11

I have recently created an Azure Virtual Network to test connectivity between a VM on Azure with a client server on premise (point-to-site connection).

First I followed the tutorial here: https://azure.microsoft.com/documentation/articles/vpn-gateway-point-to-site-create/

Next, I provisioned another VM on Azure but not part of the Virtual Network. I downloaded the AMD64 Client VPN Package and installed it onto this VM and connected to the VPN. The connection was successful and I could point my browser to the VM1's IIS that was created within the virtual network.

Finally, I downloaded the x86 Client VPN Package and installed it onto my local machine running Windows 7 and tried to connect via VPN. Instead, I got the error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Error 0x800b0109) For customized troubleshooting information for this connection, click Help.

The logs are:

    Operating System      : Windows NT 6.1 Service Pack 1
    Dialer Version        : 7.2.7600.16385
    Connection Name       : TestVirtualNetwork
    All Users/Single User : Single User
    Start Date/Time       : 01/05/2013, 23:02:34

    Module Name, Time, Log ID, Log Item Name, Other Info
    For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up

    [cmdial32]  23:02:34    22  Clear Log Event
    [cmdial32]  23:02:36    04  Pre-Connect Event   ConnectionType = 1
    [cmdial32]  23:02:36    06  Pre-Tunnel Event    UserName = TestClientCert Domain =  DUNSetting = TestVirtualNetwork Tunnel DeviceName = WAN Miniport (SSTP) TunnelAddress = azuregateway-66437671-fb05-4fac-83a7-1ae2313d717f-0.cloudapp.net
    [cmdial32]  23:02:37    21  On-Error Event  ErrorCode = -2146762487 ErrorSource = RAS
Dene
3thanZ
  • Could it be related to this: http://blogs.msdn.com/b/windowsazure/archive/2013/03/15/windows-azure-root-certificate-migration.aspx ??? – user2264560 Jun 13 '13 at 06:13
  • I have a similar problem but I haven't been able to solve it using any of the mentioned solutions :-( – Vinod Dec 05 '14 at 08:09

4 Answers

24

I was experiencing the same issue and came across this blog post describing what appears to be a bug in the VPN installer generated by the Azure site:

https://nbevans.wordpress.com/2014/03/01/point-to-site-p2s-azure-vpn/

Effectively, the issue is that there is an additional certificate needed to trust the Azure gateway for your virtual network. That cert is bundled inside the VPN installer .exe generated by the Azure Virtual Network page.

  1. Extract the VPN installer .exe generated by the Azure site (I used 7-zip)
  2. Inside you'll find a .cer file
  3. Install the certificate in the "Trusted Root Certification Authorities" of the "Computer account"
    1. Open mmc.exe
    2. Add the "Certificates" snap-in
    3. Be sure to choose "Computer" account for the Local computer
    4. Right-click the "Trusted Root Certification Authorities" node, All-Tasks, Import, and browse to the .cer file you extracted from the VPN exe

This will likely be needed on all clients you intend to connect to the virtual network.

  • 1
    Very nice way to diagnose this problem. To add to your answer, you can open up the .cer file, and go to the Certification Path to verify this is the issue before you add the .cer file to your certificate store. – Josh Mouch Mar 20 '15 at 16:13
  • Wow. I was banging my head against the wall all week! This fixed it right away. – David Betz Aug 22 '15 at 00:35
  • I had that cert installed long back when I was using my VPN client. Suddenly it stopped working. Then I followed your answer; now I have two certs in that Trusted folder, but my VPN client connects and works. – HaBo Aug 16 '16 at 12:34
  • We never had any problems with this for months, and then suddenly it started happening with most (but not all) of our VPN certs. No idea why, and no idea why some and not others. – Ken Smith Mar 08 '17 at 19:27
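
The import steps from the answer above, scripted in PowerShell as an added example that is not part of the original answer. Saved as a script, it shows the extracted certificate's subject, thumbprint and chain status, checks the computer account's Trusted Root store, and imports only when `-Install` is passed from an elevated prompt. `$CerPath` and `-Install` are names chosen for this example, and it uses .NET classes so that it does not depend on the PKI module's `Import-Certificate`.

```powershell
# Added example (not from the original answer). $CerPath is the .cer file
# extracted from the VPN installer; pass -Install from an elevated prompt.
param(
    [Parameter(Mandatory = $true)][string]$CerPath,
    [switch]$Install
)
$x509 = 'System.Security.Cryptography.X509Certificates'

# The log's ErrorCode is the signed form of the HRESULT shown in the dialog.
'Log ErrorCode -2146762487 = 0x{0:X8}' -f (-2146762487)

# Load the certificate and show exactly what would become a trusted root.
$cert = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CerPath).Path
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

# Build the chain with the Windows chain engine (revocation checks skipped).
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($cert)) {
    'Chain validates for the current user.'
} else {
    # UntrustedRoot here corresponds to error 0x800b0109.
    $chain.ChainStatus | ForEach-Object { 'Chain status: {0}' -f $_.Status }
}

# Look for the certificate in the computer account's Trusted Root store.
$store = New-Object "$x509.X509Store" -ArgumentList 'Root', 'LocalMachine'
$mode = if ($Install) { 'ReadWrite' } else { 'ReadOnly' }
$store.Open($mode)
try {
    $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($found.Count -gt 0) {
        'Already present in LocalMachine\Root.'
    } elseif ($Install) {
        $store.Add($cert)
        'Imported into LocalMachine\Root: {0}' -f $cert.Thumbprint
    } else {
        'Not in LocalMachine\Root. Re-run with -Install to import it.'
    }
} finally {
    $store.Close()
}
```
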
1

I want to post a different answer from the ones above, since I came across the same issue but in a different situation: the VPN connection presented the issue long after it had been configured for the first time. I had installed all the certificates needed for the VPN to function, but as things change too often I double-checked that all the certificates were where they were supposed to be. After doing that, I reviewed the log, and although the error points to a certificate issue, I paid attention to the connection details, and especially one: the Tunnel address (the one with the prefix azuregateway, a lot of hex numbers and the domain cloudapp.net). I realized that the domain was being blocked by a firewall/web filter appliance. Allowing this domain in the appliance let me connect using the VPN tunnel again. That's about it.

0

You need to make sure that you install the client certificate on your local computer. Also ensure that the root certificate you created is installed in your trusted root store.

To find out if your certificate is trusted, run mmc, click 'File', 'Add/Remove Snap In', double-click Certificates, select "My user account" and press Finish. Open 'Certificates - Current User', 'Personal', 'Certificates' and find the client certificate you created.

If it is not there, please follow the step to install it. If it is there, double-click it and click Certification Path. You should see no warnings or errors. If you do, it is probably because your root certificate is not installed correctly.

If that is the case, double-click the root certificate .cer file you created earlier, and in the import wizard select 'Place all certificates in the following store', click Browse, choose 'Trusted Root Certification Authorities' and then finish.

Lars Truijens
Sal
  • It would be helpful if you could add some highlighting and break the paragraph apart into a list of steps to make this more readable. – UpAndAdam May 01 '13 at 18:48
  • Hi Lars, thanks for the response. Do you mean that I need to import both the .pfx and .cer files in my local computer that I want to connect via VPN? – 3thanZ May 02 '13 at 10:13
  • 2
    Hi Lars, I tried as per your suggestion. There was indeed an issue flagged because the root certificate was not installed in the 'Trusted Root Certification Authorities' but after resolving that, the issue still persists. – 3thanZ May 02 '13 at 13:38
  • Check that you don't have fiddler or something else of the sort open in the background. https://groups.google.com/forum/#!topic/httpfiddler/AXF2AWQrPzU – Erez Robinson Mar 31 '14 at 07:25
-1

There were several answers I found. Here is the one that worked for me:

  1. Install root & client in current user -> personal folder.
  2. Install the certificate which comes along with the VPN client (extracted using 7z) in local machine -> trusted root.

Worked like a charm :)

karthi4all