Quickly establish an SSTP VPN connection from a Windows 7 RC VPN client without a published CRL distribution point

Say you've just deployed a lab for testing SSTP, including:
- Windows 2008 R2 RC as the RRAS server and the NPS server
- Windows 2008 R2 RC as the DC and enterprise CA (the Active Directory Certificate Services role was installed with the Certification Authority role service and the Certification Authority Web Enrollment role service, which lets certificates be requested and issued through a web browser; IIS was also installed, as it is a required role service for Certification Authority Web Enrollment)
- Windows 7 RC as the SSTP VPN client.

For various reasons, you may want to be able to quickly establish an SSTP connection; for example, my Windows 7 RC machine (the SSTP VPN client) is not a domain member, only the RRAS server is.
You've imported the CA's certificate on the client into the Certificates computer store, Trusted Root Certification Authorities.
You've also quickly edited the hosts file on the client and added the hostname of the VPN server (the needed certificate was issued to the FQDN of the VPN server; in my case I issued a computer certificate to the VPN server using the MMC and the Computer certificate template, so the client uses the server's FQDN in the VPN connection).

But the CRL check "stops" your SSTP connection because you have not yet published the HTTP CRL distribution point (in fact, in the lines below, I've not configured an HTTP CRL distribution point at all; only the LDAP one is present in the server's certificate) and the "stringent" CRL check was not disabled (disabling the CRL check may be acceptable in a lab), so the client cannot download the CRL:
sstp_error_crl

VPN server’s certificate:
rras_server_cert

server_cert

server_cert2

CA's certificate imported on the client, into the Certificates computer store, Trusted Root Certification Authorities:
ca_cert_imported 

Hosts file on the SSTP VPN client:
hosts_file_client

Configured VPN connection on the client:
vpn_connection_client 

We can make the 0x80092013 CRL check error "go away" without disabling the CRL check if we download and import on the Windows 7 RC SSTP VPN client the latest base CRL and the latest delta CRL from the enterprise CA that issued the certificate (obviously, if you want a more "production-like" lab, as far as an RC can be production-like, you should publish the required CRL distribution point and configure the VPN server's certificate accordingly).
ca_crl_dates 

For example, initially establish a PPTP VPN connection from your client, and while you download the needed CA certificate from the Web Enrollment site on the CA, also download the latest base CRL and the latest delta CRL:

ca_download

ca_crl_download

Then, after you've imported the CA's certificate on the client into the Certificates computer store, Trusted Root Certification Authorities, import the latest base CRL and the latest delta CRL into the Certificates computer store, Intermediate Certification Authorities:

import_crl

Just follow the wizard:
following the wizard

After you import them, they will appear in the Certificates computer store, Intermediate Certification Authorities, Certificate Revocation List:
- base CRL:

base_crl_1

base_crl_2
- delta CRL:

delta_crl_1

delta_crl_2

And now you should be able to establish your SSTP connection from the Windows 7 RC VPN client (EAP-MSCHAPv2 was used below for user authentication):
vpn_connection_client_estab
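The same download-and-import procedure scripted, plus a check that the VPN server's certificate now passes a revocation check using only the cached CRLs (which is what the SSTP client needs when the CDP is unreachable). This is an added example, not code from the original post; the CA web enrollment URL, the exported server certificate path and the certcrl.crl / certcrl+.crl file names on the certsrv site are assumptions.

```powershell
# Added example (not from the original post): fetch the latest base and delta CRL
# from the enterprise CA's Web Enrollment site, import them into the client's
# Intermediate Certification Authorities store, then build the VPN server's
# certificate chain with revocation checked against cached CRLs only.
# Assumed values: CA reachable at http://ca.lab.local/certsrv and the VPN
# server certificate exported to C:\lab\vpn-server.cer.
param(
    [string]$CaWebEnrollUrl = 'http://ca.lab.local/certsrv',
    [string]$ServerCertPath = 'C:\lab\vpn-server.cer',
    [string]$WorkDir        = "$env:TEMP\sstp-crl"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Assumed Web Enrollment paths: base CRL is certcrl.crl, delta CRL is certcrl+.crl
$crls = @{
    base  = "$CaWebEnrollUrl/certcrl.crl"
    delta = "$CaWebEnrollUrl/certcrl+.crl"
}
$wc = New-Object System.Net.WebClient
foreach ($kind in $crls.Keys) {
    $file = Join-Path $WorkDir "$kind.crl"
    $wc.DownloadFile($crls[$kind], $file)
    # Show NextUpdate so an already-expired CRL is obvious before it fails the check
    certutil -dump $file | Select-String 'NextUpdate'
    # "CA" is the LocalMachine Intermediate Certification Authorities store
    certutil -addstore CA $file | Out-Null
}

# Build the chain the way the SSTP client does: revocation of the entire chain,
# but Offline mode so only CRLs already in the local stores are consulted.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Offline
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
if ($chain.Build($cert)) {
    Write-Host "Chain and revocation check OK for $($cert.Subject)"
} else {
    # An OfflineRevocation / RevocationStatusUnknown status here is the same
    # condition the SSTP client reports as 0x80092013
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```

Re-run the script before the imported delta CRL's NextUpdate passes, or the 0x80092013 error returns; `certutil -verify -urlfetch C:\lab\vpn-server.cer` shows the same chain and CRL retrieval attempts from the command line.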


Related documents:
- How to debug SSTP specific connection failures:
http://blogs.technet.com/rrasblog/archive/2007/09/26/how-to-debug-sstp-specific-connection-failures.aspx
- How to troubleshoot Secure Socket Tunneling Protocol (SSTP) based connection failures when client fails to connect to SSTP VPN server giving error message 0x80092013:
http://support.microsoft.com/kb/961880
- How to troubleshoot Secure Socket Tunneling Protocol (SSTP)-based connection failures in Windows Server 2008:
http://support.microsoft.com/kb/947031
- Revoking certificates and publishing CRLs:
http://technet.microsoft.com/en-us/library/cc782162.aspx
- Schedule the publication of the certificate revocation list:
http://technet.microsoft.com/en-us/library/cc781735(WS.10).aspx

Comments (3)

  • Ralf Linke

    4/1/2010 2:33:36 PM

    Very good! I had this error and I searched the net, but I found nothing on Microsoft or elsewhere!

    Thanks

  • Tom

    9/13/2010 3:57:37 PM

    Hi,
         If I am at a coffee shop or hotel room, my SSTP connection works flawlessly. If I go into the client's office after connecting in the hotel, the SSTP works great. If I don't connect at the hotel for a day and then go into the client's office, I get the 0x80092013 error. What could be the cause that inside a corporate network I can't get the CRL (although I can get it by specifying the address in the browser) but at a public Wi-Fi I can get a connection?

         Thanks for your help,

         Tom

  • adimcev

    9/13/2010 8:49:45 PM

    Hi Tom,

    I would start by taking a Wireshark or Netmon trace on the SSTP VPN client and see how (the path, DNS) the client tries to get the CRL on the inside network, and notice the server response, if any.

    Thanks,
    Adrian
