NPS server renewed machine certificate, broke AlwaysOn VPN Clients. Client can no longer validate Server.

Trent Davenport 96 Reputation points
2020-10-09T21:23:12.757+00:00

A while back, I set up Always-On VPN, and it has been working amazingly, up until October 7th, when the NPS server renewed its machine certificate. Because the Windows 10 VPN clients are set up to verify the server, the new ID it is presenting is different, so the clients fail to connect as they don't recognize the server.

If on the client I pick “Tell user if the server’s identity can’t be verified”, instead of “Don’t ask user to authorise new servers or trusted CAs” it does pop up a message that it can’t verify the server, and asks if you want to continue, and if you agree, it will connect. Not really the intent of a seamless connection.

I can just turn off “Verify the server’s identity by validating the certificate”, but again, not really the most logical choice.

Looking for assistance on how I get my clients to again recognize the NPS server with its renewed machine certificate.

My VPN server and my NPS server are different machines.


Accepted answer
  1. Trent Davenport 96 Reputation points
    2020-10-14T19:56:21.55+00:00

    Well, with further investigation, that wasn't the fix. It seems to have fixed itself. Our NPS server did reboot, and as of this morning, I was getting reports that everything is fine again. Frustrating, but I'm just happy it's working again.


3 additional answers

  1. Sunny Qi 10,896 Reputation points Microsoft Vendor
    2020-10-13T05:43:07.31+00:00

    Hi,

    Thanks for posting in Q&A platform.

    I noticed that you mentioned that "Because the Windows 10 VPN clients are set up to verify the server"

    Could you please help to provide more details about how you set up the Windows 10 VPN clients to verify the servers, so that we can reproduce the issue in our lab for further troubleshooting?

    Thanks for your understanding.

    Best Regards,
    Sunny


  2. Trent Davenport 96 Reputation points
    2020-10-13T14:51:35.467+00:00

    When I initially set the VPN up in 2018, I followed this process
    https://michaelfirsov.wordpress.com/testing-ikev2-vpn-with-peap-authentication-in-windows-server-2016-part1/

    It was working fine until the NPS server certificate auto-renewed on October 7th. After which, the VPN client will no longer recognize the server. I then had to provide the attached work-around to my VPN client users in order for them to be able to reconnect (with the error).

    Attachment: 32062-vpn-connectivity-temporary-work-around.pdf

  3. Trent Davenport 96 Reputation points
    2020-10-14T16:15:16.503+00:00

    I think I discovered what happened.

    When I created the initial machine certificate it was SHA1; when it renewed, it renewed as SHA512, and our VPN client is using the thumbprint of our CA SHA1 certificate. If I update the VPN to the SHA512 CA thumbprint, it works again.

    I just need to figure out now, how to update that thumbprint stored in the VPN connection on all my clients.

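The question and the third answer both come down to the same setting: a PEAP-authenticated Always On VPN connection pins, in its EAP configuration, the thumbprint of the root CA that may sign the NPS server certificate, and the clients reject the server when the chain presented no longer ends in that pinned root. The following PowerShell is an added example written for this thread (not code from the posts, from the linked guide, or from Microsoft): it reads the pinned thumbprints out of a connection's EAP configuration, checks them against the local machine Root store so a stale pin shows up before users hit the prompt, and can swap one pinned thumbprint for another. The connection name, the all-user assumption and the thumbprints in the usage lines are hypothetical; `Get-VpnConnection` and `Set-VpnConnection` are the built-in VpnClient cmdlets.

```powershell
<#
Added example for this thread (not from the original posts or from Microsoft).
Assumptions (hypothetical): connection 'Corp-AlwaysOn-VPN', created as an all-user
connection, with PEAP or EAP-TLS settings stored in EapConfigXmlStream (the same
<ServerValidation> XML that ProfileXML carries).
#>

# Returns every thumbprint pinned under <ServerValidation>/<TrustedRootCA>, normalised to
# upper-case hex without spaces (the XML stores them as "ab cd ef ..."). local-name()
# sidesteps the MsPeap/EapTls namespaces so one query serves both EAP types.
function Get-PinnedRootCAThumbprint {
    param(
        [Parameter(Mandatory)][string]$ConnectionName,
        [switch]$AllUserConnection
    )
    $vpn = Get-VpnConnection -Name $ConnectionName -AllUserConnection:$AllUserConnection -ErrorAction Stop
    $eap = $vpn.EapConfigXmlStream
    if (-not $eap) { throw "Connection '$ConnectionName' has no EAP configuration (not PEAP/EAP-TLS?)." }
    $nodes = $eap.SelectNodes("//*[local-name()='ServerValidation']/*[local-name()='TrustedRootCA']")
    foreach ($n in $nodes) { ($n.InnerText -replace '\s', '').ToUpperInvariant() }
}

# Reports each pinned thumbprint and whether a matching root is present in the machine
# Root store. A pin with no matching root is exactly the "can't verify the server" case.
function Test-PinnedRootCA {
    param(
        [Parameter(Mandatory)][string]$ConnectionName,
        [switch]$AllUserConnection
    )
    $pinned = @(Get-PinnedRootCAThumbprint -ConnectionName $ConnectionName -AllUserConnection:$AllUserConnection)
    if ($pinned.Count -eq 0) {
        Write-Warning "No TrustedRootCA is pinned; the client will accept any root in its trust store."
        return
    }
    $roots = Get-ChildItem Cert:\LocalMachine\Root
    foreach ($tp in $pinned) {
        $match = $roots | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        [pscustomobject]@{
            Thumbprint  = $tp
            InRootStore = [bool]$match
            Subject     = $(if ($match) { $match.Subject } else { '(not in Root store: server validation will fail)' })
            NotAfter    = $(if ($match) { $match.NotAfter } else { $null })
        }
    }
}

# Replaces one pinned thumbprint with another and writes the EAP configuration back.
# Refuses to pin a thumbprint that is not already a trusted root on this machine.
function Update-PinnedRootCA {
    param(
        [Parameter(Mandatory)][string]$ConnectionName,
        [Parameter(Mandatory)][string]$OldThumbprint,
        [Parameter(Mandatory)][string]$NewThumbprint,
        [switch]$AllUserConnection
    )
    $old = ($OldThumbprint -replace '\s', '').ToUpperInvariant()
    $new = ($NewThumbprint -replace '\s', '').ToUpperInvariant()
    if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $new)) {
        throw "Thumbprint $new is not in Cert:\LocalMachine\Root; deploy the CA certificate first."
    }
    $vpn = Get-VpnConnection -Name $ConnectionName -AllUserConnection:$AllUserConnection -ErrorAction Stop
    $eap = $vpn.EapConfigXmlStream
    if (-not $eap) { throw "Connection '$ConnectionName' has no EAP configuration." }
    $changed = 0
    foreach ($n in $eap.SelectNodes("//*[local-name()='TrustedRootCA']")) {
        if ((($n.InnerText -replace '\s', '').ToUpperInvariant()) -eq $old) {
            # Write it back in the format Windows uses: lower-case hex bytes separated by spaces.
            $n.InnerText = [regex]::Replace($new.ToLowerInvariant(), '..(?!$)', '$0 ')
            $changed++
        }
    }
    if ($changed -eq 0) { throw "Old thumbprint $old not found in connection '$ConnectionName'." }
    Set-VpnConnection -Name $ConnectionName -EapConfigXmlStream $eap -AllUserConnection:$AllUserConnection
    return $changed
}

# Usage (hypothetical names and thumbprints):
# Test-PinnedRootCA -ConnectionName 'Corp-AlwaysOn-VPN' -AllUserConnection
# Update-PinnedRootCA -ConnectionName 'Corp-AlwaysOn-VPN' -AllUserConnection `
#     -OldThumbprint '<old CA thumbprint>' -NewThumbprint '<new CA thumbprint>'
```

The check is worth running on a reference client before a CA or NPS certificate change rather than after: a pin that no longer matches any root in `Cert:\LocalMachine\Root` is the condition that produces the "can't verify the server's identity" prompt. For a fleet of clients, the `<ServerValidation>` block this script edits is the same XML carried inside the `<Eap><Configuration>` element of an Always On VPN ProfileXML, so the scalable fix is to push an updated profile through whatever deployment channel created the connection, instead of patching each machine by hand.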