Windows Azure Virtual Network Point-to-Site connection error

11
votes

I have recently created an Azure Virtual Network to test connectivity between a VM on Azure with a client server on premise (point-to-site connection).

First I followed the tutorial here: https://azure.microsoft.com/documentation/articles/vpn-gateway-point-to-site-create/

Next, I provisioned another VM on Azure but not part of the Virtual Network. I downloaded the AMD64 Client VPN Package and installed it onto this VM and connected to the VPN. The connection was successful and I could point my browser to the VM1's IIS that was created within the virtual network.

Finally, I downloaded the x86 Client VPN Package and installed it onto my local machine running Windows 7 and tried to connect via VPN. Instead, I got the error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Error 0x800b0109) For customized troubleshooting information for this connection, click Help.

The logs are:

    Operating System      : Windows NT 6.1 Service Pack 1
    Dialer Version        : 7.2.7600.16385
    Connection Name       : TestVirtualNetwork
    All Users/Single User : Single User
    Start Date/Time       : 01/05/2013, 23:02:34

    Module Name, Time, Log ID, Log Item Name, Other Info
    For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up

[cmdial32]  23:02:34    22  Clear Log Event 
[cmdial32]  23:02:36    04  Pre-Connect Event   ConnectionType = 1
[cmdial32]  23:02:36    06  Pre-Tunnel Event    UserName = TestClientCert Domain =  DUNSetting = TestVirtualNetwork Tunnel DeviceName = WAN Miniport (SSTP) TunnelAddress = azuregateway-66437671-fb05-4fac-83a7-1ae2313d717f-0.cloudapp.net
[cmdial32]  23:02:37    21  On-Error Event  ErrorCode = -2146762487 ErrorSource = RAS
4
azure-virtual-network
Could it be related to this: blogs.msdn.com/b/windowsazure/archive/2013/03/15/… ???user2264560
I have a similar problem but I haven't been able to solve it using any of the mentioned solutions :-(Vinod

4 Answers

24
votes

I was experiencing the same issue and came across this blog post describing what appears to be a bug in the VPN installer generated by Azure site:

https://nbevans.wordpress.com/2014/03/01/point-to-site-p2s-azure-vpn/

Effectively, the issue is that there is an additional certificate needed to trust the Azure gateway for your virtual network. That cert is bundled inside the VPN installer .exe generated by the Azure Virtual Network page.

  1. Extract the VPN installer .exe generated by the Azure site (I used 7-zip)
  2. Inside you'll find a .cer file
  3. Install the certificate in the "Trusted Root Certification Authorities" of the "Computer account"
    1. Open mmc.exe
    2. Add the "Certificates" snap-in
    3. Be sure to choose "Computer" account for the Local computer
    4. Right-click the "Trusted Root Certification Authorities" node, All-Tasks, Import, and browse to the .cer file you extracted from the VPN exe

This will likely be needed on all clients you intend to connect to the virtual network.

1
votes

I want to post a different answer from the ones above since I came across the same issue but in a different situation since the VPN connection presented the issue long way after it had been configured for the first time. So I had installed all the certificates needed in order the VPN to function but as things changes too often I double checked all the certificates were where they supposed to. After doing that, I review the log and although the error points to a certificate issue I paid attention to the connection details and specially one, the Tunnel address (the one with the prefix azuregateway with a lot of hex numbers and the domain cloudapp.net) and realized that the domain was being blocked by a firewall/web filter appliance. Allowing this domain in the appliance allowed to be able to connect using the VPN tunnel again. That's about it.

-1
votes

You need to make sure that you install the client certificate on your local computer. Also ensure that the root certificate you created is installed in your trusted root store.

To find out if your certificate is trusted, run mmc, click 'File', 'Add/Remove Snap In', double-click Certificates, select "My user account" and press Finish. Open 'Certificates - Current User', 'Personal', 'Certificates' and find the client certificate you created.

If it is not there, please follow the step to install it. If it is there, double-click it and click Certification Path. You should see no warnings or errors. If you do, it is probably because your root certificate is not installed correctly.

If that is the case, double-click the root certificate .cer file you created earlier, and choose in the import wizard select 'Place all certificates in the following store', click Browse and choose 'Trusted Root Certification Authorities' and then finish.

-1
votes

There were several answers i found. Here is the one worked for me:

  1. Install root & client in current user->personal folder.
  2. Install the certificate which come along with VPN client(extracted using 7z) in local machine -> trusted root.

worked charm:)