Always On VPN Authentication Failure After February 2025 Security Update

Microsoft introduced changes to Windows domain controllers in the February 2025 security update that may result in authentication failures for Always On VPN user tunnel connections. If you suddenly find that all your Always On VPN user tunnel connections fail, additional changes may be required to resolve the issue.

Authentication Failure

Administrators may find that Always On VPN connections fail after applying the February 2025 Microsoft security updates. Specifically, users may receive the following warning message.

“The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid.”

Error 853

Administrators will also find a corresponding event log entry with event ID 20227 from the RasClient source with the following error message.

“The user <username> dialed a connection named <connection name> which has failed. The error code returned on failure is 853.”

NPS Events

The event log on the NPS server will also record event ID 6273 from the Microsoft Windows security auditing source with the following error message.

“Network Policy Server denied access to a user.”

The authentication details of the event include Reason Code 16 with the following reason.

“Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.”

DC Events

If the issue is related to changes implemented to domain controllers in the February 2025 security update, administrators will also find a corresponding event log entry on a domain controller with event ID 39 from the Kerberos-Key-Distribution-Center source with the following error message.

“The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping.”

Root Cause

The above conditions indicate that a user attempted to authenticate to the VPN with a certificate that was not strongly mapped. Most likely, the certificate was issued using Microsoft Intune with SCEP or PKCS. This results from changes made to domain controllers in the February 2025 security update that requires certificates used for Active Directory authentication to be strongly mapped. Until now, domain controllers allowed access and only logged an event in the event log when a certificate did not include strong certificate mapping. The February 2025 security update now enforces strong certificate mapping, and authentication requests will fail without it.

Resolution

Administrators must issue new certificates that are strongly mapped to resolve this issue. For certificates issued with PKCS, changes are required on the Intune Certificate Connector server before re-issuing. For certificates issued with SCEP, changes to the device configuration policy are required. See the post Strong Certificate Mapping for Intune PKCS and SCEP Certificates for more details.

Workaround

Re-issuing certificates takes time. To restore connectivity immediately, administrators can implement the following registry settings on all domain controllers to switch back to audit mode and allow authentication without strong certificate mapping.

Key: HKLM:\SYSTEM\CurrentControlSet\Services\Kdc
Name: StrongCertificateBindingEnforcement
Type: DWORD
Value: 1

I recommend deploying this setting via GPO assigned to the Domain Controllers OU. However, you can also implement this change using PowerShell if necessary.

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\Kdc’ -Name ‘StrongCertificateBindingEnforcement’ -PropertyType DWORD -Value 1 -Force

Additional Information

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

Strong Certificate Mapping Enforcement February 2025

Certificate-Based Authentication Changes and Always On VPN

Intune Strong Certificate Mapping Error

Strong Certificate Mapping Error with PKCS

Always On VPN Error 853 on Windows 11

Recently I did some validation testing with Always On VPN on Windows 11, and I’m happy to report that everything seems to work without issue. However, a few readers have reported 853 errors when establishing an Always On VPN connection after upgrading to Windows 11.

Can’t Connect

After upgrading to Windows 11, an Always On VPN connection may fail with the following error message.

“The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure the certificate used for authentication is valid.”

Error 853

In addition, the Application event log records an event ID 20227 from the RasClient source that includes the following message.

“The user <username> dialed a connection name <connection name> which has failed. The error code returned on failure is 853.”

Server Identity

This error will occur when using Protected Extensible Authentication Protocol (PEAP) authentication. Specifically, it can happen when the option to verify NPS server validity by its certificate is selected, and an explicit list of NPS servers is defined, as shown here.

Case Sensitive

In this specific scenario, Windows 11 now appears to be case-sensitive when it compares the NPS server name entered in the NPS configuration to the Subject Name on the certificate returned by the server. For example, if the Subject Name (or Subject Alternative Name, if present) entry on the NPS server certificate is nps.lab.richardhicks.net, using NPS.lab.richardhicks.net will not match and return an 853 error.

Windows 11

Case matching when validating the NPS server certificate is a change in behavior from Windows 10. Before Windows 11, this comparison was case-insensitive, and any combination of case would match if the entire hostname matched. Going forward, it appears Microsoft has also decided to require case matching to validate the server certificate.

Recommendations

Administrators should look carefully at the server certificate issued to the NPS server and ensure their client configuration accurately reflects the hostname in a case-sensitive manner to ensure a smooth migration from Windows 10 to Windows 11.

Additional Information

Troubleshooting Windows 10 Always On VPN Error 853

Windows 10 Always On VPN Network Policy Server (NPS) Load Balancing

Troubleshooting Always On VPN Error 853

Troubleshooting Always On VPN Error 691 and 812 – Part 2

Using Windows Server Network Policy Server (NPS) servers is a common choice for authenticating Microsoft Windows 10 Always On VPN user tunnel connections. The NPS server is joined to the domain and configured with a Network Policy that defines the authentication scheme used by clients for authentication when establishing an Always On VPN connection. Protected Extensible Authentication Protocol (PEAP) using client authentication certificates recommended for most Always On VPN deployment scenarios.

Experiencing error 853 on Windows 11? Click here for more information.

Can’t Connect

Users establishing an Always On VPN user tunnel connection using PEAP and client authentication certificates may encounter a scenario in which a VPN connection attempt fails with the following error message.

“The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid.”

Error 853

In addition, the Application event log records an event ID 20227 from the RasClient source that includes the following error message.

“The user <username> dialed a connection named <connection name> which has failed. The error code is 853.”

Missing NTAuth Certificate

Error code 853 is commonly caused by a missing issuing Certification Authority (CA) certificate in the NTAuth store on the NPS server. The NPS server must have the issuing CA certificate included in this store to perform authentication using client certificates. You can see the contents of the NTAuth certificate store by opening an elevated command window on the NPS server and running the following command.

certutil.exe -enterprise -viewstore NTAuth

Install Certificate

To install the issuing CA server’s certificate into the NTAuth store, copy the CA certificate to the NPS server, open an elevated command window, then run the following command.

certutil.exe -enterprise -addstore NTAuth <issuing CA certificate>

Once complete, view the store again, and you’ll see the issuing CA certificate listed in the NTAuth certificate store.

Additional Information

Always On VPN Error 853 on Windows 11

Troubleshooting Always On VPN Error Code 858

Troubleshooting Always On VPN Error Code 864

Always On VPN and Windows Server 2019 NPS Bug

Always On VPN Network Policy Server (NPS) Load Balancing

Microsoft Network Policy Server (NPS) Reason Codes