Azure Point-to-Site VPN Error 812

Aug 16th, 2018

Came across this error message when attempting to establish a P2S VPN connection from a Windows Server 2012 R2 client to Azure.

The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error. (Error 812)

Most sites will tell you it is certificate-related, but most of the answers I found googling didn't resolve my issue. The fix was enabling TLS 1.2 on the client, because starting July 1, 2018, support for TLS 1.0 and 1.1 is being removed from Azure VPN Gateway. VPN Gateway will support only TLS 1.2.

Here is my solution:

  1. Back up your registry.
  2. Open a command prompt as Administrator and run the following (the first value enables TLS 1.2 for the EAP client used by the VPN connection; the WinHttp values enable TLS 1.1/1.2 for WinHTTP, and the third line covers the 32-bit view on 64-bit Windows):
     reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xfc0
     reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
     if %PROCESSOR_ARCHITECTURE% EQU AMD64 reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
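A read-only check you can run before and after the registry change, added here as an example rather than taken from the original post: it reads the same three values and decodes the bitmasks (0xC0/0x300/0xC00 for TLS 1.0/1.1/1.2 in the EAP TlsVersion value; 0x20/0x80/0x200/0x800 for SSL 3.0/TLS 1.0/1.1/1.2 in DefaultSecureProtocols) so you can confirm TLS 1.2 is actually enabled on the client.

```powershell
# Added example, not code from the original post. Reads the registry values the fix sets
# and reports which protocol versions each bitmask enables. Nothing is modified.
$eapBits     = @{ 'TLS 1.0' = 0xC0; 'TLS 1.1' = 0x300; 'TLS 1.2' = 0xC00 }
$winHttpBits = @{ 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }

$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'; Name = 'TlsVersion'; Bits = $eapBits }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols'; Bits = $winHttpBits }
)
if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {
    # 64-bit Windows also carries a 32-bit (Wow6432Node) view of the WinHttp key.
    $checks += @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols'; Bits = $winHttpBits }
}

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit value: the operating system default applies.
        Write-Output ("{0}\{1}: not set (OS default applies)" -f $c.Path, $c.Name)
        continue
    }
    $value   = [int]$item.($c.Name)
    # A version counts as enabled only when every bit of its mask is set.
    $enabled = @($c.Bits.Keys | Where-Object { ($value -band $c.Bits[$_]) -eq $c.Bits[$_] } | Sort-Object)
    $verdict = if ($enabled -contains 'TLS 1.2') { 'OK' } else { 'MISSING TLS 1.2' }
    Write-Output ("{0}\{1}: 0x{2:X} -> {3} [{4}]" -f $c.Path, $c.Name, $value, ($enabled -join ', '), $verdict)
}
```

Run it from an elevated PowerShell so the HKLM paths are readable; a value that shows MISSING TLS 1.2 after the fix means the reg add did not land where the VPN client reads it.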

ADFS 3.0 IWA Browser Clients Support for Firefox and Safari

Mar 27th, 2014

With Windows Server 2012 R2, the ADFS 3.0 architecture has some changes, such as no IIS requirement. With no IIS, most changes have to be made through PowerShell and JavaScript modifications.

Currently, and by design, Integrated Windows Authentication (IWA) is not supported for most browsers, such as Chrome, Firefox, and Safari (by default only IE is supported). Because of this, users on any unsupported browser client will always be presented with the ADFS logon form for user name and password when signing on, even when they are on the internal network.

Here are the steps to add your browser client of choice for IWA. The ADFS properties WIASupportedUserAgents and ExtendedProtectionTokenCheck will be modified. Read more…
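An added example of the property change described above (my own code, not the post's): it appends a user-agent match string to WIASupportedUserAgents without dropping the existing entries and records the current ExtendedProtectionTokenCheck value before anything is relaxed. It assumes the ADFS PowerShell module on the ADFS server and uses 'Mozilla/5.0' as the assumed match string.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell on the ADFS server.
Import-Module ADFS

$props = Get-AdfsProperties
Write-Output "Current WIASupportedUserAgents:"
$props.WIASupportedUserAgents | ForEach-Object { "  $_" }
Write-Output "Current ExtendedProtectionTokenCheck: $($props.ExtendedProtectionTokenCheck)"

# Assumed match string: ADFS does a substring match, and Firefox/Safari user agents start with it.
$newAgent = 'Mozilla/5.0'
if ($props.WIASupportedUserAgents -notcontains $newAgent) {
    # Append rather than replace, so existing IE/Windows entries keep getting IWA.
    $agents = @($props.WIASupportedUserAgents) + $newAgent
    Set-AdfsProperties -WIASupportedUserAgents $agents
    Write-Output "Added '$newAgent' to WIASupportedUserAgents"
}

# Browsers without channel-binding support fail the Extended Protection check, which is why the
# post also changes ExtendedProtectionTokenCheck. Lowering it from Require removes the binding
# between the authentication token and the TLS channel, so treat it as a deliberate trade-off:
# the original value printed above is what you restore if the relaxed setting is no longer needed.
# Set-AdfsProperties -ExtendedProtectionTokenCheck None   # assumed value; uncomment only if required

Get-AdfsProperties | Select-Object WIASupportedUserAgents, ExtendedProtectionTokenCheck
```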

Create a custom Multi-Valued attribute in Active Directory

Jan 26th, 2014

Have you ever worked in an environment where, because of regulations and compliance, you are required to retain the group memberships of all terminated and former employees long after they have left the company and their accounts have been disabled? Leaving their membership in groups makes the groups hard to audit, because they will contain both active and disabled users. One possible solution is to create a custom user attribute to store the legacy groups for all disabled users.

This brief post will demonstrate how to modify the Active Directory schema to create a custom multi-valued user attribute. To modify the schema, the account must be a member of the Schema Admins group. Before proceeding, make sure you understand the full functionality of the Active Directory schema. Since a schema modification/extension is irreversible, take care with any schema change. It is always advisable to test in a lab environment before attempting it in production. More information about the Active Directory schema can be found on the TechNet site. Read more…
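As an added example (not the post's own steps), the following creates a multi-valued Unicode-string attribute in the schema and attaches it to the user class with the RSAT ActiveDirectory module. It assumes you run it as a Schema Admins member, and the OID is a placeholder that must be replaced with one from your own registered prefix; because the change is irreversible, it refuses to run without Schema Admins membership and targets the Schema Master explicitly.

```powershell
# Added example, not code from the original post. Creates a custom multi-valued attribute.
Import-Module ActiveDirectory

# Schema writes are rejected unless the caller is in Schema Admins, so fail early and clearly.
if (-not ((whoami /groups) -match 'Schema Admins')) { throw 'Run this as a member of Schema Admins.' }

$attrName     = 'legacyGroupMembership'                    # assumed lDAPDisplayName
$attrOid      = '1.2.840.113556.1.8000.2554.PLACEHOLDER'   # placeholder: use an OID from your own prefix
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster                 # only the Schema Master accepts schema changes

# Create the attributeSchema object. isSingleValued=$false makes it multi-valued;
# 2.5.5.12 / oMSyntax 64 is the Unicode string syntax; searchFlags=1 indexes it.
New-ADObject -Server $schemaMaster -Name $attrName -Type attributeSchema -Path $schemaNc -OtherAttributes @{
    lDAPDisplayName  = $attrName
    attributeID      = $attrOid
    attributeSyntax  = '2.5.5.12'
    oMSyntax         = 64
    isSingleValued   = $false
    searchFlags      = 1
    adminDescription = 'Group memberships retained for disabled accounts'
}

# Refresh the schema cache so the new attribute can be referenced immediately.
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# Attach the attribute to the user class as an optional (mayContain) attribute.
Set-ADObject -Server $schemaMaster -Identity "CN=User,$schemaNc" -Add @{ mayContain = $attrName }

# Verify what was created.
Get-ADObject -Server $schemaMaster -SearchBase $schemaNc -Filter "lDAPDisplayName -eq '$attrName'" `
    -Properties attributeID, isSingleValued, attributeSyntax | Select-Object Name, attributeID, isSingleValued, attributeSyntax
```

Rehearse this in a lab forest first: once the attribute exists it can be defunct-ed but never removed.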

Enabling Access Based Enumeration -ABE on DFS Namespace-Part II

Nov 20th, 2011

In my previous post on Access Based Enumeration, I outlined procedures for enabling ABE. With Windows Server 2008 and 2008 R2, there is an added option to enable ABE on a DFS Namespace. I will show how to accomplish this in this post. Read more…

PowerShell Get-ADUserGroupMembership

Sep 14th, 2010

#Get-ADUserGroupMembership
########################################################################
# This PoSh script reads a list of AD users from a text file (c:\ADUsers.txt) and writes
# each user's AD group membership to a .csv file (C:\UserGroup.csv), one row per user/group pair.
# REQUIREMENTS:
# Quest Active Directory cmdlets must be installed on the machine the script runs from.
# Written By: www.isaacoben.com
# Version: 1.2
#########################################################################
#Add QAD cmdlets
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
#Get user list from text file ADUsers.txt (one account name per line; blank lines are skipped)
$ADUser = @(Get-Content "c:\ADUsers.txt" | Where-Object { $_.Trim() -ne "" })
#Count number of users on the list
$ADUser_Count = $ADUser.Count
#Collect results here and write the CSV once at the end
$Results = @()
#Enumerate the users
$i = 0
ForEach ($targetUser in $ADUser)
{
    $Progress_bar = [int][Math]::Ceiling(($i / $ADUser_Count) * 100)
    #Display progress
    Write-Progress -Activity "Retrieving AD Group Membership for $targetUser" -PercentComplete $Progress_bar -Status "$Progress_bar% Complete"
    $Current_User = Get-QADUser $targetUser
    if ($Current_User -eq $null)
    {
        Write-Warning "User '$targetUser' not found in AD; skipping"
    }
    else
    {
        #One row per group the user is a member of: the user's name and the group's name
        $Current_User | Get-QADMemberOf | ForEach-Object {
            $Results += New-Object PSObject -Property @{ User = $Current_User.Name; Group = $_.Name }
        }
    }
    $i++
}
#Select-Object fixes the column order before export
$Results | Select-Object User, Group | Export-Csv -Path "C:\UserGroup.csv" -NoTypeInformation
Write-Progress -Activity "Retrieved All Users" -PercentComplete 100 -Status "Done - 100%"
Start-Sleep 1