SSTP VPN Windows Server 2019

Alan Bateman
Cannot get Windows Server 2019 SSTP VPN authentication to work. I have set up Windows Server 2019 Std on a small ProLiant Microserver straight out of the box. I have installed ADDS, IIS and RRAS, and got a working SSL certificate bound to default website (from LetsEncrypt). I have set up 20 SSTP ports with their own static IP address pool. I am using Windows Authentication (have not installed NPS) and have selected MS-CHAP v2 as a valid authentication protocol. When I try to connect to this server via this VPN it appears to connect and then immediately fails authentication. It clearly refuses to accept my username and password for the domain (despite that username being an enterprise and domain administrator). I have a very similar setup working with a couple of other customers elsewhere but this one just will not work. I have selected Allow Access on the user profile. Is there something else I've missed? Something that authorises users to be able to connect to the domain via VPN?
Director
Commented:
OK. Fixed it. It appears that even though I did not have Network Policy and Access Services (NPAS) added as a server role, I still had an NPS shortcut under Windows Administration tasks. It also appears that the NPS settings stored there appear to override the Allow Access which was selected on the user's dial-in tab. I enabled a network connection request policy and enabled a network policy specifying MS-CHAP v2 as the authentication policy, changed the dial-up tab to say 'Control access through NPS...' and suddenly it all works. I thought I'd disabled NPS but it seems I had to configure it properly after all. I thought this only applied if using RADIUS authentication and I had RRAS set to Windows Authentication but, hey-ho, that's Microsoft software for you. It's working now.
Top Expert 2013

Commented:
I did not have a definitive answer for you but was following. Thanks Alan for posting your solution.  I was very curious.  I haven't configured SSTP for quite a while but I believe NPS and a policy have been required since 2012 for both SSTP and L2TP, and possibly even PPTP.  Good to know. Thanks again.
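
The checks below are an added example, not part of the original thread: a PowerShell sketch for confirming the condition the fix above describes (NPS policies in effect on the RRAS server, and what the account's dial-in setting says). The account name `vpnuser` is a placeholder, the ActiveDirectory module is assumed to be installed, and event 6273 is only logged when Network Policy Server auditing is enabled.

```powershell
# Added diagnostic sketch; run in an elevated session on the RRAS server.
param([string]$User = 'vpnuser')   # placeholder account name, not from the thread

# 1. Is the NPS service (service name IAS) present and running?
Get-Service -Name IAS -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 2. Which connection request policies and network policies does NPS hold,
#    and are they enabled? Look for one that permits MS-CHAP v2.
netsh nps show crp
netsh nps show np

# 3. What does the account's dial-in setting say?
#    msNPAllowDialin: TRUE = Allow access, FALSE = Deny access,
#    not set = Control access through NPS Network Policy.
Import-Module ActiveDirectory
$u = Get-ADUser -Identity $User -Properties msNPAllowDialin
if ($null -eq $u.msNPAllowDialin) { $dialIn = 'Control access through NPS Network Policy' }
elseif ($u.msNPAllowDialin)       { $dialIn = 'Allow access' }
else                              { $dialIn = 'Deny access' }
"{0}: {1}" -f $u.SamAccountName, $dialIn

# 4. Recent NPS denials (Security event 6273) with the policy that matched
#    and the reason NPS gave for rejecting the logon.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $_.TimeCreated
        ($_.Message -split "`r?`n") -match 'Policy Name|Authentication Type|Reason'
    }
```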
