Nightmare on VPN street with TMG and SSTP Part 2 of 4

Welcome back to Nightmare on VPN street with TMG and SSTP – Part 2 of 4.  If you’ve been following along, we’re going to configure the TMG server to request a new certificate from the internal CA.

If you want to go back to Part 1, click here.

Here goes:

So here’s my take and process on this issue.  Once your certificate expires on TMG, you’re basically hosed as the replacement process appears to be manual.

  1. If you change out the certificate in the web listener, that’s a good start – but will not work if you don’t do other things.  TMG will not properly remove your old certificate from the registry and will not properly register the new certificate into the registry.  This is a frustratingly manual process.
  2. You cannot find the SHA256 hash easily (required to register it to TMG and required for Windows Vista clients and higher).  This is a pseudo chicken and egg issue.
  3. Many hours (40+) went into my resolution, which will take you about 10 minutes to apply once you know what specifically is wrong and what specifically to fix.
  4. The event logs are of no help in problem definition.  They will help right near the very end though in terms of figuring out the SHA256 hash.

Here goes:

  • I started getting Event ID Error 4 on the client and also received an error message from the SSTP dialog box when trying to VPN in.

Client Eventlog error 01

  • The TMG server was already logging certificate expired (or about to expire) errors in the Application Log – event ID 64 below:

TMG Certificate expired error 01

  • In the TMG System Log, the common Schannel error (event ID 36888) was ever present whenever the client tried to make a connection:

TMG SChannel error 01

  • I also got a bunch of RasSstp errors (Event ID 18) as well as Event ID 36886 Schannel errors, which basically mean that your certificate doesn’t work and/or is not properly registered or just isn’t installed.  THIS IS THE CRUX OF THE PROBLEM.

TMG RemoteAccess and Schannel errors

Now to the solution:

  1. Issue a new certificate either from a 3rd party CA or from your own internal CA.  I used an internal CA and used the following procedure to do so:
    1. Go to your TMG server and do Start–>Run–>mmc
    2. On the File menu, click Add/Remove Snap-in.  In the list of available snap-ins, click Certificates, and then click Add.
    3. Click Computer account, and click Next.
    4. Click Local computer, and click Finish.
    5. Click OK.
    6. In the console tree, double-click Certificates (Local Computer), and then double-click Personal.
    7. Right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Enrollment wizard.
    8. Click Next and Next again.
    9. Select the Web Server template or custom template you may have created like I have.
    10. Click the warning icon below More information is required to enroll for this certificate. Click here to configure these settings.
    11. In the Subject name area under Type, click Common Name.
      In the Subject name area under Value, enter the fully qualified domain name of the server, and then click Add.  (This is important: choose the name your VPN clients will connect to externally.  Whether it’s or something else.  This is also the place to add other alternate DNS names.  Please see my screenshot for details.)
    12. (Screenshot: Certenrollment01)
    13. In the Alternative name area under Type, click DNS.  In the Alternative name area under Value, enter the fully qualified domain name of the server, and then click Add.
    14. Repeat step 13 above for each additional SAN that you require. Click OK when finished.
    15. I added a friendly name and description and validated that the selections shown in the screenshots were chosen.  Remember: the private key must be exportable. To specify that the private key is exportable, click the Private Key tab, click the Key Options arrow, and select Make private key exportable. The CA must also be configured to support exportable private keys.
    16. (Screenshots: Certenrollment02, Certenrollment05, Certenrollment04, Certenrollment03)
    17. Click Enroll. After enrollment succeeds, click Finish:
    18. (Screenshot: Certenrollment06)
    19. Click “View Certificate”, Details and scroll down to Thumbprint.  That thumbprint will be of critical importance to this process.
    20. (Screenshot: CertThumbprint)
    21. Now, we’ll want to export this certificate (with its private key) and install it on the client (in the Computer\Personal store) that we’ll be using to test connectivity with.  Note that an SSTP client only needs to trust the issuing CA and be able to build the chain to validate the server certificate; importing the server’s private key on a client is for this test machine only and should not be repeated on production clients.
      1. Click Copy to File
      2. Make sure to export the private key
      3. Select “Include all certificates in the certification path if possible” and “Export all extended properties”
      4. Give it a password
      5. Give it a filename and location
      6. Then click Finish
      7. Copy the .pfx file to your client
      8. Right click the file and choose “Install PFX”
      9. Put in the password and select the “Make this key exportable” and “Include all extended properties” checkboxes. (the latter should be selected by default)
      10. Choose ‘Place certificates in the following store’ and select ‘Personal’
      11. Click Finish
      12. Open the MMC for certificates –> Computer and make sure the key is in the Personal>Certificates folder for the Local Computer account.
      13. Alternatively, you can open the Certificates snapin for the Local Computer account and choose “import”, find the file and go through the above steps.
    22. At this point, you’ll want to copy and paste the SHA1 value into Notepad++ – I’ve attached a print screen of the various commands that were used – not all were included, but it’s a pretty good list:
    23. (Screenshot: Notepad++ command file)

Here’s the text I used as well:

SHA1 Thumbprint for server certificate:
50 fd 47 d6 fa 14 36 c0 47 e6 a7 b3 88 b5 fc 2e 9e fd 6c 49

Commands saved (no particular order):

netsh http show sslcert
netsh http delete sslcert ipport=[::]:443
net start remoteaccess
net stop sstpsvc /y
netsh http show ssl
netsh http add sslcert ipport=[::]:443 certhash=50fd47d6fa1436c047e6a7b388b5fc2e9efd6c49 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
netsh http add sslcert ipport= certhash=50fd47d6fa1436c047e6a7b388b5fc2e9efd6c49 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
reg delete HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v SHA256CertificateHash /f
reg delete HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v SHA1CertificateHash /f
netstat -aon |findstr 443
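The PowerShell script below is an added example (the editor’s, not commands from the post or from TMG’s own tooling) that ties together the thumbprint step of the enrollment procedure above and the netsh/reg commands just listed. It assumes it is run elevated on the TMG server after the new certificate has been enrolled into the Local Computer Personal store; that SstpSvc keeps the SHA-1 and SHA-256 hashes of the certificate’s DER bytes as REG_BINARY values named SHA1CertificateHash and SHA256CertificateHash (the names the reg delete commands above use); and it checks only the [::]:443 binding shown above, since the second add sslcert line’s ipport is missing from the page. The default thumbprint is the one printed in the post and is a placeholder for your own. Without -Fix the script only reports what is bound and registered; with -Fix it reruns the post’s stop/delete/add/start sequence and writes both hash values.

```powershell
# Added example: check (and optionally repair) the SSTP certificate binding on a TMG server.
# Assumptions: run elevated on the TMG box; the new cert is already in LocalMachine\My;
# the thumbprint default is the post's placeholder and must be replaced with your own.
param(
    [string]$Thumbprint = '50fd47d6fa1436c047e6a7b388b5fc2e9efd6c49',
    [switch]$Fix   # report only unless -Fix is given
)

$SstpAppId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'   # SSTP appid from the post's netsh line
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$IpPort    = '[::]:443'                                  # the only binding the post shows

function Get-HexString([byte[]]$Bytes) { ($Bytes | ForEach-Object { $_.ToString('x2') }) -join '' }

# 1. Locate the certificate and derive both hashes from its DER bytes.
#    SHA-1 over RawData is exactly the MMC 'Thumbprint' field; SHA-256 is the value
#    the post says is hard to find and that SstpSvc stores (assumed REG_BINARY).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; HTTP.sys/SSTP cannot use it" }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)" }

$hashes = [ordered]@{
    SHA1CertificateHash   = [System.Security.Cryptography.SHA1]::Create().ComputeHash($cert.RawData)
    SHA256CertificateHash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
}
foreach ($name in $hashes.Keys) { "{0,-22}: {1}" -f $name, (Get-HexString $hashes[$name]) }

# 2. Compare with what SstpSvc has registered under Parameters.
$params = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
foreach ($name in $hashes.Keys) {
    $actual = $params.$name
    if ($null -eq $actual) { "$name : not set in registry" }
    elseif ((Get-HexString $actual) -eq (Get-HexString $hashes[$name])) { "$name : matches registry" }
    else { "$name : MISMATCH, registry has $(Get-HexString $actual)" }
}

# 3. Compare with the HTTP.sys SSL binding (same data 'netsh http show sslcert' prints).
$binding = netsh http show sslcert ipport=$IpPort 2>&1 | Out-String
if ($binding -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
    $bound = $Matches[1].ToLower()
    if ($bound -eq (Get-HexString $hashes['SHA1CertificateHash'])) { "HTTP.sys $IpPort : bound to this certificate" }
    else { "HTTP.sys $IpPort : bound to a different certificate ($bound)" }
} else { "HTTP.sys $IpPort : no SSL binding present" }

if (-not $Fix) { return }

# 4. Repair: the post's commands, in the order they have to run. Stop SSTP first so the
#    binding can be replaced, then clear the stale hash values and write the correct ones
#    explicitly (REG_BINARY) instead of trusting the service to re-register them.
net stop sstpsvc /y | Out-Null
netsh http delete sslcert ipport=$IpPort | Out-Null
netsh http add sslcert ipport=$IpPort certhash=$($cert.Thumbprint) appid=$SstpAppId certstorename=MY
foreach ($name in $hashes.Keys) {
    Remove-ItemProperty -Path $RegPath -Name $name -ErrorAction SilentlyContinue
    New-ItemProperty -Path $RegPath -Name $name -PropertyType Binary -Value $hashes[$name] -Force | Out-Null
}
net start remoteaccess
```

Save it under any name (for example Check-SstpCert.ps1, a name chosen here) and run `.\Check-SstpCert.ps1 -Thumbprint <your thumbprint>` first without -Fix: a mismatch between the SHA-256 line the script prints and the SHA256CertificateHash value it reads back is the symptom the post describes, and `netsh http show sslcert` and `reg query` on the Parameters key will show the same values the script compares.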

Please go on to part 3 of Nightmare on VPN street with TMG and SSTP.
