A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Error 0x800b0109)

  • Question

  • Hello there all

    We've been successfully connecting to our Azure VNET via a standard point-to-site VPN configuration for more than a year. We originally created individual certificates for each user, as described at:

    https://azure.microsoft.com/en-gb/documentation/articles/vpn-gateway-point-to-site-create/

    ...And they have worked just fine for a year or so.

    Now, halfway through our morning, we suddenly can't connect to the VNET. Earlier in the morning, we connected successfully.

    We now get the error:

    A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Error 0x800b0109)

    Any ideas? Thanks a lot.

    Monday, August 15, 2016 3:15 PM

All replies

  • Hello,

    Thanks for posting the query here!

    This issue may occur if the appropriate trusted root certification authority (CA) certificate is not installed in the Trusted Root Certification Authorities store on the client computer. 

    Note: Generally, if the client computer is joined to the domain and if you use domain credentials to log on to the VPN server, the certificate is automatically installed in the Trusted Root Certification Authorities store. However, if the computer is not joined to the domain or if you use an alternative certificate chain, you may experience this issue.

    To troubleshoot this issue, follow these steps:
    1. On the client computer, click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-in.
    3. In the Add/Remove Snap-in dialog box, click Add.
    4. In the Available Standalone Snap-In dialog box, click Certificates, and then click Add.
    5. In the Certificates snap-in dialog box, click Computer account, click Next, and then click Finish.
    6. Click Close, and then click OK.
    7. In the Console1 MMC snap-in, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
    8. Examine the certificates that appear in the details pane to determine whether a certificate from the certification authority is present.
    9. If the appropriate certificate is not present in the Trusted Root Certification Authorities store, you must import a certificate for the appropriate certification authority.

    Hope this helps.

    You can refer to this: http://stackoverflow.com/questions/16320918/windows-azure-virtual-network-point-to-site-connection-error

    Let me know if you need further assistance on this.

    Thanks & Regards

    Vijisankar

    If a post answers your question, please click Mark As Answer on that post and Vote as Helpful.


    • Edited by vijisankar Tuesday, August 16, 2016 8:08 AM
    • Proposed as answer by GeneralB Friday, January 27, 2017 2:35 PM
    Tuesday, August 16, 2016 8:04 AM
  • Hi Vijisankar,

    We have been experiencing the same problem since yesterday. All was fine for more than a year, but now this error stops us from using the VPN connection.

    I already tried your suggestions more than once, even with completely new self-signed certificates. I also had a look at the certificate in the downloaded client.exe, no luck.

    Is it related to some maintenance that happened yesterday? Or related to the current issues with Azure?

    Please advise, any help is more than appreciated.

    Kind regards,
    Mark

    Tuesday, August 16, 2016 2:53 PM
  • Hi,

    Check whether this helps you: http://webbercross.azurewebsites.net/error-0x800b0109-a-certificate-chain-processed-but-terminated-in-a-root-certificate/

    Thanks & Regards

    Vijisankar




    • Edited by vijisankar Tuesday, August 16, 2016 3:10 PM
    Tuesday, August 16, 2016 3:08 PM
  • No, this didn't help. This problem is not related to a single client computer. All our clients have the same problem.

    Kind regards
    Mark

    Tuesday, August 16, 2016 6:12 PM
  • Hi Mark,

    Please try downloading the Point-to-Site VPN package again and see if that works. This may have been affected by an internal update. We apologize for the inconvenience.

    Thanks,
    Bridget [MSFT]

    Wednesday, August 24, 2016 5:11 PM
  • Has your certificate simply expired?
    Tuesday, January 24, 2017 6:58 PM
  • Worked for VS2015 created "test" store appx

    This was very helpful. Thank you, Vijisankar.

    After following your directions, I opened your referenced link at stackoverflow then followed "below" directions from user4312249 ...

    -------------------------------------

     Install the certificate in the "Trusted Root Certification Authorities" of the "Computer account"
    1. Open mmc.exe
    2. Add the "Certificates" snap-in
    3. Be sure to choose "Computer" account for the Local computer
    4. Right-click the "Trusted Root Certification Authorities" node, All-Tasks, Import, and browse to the .cer file you extracted from the VPN exe

    This will likely be needed on all clients you intend to connect to the virtual network.

    -------------------------------------

    It LAUNCHED the appx that I created in Visual Studio 2015 by doing the following:
          via the right click project's name > store > create app package.

    Trying to be as specific as I can, in case I or someone else as new to developing as I am runs into this issue.


    Newbie enough to get myself into trouble. :0) Eyes are crossed and growth is pain ... but working on it.

    • Proposed as answer by GeneralB Thursday, August 24, 2017 4:48 PM
    Friday, January 27, 2017 2:46 PM
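
The store check and import described in the two step lists above (Vijisankar's MMC steps and the quoted Stack Overflow steps), plus the expiry question raised in the thread, can be scripted. This is an added example, not code from any poster or from Microsoft; the path `C:\Temp\vpn-root.cer`, the function name `Test-VpnRootTrust` and the `-Import` switch are assumptions made for illustration.

```powershell
# Added example. $CerPath is a placeholder for the root .cer extracted from the VPN package.
param(
    [string]$CerPath = 'C:\Temp\vpn-root.cer',
    [switch]$Import   # only add the certificate to the store when asked explicitly
)

function Test-VpnRootTrust {
    param([Parameter(Mandatory)][string]$Path)

    # .NET resolves relative paths against its own working directory, so pass a full path.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    $now  = Get-Date

    # Same store the MMC steps open:
    # Certificates (Local Computer) > Trusted Root Certification Authorities.
    $match = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        Expired       = ($now -gt $cert.NotAfter)
        NotYetValid   = ($now -lt $cert.NotBefore)
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        InMachineRoot = [bool]$match
    }
}

$result = Test-VpnRootTrust -Path $CerPath
$result | Format-List

if (-not $result.SelfSigned) {
    Write-Warning 'Subject and issuer differ: this is not a root certificate, so it does not belong in the Root store.'
}
elseif ($result.Expired -or $result.NotYetValid) {
    Write-Warning 'The certificate is outside its validity period; the chain fails the time check even if it is in the store.'
}
elseif (-not $result.InMachineRoot) {
    Write-Warning 'Root is missing from LocalMachine\Root (consistent with error 0x800b0109).'
    if ($Import) {
        # Needs an elevated prompt. Confirm the thumbprint printed above against the
        # value obtained from the certificate's issuer before trusting it machine-wide.
        Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root
    }
}
```

Running it without `-Import` only reports; a root that is already present and still valid points away from the client store as the cause.
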
  • While this approach worked for me a few months ago (unzipping the VPN package and manually installing the certificate from there to the trusted authority), this is not working any more. Without any changes to the VM, all of a sudden it is not able to connect to the VPN, with that certificate validation error. I uninstalled and reinstalled both certificates; it didn't make any difference. Now I have 2 VMs that are not able to establish a VPN connection (both on Azure), while my local VM that uses exactly the same VPN package is working fine. Any clues on how to address or troubleshoot this are very appreciated, as my production deployment in Azure is halted, unable to connect to the TFS server residing on a different subscription in Azure.
    Tuesday, May 30, 2017 10:26 PM
  • I am a newbie but perhaps it has something to do with Hyper-V? I just installed my first virtual machines (VMs via Oracle) but not a VPN. The issue in connecting was Hyper-V had to be turned off. When I want to connect to something via a Microsoft product, it seems Hyper-V has to be turned on. Just a suggestion. For those of you who are way more techie than I, please feel free to enlighten me on how this may be wrong. Hopefully though, it is a newbie stumble in that it is correct.


    Thursday, August 24, 2017 4:52 PM