Azure VPN Client "Access denied" error

Alexander Shushanidze 41 Reputation points
2020-12-24T07:47:25.173+00:00

Hi. I have a problem with an Azure VPN client. One of the users is trying to connect to Azure VPN (using Azure Virtual Network Gateway with AD Login) and getting the "Access denied" error:
51044-image.png
This is not related to Azure AD because I can log in to the VPN with his credentials. We ran the diagnostics, all good. The logs showing nothing but "Access denied". We tried to reinstall this app, doesn't work.
I had the same problem but with a different error message, something like "The system cannot find the file specified." Same here, nothing useful in the logs. I've fixed it with a Windows update - not sure if the update helped, but the procedure of updating itself - I think it's reset something. But in this case, there are no updates on the list so we need to do something else.
I wonder what else we can look at?

Thanks.

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
906 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. GitaraniSharma-MSFT 30,141 Reputation points Microsoft Employee
    2021-02-12T08:10:25.703+00:00

    <<<Resolution Update>>>

    Below is the RCA for this issue as updated by the support team:

    Issue:

    Azure VPN Client (OpenVPN) with AAD fails to connect to Azure with errors: "Access Denied" or "Cannot find file specified".

    Cause:

    Something changed permissions to HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache and removed access for "NT Service\DnsCache" user group.
    This group is used by dnscache service to update DnsClientNrptRule in registry.
    Failure to update the registry key leads to the error.

    Resolution:

    After adding required permissions, VPN Connection was established.
    Because issue was observed on several machines, @Alexander Shushanidze wrote a script to fix the problem.
    VPN PG has been informed about this issue and they will investigate further and try to fix the issue, if it is caused by VPN Client.

    Thanks,
    Gita

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    3 people found this answer helpful.
  2. GitaraniSharma-MSFT 30,141 Reputation points Microsoft Employee
    2020-12-24T13:47:24.793+00:00

    Hello @Alexander Shushanidze ,

    From your screenshot, it looks like AAD Token was granted but not accepted by the Server. And you also mentioned that you are able to login to the VPN with the same credentials on your machine. Hence, the cause could be either of the below:

    1. Token was granted but not accepted by the Server means that Server is configured with different AAD Settings. Could you check the AAD settings and confirm that everything is same?
    2. User cannot connect on their machine but their user can connect on another - This can sometimes happen when the clock on the machine has a discrepancy and is either too far ahead or too far behind. To fix the time run the following from an administrative cmd prompt and try again: w32tm /config /syncfromflags:domhier /update net stop w32time net start w32time

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.