Event ID 5 — RRAS Secure Socket Tunneling Protocol

Updated: November 29, 2007

Applies To: Windows Server 2008


Secure Socket Tunneling Protocol (SSTP) is a new form of virtual private networking (VPN) tunnel with features that allow traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate Point-to-Point (PPP) traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of HTTPS means traffic will flow through TCP port 443, a port commonly used for Web access.

Event Details

Product: Windows Operating System
ID: 5
Source: Microsoft-Windows-RasSstp
Version: 6.0
Symbolic Name: SSTPSVC_LOG_CLIENT_FSM_FAILED
Message: The Secure Socket Tunneling Protocol (SSTP) negotiation has failed. The failure code is stored in the Data section of this message. Correct the problem and try again.

Diagnose

This error condition might be caused by one of the following:

  • There are network connectivity issues or certificate configuration failures. The error message (in the Win32 error code) will indicate what happened. See the section titled "Fix the network connectivity or certificate issue."
  • The operation to receive the HTTP response has failed for the reason in the detail message.
  • The response received from the server is not HTTP version 1.1. This could be due to the server-side implementation. SSTP has a baseline requirement of HTTP version 1.1. See the section titled "Configure the remote access server to support HTTP version 1.1."
  • Either the proxy or the SSTP server has failed the HTTP response. The HTTP status code logged in the data portion should provide information about the failure. See the section titled "Check the HTTP status code."
  • This can occur if the HTTP layer was established and an error was encountered during the establishment of the SSTP session. The issue could be due to FSM parameter negotiation or a system failure. 
  • The server-side implementation of the SSTP service needs to access the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SstpSvc\Parameters\ConfigStore, which SSTP uses to store its own state. If this store is damaged, the system will revert to default settings, which might not be the last active system state.
  • The HTTP layer could not be initialized. The HTTP.SYS driver might not be loaded or there might be some other system failure.
  • The URL specified should be configured to allow SSTPSVC. See the section titled "Set permissions for the specified URL for SSTPSVC."


Resolve

Fix the network connectivity or certificate issue

Fix the network connectivity or certificate-related issue and try the connection again.

Note: The following procedures include steps for using the ping command to perform troubleshooting. Before you perform these steps, check whether the firewall or Internet Protocol security (IPsec) settings on your network allow Internet Control Message Protocol (ICMP) traffic. ICMP is the TCP/IP protocol that is used by the ping command.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

Follow the procedures in the order in which they appear until the problem is resolved.

Determine if there is a network connectivity problem

To determine if there is a network connectivity problem between the remote access server and the domain controller:

  1. On the remote access server, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type ping server_FQDN, where server_FQDN is the fully qualified domain name (FQDN) of the domain controller (for example, server1.contoso.com), and then press ENTER.

    If the ping was successful, you will receive a reply similar to the following:

    Reply from IP_address: bytes=32 time=3ms TTL=59
    Reply from IP_address: bytes=32 time=20ms TTL=59
    Reply from IP_address: bytes=32 time=3ms TTL=59
    Reply from IP_address: bytes=32 time=6ms TTL=59

  3. At the command prompt, type ping IP_address, where IP_address is the IP address of the domain controller, and then press ENTER.

If you can successfully ping the domain controller by IP address, but not by FQDN, this indicates a possible issue with DNS host name resolution.

If you cannot successfully ping the domain controller by IP address, this indicates a possible issue with network connectivity, firewall configuration, or Internet Protocol security (IPsec) configuration.

Perform additional troubleshooting steps

The following are some additional troubleshooting steps that you can perform to help identify the root cause of the problem:

  • Ping other computers on the network to help determine the extent of the network connectivity issue.
  • If you can ping other servers but not the domain controller, try to ping the domain controller from another computer. If you cannot ping the domain controller from any computer, first ensure that the domain controller is running. If the domain controller is running, check the network settings on the domain controller.
  • Check the TCP/IP settings on the local computer by doing the following:
    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type ipconfig /all, and then press ENTER. Make sure that the information listed is correct.
    3. Type ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this might indicate that the TCP/IP stack is corrupted or that there is a problem with your network adapter.
    4. Type ping IP_address, where IP_address is the IP address assigned to the computer. If you can ping the localhost address but not the local address, there might be an issue with the routing table or the network adapter driver.
    5. Type ping DNS_server, where DNS_server is the IP address assigned to the DNS server. If there is more than one DNS server on your network, you should ping each one. If you cannot ping the DNS servers, this indicates a potential problem with the DNS servers, or with the network between the computer and the DNS servers.
    6. If the domain controller is on a different subnet, try to ping the default gateway. If you cannot ping the default gateway, this might indicate a problem with the network adapter, the router or gateway device, cabling, or other connectivity hardware.
  • In Device Manager, check the status of the network adapter. To open Device Manager, click Start, click Run, type devmgmt.msc, and then click OK.
  • Check network connectivity indicator lights on the computer and at the hub or router. Check network cabling.
  • Check firewall settings by using the Windows Firewall with Advanced Security snap-in.
  • Check IPsec settings by using the IP Security Policy Management snap-in.

Configure the remote access server to support HTTP version 1.1

To check that Internet Explorer is set to use HTTP version 1.1:

  1. On the remote access server, start Internet Explorer.
  2. On the Tools menu, click Internet Options.
  3. Click the Advanced tab.
  4. Under HTTP 1.1 settings, select the Use HTTP 1.1 check box.

Check the HTTP status code

The resolution steps vary, according to the HTTP status code.

The only status code for which the SSTP service on the client reports a specific failure is HTTP_STATUS_PROXY_AUTH_REQ (Proxy authentication required). An Access Denied message will appear in the dialer user interface on the client computer. Configure the proxy server so that it does not prompt for authentication.

For all other HTTP status codes, review the definition of the HTTP status code. For a list of HTTP status codes, see http://go.microsoft.com/fwlink/?LinkID=82289.

If the Web proxy or the SSTP server is rejecting the connection, the server might not be configured to use SSTP. To check whether the Web proxy server is configured to block the connection to the SSTP URL, try the following link: https://<servername>/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
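The check above can be scripted from the VPN client so that the HTTP version of the response, the status code, and a proxy authentication challenge are all reported at once. This is an added example, not code from the Microsoft page; $VpnServer is a placeholder for your own RRAS server's host name, and the script sends a single GET to the SSTP URL given above.

```powershell
# Added example (not from the Microsoft page): probe the SSTP URL and report
# the items the "Check the HTTP status code" section asks about. Run on the
# VPN client. $VpnServer is a placeholder host name.
$VpnServer = 'vpn.example.com'   # placeholder: replace with the RRAS server name
$SstpUrl   = "https://$VpnServer/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"

function Test-SstpHttp([string]$Url) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method          = 'GET'
    $req.ProtocolVersion = [System.Net.HttpVersion]::Version11   # SSTP baseline is HTTP 1.1
    $req.Timeout         = 10000
    $req.Proxy           = [System.Net.WebRequest]::GetSystemWebProxy()   # go through the client's proxy
    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Response -ne $null) {
            # 401/404/407/5xx still carry an HTTP response we can inspect.
            $resp = $ex.Response
        } else {
            # No HTTP response at all: name resolution, TCP 443, or a TLS
            # certificate trust/name failure ("Fix the network connectivity
            # or certificate issue").
            return New-Object PSObject -Property @{ Reachable = $false; Status = $ex.Status.ToString(); HttpVersion = ''; Detail = $ex.Message }
        }
    }
    $code   = [int]$resp.StatusCode
    $result = New-Object PSObject -Property @{
        Reachable   = $true
        Status      = $code
        HttpVersion = $resp.ProtocolVersion.ToString()
        Detail      = ''
    }
    if ($code -eq 407) {
        $result.Detail = 'Proxy authentication required: the dialer shows Access Denied; configure the proxy not to prompt.'
    } elseif ($resp.ProtocolVersion -lt [System.Net.HttpVersion]::Version11) {
        $result.Detail = "Response is HTTP $($resp.ProtocolVersion), below the SSTP baseline of 1.1."
    }
    $resp.Close()
    return $result
}

Test-SstpHttp $SstpUrl | Format-List Reachable, Status, HttpVersion, Detail
```

Any status other than 407 is reported as-is so it can be looked up in the HTTP status code list referenced above; certificate validation is left enabled on purpose, because a TLS failure here is exactly the certificate problem the Diagnose section points at.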

Set permissions for the specified URL for SSTPSVC

Namespace reservation assigns the rights for a portion of the HTTP URL namespace to a particular group of users. A reservation gives those users the right to create services that listen on that portion of the namespace. Reservations are URL prefixes, meaning that the reservation covers all subpaths of the reservation path.

Use the netsh http add urlacl command to configure access control lists (ACLs) for the URL for SSTPSVC use.

The following is an example of how to use this command:

netsh http add urlacl url=http://+:80/MyUri user=DOMAIN\user

Configure the certificate manually

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

  1. Click Start, click All Programs, and then click Accessories.
  2. Right-click Command Prompt, and then click Run as administrator.
  3. Configure the certificate manually using the netsh.exe http add sslcert command.

Configure the server with an SSTP certificate

Configure an SSTP certificate with an Enhanced Key Usage (EKU) of either Server Authentication or Any Purpose.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

  1. Click Start, point to All Programs, and then click Accessories.
  2. Right-click Command Prompt, and then click Run as administrator.
  3. Determine if the computer certificate is configured for the SSTP-based VPN connection. This can be accomplished using one of the following steps:
    • Run the netsh http show sslcert command on the remote access server to determine if the SSL certificate is plumbed to HTTP.SYS. Find the certificate with IP:Port pair 0.0.0.0:443 and [::]:443 and note the certificate hash value.
    • On the VPN client computer, open a Web browser and type in the following URL: https://<vpn server name>/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/. View the certificate and note the certificate hash value.
  4. Delete the certificate from the server certificate store (local computer store). See the "Delete a certificate" section.
  5. Remove the certificate binding from the HTTPS Listener. Type the following commands in a command window:
    • netsh http delete sslcert ipport=0.0.0.0:443
    • netsh http delete sslcert ipport=[::]:443
  6. Remove the certificate binding in RRAS. Open Regedit.exe and delete the following registry keys, if present:
    • HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha256CertificateHash
    • HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha1CertificateHash
  7. Add the new certificate inside the certificate store (local computer store).
  8. Plumb the new certificate to the HTTPS Listener. In this example, the SHA1 certificate hash of the new certificate is xxx. Type the following commands in a command window:
    • netsh http add sslcert ipport=0.0.0.0:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
    • netsh http add sslcert ipport=[::]:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
  9. Restart the Routing and Remote Access service. The Routing and Remote Access service will read the certificate that is plumbed to the HTTPS Listener and record the appropriate certificate hashes registry keys for its crypto-binding validation phase. See the "Restart Routing and Remote Access" section.
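The state that steps 3, 8 and 9 leave behind (the HTTPS Listener binding, the certificate's EKU, and the Sha1CertificateHash value that the service records under SstpSvc\Parameters, which the later "Modify value data" sections also refer to) can be audited in one pass. This is an added example, not code from the Microsoft page; it assumes it is run in an elevated PowerShell on the RRAS server and only reads, never changes, the binding, store and registry.

```powershell
# Added example (not from the Microsoft page): read-only audit of the SSTP
# certificate binding configured above. Run elevated on the RRAS server.
$SstpAppId     = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'   # appid used in step 8
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                        # EKU: Server Authentication
$AnyPurposeOid = '2.5.29.37.0'                              # EKU: Any Purpose
$ParamsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'

function Get-SstpSslBinding([string]$IpPort) {
    # Parse "netsh http show sslcert" output for one IP:port pair (step 3).
    $text  = (netsh http show sslcert ipport=$IpPort) -join "`n"
    $hash  = [regex]::Match($text, 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})').Groups[1].Value
    $appid = [regex]::Match($text, 'Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})').Groups[1].Value
    if (-not $hash) { return }    # nothing plumbed on this IP:port
    New-Object PSObject -Property @{ IpPort = $IpPort; Hash = $hash.ToLower(); AppId = $appid.ToLower() }
}

function Get-RegHashHex([string]$Name) {
    # Sha1CertificateHash / Sha256CertificateHash are REG_BINARY; render as lowercase hex.
    $item = Get-ItemProperty -Path $ParamsKey -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return '' }
    ($item.$Name | ForEach-Object { $_.ToString('x2') }) -join ''
}

$bindings = @(@('0.0.0.0:443', '[::]:443') | ForEach-Object { Get-SstpSslBinding $_ })
if ($bindings.Count -eq 0) { Write-Warning 'No certificate is plumbed to 0.0.0.0:443 or [::]:443.'; return }
foreach ($b in $bindings) {
    $app = if ($b.AppId -eq $SstpAppId) { 'OK' } else { "unexpected appid $($b.AppId)" }
    Write-Host "$($b.IpPort)  hash=$($b.Hash)  appid=$app"
}
if (@($bindings | ForEach-Object { $_.Hash } | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'The IPv4 and IPv6 listeners are bound to different certificates.'
}

# The bound hash must be a certificate in the local computer Personal store (steps 4 and 7).
$hash = $bindings[0].Hash
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
if (-not $cert) {
    Write-Warning "Bound hash $hash was not found in Cert:\LocalMachine\My."
} else {
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @(); if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($oids -contains $ServerAuthOid -or $oids -contains $AnyPurposeOid) {
        Write-Host "EKU OK ($($oids -join ', ')); subject $($cert.Subject); expires $($cert.NotAfter)"
    } else {
        Write-Warning "Certificate lacks the Server Authentication or Any Purpose EKU (has: $($oids -join ', '))."
    }
}

# RRAS records these values when it restarts (step 9); a mismatch means the
# service has not yet picked up the new binding.
$regSha1 = Get-RegHashHex 'Sha1CertificateHash'
if ($regSha1 -eq $hash) { Write-Host 'Sha1CertificateHash matches the HTTPS Listener binding.' }
else { Write-Warning "Sha1CertificateHash ('$regSha1') differs from the bound hash; restart Routing and Remote Access." }
```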

Delete a certificate

To delete the certificate from the certificate store:

  1. Open the Microsoft Management Console (MMC).
  2. Add the Local Computer certificates snap-in:
    • Click File, click Add/Remove Snap-in, and then click Certificates from the list of available snap-ins.
    • Click Add, click Computer account, and then click Next.
    • Ensure Local computer is selected, click Finish, and then click OK.
  3. Expand Certificates (Local Computer).
  4. Expand Personal.
  5. Click Certificates. In the certificates pane, you will see a list of certificates in the store.
  6. Double-click the certificate that you want to be bound to the SSTP Listener; this is the certificate whose subject name matches the host name used in the client VPN connection. Click the Details tab. Make sure ALL is selected in the Show drop-down list.
  7. Ensure that the value for the Thumbprint Algorithm field is sha1.
  8. Compare the value with the value of the certificate hash in step 3. If the value is the same, then this certificate is bound to the HTTPS Listener. Right-click and then delete the certificate.

Restart Routing and Remote Access

To restart the Routing and Remote Access service:

  1. Open Routing and Remote Access. Click Start, click Run, type rrasmgmt.msc, and then press ENTER.
  2. In the console tree, click Server Status.
  3. In the details pane, right-click a server name, point to All Tasks, and click Restart.

Configure the server with a certificate hash acceptable to the Reverse Web Proxy server

Possible resolution:

  • Review the logs of the Reverse Web proxy and capture the hash that the proxy server presents to the client. For more information, see the "View the certificate hash" section.
  • Configure the RRAS server with the same hash that the proxy server uses. For more information, see the "Configure the certificate hash on the remote access server" section.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

View the certificate hash

To view the certificate hash:

  1. On the Web proxy server, click Start, click Run, type mmc, and then click OK.
  2. Click File, and then click Add/Remove Snap-in.
  3. Under Available snap-ins, click Certificates, and then click Add.
  4. Click Computer account in the Certificate snap-in dialog box, and then click Next.
  5. Click Local computer, click Finish, and then click OK.
  6. Click File, click Save As, and then save the console as certmgmt.msc.
  7. Expand Certificates (Local Computer), Trusted Root Certification Authorities, Certificates, and then double-click the certificate.
  8. Click the Details tab, and then click the Thumbprint field to view the hash. Hash details can be obtained only for the sha1 Thumbprint algorithm, not for the sha256 Thumbprint algorithm.

Configure the certificate hash on the remote access server

To view the hash and change the value:

  1. On the remote access server, click Start, click Run, type mmc, and then click OK.
  2. Click File, and then click Add/Remove Snap-in.
  3. Under Available snap-ins, click Certificates, and then click Add.
  4. Click Computer account in the Certificate snap-in dialog box, and then click Next.
  5. Click Local computer, click Finish, and then click OK.
  6. Click File, click Save As, and then save the console as certmgmt.msc.
  7. Expand Certificates (Local Computer), Trusted Root Certification Authorities, Certificates, and then double-click the certificate.
  8. Click the Details tab, and then click the Thumbprint field to view the hash. Hash details can be obtained only for the sha1 Thumbprint algorithm, not for the sha256 Thumbprint algorithm.
  9. If there is a mismatch between the hash of the certificate on the remote access server and the Web proxy server, right-click the certificate on the remote access server, and then click Delete.
  10. Remove the certificate binding from HTTPS Listener. Type the following commands in a command window:
    • netsh http delete sslcert ipport=0.0.0.0:443
    • netsh http delete sslcert ipport=[::]:443
  11. Remove the certificate binding in the Routing and Remote Access service. Open the Registry Editor and delete the following registry keys (if present):
    • HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha256CertificateHash
    • HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha1CertificateHash
  12. Add the new certificate inside the certificate store (local computer store).
  13. Plumb the new certificate to the HTTPS Listener, using the SHA1 certificate hash of the certificate that the Web proxy uses. Type the following commands in a command window:
    • netsh http add sslcert ipport=0.0.0.0:443 certhash=<same as that of web proxy> appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
    • netsh http add sslcert ipport=[::]:443 certhash=<same as that of web proxy> appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
  14. Restart the Routing and Remote Access service. The Routing and Remote Access service will read the certificate that is plumbed to the HTTPS Listener and record the certificate hash regkeys for its crypto-binding validation phase. See the "Restart Routing and Remote Access" section.

Restart the Routing and Remote Access service

To restart the Routing and Remote Access service:

  1. Open Routing and Remote Access. Click Start, click Run, type rrasmgmt.msc, and then press ENTER.
  2. In the console tree, click Server Status.
  3. In the details pane, right-click a server name, point to All Tasks, and click Restart.

Provide permissions for the SSTP-related registry parameters

Open the Registry Editor and check the values of the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SstpSvc\Parameters

Check that the System account has read/write permission for each registry key. To check the permissions:

  1. Right-click each registry key, and then click Permissions.
  2. If the System account does not have read/write permissions for the key, add them.

Modify value data for SHA1CertificateHash registry parameter

Open the Registry Editor and check the values of the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SstpSvc\Parameters\SHA1CertificateHash

Check that the System account has read/write permission for each registry key. To check the permissions:

  1. Right-click each registry key, and then click Permissions.
  2. If the System account does not have read/write permissions for the key, add them.
  3. Right-click the SHA1CertificateHash registry parameter, click Modify, type 20, and then click OK.

Modify value data for SHA256CertificateHash registry parameter

Open the Registry Editor and check the values of the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SstpSvc\Parameters\SHA256CertificateHash

Check that the System account has read/write permission for each registry key. To check the permissions:

  1. Right-click each registry key, and then click Permissions.
  2. If the System account does not have read/write permissions for the key, add them.
  3. Right-click the SHA256CertificateHash registry parameter, click Modify, type 32, and then click OK.

Modify value data for ServerURL registry parameter

Open the Registry Editor and check the values of the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SstpSvc\Parameters\ConfigStore

Check that the System account has read/write permission for each registry key. To check the permissions:

  1. Right-click each registry key, and then click Permissions.
  2. If the System account does not have read/write permissions for the key, add them.
  3. Right-click the ServerURL registry parameter, click Modify, type https://<servername>/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/, and then click OK.

Verify

To verify that the remote access server can accept connections, establish a remote access connection from a client computer.

To create a VPN connection:

  1. Click Start, and then click Control Panel.
  2. Click Network and Internet, click Network and Sharing Center, and then click Set up a connection or network.
  3. Click Connect to a workplace, and then click Next.
  4. Complete the steps in the Connect to a Workplace wizard.

To connect to a remote access server:

  1. In Network and Sharing Center, click Manage network connections.
  2. Double-click the VPN connection, and then click Connect.
  3. Verify that the connection was established successfully.

Related Management Information

RRAS Secure Socket Tunneling Protocol

Routing and Remote Access Service Infrastructure
