Please advise! Thank you!!!
Hello,
I have a Windows Server 2016 Essentials with SSTP VPN running. Clients (Win 10) can connect without any issues, browse folders, create files, copy files TO the server (any size) but they can't copy FROM the server. Not even files the client just copied to the server.
Whilst trying to copy the files it shows the "calculating...". Eventually it stops trying with the following error:
Error 0x80070079: The semaphore timeout period has expired
I've tried OpenVPN, it has the same issues.
LAN does not encounter these issues.
When I RDP over VPN, I can copy files with it (both ways).
I've tried lowering the MTU on the VPN interface to no effect.
I'm lost for ideas and would love some help.
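The post above mentions lowering the MTU on the VPN interface without effect. Rather than guessing at values, the following PowerShell measures what the VPN path actually passes. It is an added example, not code from the original post: it binary-searches the largest ICMP payload that crosses the path with the Don't Fragment bit set, using ping.exe, and reports the corresponding path MTU (payload + 20-byte IPv4 header + 8-byte ICMP header). It assumes English ping output and that $Target is the server's VPN-side address (placeholder value).

```powershell
# Added example, not from the original post. Finds the largest unfragmented
# ICMP payload across the path to $Target with ping.exe -f (Don't Fragment)
# -l <size>, then reports PathMtu = payload + 28. Assumes English ping output.
function Find-PathMtu {
    param(
        [Parameter(Mandatory)][string]$Target,   # e.g. the server's VPN address (placeholder)
        [int]$Low  = 500,
        [int]$High = 1472                        # 1500 - 28: plain Ethernet maximum payload
    )
    $best = 0
    while ($Low -le $High) {
        $mid = [int][math]::Floor(($Low + $High) / 2)
        $out = & ping.exe -n 1 -w 1500 -f -l $mid $Target 2>&1 | Out-String
        if ($out -match 'needs to be fragmented') {
            # A router or the VPN adapter refused the size because DF was set: go smaller.
            $High = $mid - 1
        } elseif ($out -match 'TTL=') {
            # Reply received at this size: remember it and try larger.
            $best = $mid
            $Low  = $mid + 1
        } else {
            # Timeout or other failure: treat as too large (conservative).
            $High = $mid - 1
        }
    }
    [pscustomobject]@{
        Target     = $Target
        MaxPayload = $best
        PathMtu    = $best + 28
    }
}
# Usage: Find-PathMtu -Target 10.0.0.1
```

Run it from the client while the VPN is up. If PathMtu comes back well below the MTU configured on the VPN adapter, the adapter value is not what the path honours and large SMB reads can stall; if it comes back at the adapter's MTU, as the poster found, MTU is not the problem and the TCP window, offload settings or the RAS server's own interface are the next things to check. A silent timeout on every size means the Don't Fragment probes are being dropped outright, which the function reports as MaxPayload 0.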
Hi
We have 17 DCs and at least 2 began to present a weird problem:
The DNS Manager cannot connect to the DNS server, locally or remotely, BUT if you query with nslookup, the server gives answers...
I'm worried because this is very strange...
Any clue why this happened, and how to resolve it?
I've restarted the DNS Server and it restarted fine; it continues responding BUT the DNS Manager does not contact the server.
Looking back in time, on July 30, I see some errors:
After these errors, I see 5504 Informational:
But the IP that was rejected is another domain controller... this is not normal...
What can be misconfigured? For today, I cannot restart the server until the next maintenance window...
Doc MX
We have been using a GoDaddy cert for our wireless (PEAP) for a year. The cert has just been renewed and I need to install the new one. I have added it to the server alongside the existing one in the 'Personal Certificates' folder. I can select it in NPS but users cannot authenticate when I do. Looking at it I noticed there was no 'key' icon. What do I need to do to generate the private key for this cert?
Thanks in advance for any help.
Simon
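The missing key icon in the post above is one of several reasons an NPS/PEAP server certificate fails to authenticate users. The following PowerShell is an added example, not code from the original post or from Microsoft: it audits the certificates in the local computer's Personal store against the usual NPS server-certificate requirements (a linked private key, the Server Authentication EKU 1.3.6.1.5.5.7.3.1, a chain that builds, a current validity period). It assumes an elevated session on the NPS server and that $SubjectMatch is a substring of the expected subject (placeholder default).

```powershell
# Added example, not from the original post. Audits LocalMachine\My
# certificates that NPS could offer for PEAP/EAP-TLS. HasPrivateKey = $false
# is the "no key icon" case seen in certlm.msc.
function Test-NpsServerCertificate {
    param(
        # Substring of the subject to look at, e.g. the wireless cert's DNS name (placeholder default)
        [string]$SubjectMatch = 'wifi.example.com'
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU required by NPS
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        ForEach-Object {
            $cert   = $_
            # EnhancedKeyUsageList is added by the Cert: provider; ObjectId is the OID string
            $ekus   = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
            $hasEku = ($ekus -contains $serverAuthOid)
            $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $builds = $chain.Build($cert)
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            $now    = Get-Date
            $inDate = ($now -ge $cert.NotBefore) -and ($now -lt $cert.NotAfter)
            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                ServerAuthEku = $hasEku
                ChainBuilds   = $builds
                ChainStatus   = $status
                Usable        = $cert.HasPrivateKey -and $hasEku -and $builds -and $inDate
            }
        }
}
# Usage: Test-NpsServerCertificate -SubjectMatch 'wifi.example.com' | Format-List
```

What to do with a HasPrivateKey = False result depends on where the renewal CSR was generated. If it was generated on this server, the key is still in the machine key store and `certutil -repairstore my <thumbprint>` re-links it to the certificate. If the CSR was generated elsewhere, the key only exists on that machine: export the certificate with its key as a PFX from there and import it here, or generate a fresh CSR on the NPS server and re-key the certificate with the CA. A certificate that has a key but no Server Authentication EKU, or whose chain does not build on the NPS server, fails in the same way from the client's point of view, which is why the function reports all four conditions rather than just the key.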
The setting I just put in was "override client settings" (see the attached image). It does fix the issue with the PTR being unable to be created, deleted, or updated automatically in DNS when I typed "ipconfig /registerdns" manually at the PC. When I removed the PC from the domain, the AA and PTR did get deleted automatically; before the change (refer to the setting "override client settings"), the AA would be removed but the PTR wouldn't. However, after I removed the PC from the domain and rejoined it to the domain, the AA and PTR won't get created in DNS automatically. I had to type "ipconfig /registerdns" at the PC to get the PC to register in DNS and get the AA and PTR created. Before the change (refer to the setting "override client settings"), the PC would have the AA created in DNS automatically right after it joined the domain but no PTR created. Therefore, DNS on Windows 2012 R2 / DHCP on Cisco ASA firewall still do not work right together.
Any advice to fix the issue with being unable to register in DNS automatically after the computer joins the domain? By the way, ipconfig /all on the PC does show the correct DNS server IP.
Testing deploying the MS Always On VPN profile to W10 1703 with force tunneling. Looking at this document for settings:
https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp
I have two settings that are in this document but missing from 1703
ByPassForLocal and RegisterDNS
1. The VPN entry has the box "Register this connection's address" unticked. Although there is a profile setting above, it is not implemented, so I need to get around it. Has anyone resolved it? I can see you can use the set-dns PowerShell command, but only when the VPN connection is active, so this is hard to manage through an SCCM job. Without this box ticked, the home router's IP address is registered on our DNS server rather than the correct VPN IP address.
2. Found with ForceTunnel that the VPN entry needs to have a proxy setting in order to allow traffic out. Again there is a setting in the profile XML, "ByPassForLocal", but it is not active yet, so although I can enter the Proxy/Manual/Server entry, which is fine, without that bypass box ticked nothing works. Again, has anyone hit/resolved this?
Ian Burnell, London (UK)
We're trying to use the MFA Extension with our NPS server. However, when we try to connect through the NPS server with a RADIUS client, we receive no response, and on the NPS server where the MFA Extension is installed the following event is generated:
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: test@axtion.nl
Account Domain: -
Fully Qualified Account Name: -
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 192.168.0.232
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: -
NAS Port: -
RADIUS Client:
Client Friendly Name: Luuk PC
Client IP Address: 192.168.0.232
Authentication Details:
Connection Request Policy Name: MFA Server Request Forward
Network Policy Name: -
Authentication Provider: <none>
Authentication Server: NPS-ARBO01.ad.extra
Authentication Type: -
EAP Type: -
Account Session Identifier: -
Reason Code: 9
Reason: The request was discarded by a third-party extension DLL file.
Any idea what is happening here?
We have the VPN role on Windows Server 2016 and a public IP assigned to the server's NIC so users from other sites can connect to the server. It used to work just fine until it became inaccessible; when pinging the server's public IP it is unreachable, although the right configuration is set and nothing changed.
The odd thing is that when stopping the VPN service on the server, the server's public IP becomes reachable, and what is stranger, the users who used to connect via the VPN connection can now connect to the server without initiating a VPN connection.
My question is whether the security of the server is compromised in this situation, and is this considered a direct access service? And how do I go back to the old working settings, where the VPN server is started and running and users can connect only when initiating a VPN connection?
Regards.
We are switching from Cisco AnyConnect over to NetScaler for VPN. Prior to this switch, the only IP address that our VPN clients would register were their VPN-provided addresses.
Now that we've made the switch to NetScaler, clients are registering their private IP addresses. We have a highly mobile workforce, so now DNS is a sea of 192.168.xxx.xxx and 10.0.xxx.xxx.
DHCP is handled by InfoBlox. I do not know if the DHCP server is pre-registering their addresses. We allow only secure dynamic updates.
Our partners who manage NetScaler and Infoblox (we are contracted with a cloud service provider) are saying we need to disable DNS registration on VPN users' NICs **but**....we weren't doing that on the Cisco side.
Any ideas?
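Both the Always On VPN post about the unticked "Register this connection's address" box and the NetScaler post above come down to the same question: which interface on a roaming client is allowed to register into corporate DNS. The following PowerShell is an added example, not code from either post or from any vendor: it reports each adapter's registration setting with the addresses it would register, and enforces registration on the VPN interface only. It assumes the Windows DnsClient and NetTCPIP cmdlets (Windows 8.1/10 or later) and that $VpnAlias is the VPN connection's interface alias (placeholder), which, as the first poster notes, only exists while the tunnel is up.

```powershell
# Added example, not from the posts above. Shows which adapters register in
# DNS and what they would register, then (optionally) restricts registration
# to the VPN interface so home-LAN 192.168.x / 10.x addresses stop landing in
# corporate DNS.
function Get-DnsRegistrationReport {
    Get-DnsClient | ForEach-Object {
        $ifIndex = $_.InterfaceIndex
        # Skip APIPA/loopback (PrefixOrigin WellKnown); keep DHCP/manual addresses
        $addrs = Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
            Select-Object -ExpandProperty IPAddress
        [pscustomobject]@{
            InterfaceAlias = $_.InterfaceAlias
            Registers      = $_.RegisterThisConnectionsAddress
            UseSuffix      = $_.UseSuffixWhenRegistering
            Suffix         = $_.ConnectionSpecificSuffix
            IPv4           = ($addrs -join ', ')
        }
    }
}

function Set-VpnOnlyDnsRegistration {
    param(
        # Interface alias of the VPN connection as shown by Get-DnsClient (placeholder)
        [Parameter(Mandatory)][string]$VpnAlias
    )
    $vpnPresent = $false
    foreach ($client in Get-DnsClient) {
        $shouldRegister = ($client.InterfaceAlias -eq $VpnAlias)
        if ($shouldRegister) { $vpnPresent = $true }
        if ($client.RegisterThisConnectionsAddress -ne $shouldRegister) {
            Set-DnsClient -InterfaceIndex $client.InterfaceIndex -RegisterThisConnectionsAddress $shouldRegister
        }
    }
    if (-not $vpnPresent) {
        Write-Warning "VPN interface '$VpnAlias' not present (tunnel down?); physical NICs were set to not register."
    }
    # Re-run dynamic registration now so the VPN address replaces any stale home-LAN record
    Register-DnsClient
}
# Usage:
#   Get-DnsRegistrationReport | Format-Table
#   Set-VpnOnlyDnsRegistration -VpnAlias 'Corporate VPN'
```

Run the report first: if the physical Wi-Fi/Ethernet adapter shows Registers = True with a 192.168.x.x address, that adapter, not the VPN, is the source of the records the NetScaler poster is seeing. Because the VPN adapter only exists while connected, the enforcement function is best triggered by an event task on the RasClient connect event rather than a one-off SCCM run; setting the physical adapters to not register is persistent and can be done at any time. Stale records already in DNS are not removed by this; scavenging or a manual clean-up handles those.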
I recently setup an SSTP VPN on a Server 2016 RAS.
The clients connect fine, but only if you acknowledge/skip when prompted with the message "Continue connecting? We don't have enough info to validate the server. You can still connect if you trust this server" and click to continue.
My assumption is that this error is due to a failure to validate the cert because of an inability to contact any kind of CRL. Does this sound correct?
So I have set up an OCSP, and this is working fine internally when using the FQDN (of the server hosting the OCSP responder role) and also when using my external domain name from machines outside the LAN, but when I use the external domain name from inside the LAN it does not work (this might be an issue with my router config).
Do I need to have a single URL that works both internally and externally, or can I create two different URLs in the AIA settings on the Cert Authority, one that is LAN resolvable and one WAN resolvable?
hello,
I've two globally dispersed DHCP 2012 R2 servers providing IP addressing for multiple remote offices.
We have multiple failover relationships configured between those servers. Each failover relationship is configured for the pool of subnets belonging to a remote site. All failover relationships are configured in hot-standby mode with automatic state switchover enabled.
Recently we've started seeing odd behaviour where only some failover relationships would turn into the "communication interrupted" and then "partner down" state. At that time communication between the DHCP servers was OK and the rest of the failover relationships were in the "normal" state.
To resolve this we had to restart the DHCP service on both DHCP servers.
Until the DHCP service was restarted, we got reports about duplicate IP addresses being allocated to users. While I understand that duplicate IPs might have been given out by both DHCP servers due to a split-brain scenario (both DHCP servers were up, but had the "partner down" state), I don't understand why duplicates were given out since both DHCP servers are configured for "conflict detection attempts".
Any idea what the possible reasons are that only some failover relationships fail?
Any idea why duplicate IPs might have been allocated despite "conflict detection attempts" being set (no firewall in between)?
thank you in advance!
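The failure mode in the post above (a subset of relationships in "partner down" while the servers can still talk) is easier to catch early than to untangle after duplicate leases have gone out. The following PowerShell is an added example, not code from the original post or from Microsoft: it queries every failover relationship on both servers and each server's conflict-detection setting, and flags anything not in the Normal state. It assumes the DhcpServer RSAT module and that the two server names in $Servers are placeholders.

```powershell
# Added example, not from the original post. Health check for DHCP failover
# relationships across a pair of servers; intended for a scheduled task that
# alerts on any relationship that is not Normal (e.g. CommunicationInterrupted
# or PartnerDown) before a split-brain hands out overlapping leases.
function Get-DhcpFailoverHealth {
    param(
        # Both partners; placeholders, replace with the real server names
        [string[]]$Servers = @('dhcp1.example.com', 'dhcp2.example.com')
    )
    foreach ($server in $Servers) {
        # ConflictDetectionAttempts is the server-wide "ping before offer" count
        $setting = Get-DhcpServerSetting -ComputerName $server
        foreach ($rel in Get-DhcpServerv4Failover -ComputerName $server) {
            [pscustomobject]@{
                Server                    = $server
                Relationship              = $rel.Name
                Partner                   = $rel.PartnerServer
                Mode                      = $rel.Mode
                State                     = $rel.State
                Scopes                    = ($rel.ScopeId -join ',')
                ConflictDetectionAttempts = $setting.ConflictDetectionAttempts
                Healthy                   = ($rel.State -eq 'Normal')
            }
        }
    }
}

# Returns only the relationships that need attention; empty output means all Normal
function Get-DhcpFailoverProblems {
    param([string[]]$Servers = @('dhcp1.example.com', 'dhcp2.example.com'))
    Get-DhcpFailoverHealth -Servers $Servers | Where-Object { -not $_.Healthy }
}
# Usage: Get-DhcpFailoverProblems | Format-Table -AutoSize
```

Two points worth keeping in mind when reading the output. First, the state is per relationship, not per server, so comparing the same relationship name on both servers shows whether they disagree (one Normal, one PartnerDown) rather than both having gone through the same transition. Second, conflict detection only pings an address immediately before offering it: a client that received the same address from the other server seconds earlier and has not yet finished configuring does not answer, so during a split-brain window the ping check cannot prevent every duplicate. The check catches addresses already in use, not addresses simultaneously being handed out.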
Hello Everyone,
I can't find anything related to setting up an Always On VPN failover cluster!
I'd like to use my FortiGate as load-balancing hardware so that my AOV clients can switch to the second RRAS server if the connection to the first is interrupted.
Pretty simple setup really, but I can't make it work...
I have 2 RRAS servers set up as AOV servers. I can connect to each one individually, but the switch has to be manual: I have to disconnect the client manually and reconnect it so that I switch to the second server. Disconnecting the network card doesn't even disconnect the AOV connection; it just stays connected to nothing, basically.
Anyone have any ideas on how to set this up?
thanks!
Hitch Bardawil
We deployed Windows Server 2012 R2 and enabled RADIUS (NPS) for Wi-Fi client authentication via 802.1X,
and after we set up everything, all the smartphones are able to connect to the Wi-Fi, but the Windows laptops can't.
On the RADIUS side, I checked the event log; it shows event ID 6273.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
AND
My cert is issued by GoDaddy; it's a wildcard certificate. I did try adding the registry key
SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\DisableEndEntityClientCertCheck
and it did not work.
Can anyone help? Thanks.
I am looking at moving away from Direct Access and deploying Always On VPN.
I am just starting to gather information and finding it seems somewhat scattered leaving me with a high level understanding of what is going on but unsure of more of the technical details.
Some things I am unsure of at the moment are:
These are a few questions I have after reading about Always On VPN today for the first time.
I just want to make sure, did I do something wrong or is this a bug? I've heard there is something going on in 1803 build, but not sure is this the same.
I have LAB with AD, PKI, NPS, VPN 2016 server, Windows 10 1803 enterprise and I deploy VPN profiles with SCCM CB 1806.
I've used User Tunnel successfully about 5 months, first with VPN only, then with VPN+NPS using EAP authorization.
Now when I started to play with the Device tunnel, this happens:
1. Device Tunnel works fine on its own.
2. User Tunnel works fine on its own.
3. If the Device tunnel is deployed after the User Tunnel, it will not connect. It stays passive; there is no way to connect.
4. If the User tunnel and Device tunnel are deployed together, the Device tunnel works, but the User tunnel will not connect: EAP missing cert issue (event ID 20225 on the VPN server). Deleting the profiles/tunnels and re-rolling them separately does not seem to fix the issue.
5. A computer which has received the Device tunnel profile will never work with the User Tunnel, even if all tunnels are deleted and only the User tunnel is re-enrolled. Same EAP cert missing error.
Is the Device tunnel issue known by Microsoft? Will they fix it? My 1803 is patched with september CU.
MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.
Hello!
I am having a heck of a time getting a non-domain-joined computer (Windows or Mac) to work with EAP-TLS using machine certificates. Every time the laptop connects, the event viewer on the NPS server shows Reason code 8, "specified user account does not exist". Which makes sense, since the computer is not in the domain so it does not exist; as soon as I join it to the domain everything works as expected.
Is there something in the NPS server or in my ADCS certificate template that I can set so it will not check if the computer is in AD and just verify the certificate?
Cheers,
Paul
Hello,
I have a working RADIUS configuration.
Hardware:
Server 2008 R2 (RADIUS server in MS domain)
1 AP (access point)
Working well!
When making a second access point available through WDS with RADIUS authentication, we have a problem.
The second access point will create an event in the event log of the server with the following details:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: domain\user
Account Name: domain\user
Account Domain: domain
Fully Qualified Account Name: domain\user
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-02-6F-9A-B3-4C
Calling Station Identifier: 00-02-6F-9A-B3-50
NAS:
NAS IPv4 Address: 10.31.10.125
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: 10.31.10.125
Client IP Address: 10.31.10.125
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: domain.local
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 300
Reason: No credentials are available in the security package
How to fix this issue? We have tried many workarounds!
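Several posts on this page paste NPS audit events (6274 "discarded", 6273 "denied") and ask what the reason code means; on a busy NPS server the quickest way to see a pattern is to group those events by reason code and RADIUS client. The following PowerShell is an added example, not code from any of the posts or from Microsoft: it parses the "Field: value" lines of an NPS event message into an object and summarises a set of messages. The two sample messages are constructed from the event text quoted on this page; the commented Get-WinEvent line shows how to feed it live events instead.

```powershell
# Added example, not from the posts above. Parses NPS Security-log event
# messages (6273 denied / 6274 discarded) and groups them by reason code so
# a handful of distinct causes stand out from hundreds of events.

# Constructed samples, trimmed from the two event messages quoted on this page
$SampleEvents = @(
@'
Network Policy Server discarded the request for a user.
NAS IPv4 Address: 192.168.0.232
Client Friendly Name: Luuk PC
Connection Request Policy Name: MFA Server Request Forward
Reason Code: 9
Reason: The request was discarded by a third-party extension DLL file.
'@,
@'
Network Policy Server denied access to a user.
NAS IPv4 Address: 10.31.10.125
Client Friendly Name: 10.31.10.125
Connection Request Policy Name: Secure Wireless Connections
Authentication Type: PEAP
Reason Code: 300
Reason: No credentials are available in the security package
'@
)

function ConvertFrom-NpsEventMessage {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        $fields = @{}
        # Every detail line is "Name: value"; the first line (no colon) is the outcome sentence
        foreach ($line in $Message -split "`r?`n") {
            if ($line -match '^\s*([^:]+?):\s*(.*)$') {
                $fields[$Matches[1].Trim()] = $Matches[2].Trim()
            }
        }
        $outcome = if ($Message -match 'denied access')  { 'Denied' }
                   elseif ($Message -match 'discarded')  { 'Discarded' }
                   else                                  { 'Other' }
        [pscustomobject]@{
            Outcome    = $outcome
            NasIPv4    = $fields['NAS IPv4 Address']
            Client     = $fields['Client Friendly Name']
            CrpPolicy  = $fields['Connection Request Policy Name']
            AuthType   = $fields['Authentication Type']
            ReasonCode = [int]$fields['Reason Code']
            Reason     = $fields['Reason']
        }
    }
}

# One row per (Outcome, ReasonCode) with a count and the NAS addresses involved
function Get-NpsReasonSummary {
    param([string[]]$Messages = $SampleEvents)
    $Messages | ConvertFrom-NpsEventMessage |
        Group-Object Outcome, ReasonCode |
        ForEach-Object {
            [pscustomobject]@{
                Key     = $_.Name
                Count   = $_.Count
                Reason  = $_.Group[0].Reason
                NasIPv4 = ($_.Group.NasIPv4 | Sort-Object -Unique) -join ','
            }
        }
}

# Usage on the NPS server, last 24 hours of audit events:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273,6274; StartTime=(Get-Date).AddDays(-1)} |
#       ForEach-Object { $_.Message } | Get-NpsReasonSummary
Get-NpsReasonSummary | Format-Table -AutoSize
```

Reading the summary against the posts on this page: reason code 9 with "third-party extension DLL" points at the extension (here the MFA extension) rejecting or failing before NPS evaluates any network policy, which is why Network Policy Name is "-"; reason code 300 with Authentication Type PEAP and no EAP type is the server-side certificate/credential failure, so the thing to inspect is the certificate NPS is presenting, not the user accounts; reason code 16 is a plain credential mismatch and usually means the client is sending a username or domain format the policy does not expect. Grouping by NasIPv4 as well shows whether one access point or RADIUS client is the odd one out, as with the second WDS access point above.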
Got a new cert for our NPS server that was previously working fine until the old cert expired. Now getting reason code 300, which seems to indicate a malformed cert, but I can't get any additional details about what is malformed. I followed the NPS cert guidelines here, and have regenerated the cert more than once to make sure I'm not missing anything.
https://msdn.microsoft.com/en-us/library/cc731363.aspx
Network Policy Server denied access to a user.
We set up 2 new DHCP servers configured with failover cluster load balancing.
If any 1 of the 2 servers completely fails and needs to be rebuilt, can we just add and new server and pull the settings from the remaining server or do we need a backup of the original failed server?
I would like to configure Always On VPN with device tunnels as a DA replacement.
When looking at the documentation here it seems to focus on IKEv2 and user tunnels.
If I follow the documentation for the supporting infrastructure with respect to the certificate templates for nps, users and servers, will this support device tunnels or is there additional configuration (additional certificate templates?) required here?
Also, if I want to use SSTP instead of IKEv2 for the ease of load balancing and less restrictions for travelers, is that documented anywhere? How would I go about using SSTP instead of IKEv2? I'm not asking how to load balance, but more so, how to configure SSTP instead of IKEv2.
At the end of the day, I am trying to accomplish having Always On VPN with SSTP with user and device tunnels to replace direct access.
All I can find online for documentation seems to be the official documentation I linked to above and a few blog posts that do not really touch on device tunnels.
https://www.cyberdrain.com/deploying-auto-vpn-or-always-on-vpn/
https://www.petenetlive.com/KB/Article/0001403
I am leaning towards following the cyberdrain guide as it touches on SSTP and makes it sound like it covers device tunnels as well. But I have no confirmation that device tunnels will work using his guide.