VPN Connection using certificates
Hello,

Just making first steps using Vista on my spare notebook, trying to establish a VPN between it and my company. We use CheckPoint VPN-1 with certificates. The certificate is imported into the personal certificate store and the VPN connection is configured as follows:
- L2TP
- EAP with certificate - use a cert on this computer (tested both simple cert selection and standard)

When I try to connect, I get "Cannot load dialog Error 0x80420100: There was an unknown error." Could it be the dialog allowing me to select the certificate bringing up this box? Any clue?

Thanks,
Nick
October 6th, 2006 4:20pm

I'm having the same issue. Did you find the answer or a solution? TIA, Terry
October 28th, 2006 9:23pm

Unfortunately not (yet)... would be interesting to know, if RC2 has the same issue.
November 5th, 2006 8:46pm

Yep - I was working with RC2 when I found the error...
November 6th, 2006 2:25pm

L2TP/IPsec still requires a "machine certificate". Once the L2TP/IPsec connection is up you may be doing additional authentication with EAP-TLS and a certificate, but this is considered a personal certificate.
November 19th, 2006 4:49pm
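As an added example (not code posted in this thread), the following PowerShell script checks the two client-side certificate prerequisites the post above describes: a machine certificate with a private key in the computer store for the IPsec tunnel, and a user certificate with a private key and the Client Authentication EKU in the user's personal store for EAP-TLS. It also confirms that each one chains to a root the machine trusts, which is what the "Trusted Root" imports elsewhere in the thread are meant to achieve. It assumes Windows PowerShell with the Cert: provider and uses only the standard store paths.

```powershell
# Added example, not code from the thread. Checks the two client-side certificate
# prerequisites this post describes for L2TP/IPsec with EAP-TLS:
#   1. a machine certificate with a private key in Cert:\LocalMachine\My (used by IPsec)
#   2. a user certificate with a private key and the Client Authentication EKU in
#      Cert:\CurrentUser\My (used by EAP-TLS)
# and confirms each one chains to a root the machine trusts. Assumes Windows
# PowerShell with the Cert: provider; no names or paths beyond the standard stores.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-ChainTrusted {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Build the path to a trusted root without fetching CRLs, so the check works offline.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    if (-not $ok) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning ("{0}: {1}" -f $Cert.Subject, $s.StatusInformation.Trim())
        }
    }
    return $ok
}

function Test-HasClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Walk the EKU extension directly (pure .NET), independent of PowerShell version.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthOid) { return $true }
            }
        }
    }
    return $false
}

function Get-UsableCerts {
    param([string]$StorePath, [switch]$RequireClientAuth)
    $now = Get-Date
    Get-ChildItem $StorePath |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -lt $now -and $_.NotAfter -gt $now } |
        Where-Object { (-not $RequireClientAuth) -or (Test-HasClientAuthEku $_) } |
        Where-Object { Test-ChainTrusted $_ }
}

$machineCerts = @(Get-UsableCerts 'Cert:\LocalMachine\My')
$userCerts    = @(Get-UsableCerts 'Cert:\CurrentUser\My' -RequireClientAuth)

if ($machineCerts.Count -eq 0) {
    Write-Warning 'No trusted, valid machine certificate with a private key in Cert:\LocalMachine\My; the IPsec tunnel cannot authenticate.'
} else {
    'Machine certificate(s) usable for IPsec:'
    $machineCerts | Format-Table Subject, NotAfter, Thumbprint -AutoSize
}
if ($userCerts.Count -eq 0) {
    Write-Warning 'No trusted, valid user certificate with Client Authentication EKU and a private key in Cert:\CurrentUser\My; EAP-TLS has nothing to offer.'
} else {
    'User certificate(s) usable for EAP-TLS:'
    $userCerts | Format-Table Subject, NotAfter, Thumbprint -AutoSize
}
```

Run it in the user context that will dial the connection. Reading Cert:\LocalMachine\My does not need elevation, so the script can be run as a normal user; a warning from Test-ChainTrusted names the certificate and the chain problem (untrusted root, expired intermediate, and so on) rather than just reporting a failure.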

Are you behind NAT? Then a registry key is necessary (the key is different than on XP):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule
This key should be created and set to 2 (DWORD) to allow server-side NAT.
November 27th, 2006 11:09am
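As an added example (not code from the thread), this PowerShell script reads the IPsec NAT-T rule value the post above names and, from an elevated prompt, can create it. The value is a DWORD under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent; its documented meanings (Microsoft KB 926179) are 0 for the default (no security associations to a server behind NAT), 1 for a server behind a NAT device, and 2 for both the server and the client behind NAT devices. The script assumes only Windows PowerShell; nothing in it is site-specific.

```powershell
# Added example, not code from the thread. Reads (and, from an elevated prompt,
# optionally sets) the IPsec NAT-T rule that MiroK's post names. The value is a
# DWORD under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent; its documented
# meanings (Microsoft KB 926179) are:
#   0 = default: no IPsec security associations to a server behind NAT
#   1 = server behind a NAT device
#   2 = both the server and the client behind NAT devices
# A change takes effect only after the IPsec services restart (a reboot is the
# safe way on Vista). Assumes Windows PowerShell; nothing else is site-specific.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'
$Meaning   = @{
    0 = 'default: no SAs to a server behind NAT'
    1 = 'server behind NAT'
    2 = 'server and client behind NAT'
}

function Get-NatTRule {
    # Returns the current DWORD, or $null when the value has never been created.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-NatTRule {
    param([int]$Value)
    if ($Value -lt 0 -or $Value -gt 2) { throw "Value must be 0, 1 or 2, got $Value" }
    # Set-ItemProperty creates the DWORD when it does not exist yet; requires an elevated shell.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value -Type DWord
}

function Show-NatTRule {
    $current = Get-NatTRule
    if ($null -eq $current) {
        "$ValueName is not set (behaves as 0: $($Meaning[0]))"
    } elseif ($Meaning.ContainsKey($current)) {
        "$ValueName = $current ($($Meaning[$current]))"
    } else {
        "$ValueName = $current (undocumented value; expected 0, 1 or 2)"
    }
}

Show-NatTRule
# To apply the setting the post recommends, run from an elevated prompt and then reboot:
#   Set-NatTRule 2
#   Show-NatTRule
```

Reading the value needs no elevation, so Show-NatTRule is a safe first check on any client that cannot bring up the IPsec tunnel through a NAT device; only Set-NatTRule writes to HKLM.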

MiroK wrote:
> Are you behind NAT? Then a registry key is necessary (the key is different than on XP): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule. This key should be created and set to 2 (DWORD) to allow server-side NAT.

Doesn't help.
July 29th, 2007 1:58pm

You simply receive this message while there are no user certificates on your computer.
--
Cheers,
The dNetGuru
February 29th, 2008 3:17am

... Let the WoW begin...

I have literally tried everything now. I read the following MS articles: http://support.microsoft.com/default.aspx/kb/922706 and http://www.microsoft.com/downloads/details.aspx?FamilyId=FFAEC8B2-99E0-427A-8110-2F745059A02D&displaylang=en But still, I am getting the same error.

Then, I downloaded Process Monitor from Microsoft, enabled and removed everything from its filter, and then monitored when I was dialing into my servers. I could see an AccessDenied problem when the NetworkService was trying to read the HKCU\Software\Microsoft\Windows\CurrentVersion\Telephony\Locations key. I gave the right permissions there and checked again; even when no AccessDenied error was coming up this time, I still could not get the darn thing to work.

Then I thought, maybe the error is occurring because there are no user certificates installed, so I went in, downloaded the certs manually from the server (exporting them manually from the server's CertManager), copied them across to the client, and then used MMC (Start, Run, MMC, Enter), used File -> Add/Remove Snap-in to add the Local Computer Certificates and the User Certificates, went to the Trusted Root and imported the domain's root cert there, also went to the user's certs and imported the cert there too. When I right-click on the Dial-Up Connection -> Properties -> Security -> Certificates, I can see both my Domain-CA and the User Cert; I ticked both, and then tried again, ... guess what... still the same error.

Then I thought, could it be because IE7 isn't supporting the ActiveX properly, or xenroll.dll not being there in Vista/2008 by default? I copied the DLL from a Win2K release I have somewhere, and then regsvr32'd it into the system; this time I used the Firefox browser, the ActiveX and all that worked, and the cert was installed there, but still, same error when trying to connect via the cert ...

I don't know how we are supposed to work with a new server that has the following problems:
1) The browser is pretty much crippled and does not trust anything, not even the Microsoft sites.
2) The browser does not come with the standard XEnroll.DLL by default, and is therefore incompatible with pretty much all the existing servers out there.
3) The browser does not come with Java enabled (or does not even support it), therefore you have to install the Sun Java, and wait to hear the better one: you are doomed if you try to use the 64-bit version of the OS (Windows 2008 / Vista), as it's not compatible with the 64-to-32-bit-emulated Sun JVM; therefore, you cannot even open the MS site to send feedback, since their site must use a script + Java...
4) The VPN wouldn't work for any certs, period. You cannot use any certificates to connect; it fails on something that I am still trying to find out what the heck it is... and why Microsoft has not really seen this before just yet.
5) The really ugly Explorer that keeps forgetting your settings (re-grouping items together, or changing the icon display, etc.).
6) The shortcut keys that have disappeared. I used to love pressing CTRL+ALT+DEL and then "T" for Task Manager to see things; now, I have to use the mouse to "click" on the thing...

Anyhow, I think I've spoken too much about Windows as opposed to the VPN/CERT problem itself. I am going to try some other things to see where this whole thing is failing (items on my list for future testing):
1) Checking DCOM, maybe one component there is failing.
2) Probably writing a small piece of VB/VC code to try to connect in another way somewhere to see where the problem is.
3) Hoping that Microsoft would wake up, start looking into this serious problem, and generate a fix for this mess.
4) Probably dive into and debug some Windows components to see if I can spot anything...
5) Don't know... will keep thinking...

I just wonder, Windows 2000 Server was a much better system than Windows 2008 Server. XP/2003 was a system in between; however, this 2008/Vista is so bad that it keeps causing problems, with half the needed user functionality being disabled, and a longer time to reach a setup screen to change something. Having said that, I have been with MS for a long time, and I hate to move to another vendor due to this history, but, honestly, I am considering moving away to any other stable OS that I can use to do my job at the end of the day. I will send another post later with an update (shorter than this one), hopefully with the right fix.

Regards,
Heider.
March 5th, 2008 6:14pm

Finally!!!... Just solved this b*tch problem... This solution works for all services, including Win2K, 2003, Vista, etc.

Ok, first of all, ensure that you download and install the Root CA certificate for your domain (I guess you have done that already if you have read my previous post above); if not, then simply select the "Retrieve the CA certificate or certificate revocation list -> Download CA Certificate" option when you request your new certificate from your company/home domain. Refer to the above steps to place/move this certificate into your Local Machine's trusted store certificates. This is the basics, and if you have been stuck with the 0x80420100 error, then you have probably done this already.

Now, to solve the pain of requesting your user certificate, follow my steps below:
1) DO NOT USE THE STANDARD "User Certificate" option from your CertSrv website to request one; this will NOT work.
2) We will request this manually now. To do this, we will be creating a new CSR (Certificate Signing Request) and then submitting it manually; continue with the steps to know how:
3) From your CLIENT machine (i.e. your Vista / Windows 2008), start your MMC Certificate Management. To do this, Start -> Run -> MMC, and then from the File menu -> Add/Remove Snap-in -> add Certificates (Local User) -> OK -> OK... until you see the whole list of certificates loaded.
4) Under "Certificates - Current User" expand "Personal", then right-click on "Certificates" and select "All Tasks" -> Advanced Operations -> Create Custom Request.
5) You should see a menu/form; click Next.
6) Under the "Template" list, select "User" -> Next.
7) If you would like to add more details to the cert request, click on the ">>" next to "User" to expand and set more options, though this step is not necessary.
8) Click "Next" and save the file to a location; for example, save it to "C:\Heider\MyRequest.txt".
9) Now, load your browser and browse to your CertSrv website (your company/domain's certificate generation website).
10) Select "Request a Certificate"; DO NOT CLICK NEXT, this is what caused it to fail before.
11) Select "Advanced Request", Next.
12) Select "Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file" from the list (i.e. the second option), hit Next.
13) Open your CSR file (i.e. with Notepad, open the file you generated above in step 8), select all the content, copy it and paste it into the "Base64 Encoded Certificate Request" box.
14) Select "User" from the list.
15) Click Submit.
16) You should get the next page with the new certificate instantly; simply download and install it.
17) Now try your dial-up connection... this should work fine now...

Let me know if this is all OK, or if there is anything you are stuck with; I am happy to help. Good luck and I hope you can find this useful.

Regards,
Heider.
March 6th, 2008 11:03pm
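The custom-request flow Heider walks through in the MMC (steps 3 to 8) can also be done with certreq.exe, which is built into Windows, so the request can be scripted and reviewed. The PowerShell below is an added example, not code posted in the thread or a Microsoft script: it writes a certreq INF describing a user key with the Client Authentication EKU, creates the key pair in the current user's store and emits the Base64 PKCS #10 request that steps 9 to 16 paste into the certsrv "Advanced Request" page. The template name "User", the working folder, the file names and the CA configuration string in the optional direct-submit step are assumptions to replace with your CA's values.

```powershell
# Added example, not code from the thread. Same custom CSR flow as the MMC steps in
# Heider's post, done with certreq.exe. Template name "User", the working folder,
# file names and the CA config string are assumptions for your environment.
$workDir = 'C:\CertRequest'               # assumed working folder
$infPath = Join-Path $workDir 'vpnuser.inf'
$reqPath = Join-Path $workDir 'vpnuser.req'
$cerPath = Join-Path $workDir 'vpnuser.cer'
$subject = 'CN=' + $env:USERNAME          # constructed subject; an AD-integrated CA may rewrite it
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# certreq INF: a user (not machine) key, non-exportable, digitalSignature+keyEncipherment
# (0xA0), and the Client Authentication EKU so EAP-TLS will accept the issued certificate.
@"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = User
"@ | Set-Content -Path $infPath -Encoding ASCII

# 1) Generate the key pair in Cert:\CurrentUser and write the Base64 PKCS#10 request.
#    This is the file step 8 of the post saves from the wizard; paste its contents into
#    the certsrv "Base64 Encoded Certificate Request" box as in steps 9 to 16.
certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
"Request written to $reqPath; submit it to the CA and then run certreq -accept on the issued .cer"

# 2) Optional: submit straight to an enterprise CA instead of the web page.
#    The config string is "<CA host>\<CA common name>"; the value below is a placeholder.
#   $caConfig = 'ca.example.internal\Example Issuing CA'
#   certreq -submit -config $caConfig $reqPath $cerPath
#   certreq -accept $cerPath    # binds the issued cert to the pending key in Cert:\CurrentUser\My
```

Because the INF sets MachineKeySet = FALSE and Exportable = FALSE, the private key lands in the user's store and cannot be exported afterwards, which matches what the EAP-TLS client expects and limits the damage if the profile is copied elsewhere. certreq -accept must run as the same user who ran certreq -new, since that is where the pending key lives.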

I REALLY SOLVED THE PROBLEM

Sorry for my bad English, but I will try to explain my solution. I have had the same problems as you and also tried all the solutions, but with no results. Remember that when you try to connect to the VPN a new dialog appears to select the certificate to use, OK? Well, if you have imported your user certificate with the security option activated, I mean, so that the OS shows you a message every time an application tries to use the certificate, it will NOT WORK. The problem is that, when you press the button to connect to the VPN, it does not expect the security window to appear before the dialog to select the certificate, and gives the error. I have imported my user certificate with this option not marked and it works perfectly.
July 23rd, 2008 12:53pm

But how do you do that? Is it possible for you to make some kind of a guide?
October 17th, 2008 4:28pm

Heider, THANK YOU SO MUCH for your post! It worked like a charm with Vista and the PPTP VPN server with certificates on Windows 2003. The only problem I found is that you cannot reuse the same certificate for the same user connecting from an XP workstation. In this case you have to use the "user certificate" you can download from the certsrv. At least I had to do this to get it to work with XP.
March 31st, 2009 11:10am
