Windows Server 2012 R2 Essentials VPN Fails After Certificate Was Renewed

About a year ago, we set up our office with four Windows Server 2012 R2 servers running in VMware virtual machines. One of these is configured with the Windows Server Essentials role and is our domain controller. We configured Anywhere Access for both virtual private network (VPN) and remote web access (RWA) using a third-party certificate from GeoTrust. We have Windows 8.1 Enterprise clients with about 8 users that occasionally connect via the VPN. All has been working fine for the last year until this morning.

Over the weekend, our certificate expired, so I purchased and installed a new one this morning. Since then, no one is able to connect to the VPN. When we try to connect, it goes through very quickly and looks like it is connecting (and even very briefly shows "Connected"), but the connection is not made (or it is dropped) and no error is displayed. We ARE able to log on to the RWA site with the new certificate.

When I received the new certificate, I edited the bindings for the Default Web Site on the Essentials server to use the new cert. After we discovered the problems, I also ran through the Anywhere Access configuration wizard again. I don't know if there is something else I need to do or what the problem is. One other note is that the new certificate is using SHA-2 instead of SHA-1.

Do you have any thoughts on what the problem might be or where to look for more information? Again, we don't receive any error message, the connection just seems to drop as soon as it is made.

Zephyr ICT (Cloud Architect) commented:
Is the new certificate in the certificate (root) store? Is the old one still in there but the new one isn't?
bhaf (Author) commented:
The new one shows in the Personal folder of the Local Computer Certificates on the server in question which is where the old one showed up. (Is that what you mean by the certificate store?) I deleted the old one before I was aware of this problem, however, so only the new one shows now.

I just tried quickly using a self-signed certificate, and that gives an error 800 when I try to connect. Haven't looked into that yet as we're not trying to use a self-signed cert.
Zephyr ICT (Cloud Architect) commented:
Sometimes the Personal folder isn't enough, did you check the root folder as well? I've had occasions where I had to put the certificate into the root folder of the certificate store of the client.
Zephyr ICT (Cloud Architect) commented:
Also, if you check the certificate through your browser, does it say that you have the private key that corresponds with the certificate?
bhaf (Author) commented:
I found a solution for the problem. I'll give the details to help others that might run into the same thing.

I found this article while searching the web:

This referenced the following Microsoft KB article:

Using something mentioned in the comments of the Server Fault article, I did the following:

1.  Opened Routing and Remote Access on the server in question.

2.  Opened the properties for the server from the console tree.

3.  In the server properties dialog, clicked on the Security tab. This displayed the following message:

The certificate used for Secure Socket Tunneling Protocol (SSTP) is missing. You must configure a new certificate for SSTP.

4.  At the bottom of the Security tab, I looked in the SSL Certificate Binding section and found that the Certificate field was blank.

5.  I used the drop-down list to change the Certificate to the one I had just installed. This gave me a warning related to DirectAccess, but we are not using DirectAccess so I proceeded. (I had set it up at one point but never went into production with it.)

After I did this, we were able to connect to the VPN again.
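The failure mode in this thread (the HTTPS binding for RWA was updated, but the SSTP binding still pointed at the deleted, expired certificate, so the field in the RRAS Security tab came up blank) can be checked without clicking through the console. The following PowerShell is an added example, not part of the original answer or of Microsoft's tooling. It assumes the SSTP binding is recorded in the `SstpSvc\Parameters` registry values `SHA1CertificateHash` and `SHA256CertificateHash` (REG_BINARY), that it runs elevated on the RRAS server, and that the `RemoteAccess` module is present for the optional remediation line; the host name `remote.example.com` is a placeholder.

```powershell
# Added example (not from the original thread): read-only comparison of the SSTP
# certificate binding, the HTTP.sys (IIS / Remote Web Access) binding, and the
# certificates actually present with a private key in the machine Personal store.
# Assumption: SstpSvc\Parameters\SHA1CertificateHash holds the SHA-1 thumbprint
# of the certificate SSTP is bound to (REG_BINARY).

function ConvertTo-HexString {
    param([byte[]]$Bytes)
    if (-not $Bytes) { return $null }
    return (($Bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

# 1. What SSTP thinks it is bound to.
$sstpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$sstp       = Get-ItemProperty -Path $sstpKey -ErrorAction SilentlyContinue
$sstpSha1   = ConvertTo-HexString $sstp.SHA1CertificateHash
$sstpSha256 = ConvertTo-HexString $sstp.SHA256CertificateHash

# 2. What HTTP.sys is bound to (the binding edited for the Default Web Site),
#    parsed from "netsh http show sslcert" output lines "Certificate Hash : <hex>".
$httpHashes = netsh http show sslcert |
    Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpper() } |
    Sort-Object -Unique

# 3. Certificates in LocalMachine\My that have a private key (RRAS needs one).
$personal = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

if (-not $sstpSha1 -and -not $sstpSha256) {
    Write-Warning 'SSTP has no certificate bound (the same state as the blank Certificate field in the RRAS Security tab).'
} else {
    $bound = $personal | Where-Object { $_.Thumbprint -eq $sstpSha1 }
    if (-not $bound) {
        # Typical after deleting the expired certificate before rebinding SSTP.
        Write-Warning "SSTP is bound to thumbprint $sstpSha1, which is no longer in LocalMachine\My with a private key."
    } elseif ($bound.NotAfter -lt (Get-Date)) {
        Write-Warning "SSTP certificate '$($bound.Subject)' expired on $($bound.NotAfter)."
    } else {
        Write-Host "SSTP is bound to '$($bound.Subject)', valid until $($bound.NotAfter)."
    }
    if ($httpHashes -and ($httpHashes -notcontains $sstpSha1)) {
        Write-Warning "SSTP thumbprint $sstpSha1 differs from the HTTP.sys binding(s): $($httpHashes -join ', ')."
    }
}

# Optional remediation, equivalent to step 5 above (assumes the RemoteAccess module;
# 'remote.example.com' is a placeholder for the name on the renewed certificate):
#   $new = Get-ChildItem Cert:\LocalMachine\My |
#              Where-Object { $_.HasPrivateKey -and $_.Subject -like '*remote.example.com*' } |
#              Sort-Object NotAfter -Descending | Select-Object -First 1
#   Set-RemoteAccess -SslCertificate $new
```

Run this before deleting an old certificate as well as after renewing: the warning about a thumbprint that is "no longer in LocalMachine\My" is exactly the condition that made the console show the SSTP binding as blank, and the HTTP.sys comparison catches the case where only the IIS binding was updated.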

Zephyr ICT (Cloud Architect) commented:
Great find, thanks for the follow up!
bhaf (Author) commented:
I appreciate spravtek jumping in to help as I couldn't find anything about this on the web when I first looked. But I kept searching and eventually found an article elsewhere that led me to a resolution. Thanks anyway spravtek!
Zephyr ICT (Cloud Architect) commented:
No problem, thanks for writing down the solution, it will surely help others!