Azure vpn error A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)

Asked 31/3, 2019 at 13:37 Answered 19/8, 2022 at 22:21

Solved azure certificate vpn

I am creating a VPN in Azure, and created self-signed certificate in the following places:

Local Computer: Personal/Certificates: Issued To: FQDN name is the certificate's name Trusted Root Certification Authorities/Certificates: manually copied from Personal

I have configured the VPN in Azure and it is downloaded and extracted and the vpn client is installed successfully, however, when I run the client I received the following error:

A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)

Screenshot:

The error seems suggesting the certificate is NOT found, does the name matter?

Should I change the cert's name from Azurecert to FQDN which is the name in my local computer?

Thank you for your help in advance.

UPDATE: I removed the existing certification in Azure's configuration and re-added back with the same FQDN name shown in local computer's certificates, I redownloaded the client, I removed the existing installed vpn client and re-installed the new one, I receive the same error message. So it seems name is not the root cause?

UPDATE2:

The procedure I've followed:

Create Self Signed Certificate with the FQDN name on local laptop;

New-SelfSignedCertificate –DnsName NV-RXIE.novantas.pri -CertStoreLocation “cert:\LocalMachine\My”
Add the self-signed certificate as a trusted certificate authority, Copy the new cert to Trusted Root Certificate Authorities
export the cert and open it, copy the cert part and paste into the VPN setting – Root certificates, Public Certificate Data
Download the VPN client and install it on laptop, run it
Connect, failed with:

A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)

Dx answered 31/3, 2019 at 13:37 Comment(1)

#68728525 – Countershaft 16/8, 2021 at 8:26

When you try to connect to an Azure virtual network by using the VPN client, except for exporting the root certificate public key .cer file to Azure, each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate and then export and install the client certificate. If the client certificate is not installed, authentication fails.

This problem occurs if the client certificate is missing from Certificates - Current User\Personal\Certificates.

You could follow this solution to fix this issue. For more information about how to install the client certificate, see Generate and export certificates for point-to-site connections.

Falmouth answered 1/4, 2019 at 2:0 Comment(9)

Thank you very much Nancy, the procedures I was following do not include the step of uploading root certificate to Azure, can you enlighten me with the needed procedure step by step? The cert was created successfully on local machine – Dx 1/4, 2019 at 2:15

Your screenshot shows a root cert in Azure. re-edit it, I mean exporting the root certificate public key .cer file to Azure. Here is the full step you could follow. For windows, you can install client certificates for P2S certificate authentication connections. – Falmouth 1/4, 2019 at 2:25

What steps do you have followed? One more thing to confirm: do you installed the VPN client on the machine which is the same as you generated a self-sign root cert? – Falmouth 1/4, 2019 at 2:29

I've added the procedure in the UPDATE2 in the OP. Thank you very much. – Dx 1/4, 2019 at 2:43

Where in the Certificate Export Wizard shows the way to export/upload the cert to Azure? I only see how to export to local – Dx 1/4, 2019 at 2:47

check step 9 here, The section in blue contains the information that is uploaded to Azure. – Falmouth 1/4, 2019 at 2:50

Let us continue this discussion in chat. – Dx 1/4, 2019 at 2:51

Thank you very much Nancy, I am able to create a working VPN by following the steps in the link you shared with me. So definitely the previous guide I was following from a udemy course was actually not complete and at least not working for me. Thank you for the time and patience. – Dx 1/4, 2019 at 14:8

To other people that stumble upon this. If everything was working fine, and you just start to get this error, check your certificate expiry. An expired certificate gives the same error. – Caporal 22/6, 2020 at 22:28

In case anyone runs into this issue at some stage, I had installed a new root cert that worked for 2 out of 3 VPN gateways fine. The third kept giving a 798 error even though the certs were correct and in the right place.

To fix the Error 798, I did the following:

reset the gateway in Azure Portal. (support & troubleshooting on VPN gateway blade)
remove the VPN configuration from my pc (win10)
reboot pc (just to be safe)
download and reinstall the VPN client from the Azure Portal again (from Point-to-site configuration on Azure VPN gateway in question)
Once done, I could then connect without any issues. Tested on several different users.

My guess is that if you are adding / removing the Root certs it might need you to reinstall the VPN client on your computer after the gateway has the new root cert configuration.

Hope that helps.

Ingles answered 20/12, 2019 at 4:13 Comment(0)

In addition to the answer by Nancy Xiong:

If you are still having problems with this error you can try the following

Run certmgr.msc
Go to Personal->Certificates
Right-click your certificate
All Tasks->Export
Choose Yes: Export private key
Accept default options until you reach a step where you must enter a password
Enter a password, and continue until you have exported your certificate
Repeat this process if you have more than one certificate
Locate your certificates in the Windows file explorer
Right-click->Install
Select Current User for the Store Location
Accept default options, and enter the certificate password when prompted
When asked which Certificate Store to place the certificate in, select Place all certificates in the following store
Click 'Browse' and select your Personal store

This should now work.

In rare circumstances you may find that this solution will only work for a short time (usually failing the next time you reboot). In this case you may need to follow these additional steps

Boot your computer into BIOS Configuration
Disabled any settings for Intel VTX and Intel VTD
Restart your computer
Retry the steps above

Restate answered 3/5, 2019 at 12:15 Comment(0)

For me, I got this error because my previous cert has expired after 1 year.

I just deleted the old cert and followed this to create a new one: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Incomer answered 19/8, 2022 at 22:21 Comment(0)

In addition to the answer by Peter Morris, I have did the below mentioned steps which helped in resolving this issue.

Delete the client certificate from your PC. This can be done by searching Manage User Certificates right click on the certificate -> Delete
Now, Reinstall your certificate, Accept default options, and enter the certificate password when prompted.
When asked which Certificate Store to place the certificate in, select Place all certificates in the following store Click 'Browse' and select your Personal store
Accept all the default options which comes next and click finish.

The above steps helped me to resolve this issue

Cavalry answered 23/10, 2021 at 11:48 Comment(0)

Recommended topics

Hot tags