2008 Remote Access/SSTP
Hi all,

This is driving me really crazy! I installed a Routing and Remote Access Server on a Windows 2008 server, following the instructions from a training video as follows.

1. Installed the Active Directory Certificate Services.
2. Requested a certificate and installed it on the server.
3. Installed the RRAS Service and configured it.
4. Installed the certificate from the Certificate Authority server on the client, which is a computer at home.

Unfortunately, I keep getting the message "The certificate's CN does not match the passed value". The CN I used when I created the "Server Authentication" certificate was "vpn1.mydomain.com", which is pointing to our public IP address. When I created the VPN connection, I used "vpn1.mydomain.com" as the host name when I try to connect using SSTP.

What am I doing wrong? Does the CN have to be anything special? According to the video, this must match the name used as the host on the VPN connection. The VPN connection works fine with PPTP.

Help please!!! Thanks in advance.
September 2nd, 2010 9:32pm

Hi,

Thanks for the post. This issue may occur if the host name of the server that is specified in the VPN connection does not match the subject name that is specified on the SSL certificate that the server submits to the client computer.

Please verify that the certificate which the RAS server uses for SSL has the correct subject name. For example, if the VPN client is configured to use the FQDN to connect to the VPN server, the certificate used by the VPN server must have the FQDN in the subject name. The same applies if the client is configured to use the IP address (IPv4 or IPv6) of the VPN server. If the appropriately-named certificate is not present on the RAS server, you must obtain a new certificate for the RAS server.

For changing the SSTP machine certificate, you could refer to the following article: http://blogs.technet.com/b/rrasblog/archive/2007/11/08/do-you-want-to-change-the-certificate-used-by-the-sstp-server-read-how.aspx

Hope this helps.

Miles

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 3rd, 2010 1:43pm

Miles,

Thanks for the reply. As stated in my post, vpn1.mydomain.com is a registered name, which is pointing to our public IP address. In other words, I added the "vpn1.mydomain.com" name to our GoDaddy account. When I requested the server certificate, I used "vpn1.mydomain.com" in the "Name:" field. When I review the certificate, the subject has this same name.

What I noticed, however, is that when the certificate is installed on the client workstation, using http://vpn1.mydomain.com/certsrv, the only certificate available, which I installed, has "CN = mydomain-servername-CA" under the subject. So it seems to me that the client gets the Certificate Authority certificate installed, not the one with the "vpn1.mydomain.com" subject. Is this how it is supposed to be? Even the video I watched for the CA configuration shows the CA certificate on the client, not the one with "vpn.domain.com".

Thanks.
September 3rd, 2010 5:51pm

Miles,

After doing more research, I think I found what the problem might be. We have an Exchange server, which is also using port 443 for SSL. So, on a post, somebody suggested using the following address on the client computer to see the certificate being used: "https://vpn1.mydomain.com/sra_%7BBA195980-CD49-458b-9E23-C84EE0ADCD75%7D/". To my surprise, the client computer is using somemail.exchange.com, which is our Exchange SSL certificate.

Why is this happening? What do I have to do to have the client use the certificate of vpn1.mydomain.com for SSTP, instead of somemail.exchange.com?

Thanks in advance.
September 8th, 2010 8:39pm

Hi,

Thanks for the update. Please check if the following article could help you on this issue: http://blogs.technet.com/b/rrasblog/archive/2009/02/11/sstp-certificate-selection.aspx

Thanks,

Miles
September 9th, 2010 7:39am
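
The check the thread converges on (which certificate does the listener on port 443 actually present, and does it cover the name typed into the VPN connection?) can be scripted. The following is an added example, not code from the thread or from Microsoft; the sample certificates are constructed from the names in the posts, and the matcher applies the general TLS rule that DNS entries in subjectAltName take precedence over the subject CN, which goes beyond the "subject name" wording used above.

```python
import socket
import ssl
import sys

# Constructed samples in ssl.getpeercert() format (names taken from the thread).
EXCHANGE_CERT = {"subject": ((("commonName", "somemail.exchange.com"),),)}
VPN_CERT = {"subject": ((("commonName", "vpn1.mydomain.com"),),),
            "subjectAltName": (("DNS", "vpn1.mydomain.com"),)}

def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def check(cert, host):
    """Compare the name typed into the VPN connection with the served cert."""
    names = cert_names(cert)
    return {"host": host, "names": names,
            "match": any(name_matches(n, host) for n in names)}

def fetch_cert(host, port=443, cafile=None):
    """Fetch the certificate the listener on host:port presents.
    cafile: PEM export of the private CA certificate (assumed file)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False   # chain is still verified; names compared in check()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    if len(sys.argv) > 1:        # usage: script.py vpn1.mydomain.com [ca.pem]
        cert = fetch_cert(sys.argv[1], cafile=(sys.argv[2:] or [None])[0])
        print(check(cert, sys.argv[1]))
    else:                        # offline run on the constructed samples
        for sample in (EXCHANGE_CERT, VPN_CERT):
            print(check(sample, "vpn1.mydomain.com"))
```

If the presented chain does not verify against the supplied CA file, `wrap_socket` raises `ssl.SSLCertVerificationError` before any name comparison happens.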

This topic is archived. No further replies will be accepted.
