Hi.
I have the following setup:
- 1 2008 R2 Core running AD
- 1 2008 R2 Ent. running CA, IIS, Exchange and RRAS
- All behind a NAT firewall
I have VPN configured as follows (NAT-T enabled):
- Working: L2TP/IPsec connection
- Working: SSTP (PEAP with EAP-MSCHAPv2)
- Problem: SSTP (PEAP with user certificate authentication)
I am using two certificates from Startssl: One for server authentication (which is in use on the SSTP PEAP/MSchapv2 profile) and one user certificate from the same vendor.
I have imported the user certificate on a client and configured the vpn connection as follows:
- SSTP
- Use EAP -> Protected EAP
- Validate server certificate (chosen correct root ca for Startssl)
- Authentication method: Certificate -> Use a certificate on this computer
Furthermore I have mapped this user certificate to an AD account and I have also added the OID for Client Authentication to the certificate on the client.
Problem:
Upon initiating a connection I am asked to choose a certificate and the Startssl certificate is chosen. It then connects but fails with 853: "The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid."
This is where I am stuck now, and I cannot find too many discussions on the 853 error. Anybody got any insights?
//Ulf Thomas
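An added check, not part of the original post, that reads the properties the EAP certificate authentication in the question depends on straight from the signed certificate on the client: private key presence, the Client Authentication EKU, and whether a chain builds for that purpose. It is PowerShell for the client machine; $subjectMatch is a placeholder, and the script assumes the user certificate is in the current user's Personal store.

```powershell
# Added example (not from the original post). Inspect the user certificate
# offered by the SSTP/PEAP client. Assumes CurrentUser\My; $subjectMatch is a
# placeholder to adjust.
$subjectMatch  = 'CN=user@example.com'   # placeholder
$clientAuthOid = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$subjectMatch*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$subjectMatch' in CurrentUser\My" }

# 1. PEAP-TLS/EAP-TLS signs with the private key; it must be present.
"HasPrivateKey  : $($cert.HasPrivateKey)"

# 2. Client Authentication must be in the EKU extension signed by the CA.
#    An EKU added through the certificate's Properties dialog in the MMC is only
#    a local override; the server validates the signed extension read here.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasClientAuth = $false
if ($ekuExt) {
    $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages |
        Where-Object { $_.Value -eq $clientAuthOid })
}
"ClientAuth EKU : $hasClientAuth"

# 3. Build the chain for the client-authentication purpose with online
#    revocation checking. The server repeats this against its own trust store,
#    so a root trusted only on the client is not enough.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.ApplicationPolicy.Add(
    (New-Object System.Security.Cryptography.Oid $clientAuthOid)) | Out-Null
$ok = $chain.Build($cert)
"ChainValid     : $ok"
foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }
foreach ($e in $chain.ChainElements) { "  $($e.Certificate.Subject)" }
```

Any status other than an empty list under ChainValid (for example a revocation-check failure or an unknown root) is the kind of condition the server side reports back as error 853.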