Event ID 6 — RRAS Secure Socket Tunneling Protocol
Applies To: Windows Server 2008
Secure Socket Tunneling Protocol (SSTP) is a form of virtual private networking (VPN) tunnel that can pass through firewalls which block PPTP and L2TP/IPsec traffic. SSTP encapsulates Point-to-Point Protocol (PPP) traffic over the Secure Sockets Layer (SSL) channel of HTTPS. Because it uses HTTPS, the traffic flows over TCP port 443, the port commonly used for Web access.
Event Details
Product: Windows Operating System
ID: 6
Source: Microsoft-Windows-RasSstp
Version: 6.0
Symbolic Name: SSTPSVC_LOG_CLIENT_CRYPTO_BINDING_FAILURE
Message: The SSTP-based VPN connection to the remote access server was terminated because of a security check failure. Security settings on the remote access server do not match settings on this computer. Contact the system administrator of the remote access server and relay the following information: SHA1 Certificate Hash: %1 SHA256 Certificate Hash: %2
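The message above carries two insertion strings, %1 (SHA1 hash) and %2 (SHA256 hash). As an added example that is not part of the original page, the following PowerShell function pulls every Event ID 6 from the Microsoft-Windows-RasSstp provider on the computer where it was logged and parses both hashes out of the rendered message, so the values to relay to the remote access server's administrator can be collected without opening each event by hand. It assumes the message is rendered with the English template shown above and that the hash values appear as hexadecimal (spaces between bytes are tolerated); the function and property names are this example's own.

```powershell
# Added example (not from the original page). Collects SSTP crypto-binding
# failures (Event ID 6, provider Microsoft-Windows-RasSstp) from the local
# event log and extracts the SHA1 (%1) and SHA256 (%2) certificate hashes
# from the message text. Assumes the English message template.

function Get-SstpCryptoBindingFailure {
    param([int]$MaxEvents = 100)

    # Matches the two hash fields of the message: hex digits, optional spaces.
    $pattern = 'SHA1 Certificate Hash:\s*(?<sha1>[0-9A-Fa-f ]+?)\s*SHA256 Certificate Hash:\s*(?<sha256>[0-9A-Fa-f ]+)'

    $filter = @{ ProviderName = 'Microsoft-Windows-RasSstp'; Id = 6 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        if ($e.Message -match $pattern) {
            # New-Object PSObject keeps this usable on PowerShell 2.0 (Windows Server 2008).
            New-Object PSObject -Property @{
                TimeCreated = $e.TimeCreated
                Computer    = $e.MachineName
                Sha1Hash    = ($Matches['sha1']   -replace ' ', '').ToUpper()
                Sha256Hash  = ($Matches['sha256'] -replace ' ', '').ToUpper()
            }
        }
    }
}

# Distinct hash pairs this computer has seen. More than one pair means the
# connections are reaching servers (or proxies) that present different certificates.
Get-SstpCryptoBindingFailure |
    Group-Object Sha1Hash, Sha256Hash |
    ForEach-Object {
        New-Object PSObject -Property @{
            Count      = $_.Count
            Sha1Hash   = $_.Group[0].Sha1Hash
            Sha256Hash = $_.Group[0].Sha256Hash
            LastSeen   = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
        }
    } |
    Format-Table Count, LastSeen, Sha1Hash, Sha256Hash -AutoSize
```

The SHA1 value in the output is what the "View the certificate hash" and "Configure the certificate hash on the remote access server" sections below refer to as the thumbprint; compare it against the certificate the reverse Web proxy presents before touching the server.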
Resolve
Configure the remote access server with the certificate hash used by the reverse Web proxy server
SSTP's crypto-binding check compares the hash of the server certificate the client saw on the HTTPS channel with the hash recorded by the Routing and Remote Access service. When a reverse Web proxy terminates HTTPS in front of the remote access server, the certificate the proxy presents to clients must be the same certificate that is bound on the remote access server, otherwise every client connection ends with this event.
Possible resolution:
- Review the logs of the reverse Web proxy and record the hash of the certificate that the proxy presents to clients. For more information, see the "View the certificate hash" section.
- Configure the RRAS server with the same certificate hash as the proxy server. For more information, see the "Configure the certificate hash on the remote access server" section.
To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
View the certificate hash
To view the certificate hash:
- On the Web proxy server, click Start, click Run, type mmc, and then click OK.
- Click File, and then click Add/Remove Snap-in.
- Under Available snap-ins, click Certificates, and then click Add.
- Click Computer account in the Certificate snap-in dialog box, and then click Next.
- Click Local computer, click Finish, and then click OK.
- Click File, click Save As, and then save the console as certmgmt.msc.
- Expand Certificates (Local Computer), Personal, Certificates (the store that netsh refers to as MY), and then double-click the certificate that the proxy presents to SSTP clients.
- Click the Details tab, and then click the Thumbprint field to view the hash. The snap-in displays only the SHA1 thumbprint; it does not show a SHA256 hash of the certificate.
Configure the certificate hash on the remote access server
To view the hash and change the value:
- On the remote access server, click Start, click Run, type mmc, and then click OK.
- Click File, and then click Add/Remove Snap-in.
- Under Available snap-ins, click Certificates, and then click Add.
- Click Computer account in the Certificate snap-in dialog box, and then click Next.
- Click Local computer, click Finish, and then click OK.
- Click File, click Save As, and then save the console as certmgmt.msc.
- Expand Certificates (Local Computer), Personal, Certificates (the store that netsh refers to as MY), and then double-click the certificate.
- Click the Details tab, and then click the Thumbprint field to view the hash. The snap-in displays only the SHA1 thumbprint; it does not show a SHA256 hash of the certificate.
- If there is a mismatch between the hash of the certificate on the remote access server and the hash of the certificate on the Web proxy server, right-click the certificate on the remote access server, and then click Delete.
- Remove the certificate binding from the HTTPS listener. Type the following commands in a command window:
- netsh http delete sslcert ipport=0.0.0.0:443
- netsh http delete sslcert ipport=[::]:443
- Remove the certificate hashes recorded by the Routing and Remote Access service. Open the Registry Editor and delete the following registry values (if present):
- HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha256CertificateHash
- HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha1CertificateHash
- Import the new certificate (the one the Web proxy presents to clients) into the local computer Personal store. The private key must be imported with it; http.sys can bind only a certificate whose private key is present.
- Bind the new certificate to the HTTPS listener. Type the following commands in a command window, with certhash set to the SHA1 thumbprint of that certificate (the same value as on the Web proxy); the appid value is the one used by the Routing and Remote Access service:
- netsh http add sslcert ipport=0.0.0.0:443 certhash=<same as that of web proxy> appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
- netsh http add sslcert ipport=[::]:443 certhash=<same as that of web proxy> appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
- Restart the Routing and Remote Access service. On startup the service reads the certificate bound to the HTTPS listener and records its SHA1 and SHA256 hashes in the registry values listed above; it compares these hashes during the crypto-binding validation phase of each SSTP connection. See the "Restart the Routing and Remote Access service" section.
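The hash comparison and rebinding procedure above, together with the hash lookup in the "View the certificate hash" section, as one PowerShell script. This is an added example, not code from the original article or from Microsoft. Run it elevated on the remote access server; Get-CertificateHashes alone can be run on the proxy against its own certificate to obtain both the SHA1 and the SHA256 hash (the SHA1 value is the thumbprint the snap-in shows). It assumes that the Sstpsvc registry values are REG_BINARY (a string value is tolerated), that the RRAS service name is RemoteAccess, and that the thumbprint passed in is the SHA1 thumbprint read on the proxy; the function names and the placeholder thumbprint in the usage comment are this example's own.

```powershell
# Added example, not part of the original article. Run elevated on the remote
# access server. Given the SHA1 thumbprint of the certificate the reverse Web
# proxy presents to clients, locate that certificate in the local computer
# Personal store (Cert:\LocalMachine\My, "MY" in netsh), compute the SHA1 and
# SHA256 hashes SSTP binds to, compare them with what Sstpsvc has recorded, and
# only with -Apply rebind the HTTPS listener and restart RRAS.

$SstpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sstpsvc\Parameters'
$RrasAppId  = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'   # appid from the netsh commands above

function ConvertTo-Hex([byte[]]$Bytes) {
    ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# SHA1/SHA256 over the DER encoding of the certificate. The SHA1 value equals the
# Thumbprint shown by the Certificates snap-in; the snap-in never shows the SHA256 one.
function Get-CertificateHashes([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $der = $Cert.GetRawCertData()
    @{
        Sha1   = ConvertTo-Hex ([System.Security.Cryptography.SHA1]::Create().ComputeHash($der))
        Sha256 = ConvertTo-Hex ([System.Security.Cryptography.SHA256]::Create().ComputeHash($der))
    }
}

# Hashes Sstpsvc currently has recorded. Assumption: REG_BINARY; a string value is normalised instead.
function Get-SstpRecordedHashes {
    $out = @{ Sha1 = ''; Sha256 = '' }
    foreach ($alg in 'Sha1', 'Sha256') {
        $name = "${alg}CertificateHash"
        $v = (Get-ItemProperty -Path $SstpParams -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -is [byte[]]) { $out[$alg] = ConvertTo-Hex $v }
        elseif ($v)          { $out[$alg] = ([string]$v -replace '[^0-9A-Fa-f]', '').ToUpper() }
    }
    $out
}

function Sync-SstpCertificateBinding {
    param(
        [Parameter(Mandatory = $true)][string]$ProxyThumbprint,   # SHA1 thumbprint read on the proxy
        [switch]$Apply                                            # report only unless set
    )
    $thumb = ($ProxyThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with thumbprint $thumb in LocalMachine\My. Import the proxy's certificate (with private key) first."
    }
    if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key; http.sys cannot bind it." }

    $want = Get-CertificateHashes $cert
    $have = Get-SstpRecordedHashes
    "Expected SHA1   : $($want.Sha1)"
    "Expected SHA256 : $($want.Sha256)"
    "Recorded SHA1   : $($have.Sha1)"
    "Recorded SHA256 : $($have.Sha256)"

    if ($have.Sha1 -eq $want.Sha1 -and $have.Sha256 -eq $want.Sha256) {
        'Crypto-binding hashes already match; nothing to do.'
        return
    }
    if (-not $Apply) {
        'Mismatch: re-run with -Apply to rebind the listener and restart RRAS.'
        return
    }

    # Same order as the manual steps: unbind, clear the recorded hashes, bind, restart.
    foreach ($ep in '0.0.0.0:443', '[::]:443') { netsh http delete sslcert ipport=$ep | Out-Null }
    foreach ($alg in 'Sha1', 'Sha256') {
        Remove-ItemProperty -Path $SstpParams -Name "${alg}CertificateHash" -ErrorAction SilentlyContinue
    }
    foreach ($ep in '0.0.0.0:443', '[::]:443') {
        netsh http add sslcert ipport=$ep certhash=$($want.Sha1) appid=$RrasAppId certstorename=MY
    }
    Restart-Service RemoteAccess -Force   # Sstpsvc re-records both hashes from the bound certificate
    Get-SstpRecordedHashes
}

# Usage (the thumbprint is a placeholder):
#   Sync-SstpCertificateBinding -ProxyThumbprint 'A1B2C3...'          # report only
#   Sync-SstpCertificateBinding -ProxyThumbprint 'A1B2C3...' -Apply   # rebind and restart
```

Running the report mode first is deliberate: it shows whether the mismatch is in the listener binding, in the recorded registry values, or in which certificate was imported, before any binding is dropped and existing SSTP sessions are interrupted by the service restart.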
Restart the Routing and Remote Access service
To restart the Routing and Remote Access service:
- Open Routing and Remote Access. Click Start, click Run, type rrasmgmt.msc, and then press ENTER.
- In the console tree, click Server Status.
- In the details pane, right-click a server name, point to All Tasks, and click Restart.
Verify
To verify that the remote access server can accept connections, establish a remote access connection from a client computer.
To create a VPN connection:
- Click Start, and then click Control Panel.
- Click Network and Internet, click Network and Sharing Center, and then click Set up a connection or network.
- Click Connect to a workplace, and then click Next.
- Complete the steps in the Connect to a Workplace wizard.
To connect to a remote access server:
- In Network and Sharing Center, click Manage network connections.
- Double-click the VPN connection, and then click Connect.
- Verify that the connection was established successfully.