SSTP problem on Windows Server 2008 r2, clients getting error 0x8007274C
PROBLEM: Clients keep getting error 0x8007274C when attempting to connect to the VPN server using SSTP.

SYMPTOMS:
- L2TP connections work great
  --- L2TP connections generate RemoteAccess events in Event Viewer, but none whatsoever for the failed SSTP attempts
- Client CANNOT ACCESS https://vpn.mycompany.net/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}
- After several attempts to check and recheck RRAS setup, added IIS role (much later) just to prove that the cert is valid.
  --- If the server's RRAS service is disabled and IIS enabled, the client is able to browse to that VPN server and the certificate checks out: http://vpn.mycompany.net & https://vpn.mycompany.net.
  --- However, if the RRAS service is running, IIS would not respond to either HTTP or HTTPS traffic.
  --- SSTP won't work whether or not the WWW service is running.
- Port scanner tests to the VPN server reveal that ports 80 & 443 are not open when the RRAS service is running and the IIS service is stopped.
  --- But, when the RRAS service is stopped and IIS is running, ports 80 & 443 respond.
  --- Not sure whether 443 is supposed to be open when only RRAS is running.
============================================================================
CLIENT:
============================================================================
- Vista SP1 (32-bit), Windows 7 (32-bit), Windows 7 x64 SP1
- CRL entry is resolvable
- vpn.mycompany.net certificate installed in Local Computer > Trusted Root CA
- SSTP client connecting to FQDN vpn.mycompany.net
- Windows Firewall is DISABLED (for testing purposes)
- No anti-virus nor anti-malware protection running (for testing purposes)
- Can access other HTTPS sites

============================================================================
SERVER (Windows 2008 Svr R2; Roles: DNS, AD, RRAS):
============================================================================
- 2 NICs (1 bound to an internal IP, 1 bound to an external IP addr)
  -- External NIC bound to a valid ISP IP address, with a FQDN vpn.mycompany.net
- Windows Firewall service on server DISABLED
- No other device in front of the external IP addr NIC
- IPv6 on RRAS DISABLED
- NO RRAS inbound/outbound filter at all
- Windows Firewall service disabled
- Using external Certificate Authority
- Certs bound to port 443 seem to match in registry key HKLM\...\SstpSvc\Parameters

It seems that the VPN server is simply not accepting the SSTP traffic. I don't think we've even gotten to certificate negotiation. Been trying for a few days now, have consulted many SSTP online resources (MS and others) before posting. Am stumped. Any help would be greatly appreciated.
============================================================================
SERVER CONFIGURATION CHECKLIST:
============================================================================
SERVICE_NAME: remoteaccess
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
============================================================================
SERVICE_NAME: sstpsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
============================================================================
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    192.168.2.109:3268     192.168.2.116:45443    ESTABLISHED     500
  TCP    [::]:443               [::]:0                 LISTENING       4
  UDP    0.0.0.0:59443          *:*                                    1616
  UDP    0.0.0.0:60443          *:*                                    1616
  UDP    0.0.0.0:61443          *:*                                    1616
============================================================================
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 4cbfd1fc43d4fea1cd9dce519a0c0901330a343d
    Application ID               : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               :
    Ctl Store Name               :
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    IP:port                      : [::]:443
    Certificate Hash             : 4cbfd1fc43d4fea1cd9dce519a0c0901330a343d
    Application ID               : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               :
    Ctl Store Name               :
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
============================================================================
Selected (some, not all) info about the certificate bound to SSTP, viewed through the RRAS MMC:
--------------------------------------------------------------------------------------
Version: V3
Valid To: Thursday, August 30, 2012 6:59:59 PM
Subject:
    CN = vpn.mycompany.net
    OU = nsProtect Secure Xpress
    OU = Domain Control Validated
Enhanced Key Usage:
    Server Authentication (1.3.6.1.5.5.7.3.1)
    Client Authentication (1.3.6.1.5.5.7.3.2)
CRL Distribution Points:
    [1]CRL Distribution Point
        Distribution Point Name:
            Full Name:
                URL=http://crl.netsolssl.com/NetworkSolutionsDVServerCA.crl
Thumbprint Algorithm: sha1
Thumbprint: 4c bf d1 fc 43 d4 fe a1 cd 9d ce 51 9a 0c 09 01 33 0a 34 3d
============================================================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SstpSvc\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  73,00,73,00,74,00,70,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"ServerURI"="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"
"ListenerPort"=dword:00000000
"UseHttps"=dword:00000001
"SHA1CertificateHash"=hex:4c,bf,d1,fc,43,d4,fe,a1,cd,9d,ce,51,9a,0c,09,01,33,\
  0a,34,3d
"isHashConfiguredByAdmin"=dword:00000001
"SHA256CertificateHash"=hex:ee,06,d8,78,2a,8c,95,d6,a1,40,d1,80,77,2c,e5,4c,f9,\
  83,a1,e4,94,60,82,28,3d,56,49,82,44,bc,1e,a9

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SstpSvc\Parameters\ConfigStore]
"ListenerPort"=dword:000001bb
"UseHttps"=dword:00000001
"V4CertPlumbedBySstp"=dword:00000000
"V6CertPlumbedBySstp"=dword:00000000
============================================================================
SELECTED EVENT VIEWER ENTRIES AFTER RESTART OF RRAS + SUCCESSFUL ATTEMPT OF L2TP (BUT NO ENTRIES AT ALL FOR SSTP CONN ATTEMPTS):
--------------------------------------------------------------------------------------------------------------------------------
Level        Date and Time          Source                          Event ID  Task Category

Information  8/31/2011 11:36:42 AM  Microsoft-Windows-Time-Service  37        None
    The time provider NtpClient is currently receiving valid time data from zeus.olympia.local (ntp.d|0.0.0.0:123->192.168.2.114:123).
Information  8/31/2011 11:35:22 AM  RemoteAccess                    20275     None
    CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user with ip address 192.168.2.145 has disconnected
Information  8/31/2011 11:35:22 AM  RemoteAccess                    20272     None
    CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user OLYMPIA\inul connected on port VPN2-15 on 8/31/2011 at 11:34 AM and disconnected on 8/31/2011 at 11:35 AM. The user was active for 0 minutes 32 seconds. 17264 bytes were sent and 21956 bytes were received. The reason for disconnecting was user request. The tunnel used was WAN Miniport (L2TP). The quarantine state was 'not nap-capable'.
Information  8/31/2011 11:34:57 AM  Microsoft-Windows-Iphlpsvc      4200      None
    Isatap interface isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD} with address fe80::5efe:192.168.2.144 has been brought up.
Information  8/31/2011 11:34:51 AM  Microsoft-Windows-UserPnp       20003     (7005)
    Driver Management has concluded the process to add Service tunnel for Device Instance ID ROOT\*ISATAP\0002 with the following status: 0.
Information  8/31/2011 11:34:50 AM  RemoteAccess                    20274     None
    CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user OLYMPIA\inul connected on port VPN2-15 has been assigned address 192.168.2.145
Information  8/31/2011 11:34:50 AM  RemoteAccess                    20250     None
    CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user OLYMPIA\inul has connected and has been successfully authenticated on port VPN2-15.
Information  8/31/2011 11:34:49 AM  RemoteAccess                    20088     None
    The Remote Access Server acquired IP Address 192.168.2.144 to be used on the Server Adapter.
Information  8/31/2011 11:30:26 AM  Microsoft-Windows-HttpEvent     15007     None
    Reservation for namespace identified by URL prefix https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ was successfully added.
Information  8/31/2011 11:30:26 AM  Microsoft-Windows-HttpEvent     15008     None
    Reservation for namespace identified by URL prefix https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ was successfully deleted.
Information  8/31/2011 11:30:26 AM  Service Control Manager         7036      None
    The Application Layer Gateway Service service entered the running state.
Information  8/31/2011 11:30:26 AM  Service Control Manager         7036      None
    The Routing and Remote Access service entered the running state.
Error        8/31/2011 11:30:26 AM  RemoteAccess                    20106     None
    "Unable to add the interface {BBF2BA88-DCC5-4D36-9256-E1C8AF602467} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function."
Error        8/31/2011 11:30:26 AM  RemoteAccess                    20106     None
    "Unable to add the interface {DF914ECC-AC6A-441E-A47C-57CE90C7F8B0} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function."
Information  8/31/2011 11:30:21 AM  Service Control Manager         7036      None
    The Routing and Remote Access service entered the stopped state.
Information  8/31/2011 11:30:20 AM  Service Control Manager         7036      None
    The Application Layer Gateway Service service entered the stopped state.
Information  8/31/2011 11:30:01 AM  Microsoft-Windows-Eventlog      104       Log clear
    The System log file was cleared.
============================================================================
September 1st, 2011 11:02am
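The dumps in the post above come from three separate places that have to agree for an SSTP listener to work: the SstpSvc registry parameters, the http.sys SSL binding on 443, and the http.sys URL reservation for /sra_{...}/. This added script (not from the thread or from Microsoft) cross-checks all three on the RRAS server so a mismatch shows up in one run; it assumes an elevated PowerShell on Windows Server 2008 R2 and uses only the registry path, binding fields and netsh commands already visible in the post.

```powershell
# Added example: consistency check of the SSTP listener on a Windows Server 2008 R2 RRAS box.
# Run elevated on the server itself.

$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$params = Get-ItemProperty -Path $regKey

# SHA1CertificateHash is REG_BINARY; render as lower-case hex so it compares with netsh output.
$regHash = ($params.SHA1CertificateHash | ForEach-Object { $_.ToString('x2') }) -join ''
"SstpSvc registry hash   : $regHash"
"SstpSvc ServerURI       : $($params.ServerURI)"

# Is that certificate present in the machine MY store, and does it carry its private key?
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $regHash.ToUpper() }
if (-not $cert) {
    Write-Warning 'Hash in registry does not match any certificate in LocalMachine\My.'
} elseif (-not $cert.HasPrivateKey) {
    Write-Warning 'Bound certificate has no private key; the TLS handshake cannot complete.'
} else {
    "Certificate in MY store : $($cert.Subject), expires $($cert.NotAfter)"
}

# Does the http.sys SSL binding on the IPv4 wildcard carry the same hash?
$sslcert  = netsh http show sslcert ipport=0.0.0.0:443
$bindHash = $sslcert | Select-String 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})' | Select-Object -First 1
if ($bindHash) {
    $bindHash = $bindHash.Matches[0].Groups[1].Value.ToLower()
    "http.sys binding hash   : $bindHash"
    if ($bindHash -ne $regHash) { Write-Warning 'Registry hash and http.sys SSL binding disagree.' }
} else {
    Write-Warning 'No SSL binding on 0.0.0.0:443; http.sys cannot terminate TLS for SSTP.'
}

# Is the /sra_{...}/ namespace reserved (the HttpEvent 15007 in the post records SstpSvc adding it)?
$reserved = netsh http show urlacl | Select-String 'sra_\{'
if (-not $reserved) { Write-Warning 'No /sra_{...}/ URL reservation found; is SstpSvc actually running?' }

# Is TCP 443 listening, and is it owned by PID 4 (System, i.e. http.sys) rather than another process?
$listeners = netstat -ano -p tcp | Select-String '^\s*TCP\s+\S+:443\s+\S+\s+LISTENING\s+(\d+)'
if (-not $listeners) { Write-Warning 'Nothing is listening on TCP 443.' }
foreach ($l in $listeners) {
    $owner = $l.Matches[0].Groups[1].Value
    "TCP 443 listener        : $($l.Line.Trim())"
    if ($owner -ne '4') { Write-Warning "Port 443 is owned by PID $owner, not http.sys; another service holds it." }
}
```

A listener that passes every check here but is unreachable from other hosts is being filtered between the NIC and http.sys, which is where the port-scan results in the post point.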

Hi, I'm in the exact same situation and for once Google is of no help. I have tried to get a simple connection through to my server (by using "telnet vpn.myserver.com 443") but it will only time out. After deactivating the Windows firewall on the VPN box (which is a virtual machine on a Hyper-V R2 SP1) I can locally telnet the VPN box and even get the special URL (https://vpn.myserver.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/) to work. But this only works on the VPN box itself; no other server or client is able to contact it. I have tried to connect from another server sitting next to the VPN box and in the same subnet (public IPs) but couldn't connect either. PPTP and L2TP connections are working but not SSTP. Another approach was to manually bind http.sys to specific IPs. No change.

I'm fresh out of ideas. Anyone?

regards,
ck
September 5th, 2011 3:56pm
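The telnet test in the reply above only exercises the TCP stage. This added client-side probe (not from the thread) separates the three stages an SSTP client goes through before the server logs anything: TCP connect to 443, TLS handshake with a comparison against the thumbprint the server claims to have bound, and an HTTP request to the /sra_{...}/ namespace. The host name and thumbprint are the values posted in the thread and should be replaced with your own; it runs on Windows 7 / PowerShell 2.0 without Test-NetConnection.

```powershell
# Added example: staged reachability probe of an SSTP listener, run from a client.
$VpnHost            = 'vpn.mycompany.net'                             # from the thread; substitute
$ExpectedThumbprint = '4cbfd1fc43d4fea1cd9dce519a0c0901330a343d'       # from the thread; substitute
$SraUri             = "https://$VpnHost/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"

# Stage 1: TCP. A port that netstat shows LISTENING on the server but that times out here is
# being filtered between client and http.sys; no certificate is involved at this stage.
$tcp   = New-Object System.Net.Sockets.TcpClient
$async = $tcp.BeginConnect($VpnHost, 443, $null, $null)
if (-not $async.AsyncWaitHandle.WaitOne(5000, $false)) {
    throw "TCP connect to ${VpnHost}:443 timed out; the listener is not reachable from this host."
}
$tcp.EndConnect($async)
"TCP 443 reachable."

# Stage 2: TLS. The callback accepts any certificate only so the handshake completes and the
# presented certificate can be inspected; the explicit thumbprint comparison is the real check.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($VpnHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"TLS handshake OK. Subject: $($cert.Subject); thumbprint: $($cert.Thumbprint.ToLower())"
if ($cert.Thumbprint.ToLower() -ne $ExpectedThumbprint) {
    Write-Warning 'Presented certificate is not the one SstpSvc has bound; check the sslcert binding.'
}
$ssl.Close(); $tcp.Close()

# Stage 3: HTTP. Any HTTP status at all proves http.sys routed the request into the SSTP
# namespace; no response here while stages 1 and 2 passed points at SstpSvc itself.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$req = [System.Net.HttpWebRequest]::Create($SraUri)
$req.Method  = 'HEAD'
$req.Timeout = 5000
try {
    $resp = $req.GetResponse()
    "HTTP $([int]$resp.StatusCode) from $SraUri"
    $resp.Close()
} catch [System.Net.WebException] {
    if ($_.Exception.Response) { "HTTP $([int]$_.Exception.Response.StatusCode) from $SraUri" }
    else { Write-Warning "No HTTP response from $SraUri ($($_.Exception.Status))" }
}
```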

Hi, everything you have listed above I have an issue with as well. What's worse is that one PC connects OK but after that no one can, with that same error. I'm very close to giving up and trying another, more reliable product.
September 3rd, 2012 1:23am
