All posts tagged error

Always On VPN with PEAP Fails in Windows 11 26H1

Always On VPN RasMan Errors in Windows 10 1903

There appears to be a bug in the latest Windows 11 26H1 (no, that’s not a typo – 26H1) build affecting Protected Extensible Authentication Protocol (PEAP). In my testing, all VPN connection attempts (Always On VPN and manual/ad-hoc) failed when PEAP was used for authentication.

Windows 11 26H1

Recently, while reviewing downloads and product keys in Visual Studio, I noticed a new Windows 11 release listed: Windows 11 26H1 (business and consumer editions). I initially thought 26H1 would be ARM-only, but the download is available for x64 as well.

I’m not sure whether this is intended as a general release, because Microsoft describes it as an Insider Experimental Preview Build (28200.1873). I also don’t recall seeing Insider builds offered through Visual Studio downloads, so I’m not sure what to make of it. Either way, if you’re evaluating this build, the notes below document a VPN issue I was able to reproduce.

Troubleshooting

After preparing a Windows 11 26H1 test client, I found that the Always On VPN user tunnel would not connect. The same configuration worked on earlier Windows 11 versions. In the event log, I observed the following errors.

Error 619

When using SSTP, the event log records error code 619 (event ID 20227) from the RasClient event source, with the following error message.

The user [domain\user] dialed a connection named [connection name] which has failed. The error code returned on failure is 619.

Error 691

When using IKEv2, the event log records error code 691 (event ID 20227) from the RasClient event source, with the following error message.

The user [domain\user] dialed a connection named [connection name] which has failed. The error code returned on failure is 691.

Workaround

At the time of writing, the only workaround I’ve found to restore Always On VPN connectivity is to switch authentication from PEAP to EAP-TLS. This may not be a drop-in change for every environment, so evaluate the security and operational impact before rolling it out broadly. You’ll need to enable EAP-TLS on both the client and the NPS/RADIUS server.

Summary

I’m not convinced Windows 11 26H1 will be widely deployed soon, since it appears to be an experimental/Insider build rather than a general release. If you decide to evaluate it, plan to use the workaround above to maintain Always On VPN connectivity.

Feedback

Have you tested Always On VPN with Windows 11 26H1? If so, do you see the same behavior? Share your findings in the comments.

Additional Information

Windows 11 Insider Experimental (26H1) Preview Build 28200.1873

Leave a comment
by Richard M. Hicks on April 27, 2026  •  Permalink
Posted in Always On VPN, AOVPN, authentication, EAP, EAP-TLS, Microsoft, PEAP, user tunnel, VPN, Windows 11
Tagged , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 27, 2026

https://directaccess.richardhicks.com/2026/04/27/always-on-vpn-with-peap-fails-in-windows-11-26h1/

Entra Private Access Channels Are Unreachable

Administrators deploying Microsoft Entra Private Access may encounter a scenario in which the Global Secure Access (GSA) agent reports an error. However, the client continues to work without issue, and all internal resources remain reachable via the Entra Private Access connection. This issue occurs only when the Private Access forwarding profile is enabled alone. It does not happen if the Microsoft traffic forwarding profile is also enabled.

GSA Status Error

When this happens, the Private access channel status is Connected, but the Entra access channel is Disconnected. Also, you will see the following error message when clicking on the GSA client in the notification area.

Some channels are unreachable

Global Secure Access has some channels that are unreachable

Health Check

To investigate further, click the Troubleshooting tab, then click Run tool in the Advanced diagnostics tool section. In the Health check section, you will see the following error message.

Diagnostic URLs were not found in forwarding policy

Scrolling down the list also reveals the following error messages.

Magic IP received = False

Tunneling succeeded Entra Authentication = False

Root Cause

Several months ago, Microsoft made changes to the health check probes that required enabling the Microsoft traffic forwarding profile to work. Some essential health-check probes were not accessible via the Private Access channel, resulting in the error messages shown above when only the Private Access forwarding profile is enabled.

Resolution

Microsoft is rolling out changes to address this issue at the time of this writing (late October 2025). If you encounter this error, it will most likely resolve itself soon. Alternatively, administrators can enable the Microsoft traffic forwarding profile, which will also fix this issue.

Additional Information

Microsoft Entra Private Access

Microsoft Entra Global Secure Access (GSA)

Microsoft Security Service Edge (SSE) Now Generally Available

Microsoft Entra Security Service Edge (SSE) on RunAs Radio

2 Comments
by Richard M. Hicks on October 30, 2025  •  Permalink
Posted in Entra, Entra Global Secure Access, Entra ID, Entra Internet Access, Entra Private Access, Global Secure Access, GSA, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Internet Access, Microsoft Entra Private Access, SASE, Secure Access Service Edge, Secure Service Edge, Security, Security Service Edge, SSE, troubleshooting, Windows 10, Windows 11, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 30, 2025

https://directaccess.richardhicks.com/2025/10/30/entra-private-access-channels-are-unreachable/

Managed Certificates for Remote Desktop Protocol

The Remote Desktop Protocol (RDP) is arguably the most widely used protocol for Windows remote server administration. RDP uses Transport Layer Security (TLS) for server authentication, data encryption, and integrity. However, the default configuration of TLS for RDP in Windows is less than ideal.

RDP Self-Signed Certificate

By default, RDP uses a self-signed certificate for TLS operations. TLS with self-signed certificates is a bad security practice because they are not validated by a trusted certificate authority (CA), making it impossible for clients to verify the authenticity of the server they are connecting to, which can lead to interception attacks.

Certificate Warning

Most administrators have encountered a warning error when connecting to a remote host via RDP using a self-signed RDP certificate.

“The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.”

Nmap

You can view the default self-signed certificate with the Nmap utility by running the following command.

nmap.exe -n -p 3389 <hostname> –script ssl-cert

Managed Certificates

A better solution for RDP TLS is to use managed certificates issued by an enterprise Public Key Infrastructure (PKI) such as Microsoft Active Directory Certificate Services (AD CS). AD CS is widely deployed in AD domain environments and can be configured to issue certificates for RDP TLS.

AD CS

To configure AD CS to issue RDP certificates, perform the following steps.

Certificate Template

On an issuing CA or an administrative workstation with the Remote Server Administration Tools (RSAT) installed, open the Certificate Templates management console (certtmpl.msc) and perform the following steps.

*My apologies for the list numbering format issues below. Microsoft Word and WordPress can’t seem to agree on the list format. Hopefully, you can figure it out, though. 🙂

  1. Right-click the Workstation Authentication template and choose Duplicate Template.
  2. Select the Compatibility tab.
    1. Select the operating system (OS) version corresponding to the oldest OS hosting the issuing CA role in your environment from the Certification Authority drop-down list.
    1. Select the OS version corresponding to your environment’s oldest supported server or client OS from the Certificate recipient drop-down list.
  3. Select the General tab.
    1. Enter a descriptive name in the Template display name field.
    1. Select an appropriate validity period for your environment. The best practice is to limit the validity period to one year or less.
  4. Select the Cryptography tab.
    1. From the Provider Category drop-down list, choose Key Storage Provider.
    1. From the Algorithm name drop-down list, choose RSA.
    1. In the Minimum key size field, enter 2048.
    1. From the Request hash drop-down list, choose SHA256.
  5. Select the Subject Name tab.
    1. From the Subject name format drop-down list, select DNS name.
    1. Ensure that DNS name is also checked in the subject alternate name section.
  6. Select the Extensions tab.
    1. Click on Application Policies.
    1. Click Edit.
    1. Select Client Authentication.
    1. Click Remove.
    1. Click Add.
    1. Click New.
    1. Enter Remote Desktop Authentication in the Name field.
    1. Enter 1.3.6.1.4.1.311.54.1.2 in the Object identifier field.
    1. Click Ok.
    1. Select Remote Desktop Authentication.
    1. Click Ok.
  7. Select the Security tab.
    1. Click Domain Computers.
    1. Grant the Read and Enroll permissions.
  8. Click Ok.

Next, open the Certification Authority management console (certsrv.msc) and follow the steps below to publish the certificate.

  1. Expand the CA.
  2. Right-click Certificate Templates and choose New > Certificate Template to Issue.
  3. Select the Remote Desktop Authentication certificate template.
  4. Click Ok.

Group Policy

Next, on a domain controller or a workstation with the RSAT tools installed, open the Group Policy Management console (gmpc.msc) and perform the following steps to create a new GPO to enroll domain computers for the Remote Desktop Authentication certificate

  1. Right-click Group Policy Objects and choose New.
  2. Enter a descriptive name for the GPO in the Name field.
  3. Click Ok.
  4. Right-click the GPO and choose Edit.
  5. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
  6. Double-click Server authentication certificate template.
  7. Select Enabled.
  8. Enter the name of the Remote Desktop Authentication certificate template in the Certificate Template Name field. Note: Be sure to enter the template name, not the template display name!
  9. Click Ok.

Once complete, link the GPO to the domain or OU to target the servers and workstations to which you wish to deploy the RDP certificate.

Validate Certificate

After updating group policy on a target resource, you’ll find that Nmap now shows the enterprise PKI-issued certificate used for RDP connections.

Additional Information

Understanding the Remote Desktop Protocol (RDP)

4 Comments
by Richard M. Hicks on February 20, 2025  •  Permalink
Posted in Active Directory Certificate Services, AD CS, ADCS, administration, authentication, Certificate Authority, Certificate Services, certificates, Device Management, Enterprise, enterprise mobility, Microsoft, Mobility, Operational Support, public key infrastructure, RDP, Remote Access, Remote Administration, Remote Desktop Protocol, Security, Transport Layer Security, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 20, 2025

https://directaccess.richardhicks.com/2025/02/20/managed-certificates-for-remote-desktop-protocol/

« Older Posts