5
votes

I am creating a VPN in Azure, and created self-signed certificate in the following places:

Local Computer: Personal/Certificates: Issued To: FQDN name is the certificate's name Trusted Root Certification Authorities/Certificates: manually copied from Personal

I have configured the VPN in Azure and it is downloaded and extracted and the vpn client is installed successfully, however, when I run the client I received the following error:

A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)


The error seems to suggest that the certificate is NOT found; does the name matter?

Should I change the cert's name from Azurecert to FQDN which is the name in my local computer?

Thank you for your help in advance.

UPDATE: I removed the existing certificate in Azure's configuration and re-added it with the same FQDN name shown in the local computer's certificates. I redownloaded the client, removed the existing installed VPN client and reinstalled the new one, and I receive the same error message. So it seems the name is not the root cause?

UPDATE2:

The procedure I've followed:

  1. Create Self Signed Certificate with the FQDN name on local laptop;

    New-SelfSignedCertificate -DnsName NV-RXIE.novantas.pri -CertStoreLocation "cert:\LocalMachine\My"

  2. Add the self-signed certificate as a trusted certificate authority: copy the new cert to Trusted Root Certification Authorities

  3. Export the cert and open it, copy the cert part and paste it into the VPN setting (Root certificates, Public Certificate Data)

  4. Download the VPN client and install it on laptop, run it

  5. Connect, failed with:

A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)


3 Answers

5
votes

When you try to connect to an Azure virtual network by using the VPN client, apart from exporting the root certificate public key .cer file to Azure, each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate and then export and install the client certificate. If the client certificate is not installed, authentication fails.

This problem occurs if the client certificate is missing from Certificates - Current User\Personal\Certificates.

You could follow this solution to fix this issue. For more information about how to install the client certificate, see Generate and export certificates for point-to-site connections.
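As an added illustration of the root-plus-client-certificate setup this answer describes (example code, not from the question, the answers or Microsoft's docs): the script below creates a self-signed root, issues a client certificate from it with the Client Authentication EKU in Current User\Personal, writes the base64 body to paste into the gateway's root certificate field, and then checks whether the local store actually holds a usable client certificate chaining to that root. The names P2SRootCert and P2SChildCert and the output path are placeholders; it assumes Windows PowerShell 5.1 or later.

```powershell
# 1. Self-signed root (CA) in the current user's store; its public part is what goes into Azure.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate signed by the root, carrying the Client Authentication EKU
#    (OID 1.3.6.1.5.5.7.3.2) that EAP-TLS requires. It lands in Current User\Personal,
#    which is where the VPN client looks for it.
$client = New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 3. Base64 body for the portal's "Public certificate data" field (no BEGIN/END lines).
$rootBase64 = [Convert]::ToBase64String($root.RawData)
Set-Content -Path "$env:USERPROFILE\P2SRootCert.b64.txt" -Value $rootBase64   # placeholder path

# 4. Diagnostic for Error 798: does Cert:\CurrentUser\My contain a certificate that
#    (a) has a private key, (b) has the Client Authentication EKU and (c) chains to the root
#    whose thumbprint you pass in (the one uploaded to the gateway)?
function Test-P2SClientCert {
    param([string]$RootThumbprint)
    $clientAuthOid = "1.3.6.1.5.5.7.3.2"
    foreach ($c in Get-ChildItem Cert:\CurrentUser\My) {
        if (-not $c.HasPrivateKey) { continue }
        $ekuExt = $c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
        if (-not $ekuExt) { continue }
        if (-not ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) { continue }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = "NoCheck"
        # The root need not be in Trusted Root for this check; we compare the top of the chain by thumbprint.
        $chain.ChainPolicy.VerificationFlags = "AllowUnknownCertificateAuthority"
        [void]$chain.Build($c)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($top.Thumbprint -eq $RootThumbprint) {
            return "OK: $($c.Subject) ($($c.Thumbprint)) chains to the uploaded root"
        }
    }
    return "No usable client certificate in CurrentUser\My for root $RootThumbprint (expect Error 798)"
}

Test-P2SClientCert -RootThumbprint $root.Thumbprint
```

Running the check against a machine set up as in the question (only a root-style certificate in LocalMachine\Personal, no issued client certificate) returns the "No usable client certificate" line, which is the condition behind Error 798.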

3
votes

In case anyone runs into this issue at some stage, I had installed a new root cert that worked fine for 2 out of 3 VPN gateways. The third kept giving a 798 error even though the certs were correct and in the right place.

To fix the Error 798, I did the following:

  • reset the gateway in Azure Portal. (support & troubleshooting on VPN gateway blade)
  • remove the VPN configuration from my pc (win10)
  • reboot pc (just to be safe)
  • download and reinstall the VPN client from the Azure Portal again (from Point-to-site configuration on Azure VPN gateway in question)
  • Once done, I could then connect without any issues. Tested on several different users.

My guess is that if you are adding / removing the Root certs it might need you to reinstall the VPN client on your computer after the gateway has the new root cert configuration.

Hope that helps.

2
votes

In addition to the answer by Nancy Xiong:

If you are still having problems with this error, you can try the following:

  1. Run certmgr.msc
  2. Go to Personal->Certificates
  3. Right-click your certificate
  4. All Tasks->Export
  5. Choose Yes: Export private key
  6. Accept default options until you reach a step where you must enter a password
  7. Enter a password, and continue until you have exported your certificate
  8. Repeat this process if you have more than one certificate
  9. Locate your certificates in the Windows file explorer
  10. Right-click->Install
  11. Select Current User for the Store Location
  12. Accept default options, and enter the certificate password when prompted
  13. When asked which Certificate Store to place the certificate in, select Place all certificates in the following store
  14. Click 'Browse' and select your Personal store

This should now work.

In rare circumstances you may find that this solution will only work for a short time (usually failing the next time you reboot). In this case you may need to follow these additional steps:

  1. Boot your computer into BIOS Configuration
  2. Disable any settings for Intel VTX and Intel VTD
  3. Restart your computer
  4. Retry the steps above