Microsoft Always-On VPN: IKE failed to find valid machine certificate

Seth Weber 46 Reputation points
2020-12-04T20:51:17.503+00:00

I set up an Always-On VPN configuration and I'm testing it - I followed Microsoft's guide at https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always....

After I got it all set up and I'm at the point where I test the connection by manually creating a connection profile (https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-de.... under "Manually create a single test VPN connection").

After I click Connect, it's able to reach our network and the VPN server itself, but I get this error: "IKE failed to find a valid machine certificate."

I checked and I have a user authentication certificate for the client computer (which I'm using), I have our CA and Root CA trusted on that client computer, and the VPN server both has the VPN server authentication certificate and the NPS server authentication certificate (the server is both the VPN server and the NPS server).

Not sure why it can't find the VPN server's certificate?

Notes:

  • VPN Server & NPS Server are the same system.

Accepted answer
  1. Candy Luo 12,721 Reputation points Microsoft Vendor
    2020-12-07T06:25:16.413+00:00

    Hi,

    I noticed that you said the server is both the VPN server and the NPS server. Did you mean both RAS and NPS services are installed on a single server?

    For an object to even talk with your NPS server, it must first be in the RADIUS client list. The RAS with Always-On VPN has to be added as a RADIUS client, and the FQDN and IP address set as the friendly server value on the Always-On VPN server.

    As always, we do not recommend implementing the two roles, VPN and NPS, on a single server.

    Here is a similar thread discussed before; you could have a look:

    Always-On VPN - RAS & NPS services on single server

    Best Regards,

    Candy


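The two checks the accepted answer points at, written up as an added PowerShell diagnostic (not code from this thread or from Microsoft's guide): on the client it lists machine-store certificates IKEv2 could use, and on the NPS server it confirms the RAS server is a registered RADIUS client. The hostname passed to the second function is a placeholder.

```powershell
# Added diagnostic, not from this thread. Run Get-IkeMachineCertificate on the
# Always-On VPN client and Test-NpsRadiusClientRegistered on the NPS server.

function Get-IkeMachineCertificate {
    # IKEv2 machine authentication looks only in the computer store (Cert:\LocalMachine\My)
    # for a certificate with a private key and the Client Authentication EKU
    # (OID 1.3.6.1.5.5.7.3.2) that chains to a trusted root. A certificate in the
    # user's store, however valid, is never considered for this step.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
                # Test-Certificate checks the chain against the machine trust stores and the EKU;
                # $false here means the CA or Root CA is not trusted or the cert is otherwise unusable.
                ChainValid = [bool](Test-Certificate -Cert $_ -EKU $clientAuthOid -ErrorAction SilentlyContinue)
            }
        }
}

function Test-NpsRadiusClientRegistered {
    param(
        # Placeholder: FQDN or IP address of the RAS (VPN) server as NPS sees it.
        [Parameter(Mandatory)][string]$RasServer
    )
    # NPS silently discards RADIUS requests from any source not in its client list,
    # so a missing entry surfaces on the client only as an authentication failure.
    $match = Get-NpsRadiusClient |
        Where-Object { $_.Address -eq $RasServer -or $_.Name -eq $RasServer }
    if ($match) {
        $match | Select-Object Name, Address, Enabled
    } else {
        Write-Warning "$RasServer is not registered as a RADIUS client on this NPS server"
    }
}

# Usage (hostname is a placeholder):
# Get-IkeMachineCertificate
# Test-NpsRadiusClientRegistered -RasServer 'ras01.corp.example'
```

An empty result from the first function, or a warning from the second, narrows the error to the certificate enrollment or the RADIUS client registration respectively.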

2 additional answers

  1. meatO 1 Reputation point
    2021-02-10T13:34:41.933+00:00

    Hi,

    I'm having the exact same problem.

    Followed the config to the T and at the point of testing the VPN connection, I also receive the same error:

    IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.

    I have separate RAS and NPS servers.

    The point about the multi-role server doesn't answer the question.

    Also, the configuration guide from Microsoft only goes as far as configuring certificates for User Tunneling. So at the point of testing the VPN connection under the sub heading of "Manually create a single test VPN connection" which can be found here:

    https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-template-vpn-profile-on-a-domain-joined-client-computer

    We haven't even begun to talk about Computer Certificates and Device Tunnels.

    Anyone able to help?

    Thanks


  2. meatO 1 Reputation point
    2021-02-15T18:39:11.49+00:00

    Why? It's the same issue.

    @SethWeber-6088 Did you manage to fix this?

    Thanks

