Always On VPN Administrators may encounter a scenario where Always On VPN connections suddenly stop working for all clients using the Secure Socket Tunneling Protocol (SSTP) VPN protocol. IKEv2 VPN connections continue to work, however.
Event Log
Reviewing the event log on a client machine reveals an error event ID 20227 from the RasClient source. The error message states the following.
“The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is -2146762495.”
Error -2146762495?
Always On VPN administrators will be familiar with error codes such as 809, 691 and 812, 853, 858, and even 13801, 13806, and 13868. However, this error code seems to be formatted much differently. As it turns out, this message is in decimal format. Thankfully it’s pretty easy to convert it to something more meaningful, like hexadecimal. To do this, open the Windows calculator (calc.exe) and switch to programmer mode. Highlight DEC and enter -2146762495. The hexadecimal value will be displayed in the HEX field, as shown here.
Error 0x800B0101
After converting the error message from decimal to hex, use the Microsoft Error Lookup tool (err.exe) to translate the hex value of this error. As shown here, 0x800B0101 translates to CERT_E_EXPIRED.
Expired TLS Certificate
Once again, an expired certificate is to blame! In this case, the TLS certificate installed on the VPN server has expired and is no longer valid.
Resolution
The problem is simple enough to resolve, of course. Obtain a new TLS certificate from your certification authority (CA) of choice and update your VPN server configuration. You can find detailed guidance for updating the RRAS VPN server’s TLS certificate here. You will also find a video demonstration of the RRAS SSL/TLS certificate renewal process here.
Windows Server Routing and Remote Access Service (RRAS) is popular for Always On VPN deployments because it supports the Secure Socket Tunneling Protocol (SSTP). The SSTP VPN protocol is recommended for use with the Always On VPN user tunnel because it is firewall friendly. Installing a TLS certificate on the VPN server is necessary to support SSTP VPN connections. Administrators should use a TLS certificate signed by a public certification authority (CA) for optimal reliability and performance.
Click here to view a video demonstration of the procedures outlined in this article.
Certificate Expiration
Of course, all certificates expire, and the TLS certificate used for SSTP is no exception. When using a public TLS certificate, the certificate lifetime is typically no more than one year, which means Always On VPN administrators will be renewing this certificate regularly.
Certificate Renewal
The process of “renewing” an SSTP TLS certificate is essentially the same as installing a new one, as it is best to create a new public/private key pair when renewing a certificate. The following outlines the steps required to generate a Certificate Signing Request (CSR), import the certificate, then assign the certificate to the SSTP listener on the VPN server.
Note: The guidance provided here assumes using an ECC certificate, which is best for optimal security and performance. More details here.
Certificate Request
Open the local computer certificate store (certlm.msc) on the VPN server and perform the following steps to generate a new CSR.
Expand Certificates – Local Computer > Personal.
Right-click the Certificates folder and choose All Tasks > Advanced Operations > Create Custom Request.
Click Next.
Highlight Proceed without enrollment policy.
Click Next.
Select (No template) CNG key from the Template drop-down list.
Select PKCS #10 in the Request format section.
Click Next.
Click on the down arrow next to Details.
Click on the Properties button.
Select the General tab.
Enter the public hostname for the certificate in the Friendly name field.
Select the Subject tab.
Select Common name from the Type drop-down list in the Subject name section.
Enter the public hostname for the certificate in the Value field.
Click Add.
In the Alternative name section, select DNS from the Type drop-down list.
Enter the public hostname for the certificate in the Value field.
Click Add.
Select the Extensions tab.
Expand the Extended Key Usage section.
Select Server Authentication from the Available options section.
Click Add.
Select the Private Key tab.
Expand the Cryptographic Service Provider section.
Uncheck the box next to RSA,Microsoft Software Key Storage Provider.
Check the box next to ECDSA_P256,Microsoft Software Key Storage Provider.
Expand the Key options section.
Check the box next to Make private key exportable.
Click Ok.
Click Next.
Enter a name for the file in the File Name field.
Select Base 64 in the File format section.
Click Finish.
Import Certificate
Once complete, submit the file created to a public CA for signing. When the CA returns the signed certificate, perform the following steps to import it to the local compute certificate store.
Right-click the Certificates folder and choose All Tasks > Import.
Click Next.
Enter the name of the certificate file returned by the public CA in the File name field.
Click Next.
Select Place all certificates in the following store and ensure that Personal is listed in the Certificate store field.
Click Next.
Click Finish.
Click Ok.
Assign Certificate
After importing the new TLS certificate in the local computer’s certificate store, open the Routing and Remote Access management console (rrasmgmt.msc) and perform the following steps to assign the TLS certificate to the SSTP listener.
Right-click the VPN server and choose Properties.
Select the Security tab.
Select the new TLS certificate from the Certificate drop-down list in the SSL Certificate Binding section. When replacing an existing certificate, you may see a certificate with the same name more than once. Click the View button and ensure the new certificate is selected.
Click Ok.
Click Yes to restart the RemoteAccess service.
Demonstration Video
A recorded video demonstration of this process can be found here. The video recording also includes guidance for making these changes on Windows Server Core servers.
Using Windows Server Network Policy Server (NPS) servers is a common choice for authenticating Microsoft Windows 10 Always On VPN user tunnel connections. The NPS server is joined to the domain and configured with a Network Policy that defines the authentication scheme used by clients for authentication when establishing an Always On VPN connection. Protected Extensible Authentication Protocol (PEAP) using client authentication certificates recommended for most Always On VPN deployment scenarios.
Experiencing error 853 on Windows 11? Click here for more information.
Can’t Connect
Users establishing an Always On VPN user tunnel connection using PEAP and client authentication certificates may encounter a scenario in which a VPN connection attempt fails with the following error message.
“The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid.”
Error 853
In addition, the Application event log records an event ID 20227 from the RasClient source that includes the following error message.
“The user <username> dialed a connection named <connection name> which has failed. The error code is 853.”
Missing NTAuth Certificate
Error code 853 is commonly caused by a missing issuing Certification Authority (CA) certificate in the NTAuth store on the NPS server. The NPS server must have the issuing CA certificate included in this store to perform authentication using client certificates. You can see the contents of the NTAuth certificate store by opening an elevated command window on the NPS server and running the following command.
certutil.exe -enterprise -viewstore NTAuth
Install Certificate
To install the issuing CA server’s certificate into the NTAuth store, copy the CA certificate to the NPS server, open an elevated command window, then run the following command.
certutil.exe -enterprise -addstore NTAuth <issuing CA certificate>
Once complete, view the store again, and you’ll see the issuing CA certificate listed in the NTAuth certificate store.
