Trusted Root Certification Error

  • Question

  • From: Joe McGlynn @kwydk via Twitter

     Having an issue with Win10 + self-signed certs and Azure point-to-site VPN. Works on Win10 Preview... trusted root cert error.  

    Generated certs as per azure.microsoft.com/en-in/document… Win7 + Win10 client will connect. Win10 production fails with root trust chain; nothing special visible. Can demo or offer a failing cert.

    Thanks,

    @AzureSupport

    Friday, October 2, 2015 9:10 PM

Answers

  • Found the issue.

    The certificate from the cloud gateway has not been registered in my certificate store.

    The Azure VPN client gets a cert from the gateway, in this case a file called

    AzureSubscriptionAccessGUID.cer

    azuregateway-AzureSubscriptionAccessGUID-1d7fad7de8ea.cloudapp.net

    This is installed into the folder

    C:\Users\Joe McGlynn\AppData\Roaming\Microsoft\Network\Connections\Cm\AzureSubscriptionAccessGUID

    This cert should be installed by the exe....

    and the inf file

    AzureSubscriptionAccessGUID.inf Lines 108 and on

    [RunPostSetupCommandsSection]

    ;Commands here will be run After setup finishes

    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v SelectSelfSignedCert /t REG_DWORD /d 1 /f

    cmd.exe /c certutil -addstore root "%APPDATA%\Microsoft\Network\Connections\Cm\AzureSubscriptionAccessGUID\AzureSubscriptionAccessGUID.cer"

    But it's not....

    I installed this certificate manually and it works.

    Now comes the WTF...why it no workie for me on my Win10 install.


    Joe

    • Proposed as answer by Wobble Wobble Wednesday, October 7, 2015 11:15 AM
    • Marked as answer by Kamalakar K Thursday, October 8, 2015 5:07 AM
    Wednesday, October 7, 2015 10:54 AM
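A check for the state this answer describes, added here as an example and not code from the thread or from the Azure VPN client: it loads the gateway certificate that the Connection Manager profile dropped under %APPDATA%, looks for its thumbprint in the machine and user Root stores, and only installs it when it is missing (the same effect as the certutil line in the profile .inf). The profile folder name is a placeholder; the 0x800b0109 in the client error is CERT_E_UNTRUSTEDROOT, and the log's -2146762487 is the same HRESULT as a signed 32-bit value.

```powershell
# Added example (not from the thread): verify that the gateway certificate dropped
# by the Azure VPN client profile is actually trusted, and install it if the .inf
# post-setup step did not run. <PROFILE-GUID> is a placeholder for the profile
# folder name. Run elevated; writing to LocalMachine\Root needs administrator rights.
$profileName = '<PROFILE-GUID>'
$cerPath = Join-Path $env:APPDATA "Microsoft\Network\Connections\Cm\$profileName\$profileName.cer"

if (-not (Test-Path $cerPath)) {
    throw "Gateway certificate not found at $cerPath"
}

# Load the .cer from disk without touching any store, so we can inspect it first.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
Write-Host ("Gateway cert: {0}`n  Thumbprint: {1}`n  Expires:    {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

# Anything placed in Root is trusted for every chain on this machine, so only a
# self-signed certificate whose subject matches the gateway host belongs there.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Certificate is not self-signed (issuer: $($cert.Issuer)); do not add it to Root without checking the chain."
}

# Look for the same thumbprint in both Root stores a RAS/SSTP client may consult.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$found = foreach ($store in $stores) {
    if (Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) { $store }
}

if ($found) {
    "Already trusted: present in $($found -join ', ')"
} else {
    # Equivalent to the .inf's 'certutil -addstore root <file>' (machine store).
    Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    "Installed into Cert:\LocalMachine\Root; the 0x800b0109 (CERT_E_UNTRUSTEDROOT) failure should now clear."
}
```

Compare the printed thumbprint with the certificate the gateway actually presents before trusting it; a mismatch means the file in the profile folder is stale or from another gateway.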

All replies

  • Folks,

    As per above, generated self-signed certs based off the link.

    Imported the root cert to the cloud service vnet.

    Installed the client pfx and vpn client onto the following OS.

    Win 7 Pro

    Win 10 Preview 10525

    Win 10 Ent 

    VPN works on Win 10 preview and Win 7, not on the Win10 production edition.

    Win 10 issue states it's a root chain certificate error. Sorry, don't have the log/message handy.

    One of the environments is a POC, so I could potentially share the certs and client install.

    I have not tried expanding out the VPN client to a cert based PPTP as of yet.

    We have a second site, that is production and we have tested Win7 and Win10 home as well as Win10 Preview.

    Win 10 Home does not work on that site. Have not tried Win 10 Ent as of yet.


    Joe

    Friday, October 2, 2015 9:37 PM
  • Sorry, thought I had these posted last night.

    So I can generate a root cert with makecert.exe

    makecert -sky exchange -r -n "CN=CustomerRootCert" -pe -a sha1 -len 2048 -ss My "CustomerRootCert.cer"

    Then generate a client cert with

    makecert.exe -n "CN=CustomerClientCert" -pe -sky exchange -m 96 -ss My -in "CustomerRootCert" -is my -a sha1

    Win 10 Preview - worked
    ******************************************************************
    Operating System      : Windows NT 10.0 
    Dialler Version        : 7.2.10532.0
    Connection Name       : CustomerAzureNetwork
    All Users/Single User : Single User
    Start Date/Time       : 02/10/2015, 22:46:39
    ******************************************************************
    Module Name, Time, Log ID, Log Item Name, Other Info
    For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up
    ******************************************************************
    [cmdial32] 22:46:39 22 Clear Log Event

    ******************************************************************
    Operating System      : Windows NT 10.0 
    Dialler Version        : 7.2.10532.0
    Connection Name       : CustomerAzureNetwork
    All Users/Single User : Single User
    Start Date/Time       : 02/10/2015, 22:46:49
    ******************************************************************
    Module Name, Time, Log ID, Log Item Name, Other Info
    For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up
    ******************************************************************
    [cmdial32] 22:46:49 03 Pre-Init Event CallingProcess = C:\WINDOWS\system32\rasautou.exe
    [cmdial32] 22:46:56 04 Pre-Connect Event ConnectionType = 1
    [cmdial32] 22:46:56 06 Pre-Tunnel Event UserName = CustomerClientCert Domain =  DUNSetting = Long GUID0b979d Tunnel DeviceName =  TunnelAddress = azuregateway-Long GUID0b979d-Short GUID.cloudapp.net
    [cmdial32] 22:46:57 07 Connect Event
    [cmdial32] 22:46:58 08 Custom Action Dll ActionType = Connect Actions Description = to update your routing table ActionPath = C:\Users\Joe\AppData\Roaming\Microsoft\Network\Connections\Cm\Long GUID0B979D\CMROUTE.DLL ReturnValue = 0x0
    [CMMON32] 22:47:06 23 External Disconnect
    [cmdial32] 22:47:06 13 Disconnect Event CallingProcess = C:\WINDOWS\System32\NetworkUXBroker.exe




    Win 10 Production - did not work
    ******************************************************************
    Operating System      : Windows NT 10.0 
    Dialer Version        : 7.2.10240.16384
    Connection Name       : CustomerAzureNetwork
    All Users/Single User : Single User
    Start Date/Time       : 02/10/2015, 23:09:10
    ******************************************************************
    Module Name, Time, Log ID, Log Item Name, Other Info
    For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up
    ******************************************************************
    [cmdial32] 23:09:10 22 Clear Log Event
    [cmdial32] 23:09:23 04 Pre-Connect Event ConnectionType = 1
    [cmdial32] 23:09:23 06 Pre-Tunnel Event UserName = CustomerClientCert Domain =  DUNSetting = Long GUID0b979d Tunnel DeviceName =  TunnelAddress = azuregateway-Long GUID0-b979d-Short GUID.cloudapp.net
    [cmdial32] 23:09:23 21 On-Error Event ErrorCode = -2146762487 ErrorSource = RAS

    Error message in VPN Client

    A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     (Error 0x800b0109)

    How do I pass on the subscription and network ID privately?


    Joe

    Saturday, October 3, 2015 11:01 AM
  • Tried it on Windows 8.1 and it worked.

    ******************************************************************
    Operating System      : Windows NT 6.3 
    Dialer Version        : 7.2.9600.17415
    Connection Name       : Customer NameAzureNetwork
    All Users/Single User : Single User
    Start Date/Time       : 05/10/2015, 10:59:39
    ******************************************************************
    Module Name, Time, Log ID, Log Item Name, Other Info
    For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up
    ******************************************************************
    [cmdial32] 10:59:39 03 Pre-Init Event CallingProcess = C:\WINDOWS\system32\rasautou.exe
    [cmdial32] 10:59:46 04 Pre-Connect Event ConnectionType = 1
    [cmdial32] 10:59:46 06 Pre-Tunnel Event UserName =  Domain =  DUNSetting = LongGUID70b979d Tunnel DeviceName =  TunnelAddress = azuregateway-Long GUIDe8ea.cloudapp.net
    [cmdial32] 11:00:43 04 Pre-Connect Event ConnectionType = 1
    [cmdial32] 11:00:43 06 Pre-Tunnel Event UserName =  Domain =  DUNSetting = LongGUID70b979d Tunnel DeviceName =  TunnelAddress = azuregateway-LongGUIDe8ea.cloudapp.net
    [cmdial32] 11:00:47 07 Connect Event
    [cmdial32] 11:00:47 08 Custom Action Dll ActionType = Connect Actions Description = to update your routing table ActionPath = C:\Users\mdm\AppData\Roaming\Microsoft\Network\Connections\Cm\LongGUID70B979D\CMROUTE.DLL ReturnValue = 0x0
    [cmdial32] 11:01:06 13 Disconnect Event CallingProcess = C:\WINDOWS\system32\CMMON32.EXE
    [CMMON32] 11:01:06 26 External Disconnect due to Lost Connection
    [CMMON32] 11:01:06 14 Reconnect Event

    ******************************************************************
    Operating System      : Windows NT 6.2 
    Dialer Version        : 7.2.9600.17415
    Connection Name       : Customer NameAzureNetwork
    All Users/Single User : Single User
    Start Date/Time       : 05/10/2015, 11:01:06
    ******************************************************************
    Module Name, Time, Log ID, Log Item Name, Other Info
    For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up
    ******************************************************************
    [cmdial32] 11:01:06 03 Pre-Init Event CallingProcess = C:\WINDOWS\system32\CMMON32.EXE


    Joe

    Monday, October 5, 2015 10:29 AM
  • Hello,

     

    We are investigating on the query and would get back to you soon on this. I apologize for the inconvenience and appreciate your time and patience in this matter.

     

    Best Regards,

    Kamalakar

    • Edited by Kamalakar K Wednesday, October 7, 2015 10:48 AM
    Wednesday, October 7, 2015 10:48 AM