Skip Ribbon Commands
Skip to main content

Ondrej Sevecek's English Pages


Engineering and troubleshooting by Directory Master!
MCM: Directory

Quick Launch

Ondrej Sevecek's English Pages > Posts > SSTP troubles with multiple EKU purposes in client certirtificates
April 30
SSTP troubles with multiple EKU purposes in client certirtificates

I have encountered a weird problem with Windows 8 connection to an SSTP VPN server. Windows 7 clients worked well. Client authentication was done with EAP-PEAP and client (user) certificates. Client certificates were issued from an internal Windows enterprise certificate authority (AD CS) running on Windows 2012.

The error was not too much of help:

Error connecting to
Error 0x80420100. There was an unknown error.

Narrowing it down to client certificate issue, I have found out, that the certificates contained two EKU purposes (Enhanced/Extended Key Usage). The purpose which is required for PEAP is Client Authentication (OID But the certificates also contained Smart Card Logon purpose (OID as well.

I was able to resolve the issue by removing the Smart Card Logon purpose from the client certificate EKU. And really it works now.

What I also tried was to configure the advanced certificate selection options on the new Configure Certificate Selection dialog box. It is a new feature of the PEAP client on Windows 8 which enables more precise client certificate selection options than what was available with Windows 7 or older. Anyway, no matter what combination of options I tried to use, it didn't work for me either.

For example, what I would think should help, was to enable the Extended Key Usage (EKU) section, check the Client Authentication checkbox and add the Smart Card Logon purpose into the and the following EKUs. But it didn't work.

I suspect that the whole problem may be related to the fact, that the Smart Card Logon purpose was stored as the first OID in the client's certificate EKU. Which meant that the Client Authentication purpose was only the second one. Unfortunatelly, I was not able to change the order of OIDs to verify it.


Re: SSTP troubles with multiple EKU purposes in client certirtificates

You can enable tracing for the PEAP method and check what error it is reporting internally.

Run the following commands from an elevated command prompt

netsh ras set tr * en
<try connecting VPN>
netsh ras set tr * dis

It will create log files in C:\windows\tracing.

Have a look at those files for exact reason or share those files here.
 on 11/07/2013 14:24

Add Comment

Sorry comments are disable due to the constant load of spam *

This simple antispam field seems to work well. Just put here the number.


You do not need to provide any value this column. It will automatically fill with the name of the article itself.

Author *

Body *