How to fix “A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)” for Azure Point-to-Site VPN

In my previous post, I discussed how to configure Azure point-to-site VPNs to connect to a virtual network on the Azure platform. In some circumstances, dialing the connection fails with error 798 and the status “A certificate could not be found that can be used with this Extensible Authentication Protocol”. In the instructions below, I go through the options for resolving this issue.

After installing and configuring the Point-to-Site VPN client package, the following error sometimes occurs when dialing the connection: the dialer reports error 798 with the status quoted above.

First rule out the two common causes below; if neither applies, follow the instructions that come after.

  1. You did not install the client certificate on the computer from which you are making the VPN connection. Check that you followed all steps in Part 3.2 Generate and install the client certificates of our instruction on how to configure Azure point-to-site VPNs.
  2. The client certificate exists, but it was not imported into the Personal store of the current user (certmgr.msc, Cert:\CurrentUser\My). A common mistake is importing it into the Personal store of the Local Computer (certlm.msc) instead; the EAP client authenticating the user does not look there. The certificate must also carry its private key, so import the .pfx rather than the .cer.
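The following PowerShell diagnostic is an added example and is not part of the original post. It checks the two causes above plus the certificate properties EAP-TLS needs: that the client certificate is in the current user's Personal store, has a private key, carries the Client Authentication EKU, and was issued by the root you uploaded to the gateway. The two subject names are placeholders you must replace with your own.

```powershell
# Added diagnostic, not part of the original post. Reports whether the P2S client
# certificate is where EAP-TLS looks for it (the current user's Personal store, with a
# private key and the Client Authentication EKU) or only in the Local Computer store.
$ClientSubject = "CN=AzureP2SClientCert"   # assumption: subject of your client certificate
$RootSubject   = "CN=AzureP2SRootCert"     # assumption: subject of the root uploaded to the gateway
$ClientAuthEku = "1.3.6.1.5.5.7.3.2"       # id-kp-clientAuth

function Test-P2SClientCertificate {
    param([string]$ClientSubject, [string]$RootSubject)

    $user    = @(Get-ChildItem Cert:\CurrentUser\My  | Where-Object { $_.Subject -eq $ClientSubject })
    $machine = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $ClientSubject })

    $report = [ordered]@{
        InUserPersonalStore  = ($user.Count -gt 0)
        InMachineStoreOnly   = ($user.Count -eq 0) -and ($machine.Count -gt 0)
        HasPrivateKey        = $false
        HasClientAuthEku     = $false
        IssuedByUploadedRoot = $false
        Verdict              = ""
    }

    if ($user.Count -gt 0) {
        # If several copies exist, judge the one that expires last.
        $cert = $user | Sort-Object NotAfter -Descending | Select-Object -First 1
        $report.HasPrivateKey        = $cert.HasPrivateKey
        $report.HasClientAuthEku     = [bool]($cert.EnhancedKeyUsageList |
                                               Where-Object { $_.ObjectId -eq $ClientAuthEku })
        $report.IssuedByUploadedRoot = ($cert.Issuer -eq $RootSubject)
    }

    if ($report.InMachineStoreOnly) {
        $report.Verdict = "Certificate is in the Local Computer store only; import the .pfx into the current user's Personal store"
    } elseif (-not $report.InUserPersonalStore) {
        $report.Verdict = "Certificate not found; repeat the client certificate steps from the previous post"
    } elseif (-not $report.HasPrivateKey) {
        $report.Verdict = "Certificate has no private key; import the .pfx, not the .cer"
    } elseif (-not $report.HasClientAuthEku) {
        $report.Verdict = "Certificate lacks the Client Authentication EKU"
    } elseif (-not $report.IssuedByUploadedRoot) {
        $report.Verdict = "Certificate issuer does not match the root uploaded to the gateway"
    } else {
        $report.Verdict = "Certificate looks usable for EAP-TLS"
    }
    [pscustomobject]$report
}

Test-P2SClientCertificate -ClientSubject $ClientSubject -RootSubject $RootSubject | Format-List
```

If the verdict says the certificate is only in the Local Computer store, export it from there with its private key (Export-PfxCertificate) and import the .pfx with Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My, then dial again.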

These instructions are based on Windows 7, but other Windows versions are very similar, with minor differences.

Manual Configuration of VPN in Windows

  1. Open Control Panel > Network and Sharing Center > Set up a new connection or network.
  2. Choose Connect to a workplace.
  3. Choose Use my Internet Connection (VPN).
  4. Give the connection a name. For the Internet address, enter the TunnelAddress of your Azure gateway. To find it, check the log of the unsuccessful connection that the VPN client package downloaded from Azure created:
    a) Right-click that VPN connection.
    b) Open Properties.
    c) Open View log.
    You should find a line like: Tunnel DeviceName =  TunnelAddress = azuregateway-59cc4…………………….d113c7e8.cloudapp.net
    The value after TunnelAddress = is the address to enter.
  5. Right-click the manual VPN connection you just created, open Properties and go to the Security tab.
  6. Under Authentication, select Use Extensible Authentication Protocol (EAP) with Microsoft: Smart Card or other certificate (encryption enabled), click Properties and choose the option “Use a certificate on this computer”.
  7. To keep your Internet connection working while connected to the VPN, go to the Networking tab and open the properties of Internet Protocol Version 4 (TCP/IPv4).
  8. Click Advanced.
  9. Uncheck the option “Use default gateway on remote network”.
  10. Now dial the connection to Azure; it should prompt you to select the client certificate.
  11. Select your Azure client certificate and click OK.
  12. You should now be connected to Azure.
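The same configuration can be scripted with the built-in VpnClient cmdlets (Windows 8.1 / Server 2012 R2 and later; on Windows 7 the GUI steps above are the only option). The script below is an added example, not code from the original post or from Azure. It extracts the TunnelAddress from a constructed log excerpt, creates an SSTP connection that authenticates with a certificate from the user's store, enables split tunneling (the cmdlet form of unchecking “Use default gateway on remote network”) and adds the route for the virtual network. Assumptions: the connection name and address range are the post's example values, the gateway host name in the sample log is a placeholder, and the EAP XML is the standard EAP-TLS (type 13) configuration for “Use a certificate on this computer”; compare it against the XML of a working connection, obtainable as (Get-VpnConnection -Name <name>).EapConfigXmlStream.OuterXml, before relying on it.

```powershell
# Added example, not from the original post: the manual configuration above done with
# the VpnClient cmdlets. Run in an elevated PowerShell session.
$ConnectionName = "Aneka-VNET-SITE"   # assumption: any name you like
$VnetPrefix     = "192.168.0.0/16"    # the VNet address range used in the post

# Constructed excerpt of the Azure client log (same line shape as in step 4 above).
# The gateway name is a placeholder; yours comes from the "View log" dialog.
$sampleLog = @"
Tunnel DeviceName =  TunnelAddress = azuregateway-placeholder.cloudapp.net
"@

function Get-TunnelAddress([string]$LogText) {
    # The host name after "TunnelAddress =" is the address to dial.
    if ($LogText -match 'TunnelAddress\s*=\s*(\S+)') { return $Matches[1] }
    throw "No TunnelAddress found; dial the Azure-generated connection once so the log is written"
}

# EAP-TLS (method type 13) using a certificate from the user's certificate store,
# i.e. the "Use a certificate on this computer" choice in the GUI. Assumption: verify
# against the EapConfigXmlStream of a working connection.
[xml]$eapConfig = @"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
        <CredentialsSource>
          <CertificateStore>
            <SimpleCertSelection>true</SimpleCertSelection>
          </CertificateStore>
        </CredentialsSource>
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
        </ServerValidation>
        <DifferentUsername>false</DifferentUsername>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@

$server = Get-TunnelAddress $sampleLog

# -SplitTunneling keeps the local default gateway, as unchecking
# "Use default gateway on remote network" does in the GUI (steps 7-9).
Add-VpnConnection -Name $ConnectionName -ServerAddress $server -TunnelType Sstp `
    -AuthenticationMethod Eap -EapConfigXmlStream $eapConfig -SplitTunneling -Force

# With split tunneling on, the VNet range needs an explicit route over this connection.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $VnetPrefix

# Dial it; Windows prompts for the client certificate, as in step 10.
rasdial $ConnectionName
```

If rasdial still reports error 798 after this, the problem is the certificate itself, not the connection definition, so go back to the two causes listed earlier.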

If you have connectivity issues to remote machines (for example, you cannot ping a VM in the virtual network), check the Windows routing table with the following command:

route PRINT

The route that sends traffic for the Azure address range through the VPN connection looks like the line below. If no such route exists, you need to add it manually.

192.168.0.0 255.255.0.0 On-link 172.16.201.1 28

In the above example, the IP address allocated to my host on the VPN connection is 172.16.201.1 and the remote machines in Azure are in the 192.168.0.0/16 range.

To add a route manually in Windows, run cmd as an administrator and use the following command:

route ADD <destination network> MASK <netmask> <gateway>

for example:

route ADD 192.168.0.0 MASK 255.255.0.0 172.16.201.1

If you want a one-step process that dials the VPN and adds the routes, you have two options: 1) a batch file using the rasdial command, 2) PowerShell.

The following batch script dials your VPN connection named Aneka-VNET-SITE and then runs the ROUTE ADD from the example above; the route is only added if the dial succeeded:

@echo off
rasdial "Aneka-VNET-SITE" || exit /b 1
route ADD 192.168.0.0 MASK 255.255.0.0 172.16.201.0

Save this to a text file (e.g. aneka.bat) and run it as administrator to connect to the VPN.

Note that the gateway address in the script ends with 0 (172.16.201.0 rather than the allocated 172.16.201.1), which avoids editing the script whenever the VPN connection is allocated a different address in that range.

Alternatively, run the following PowerShell command once. It stores the route with the connection, so it is applied automatically every time the connection is dialed:

Add-VpnConnectionRoute -ConnectionName "Aneka-VNET-SITE" -DestinationPrefix 192.168.0.0/16
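A third option, added here as an example and not part of the original post, is to let the script discover the address RAS allocated to the connection instead of hard-coding 172.16.201.0: it dials the connection, reads the IPv4 address of the VPN interface, checks whether a route for the virtual network already exists on that interface, and adds an on-link route if not (the same thing ROUTE ADD with the allocated address as gateway produces, shown as On-link in route PRINT). The connection name and address range are the post's values; run it as administrator.

```powershell
# Added example, not from the original post. Dials the connection, reads the allocated
# IPv4 address and adds the VNet route over that interface at run time.
$ConnectionName = "Aneka-VNET-SITE"
$VnetPrefix     = "192.168.0.0/16"

function Connect-P2SWithRoute {
    param([string]$Name, [string]$Prefix)

    $dial = & rasdial $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "rasdial '$Name' failed (exit code $LASTEXITCODE): $dial" }

    # The RAS interface is given the connection name as its alias.
    $addr = Get-NetIPAddress -InterfaceAlias $Name -AddressFamily IPv4 -ErrorAction Stop |
            Select-Object -First 1

    $route = Get-NetRoute -InterfaceIndex $addr.InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
             Where-Object { $_.DestinationPrefix -eq $Prefix }
    $added = $false
    if (-not $route) {
        # On-link route through the VPN interface. ActiveStore means the route is not
        # persistent, like route ADD without -p, so it disappears with the connection.
        $route = New-NetRoute -DestinationPrefix $Prefix -InterfaceIndex $addr.InterfaceIndex `
                              -NextHop 0.0.0.0 -PolicyStore ActiveStore
        $added = $true
    }

    [pscustomobject]@{
        Connection       = $Name
        AllocatedAddress = $addr.IPAddress
        InterfaceIndex   = $addr.InterfaceIndex
        Route            = $route.DestinationPrefix
        RouteAdded       = $added
    }
}

Connect-P2SWithRoute -Name $ConnectionName -Prefix $VnetPrefix
```

Compared with Add-VpnConnectionRoute, this does not persist anything in the phonebook; it is useful when you want to see exactly which address and interface the tunnel came up with before trusting the route.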
