error 786: no valid machine certificate found



Nov 19, 2003, 2:31:38 PM
Hello all,

I have been trying to set up a VPN connection using L2TP and
I have done the following:
On the Server:
1. Created an Enterprise CA on my Domain Controller which is also the
VPN server.
2. Requested a machine Cert on the VPN server which is in the Local
computer personal store.

On the Client:
3. Imported the CA Cert to the Trusted CAs in the local machine store.
4. I have also requested a User Cert which is in the Local User
Personal store
5. and a machine cert that is in the Local Computer Personal store.

I still get the message:
Error 786: The L2TP connection attempt failed because there is no
valid machine certificate on your computer for security.

What am I missing?

Thanks in advance for any help.


Sharoon Shetty K [MSFT]

Nov 21, 2003, 12:59:05 AM
Hi Mike,

The error 786 can occur in the following cases:

a) The certificate has not been installed correctly.

Verify in MMC that certificates actually have been installed for both the CA
and for the user. Verify that the certificates are valid (check the start
and end dates) and issued by the same CA as used on your Server. Check the
internal clock of your computer: if it is set to a strange date (say, 1970
or so), your computer will think that the certificate is not (yet) valid.

b) Built-in IPsec stack has been disabled, e.g. when a third-party IPsec
client was installed and then removed.

Click Start -> Programs -> Administrative Tools -> Services. Select "IPSec
Policy Agent" from the list and check if the Startup type is set to
"Automatic". If it is not, this is the problem. Set Startup type to
"Automatic", click Apply and then Start.

Hope this helps!

- Sharoon

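The two checks in this answer, a usable machine certificate in the Local Computer Personal store and the IPSec Policy Agent set to Automatic, can be scripted. This is an added example for the client side, not code from the thread; the `$IssuerMatch` parameter is an assumption and should be set to part of your enterprise CA's name.

```powershell
# Added example: checks the causes of error 786 listed above on the L2TP client.
# Run from an elevated PowerShell prompt.
param([string]$IssuerMatch = 'CN=')   # assumption: substring of the issuing CA's subject

$now = Get-Date
Write-Host "System clock: $now (a clock set to 1970 makes every certificate look 'not yet valid')"

# (a) Machine certificates in Certificates (Local Machine)\Personal
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
if (-not $machineCerts) {
    Write-Warning 'No machine certificate with a private key in LocalMachine\My'
}
foreach ($c in $machineCerts) {
    # Build the chain: succeeds only if the issuing CA is in Trusted Root Certification Authorities
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($c)
    # Start/end dates against the local clock
    $inDate  = ($c.NotBefore -le $now) -and ($c.NotAfter -ge $now)
    # Issued by the same CA as the one used on the VPN server
    $fromCA  = $c.Issuer -like "*$IssuerMatch*"
    [pscustomobject]@{
        Subject  = $c.Subject
        Issuer   = $c.Issuer
        ValidNow = $inDate
        ChainOK  = $chainOk
        IssuerOK = $fromCA
        Usable   = $inDate -and $chainOk -and $fromCA
    }
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "  chain: $($_.StatusInformation.Trim())" }
    }
}

# (b) IPSec Policy Agent (service name PolicyAgent) must be Automatic and running
$svc   = Get-Service -Name PolicyAgent
$start = (Get-CimInstance Win32_Service -Filter "Name='PolicyAgent'").StartMode
if ($svc.Status -ne 'Running' -or $start -ne 'Auto') {
    Write-Warning "IPSec Policy Agent is $($svc.Status), start mode '$start': set it to Automatic and start it"
} else {
    Write-Host 'IPSec Policy Agent: Automatic, running'
}
```

A certificate row with `Usable = False` tells you which of the three conditions (dates, trust chain, issuer) fails; a chain warning naming the root means the CA certificate was not imported into the Local Machine trusted root store.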

menard 242622

Nov 23, 2003, 4:27:14 PM
Make sure you have the 'fix' for NAT-T also.



Nov 26, 2003, 11:14:44 AM

Thanks for your help.

Here is my configuration.

I imported the CA certificate to:
Certificates (Local Machine) \ Trusted Root Certification Authorities \ Certificates
and Certificates (Current User) \ Trusted Root Certification Authorities \ Certificates

I requested a Computer Certificate into:
Certificates (Local Machine) \ Personal \ Certificates
and I requested a User Certificate into:
Certificates (Current User) \ Personal \ Certificates

The internal clocks are correct.
The date in the CA certificate is Nov 17 2005, but the Computer and
User Certificates are Nov 18, 2004. The IPSec Policy Agent is running.

Are there additional places I should install the certificates?




Nov 26, 2003, 11:22:06 AM

I have the NAT-T fix installed and get the same result.




Dec 1, 2003, 1:43:25 PM
Set your connectoid up like you're going to go to L2TP, but change the network
tab to automatic.
Hint: once you change it to auto, go back to security and make sure that
doesn't change it from certificate-based authentication to password. If you
can then connect with that connectoid and it fails to use L2TP, but uses the
certificate to authenticate a PPTP session, you may have all the certs you
need, but the encapsulation or the port setup is incorrect, or something
in between you and the node you're connecting to isn't configured as needed.

If I said that all correctly I believe I am lucky.



Sharoon Shetty K [MSFT]

Dec 11, 2003, 1:17:10 AM

Hi Mike,

The negotiation timeout could be due to some IPSec issue or due to the fact that the packets from the server behind the NAT are not reaching the client.

For NAT-T, port 4500 also needs to be opened apart from 500 for IKE and 1701 for L2TP.

As mentioned in my previous mail the Oakley log might help with the information on the IKE packets sent/received.

Also please check if the machine outside the firewall is part of some other untrusted domain.



-----Original Message-----

From: Mike Piccini []

Sent: Monday, December 01, 2003 8:29 PM

To: Sharoon Shetty

Subject: RE: error 786: no valid machine certificate found


Thanks for all your help.

I was able to get it to work by installing an Administrator User Cert in the personal store.

It works if you connect to the RRAS server from behind the firewall. When I try to come from the outside I get Error 792: Negotiation Timeout. On the firewall I have the L2TP and IKE ports open. Is there another I should open? I have installed the NAT-T patch on the XP client also.



-----Original Message-----

From: Sharoon Shetty []

Sent: Friday, November 28, 2003 1:17 AM


Subject: RE: error 786: no valid machine certificate found

Hi Mike,

Can you send the Oakley log? The steps to get this log are given below:

To enable the logs, execute the following command: netsh ipsec dynamic>set config ikelogging 1

Log path:


We do have an open bug on a similar issue, i.e. "though valid certs are present, the machine doesn't sense them".

As a workaround, you can delete all certs and re-install certs again.

However, before doing this, get the Oakley log so that we can confirm you are facing the same problem.

Once you have the logs you can disable logging by executing the following command: netsh ipsec dynamic>set config ikelogging 0


