workforceinsight
asked on
SSO with Pre-Shared Key on Windows 7
Hello, Experts!
I'm trying to configure a Single-Sign On for our users who are outside the office and need to connect to our VPN before signing into Windows.
I've been able to configure it with this guide:
http://www.windowsnetworking.com/articles-tutorials/windows-7/VPN-Single-Sign-On-Windows-7.html
However, when it tries to connect to our VPN, we get this error:
Error Description: 766: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.
Because our Meraki Security Appliance ONLY uses a pre-shared key and there's no remote access server in the picture, I believe that this is a Windows limitation (Windows is trying to protect me from using pre-shared keys). I thought this Microsoft article would help:
https://support.microsoft.com/kb/240262
but it seems to discuss a remote access server which is not part of the picture.
I'm sure there are some registry tweaks needed to suppress Microsoft looking for a certificate - the question is where. Any ideas?
Thanks!
I'm trying to configure a Single-Sign On for our users who are outside the office and need to connect to our VPN before signing into Windows.
I've been able to configure it with this guide:
http://www.windowsnetworking.com/articles-tutorials/windows-7/VPN-Single-Sign-On-Windows-7.html
However, when it tries to connect to our VPN, we get this error:
Error Description: 766: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.
Because our Meraki Security Appliance ONLY uses a pre-shared key and there's no remote access server in the picture, I believe that this is a Windows limitation (Windows is trying to protect me from using pre-shared keys). I thought this Microsoft article would help:
https://support.microsoft.com/kb/240262
but it seems to discuss a remote access server which is not part of the picture.
I'm sure there are some registry tweaks needed to suppress Microsoft looking for a certificate - the question is where. Any ideas?
Thanks!
ASKER
Hello,
Thanks for commenting. Unfortunately, the VPN server is a firewall appliance that ONLY allows for a pre-shared key - no certificate.
I'm hoping to turn off Windows' need to seek out a certificate because it cannot apply to this situation.
Thanks,
Thanks for commenting. Unfortunately, the VPN server is a firewall appliance that ONLY allows for a pre-shared key - no certificate.
I'm hoping to turn off Windows' need to seek out a certificate because it cannot apply to this situation.
Thanks,
What type of VPN is the firewall appliance configured to allow? In your error message it looks like you're using a L2TP VPN. That's quite uncommon. I'd imagine you're using an IPSec VPN instead.
ASKER
Hello, craigbeck,
Thanks - you are correct, we're using an IPSec VPN.
Thanks - you are correct, we're using an IPSec VPN.
I've requested that this question be deleted for the following reason:
The question has either no comments or not enough useful information to be called an "answer".
The question has either no comments or not enough useful information to be called an "answer".
ASKER
Figured it out:
1. Run "regedit", allocate HKEY_LOCAL_MACHINE\SYSTEM\ CurrentCon trolSet\Se rvices\Ras Man\Parame ters, and delete ProhibitIpSec key.
2. Restart Windows, and try to connect VPN again.
1. Run "regedit", allocate HKEY_LOCAL_MACHINE\SYSTEM\
2. Restart Windows, and try to connect VPN again.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for workforceinsight's comment #a39868283
for the following reason:
Registry fix is the solution
Accepted answer: 0 points for workforceinsight's comment #a39868283
for the following reason:
Registry fix is the solution
you need to install this certificate inside machine store of the VPN server.
the certificate should include the following details:
1. Common name (CN): Same as the hostname OR IP address that is configured as VPN destination on the VPN client of your network.
2. Extended Key Usage (EKU): “Server Authentication” and “IP Security IKE intermediate”.
3. Key Usage: Select Digital signature and Key encipherment( algorithm for performing encryption and decryption)