Always On VPN with PEAP Fails in Windows 11 26H1

There appears to be a bug in the latest Windows 11 26H1 (no, that’s not a typo – 26H1) build affecting Protected Extensible Authentication Protocol (PEAP). In my testing, all VPN connection attempts (Always On VPN and manual/ad-hoc) failed when PEAP was used for authentication.

Windows 11 26H1

Recently, while reviewing downloads and product keys in Visual Studio, I noticed a new Windows 11 release listed: Windows 11 26H1 (business and consumer editions). I initially thought 26H1 would be ARM-only, but the download is available for x64 as well.

I’m not sure whether this is intended as a general release, because Microsoft describes it as an Insider Experimental Preview Build (28200.1873). I also don’t recall seeing Insider builds offered through Visual Studio downloads, so I’m not sure what to make of it. Either way, if you’re evaluating this build, the notes below document a VPN issue I was able to reproduce.

Troubleshooting

After preparing a Windows 11 26H1 test client, I found that the Always On VPN user tunnel would not connect. The same configuration worked on earlier Windows 11 versions. In the event log, I observed the following errors.

Error 619

When using SSTP, the event log records error code 619 (event ID 20227) from the RasClient event source, with the following error message.

The user [domain\user] dialed a connection named [connection name] which has failed. The error code returned on failure is 619.

Error 691

When using IKEv2, the event log records error code 691 (event ID 20227) from the RasClient event source, with the following error message.

The user [domain\user] dialed a connection named [connection name] which has failed. The error code returned on failure is 691.

Workaround

At the time of writing, the only workaround I’ve found to restore Always On VPN connectivity is to switch authentication from PEAP to EAP-TLS. This may not be a drop-in change for every environment, so evaluate the security and operational impact before rolling it out broadly. You’ll need to enable EAP-TLS on both the client and the NPS/RADIUS server.

Summary

I’m not convinced Windows 11 26H1 will be widely deployed soon, since it appears to be an experimental/Insider build rather than a general release. If you decide to evaluate it, plan to use the workaround above to maintain Always On VPN connectivity.

Feedback

Have you tested Always On VPN with Windows 11 26H1? If so, do you see the same behavior? Share your findings in the comments.

Additional Information

Windows 11 Insider Experimental (26H1) Preview Build 28200.1873

Troubleshooting Intune Failed PKCS Request

Always On VPN administrators deploying on-premises enterprise PKI certificates using Microsoft Intune with PKCS may encounter a scenario where a certificate fails to be issued to a user or device. In this post, I’ll share some things to investigate when troubleshooting this issue.

Event 1001

To begin, open the Event Log and navigate to Applications and Services > Microsoft > Intune > CertificateConnectors > Admin. You will likely find an event ID 1001 from the CertificateConnectors source with the following error message.

Failed to process PKCS request.

Prerequisites

Validate that the following prerequisites have been met on the issuing Certification Authority (CA) server.

Certificate Template

Ensure the certificate template used for PKCS has the correct permissions and is published on an issuing CA server. Open the Certificate Templates management console (certtmpl.msc), right-click the certificate template, choose Properties, and then click on the Security tab. The certificate template must grant the Intune Certificate connector server’s computer account (or the PKCS connector’s service account if running as a service and not SYSTEM) the Read and Enroll permissions on the template.

CA Permissions

In addition to the permissions on the certificate template, ensure the correct permissions have been configured on the issuing CA itself. Right-click on the CA in the Certification Authority management console (certsrv.msc) and choose Security. Ensure the Intune Certificate connector server’s computer account (or the PKCS connector’s service account, if running as a service and not SYSTEM) is granted the Issue and Manage Certificates and Request Certificates permissions.

Intune Policy

Ensure the Intune device configuration policy is configured correctly. These three fields are critical and can result in failed PKCS certificate deployment if misconfigured.

Certification Authority

Enter the fully qualified domain name (FQDN) of the on-premises issuing CA server in this field.

Certification Authority Name

Enter the common name of the issuing CA in this field. You will find this information by running the following command on any domain-joined Windows system.

certutil.exe -dump

Certificate Template Name

Enter the name of the certificate template in Active Directory. Be aware that the template name and template display name are two different things. The template name is usually the template display name without spaces. However, that’s not a guarantee. To confirm, check the template name field on the General tab of the certificate template.
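The three policy fields above can be checked against what Active Directory actually publishes. The following PowerShell is an added example, not part of the original article or of any Microsoft tooling; the three values at the top are constructed placeholders, and it assumes a domain-joined system with read access to the Configuration partition.

```powershell
# Added example. The three values are constructed placeholders for the Intune profile fields.
$CaFqdn       = 'ca01.corp.example.net'   # "Certification Authority"
$CaName       = 'Example Issuing CA'      # "Certification Authority Name"
$TemplateName = 'Example VPN User'        # "Certificate Template Name"

# PKI objects live in the Configuration partition of AD DS.
$configNC = ([adsi]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Match on template name (cn) OR display name to catch the two being confused.
$tSearch = [adsisearcher]"(&(objectClass=pKICertificateTemplate)(|(cn=$TemplateName)(displayName=$TemplateName)))"
$tSearch.SearchRoot = [adsi]"LDAP://CN=Certificate Templates,$pkiBase"
$template = $tSearch.FindOne()

$realName = $null
if (-not $template) {
    Write-Warning "No certificate template has the name or display name '$TemplateName'."
} else {
    $realName = [string]$template.Properties['cn'][0]
    if ($realName -ne $TemplateName) {
        Write-Warning "'$TemplateName' is a display name. Use the template name '$realName' in the policy."
    }
}

# Each issuing CA is an enrollment service object listing the templates it publishes.
$cSearch = [adsisearcher]'(objectClass=pKIEnrollmentService)'
$cSearch.SearchRoot = [adsi]"LDAP://CN=Enrollment Services,$pkiBase"
foreach ($ca in $cSearch.FindAll()) {
    $name = [string]$ca.Properties['cn'][0]
    $fqdn = [string]$ca.Properties['dnshostname'][0]
    [pscustomobject]@{
        CaName            = $name
        CaFqdn            = $fqdn
        NameMatches       = ($name -eq $CaName)
        FqdnMatches       = ($fqdn -eq $CaFqdn)
        TemplatePublished = [bool]($realName -and ($ca.Properties['certificatetemplates'] -contains $realName))
    }
}
```

A correct policy produces one row where NameMatches, FqdnMatches and TemplatePublished are all True. The script does not check the Read and Enroll permissions described under Prerequisites.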

Summary

This article is not a comprehensive troubleshooting guide for problems associated with failed PKCS certificate deployment using the Microsoft Intune Certificate connector and PKCS. However, it covers some of the more common problems administrators will likely encounter. If you cannot provision PKCS certificates correctly, drop me a note and I’ll provide further guidance.

Additional Information

Troubleshooting Failed Intune Certificate Connector Configuration – Part 1

Troubleshooting Failed Intune Certificate Connector Configuration – Part 2

Intune Certificate Connector Service Account and PKCS

Microsoft Intune Cloud PKI

Microsoft Intune Cloud PKI and Certificate Templates

Microsoft Intune Cloud PKI and Active Directory

Always On VPN Error 13801

Certificate configuration is crucial for Always On VPN deployments. I described some specific certificate requirements for IKEv2 in this previous post. Following this guidance, administrators should have no issues with IKEv2 Always On VPN connections. However, it is always possible to encounter an error if any of these certificates are missing or misconfigured.

Error 13801

One of the most common errors related to IKEv2 and certificates is 13801. When an Always On VPN connection using IKEv2 fails, the Windows Application event log will record an event ID 20227 from the RasClient source. The error message states the following:

“The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 13801”.

IKE Authentication Credentials are Unacceptable

Error 13801 translates to ERROR_IPSEC_IKE_AUTH_FAIL, indicating an authentication failure related to IPsec. The problem can be on the device, the VPN server, or an issue with the VPN server configuration.
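The event ID 20227 records quoted here and in the PEAP post above all share one message format, so they can be summarized per connection and error code. This PowerShell is an added example, not from the original article; the function name, the hint table and the sample messages are constructed for illustration, and the hints only restate what this page reports.

```powershell
# Added example. Hints restate what this page reports; other codes are left unmapped.
$Hint = @{
    619   = 'Reported on this page for SSTP with PEAP on Windows 11 26H1'
    691   = 'Reported on this page for IKEv2 with PEAP on Windows 11 26H1'
    13801 = 'ERROR_IPSEC_IKE_AUTH_FAIL: check IKEv2 certificates and RRAS settings'
}

function Get-RasClientFailureSummary {
    # Hypothetical helper: takes event message strings and counts failures per connection/code.
    param([Parameter(ValueFromPipeline)][string]$Message)
    begin { $rows = @() }
    process {
        $pattern = 'dialed a connection named (?<conn>.+?) which has failed\. ' +
                   'The error code returned on failure is (?<code>\d+)'
        if ($Message -match $pattern) {
            $rows += [pscustomobject]@{ Connection = $Matches.conn; Code = [int]$Matches.code }
        }
    }
    end {
        $rows | Group-Object Connection, Code | ForEach-Object {
            $code = $_.Group[0].Code
            [pscustomobject]@{
                Connection = $_.Group[0].Connection
                Code       = $code
                Count      = $_.Count
                Hint       = if ($Hint.ContainsKey($code)) { $Hint[$code] } else { 'Not covered on this page' }
            }
        }
    }
}

# Constructed sample messages in the format quoted above.
$sample = @(
    'The user CORP\alice dialed a connection named Always On VPN which has failed. The error code returned on failure is 13801.'
    'The user CORP\alice dialed a connection named Always On VPN which has failed. The error code returned on failure is 13801.'
    'The user CORP\bob dialed a connection named Always On VPN which has failed. The error code returned on failure is 691.'
)
$sample | Get-RasClientFailureSummary

# Against a live client, feed it the RasClient events from the Application log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } |
#     ForEach-Object Message | Get-RasClientFailureSummary
```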

Authentication Methods

To begin, ensure that the appropriate authentication method is enabled on the Routing and Remote Access (RRAS) server. Right-click the VPN server in the RRAS management console (rrasmgmt.msc) and choose Properties. Next, click on the Security tab and then click on the Authentication Methods button.

Select the ‘Extensible authentication protocol (EAP)’ option to support IKEv2 user tunnel connections. In addition, select ‘Allow machine certificate authentication for IKEv2’ to support Always On VPN device tunnel connections.

Certificate Chain

A 13801 error will occur if the client does not trust the certificate installed on the VPN server. Ensure the client has all the necessary root and intermediate certification authority (CA) certificates installed in their respective certificate stores.

VPN Server Certificate

A 13801 error can also occur if the VPN server does not have a properly configured server certificate. Ensure the VPN server has a valid certificate issued by the organization’s internal PKI that includes both the Server Authentication (OID 1.3.6.1.5.5.7.3.1) and IP security IKE intermediate (OID 1.3.6.1.5.5.8.2.2) EKUs. The subject name must match the public fully qualified domain name (FQDN) used by VPN clients to connect to the VPN server (not the server’s NetBIOS name). Again, ensure the certificate is valid (not expired), trusted, not revoked, and all necessary root and intermediate CA certificates are installed in their respective certificate stores.

Certificate Revocation

An expired Certificate Revocation List (CRL) can also result in a 13801 error. Open the Enterprise PKI console (pkiview.msc) on an issuing CA and review the status of all CRLs. If any are expired, resolve any issues preventing the CRL from publishing successfully, then issue a new CRL by running certutil.exe -crl on the issuing CA server.
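The certificate chain, server certificate and revocation checks above can be run in one pass on the VPN server. This PowerShell is an added example, not from the original article; `$PublicFqdn` is a constructed placeholder, and the script assumes the VPN server certificate is in the local computer's Personal store.

```powershell
# Added example. $PublicFqdn is a constructed placeholder for the name VPN clients connect to.
$PublicFqdn  = 'vpn.example.net'
$requiredEku = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
    $cert = $_

    # EKU OIDs present on the certificate (empty if there is no EKU extension).
    $ekuExt  = $cert.Extensions | Where-Object { $_ -is $ekuType }
    $ekus    = @(foreach ($e in $ekuExt.EnhancedKeyUsages) { $e.Value })
    $missing = @($requiredEku.Keys | Where-Object { $_ -notin $ekus } |
                 ForEach-Object { $requiredEku[$_] })

    # Subject CN plus SAN DNS names; -like lets a wildcard certificate name match.
    $names  = @($cert.GetNameInfo('SimpleName', $false)) + @($cert.DnsNameList.Unicode)
    $nameOk = [bool]($names | Where-Object { $_ -and ($PublicFqdn -like $_) })

    # Build the chain with online revocation checking, so an expired or
    # unreachable CRL appears in ChainStatus.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        MissingEku  = $missing -join ', '
        NameMatches = $nameOk
        ChainValid  = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object Status) -join ', '
    }
}
```

A usable server certificate shows an empty MissingEku, NameMatches and ChainValid both True, and an empty ChainStatus. The chain is evaluated from the server's point of view, so clients still need the same root and intermediate CA certificates in their own stores.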

RRAS Configuration

Another cause of the 13801 error for the device tunnel is a misconfigured Routing and Remote Access Service (RRAS) VPN server. An error 13801 can happen if the administrator incorrectly defines a trusted root CA using Set-VpnAuthProtocol. Ensure that the root certificate thumbprint matches exactly the root CA server’s thumbprint used to issue certificates to VPN devices and the VPN server.

Get-VpnAuthProtocol

Root CA Certificate Thumbprint

Resolution

Ensure that devices and VPN servers have correctly configured certificates installed. If the root CA certificate is assigned incorrectly on the VPN server, follow the guidelines detailed here to update the configuration.

Additional Information

Microsoft Windows Always On VPN Error 13806

Microsoft Windows Always On VPN Certificate Requirements for IKEv2

Microsoft Windows Always On VPN IPsec Root Certificate Configuration Issue

Microsoft Windows Always On VPN IKEv2 Policy Mismatch Error

Microsoft Windows Always On VPN IKEv2 Security Configuration

Microsoft Windows Always On VPN IKEv2 Fragmentation

Microsoft Windows Always On VPN IKEv2 Load Balancing and NAT

Microsoft Windows Always On VPN IKEv2 Features and Limitations