Home
%3CLINGO-SUB%20id%3D%22lingo-sub-847567%22%20slang%3D%22en-US%22%3EA%20fix%20for%20Virtual%20Private%20Network%20issue%20in%20Windows%20Server%202016%20Essentials%20has%20been%20released%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-847567%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20is%20a%20known%20issue%20with%20Virtual%20Private%20Network%20failure%20every%2024-48%20hours%20in%20Windows%20Server%202016%20Essentials%20due%20to%20domain%20certificate%20auto-renewal.%20We%20are%20pleased%20to%20share%20that%20the%20fix%20for%20this%20issue%20has%20been%20included%20with%20the%20following%20Cumulative%20Update%20for%20Windows%20Server%202016%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4512495%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4512495%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20issue%20is%20described%20here%20in%20brief%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20Windows%20Server%202016%20Essentials%20SKU%20or%20Essentials%20role%2C%20when%20the%20domain%20name%20setup%20is%20done%20using%20a%20Windows%20Live%20account%20and%20the%20Virtual%20Private%20Network%20is%20configured%20by%20running%20the%20Anywhere%20Access%20wizard%2C%20we%20may%20experience%20issues%20with%20SSTP%20based%20Virtual%20Private%20Network.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EVPN%20may%20work%20for%20a%20day%20or%20two%20and%20then%20fails%20with%20the%20following%20error%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F131010iFA40F7C5EE51703A%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20issue%20occurs%20due%20to%20a%20failure%20while%20enumerating%20the%20Subject%20Alternative%20Name%20(SAN)%20extension%20in%20the%20certificate%2C%20parsing%20the%20DNS%20entries%20and%20matching%20it%20with%20the%20domain%20name.%20This%20failure%20results%20in%20a%20certificate%20auto-renewal%20which%20causes%20a%20certificate%20hash%20mismatch%20in%20the%20registry.%20When%20a%20remote%20client%20attempts%20to%20establish%20an%20SSTP%20VPN%20connection%2C%20it%20fails%20to%20do%20it%20because%20of%20this%20certificate%20hash%20mismatch.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EResolution%3A%20The%20fix%20for%20this%20issue%20has%20been%20included%20with%20the%20Cumulative%20Update%20(August)%20for%20Windows%20Server%202016.%20You%20can%20install%20it%20via%20Windows%20Update%20or%20from%20the%20following%20link%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4512495%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4512495%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Regular Visitor

There is a known issue with Virtual Private Network failure every 24-48 hours in Windows Server 2016 Essentials due to domain certificate auto-renewal. We are pleased to share that the fix for this issue has been included with the following Cumulative Update for Windows Server 2016:

 

https://support.microsoft.com/en-us/help/4512495

 

The issue is described here in brief:

 

In Windows Server 2016 Essentials SKU or Essentials role, when the domain name setup is done using a Windows Live account and the Virtual Private Network is configured by running the Anywhere Access wizard, we may experience issues with SSTP based Virtual Private Network.

 

VPN may work for a day or two and then fails with the following error:

 

clipboard_image_0.png

 

The issue occurs due to a failure while enumerating the Subject Alternative Name (SAN) extension in the certificate, parsing the DNS entries and matching it with the domain name. This failure results in a certificate auto-renewal which causes a certificate hash mismatch in the registry. When a remote client attempts to establish an SSTP VPN connection, it fails to do it because of this certificate hash mismatch.

 

Resolution: The fix for this issue has been included with the Cumulative Update (August) for Windows Server 2016. You can install it via Windows Update or from the following link:

 

https://support.microsoft.com/en-us/help/4512495