
Saturday, May 14, 2011

How to troubleshoot Secure Socket Tunneling Protocol (SSTP)-based connection failures in Windows Server 2008

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Introduction

This article describes how to troubleshoot Secure Socket Tunneling Protocol (SSTP)-based connection failures that you may experience in Windows Server 2008.

SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and Remote Access server role in Windows Server 2008. SSTP allows for Point-to-Point Protocol (PPP) packets to be encapsulated over HTTP. This feature allows for a VPN connection to be more easily established through a firewall or through a Network Address Translation (NAT) device. Also, this feature allows for a VPN connection to be established through an HTTP proxy device.

The information in this article is specific to troubleshooting connection failures that relate to an SSTP-based VPN connection. You may receive other error codes on a remote access client computer. However, these error codes may be common for other kinds of VPN tunnels, such as PPTP, L2TP, and SSTP. For example, this article does not discuss error codes that you may receive if a remote access policy fails, if client authentication fails, or if a server does not support the ports that are required for the particular kind of connection. 
More Information
The following scenarios describe common issues that you may experience when a VPN client cannot connect to an SSTP-based VPN server.

Scenario 1: You receive error code 0x800704C9 when you try to connect to an SSTP-based VPN server

This issue may occur if no SSTP ports are available on the server. To troubleshoot this issue, verify that the Routing and Remote Access server has sufficient ports configured for remote access. To do this, follow these steps:
  1. Start the Routing and Remote Access MMC snap-in.
  2. Expand the server, right-click Ports, and then click Properties.
  3. In the Name list, click WAN Miniport (SSTP), and then click Configure.
  4. Modify the number that appears in the Maximum ports list, as appropriate for your requirements, and then click OK.

    Note By default, 128 ports are available for this device.
  5. In the Port Properties dialog box, click OK.

Scenario 2: You receive error code 809 when you try to connect to an SSTP-based VPN server

This issue may occur if one of the following conditions is true:
  • Remote access is disabled on the server.
  • The remote access server is not listening on the appropriate port.
  • The Routing and Remote Access service or the SSTP service is stopped on the server.
  • The server certificate was removed from the computer certificate store on the server before SSTP was configured.
  • The Extended Key Usage (EKU) extension for the certificate that is used for the SSTP connection is incorrect. For example, the certificate carries a Client Authentication EKU instead of the Server Authentication EKU that the SSTP listener requires.
To troubleshoot this issue, follow these steps:
  1. Verify that the Routing and Remote Access service and the SSTP service are running on the server. To do this, follow these steps:
    1. Start a command prompt, and then run the following two commands:
      • sc query remoteaccess
      • sc query sstpsvc
    2. If one or both services are stopped, use the Routing and Remote Access Microsoft Management Console (MMC) snap-in or the Services MMC snap-in to start the appropriate service or services.
  2. Determine whether the server is listening on the correct port. To do this, start a command prompt, and then run the following command:
    netstat -aon
    For example, verify that the SSTP service is listening on TCP port 443. If the SSTP service is listening on TCP port 443, the following local address entries will appear when you run the netstat -aon command:
    0.0.0.0:443 (IPv4)
    [::]:443 (IPv6)
    Note To determine the process ID of the SSTP service, follow these steps:
    1. Start Task Manager, and then click the Services tab.
    2. In the Name list, locate the SstpSvc entry, and then note the number that appears in the PID column.
  3. Verify that a certificate that specifies server authentication is located in the computer certificate store. To do this, follow these steps:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-in.
    3. In the Available snap-ins list, click Certificates, and then click Add >.
    4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
    5. Leave the Local computer option selected, and then click Finished.
    6. In the Add or Remove Snap-ins dialog box, click OK.
    7. In the Console1 MMC snap-in, expand Certificates (Local Computer), expand Personal, and then click Certificates.
    8. In the details pane, double-click a certificate, and then click the Details tab. Determine whether Server Authentication appears as one of the certificate usage entries.

Scenario 3: You receive error code 0x80070040 when you try to connect to an SSTP-based VPN server

This issue may occur if a server authentication certificate is not installed on the Routing and Remote Access server.

To troubleshoot this issue, follow these steps:
  1. Click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Available snap-ins list, click Certificates, and then click Add >.
  4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
  5. Leave the Local computer option selected, and then click Finished.
  6. In the Add or Remove Snap-ins dialog box, click OK.
  7. In the Console1 MMC snap-in, expand Certificates (Local Computer), expand Personal, and then click Certificates.
  8. In the details pane, double-click a certificate, and then click the Details tab. Determine whether Server Authentication appears as one of the certificate usage entries.

Scenario 4: You receive error code 0x800B0101 when you try to connect to an SSTP-based VPN server

This issue may occur if the server authentication certificate on the Routing and Remote Access server has expired.

To troubleshoot this issue, follow these steps:
  1. Click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Available snap-ins list, click Certificates, and then click Add >.
  4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
  5. Leave the Local computer option selected, and then click Finished.
  6. In the Add or Remove Snap-ins dialog box, click OK.
  7. In the Console1 MMC snap-in, expand Certificates (Local Computer), expand Personal, and then click Certificates.
  8. In the details pane, locate the certificate that has Server Authentication as one of the certificate usage entries, and then determine whether the certificate has expired.
  9. If the certificate has expired, renew the certificate.

Scenario 5: You receive error code 0x800B0109 when you try to connect to an SSTP-based VPN server

This issue may occur if the appropriate trusted root certification authority (CA) certificate is not installed in the Trusted Root Certification Authorities store on the client computer.

Note Generally, if the client computer is joined to the domain and if you use domain credentials to log on to the VPN server, the certificate is automatically installed in the Trusted Root Certification Authorities store. However, if the computer is not joined to the domain or if you use an alternative certificate chain, you may experience this issue.

To troubleshoot this issue, follow these steps:
  1. On the client computer, click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add/Remove Snap-in dialog box, click Add.
  4. In the Available Standalone Snap-In dialog box, click Certificates, and then click Add.
  5. In the Certificates snap-in dialog box, click Computer account, click Next, and then click Finish.
  6. Click Close, and then click OK.
  7. In the Console1 MMC snap-in, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
  8. Examine the certificates that appear in the details pane to determine whether a certificate from the certification authority is present.
  9. If the appropriate certificate is not present in the Trusted Root Certification Authorities store, you must import a certificate for the appropriate certification authority.

Scenario 6: You receive error code 0x800B010F when you try to connect to an SSTP-based VPN server

This issue may occur if the host name of the server that is specified in the VPN connection does not match the subject name that is specified on the SSL certificate that the server submits to the client computer.

To troubleshoot this issue, follow these steps:
  1. On the VPN server, click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Available snap-ins list, click Certificates, and then click Add >.
  4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
  5. Leave the Local computer option selected, and then click Finished.
  6. In the Add or Remove Snap-ins dialog box, click OK.
  7. In the Console1 MMC snap-in, expand Certificates (Local Computer), expand Personal, and then click Certificates.
  8. In the details pane, locate the certificate that the VPN server uses for the SSL connection.
  9. Verify that the certificate has the correct subject name. For example, if the VPN client uses an IP address to connect to the server, the certificate must specify that IP address in the subject name. If the appropriately-named certificate is not present on the VPN server, you must obtain a new certificate for the VPN server.

Scenario 7: You receive error code 0x80092013 when you try to connect to an SSTP-based VPN server

This issue may occur if the client computer fails the certificate revocation check for the SSL certificate that the client computer obtained from the VPN server.

To troubleshoot this issue, verify that the server that hosts the Certificate Revocation List (CRL) is available to the client. This may mean that the CRL server has to be reachable from the client over the Internet. The client computer runs the CRL check during the establishment of the SSL connection. However, this verification operation is not performed over the VPN connection. This is because the VPN connection is not established until the CRL check has succeeded. Instead, the CRL check query is sent directly to the CRL server.
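The following PowerShell script is an added example and is not part of the Microsoft article. Run on a client, it fetches the VPN server's SSL certificate and applies the checks behind scenarios 2 through 7 (Server Authentication EKU, expiry, trusted root, subject name, CRL), reporting the matching error code. $VpnHost and $Port are assumed placeholders; use exactly the name or address the VPN connection dials, because that is what the subject name must match.

```powershell
# Added example (not from the KB article). Assumed placeholders: $VpnHost, $Port.
param([string]$VpnHost = "vpn.example.com", [int]$Port = 443)

# Record the handshake verdict but let it complete so the certificate can be inspected.
$script:sslErrors = [System.Net.Security.SslPolicyErrors]::None
$record = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $errors)
    $script:sslErrors = $errors
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($VpnHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $record)
$ssl.AuthenticateAsClient($VpnHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# Rebuild the chain with an online CRL check: the client does this directly, not over the VPN.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$null = $chain.Build($cert)
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

# Server Authentication EKU is OID 1.3.6.1.5.5.7.3.1.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$serverAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" }
$nameMismatch = ($script:sslErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0

"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"
$findings = @()
if (-not $serverAuth)                           { $findings += "no Server Authentication EKU (scenario 2 / 3)" }
if ($cert.NotAfter -lt (Get-Date))              { $findings += "certificate expired -> 0x800B0101 (scenario 4)" }
if ($flags -match "UntrustedRoot|PartialChain") { $findings += "issuing CA not trusted on this client -> 0x800B0109 (scenario 5)" }
if ($nameMismatch)                              { $findings += "subject does not match '$VpnHost' -> 0x800B010F (scenario 6)" }
if ($flags -match "Revoked|Revocation")         { $findings += "CRL check failed or CRL server unreachable -> 0x80092013 (scenario 7)" }
if ($findings) { $findings | ForEach-Object { "FAIL    : $_" } } else { "Result  : certificate passes all client-side checks" }
```

The chain is rebuilt with RevocationMode Online so that a CRL server the client cannot reach shows up as a revocation finding rather than being silently skipped.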

Scenario 8: The Routing and Remote Access server is running, but there are no incoming SSTP connections

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To troubleshoot this issue, follow these steps:
  1. Verify that the SSTP service is running. To do this, run the sc query sstpsvc command at a command prompt.
  2. Verify that the Routing and Remote Access service is running. To do this, run the sc query remoteaccess command at a command prompt.
  3. Verify that the SSTP service is listening on TCP port 443 or on the port on which you have configured the SSTP service to listen. To do this, run the following command at a command prompt:
    netstat -aon | findstr 443
  4. Examine the server certificate that is bound to the Http.sys driver. To do this, run the following command at a command prompt:
    netsh http show sslcert
  5. Examine the IP address and the port number of the server certificate. The Routing and Remote Access service reads only the IPv6 address ::0 or the IPv4 address 0.0.0.0.
  6. Verify that the server certificate that you examined in steps 4 and 5 is present in the computer certificates store. To do this, follow these steps:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-in.
    3. In the Available snap-ins list, click Certificates, and then click Add >.
    4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
    5. Leave the Local computer option selected, and then click Finished.
    6. In the Add or Remove Snap-ins dialog box, click OK.
    7. In the Console1 MMC snap-in, expand Certificates (Local Computer), expand Personal, and then click Certificates.
    8. In the details pane, locate the appropriate certificate.
  7. Verify that the certificate is valid and that it has not expired. Also, verify that the same certificate hash is listed under the Sha256CertificateHash registry key or under the Sha1CertificateHash registry key.
  8. Verify that no Routing and Remote Access inbound filters or outbound filters are configured to block SSTP connections. To do this, follow these steps:
    1. Start the Routing and Remote Access MMC snap-in.
    2. Expand the server, and then expand IPv4 or IPv6, as appropriate for your networking traffic.
    3. Click General, right-click the appropriate network interface, and then click Properties.
    4. In the Network_Interface_Name Properties dialog box, click Inbound Filters. Verify that no filter is configured to block SSTP traffic, and then click OK.
    5. In the Network_Interface_Name Properties dialog box, click Outbound Filters. Verify that no filter is configured to block SSTP traffic, and then click OK.
  9. Determine whether the server is configured to listen on the appropriate port for SSTP connections. By default, the server uses TCP port 443 for SSTP connections. To determine which port the server uses, follow these steps:
    1. Start Registry Editor, and then locate the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters
    2. In the details pane, right-click ListenerPort, and then click Modify.
    3. Note the value that appears in the Value data box.
    Note By default, the ListenerPort registry entry has a value of 443. If you change this value, you must restart the Routing and Remote Access service.
  10. Determine whether the Windows Firewall is configured to have an exception to allow for SSTP traffic. To do this, follow these steps:
    1. Click Start, click Run, type firewall.cpl, and then click OK.
    2. In the Windows Firewall dialog box, click Allow a program through Windows Firewall.
    3. On the Exceptions tab of the Windows Firewall Settings dialog box, verify that the Secure Socket Tunneling Protocol check box is selected.
  11. Verify that a firewall that is configured in front of the Routing and Remote Access server is not configured to block SSTP traffic that is destined for the Routing and Remote Access server. For example, verify that an external firewall is not configured to block TCP 443 traffic.
  12. Examine the System log and the Application log to locate any events that are related to the Routing and Remote Access service or to the SSTP service.
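The following PowerShell script is an added example and is not part of the Microsoft article. Run in an elevated prompt on the Routing and Remote Access server, it walks steps 1 through 7 and 9 of the checklist above (services, ListenerPort, listener, Http.sys binding, registry hash, certificate validity and EKU); the filter, firewall and event-log steps stay manual. It only reads state and changes nothing.

```powershell
# Added example (not from the KB article): read-only pass through Scenario 8.
$params = "HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters"
$reg = Get-ItemProperty -Path $params -ErrorAction SilentlyContinue

# Steps 1-2: both services must be running (the script equivalent of sc query).
foreach ($svc in "SstpSvc", "RemoteAccess") {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    "{0,-13} {1}" -f $svc, $(if ($s) { $s.Status } else { "not installed" })
}

# Step 9: ListenerPort overrides the default of 443.
$port = 443
if ($reg -and $reg.ListenerPort) { $port = [int]$reg.ListenerPort }
$wild = '^(0\.0\.0\.0|\[::\]):{0}$' -f $port      # the wildcard endpoints RRAS reads

# Step 3: is anything LISTENING on the wildcard address and that port?
$bound = netstat -aon | Select-String -Pattern ('TCP\s+(0\.0\.0\.0|\[::\]):{0}\s.*LISTENING' -f $port)
"{0,-13} {1}" -f "Listening", $(if ($bound) { "yes, port $port" } else { "NO listener on port $port" })

# Steps 4-5: find the Http.sys certificate bound to 0.0.0.0:port or [::]:port.
$hash = ""; $ep = ""
foreach ($line in (netsh http show sslcert)) {
    if ($line -match 'IP:port\s*:\s*(\S+)\s*$') { $ep = $matches[1] }
    elseif ($ep -match $wild -and $line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
        $hash = $matches[1].ToUpper()
    }
}
"{0,-13} {1}" -f "Http.sys cert", $(if ($hash) { $hash } else { "NO wildcard binding for port $port" })

# Step 7: the bound hash must also be in Sha256CertificateHash or Sha1CertificateHash.
$regHashes = foreach ($n in "Sha256CertificateHash", "Sha1CertificateHash") {
    if ($reg -and $reg.$n) { (($reg.$n | ForEach-Object { $_.ToString("X2") }) -join "") }
}
"{0,-13} {1}" -f "Registry hash", $(if ($regHashes -contains $hash) { "matches" } else { "MISMATCH" })

# Steps 6-7: the certificate must be in LocalMachine\My, unexpired, with Server Authentication EKU.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
if ($cert) {
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" }
    "{0,-13} {1}" -f "Certificate", $cert.Subject
    "{0,-13} {1}" -f "Expires", $(if ($cert.NotAfter -lt (Get-Date)) { "EXPIRED $($cert.NotAfter)" } else { $cert.NotAfter })
    "{0,-13} {1}" -f "Server Auth", $(if ($serverAuth) { "present" } else { "MISSING" })
} else { "{0,-13} {1}" -f "Certificate", "NOT found in LocalMachine\My" }
```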
Microsoft