Every computer that you connect to a Virtual Network with a Point-to-Site connection must have a client certificate installed. All what is required is just to generate it from the root certificate and install it on each computer and make sure it is valid client certificate, if not the authentication will fail when the computer tries to connect to the Virtual Network and you will get this error “The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid. (Error 853)” For more related Windows Operating System errors you can read this: How to Resolve Microsoft RDP Connection Black Screen, How to Fix “Insufficient System Resources Exist to Complete the Requested Service” error, How to fix the issue “The Security Database on the Server does not have a Computer Account for this Workstation Trust Relationship” on Windows Server [Part 2], How to Quickly Fix Windows Search Bar Not Working, Windows Out Of Box Experience: OOBESETTINGSMULTIPLEPAGE error on Windows 10, Windows cannot connect to the printer: Operation Failed with error 0x000004f8, How to Fix “Unknown hard error” on Windows Server and Windows 10,
Please note that it is possible to generate a unique certificate for each workstation or generate the same certificate for all the workstations. The benefit of generating the same certificate is the ability to be able to revoke any certificate you decide to revoke. But when multiple workstations use the certificate for authentication, then each time you revoke a certificate you will need to generate a new certificate and start installing on each workstation again.
Generate your certificate by following these methods:
- Enterprise certificate:
- Generate a client certificate with the common name like tech@yourdomain.com. This format is better than the domain name\username format.
- You also need to confirm that the client certificate is based on a user certificate template that consist Client Authentication in the user list.
- Self-signed root certificate:
When a certificate is generated from a self-signed root certificate it is automatically installed on the workstation where the certificate was generated. But note that if you intend to install this certificate on another computer then you will need to export it as .pfx file which also includes the whole certificate chain. When you do this, you will be able to create .pfx file that consists of all the root certificate information needed for the computer to get authenticated.
In this guide, we will be demonstrating how to generate a compatible certificate that you can export, distribute and install on all computers.
Immediately the virtual network gateway is created, navigate to the Point-to-site configuration and click Configure now to open the configuration page.
in the Address pool box, add the private IP address range that you want to make use for your connectivity. VPN clients dynamically receive an IP address from the range of IP’s that you already specify here.
Continue to the next part of configuration which is the authentication and tunnel types. Here you specify the tunnel type and the authentication type. Note that if the tunnel type or authentication type on the Point-to-site configuration page is not visible it then means your gateway is using the Basic SKU.
The Basic SKU does not support IKEv2 or RADIUS authentication. But if you decide to use these configuration settings then you will need to delete and configure a new gateway with a different gateway SKU.
Select Azure certificate as your authentication type
The next thing is to upload a root certificate public key information to Azure. This is used to authenticate any computers that have installed the certificate generated from the trusted root certificate.
- Now move to the Root certificate section of the Point-to-site configuration page. This section is only visible if you have selected Azure certificate for the authentication type.
- Confirm that the root certificate is exported as a Base-64 encoded X.509 (.CER) file. The reason for this is because you will be able to open the certificate with any text editor, there is no need for exporting the private key.
You can open the certificate with a text editor like notepad and by the time you are copying the certificate confirm that you copy the text without any line feeds.
In the Root certificate section, it is very possible you add up to 20 trusted root certificates.
- Paste the certificate data into the Public certificate data field.
- Give the certificate a Name.
Click Save to save all configuration settings.
Another thing we are looking at is installing exported client certificates. Let us assume you want to create a point-to-site (P2S) connection from a computer that was not used to generate the certificate then it is a must that you have to install the exported certificate on the computer before P2S connection can be possible. But while installing the certificate you will need the password that was created while exporting the client certificate.
Always confirm that the client certificate was exported as a .pfx with the entire certificate chain. If this confirmation is not done then the root certificate information will not be complete or present on the client’s computer and the client won’t be able to authenticate properly.
Configuring settings for VPN clients
For connection to the virtual network gateway via P2S to be possible then each computer will make use of the VPN client which is part of the Windows operating system programs.
To access this VPN service just type VPN in the search box, this will display the VPN setting where you carry out your VPN connection. You do not need to install any separate VPN client all that is required is to configure each VPN client by using a client configuration package. This client configuration package is unique in the sense that it only contains settings that are specific to the VPN gateway that you created on Azure.
You can as well generate and download VPN client configuration files, then install them on the computer. After the installation, you can then go ahead to connect to Azure.
How to connect from a Windows VPN client
- Navigate to VPN settings on your computer and select the VPN connection that you created through the VPN client configuration that you downloaded and installed.
- On the Connection status page, click Connect to start the connection. You will see a message about “connection manager needs elevated privilege” you can just click continue. If you see a Select Certificate screen, confirm that the client certificate displaying is the one that you need to connect. If it is not, use the drop-down arrow to select the correct certificate, and then select OK.
The earlier issue has now been corrected because the correct certificate was installed and selected then the P2S connection will be successfully established.
I hope you found this blog post on How to fix this issue: The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid. (Error 853). very interesting and helpful. In case you have any questions do not hesitate to ask in the comment section.