Always on vpn root certificate

William Hanna 1 Reputation point
2020-10-30T13:54:48.76+00:00

Hello,

The root certificate was about to expire and the organisation created a new root certificate. That's where the problem started with AOVPN:

All new users are getting the error below, but for the old users Always On VPN still worked: "A certificate could not be found that can be used with the Extensible Authentication Protocol"

I was looking into our CA server. I found two certificates in Properties, which were the root certs:
Certificate 1: c8 43 72 1c bc 3a d2 99 10 e1 f3 1c 99 36 1e ed ce b6 66 2b (ends 2021)
Certificate 2: f8 62 71 8d c1 f0 63 1e 09 c5 da 75 e6 f0 a6 0d eb 41 0d 46 (ends 2030)

In Intune we are pushing out custom VPN settings that point to the certificate that ends in 2021:

<TrustedRootCA>c8 43 72 1c bc 3a d2 99 10 e1 f3 1c 99 36 1e ed ce b6 66 2b </TrustedRootCA>
<TrustedRootCA>c8 43 72 1c bc 3a d2 99 10 e1 f3 1c 99 36 1e ed ce b6 66 2b </TrustedRootCA>
<IssuerHash>c8 43 72 1c bc 3a d2 99 10 e1 f3 1c 99 36 1e ed ce b6 66 2b </IssuerHash></CAHashList>
<EKUMapping><EKUMap><EKUName>Enterprise VPN</EKUName>

If I look at the VPN settings on the Windows 10 client, I can see that under Certificate selection it selects the certificate that ends in 2021 ONLY.

If I enable the certificate that ends in 2030, we can then connect.

BUT if I ONLY choose the certificate that ends in 2030, I get the error

"Connection was prevented because of a policy configured on your RAS/VPN server"
Somehow I need to have the old cert that ends in 2021 enabled... I need to replace it.
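The failure described above comes down to the root-CA thumbprints pinned in the Always On VPN ProfileXML (`TrustedRootCA` and `IssuerHash`) no longer matching a root that new clients actually chain to. The following PowerShell script is an added example, not code from the question, the answer, or Microsoft: it pulls every `TrustedRootCA`/`IssuerHash` value out of a profile, normalises the "c8 43 72 …" spacing (and any stray Unicode direction marks that copy/paste leaves behind) into thumbprint form, and reports whether each pinned hash exists in the machine's Trusted Root store and when it expires, then lists the candidate roots from the same CA so the 2030 thumbprint can be substituted. The `$profileXml` fragment is a simplified, constructed stand-in built from the hashes quoted above (a real profile has the full EapHostConfig nesting and namespaces, which the `local-name()` query tolerates), and `*Contoso*` is a placeholder for the organisation's CA name. It checks the client side only; the RAS/NPS server's own EAP server certificate and network policy conditions must separately be verified against the new root.

```powershell
# Added example (not from the original thread): audit the root-CA hashes pinned in an
# Always On VPN ProfileXML against the local Trusted Root store, so an expiring pinned
# root is found before new clients start failing EAP certificate selection.

# Constructed, simplified stand-in for the real profile; hashes are the ones quoted above.
$profileXml = @"
<VPNProfile>
  <ServerValidation>
    <TrustedRootCA>c8 43 72 1c bc 3a d2 99 10 e1 f3 1c 99 36 1e ed ce b6 66 2b</TrustedRootCA>
  </ServerValidation>
  <CAHashList Enabled="true">
    <IssuerHash>c8 43 72 1c bc 3a d2 99 10 e1 f3 1c 99 36 1e ed ce b6 66 2b</IssuerHash>
  </CAHashList>
</VPNProfile>
"@

# Turn "c8 43 72 ..." (possibly with U+200E marks from copy/paste) into the bare
# upper-case thumbprint form that Cert:\ reports, by dropping every non-hex character.
function ConvertTo-Thumbprint {
    param([string]$Text)
    return (($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant())
}

# Collect every pinned hash in the profile. local-name() makes the XPath work whether
# or not the elements sit inside the namespaced EapHostConfig block of a real profile.
function Get-ProfilePinnedHashes {
    param([xml]$Xml)
    $nodes = $Xml.SelectNodes("//*[local-name()='TrustedRootCA' or local-name()='IssuerHash']")
    foreach ($n in $nodes) {
        [pscustomobject]@{
            Element    = $n.LocalName
            Thumbprint = ConvertTo-Thumbprint $n.InnerText
        }
    }
}

# Match each pinned hash against the machine Trusted Root store and flag expiry.
function Test-PinnedRoots {
    param([xml]$Xml, [int]$WarnDays = 90)
    $roots = Get-ChildItem Cert:\LocalMachine\Root
    foreach ($pin in Get-ProfilePinnedHashes -Xml $Xml) {
        $cert = $roots | Where-Object { $_.Thumbprint -eq $pin.Thumbprint }
        if (-not $cert) {
            $status = 'NOT IN TRUSTED ROOT STORE'
            $expires = $null
        } else {
            $expires  = $cert.NotAfter
            $daysLeft = ($expires - (Get-Date)).Days
            if ($daysLeft -lt 0)              { $status = 'EXPIRED' }
            elseif ($daysLeft -lt $WarnDays)  { $status = "expires in $daysLeft days" }
            else                              { $status = 'ok' }
        }
        [pscustomobject]@{
            Element    = $pin.Element
            Thumbprint = $pin.Thumbprint
            Subject    = if ($cert) { $cert.Subject } else { $null }
            NotAfter   = $expires
            Status     = $status
        }
    }
}

# List the roots from the organisation's CA, newest expiry first, to pick the replacement
# thumbprint (the 2030 root in the question) for the profile's TrustedRootCA/IssuerHash.
function Get-CandidateRoots {
    param([string]$SubjectPattern)
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like $SubjectPattern } |
        Sort-Object NotAfter -Descending |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

Test-PinnedRoots -Xml ([xml]$profileXml) | Format-Table -AutoSize
Get-CandidateRoots -SubjectPattern '*Contoso*' | Format-Table -AutoSize   # placeholder CA name
```

Run it on an affected Windows 10 client (as an administrator, so the machine store is readable) with the deployed profile pasted into `$profileXml`. A pinned hash reported as `NOT IN TRUSTED ROOT STORE` or `EXPIRED` is what produces the "certificate could not be found" EAP error on new devices; the fix is to put the replacement root's thumbprint into both `TrustedRootCA` and `IssuerHash` and redeploy, not to keep the old root enabled.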

1 answer

  1. Gloria Gu 3,896 Reputation points
    2020-11-02T05:54:25.397+00:00

    @William Hanna Hi,

    Thank you for posting in Q&A!

    After my research for the related information: during the VPN configuration, if the authentication protocol configured on the VPN server is MS-CHAP and the VPN client is Windows 10, the user may get error 812.
    Please make sure to configure the VPN server with highly secured authentication protocols like MS-CHAPv2 or EAP-based authentication, and ensure that your client configuration matches the conditions that are specified on the NPS server.

    Hope you have a nice day!
    Gloria

