RRAS: The subject name of the certificate to be used for IKEv2 or SSTP must match the name of the RRAS server or the IP address of the external interface of the RRAS server

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Storage Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Network Policy and Access Service (NPAS) Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012, Windows Server 2008 R2

Product/Feature

Routing and Remote Access Service (RRAS)

Severity

Warning

Category

Configuration

Issue

The subject name of one or more certificates that can be used for IKEv2 or SSTP does not match the name of the RRAS server or the IP address of one of the interfaces of the RRAS server.

Impact

If the subject name of a certificate does not match the name or IP address of an interface on the RRAS server, then clients cannot connect to the RRAS server while the server uses that certificate.

The purpose of having the client authenticate the server is to ensure that a rogue or malicious server is not masquerading as the server to which the client wants to connect. If the computer name or IP address of the VPN server does not match that in the subject name in the certificate, then authentication fails, and the client refuses to connect to the server.

The warning does not mean that the certificate currently used for IKEv2 or SSTP lacks a matching subject name; it means that one or more certificates on the server that could be used for IKEv2 or SSTP do not match. As long as the one certificate that the RRAS server actually uses for IKEv2 or SSTP has a matching subject name, you can ignore this message.

Resolution

Issue a certificate with a subject name that reflects the IP address or name of the RRAS server.

Note

Ignore this warning if your RRAS server is behind a NAT router. In that case the certificate should contain the address or name of the external interface of the NAT router, because that is what clients connect to.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To check the subject name on a certificate in the local computer store

  1. Start the Microsoft Management Console. Click Start, type MMC, and then press ENTER.

  2. Click File and then click Add/Remove Snap-in.

  3. In the Available snap-ins list, select Certificates and then click Add.

  4. Select Computer account, and then click Next.

  5. Select Local computer, click Finish, and then click OK.

  6. Expand Certificates (Local Computer), expand Personal, and then click Certificates.

  7. Double-click a certificate to see the details.

  8. On the Details tab, select Subject Alternative Name to see the name or IP address of the VPN server that is authenticated by this certificate. If that field is not present, then examine the Subject Name field.

  9. Click OK to close the dialog box.
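The following PowerShell script is an added example and is not part of this topic or of the RRAS product. It performs the same check as the procedure above without the MMC user interface: it enumerates the certificates in the local computer's Personal store that carry the Server Authentication usage (the usage IKEv2 and SSTP require), reads the Subject Alternative Name extension and falls back to the Subject common name when that extension is absent, and reports whether any of those names match this computer's host name, its IPv4 addresses, or the names supplied in `$ExpectedNames`. The `$ExpectedNames` parameter and its value `vpn.example.com` are placeholders; supply the external name or address clients dial, which, for a server behind a NAT router, is the NAT router's external address rather than a local interface.

```powershell
# Added example (not from the BPA topic): report which machine certificates usable for
# IKEv2/SSTP server authentication name this RRAS server, and which do not.
# Assumptions: run in an elevated PowerShell session on the RRAS server; the names clients
# actually dial are passed in $ExpectedNames (placeholder value below).
param(
    [string[]] $ExpectedNames = @('vpn.example.com')   # hypothetical; replace with your public VPN name/IP
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, required for IKEv2 and SSTP
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

# Names and addresses this machine can legitimately claim, plus the externally dialed names.
$hostName   = [System.Net.Dns]::GetHostName()
$fqdn       = [System.Net.Dns]::GetHostEntry($hostName).HostName
$ipv4       = [System.Net.Dns]::GetHostAddresses($hostName) |
                  Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                  ForEach-Object { $_.IPAddressToString }
$localNames = @($hostName, $fqdn) + @($ipv4) + @($ExpectedNames) |
                  Where-Object { $_ } | Select-Object -Unique

function Get-CertificateNames {
    # Mirror the procedure: prefer the SAN extension; fall back to the Subject CN.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) {
        # Multi-line format yields entries such as "DNS Name=vpn.example.com" and
        # "IP Address=203.0.113.10"; keep only the value after the first '='.
        return ($san.Format($true) -split "`r?`n") |
            ForEach-Object { ($_ -split '=', 2)[1] } |
            Where-Object { $_ } |
            ForEach-Object { $_.Trim() }
    }
    # SimpleName is the Subject CN when no SAN is present.
    return ,$Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        # A server certificate needs a private key and the Server Authentication usage.
        $eku = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $_.HasPrivateKey -and $eku -and
            (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ServerAuthOid)
    } |
    ForEach-Object {
        $names   = @(Get-CertificateNames -Cert $_)
        $matched = @($names | Where-Object { $localNames -contains $_ })   # -contains is case-insensitive
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Names      = ($names -join ', ')
            Matches    = if ($matched.Count -gt 0) { 'yes: ' + ($matched -join ', ') }
                         else { 'NO (BPA warning candidate)' }
        }
    } | Format-Table -AutoSize
```

Rows marked `NO` are the certificates the Best Practices Analyzer is warning about. Compare their thumbprints with the certificate actually selected for SSTP or IKEv2 in the RRAS server properties: if the selected certificate shows a match, the warning can be ignored as the Impact section explains; if it does not, issue a certificate whose SAN carries the name or address clients use.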

Additional references

For more information about SSTP deployment, see SSTP Remote Access Step-by-Step Guide: Deployment (https://go.microsoft.com/fwlink/?linkid=142711).

For more information about IKEv2 deployment, see Step-by-Step Guide: Deploy Remote Access with VPN Reconnect in a Test Lab (https://go.microsoft.com/fwlink/?linkid=143464).

For more about creating certificates by using the Active Directory Certificate Services server role, see Active Directory Certificate Services (https://go.microsoft.com/fwlink/?linkid=136444) in the Windows Server Technical Library.

For more about the Routing and Remote Access role service, see Routing and Remote Access (https://go.microsoft.com/fwlink/?linkid=153482) on TechNet, and Routing and Remote Access Service in the Windows Server Technical Library.