Hi Tom,

The problem occurs because the System and Administrator accounts do not have sufficient permissions to, or the Administrators group does not have ownership of, the %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder. By implementing the solution mentioned in http://support.microsoft.com/default.aspx?scid=kb;en-us;295162, we could solve the problem.

We also found out that in our case a whole bunch of HP Evo N1020V laptops with pre-installed XP have that particular problem. We could quickly verify if it was that permissions problem by trying to export the machine cert through the Certificate MMC:

1. If the permissions are wrong, we got the message: "The associated private key can not be found. Only the certificate can be exported."
2. If the permissions are correctly set, the message was: "The associated private key is marked as not exportable. Only the certificate can be exported."

I think this topic is worth mentioning in the next newsletter ;-)

Kindly,
Stefaan

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday 13 December 2005 22:14
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication

http://www.ISAserver.org

Hi Stefaan,

It would be interesting to see the details of the machine certificate. Let us know what the problem was when you find out :)

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Tuesday, December 13, 2005 2:57 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication
>
> Tom,
>
> Nothing else!
>
> Some time ago we had the exact same problem. But then that box was very VERY slow and other things didn't work either. So, we used my favorite command FDISK and rebuilt the box from scratch. Problem solved ;-)
>
> BTW --- A PPTP connection with EAP-TLS works great. So, it must be something related to the machine certificate.
>
> Thanks,
> Stefaan
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Tuesday 13 December 2005 21:34
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication
>
> Hi Stefaan,
>
> Anything in the Event viewer that might indicate something else is wrong?
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: Tuesday, December 13, 2005 2:28 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication
> >
> > Hi Tom,
> >
> > I have no access to those machines at this moment. But as far as I can remember, the whole certificate chain is correct and the clocks are synchronized.
> >
> > Thanks,
> > Stefaan
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Tuesday 13 December 2005 21:23
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication
> >
> > Hi Stefaan,
> >
> > Is the clock correct on the machines that aren't working?
> >
> > Is the CA certificate in the right place?
> >
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > Sent: Tuesday, December 13, 2005 2:03 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication
> > >
> > > Hey guys,
> > >
> > > On two laptops with Windows XP SP2 we get the Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication.
> > >
> > > In the Event Security log we see Event IDs 547:
> > >
> > > IKE security association negotiation failed.
> > > Mode: Key Exchange Mode (Main Mode)
> > > Filter: <snip>
> > > Peer Identity: <snip>
> > > Failure Point: Me
> > > Failure Reason: No private key associated with machine certificate
> > > Extra Status: 0x80092004 0x0
> > >
> > > We have verified that there is a valid machine certificate in the computer personal store with an associated private key. A new machine certificate on the failing box isn't working either. Other machines are working great. So, something must be screwed up on these particular boxes.
> > >
> > > Any idea how to solve that problem?
> > >
> > > Thanks,
> > > Stefaan
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
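
A scripted version of the permission check discussed in this thread, as an added example that is not part of the original messages: it reads the owner and ACL of the MachineKeys folder by well-known SID, then tries to open the private key of each certificate in the local machine store. Treating Full Control for SYSTEM and Administrators as the expected state is an assumption; the authoritative values are in the KB article linked in the first message.

```powershell
# Added example (not from the thread). Run from an elevated prompt.
# The path is the Windows XP location quoted in the first message.
$path = Join-Path $env:SystemDrive 'Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'

# Well-known SIDs, so the check also works on localized Windows installs
# where the account and group names are translated.
$principals = @{ 'S-1-5-18' = 'SYSTEM'; 'S-1-5-32-544' = 'Administrators' }
$sidType    = [System.Security.Principal.SecurityIdentifier]
$fullCtl    = [System.Security.AccessControl.FileSystemRights]::FullControl

$acl   = Get-Acl -Path $path
$owner = $acl.GetOwner($sidType).Value
$rules = $acl.GetAccessRules($true, $true, $sidType)   # explicit and inherited ACEs

if ($owner -ne 'S-1-5-32-544') {
    Write-Warning "Owner is $owner, not the Administrators group (S-1-5-32-544)"
}

foreach ($sid in $principals.Keys) {
    # Assumption: an Allow ACE with FullControl is the expected state.
    # Deny ACEs and inheritance scope are not evaluated here.
    $ok = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $fullCtl) -eq $fullCtl
    }
    if ($ok) { "{0}: Full Control present" -f $principals[$sid] }
    else     { Write-Warning ("{0}: no Allow/FullControl ACE on {1}" -f $principals[$sid], $path) }
}

# A certificate can report HasPrivateKey (the store property is set) while the
# key container file cannot be opened, which matches the symptom in the thread:
# the store shows a key, IKE reports none.
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    if (-not $cert.HasPrivateKey) { continue }
    try {
        $null = $cert.PrivateKey      # forces the key container to be opened
        "{0}: private key opened" -f $cert.Thumbprint
    } catch {
        Write-Warning ("{0}: key referenced but not accessible: {1}" -f $cert.Thumbprint, $_.Exception.Message)
    }
}
```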