RE: Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 15 Dec 2005 10:25:48 +0100

Hi Tom, 

The problem occurs because the System and Administrator accounts do not have
sufficient permissions to, or the Administrators group does not have
ownership of, the folder
%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.
By implementing the solution mentioned in
http://support.microsoft.com/default.aspx?scid=kb;en-us;295162, we could
solve the problem.

We also found out that in our case a whole bunch of HP Evo N1020V laptops
with pre-installed XP have that particular problem. We could quickly verify
if it was that permissions problem by trying to export the machine cert
through the Certificate MMC: 
 
1. If the permissions are wrong, we got the message: "The associated private
key can not be found. Only the certificate can be exported."

2. If the permissions are correctly set, the message was: "The associated
private key is marked as not exportable. Only the certificate can be
exported."

I think this topic is worth mentioning in the next newsletter ;-)

Kindly, 
Stefaan
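
The export test described above can also be run as a script. The following is an added example, not part of the thread or of KB 295162: it prints the owner and the SYSTEM/Administrators entries on the MachineKeys folder, then tries to open each machine certificate's private key. It assumes an elevated PowerShell session, adds the Vista-and-later %ProgramData% path as a second location, and uses the legacy PrivateKey property as a stand-in for the MMC export check (CNG-backed keys can fail that property for unrelated provider reasons).

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
$wellKnown = @{
    'SYSTEM'         = 'S-1-5-18'      # well-known SID: Local System
    'Administrators' = 'S-1-5-32-544'  # well-known SID: BUILTIN\Administrators
}
$sidType = [System.Security.Principal.SecurityIdentifier]

# Folder named in the post (XP layout) first, then the Vista-and-later location (assumption).
$dir = @(
    "$env:SystemDrive\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys",
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $dir) { throw 'MachineKeys folder not found' }

# 1. Ownership and the entries for the two principals the post names.
$acl   = Get-Acl -Path $dir
$owner = $acl.GetOwner($sidType)
"Folder : $dir"
"Owner  : $($owner.Value)"
if ($owner.Value -ne $wellKnown['Administrators']) {
    'WARN   : owner is not the Administrators group'
}
$rules = $acl.GetAccessRules($true, $true, $sidType)   # explicit + inherited
foreach ($name in $wellKnown.Keys) {
    $allow = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $wellKnown[$name] -and
        $_.AccessControlType -eq 'Allow' })
    if ($allow.Count -eq 0) { "WARN   : no Allow entry for $name" }
    else { "$name : $(($allow | ForEach-Object { $_.FileSystemRights }) -join '; ')" }
}

# 2. Scripted counterpart of the MMC export test: the store entry claims a
#    private key, but can the key container actually be opened?
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $state = 'store entry has no private key'
    if ($cert.HasPrivateKey) {
        try {
            $key   = $cert.PrivateKey   # legacy CSP accessor; opens the key container
            $state = if ($key) { 'private key opened' } else { 'private key could not be opened' }
        } catch {
            $state = "private key NOT accessible: $($_.Exception.Message)"
        }
    }
    '{0}  {1}  {2}' -f $cert.Thumbprint, $cert.Subject, $state
}
```

A certificate that reports a private key in the store but cannot open it, together with a WARN line from the first part, corresponds to case 1 in the message above.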


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Tuesday 13 December 2005 22:14
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Error 786: The L2TP connection attempt failed because
there is no valid machine certificate on your computer for security
authentication

http://www.ISAserver.org

Hi Stefaan,

It would be interesting to see the details of the machine certificate.
Let us know what the problem was when you find out :)

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Tuesday, December 13, 2005 2:57 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Error 786: The L2TP connection attempt failed 
> because there is no valid machine certificate on your computer for 
> security authentication
> 
> Tom,
> 
> Nothing else!
> 
> Some time ago we had the exact same problem. But then that box was 
> very VERY slow and other things didn't work either. So, we used my 
> favorite command FDISK and rebuilt the box from scratch. Problem 
> solved ;-)
> 
> BTW --- A PPTP connection with EAP-TLS works great. So, it must be 
> something related to the machine certificate.
> 
> Thanks,
> Stefaan
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Tuesday 13 December 2005 21:34
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Error 786: The L2TP connection attempt failed 
> because there is no valid machine certificate on your computer for 
> security authentication
> 
> Hi Stefaan,
> 
> Anything in the Event viewer that might indicate something else is 
> wrong?
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: Tuesday, December 13, 2005 2:28 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Error 786: The L2TP connection attempt failed
> > because there is no valid machine certificate on your computer for 
> > security authentication
> > 
> > Hi Tom,
> > 
> > I have no access to those machines at this moment. But as far as I can 
> > remember, the whole certificate chain is correct and the clocks are 
> > synchronized.
> > 
> > Thanks,
> > Stefaan
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Tuesday 13 December 2005 21:23
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Error 786: The L2TP connection attempt failed
> > because there is no valid machine certificate on your computer for 
> > security authentication
> > 
> > Hi Stefaan,
> > 
> > Is the clock correct on the machines that aren't working?
> > 
> > Is the CA certificate in the right place?
> > 
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > Sent: Tuesday, December 13, 2005 2:03 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Error 786: The L2TP connection attempt failed 
> > > because there is no valid machine certificate on your computer for
> > > security authentication
> > > 
> > > Hey guys,
> > > 
> > > On two laptops with Windows XP SP2 we get the Error 786: The L2TP 
> > > connection attempt failed because there is no valid machine 
> > > certificate on your computer for security authentication.
> > > 
> > > In the Event Security log we see Event ID's 547: 
> > > 
> > > IKE security association negotiation failed.
> > > Mode: Key Exchange Mode (Main Mode)
> > > Filter: <snip>
> > > Peer Identity: <snip>
> > > Failure Point: Me
> > > Failure Reason: No private key associated with machine certificate
> > > Extra Status: 0x80092004 0x0
> > > 
> > > We have verified that there is a valid machine certificate in the 
> > > computer personal store with an associated private key. A new machine
> > > certificate on the failing box isn't working either. Other machines
> > > are working great. So, something must be screwed up on these particular
> > > boxes.
> > > 
> > > Any idea how to solve that problem? 
> > > 
> > > Thanks,
> > > Stefaan
> > > 
> > > 
> > 
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as: 
> > tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit 
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
> > 
> 