SSTP VPN Error

RobertKaucher Member Posts: 4,299
I am attempting to set up an SSTP VPN connection. I have followed all of the usual steps except I used an enterprise CA. I verified the correct cert is being used using the 'netsh http show sslcert' command. I have ensured that the friendly name is set to the name of the VPN connection. I imported the cert into my client PC and get that known error code when the certificate is not set up properly. I am at my wits' end on this. Not sure what else to try.

Comments

  • wedge1988 Member Posts: 434
    Did you manage to get this working?

    -> I'm about to attempt this setup. Did you use a custom cert or a public registered cert?

    As far as I am aware, you require a public signed certificate. In addition, an "A" host record with the certificate friendly name needs to be made.

    VPN setups are confusing though, right? -.-
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • RobertKaucher Member Posts: 4,299
    Wow! Way to necro! Yes, I did. But I have no recollection at all about what I did. I did not use a public cert, though. It was all done through my enterprise CA.

    Also, there was a virtual lab with this on TechNet some place.
  • wedge1988 Member Posts: 434
    Ah OK. I just thought that if the cert isn't publicly signed then it would return a "NOT VALID" error. Suppose this wouldn't matter though after thinking it through, 'cause it'd be in the root cert authority path anyway. lol.

    Suppose that is only a requirement for websites. ^.^

    Anywhoo, I'll go take a look on the Microsoft virtual labs page. Cheers!

    Oh, by the way...

    I'm guessing this is covered on the MCITP upgrade from MCSE exams? And as usual, like the 70-298, it's a tough ride. lol. At least now I suppose I have a lot more experience with it all!
  • RobertKaucher Member Posts: 4,299
    wedge1988 wrote: »
    I'm guessing this is covered on the MCITP upgrade from MCSE exams? And as usual, like the 70-298, it's a tough ride. lol. At least now I suppose I have a lot more experience with it all!

    Yes. It was. It's hard for me to recall details... It was nearly 3 years ago. But knowing what I do about your work environment I think this sort of lab work could be very practical for you. You still working for a school system?
  • LCA Member Posts: 215
    There is a walkthrough for VPN with SSTP on TechNet that does work. Have you tried it, or is that what you're using?

    One thing I do recall from the walkthrough is that the server cert must be set up very precisely, otherwise it all turns to custard. One thing I remember doing is deleting the original certificate the CA issued after obtaining the correct cert via the web browser.

    Good luck!
    http://sqlsnapshots.blogspot.com/ - My SQL Server exam resources blog
  • RobertKaucher Member Posts: 4,299
    LCA wrote: »
    There is a walkthrough for VPN with SSTP on TechNet that does work. Have you tried it, or is that what you're using?

    One thing I do recall from the walkthrough is that the server cert must be set up very precisely, otherwise it all turns to custard. One thing I remember doing is deleting the original certificate the CA issued after obtaining the correct cert via the web browser.

    Good luck!

    I take issue with this statement. Custard is yummy and good. ;)
  • wedge1988 Member Posts: 434
    @ Robert - yep, I'm still working at a school. And yes, SSTP is going to save me sooooo much aggravation. (One of the reasons it was made, I believe.)

    I really dislike that the county control our firewall -.- but then I must be the only person with any real brains in a school, since most people who work in schools (IT related, let's be specific) are just beginner techs.

    Also. Christmas + Custard = Overload + Tummy Hurts

    That's my view.

    @ LCA

    You mean this one, right?

    SSTP Remote Access Step-by-Step Guide: Deployment

    Past halfway it asks to confirm that GRE won't work after you blocked it. Well, this isn't an issue because the county didn't unblock this when I asked them to unblock the required ports for PPTP. -.- (Sarcasm)

    I'll give it a go when I can, hopefully soon, and let you both know how I get on.

    If not, have a great Christmas (whether you celebrate it or not!)
  • LCA Member Posts: 215
    wedge1988,

    Yes, that's the walkthrough I was referring to.
  • RobertKaucher Member Posts: 4,299
    WHERE IS ALL THIS CUSTARD YOU GUYS KEEP TALKING ABOUT??? My fat inner child is dying!

    Just wanted to make sure you have this link:
    https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454427&EventCategory=3&culture=en-US&CountryCode=US
  • LCA Member Posts: 215
    RobertKaucher wrote: »
    WHERE IS ALL THIS CUSTARD YOU GUYS KEEP TALKING ABOUT??? My fat inner child is dying!


    Custard is great but not inside Windows!!

    :D
  • wedge1988 Member Posts: 434
    Sorry guys, will have to try tomorrow. I got sidetracked setting up Kerberos Constrained Delegation with ISA and SharePoint Server 2007 (KCD).

    I still can't get the thing to work, but as usual it's probably me overdoing it. It's already secure with 2048-bit SSL. ^.^;

    So yeh, tomorrow! Cheers!
  • RobertKaucher Member Posts: 4,299
    wedge1988 wrote: »
    Sorry guys, will have to try tomorrow. I got sidetracked setting up Kerberos Constrained Delegation with ISA and SharePoint Server 2007 (KCD).

    I still can't get the thing to work, but as usual it's probably me overdoing it. It's already secure with 2048-bit SSL. ^.^;

    So yeh, tomorrow! Cheers!

    I've set this up so many times I could do it in my sleep. Let me know if I can offer any help. My user name @ Gmail.com.

    Also, you might find this SQL query useful in testing: Elemental SQL: How to determin if you are logged in via Kerberos or NTLM on SQL Server

    Here is what our topology looks like (We deal with at least 4 domains, 3 different forests).