Event ID - 5

Event Id: 5
Source: Microsoft-Windows-RasSstp
Description: The Secure Socket Tunneling Protocol (SSTP) negotiation has failed. The failure code is stored in the Data section of this message. Correct the problem and try again.
Event Information: According to Microsoft:
Diagnose:
This error condition might be caused by one of the following:
  • There are network connectivity issues or certificate configuration failures. The error message (in the Win32 error code) will indicate what happened.
  • The operation to receive the HTTP response has failed for the reason in the detail message.
  • The response received from the server is not HTTP version 1.1. This could be due to the server-side implementation. SSTP has a baseline requirement of HTTP version 1.1.
  • Either the proxy or the SSTP server has failed the HTTP response. The HTTP status code logged in the data portion should provide information about the failure.
  • This can occur if the HTTP layer was established and an error was encountered during the establishment of the SSTP session. The issue could be due to FSM parameter negotiation or a system failure.
  • The server-side implementation of the SSTP service needs to access the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SstpSvc\Parameters\ConfigStore, which SSTP uses to store its own state. If this store is damaged, the system will revert to default settings, which might not be the last active system state.
  • The HTTP layer could not be initialized. The HTTP.SYS driver might not be loaded or there might be some other system failure.
  • The URL specified should be configured to allow SSTPSVC.
Resolve
Fix the network connectivity or certificate issue
Fix the network connectivity or certificate-related issue and try the connection again.
Note: The following procedures include steps for using the ping command to perform troubleshooting. Before you perform these steps, check whether the firewall or Internet Protocol security settings on your network allow Internet Control Message Protocol traffic. ICMP is the TCP/IP protocol that is used by the ping command.
To perform these procedures, you must be a member of the Administrators group or must have been delegated the appropriate authority.
Follow the procedures in the order in which they appear until the problem is resolved.
Determine if there is a network connectivity problem
To determine if there is a network connectivity problem between the remote access server and the domain controller:
  1. On the remote access server, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type ping server_FQDN, where server_FQDN is the fully qualified domain name (FQDN) of the domain controller, and then press ENTER.
  3. At the command prompt, type ping IP_address, where IP_address is the IP address of the domain controller, and then press ENTER.
If you can successfully ping the domain controller by IP address, but not by FQDN, this indicates a possible issue with DNS host name resolution.
If you cannot successfully ping the domain controller by IP address, this indicates a possible issue with network connectivity, firewall configuration, or Internet Protocol security configuration.
Perform additional troubleshooting steps
The following are some additional troubleshooting steps that you can perform to help identify the root cause of the problem:
  • Ping other computers on the network to help determine the extent of the network connectivity issue.
  • If you can ping other servers but not the domain controller, try to ping the domain controller from another computer. If you cannot ping the domain controller from any computer, first ensure that the domain controller is running. If the domain controller is running, check the network settings on the domain controller.
  • Check the TCP/IP settings on the local computer.
  • In Device Manager, check the status of the network adapter. To open Device Manager, click Start, click Run, type devmgmt.msc, and then click OK.
  • Check network connectivity indicator lights on the computer and at the hub or router. Check network cabling.
  • Check firewall settings by using the Windows Firewall with Advanced Security snap-in.
  • Check IPsec settings by using the IP Security Policy Management snap-in.
Configure the remote access server to support HTTP version 1.1
To check that Internet Explorer is set to use HTTP version 1.1:
  1. On the remote access server, start Internet Explorer.
  2. On the Tools menu, click Internet Options.
  3. Click the Advanced tab.
  4. Under HTTP 1.1 settings, select the Use HTTP 1.1 check box.
Check the HTTP status code
The resolution steps vary, according to the HTTP status code.
The only failure status code that the SSTP service on the client responds to is HTTP_STATUS_PROXY_AUTH_REQ (Proxy authentication required). An Access Denied message will appear in the dialer user interface on the client computer. Configure the proxy server so that it does not prompt for authentication.
For all other HTTP status codes, review the definition of the HTTP status code.
If the Web proxy or the SSTP server is rejecting the connection, the server might not be configured to use SSTP. Check whether the Web proxy server is configured to block the connection to the SSTP URL.
Set permissions for the specified URL for SSTPSVC
Namespace reservation assigns the rights for a portion of the HTTP URL namespace to a particular group of users. A reservation gives those users the right to create services that listen on that portion of the namespace. Reservations are URL prefixes, meaning that the reservation covers all subpaths of the reservation path.
Use the netsh http add urlacl command to configure access control lists (ACLs) for the URL for SSTPSVC use.
Configure the certificate manually
To perform this procedure, you must have membership in Administrators, or must have been delegated the appropriate authority.
  1. Click Start, click All Programs, and then click Accessories.
  2. Right-click Command Prompt, and then click Run as administrator.
  3. Configure the certificate manually using the netsh.exe http add sslcert command.
Configure the server with an SSTP certificate
Configure an SSTP certificate with an Enhanced Key Usage (EKU) of either Server Authentication or Any Purpose.
To perform these procedures, you must be a member of the Administrators group, or must have been delegated the appropriate authority.
Delete a certificate
Delete the certificate from the certificate store.
Restart Routing and Remote Access
Configure the server with a certificate hash acceptable to the Reverse Web Proxy server
Possible resolution:
  • Review the logs of the Reverse Web proxy and capture the hash configured by the proxy server to the client.
  • Configure the RRAS server with the same hash as the proxy server.
To perform these procedures, you must be a member of the Administrators group, or must have been delegated the appropriate authority.
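
A read-only check for the hash comparison described above, as an added example that is not from Microsoft or the original page: it prints the SHA1CertificateHash and SHA256CertificateHash registry values and shows which certificates in the machine store match them and carry a Server Authentication or Any Purpose EKU. The registry location of the hash values and the use of the LocalMachine\My store are assumptions.

```powershell
# Added example (read-only): compare the SSTP hash registry values with machine certificates.
# Assumption: the hash values sit directly under the SstpSvc\Parameters key.
$SstpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$ServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$AnyPurpose = '2.5.29.37.0'         # Any Purpose EKU

function ConvertTo-HexString {
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) { return '' }
    [System.BitConverter]::ToString($Bytes) -replace '-', ''
}

function Get-CertSha256 {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # SHA-256 over the DER-encoded certificate, the same input the SHA-1 thumbprint uses.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ConvertTo-HexString ($sha.ComputeHash($Cert.RawData)) } finally { $sha.Dispose() }
}

function Test-SstpEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }   # no EKU extension: review this certificate by hand
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    ($oids -contains $ServerAuth) -or ($oids -contains $AnyPurpose)
}

$params    = Get-ItemProperty -Path $SstpKey -ErrorAction Stop
$regSha1   = ConvertTo-HexString $params.SHA1CertificateHash
$regSha256 = ConvertTo-HexString $params.SHA256CertificateHash
"Registry SHA1  : $regSha1"
"Registry SHA256: $regSha256"

# One row per machine certificate: expiry, EKU suitability, and hash agreement.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Subject     = $_.Subject
        Expired     = $_.NotAfter -lt (Get-Date)
        EkuOk       = Test-SstpEku $_
        Sha1Match   = [bool]$regSha1   -and ($_.Thumbprint -eq $regSha1)
        Sha256Match = [bool]$regSha256 -and ((Get-CertSha256 $_) -eq $regSha256)
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the remote access server; a row with both match columns False for the certificate you expect SSTP to use points at a hash mismatch.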

View the certificate hash

Configure the certificate hash on the remote access server

Restart the Routing and Remote Access service

Provide the permission for SSTP relevant registry parameter

Modify value data for SHA1CertificateHash registry parameter

Modify value data for SHA256CertificateHash registry parameter

Modify value data for ServerURL registry parameter
Reference Links: Event ID 5 from Microsoft-Windows-RasSstp
