Microsoft L2TP Certificate problem in Windows Vista

MobileAllOver

I've been battling with VPN / Certificate issues on my Windows 2003 SBS Server.

Current setup:
PPTP configured, all clients can connect: Windows XP, Windows 2003 and Windows Vista.
L2TP configured. All clients except for Windows Vista can connect.

Windows 2003 Server is behind a NAT-T firewall. I've applied the patch for all clients to fix the NAT-Traversal issue, also on Windows Vista.

I've upgraded my Certificate Services to accommodate Vista clients - http://support.microsoft.com/kb/922706

The only remaining issue (that I know of) is the fact that the original Certificate Services can store the Certificate on the Computer Account instead of in the "Local User" account. With the "upgrade", it only stores certificates in my User folder.

Without the move I get error 766: Certificate could not be found. After the move to "Local Computer" certificates, I get Error 810: A network connection between your computer and the VPN server was started, but the VPN connection was not completed. This is typically caused by the use of an incorrect or expired certificate for authentication between the client and the server. Please contact your Administrator to ensure that the certificate being used for authentication is valid.

Any suggestions?
 
Actually I didn't follow the exact procedures in http://support.microsoft.com/kb/922706
I've requested the hotfix from Microsoft that contains everything including the new LongHorn pages.

Package:
-----------------------------------------------------------
KB Article Number(s): 922706
Language: English
Platform: i386
 
OK, got it going....

1. Delete all CA certificates issued from your server (Only if your computer DOES NOT form part of a domain)
2. Import CA Certificate (https://servername/certsrv, Download a CA certificate, certificate chain, or CRL, Download CA Certificate). If an error appears, save to disk, open with mmc, import from file. I got several issues here
3. https://servername/certsrv... Request, advanced, User Request
4. Import certificate
5. MMC, add both Local Computer and Local User
6. Export Current User, Personal Certificate, includes all paths
7. Right-Click Local Computer, Personal, import

That's it. No more invalid certificate issues.... PM me should you need more information
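The seven MMC steps above, scripted as an added example (this is not code from the thread or from Microsoft): it puts the CA certificate into both Root stores, then exports the user's certificate with its private key and imports it into the Local Computer Personal store. It uses the .NET X509Store classes rather than the later PKI cmdlets so that it runs on Vista-era PowerShell; the CA thumbprint and the PFX password are placeholders you must replace, and the session must be elevated because it writes to LocalMachine stores.

```powershell
# Added example, not from the original post. Assumptions: $CaThumbprint is the
# thumbprint of the issuing CA's certificate and $PfxPassword only protects the
# in-memory PFX during the copy. Run from an elevated PowerShell prompt.
$CaThumbprint = 'REPLACE_WITH_CA_CERT_THUMBPRINT'   # assumption: your CA cert thumbprint
$PfxPassword  = 'use-a-throwaway-password'          # assumption: temporary PFX password

function Open-Store([string]$Name, [string]$Location) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($Name, $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    return $store
}

# Step 1: the CA certificate must be in BOTH Root stores (the poster's "real issue").
$userRoot    = Open-Store 'Root' 'CurrentUser'
$machineRoot = Open-Store 'Root' 'LocalMachine'
$ca = (@($userRoot.Certificates) + @($machineRoot.Certificates)) |
      Where-Object { $_.Thumbprint -eq $CaThumbprint } | Select-Object -First 1
if (-not $ca) {
    throw "CA certificate $CaThumbprint is in neither Root store; download it from https://servername/certsrv first."
}
foreach ($s in $userRoot, $machineRoot) {
    if (-not ($s.Certificates | Where-Object { $_.Thumbprint -eq $ca.Thumbprint })) {
        $s.Add($ca)
        Write-Host "Added CA certificate to $($s.Location)\Root"
    }
}

# Step 2: take the user certificate issued by that CA (with its private key)
# and import it, key included, into LocalMachine\My, where IKE looks for it.
$userMy    = Open-Store 'My' 'CurrentUser'
$machineMy = Open-Store 'My' 'LocalMachine'
$userCert = $userMy.Certificates |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -eq $ca.Subject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $userCert) {
    throw "No unexpired certificate issued by $($ca.Subject) with a private key in CurrentUser\My."
}

if ($machineMy.Certificates | Where-Object { $_.Thumbprint -eq $userCert.Thumbprint }) {
    Write-Host "Certificate $($userCert.Thumbprint) is already in LocalMachine\My"
} else {
    try {
        # Export fails with a CryptographicException when the template did not
        # mark the private key as exportable; that is the limitation hit later in this thread.
        $pfxBytes = $userCert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
    } catch {
        throw "Private key of $($userCert.Thumbprint) is not exportable; re-enrol from a template that allows key export. $_"
    }
    # MachineKeySet puts the key in the machine key container, PersistKeySet keeps it after import.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $machineCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $pfxBytes, $PfxPassword, $flags)
    $machineMy.Add($machineCert)
    Write-Host "Imported $($machineCert.Thumbprint) with its private key into LocalMachine\My"
}
foreach ($s in $userRoot, $machineRoot, $userMy, $machineMy) { $s.Close() }
```

Keep the PFX password out of scripts you store; the export only exists in memory here, but anyone who can read LocalMachine\My afterwards holds the same key the VPN server trusts, so the machine certificate should be treated with the same care as the user certificate was.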
 
I think the only *REAL* issue I had was that the CA certificate needs to be both in Local Computer and Local User stores....
 
How exactly did you get the hotfix?

Hello! How exactly did you get the hotfix? I've been looking all over for it. Please please please tell me!! :confused:
 
Seems to me that MS has changed the website... Should you need the files, please PM me your email addy
 
Thanks MobileAllOver...I sent you a PM...the Hotfix files would really be appreciated! Thankyou!! thankyou!! thankyou!!
 
Help!!! Vista IPSEC VPNs impossible

Hello Mobile and everybody else,

I finally found something about this problem. I have been trying to fix this for two weeks and I am going insane!

So I can't connect Vista using L2TP/IPSEC VPN.

Here a description of my problem and my infrastructure:


- Updated my Windows 2003 Server Standard Enterprise CA with the certificate templates to support Vista/Longhorn clients
- Now certificate web enrollment works great with Vista
- XP computers can connect fine to the VPN server (ISA SERVER 2006) using L2TP/IPSEC
- I tried to set up the Vista clients the same way as I set up XP, since there is no official documentation (step-by-step procedure) from Microsoft about Vista IPSEC setup. This does not work, since it seems to me that Vista needs two certificates, one for the machine store and the other for the user.
- Tried Mobile's solution, but the problem is that when I go to export the cert so I can have it in the other store, I can't export the private key. I am using the default IPSEC offline template; it turns out that in Windows 2003 Enterprise it is possible to create a copy of the template and set it up to allow private key export, but I can't do this since I have Windows 2003 Standard.
- I tried installing another IPSEC cert in the other store; note, however, that this is a different certificate, not the same. So this way I have certificate A for my user account cert store and certificate B for my machine cert store (both have their private keys this way, of course; however, they are not the same certificate, so I guess that is why it does not work).

Here is the error I get when connecting:

Error 810: A network connection between your computer and the VPN server was started, but the VPN connection was not completed. This is typically caused by the use of an incorrect or expired certificate for authentication between the client and the server. Please contact your Administrator to ensure that the certificate being used for authentication is valid.

Here is the most significant error message in the security log:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/21/2008 10:30:12 PM
Event ID: 4652
Task Category: IPsec Main Mode
Level: Information
Keywords: Audit Failure
User: N/A
Computer: COMP12
Description:
An IPsec Main Mode negotiation failed.

Local Endpoint:
Principal Name: -
Network Address:
Keying Module Port: 4500
Local Certificate:
SHA Thumbprint: -
Issuing CA: -
Root CA: -

Remote Endpoint:
Principal Name: -
Network Address:
Keying Module Port: 4500
Remote Certificate:
SHA thumbprint: -
Issuing CA: -
Root CA: -

Additional Information:
Keying Module Name: IKE
Authentication Method: Certificate
Role: Initiator
Impersonation State: Not enabled
Main Mode Filter ID: 67637

Failure Information:
Failure Point: Local computer
Failure Reason: IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.
State: Sent second (KE) payload
Initiator Cookie: 536c74513a285fb0
Responder Cookie: c5247acd2e889518

I guess that everybody is still using XP for IPSEC VPNs, or they are using Vista just for PPTP since it has been so hard to find information about this problem. This is something that Microsoft should address ASAP.

I hope you guys are still around to help me out with this, otherwise I don't know what I'll do.

Thanks for the support. :D

Elefante
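The event above says the failure point is the local computer and that IKE found no valid machine certificate, so the thing to check is what the machine account can actually see. The following added diagnostic (not from the thread) walks LocalMachine\My and reports, per certificate, why IKE would reject it: no private key, outside its validity period, a chain that does not build in the machine context or does not end at the expected CA, or an EKU extension that omits the "IP security IKE intermediate" purpose. The CA thumbprint is a placeholder, and the EKU rule (a certificate with no EKU is accepted, one with an EKU list must include 1.3.6.1.5.5.8.2.2) is my summary of Vista's IKE behaviour, not something the thread states.

```powershell
# Added diagnostic, not from the original post. Assumptions: $CaThumbprint is the
# enterprise CA's certificate thumbprint; the EKU rule encoded below is assumed.
$CaThumbprint       = 'REPLACE_WITH_CA_CERT_THUMBPRINT'   # assumption: your CA cert thumbprint
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'                  # "IP security IKE intermediate" EKU

function Test-IkeMachineCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$RootThumbprint
    )
    $problems = @()
    $now = Get-Date
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the machine store' }
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $problems += "outside validity period ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }

    # Build the chain the way the machine account does: machine context only,
    # so a CA certificate that sits solely in CurrentUser\Root will not help.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build in machine context: $status"
    } else {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Thumbprint -ne $RootThumbprint) {
            $problems += "chains to '$($root.Subject)', not to the expected CA"
        }
    }

    # Assumed EKU rule: no EKU extension is fine; if one is present it must list IKE intermediate.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $IkeIntermediateOid) {
            $problems += "EKU present ($($oids -join ', ')) but lacks $IkeIntermediateOid"
        }
    }
    return $problems
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$usable = 0
foreach ($c in $store.Certificates) {
    $problems = @(Test-IkeMachineCertificate -Cert $c -RootThumbprint $CaThumbprint)
    if ($problems.Count -eq 0) {
        $usable++
        Write-Host "OK   $($c.Thumbprint) $($c.Subject)"
    } else {
        Write-Host "SKIP $($c.Thumbprint) $($c.Subject): $($problems -join '; ')"
    }
}
$store.Close()
if ($usable -eq 0) {
    Write-Warning 'Nothing in LocalMachine\My satisfies IKE; this is what event 4652 "IKE failed to find valid machine certificate" reports.'
}
```

Run it on the Vista client while the VPN connection is failing. If every certificate is skipped for "no private key", the certificate was copied without its key, which is exactly the symptom of installing a certificate in one store and a different one in the other: IKE on the client and the responder each need the private key of the certificate they present, and two unrelated certificates do not satisfy that.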
 
PM me your details - I've been playing with this for a while... I'm using Windows 2003 SBS server, surely the same should work for the Standard version.
 