PROBLEM: Clients keep getting error 0x8007274C when attempting to connect to the VPN server using SSTP.
SYMPTOMS:
- L2TP connections work great
--- L2TP connections generate RemoteAccess events in Event Viewer, but none whatsoever for the failed SSTP attempts
- Client CANNOT ACCESS https://vpn.mycompany.net/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}
- After several attempts to check and recheck the RRAS setup, I added the IIS role (much later) just to prove that the cert is valid.
--- If the server's RRAS service is disabled and IIS is enabled, the client is able to browse to that VPN server and the certificate checks out: http://vpn.mycompany.net and https://vpn.mycompany.net.
--- However, if the RRAS service is running, IIS does not respond to either HTTP or HTTPS traffic.
--- SSTP won't work whether or not WWW service is running.
- Port scanner tests against the VPN server reveal that ports 80 & 443 are not open when the RRAS service is running and the IIS service is stopped.
--- But when the RRAS service is stopped and IIS is running, ports 80 & 443 respond.
--- Not sure whether 443 is supposed to be open when only RRAS is running.
============================================================================
CLIENT:
============================================================================
- Vista SP1 (32-bit), Windows 7 (32-bit), Windows 7 x64 SP1
- CRL entry is resolvable
- vpn.mycompany.net certificate installed in Local Computer > Trusted Root CA
- SSTP Client connecting to FQDN vpn.mycompany.net
- Windows Firewall is DISABLED (for testing purposes)
- No Anti Virus nor Anti Malware protection running (for testing purposes)
- Can access other HTTPS sites
============================================================================
SERVER (Windows Server 2008 R2; Roles: DNS, AD, RRAS):
============================================================================
- 2 NICs (1 bound to an internal IP, 1 bound to an external IP addr)
-- External NIC bound to a valid ISP IP Address, with a FQDN vpn.mycompany.net
- Windows Firewall Service on Server DISABLED
- No other device in front of the external IP addr NIC
- IPV6 on RRAS DISABLED
- NO RRAS Inbound/Outbound filter at all
- Using external Certificate Authority
- Certs bound to port 443 seem to match in registry key HKLM\...\SstpSvc\Parameters
It seems that the VPN server is simply not accepting the SSTP traffic. I don't think we've even gotten to certificate negotiation.
I've been trying for a few days now and have consulted many SSTP online resources (MS and others) before posting.
I'm stumped. Any help would be greatly appreciated.
============================================================================
SERVER CONFIGURATION CHECKLIST:
============================================================================
SERVICE_NAME: remoteaccess
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
============================================================================
SERVICE_NAME: sstpsvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
============================================================================
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
TCP 192.168.2.109:3268 192.168.2.116:45443 ESTABLISHED 500
TCP [::]:443 [::]:0 LISTENING 4
UDP 0.0.0.0:59443 *:* 1616
UDP 0.0.0.0:60443 *:* 1616
UDP 0.0.0.0:61443 *:* 1616
============================================================================
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : 4cbfd1fc43d4fea1cd9dce519a0c0901330a343d
Application ID : {ba195980-cd49-458b-9e23-c84ee0adcd75}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier :
Ctl Store Name :
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : [::]:443
Certificate Hash : 4cbfd1fc43d4fea1cd9dce519a0c0901330a343d
Application ID : {ba195980-cd49-458b-9e23-c84ee0adcd75}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier :
Ctl Store Name :
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
============================================================================
Selected (some, not all) Info about Certificate bound to SSTP viewed through RRAS MMC:
--------------------------------------------------------------------------------------
Version: V3
Valid To: Thursday, August 30, 2012 6:59:59 PM
Subject:
CN = vpn.mycompany.net
OU = nsProtect Secure Xpress
OU = Domain Control Validated
Enhanced Key Usage:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
CRL Distribution Points:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://crl.netsolssl.com/NetworkSolutionsDVServerCA.crl
Thumbprint Algorithm: sha1
Thumbprint: 4c bf d1 fc 43 d4 fe a1 cd 9d ce 51 9a 0c 09 01 33 0a 34 3d
============================================================================
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SstpSvc\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
73,00,73,00,74,00,70,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"ServerURI"="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"
"ListenerPort"=dword:00000000
"UseHttps"=dword:00000001
"SHA1CertificateHash"=hex:4c,bf,d1,fc,43,d4,fe,a1,cd,9d,ce,51,9a,0c,09,01,33,\
0a,34,3d
"isHashConfiguredByAdmin"=dword:00000001
"SHA256CertificateHash"=hex:ee,06,d8,78,2a,8c,95,d6,a1,40,d1,80,77,2c,e5,4c,f9,\
83,a1,e4,94,60,82,28,3d,56,49,82,44,bc,1e,a9
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SstpSvc\Parameters\ConfigStore]
"ListenerPort"=dword:000001bb
"UseHttps"=dword:00000001
"V4CertPlumbedBySstp"=dword:00000000
"V6CertPlumbedBySstp"=dword:00000000
============================================================================
SELECTED EVENT VIEWER ENTRIES AFTER RESTART OF RRAS + SUCCESSFUL ATTEMPT OF L2TP (BUT NO ENTRIES AT ALL FOR SSTP CONN ATTEMPTS):
--------------------------------------------------------------------------------------------------------------------------------
Level Date and Time Source Event ID Task Category
Information 8/31/2011 11:36:42 AM Microsoft-Windows-Time-Service 37 None The time provider NtpClient is currently receiving valid time data from zeus.olympia.local (ntp.d|0.0.0.0:123->192.168.2.114:123).
Information 8/31/2011 11:35:22 AM RemoteAccess 20275 None CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user with ip address 192.168.2.145 has disconnected
Information 8/31/2011 11:35:22 AM RemoteAccess 20272 None CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user OLYMPIA\inul connected on port VPN2-15 on 8/31/2011 at 11:34 AM and disconnected on 8/31/2011 at 11:35 AM. The user was active for 0 minutes 32 seconds. 17264 bytes were sent and 21956 bytes were received. The reason for disconnecting was user request. The tunnel used was WAN Miniport (L2TP). The quarantine state was 'not nap-capable'.
Information 8/31/2011 11:34:57 AM Microsoft-Windows-Iphlpsvc 4200 None Isatap interface isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD} with address fe80::5efe:192.168.2.144 has been brought up.
Information 8/31/2011 11:34:51 AM Microsoft-Windows-UserPnp 20003 (7005) Driver Management has concluded the process to add Service tunnel for Device Instance ID ROOT\*ISATAP\0002 with the following status: 0.
Information 8/31/2011 11:34:50 AM RemoteAccess 20274 None CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user OLYMPIA\inul connected on port VPN2-15 has been assigned address 192.168.2.145
Information 8/31/2011 11:34:50 AM RemoteAccess 20250 None CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user OLYMPIA\inul has connected and has been successfully authenticated on port VPN2-15.
Information 8/31/2011 11:34:49 AM RemoteAccess 20088 None The Remote Access Server acquired IP Address 192.168.2.144 to be used on the Server Adapter.
Information 8/31/2011 11:30:26 AM Microsoft-Windows-HttpEvent 15007 None Reservation for namespace identified by URL prefix https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ was successfully added.
Information 8/31/2011 11:30:26 AM Microsoft-Windows-HttpEvent 15008 None Reservation for namespace identified by URL prefix https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ was successfully deleted.
Information 8/31/2011 11:30:26 AM Service Control Manager 7036 None The Application Layer Gateway Service service entered the running state.
Information 8/31/2011 11:30:26 AM Service Control Manager 7036 None The Routing and Remote Access service entered the running state.
Error 8/31/2011 11:30:26 AM RemoteAccess 20106 None Unable to add the interface {BBF2BA88-DCC5-4D36-9256-E1C8AF602467} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.
Error 8/31/2011 11:30:26 AM RemoteAccess 20106 None Unable to add the interface {DF914ECC-AC6A-441E-A47C-57CE90C7F8B0} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.
Information 8/31/2011 11:30:21 AM Service Control Manager 7036 None The Routing and Remote Access service entered the stopped state.
Information 8/31/2011 11:30:20 AM Service Control Manager 7036 None The Application Layer Gateway Service service entered the stopped state.
Information 8/31/2011 11:30:01 AM Microsoft-Windows-Eventlog 104 Log clear The System log file was cleared.
============================================================================
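The server configuration checklist in the post (sc query, netstat, netsh http show sslcert, the SstpSvc registry keys, the HttpEvent reservation and the event log) can be gathered and cross-checked in one pass. The script below is an added example written for this page; it is not code from the original post or from Microsoft. It runs in an elevated PowerShell on the RRAS server. The application ID, the SstpSvc registry path and the sra_ URL prefix are the values visible in the post above; the FQDN is an assumption to replace with your own, and the 'RasSstp' event source used in the last step is also an assumption.

```powershell
# Added example (not from the original post): cross-check an RRAS/SSTP listener on
# Windows Server 2008 R2. Run in an elevated PowerShell on the VPN server.

$Fqdn      = 'vpn.mycompany.net'                        # ASSUMED: replace with your own FQDN
$SstpAppId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'   # from the post's netsh sslcert output
$ParamKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'

function Get-SstpRegistryConfig {
    # SHA1CertificateHash is REG_BINARY; render it as the lowercase hex thumbprint
    $p = Get-ItemProperty -Path $ParamKey -ErrorAction Stop
    $hash = ($p.SHA1CertificateHash | ForEach-Object { $_.ToString('x2') }) -join ''
    New-Object PSObject -Property @{
        Thumbprint     = $hash
        HashSetByAdmin = [bool]$p.isHashConfiguredByAdmin
        ServerUri      = $p.ServerURI
        UseHttps       = [bool]$p.UseHttps
    }
}

function Get-Ssl443Bindings {
    # Parse 'netsh http show sslcert' into one object per HTTP.sys binding on port 443
    $bindings = @(); $cur = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($cur) { $bindings += New-Object PSObject -Property $cur }
            $cur = @{ IpPort = $Matches[1]; Hash = $null; AppId = $null }
        } elseif ($cur -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $cur.Hash = $Matches[1].ToLower()
        } elseif ($cur -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') {
            $cur.AppId = $Matches[1].ToLower()
        }
    }
    if ($cur) { $bindings += New-Object PSObject -Property $cur }
    $bindings | Where-Object { $_.IpPort -like '*:443' }
}

function Test-SstpTlsEndpoint {
    # Open a raw TLS session to the listener and return the thumbprint it presents.
    # Chain validation is deliberately bypassed in the callback so the cert is visible
    # even when the chain is broken: this is a diagnostic, never production code.
    param([string]$Target, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Target, $Port)
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Fqdn)   # host name exactly as the SSTP client would send it
        $ssl.RemoteCertificate.GetCertHashString().ToLower()
    } finally { $tcp.Close() }
}

# 1. Registry hash vs HTTP.sys binding vs certificate in LocalMachine\My
$reg  = Get-SstpRegistryConfig
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $reg.Thumbprint }
"SstpSvc registry hash : $($reg.Thumbprint) (admin-set: $($reg.HashSetByAdmin), UseHttps: $($reg.UseHttps))"
foreach ($b in (Get-Ssl443Bindings)) {
    $ok = ($b.Hash -eq $reg.Thumbprint) -and ($b.AppId -eq $SstpAppId)
    "Binding $($b.IpPort): hash=$($b.Hash) appid=$($b.AppId) matches SSTP: $ok"
}
if (-not $cert) { "FAIL: no certificate with thumbprint $($reg.Thumbprint) in LocalMachine\My" }
else {
    "Cert subject $($cert.Subject) expires $($cert.NotAfter) private key present: $($cert.HasPrivateKey)"
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    "Server Authentication EKU present: $([bool]($eku -and $eku.Format($false) -match '1\.3\.6\.1\.5\.5\.7\.3\.1'))"
}

# 2. HTTP.sys URL reservation for the SSTP URI (what HttpEvent 15007 in the post announces)
$prefix = "https://+:443$($reg.ServerUri)"
"URL reservation $prefix present: $([bool]((netsh http show urlacl) -match [regex]::Escape($prefix)))"

# 3. Who holds 443? PID 4 = System, i.e. HTTP.sys, which is what SSTP expects
netstat -ano | Select-String ':443\s' | ForEach-Object { "netstat: $_" }

# 4. Does the listener complete a TLS handshake, and with which certificate?
try   { "Presented by $Fqdn`:443 -> $(Test-SstpTlsEndpoint $Fqdn)  (expected $($reg.Thumbprint))" }
catch { "FAIL: TLS handshake to $Fqdn`:443 failed: $($_.Exception.Message)" }

# 5. Server-side SSTP events; the 'RasSstp' source name is an assumption, and none may exist yet
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RasSstp' } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Step 4 is the one that settles the question the post raises about whether certificate negotiation is ever reached: a thumbprint coming back means HTTP.sys answered on 443 with the bound certificate, and a socket or handshake error means the traffic never got that far. Two caveats for anyone adapting this: the bypass-everything validation callback belongs in a diagnostic only, and the binding shown in the post (0.0.0.0:443 plus the wildcard https://+:443/sra_... reservation) means HTTP.sys serves the SSTP endpoint on every interface, including the internal NIC, so with the Windows Firewall service disabled nothing scopes that exposure.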