Unable to create point-to-site connectivity in Windows 8.1 - Azure

I have tried to create a VPN connection on my Windows 8.1 machine.
I have followed the steps mentioned in the setup. While connecting, it shows the error message:
"A certificate could not be found that can be used with this
Extensible Authentication Protocol. (Error 798)".
How do I resolve this issue? Thanks in advance.

This typically means that the client certificate is not installed on the Windows machine you are trying to connect from.
On the client machine, please open "certmgr" from the command prompt and verify that the client certificate (created/signed by the root certificate) is installed on the machine.
A couple more things to check or verify:
The P2S root cert, the one you uploaded to Azure, must be in the machine's trusted root store in certmgr.
Delete and re-install/import the client cert again; please ensure you do NOT check "Enable strong private key protection ...".
(It's a long shot but ...) Check if the following regkey is set to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\SelectSelfSignedCert
If it still fails, collect tracing for further debugging from an elevated command prompt:
"netsh ras diag se tr en"
Reproduce the issue (failed connect)
"netsh ras diag se tr dis"
Share/send the contents of your Windows\tracing folder.
[Edit]
Just found another link with very extensive instructions to try:
https://www.tectimes.net/how-to-microsoft-azure-como-solucionar-el-error-798-a-certificate-could-not-be-used-with-this-extensible-authentication-protocol-en-windows-8-1-en-una-vpn-hacia-azure/
(In Spanish; you will need to translate the page.)
Thanks,
Yushun [MSFT]
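The checks in the answer above, scripted for the Windows client. This is an added example, not code from the answer or from Microsoft; the root subject `CN=P2SRootCert` and the connection name `Azure P2S` are assumptions, so pass the values from your own setup. It looks for the uploaded root in a trusted root store, then for a client certificate issued by that root in CurrentUser\My that has a private key, carries the Client Authentication EKU (what EAP-TLS selects on) and actually chains, reads the `SelectSelfSignedCert` value, and optionally wraps one failed connection attempt in the RAS trace from the answer.

```powershell
# Added example, not part of the original answer: runs the answer's checks on the
# Windows client. The root subject and connection name are assumptions.
param(
    [string]$RootSubject    = 'CN=P2SRootCert',   # subject of the root you uploaded to Azure (assumed)
    [string]$ConnectionName = 'Azure P2S',        # name of the VPN entry, for the optional trace (assumed)
    [switch]$Trace                                # run the netsh tracing steps (needs an elevated prompt)
)

# 1. The root must sit in a trusted root store on this machine.
$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -eq $RootSubject })
if ($roots.Count -eq 0) {
    Write-Warning "Root '$RootSubject' not found in LocalMachine\Root or CurrentUser\Root"
} else {
    $roots | ForEach-Object { "Root found: $($_.Thumbprint) ($($_.PSParentPath -replace '.*::', ''))" }
}

# 2. A client cert issued by that root must be in CurrentUser\My, with its private key,
#    carrying the Client Authentication EKU that EAP-TLS selects on, and it must chain.
$clients = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Issuer -eq $RootSubject })
if ($clients.Count -eq 0) { Write-Warning "No client cert issued by '$RootSubject' in CurrentUser\My" }
foreach ($c in $clients) {
    "Client cert: $($c.Subject) thumbprint $($c.Thumbprint) expires $($c.NotAfter)"
    if (-not $c.HasPrivateKey) {
        Write-Warning "  no private key: re-import the .pfx, leaving 'Enable strong private key protection' unchecked"
    }
    if (-not ($c.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')) {
        Write-Warning "  EKU does not include Client Authentication (1.3.6.1.5.5.7.3.2)"
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a private root has no CRL; skip revocation
    if (-not $chain.Build($c)) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "  chain: $($_.Status) $($_.StatusInformation.Trim())" }
    }
}

# 3. The long-shot registry value from the answer (normally absent).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
$val = (Get-ItemProperty -Path $key -Name SelectSelfSignedCert -ErrorAction SilentlyContinue).SelectSelfSignedCert
"SelectSelfSignedCert = $(if ($null -eq $val) { '<not set>' } else { $val })"

# 4. Optional: RAS tracing around one failed connection attempt, as in the answer.
if ($Trace) {
    netsh ras diag se tr en
    rasdial $ConnectionName          # reproduce the failure
    netsh ras diag se tr dis
    Get-ChildItem "$env:windir\tracing" -Filter *.log |
        Sort-Object LastWriteTime -Descending | Select-Object -First 5 Name, LastWriteTime
}
```

Run it as the user who will dial the VPN (the client certificate lives in that user's personal store), and add `-Trace` from an elevated prompt only when the store checks come back clean, since the trace is only informative once the certificate itself is known to be right.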

Related

Azure VPN / OpenVPN(SSL) Peer certificate verification failure

We created a root certificate, which unfortunately expired today in Azure VPN. I regenerated the certificate, uploaded it to Azure VPN, regenerated a client certificate and set up the OpenVPN configuration file (after downloading the "VPN Client" from the Azure portal).
However, I keep getting "Peer certification verification failure" and I can't seem to understand why. Everything I read suggests that there is a mismatch between the server and the client; however, I must be making the same mistakes, as I have followed the instructions below to generate the root certs and the client certs:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site#cer
I've used the following OpenSSL command to convert to a PEM file:
"C:\Program Files\OpenSSL-Win64\bin\openssl" pkcs12 -in child.pfx -out child.pem -clcerts
Then I followed this for creating the OVPN file for the iOS device. (I have downloaded the OpenVPN client to my desktop machine to make it easier to test.)
https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-cert-mac
I have done this more than once, as well as having "Reset" the VPN gateway, just to try and make sure that it isn't something weird going on.
Does anyone have any ideas as to where I am going wrong?
In case anyone comes across this, there are two things that I have done to fix this issue:
I ended up entering the name of the root certificate into the Azure settings (the cn=psroot2025 part).
I had been using a Windows version of OpenVPN to test that the connections were working; by the looks of it, some versions of OpenVPN return the "Peer certification verification failure" error although this is not the case. You need to download version 2.5.4 from https://openvpn.net/community-downloads/ instead of the latest, and this seems not to have the same issue (I had originally installed version 2.5.7).
Hope that helps...
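The two artifacts the poster had to get right are the root's name and the root's public data, and the client certificate has to be signed by exactly that root. The following is an added example, not the poster's commands and not Microsoft's; the generation calls follow the Microsoft page the poster linked, the names `P2SRootCert`/`P2SChildCert` and the output folder are assumptions, and `New-SelfSignedCertificate` with these parameters needs Windows 10 / Server 2016 or later. It creates the root and a chained client certificate, proves the chain before anything is uploaded, and writes out the base64 root data and the client PKCS#12 that the OpenVPN conversion step consumes.

```powershell
# Added example (not from the posts above): create an Azure P2S root and a client
# certificate chained to it, verify the chain, and emit the two values the portal needs.
# 'P2SRootCert', 'P2SChildCert' and the output folder are assumptions.
$rootName   = 'P2SRootCert'
$clientName = 'P2SChildCert'
$outDir     = Join-Path $env:USERPROFILE 'p2s'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Self-signed root: signing key, RSA-2048/SHA-256, exportable, CertSign key usage.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate signed by that root, with the Client Authentication EKU.
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# Check before uploading anything: the client must chain to THIS root. The root is not
# in a trusted store yet, so allow an unknown CA but still require the issuer link and
# signature to verify (a partial chain still fails).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
if (-not $chain.Build($client)) {
    throw "client cert does not chain to root: $($chain.ChainStatus.Status)"
}

# Portal value 1: the NAME field is the root's CN (the 'cn=' part the poster mentions).
"Root name for the Azure portal: $rootName  (subject: $($root.Subject))"

# Portal value 2: PUBLIC certificate data = base64 DER of the root, no BEGIN/END lines.
$rootB64 = [Convert]::ToBase64String($root.Export('Cert'))
Set-Content -Path (Join-Path $outDir 'root_public.b64') -Value $rootB64 -NoNewline
"Root public data written to $outDir\root_public.b64 ($($rootB64.Length) base64 chars)"

# Client cert + private key as PKCS#12, including the root, for the openssl step.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir 'child.pfx') `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null
"Client PKCS#12 written to $outDir\child.pfx"
```

Feed `child.pfx` to the poster's `openssl pkcs12 -clcerts` command; note that without `-nodes` the resulting `child.pem` holds the certificate plus a passphrase-encrypted private key, and the OpenVPN profile needs both the certificate and the key (`-nokeys` / `-nocerts` split them if you want separate files). Re-running this script after a root expiry produces a new root, so every client certificate has to be reissued from it, which is the mismatch the thread is about.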

Error transferring files from mainframe to RedHat Linux using FTPS

I want to transfer a few files weekly from a mainframe to a Linux server running RedHat, using a batch (JCL) job and FTPS.
The Linux server is configured with vsftpd. Is it possible to send files from the mainframe to Linux using FTPS?
I am getting this error while transferring the file from the mainframe to Linux:
EZA1736I FTP
EZY2640I Using 'SYS1.TCPPARMS(FTPDATA)' for local site configuration parameters.
EZA1450I xxx FTP CS xxx
EZA1456I Connect to ?
EZA1736I host_name
EZA1554I Connecting to: host_name xxx.xxx.xxx.xxx port: 21.
220 (vsFTPd 2.0.5)
EZA1701I >>> AUTH TLS
234 Proceed with negotiation.
EZA2897I Authentication negotiation failed
EZA1534I *** Control connection with host_name dies.
EZA1457I You must first issue the 'OPEN' command
EZA1460I Command:
EZA1618I Unknown command: 'Atul'
EZA1619I For a list of the available commands, say HELP
EZA1460I Command:
EZA1736I Summer#123
EZA1618I Unknown command: 'Monsoon#123'
EZA1460I Command:
EZA1736I cd /home/Atul/
EZA1457I You must first issue the 'OPEN' command
From your log you seem to be able to set up an unsecured connection to the FTP server. That's good.
"EZA2897I Authentication negotiation failed" indicates that the TLS handshake did not complete successfully. Either the partners could not find a common TLS version and/or cipher suite, or (that's the point I'd examine first) the certificate provided by the FTPS server isn't trusted by the client user. To be sure, you would have to capture and examine a TCP or TLS trace.
As a first step I would check the certificate provided by the FTP server and compare it to the trusted certificates in your security manager. In the case of RACF you would have to examine SITE certificates and/or certificates in the user's keyring.
Yes, sending from the mainframe using FTPS to vsftpd is certainly possible. Both the client (z/OS in this case) and the server (Linux in this case) need to agree on the encryption method to be used, and I believe that by default z/OS has to trust the certificate for the server, which may involve importing the certificate bundle into a key ring that the batch job has access to. The job not having access to a keyring that trusts the chain for the server certificate would be my first guess.
I don't have experience with setting up the RACF keyring side of things, but I can say that people do successfully send us data every day from z/OS to our Linux server via FTPS.
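Both answers point at the same two unknowns: what the vsftpd side actually negotiates, and whose certificate the z/OS keyring would have to trust. The following is an added example, not from either answer and not an IBM or vsftpd tool; the host name is a placeholder. It replays the plain-text part of the job log (banner, `AUTH TLS`, `234`) from any Windows box, then performs the TLS handshake that failed on z/OS, reporting the negotiated protocol and cipher, the server certificate's subject and issuer, and the chain errors, and can save the server certificate in DER form for import into the job's keyring. One further observation on the log itself: once the control connection died, the job's remaining input lines were echoed as unknown commands, so the password now sits in the job output and should be changed.

```powershell
# Added example (not from the posts above): probe an FTPS server's explicit-TLS
# (AUTH TLS) handshake and report what the z/OS client would have to accept.
# The host name below is a placeholder.
function Read-FtpReply([System.IO.StreamReader]$Reader) {
    # FTP replies may span lines; the last line starts with "<code><space>".
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'connection closed by server' }
        Write-Host "<<< $line"
    } until ($line -match '^\d{3} ')
    return $line
}

function Test-FtpsAuthTls {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 21,
        [string]$SaveCertTo      # optional: write the server cert (DER) here for keyring import
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($HostName, $Port)
    $net    = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($net, [Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($net, [Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # Plain-text exchange, the same as the EZA1701I / 234 lines in the job log. The server
    # sends nothing further until the client starts TLS, so the reader holds no stray bytes.
    Read-FtpReply $reader | Out-Null
    Write-Host '>>> AUTH TLS'
    $writer.WriteLine('AUTH TLS')
    $reply = Read-FtpReply $reader
    if (-not $reply.StartsWith('234')) { $tcp.Close(); throw "server refused AUTH TLS: $reply" }

    # TLS handshake. Record the chain verdict instead of failing on it so we can report it.
    $script:chainErrors = 'None'; $script:serverCert = $null
    $validate = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:chainErrors = $errors
        $script:serverCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($net, $false, $validate)
    try {
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Protocol    = $ssl.SslProtocol
            Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength) $($ssl.HashAlgorithm) $($ssl.KeyExchangeAlgorithm)"
            CertSubject = $script:serverCert.Subject
            CertIssuer  = $script:serverCert.Issuer     # this issuer (or the cert itself) must be in the keyring
            NotAfter    = $script:serverCert.NotAfter
            ChainErrors = $script:chainErrors           # RemoteCertificateChainErrors = untrusted/self-signed
        }
        if ($SaveCertTo) { [IO.File]::WriteAllBytes($SaveCertTo, $script:serverCert.Export('Cert')) }
    } catch {
        # A vsftpd 2.0.5 build may only offer SSLv3/TLS 1.0 or ciphers a current client rejects.
        Write-Warning "TLS handshake failed: $($_.Exception.Message)"
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
}

Test-FtpsAuthTls -HostName 'ftps.example.internal' -SaveCertTo "$env:TEMP\ftps-server.cer"
```

If the handshake succeeds here but fails from z/OS, compare the reported protocol and cipher with what the job's FTP.DATA allows and whether `CertIssuer` is connected to the keyring named there; if it fails here too with a protocol error, the server side is offering only versions or ciphers nobody current will accept, and vsftpd has to be reconfigured first.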

Create certificate let's encrypt with iis

On Windows Server 2012, I installed IIS.
I created a site with host name host1 (the name of the Windows server) and created a folder called host1 under C:\inetpub\wwwroot, containing an HTML file.
When I navigate to http://host1/, I get the desired content of the HTML file.
Now I have to create a certificate using that thread.
I succeeded in all the steps, but got stuck on step 7:
at that step, the cmd window of (wacs.exe) closes by itself.
Could you please help me solve that issue? Big thanks.
To get the reason behind the issue you need to check the Event Viewer log.
I tried to reproduce your issue. I got the below error in Event Viewer:
A fatal error occurred while creating an SSL client credential. The internal error state is 10013.
You will find this log under Windows Logs -> System.
The reason behind the issue is that TLS 1.2 is not enabled on your machine.
To resolve the issue you could follow the below steps:
1) Open the registry editor.
2) Go to the below section:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
3) Set the below values under that section:
Client:
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
Server:
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
Note: Do not forget to restart your machine after editing the registry values.
Reference link:
A fatal error occurred while creating a TLS client credential. The internal error state is 10013
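The same fix as a script, with the verification the answer leaves to the reader. This is an added example, not the answer's own steps or part of win-acme; it applies the two SCHANNEL values for both the Client and Server sides, reads back what is stored, and pulls the most recent copies of the quoted error from the System log so you can confirm the event stops recurring after the reboot. The event ID used in the query, 36871, is the Schannel event that carries the "fatal error occurred while creating a TLS client credential ... 10013" text. Run it from an elevated prompt.

```powershell
# Added example (not from the answer above): enable TLS 1.2 in SCHANNEL for the client
# and server sides, verify the stored values, and list matching Schannel errors.
# Run elevated; a reboot is still required for SCHANNEL to pick the change up.
#Requires -RunAsAdministrator
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }

foreach ($side in 'Client', 'Server') {
    $key = Join-Path $base $side
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # -Force overwrites an existing value, so the script is safe to re-run.
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value 1 -Force | Out-Null
}

# Read back what is stored; an absent value would mean "OS default", which on 2012 is not TLS 1.2 for clients.
foreach ($side in 'Client', 'Server') {
    $p = Get-ItemProperty -Path (Join-Path $base $side)
    "TLS 1.2 $side : Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
}

# Schannel event 36871 is the "fatal error occurred while creating a TLS client credential" entry
# quoted in the answer; after the reboot a fresh wacs.exe run should not add a new one.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Take a note of the timestamp of the last 36871 event before rebooting; if wacs.exe still exits and a newer event appears afterwards, the failure is elsewhere (for example the .NET version of the ACME client not using the system defaults) and the registry change is not what is missing.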

Why am I getting SSL_read errors and Rpc_client_frag_read errors when trying to Remote Desktop

I'm trying to set up a remote desktop session for monitoring specific systems at my place of work. I only have access to a Linux machine and I need to connect via a terminal server gateway. I am using FreeRDP to do this, and I am using the following command to create the connection:
xfreerdp /d:** /u:***** /p:******* /g:******.************.*** /v:****.*********.***** /port:3389 /size:1920x1080
I have hidden all connection details per my supervisor's request; however, both he and I verified that the correct information is entered into the fields.
When I send the connection through I get the following error:
Connected to ******.************.***:443
Connected to ******.************.***:443
TS Gateway Connection Success
Got stub length 4 with flags 3 and called 7
Got stub length 4 with flags 3 and called 6
SSL_read: I/O error: connection reset by peer (104)
Rpc_client_frag_read: error reading header
Would anyone have any idea of what I might be missing? I have even tried adding
/sec:rdp
to the command, and even that produced the same error.
Try RDP from a Windows system (or have someone else try from their system, since you don't have direct access to Windows). I know it won't solve your problem, but it may give you better information. I'm in a similar situation and got the same error message. I tried Remmina instead of xfreerdp and got even less information than xfreerdp spits out.
From a Windows VM, at least I could tell when I got my domain\username and password right: it told me my account was not allowed RDP access to that server. I figure that means there are accounts that can RDP in, but mine is not among them. Along the way, though, I found that the remote was using a certificate from an untrusted authority, which was useful information in my case.
If your Linux is old or hasn't been updated, do so. Your certificate store may be out of date. But it may also be that your company's Windows domain has certificates that Linux doesn't know about. It could be a simple matter of you lacking the company-supplied cert (because they push it to all Windows machines on the domain, but your Linux machine doesn't get that "benefit").

Dreamweaver CS6 SSH private key SFTP on Amazon EC2

Is there a way to connect to an Amazon EC2 server via SFTP with SSH private key authentication only? I've been busting my head researching this but couldn't find a proper answer.
Basically, I need to edit files in Dreamweaver and enable automatic upload on save.
I have some detailed instructions for the setup:
Download Bitvise SSH Client (Tunnelier): http://www.bitvise.com/download-area
In the Login tab, press 'Use keypair manager' and import your Amazon .pem key. You should finally end up with something like this:
In the Login tab set your Amazon instance information:
Host: EC2 instance IP; Port: 22; Username: ec2-user; Initial method: publickey – slot 1
In the Services tab set up a localhost listener for FTP connections like below:
Press Login to connect to the Amazon EC2 instance. If successful, it will open the SSH and SFTP terminals. You may now close these 2 windows.
In Dreamweaver, set up a new server to connect to the Bitvise 127.0.0.1 listener. You can set the root directory of the FTP.
Now when you put files to 'Amazon Test' they will be directed to your Amazon EC2 instance, in the root directory selected above.
Adobe doesn't offer the option to use SFTP with private key authentication in Dreamweaver.
According to Adobe's web site you can use FTPS, where a certificate is used for authenticating that you're connecting to the correct server (and obviously for encryption), but there is nothing about the use of SFTP with private key authentication.
You can read all about what is available with Dreamweaver's remote server connect function here: http://helpx.adobe.com/dreamweaver/using/connect-remote-server.html
You can use PuTTY's Pageant and FileZilla, which I know is a bummer considering the cost of Adobe Dreamweaver (I have it), but it appears to be the only other secure option.
You can read about how to use the two here: http://wiki.filezilla-project.org/Howto
I see this is an old post, but I just ran into this issue. I have been using an app that has the same issue for years; my solution was to use Bitvise Tunnelier (http://www.bitvise.com/tunnelier). It allows you to connect to SSH with your key pair and it will proxy FTP to localhost on whatever port you set. So in Dreamweaver you connect to localhost at that port with regular FTP. It's secure enough for most cases because Tunnelier will not accept connections from anything but local.
The download page on their site can be a pain to find; it is here: http://www.bitvise.com/download-area . You will want "Download Bitvise SSH Client (Tunnelier)".
You may simply allow password authentication on your EC2 instance (which is disabled by default) by following these instructions:
http://bensnotepad.com/enable-password-access-to-your-amazon-ec2-linux-instance
