This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
I have setup an Always on VPN infrastructure (user tunnel), with Windows Server 2019 for VPN and NPS servers. When I try to connect from Windows 10, an error shows: IKE failed to find a valid machine certificate......
Eventviewer on Laptop shows Error code 13806, while CAPI2 logs on RRAS server shows errors on event IDs 11, 41, and 42 (Build chain, Verify Revocation and Reject Revocation Information) for the verification of the VPN server certificate.
Certs (Root and Subordinate) are all installed.
Can someone guide me to check the problem please?
Hi,
In regards to your issue, here're my suggestions:
"Error code 13806" typically occurs when no machine certificate or root machine certificate is present on the VPN server. Please ensure that the certificates outlined in this deployment are installed on both the client computer and the VPN server.
-------If my answer is helpful to you, please remember to mark them as answer. Thank you!------
Regards
Gloria
Thanks for your info.....
The above is all rightly set. Now found out that my laptop is showing CAPI2 errors while trying to validate the CRL of the user tunnel certificate.
The revocation function was unable to check revocation because the revocation server was offline.
[ value] 80092013
Is there a way to solve this from the client side?
There are no CAPI2 errors on the VPN and NPS servers.
Thanks again.
Hi,
The error occurs because the Microsoft Certificate Trust List Publisher certificate expired and a copy of the CTL with an expired signing certificate exists in the CryptnetUrlCache folder. When you visit a secure website, basically Windows will use this certificate to verify the authenticity of the site. The certificate is updated regularly so apparently when Windows needs to update the certificate, it failed do so and writes the error in Event Viewer.
There is solution to this problem, so if you have this error, just visit this Microsoft Support page
support.microsoft.com
and use the Microsoft Fix it utility. If you want to do it manually, please remember to backup your files first. The Fix it utility will create the Restore point automatically.
Microsoft fix it redirects you to windows troubleshooter - which in turn didn't find any problems!
Do you have any guidance for a manual fix?
I have gone through the steps in http://woshub.com/updating-trusted-root-certificates-in-windows-10/ but still the same error when checking revocation for the internal CA user cert.
Hi,
Since the situation of your issue is complicated, I would asuggest you contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.
Global Customer Service phone numbers
https://support.microsoft.com/en-us/gp/customer-service-phone-numbers
Thank you - found the root problem to my situation... (yet still not fixed)....
Our internal CA was set up with an offline root and a subordinate CA. The subordinate CA certificate's CRL points towards the offline root CA (thus not reachable), so the certificate chain check is failing.
Our internal CA has been set by Microsoft directly, so I guess we have to contact them about this issue....
Thanks again
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 56.00000000000001%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi,
How is your PKI setup to check CRL, is it publicly available?
OCSP?