Does anyone know the answer to this? (SSTP problem)

Robbo777 Member Posts: 331
Hi, would anyone have an idea as to why this problem is occurring?
I have successfully managed to configure an SSTP VPN connection using a VPN connection request policy with the condition being SSTP, along with the network policy of "Connections to Microsoft Routing and Remote Access server" that comes with the RRAS installation (which seemed to fix that issue). BUT! I want to make a VPN connection and configure network policies to perform system health checks on the connecting client machines. So I have also created 3 network policies: Compliant VPN connections, Non Compliant and Non NAP Capable. The only condition is that they are either granted or not granted access based off the health policy results, which corresponds to Windows Security Health Validator. Everything seems to be set up right, and when I remove the "Health Policy" condition and replace it with another arbitrary one such as a user group, it works again, so it seems to be something with the health policy it doesn't like. The error message is "Error 649 the account does not have permission to dial in". I'm not quite sure why I'm getting this error now, since it was working before with the same users logging in before.
Also, on every user account the "Control access through NPS" option is selected.

Comments

  • Robbo777 Member Posts: 331
    Okay, so I have finally managed to fix it through problems with the health authority etc... thankfully it's done now, but wouldn't you know, one last problem arises.
    After the VPN connects, I get a message saying that the SHA is not installed and therefore network connectivity automatically becomes limited. Why does Windows give me this message and is there anything I can do to stop it?
    It's my DC that I'm using the VPN on.
  • OctalDump Member Posts: 1,722
    What OS are the clients? Do they have Security Center installed?
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Robbo777 Member Posts: 331
    Yes, I have Security Centre installed. I've managed to figure out that the Security Centre doesn't come with Server 2012 etc... and thus won't work.
    I have managed to successfully configure it now though on my internal client PC, but only through registry fixes. I keep getting this error relating to checking to see if the server has been revoked... "The revocation function was unable to check revocation because the revocation server was offline."
    I've gone onto revoked certificates in my CA and clicked on publish and created a new CRL, but the clients are not getting it or it's not working somehow. Any idea as to how I can fix this?