Always On VPN problems

Daniel 81 Reputation points
2024-09-23T14:16:10.73+00:00

Hello,

We are running Windows server 2019 with RAS role (RAS server), and we also have second servers that is Windows server 2019 on which we have NPS role (NPS server).

 

We have some issues with VPN connection where a group of users that are located in a different AD forest (AD Forest trust is setup as bi-directional trust). When the issue starts this group of users from different forest are not able to authenticate and on clients they receive an error:

Can’t connect to VPN User Tunnel The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid.

 

 

And in Event log of the RAS server we have log entries:

 

CoId={XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX}: The user user@domain.local connected from IP address <PUBLIC IP ADDRESS OF CLIENT> but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.  Details:

 

  • System   - Provider    [ Name]  RemoteAccess   - EventID 20271    [ Qualifiers]  0    Level 3    Task 0    Keywords 0x80000000000000   - TimeCreated    [ SystemTime]  2024-09-18T18:17:33.908487400Z    EventRecordID 13255841    Channel System    Computer VPN.domain.local    Security  - EventData    {74530D90-09AB-0007-E3A7-6074AB09DB01}    user@domain.com    IP ADDRESS    The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.    0x70    2C030000  -------------------------------------------------------------------------------- Binary data: In Words 0000: 0000032C     In Bytes 0000: 2C 03 00 00               ,... Any ideas what could be the issue? The changes that have happened on the configuration are: autorenewal of the NPS server certificate which was done as it was in previous years. 

Also worth mentioning is that the issue goes away after rebooting both servers in sequence. Which is not ideal as this issues doesn't happen consistently at the same time but appears a bit random (it works fine for a day, then the issues occurs, after reboot the setup works ok for 2 day and then the issues occurs again)

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,809 questions
Windows Server Infrastructure
Windows Server Infrastructure
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Infrastructure: A Microsoft solution area focused on providing organizations with a cloud solution that supports their real-world needs and meets evolving regulatory requirements.
553 questions
0 comments No comments
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.