SOLVED

Problem with connecting to Point-to-Site VPN the message received was unexpected or badly formatted

Occasional Contributor

Hello

Can someone please help me with the following question.

I have set up a point-to-site VPN (I should mention I have been dealing with X509 certificates for years)

Background

I created my own Root CA (Windows 2012 R2 Domain Joined) and uploaded the CA certificate to Azure when creating the point-to-site VPN, e.g. "Point to site configuration" > "Root Certificates" > "Public certificate data", and it saved OK

I then created a client certificate for my Windows 10 PC from this CA (I created a certificate with the EKU of Client Authentication and Server Authentication). I do not believe I need the Server Authentication EKU but it is there in any event.

I installed the client certificate in my Windows 10 PC, made certain it links to its private key OK, and chains up OK to the issuing CA (e.g. my Root CA), so all OK so far

The subject name of the client certificate is the same as the hostname (e.g. when you go into cmd and type hostname) of my Windows 10 PC

I installed the client certificate in both the LocalMachine\My (aka personal) and CurrentUser\My (aka personal) stores

I downloaded the VPN client x64

When I try to connect I receive the following error

"the message received was unexpected or badly formatted"

I found a Microsoft post which stated this error was due to the following cause

"This problem occurs if the root certificate public key is not uploaded into Microsoft Azure VPN gateway or the key is corrupted or expired."

It said the solution was to

"To resolve this problem, check the status of the root certificate in Azure portal to see whether it has been revoked. If it is not revoked, try to delete the root certificate and reupload. For more information, see Create certificates."

I opened the link 'create certificates' above and under section 3.0

  1. On the VPN connections section of the blade for your VNet, click the clients graphic to open the Point-to-site VPN connection blade.
  2. On the Point-to-site connection blade, click Manage certificates to open the Certificates blade.
  3. On the Certificates blade, click Upload to open the Upload certificate blade.
  4. Click the folder graphic to browse for the .cer file. Select the file, then click OK. Refresh the page to see the uploaded certificate on the Certificates blade.

The problem I have is

I simply do not see the options listed above, e.g. how do I get to VPN connections?

When I go to Point-To-Site Configuration all I get is the following

Save, Discard, Download VPN Client

I simply cannot see how to get to the 'Upload Certificate' GUI element they refer to above (although I already uploaded the Root cert as mentioned above). Therefore how can I check the Root CA cert I uploaded etc?

Thanks All

3 Replies
Best Response confirmed by AUser ZUser (Occasional Contributor)
Solution

Hello AUser

Looking at the issue you described, it occurs to me the VPN client may not be able to access the CDP (certificate revocation distribution point) location (LDAP, CIFS, HTTP) as specified in the CDP extension of the client certificate. Therefore when the client is validating the certificate, e.g. building the certificate chain (which you said it can do), then checking the integrity of the chain, it will fail this second element (sometimes performed together) if it cannot reach any of the locations as specified in the CDP (or the Authority Information Access extension if using OCSP for revocation checking). Therefore, bottom line: if using a certificate issued by a CA, then on the computer with the VPN client installed, use the following command to verify access to the CRL

certutil -f -urlfetch -verify <CertFile>

If all the locations in the CDP (LDAP, CIFS, HTTP) fail then resolve this first

Please let me know if this fixes your problem,

Ernest Brant
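
The revocation check described in the reply above, as an added PowerShell example that is not part of the original thread: it prints the CDP and AIA extensions of the client certificate and builds the chain with online revocation checking to show whether the CRL could be fetched. It assumes the certificate sits in CurrentUser\My with a subject containing the PC hostname, as the question describes; the 15-second timeout is an arbitrary choice.

```powershell
# Added example: run on the PC where the VPN client is installed.
# Assumption: the client certificate subject contains CN=<hostname>.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*CN=$env:COMPUTERNAME*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$env:COMPUTERNAME" }

# 1. Show the URLs the client will try: CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1).
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        "--- $($ext.Oid.FriendlyName) ---"
        $ext.Format($true)
    } else {
        "--- extension $oid not present ---"
    }
}

# 2. Build the chain with online revocation checking, so an unreachable
#    CDP/OCSP location shows up as a chain status flag.
$ns = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
$built = $chain.Build($cert)

# Per-certificate status, leaf first.
foreach ($element in $chain.ChainElements) {
    $status = $element.ChainElementStatus.Status -join ', '
    if (-not $status) { $status = 'NoError' }
    '{0}: {1}' -f $element.Certificate.Subject, $status
}

# 3. Summarise: these two flags mean the revocation data could not be retrieved.
$flags = $chain.ChainStatus.Status -join ', '
if ($flags -match 'RevocationStatusUnknown|OfflineRevocation') {
    "Revocation check could not complete ($flags): fix access to the CDP/AIA URLs listed above."
} elseif ($built) {
    'Chain built and revocation status was retrieved.'
} else {
    "Chain validation failed: $flags"
}
```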

Hello Ernest

I tried your suggestion (by changing the cert so the CDP locations can be reached) and now all works perfectly

Thanks

Please visit my blog for a detailed step-by-step approach on how to set up the P2S connection. I hope you will find it useful.

https://shaonztechnet.wordpress.com/2018/04/09/setting-up-a-point-to-site-connection-in-azure/