I have encountered a weird problem with a Windows 8 connection to an SSTP VPN server. Windows 7 clients worked well. Client authentication was done with EAP-PEAP and client (user) certificates. Client certificates were issued from an internal Windows enterprise certificate authority (AD CS) running on Windows 2012.
The error was not much help:
Error connecting to
Error 0x80420100. There was an unknown error.
Narrowing it down to a client certificate issue, I found out that the certificates contained two EKU (Enhanced/Extended Key Usage) purposes. The purpose required for PEAP is Client Authentication (OID 1.3.6.1.5.5.7.3.2), but the certificates also contained the Smart Card Logon purpose (OID 1.3.6.1.4.1.311.20.2.2).
I was able to resolve the issue by removing the Smart Card Logon purpose from the client certificate EKU. And really it works now.
What I also tried was to configure the advanced certificate selection options on the new Configure Certificate Selection dialog box. It is a new feature of the PEAP client on Windows 8 which enables more precise client certificate selection options than what was available with Windows 7 or older. Anyway, no matter what combination of options I tried to use, it didn't work for me either.
For example, what I would think should help was to enable the Extended Key Usage (EKU) section, check the Client Authentication checkbox and add the Smart Card Logon purpose to the "and the following EKUs" list. But it didn't work.
I suspect that the whole problem may be related to the fact that the Smart Card Logon purpose was stored as the first OID in the client's certificate EKU, which meant that the Client Authentication purpose was only the second one. Unfortunately, I was not able to change the order of OIDs to verify it.
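
To check which client certificates are affected, the following PowerShell lists the EKU OIDs of each certificate in the current user's personal store in the order they are stored, and flags those that carry Smart Card Logon ahead of Client Authentication. This is an added example, not part of the original post; the store path and the output property names are assumptions chosen for illustration.

```powershell
# Added example: report EKU contents and order for user certificates with a private key.
$clientAuth = '1.3.6.1.5.5.7.3.2'        # Client Authentication
$smartCard  = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        $cert = $_

        # Pick the decoded EKU extension, if the certificate has one.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $ekuExt) { return }     # no EKU extension: skip this certificate

        # OID values in the order reported by the decoded extension.
        $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

        [pscustomobject]@{
            Subject             = $cert.Subject
            Thumbprint          = $cert.Thumbprint
            NotAfter            = $cert.NotAfter
            EkuInOrder          = $oids -join ', '
            HasClientAuth       = $oids -contains $clientAuth
            HasSmartCardLogon   = $oids -contains $smartCard
            SmartCardLogonFirst = ($oids.Count -gt 0 -and $oids[0] -eq $smartCard)
        }
    } |
    Format-List
```

A certificate reported with both HasClientAuth and HasSmartCardLogon set to True matches the combination described above.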