Azure VPN error: A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)
When you try to connect to an Azure virtual network by using the VPN client, except for exporting the root certificate public key .cer file to Azure, each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate and then export and install the client certificate. If the client certificate is not installed, authentication fails.
This problem occurs if the client certificate is missing from Certificates - Current User\Personal\Certificates.
You could follow this solution to fix this issue. For more information about how to install the client certificate, see Generate and export certificates for point-to-site connections.
In case anyone runs into this issue at some stage, I had installed a new root cert that worked for 2 out of 3 VPN gateways fine. The third kept giving a 798 error even though the certs were correct and in the right place.
To fix the Error 798, I did the following:
- reset the gateway in Azure Portal. (support & troubleshooting on VPN gateway blade)
- remove the VPN configuration from my PC (Win10)
- reboot PC (just to be safe)
- download and reinstall the VPN client from the Azure Portal again (from Point-to-site configuration on Azure VPN gateway in question)
- Once done, I could then connect without any issues. Tested on several different users.
My guess is that if you are adding / removing the Root certs it might need you to reinstall the VPN client on your computer after the gateway has the new root cert configuration.
Hope that helps.
In addition to the answer by Nancy Xiong:
If you are still having problems with this error you can try the following:
- Run certmgr.msc
- Go to Personal -> Certificates
- Right-click your certificate, then All Tasks -> Export
- Choose Yes: Export private key
- Accept default options until you reach a step where you must enter a password
- Enter a password, and continue until you have exported your certificate
- Repeat this process if you have more than one certificate
- Locate your certificates in the Windows file explorer
- Right-click -> Install
- Select Current User for the Store Location
- Accept default options, and enter the certificate password when prompted
- When asked which Certificate Store to place the certificate in, select Place all certificates in the following store
- Click 'Browse' and select your Personal store
This should now work.
In rare circumstances you may find that this solution will only work for a short time (usually failing the next time you reboot). In this case you may need to follow these additional steps:
- Boot your computer into BIOS Configuration
- Disable any settings for Intel VTX and Intel VTD
- Restart your computer
- Retry the steps above
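
The answers above all come down to whether a client certificate with its private key is present in Current User\Personal. The following PowerShell check is an added example, not part of any of the original answers: it lists that store and flags why each certificate might not be usable. The function name `Get-ClientCertCandidates`, the `-IssuerLike` filter, and the usability criteria (private key present, within its validity period, EKU absent or including Client Authentication) are assumptions made for this example.

```powershell
# Added example: audit Cert:\CurrentUser\My (Current User\Personal\Certificates)
# for a certificate the VPN client could present.
function Get-ClientCertCandidates {
    param(
        # Hypothetical filter: pass the subject of your own root certificate,
        # e.g. 'CN=<your-root-cert-name>'. The default matches any issuer.
        [string]$IssuerLike = '*'
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $now = Get-Date

    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        # A certificate with no EKU extension is valid for all purposes.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($now -lt $cert.NotBefore) { $problems += 'not yet valid' }
        if ($now -gt $cert.NotAfter)  { $problems += 'expired' }
        if ($ekuExt -and ($ekuOids -notcontains $clientAuthOid)) {
            $problems += 'no Client Authentication EKU'
        }
        if ($cert.Issuer -notlike $IssuerLike) { $problems += 'issuer does not match filter' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

$result = @(Get-ClientCertCandidates)
if (-not ($result | Where-Object Usable)) {
    Write-Warning 'No usable client certificate in Cert:\CurrentUser\My (consistent with Error 798).'
}
$result | Format-Table -AutoSize -Wrap
```

Run it in the session of the user who starts the VPN connection, since the store is per-user. A certificate imported into the Local Machine store, or imported from a .cer file without its private key, will not appear as usable here.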