Event ID 21 — RRAS Secure Socket Tunneling Protocol

Applies To: Windows Server 2008

Secure Socket Tunneling Protocol (SSTP) is a new form of virtual private networking (VPN) tunnel with features that allow traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate Point-to-Point (PPP) traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of HTTPS means traffic will flow through TCP port 443, a port commonly used for Web access.

Event Details

Product: Windows Operating System
ID: 21
Source: Microsoft-Windows-RasSstp
Version: 6.0
Symbolic Name: SSTPSVC_LOG_SERVER_CERT_HASH_FAILURE
Message: The Secure Socket Tunneling Protocol service was not able to get the hash for the certificate configured with HTTP. The detailed error message is provided below. Correct the problem and try again.

%1

Resolve

Configure the server with an SSTP certificate

Configure a  SSTP certificate with an Enhanced Key Usage (EKU) of either Server Authentication or Any Purpose.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

  1. Click Start, point to All Programs, and then click Accessories.
  2. Right-click Command Prompt, and then click Run as administrator.
  3. Determine if the computer certificate is configured for the SSTP-based VPN connection. This can be accomplished using one of the following steps:
    • Run the netsh http show sslcert command on the remote access server to determine if the SSL certificate is plumbed to HTTP.SYS. Find the certificate with IP:Port pair 0.0.0.0::/443 and [::]:443 and note the certificate hash value.
    • On the VPN client computer, open a Web browser and type in the following URL: https://<vpn server name>/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/. View the certificate and note the certificate hash value.
  4. Delete the certificate from the server certificate store (local computer store). See the "Delete a certificate" section.
  5. Remove the certificate binding from the HTTPS Listener. Type the following commands in a command window:
    • netsh http delete sslcert ipport=0.0.0.0:443
    • netsh http delete sslcert ipport=[::]:443
  6. Remove the certificate binding in RRAS. Open Regedit.exe and delete the following registry keys, if present:
    • HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha256CertificateHash
    • HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha1CertificateHash
  7. Add the new certificate inside the certificate store (local computer store).
  8. Plumb the new certificate to the HTTPS Listener. In this example, the SHA1 certificate hash of the new certificate is xxx. Type the following commands in a command window:
    • netsh http add sslcert ipport=0.0.0.0:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
    • netsh http add sslcert ipport=[::]:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
  9. Restart the Routing and Remote Access service. The Routing and Remote Access service will read the certificate that is plumbed to the HTTPS Listener and record the appropriate certificate hashes registry keys for its crypto-binding validation phase. See the "Restart Routing and Remote Access" section.

Delete a certificate

To delete the certificate from the certificate store:

  1. Open the Microsoft Management Console (MMC).
  2. Add the Local Computer certificates snap-in:
    • Click File, click Add/Remove Snap-in, and then click Certificates from the list of available snap-ins.
    • Click Add, click Computer account, and then click Next.
    • Ensure Local computer is selected, click Finish, and then click OK.
  3. Expand Certificates (Local Computer).
  4. Expand Personal.
  5. Click Certificates. In the certificates pane, you will see a list of certificates in the store.
  6. Double-click the certificate that you want to be bound to the SSTP Listener, the certificate with the subject name that matches the host name used in the client VPN connection. Click the Details tab. Make sure ALL is selected in the Show drop-down list.
  7. Ensure that the value for the Thumbprint Algorithm field is sha1.
  8. Compare the value with the value of the certificate hash in step 3. If the value is the same, then this certificate is bound to the HTTPS Listener. Right-click and then delete the certificate.

Restart Routing and Remote Access

To restart the Routing and Remote Access service:

  1. Open Routing and Remote Access. Click Start, click Run, type rrasmgmt.msc, and then press ENTER.
  2. In the console tree, click Server Status.
  3. In the details pane, right-click a server name, point to All Tasks, and click Restart.

Verify

To verify that the remote access server can accept connections, establish a remote access connection from a client computer.

To create a VPN connection:

  1. Click Start, and then click Control Panel.
  2. Click Network and Internet, click Network and Sharing Center, and then click Set up a connection or network.
  3. Click Connect to a workplace, and then click Next.
  4. Complete the steps in the Connect to a Workplace wizard.

To connect to a remote access server:

  1. In Network and Sharing Center, click Manage network connections.
  2. Double-click the VPN connection, and then click Connect.
  3. Verify that the connection was established successfully.

RRAS Secure Socket Tunneling Protocol

Routing and Remote Access Service Infrastructure