Error "Cannot load dialog" when using EAP-TLS with an SSTP or an L2TP/IPsec VPN
We have a working Windows 2008 R2 RRAS server with Windows 7 L2TP/IPsec VPN clients using MS-CHAP v2. We added SSTP support without any problem. When we use PEAP with EAP-MS-CHAP v2 authentication everything works great. However, when switching the client to "Smart Card or other certificate" (EAP-TLS), we get the following error when starting the VPN client: Cannot load dialog. Error 798: A certificate could not be found... The Windows 7 client has a good and working machine certificate (used by L2TP/IPsec) and also a valid user certificate with the right attributes. Trying L2TP/IPsec with EAP-TLS gives the same error. Note that the above error is given *before* even attempting the connection. Therefore it looks very much like a Windows 7 local problem. Any solution to that problem? Best Regards, Stefaan
May 5th, 2011 4:24pm

Hi, Thanks for posting in TechNet forum. I'm trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Thanks for your understanding and support. Regards, Miya
May 6th, 2011 5:21am

Hi, we've done some further testing to find out if it could be a problem with the user certificate. More specifically, we exported the user certificate, imported it on an "old" XP SP3 box, and configured the VPN on the XP client to use L2TP/IPsec with a machine certificate and user certificate (EAP-TLS). It worked immediately like a charm. Repeating the same test on an up-to-date Vista client gives the same problem as an up-to-date Windows 7 client. On the Windows 7 client we also re-tested it with UAC disabled. We still got the same error. I wonder what is going on... Best Regards, Stefaan
May 6th, 2011 10:31am

Hi, today we installed a fresh and up-to-date Windows 7 virtual box. Nothing else is installed on it but the OS. Then we installed the user certificate and configured the VPN client for SSTP with EAP-TLS authentication. The result is still the same error: Cannot load dialog. Error 798: A certificate could not be found... Best Regards, Stefaan
May 9th, 2011 4:37am

Hi, after some more testing we finally got it working on a Vista and a Windows 7 client. To make a long story short... Initially the user certificate was based on a "Windows Server 2008 Enterprise" certificate template, with "Error 798: A certificate could not be found..." as a result. We enrolled a new user certificate, but now based on a "Windows Server 2003 Enterprise" certificate template, and bingo... it works like a charm. Hmm... what's wrong with a "Windows Server 2008 Enterprise" certificate template? Best Regards, Stefaan
May 13th, 2011 6:13pm

Hi, For the time being we are happy with using a "Windows Server 2003 Enterprise" certificate template as a workaround. Best Regards, Stefaan
May 16th, 2011 3:37pm

Hi Stefaan, I'm glad to see that you were able to get the issue resolved by recreating the user certificate. I wanted to take a quick moment to explain why this was necessary. As you know, when you duplicate a template there are two options: Windows Server 2003 Enterprise and Windows 2008 Enterprise. These are also referred to as version 2 (2003 Enterprise) and version 3 (2008 Enterprise) templates. You can find more information on the differences between version 2 and 3 templates here: http://technet.microsoft.com/en-us/library/cc725621(WS.10).aspx. One of the key differences between these two is with cryptography, with v3 templates using a new CryptoAPI called Crypto Next Generation (CNG), and a new key storage mechanism called Key Storage Provider (KSP). You can find out more information about Crypto Next Generation here: http://technet.microsoft.com/en-us/library/cc730763(WS.10).aspx. In short, the reason you received the 798 error when attempting to connect with the v3 certificate is that CNG is not supported with EAP authentication in Windows 7. So you did exactly what was needed… recreate the user certificate using a v2 template. Thank you for choosing Microsoft!
May 18th, 2011 12:19pm

Hello Mike, We have the same problem with a User Certificate issued by an Enterprise Certification Authority installed on a Windows 2003 Standard R2 machine (which is a domain member). When we configure the client to "Smart Card or other certificate" (EAP-TLS) we get the following error when starting the VPN client: Cannot load dialog. Error 798: A certificate could not be found... The Windows client has a valid user certificate with the right attributes. The same error occurs on Windows XP and 7. Note that the above error is given *before* even attempting the connection. Therefore it looks very much like a Windows local problem. We have tried almost everything. The User Certificate is issued via Web Enrollment - User Certificate, as in this manual: http://www.isaserver.org/img/upl/vpnkitbeta2/vpnclienteap.htm. Could the problem lie in the fact that we used Windows 2003 Server Standard edition for the Enterprise Certification Authority role? Best regards, Elias
May 29th, 2011 11:30am

Hi Imrkn, The error message you are receiving basically means that no certificate was found that matched the requirements of the VPN connection you are trying to establish. I would look closely at the certificate you are trying to use, making sure that it meets the minimum requirements, for example, it includes User and Server Authentication, it has the private key, that the issuing CA is trusted, that it is in the user's personal store, not local computer, etc. You might want to try recreating the certs and see if that helps. If none of that works, you might want to post a new forum thread with more details on your setup, or for more immediate assistance, open a support case with Microsoft. But based on the error and the fact you are seeing this on XP and Windows 7, to me, all indications are there is a problem with the certificates on the clients. Mike
June 1st, 2011 10:34am
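
The checks named in Mike's two replies above (private key present, client authentication purpose, trusted chain, user's Personal store, and whether the key sits in a CNG Key Storage Provider) can be run on a client in one pass. This is an added example, not part of the thread or a Microsoft tool; it assumes English-language `certutil` output, and the provider-name match is a heuristic that recognises providers whose name contains "Key Storage Provider".

```powershell
# Added example: list EAP-TLS candidate certificates in the current user's
# Personal store and flag the properties discussed in the thread.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-KeyProviderName {
    param([string]$Thumbprint)
    # certutil prints a "Provider = <name>" line when a private key is associated.
    # Assumption: English output; "ProviderType = ..." lines are not matched.
    $line = certutil.exe -user -store My $Thumbprint |
        Where-Object { $_ -match '^\s*Provider\s*=' } |
        Select-Object -First 1
    if ($line -match '=\s*(.+)$') { $Matches[1].Trim() } else { $null }
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Collect EKU OIDs from the Enhanced Key Usage extension, if present.
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    $provider = if ($cert.HasPrivateKey) { Get-KeyProviderName $cert.Thumbprint } else { $null }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = ($ekuOids -contains $clientAuthOid)
        ChainTrusted  = $cert.Verify()          # builds the chain with default policy
        KeyProvider   = $provider
        # Heuristic: a KSP name indicates a CNG key (v3 template), which the
        # thread reports as unsupported for EAP on Windows 7.
        CngKey        = ($provider -like '*Key Storage Provider*')
    }
} | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey,
                  ClientAuthEku, ChainTrusted, KeyProvider, CngKey |
    Format-List
```

A certificate that shows `CngKey : True` matches the v3-template case from the thread; re-enrolling from a version 2 template, as Stefaan did, places the key in a legacy CSP.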

This topic is archived. No further replies will be accepted.
