L2TP Connection failed
Hi All,

I am trying to establish a certificate-based IPSec VPN connection between a Windows Server 2008 and a Windows XP client. When I connect, it shows "Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication."

On my server I have already deployed the "Computer" certificate template. On my client I have already requested the computer certificate and installed it on the XP client (through web enrollment). But it is still showing the above-mentioned error. Any idea how I can rectify this?

Thanks in advance,
Perumal
July 5th, 2011 12:44pm

Verify the client computer certificate by viewing the certificates in the local machine store using MMC and the Certificates snap-in (http://msdn.microsoft.com/en-us/library/ms788967.aspx); note that you must have local administrator permissions. Check as well that the issuing CA is trusted by the client computer: use the Certificates MMC snap-in from above and view the Trusted Root Certification Authority store to locate the issuing CA certificate in the list.

/Hasain
July 5th, 2011 8:03pm
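The checks Hasain describes (a machine certificate with a private key in the local machine Personal store, and an issuing CA that chains to a certificate in the Trusted Root store) can be scripted instead of clicked through in MMC. The following is an added example, not code from the thread; it assumes Windows PowerShell 3.0 or later with the Cert: drive (so it runs on the RRAS server or a Vista/7-or-newer client with the same store layout, not on the XP machine itself) and an elevated session.

```powershell
# Added example (not part of the original thread): list machine certificates in
# LocalMachine\My that could satisfy L2TP/IPsec machine authentication and report
# whether each one chains to a root present in LocalMachine\Root.
# Assumptions: Windows PowerShell 3.0+, run as local administrator.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (IKE requires an acceptable EKU or none)
$now = Get-Date

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
    # Accept certificates with no EKU restriction or with Client Authentication present
    ($_.EnhancedKeyUsageList.Count -eq 0 -or
     ($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $clientAuthOid)
}

if (-not $candidates) {
    Write-Warning 'No current machine certificate with a private key and a usable EKU in LocalMachine\My (Error 786 territory).'
    return
}

foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline sanity check only; IKE does its own revocation handling
    $chainOk = $chain.Build($cert)

    $rootInStore = $false
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootInStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                              Where-Object { $_.Thumbprint -eq $root.Thumbprint })
    }

    # Certificate Template extensions (v1 name or v2 OID) tell you which template issued it
    $template = $cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
        ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Expires      = $cert.NotAfter
        Template     = ($template -join '; ')
        ChainBuilds  = $chainOk
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        RootInStore  = $rootInStore
    }
}
```

A certificate that shows up in the Current User store but not in this output is the classic cause of Error 786: web enrollment with a user logon puts the certificate in CurrentUser\My unless the request was made for the computer. If a candidate is listed but ChainBuilds is False or RootInStore is False, import the issuing CA certificate (and any intermediates) into the machine stores, not the user stores, before retrying the L2TP connection.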

Hi All,

Yes, the client computer certificate is in the local machine store and it is trusted (I have the root CA cert in the Trusted Root Certification Authority store too). Does the client PC have to join the domain in order to connect to the VPN server?

I have currently set up an L2TP/IPSec VPN client on the WinXP machine. I have chosen the Extensible Authentication Protocol (EAP) option "Smart Card or other Certificate", and under its properties I have chosen "Use a certificate on this computer" and unchecked the "Validate server certificate" option. Is the above setup for the VPN client on the XP machine correct?

I have tried connecting using both a user cert and a machine cert. But in both cases, "Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication." is shown. Any idea what's the cause?

I requested the machine cert through the web using the Computer template available in Windows Server 2008. Is this the correct way to request a machine cert?

Thanks in advance,
Perumal
July 6th, 2011 5:01am

Hi Perumal,

Thank you for your post. Based on my test, L2TP/IPSec VPN works on non-domain clients. Please check the steps below:

1. Request a user cert via the cert web site http://CAServerip/certsrv (Request a certificate -- User certificate -- Submit), and download the CA trust certificate to a file (Download a CA certificate, certificate chain, or CRL -- Download CA certificate).
2. Import the trust certificate into the trusted CA store of both the computer certificate MMC and the user certificate MMC, then export the user cert to a file from the user certificate MMC and import it into the computer certificate MMC.
3. Configure the client VPN connection to use EAP (not Smart Card or other Certificate) -- select validate server certificate, select SA method Smart Card or other Certificate, click Configure -- select use a certificate on this computer, select validate server certificate.
4. On the NPS server, just duplicate the default RRAS network policy, enable the policy, click Constraints -- Authentication Methods -- edit EAP (PEAP) -- verify the NPS server certificate is listed.

If there are more inquiries on this issue, please feel free to let us know.

Regards,
Rick Tan
July 6th, 2011 12:59pm

When using L2TP/IPSec, two authentications occur. The IPSec connection is authenticated using computer certificates, if not optionally configured to use MD5/Shared Key authentication. The second authentication is the L2TP user auth; this can be any of PAP, CHAP, MSCHAP, MSCHAPv2 or any EAP-based authentication method.

If you want to use L2TP/IPSec with a user certificate, you need both a computer certificate installed in the computer personal store and a user certificate installed in the user personal store, as described by Rick Tan. Because IPSec does not perform certificate mapping, it is possible to use the same certificate for both computer and user authentication.

If you want to configure L2TP/IPSec using only password authentication, then you only need the computer certificate, as the user will provide a username and password.

/Hasain
July 6th, 2011 9:33pm
