Microsoft Tech Community

Always On VPN - User tunnel


Hello,

I have a customer who has implemented Always On VPN and used it to replace their DirectAccess solution.

We have device-based tunnels working correctly. We have user-based tunnels working correctly from domain-joined laptops.

The challenge we are having is trying to establish a user-based tunnel from a non-domain-joined device.

For example, I have a customer-supplied laptop here at my desk, and I am back at my office. Once I sign into the laptop I can manually start a user-based tunnel and establish a VPN connection to the customer's premises.

I have transferred the VPN configuration, including my customer-supplied certificate, to my work-provided laptop, which of course is joined to my work's domain.

I have created a VPN connection which should allow me to establish a connection to my client's office. I installed the certificate in my personal store. I have manually looked at the adapter properties for the VPN connection and compared them to the one on the customer laptop. I cannot see any differences.

The VPN connection fails. When I look in my local application event log for RasClient events I can see we establish a connection with the VPN/RRAS server. But then we get an error: "The error code returned on failure is -1878457588".

If I look on the NPS server in the customer's environment I get the following event logged:

[Two screenshots of the NPS server event were attached here in the original post]

Despite me not configuring any credentials, it has used the correct user login as shown in the first screen scrape. So my assumption here is that it is using the correct user certificate. But the NPS server appears to deny access as it believes I have a credentials mismatch. I never at any stage entered my credentials; I have configured the VPN profile to use the certificate.

As I said, the same certificate works correctly from the customer-supplied machine, so I'm fairly confident that we do indeed map to an existing user and this user is configured to use the VPN.

I have fiddled with various settings but have not been able to get past this error. For example, I tried checking "Use a different username for the connection" under the smart card properties, then manually entered my credentials, and I was prompted for a PW.

Has anybody gotten a user-based tunnel to work from a non-domain-joined device?

Or does anybody have any suggestions on what I need to configure to get this working?


Thanks and regards


@Brian Lynch If your user authentication certificate is stored on a TPM, it could be related to a known issue described here.

https://learn.microsoft.com/en-us/answers/questions/467673/windows-10-tpm-2-0-client-authentication-...

Try implementing the workaround listed in this post and let me know what happens.

@Brian Lynch


It is possible that the issue could be related to the authentication method being used. If the device is not domain joined, it might not have access to the necessary credentials for the user-based VPN connection. To resolve this issue, you can try to use certificate-based authentication or implement a solution for password-based authentication. Additionally, you can also try to troubleshoot the connection by checking the VPN logs for error messages and configurations, and verifying that the necessary ports and protocols are open on the device and network.


Hello,
we were using certificate-based auth. We were able to get the VPN to work successfully once we re-exported the certificate with the SAN which includes the Principal Name. We are using a third-party CA based in Azure, and when the certificate was originally exported it did not include the SAN. Once I had the correct details in the certificate, the VPN connected successfully.
Thanks for your response,

regards
Hi Richard,
thanks for the response. We were able to get the VPN to work successfully once we re-exported the certificate with the SAN which includes the Principal Name. We are using a third-party CA based in Azure, and when the certificate was originally exported it did not include the SAN. Once I had the correct details in the certificate, the VPN connected successfully.

Thanks and regards
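The resolution above (the user certificate must carry a Subject Alternative Name with the user's Principal Name so that NPS can map it to the account) can be checked on the client before dialling the profile. The script below is an added example, not code from the thread or from Microsoft; it lists the certificates in the current user's personal store and reports whether each one carries the UPN otherName, the Client Authentication EKU and a private key. It assumes it runs in the same Windows user context that will use the VPN profile and that the SAN extension renders as "Principal Name=<upn>" in Format() output.

```powershell
# Added example: audit certificates in Cert:\CurrentUser\My for the attributes
# an Always On VPN user tunnel needs when NPS maps the certificate to an AD user.
$sanOid        = '2.5.29.17'                 # Subject Alternative Name extension
$clientAuthOid = '1.3.6.1.5.5.7.3.2'         # Client Authentication EKU

function Get-VpnUserCertReport {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $upn  = $null

        # Find the SAN extension and pull the Principal Name out of its text rendering.
        # Assumption: Windows renders the UPN otherName as "Principal Name=user@domain".
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        if ($san) {
            $text = $san.Format($true)
            if ($text -match 'Principal Name=([^\r\n]+)') { $upn = $Matches[1].Trim() }
        }

        # EnhancedKeyUsageList is the PowerShell-adapted view of the EKU extension.
        $clientAuth = @($cert.EnhancedKeyUsageList.ObjectId) -contains $clientAuthOid

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEku = $clientAuth
            UpnInSan      = $upn
            # A certificate is only usable for a user tunnel when all three hold.
            UsableForUserTunnel = ($cert.HasPrivateKey -and $clientAuth -and $null -ne $upn)
        }
    }
}

Get-VpnUserCertReport | Format-Table Subject, UpnInSan, ClientAuthEku, HasPrivateKey, UsableForUserTunnel -AutoSize
```

A certificate that shows UpnInSan empty is the situation described in the thread: the export lacked the SAN, so NPS cannot map it to the user even though the client presents it correctly.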

It sounds like you've covered quite a bit already. When I was troubleshooting a similar issue, it turned out to be a certificate chain problem. Double-check that your customer's certificate's entire chain is correctly installed on your work laptop. Sometimes a missing or incomplete chain can throw these unexpected errors. Also, make sure to read this article about whether you need a VPN to play at online casinos. I hope that is useful!