When configuring Windows 10 Always On VPN using the Routing and Remote Access Service (RRAS) on Windows Server 2012 R2 and Extensible Authentication Protocol (EAP) authentication using client certificates, clients attempting to establish a VPN connection using Internet Key Exchange version 2 (IKEv2) may receive the following error.
“The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile.”
The event log on the client also records RasClient event ID 20227 stating “the error code returned on failure is 812”.
Always On VPN clients using the Secure Socket Tunneling Protocol (SSTP) may receive the following error.
“The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.”
The event log on the client also records RasClient event ID 20227 stating “the error code returned on failure is 691”.
Resolution
These errors can occur when Transport Layer Security (TLS) 1.0 has been disabled on the RRAS server. To restore functionality, enable TLS 1.0 protocol support on the RRAS server. If disabling TLS 1.0 is required for compliance reasons, consider deploying RRAS on Windows Server 2016. TLS 1.0 can be safely disabled on Windows Server 2016 without breaking EAP client certificate authentication for Windows 10 Always On VPN clients.
Additional Information
Windows 10 Always On VPN Hands-On Training
What’s the Difference Between DirectAccess and Windows 10 Always On VPN?
5 Important Things DirectAccess Administrators Should Know About Windows 10 Always On VPN
3 Important Advantages of Windows 10 Always On VPN over DirectAccess
