Routing and Remote Access Blog

VPN articles - straight from Windows development team

How to deploy SSTP based VPN server and IIS on the same machine


This post describes how SSTP can be broken by configuring an IIS HTTPS site on the same server, and how to recover from the problem without moving IIS to a different machine.

First, let's look at what kind of issue can arise when IIS is configured alongside SSTP on the same server.

Let's say that SSTP is configured on the server using a Server Authentication Certificate (SAC). The IP:port bindings will look like this:

G:\Users\Administrator>netsh http show ssl

SSL Certificate bindings:
-------------------------

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 3f399643ac981dd68726e4d99f90f7c5a349498a
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

    IP:port                 : [::]:443
    Certificate Hash        : 3f399643ac981dd68726e4d99f90f7c5a349498a
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled
----------------------------------------------

SSTP connections from clients to this server work fine.

Now the admin decides to publish an HTTPS site in IIS on the same machine, using the same certificate (SAC) that SSTP uses.

IIS7 lets you pick a certificate for the HTTPS site in its UI. However, this binds the certificate only to the IPv4 listener, 0.0.0.0:443, and not to the IPv6 listener, [::]:443. For the HTTPS site this works for both IPv4 and IPv6 access, because IIS also uses the certificate bound to 0.0.0.0:443 when the site is reached over an IPv6 address.

SSTP, however, requires that the same certificate be bound to both listeners.

So, given the above, the admin selects SAC for the site, and IIS attempts a fresh binding of SAC to 0.0.0.0:443. Since SSTP has already bound that same certificate there, the existing bindings on 0.0.0.0:443 and [::]:443 are left undisturbed.

HTTPS access to the site over IPv4 or IPv6, and SSTP connections, all work.

So far, everything is fine.

Now the admin decides to remove the published HTTPS site, or to bind it to a different certificate. IIS then removes the SAC binding from 0.0.0.0:443, because it assumes it is the only application using that binding. The IP:port bindings now look like this:

G:\Users\Administrator>netsh http show ssl

SSL Certificate bindings:
-------------------------

    IP:port                 : [::]:443
    Certificate Hash        : 3f399643ac981dd68726e4d99f90f7c5a349498a
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled
----------------------------------------------

As you can see above, the certificate binding to 0.0.0.0:443 is gone. If the admin now tries to make an SSTP connection from a client using the server's IPv4 address, it will FAIL: in the SSL phase the server finds no certificate bound to IPv4:443 (that is, 0.0.0.0:443), so the handshake fails.

Solution for this problem:-

----------------------------------------------

If both SSTP and IIS are configured on the same server with the same certificate and the HTTPS site needs to be removed, the admin should follow this procedure:

Step 1) Remove the HTTPS site from IIS.

Step 2) Depending on how many certificates are in the store:

Case 1: the server has only one Server Authentication or All Purpose certificate in the store:

netsh http delete ssl 0.0.0.0:443
netsh http delete ssl [::]:443
reg delete HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v SHA256CertificateHash /f
net stop sstpsvc /y
net start remoteaccess

Case 2: the server has more than one Server Authentication or All Purpose certificate in the store:

netsh http delete ssl 0.0.0.0:443
netsh http delete ssl [::]:443
reg delete HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v SHA256CertificateHash /f
netsh http add sslcert ipport=0.0.0.0:443 certhash=<SAC2 Cert Thumbprint> appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
netsh http add sslcert ipport=[::]:443 certhash=<SAC2 Cert Thumbprint> appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
net stop sstpsvc /y
net start remoteaccess

<SAC2 Cert Thumbprint>: this value is in the certificate itself. To get it, open the certificate by double-clicking it in the store and go to the "Details" tab. It lists a number of "Field" / "Value" pairs; go to the last one. You will find something like this:

Thumbprint                      f8 3e 90 44 82 02 69 e6 98 07 2e 19 88 0d 30 84 06 89 a1 f9

Copy this value and remove the spaces in between. It then looks like this:

f83e9044820269e698072e19880d30840689a1f9

Use this value in place of <SAC2 Cert Thumbprint>, as below:

netsh http delete ssl 0.0.0.0:443
netsh http delete ssl [::]:443
reg delete HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v SHA256CertificateHash /f
netsh http add sslcert ipport=0.0.0.0:443 certhash=f83e9044820269e698072e19880d30840689a1f9 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
netsh http add sslcert ipport=[::]:443 certhash=f83e9044820269e698072e19880d30840689a1f9 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
net stop sstpsvc /y
net start remoteaccess

 

After executing the commands above, the IP:port bindings are back to what they were:

G:\Users\Administrator>netsh http show ssl

SSL Certificate bindings:
-------------------------

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 3f399643ac981dd68726e4d99f90f7c5a349498a
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

    IP:port                 : [::]:443
    Certificate Hash        : 3f399643ac981dd68726e4d99f90f7c5a349498a
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled
----------------------------------------------

Now, the SSTP based connections will go fine.
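As an added example that is not part of the original post, here is a small offline check for the situation described above. It parses captured `netsh http show sslcert` output and reports whether the two listeners SSTP needs, 0.0.0.0:443 and [::]:443, are both bound to the same certificate under the SSTP application id; it also normalizes a thumbprint copied from the certificate's "Details" tab into the form netsh wants, and produces the Case 2 rebinding sequence from this post with that thumbprint filled in. The application id, registry value name and certificate hash are the ones shown in the post; the embedded sample output is constructed from the broken state above, and the script name, function names and the U+200E stripping are my own additions.

```python
"""Offline check for the SSTP / IIS certificate-binding problem described above.

SSTP needs the same server certificate bound to BOTH 0.0.0.0:443 and [::]:443
under the SSTP application id. When IIS removes its HTTPS site it can drop the
0.0.0.0:443 binding, so IPv4 SSTP connections fail in the SSL phase.
"""
import re
import sys

# Application id and registry key from the post; the two listeners SSTP needs.
SSTP_APPID = "{ba195980-cd49-458b-9e23-c84ee0adcd75}"
SSTP_REG_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters"
LISTENERS = ("0.0.0.0:443", "[::]:443")

# "<field>   : <value>" lines as printed by netsh http show sslcert
_FIELD_RE = re.compile(r"^\s*(.+?)\s+:\s+(.*?)\s*$")


def parse_sslcert(output):
    """Parse `netsh http show sslcert` text into {ip:port -> {field -> value}}."""
    bindings = {}
    current = None
    for line in output.splitlines():
        m = _FIELD_RE.match(line)
        if not m:
            continue  # banner, rulers, the prompt line
        field, value = m.groups()
        if field == "IP:port":
            current = {}
            bindings[value] = current
        elif current is not None:
            current[field] = value
    return bindings


def check_sstp_bindings(bindings):
    """Return a list of problems; an empty list means SSTP's bindings are consistent."""
    problems = []
    hashes = set()
    for ipport in LISTENERS:
        b = bindings.get(ipport)
        if b is None:
            problems.append("no certificate bound to %s" % ipport)
            continue
        appid = b.get("Application ID", "").lower()
        if appid != SSTP_APPID:
            problems.append("%s is bound under application id %s, not the SSTP one"
                            % (ipport, appid or "(none)"))
        hashes.add(b.get("Certificate Hash", "").lower())
    if len(hashes) > 1:
        problems.append("IPv4 and IPv6 listeners use different certificates: "
                        + ", ".join(sorted(hashes)))
    return problems


def normalize_thumbprint(raw):
    """Turn a thumbprint copied from the certificate UI ("f8 3e 90 ...") into the
    form netsh wants: 40 hex digits, no spaces. Also strips U+200E, the invisible
    left-to-right mark the Windows certificate dialog can prepend when copying."""
    t = re.sub(r"[\s:\u200e]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", t):
        raise ValueError("not a SHA-1 certificate thumbprint: %r" % raw)
    return t


def repair_commands(thumbprint):
    """The Case 2 rebinding sequence from the post, with the thumbprint filled in."""
    t = normalize_thumbprint(thumbprint)
    cmds = [
        "netsh http delete ssl 0.0.0.0:443",
        "netsh http delete ssl [::]:443",
        "reg delete %s /v SHA256CertificateHash /f" % SSTP_REG_KEY,
    ]
    for ipport in LISTENERS:
        cmds.append("netsh http add sslcert ipport=%s certhash=%s appid=%s certstorename=MY"
                    % (ipport, t, SSTP_APPID))
    cmds += ["net stop sstpsvc /y", "net start remoteaccess"]
    return cmds


# Constructed sample: the broken state from the post (only the IPv6 listener is left).
BROKEN_OUTPUT = """
SSL Certificate bindings:
-------------------------

    IP:port                 : [::]:443
    Certificate Hash        : 3f399643ac981dd68726e4d99f90f7c5a349498a
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
----------------------------------------------
"""

if __name__ == "__main__":
    # Pipe real output in:  netsh http show sslcert | python sstp_bindings.py
    text = sys.stdin.read() if not sys.stdin.isatty() else BROKEN_OUTPUT
    problems = check_sstp_bindings(parse_sslcert(text))
    if not problems:
        print("SSTP bindings look consistent")
    else:
        for p in problems:
            print("PROBLEM:", p)
        print("\nRebind with (substitute your own server certificate's thumbprint):")
        for c in repair_commands("f8 3e 90 44 82 02 69 e6 98 07 2e 19 88 0d 30 84 06 89 a1 f9"):
            print("  " + c)
```

Run without input and it reports the constructed broken state; pipe the real `netsh http show sslcert` output into it to check a live server. The check deliberately requires both listeners to carry the same hash under the SSTP application id, which is exactly the condition that IIS's removal of the IPv4 binding violates.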

 

Thanks,

Amit Kumar

Software Design Engineer/Test,

Enterprise Networking Group, Microsoft.
