /  August 31, 2021

      Have you had any luck? I’ve not. Keep sort of hoping it’ll get worked out with one of the new releases, but no such luck. I just can’t seem to find any reason why this error is coming up. With the newly announced official release date of October 5th for Win 11, I’m feeling a bit buggered.

      Reply
    • Jon Rosenlund

       /  September 14, 2021

      Martijn,

      You may want to see my issue resolved post in case you’re in the same boat.

      Reply
  4. JTB

     /  September 1, 2021

    Yup, seems to be an issue with the August build of Windows 11, error 853.

    Reply
    • Jon Rosenlund

       /  September 14, 2021

      JTB,

      You may want to see my issue resolved post in case you’re in the same boat.

      Reply
  5. Jon Rosenlund

     /  September 11, 2021

    So, I’ve resolved the Windows 11 issue in my environment.

    For me, it was a CAPITALIZATION issue in the subject name of the NPS Server’s certificate. Essentially, the PEAP settings of the VPN profile were specifying npsserverhostname.domain.com (NOTE: there are 2 of these entries in your profile):

    npsserverhostname.domain.com

    but the subject name of the actual certificate on the NPS server was NPSSERVERHOSTNAME.domain.com

    After manually testing this by adjusting my PEAP settings on a test machine to match the UPPERCASE that existed in NPS cert’s subject, I decided to leave the profile alone and instead adjust / fix the UPPERCASE subject name for the cert.

    To do this:
    -I edited the dNSHostName attribute of the NPS server’s computer object in Active Directory. Changed that from NPSSERVERHOSTNAME.domain.com to npsserverhostname.domain.com.
    -Then I went to my CA>Manage Certificate Templates>right-clicked on the NPS server certificate template>“Reenroll All Certificate Holders”.
    -Back on the NPS server, from an administrative command prompt forced the reenroll by entering “certutil -pulse” and verified the new certificate now had the lowercase version of npsserverhostname.domain.com.

    With the PEAP setting for the server names in server validation matching case-sensitively with the subject name of the NPS server’s certificate, everything works a charm.

    This was never an issue prior to Windows 11. I’ve yet to see anything about this in all my googling over the past month or so, so I hope this can help someone else. I’m sure I won’t be the only one who has some mismatching on their case sensitivity here.

    Reply
    • That’s really interesting. Case sensitivity isn’t usually a thing in Windows. Always surprising when it comes up. Common for Linux for sure, but not Windows. I’ll be on the lookout for this issue!

      Reply
      • Jon Rosenlund

         /  September 14, 2021

        I was surprised as well. After going down a bunch of rabbit holes everything seemed to be pointing to / acting as if something was wrong with the Subject Name on the NPS server’s cert, so frankly I was just sort of trying anything. The case sensitivity has never been an issue so I really wasn’t expecting a result. You just never know.

      • If I can reproduce and confirm this, I’ll definitely create a blog post. You’re only seeing this on Windows 11, correct? Not Windows 10 21H1?

      • Jon Rosenlund

         /  September 16, 2021

        That is correct. Only Windows 11. Windows 10 21H1 is not affected by this.

      • Great. I will look into this soon. 🙂

  6. JTB

     /  September 15, 2021

    Can confirm this works… great find!

    Reply
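The case mismatch Jon Rosenlund describes in comment 5 can be checked before touching the profile or re-enrolling anything. The following PowerShell is an added example, not code from the post or from any commenter: it pulls the ServerNames entries out of an Always On VPN ProfileXML, collects the subject CN and DNS SAN entries from the NPS server certificate, and compares them with PowerShell's case-sensitive -ceq operator, reporting separately whether a name matches exactly, matches only when case is ignored, or is absent. The ProfileXML fragment is constructed and keeps only the elements that matter; the live certificate lookup assumes the script runs on the NPS server and picks the newest Server Authentication certificate in the machine store.

```powershell
# Added example (not from the post or its comments): compare PEAP ServerNames
# from a VPN profile against the NPS certificate's names, case-sensitively.

function Get-ProfileServerNames {
    param([xml]$ProfileXml)
    # ServerNames sits inside a namespaced EapHostConfig tree, and a profile
    # normally carries two copies, so select by local name and dedupe.
    $ProfileXml.SelectNodes("//*[local-name()='ServerNames']") |
        ForEach-Object { $_.InnerText -split ';' } |
        ForEach-Object { $_.Trim() } | Where-Object { $_ } | Select-Object -Unique
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    # Subject Alternative Name extension (OID 2.5.29.17), rendered one entry per line.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    $names | Select-Object -Unique
}

function Compare-ServerNameCase {
    param([string[]]$ProfileNames, [string[]]$CertNames)
    foreach ($name in $ProfileNames) {
        $exact    = $CertNames | Where-Object { $_ -ceq $name }   # case-sensitive match
        $caseOnly = $CertNames | Where-Object { $_ -ieq $name }   # case-insensitive match
        if     ($exact)    { [pscustomobject]@{ Name = $name; Result = 'OK' } }
        elseif ($caseOnly) { [pscustomobject]@{ Name = $name; Result = "CASE MISMATCH (certificate has '$($caseOnly -join ', ')')" } }
        else               { [pscustomobject]@{ Name = $name; Result = 'NOT IN CERTIFICATE' } }
    }
}

# Constructed ProfileXML fragment with only the elements that matter here.
$vpnProfile = [xml]@'
<VPNProfile>
  <NativeProfile>
    <Authentication>
      <Eap>
        <Configuration>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <ServerValidation>
              <ServerNames>npsserverhostname.domain.com</ServerNames>
            </ServerValidation>
          </EapHostConfig>
        </Configuration>
      </Eap>
    </Authentication>
  </NativeProfile>
</VPNProfile>
'@

# Offline reproduction of the scenario in the comments: the certificate name
# below is constructed to differ from the profile only in case.
Compare-ServerNameCase -ProfileNames (Get-ProfileServerNames $vpnProfile) `
                       -CertNames @('NPSSERVERHOSTNAME.domain.com') | Format-Table -AutoSize

# Live check on the NPS server: newest Server Authentication certificate
# (EKU 1.3.6.1.5.5.7.3.1) in the LocalMachine\My store.
$npsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($npsCert) {
    Compare-ServerNameCase -ProfileNames (Get-ProfileServerNames $vpnProfile) `
                           -CertNames (Get-CertificateDnsNames $npsCert) | Format-Table -AutoSize
} else {
    Write-Warning 'No Server Authentication certificate found in LocalMachine\My'
}
```

The offline call reports CASE MISMATCH for npsserverhostname.domain.com, which is the condition the comment thread identifies; a CASE MISMATCH result on the live check means either the profile's ServerNames or the certificate's subject (via the computer object's dNSHostName, as described in the comment) needs to be brought into agreement.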
