Event ID - 21

Event Id21
SourceMicrosoft-Windows-RasSstp
DescriptionThe Secure Socket Tunneling Protocol service was not able to get the hash for the certificate configured with HTTP. The detailed error message is provided below. Correct the problem and try again. %1
Event Information According to Microsoft :

Cause :

This event is logged when the Secure Socket Tunneling Protocol service was not able to get the hash for the certificate configured with HTTP.

Resolution :

Configure the server with an SSTP certificate

Configure a SSTP certificate with an Enhanced Key Usage (EKU) of either Server Authentication or Any Purpose.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
  1. Click Start , point to All Programs , and then click Accessories .
  2. Right-click Command Prompt , and then click Run as administrator .
  3. Determine if the computer certificate is configured for the SSTP-based VPN connection. This can be accomplished using one of the following steps:

    • Run the netsh http show sslcert command on the remote access server to determine if the SSL certificate is plumbed to HTTP.SYS. Find the certificate with IP:Port pair 0.0.0.0::/443 and [::]:443 and note the certificate hash value.
    • On the VPN client computer, open a Web browser and type in the following URL: https:///sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/. View the certificate and note the certificate hash value.

  4. Delete the certificate from the server certificate store (local computer store). See the "Delete a certificate" section.
  5. Remove the certificate binding from the HTTPS Listener. Type the following commands in a command window:

    • netsh http delete sslcert ipport=0.0.0.0:443
    • netsh http delete sslcert ipport=[::]:443

  6. Remove the certificate binding in RRAS. Open Regedit.exe and delete the following registry keys, if present:

    • HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha256CertificateHash
    • HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha1CertificateHash

  7. Add the new certificate inside the certificate store (local computer store).
  8. Plumb the new certificate to the HTTPS Listener. In this example, the SHA1 certificate hash of the new certificate is xxx. Type the following commands in a command window:

    • netsh http add sslcert ipport=0.0.0.0:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY
    • netsh http add sslcert ipport=[::]:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

  9. Restart the Routing and Remote Access service. The Routing and Remote Access service will read the certificate that is plumbed to the HTTPS Listener and record the appropriate certificate hashes registry keys for its crypto-binding validation phase. See the "Restart Routing and Remote Access" section.
Delete a certificate

To delete the certificate from the certificate store:
  1. Open the Microsoft Management Console (MMC).
  2. Add the Local Computer certificates snap-in:

    • Click File , click Add/Remove Snap-in , and then click Certificates from the list of available snap-ins.
    • Click Add , click Computer account , and then click Next .
    • Ensure Local computer is selected, click Finish , and then click OK .

  3. Expand Certificates (Local Computer) .
  4. Expand Personal .
  5. Click Certificates . In the certificates pane, you will see a list of certificates in the store.
  6. Double-click the certificate that you want to be bound to the SSTP Listener, the certificate with the subject name that matches the host name used in the client VPN connection. Click the Details tab. Make sure ALL is selected in the Show drop-down list.
  7. Ensure that the value for the Thumbprint Algorithm field is sha1 .
  8. Compare the value with the value of the certificate hash in step 3. If the value is the same, then this certificate is bound to the HTTPS Listener. Right-click and then delete the certificate.
Restart Routing and Remote Access

To restart the Routing and Remote Access service:
  1. Open Routing and Remote Access. Click Start , click Run , type rrasmgmt.msc , and then press ENTER.
  2. In the console tree, click Server Status .
  3. In the details pane, right-click a server name, point to All Tasks , and click Restart .
Verify :

To verify that the remote access server can accept connections, establish a remote access connection from a client computer.

To create a VPN connection:
  1. Click Start , and then click Control Panel .
  2. Click Network and Internet , click Network and Sharing Center , and then click Set up a connection or network .
  3. Click Connect to a workplace , and then click Next .
  4. Complete the steps in the Connect to a Workplace wizard.
To connect to a remote access server:
  1. In Network and Sharing Center, click Manage network connections .
  2. Double-click the VPN connection, and then click Connect .
  3. Verify that the connection was established successfully.
Reference LinksEvent ID 21 from Microsoft-Windows-RasSstp

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.