I have some issues with SSTP server right now. I want to connect to the SSTP server with the Windows 7 and Windows Server 2008R2 built-in client. I have a certificate installed on the router, it’s decrypted (shows KR before the cert) and the SSTP server is using that certificate. The problem is, if I want to connect to the server, Windows fails to connect with 0x800B0109 (A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider). However, I have already imported the root CA to the trusted certificates. If I check the “Require client certificate” in the SSTP server section, I get another error code: 0x80070320 (The oplock that was associated with this handle is now associated with a different handle).
In the router’s log I see:
09:51:45 sstp,info <sstp-0>: waiting for call...
09:51:45 sstp,info <sstp-0>: terminating... - port error
09:51:45 sstp,info <sstp-0>: disconnected
If I enable SSTP logging I see:
09:54:17 sstp,info <sstp-0>: waiting for call...
09:54:17 sstp,info <sstp-0>: terminating... - port error
09:54:18 sstp,debug <sstp-0>: LCP lowerdown
09:54:18 sstp,debug <sstp-0>: LCP down event in initial state
09:54:18 sstp,info <sstp-0>: disconnected
I’m doing the same setup with 5.0b6 and have encountered the exact same problem:
with verify off, certificate chain processed …
with verify on, the oplock error
I’m using certs generated by cacert.org and the cert has the KR flag.
Even though this is an old thread, I am having the exact same problem and the same 0x80070320 error when attempting to connect to my SSTP server, which is an RB1200 with os 5.5, from a Windows 7 client.
I have a cert from RapidSSL, and when I do a /certificate print of cert1 (my cert that was created) it shows status KR, which should be correct.
I have logging of SSTP turned on and all I see is:
: waiting for call
: terminating… - handshake failed
: LCP lowerdown
: LCP down event in initial state
No decent info as to what's going on.
One question that I have: does the public key have to be installed on the Windows 7 client? Looking at some Microsoft docs it seems to indicate it does, but that might be for a self-signed cert, which we do not have.
UPDATE!!!
I just came across a post that said to turn off the verify client cert checkbox in SSTP server and now I’m connecting!!
Hi Webguyz, could you please post more detail here about how you imported your certificate to WIN7? I have already imported the certificate to WIN7 and the Routerboard certificate status is KR. But it seems to show me error#0x800B0109. If I enable “verify client cert”, it shows error#0x80070320. My Routerboard has a public IP but does not have a domain name. I created the certificate with common.name=202.XXX.XXX.2. I tried to find a solution on the Microsoft and MT forums for 2 days.
Untrusted root error means that the CA is not in the Windows trusted list. If it was imported correctly and the specified address does not match the server's address, then unset verify-server-address-from-certificate.
I'm sorry that I ask a purely Microsoft-related question. I understand I can't import the certificate correctly to Windows 7. But please tell me how to import the certificate correctly. I have 2 files. One is .crt, the other one is .key. But Microsoft is able to import only one file and without a passphrase.
I had the same problem as you.
The solution for me was to import the self-signed certificate to the Local Computer certification store:
Open MMC. Add the Local Computer certificates snap-in (Click on File → Add/Remove snap-in → Select ‘Certificates’ from the list of Available snap-ins → Click on Add → Select ‘Computer account’ → Click on Next → Ensure ‘Local computer’ is selected → Click on Finish → OK).
Import the certificate to ‘Trusted Root Certificate Authorities.’
After that, SSTP VPN started working on Win 7 client.
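
The store check behind the fix in the last post, as an added PowerShell example that is not part of the original thread: it reports whether a CA file is present in the Current User and Local Computer root stores and, with -Install, adds it to the Local Computer store. The script name and the CA file path are hypothetical, and the install step assumes an elevated prompt.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
# Usage (script name and path are hypothetical):
#   .\Check-SstpRoot.ps1 -CaPath C:\temp\ca.crt [-Install]
param(
    [Parameter(Mandatory = $true)][string]$CaPath,
    [switch]$Install
)

# .NET does not follow the PowerShell location, so resolve to a full path.
$full = (Resolve-Path $CaPath).ProviderPath
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

# Returns $true when the certificate's thumbprint is in the Root store
# of the given location ('CurrentUser' or 'LocalMachine').
function Test-InRootStore([string]$Location) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $store.Open('ReadOnly')
    try {
        $hits = $store.Certificates.Find('FindByThumbprint', $ca.Thumbprint, $false)
        return ($hits.Count -gt 0)
    } finally {
        $store.Close()
    }
}

$inUser    = Test-InRootStore 'CurrentUser'
$inMachine = Test-InRootStore 'LocalMachine'

"Subject      : {0}" -f $ca.Subject
"Issuer       : {0}" -f $ca.Issuer
"Self-issued  : {0}" -f ($ca.Subject -eq $ca.Issuer)
"Thumbprint   : {0}" -f $ca.Thumbprint
"CurrentUser  : {0}" -f $inUser
"LocalMachine : {0}" -f $inMachine

if ($inUser -and -not $inMachine) {
    "The CA is only in the Current User store, the case the last post fixed."
}

if ($Install -and -not $inMachine) {
    # Writing to the Local Computer store requires administrator rights.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($ca) } finally { $store.Close() }
    "Added to LocalMachine\Root: {0}" -f (Test-InRootStore 'LocalMachine')
}
```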