Always On VPN problems
Hello,
We are running Windows Server 2019 with the RAS role (RAS server), and we also have a second server, also Windows Server 2019, on which we have the NPS role (NPS server).
We have some issues with the VPN connection for a group of users that are located in a different AD forest (the AD forest trust is set up as a bi-directional trust). When the issue starts, this group of users from the other forest is not able to authenticate, and on the clients they receive an error:
Can’t connect to VPN User Tunnel The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid.
And in Event log of the RAS server we have log entries:
CoId={XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX}: The user user@domain.local connected from IP address <PUBLIC IP ADDRESS OF CLIENT> but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error. Details:
- System
  - Provider [Name] RemoteAccess
  - EventID 20271 [Qualifiers] 0
  - Level 3
  - Task 0
  - Keywords 0x80000000000000
  - TimeCreated [SystemTime] 2024-09-18T18:17:33.908487400Z
  - EventRecordID 13255841
  - Channel System
  - Computer VPN.domain.local
  - Security
- EventData
  - {74530D90-09AB-0007-E3A7-6074AB09DB01}
  - user@domain.com
  - IP ADDRESS
  - The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
  - 0x70
  - 2C030000

Binary data:
In Words 0000: 0000032C
In Bytes 0000: 2C 03 00 00 ,...

Any ideas what could be the issue? The changes that have happened to the configuration are: autorenewal of the NPS server certificate, which was done as in previous years.
Also worth mentioning is that the issue goes away after rebooting both servers in sequence, which is not ideal, as this issue doesn't happen consistently at the same time but appears a bit random (it works fine for a day, then the issue occurs; after a reboot the setup works OK for 2 days and then the issue occurs again).
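Two triage checks that fit the symptoms described above, as an added example that is not part of the original post: the first summarises RemoteAccess event 20271 (the event quoted in the post) on the RAS server by UPN suffix, so you can confirm whether the failures really are limited to accounts from the trusted forest and when they start and stop; the second lists the Server Authentication certificates in the NPS server's machine store with their thumbprints and expiry, so the certificate selected in the NPS network policy's EAP settings can be compared with what is actually present after the auto-renewal. Function names are hypothetical, and the script assumes an elevated PowerShell session on the respective server.

```powershell
# Added triage helpers, not code from the original post.
# Run Get-RasAuthFailureSummary on the RAS server (where event 20271 is logged)
# and Get-NpsServerAuthCertificates on the NPS server. Function names are hypothetical.

function Get-RasAuthFailureSummary {
    param(
        [int]$Hours = 72   # look-back window
    )
    # Event ID 20271 from the RemoteAccess provider is the failure quoted in the post.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'RemoteAccess'
        Id           = 20271
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $parsed = foreach ($e in $events) {
        # Message text has the form "The user <upn> connected from IP address <ip> but failed ..."
        if ($e.Message -match 'The user (?<user>\S+) connected from IP address (?<ip>\S+) but failed') {
            $upn = $Matches['user']
            $ip  = $Matches['ip']      # capture before the next -match overwrites $Matches
            $suffix = if ($upn -match '@(.+)$') { $Matches[1] } else { '(no suffix)' }
            [pscustomobject]@{
                Time     = $e.TimeCreated
                User     = $upn
                Suffix   = $suffix     # UPN suffix tells you which forest/domain the account is from
                ClientIP = $ip
            }
        }
    }

    # Group by UPN suffix: if only the trusted forest's suffix shows up, the problem is
    # specific to cross-forest authentication; first/last seen bracket each outage.
    $parsed | Group-Object Suffix | Sort-Object Count -Descending |
        Select-Object @{n='UpnSuffix'; e={ $_.Name }}, Count,
                      @{n='FirstSeen'; e={ ($_.Group | Measure-Object Time -Minimum).Minimum }},
                      @{n='LastSeen';  e={ ($_.Group | Measure-Object Time -Maximum).Maximum }}
}

function Get-NpsServerAuthCertificates {
    # Certificates with the Server Authentication EKU are the ones NPS can present to
    # clients for PEAP/EAP-TLS. After an auto-renewal the old and new certificate may sit
    # side by side; compare the thumbprint chosen in the network policy's EAP settings
    # with the entries listed here (validity dates and private-key presence included).
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid
    } | Select-Object Subject, Thumbprint, NotBefore, NotAfter,
        @{n='DaysLeft';      e={ [int]($_.NotAfter - (Get-Date)).TotalDays }},
        @{n='HasPrivateKey'; e={ $_.HasPrivateKey }} |
        Sort-Object NotAfter -Descending
}

# Usage on each server:
Get-RasAuthFailureSummary -Hours 72 | Format-Table -AutoSize
Get-NpsServerAuthCertificates      | Format-Table -AutoSize
```

Because the outage in the post appears and disappears over days, running the first function with a window that covers at least one full cycle (the look-back is a parameter) gives the FirstSeen/LastSeen timestamps per suffix, which can then be lined up against the certificate NotBefore/NotAfter values and the reboot times rather than relying on when users first complained.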