Event ID 16 — RRAS Secure Socket Tunneling Protocol
Applies To: Windows Server 2008 R2
Secure Socket Tunneling Protocol (SSTP) is a new form of virtual private networking (VPN) tunnel with features that allow traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate Point-to-Point Protocol (PPP) traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of HTTPS means traffic will flow through TCP port 443, a port commonly used for Web access.
Event Details
| Field | Value |
| --- | --- |
| Product | Windows Operating System |
| ID | 16 |
| Source | Microsoft-Windows-RasSstp |
| Version | 6.1 |
| Symbolic Name | SSTPSVC_LOG_CLIENT_INVALID_EKU |
| Message | The Secure Socket Tunneling Protocol server has provided a certificate with an Enhanced Key Usage that is neither Server Authentication nor Any Purpose. This client will not accept the certificate. The connection will be canceled. Contact the server administrator to correct the issue and try again. |
Resolve
Configure the server with an SSTP certificate
Configure an SSTP certificate with an Enhanced Key Usage (EKU) of either Server Authentication or Any Purpose.
To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
1. Click Start, point to All Programs, and then click Accessories.
2. Right-click Command Prompt, and then click Run as administrator.
3. Determine if the computer certificate is configured for the SSTP-based VPN connection. This can be accomplished using one of the following steps:
   - Run the netsh http show sslcert command on the remote access server to determine if the SSL certificate is plumbed to HTTP.SYS. Find the certificates with the IP:Port pairs 0.0.0.0:443 and [::]:443 and note the certificate hash value.
   - On the VPN client computer, open a Web browser and type in the following URL: https://<vpn server name>/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/. View the certificate and note the certificate hash value.
4. Delete the certificate from the server certificate store (local computer store). See the "Delete a certificate" section.
5. Remove the certificate binding from the HTTPS Listener. Type the following commands in a command window:
   - netsh http delete sslcert ipport=0.0.0.0:443
   - netsh http delete sslcert ipport=[::]:443
6. Remove the certificate binding in RRAS. Open Regedit.exe and delete the following registry keys, if present:
   - HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha256CertificateHash
   - HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha1CertificateHash
7. Add the new certificate to the certificate store (local computer store).
8. Plumb the new certificate to the HTTPS Listener. In this example, the SHA1 certificate hash of the new certificate is xxx. Type the following commands in a command window:
   - netsh http add sslcert ipport=0.0.0.0:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
   - netsh http add sslcert ipport=[::]:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
9. Restart the Routing and Remote Access service. The Routing and Remote Access service will read the certificate that is plumbed to the HTTPS Listener and record the appropriate certificate hash registry keys for its crypto-binding validation phase. See the "Restart Routing and Remote Access" section.
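Before replacing anything, an administrator usually wants to confirm which certificate HTTP.SYS is actually serving on port 443 and whether its EKU would trigger this event. The following PowerShell script is an added diagnostic, not part of the Microsoft article: it reads the bindings for 0.0.0.0:443 and [::]:443 from netsh http show sslcert, looks the certificate up in the local computer Personal store, checks its EKU for Server Authentication (OID 1.3.6.1.5.5.7.3.1) or Any Purpose (OID 2.5.29.37.0), and compares its hash with the Sha1CertificateHash value that RRAS records under Sstpsvc\Parameters. It assumes an elevated prompt on the RRAS server; the handling of the registry value as either binary or string is an assumption.

```powershell
# Added diagnostic (not from the Microsoft article). Run in an elevated
# PowerShell prompt on the RRAS server.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$AnyPurposeOid = '2.5.29.37.0'         # Any Purpose
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sstpsvc\Parameters'

function Get-BoundCertHash {
    param([string]$IpPort)
    # Parse the "Certificate Hash" line from the text output of netsh for one binding.
    $text = (netsh http show sslcert "ipport=$IpPort" | Out-String)
    if ($text -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { return $Matches[1].ToUpper() }
    return $null
}

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }        # certificate carries no EKU extension at all
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-RecordedSha1Hash {
    # Hash RRAS recorded at its last start; assumption: value may be REG_BINARY or a string.
    $v = (Get-ItemProperty -Path $RegPath -Name Sha1CertificateHash -ErrorAction SilentlyContinue).Sha1CertificateHash
    if ($null -eq $v) { return $null }
    if ($v -is [byte[]]) { return (($v | ForEach-Object { $_.ToString('X2') }) -join '') }
    return ([string]$v).ToUpper()
}

$recorded = Get-RecordedSha1Hash
foreach ($ipport in '0.0.0.0:443', '[::]:443') {
    $hash = Get-BoundCertHash -IpPort $ipport
    if (-not $hash) { Write-Warning "$ipport : no SSL certificate bound in HTTP.SYS"; continue }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert) { Write-Warning "$ipport : bound hash $hash is not in the local computer Personal store"; continue }
    $oids  = Get-EkuOids -Cert $cert
    $ekuOk = ($oids -contains $ServerAuthOid) -or ($oids -contains $AnyPurposeOid)
    [pscustomobject]@{
        IpPort         = $ipport
        Subject        = $cert.Subject
        Thumbprint     = $hash
        EkuOids        = ($oids -join ',')
        EkuAcceptable  = $ekuOk                 # $false is the condition behind Event ID 16
        MatchesSstpsvc = ($recorded -eq $hash)  # $false: RRAS has not re-read the binding yet; restart it
    }
}
```

A certificate with no EKU extension is reported with an empty EkuOids column rather than judged either way, since the article only describes the two EKUs the client accepts.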
Delete a certificate
To delete the certificate from the certificate store:
- Open the Microsoft Management Console (MMC).
- Add the Local Computer certificates snap-in:
- Click File, click Add/Remove Snap-in, and then click Certificates from the list of available snap-ins.
- Click Add, click Computer account, and then click Next.
- Ensure Local computer is selected, click Finish, and then click OK.
- Expand Certificates (Local Computer).
- Expand Personal.
- Click Certificates. In the certificates pane, you will see a list of certificates in the store.
- Double-click the certificate that you want to be bound to the SSTP Listener, that is, the certificate with the subject name that matches the host name used in the client VPN connection. Click the Details tab. Make sure ALL is selected in the Show drop-down list.
- Ensure that the value for the Thumbprint Algorithm field is sha1.
- Compare the value with the value of the certificate hash in step 3. If the value is the same, then this certificate is bound to the HTTPS Listener. Right-click and then delete the certificate.
Restart Routing and Remote Access
To restart the Routing and Remote Access service:
- Open Routing and Remote Access. Click Start, click Run, type rrasmgmt.msc, and then press ENTER.
- In the console tree, click Server Status.
- In the details pane, right-click a server name, point to All Tasks, and click Restart.
Verify
To verify that the remote access server can accept connections, establish a remote access connection from a client computer.
To create a VPN connection:
- Click Start, and then click Control Panel.
- Click Network and Internet, click Network and Sharing Center, and then click Set up a connection or network.
- Click Connect to a workplace, and then click Next.
- Complete the steps in the Connect to a Workplace wizard.
To connect to a remote access server:
- In Network and Sharing Center, click Manage network connections.
- Double-click the VPN connection, and then click Connect.
- Verify that the connection was established successfully.