1
00:00:02,040 --> 00:00:05,620
So the next error I want to focus on is the error 812.

2
00:00:05,620 --> 00:00:09,060
So I'm going to launch a VPN connection here.

3
00:00:09,060 --> 00:00:11,940
And here you see using rasdial,

4
00:00:11,940 --> 00:00:16,120
I've initiated a connection for my AlwaysOn VPN user‑based connection.

5
00:00:16,120 --> 00:00:20,180
And by the way, you will only see 812 errors for user‑based connections,

6
00:00:20,180 --> 00:00:22,050
not for device tunnel connections. Here,

7
00:00:22,050 --> 00:00:25,730
it's basically saying that the error 812 means that the connection was

8
00:00:25,730 --> 00:00:30,940
prevented because of a policy configured on your RAS or VPN server.

9
00:00:30,940 --> 00:00:33,380
So to begin troubleshooting our 812 error,

10
00:00:33,380 --> 00:00:35,900
we need to jump over to the NPS server,

11
00:00:35,900 --> 00:00:42,240
and the first thing we're going to do here is open up the event log.

12
00:00:42,240 --> 00:00:47,250
What I like to do here is expand Custom Views and then expand Server Roles

13
00:00:47,250 --> 00:00:50,470
and then highlight Network Policy and Access Services.

14
00:00:50,470 --> 00:00:55,130
And this will yield all the information that is pertinent to the NPS role.

15
00:00:55,130 --> 00:00:59,030
So what I'm looking for here specifically is anything with the event

16
00:00:59,030 --> 00:01:04,940
ID 6273 in the task category Network Policy Server.

17
00:01:04,940 --> 00:01:06,960
And if I take a look at this error message,

18
00:01:06,960 --> 00:01:10,040
you'll see that it indicates that the network policy

19
00:01:10,040 --> 00:01:12,160
server denied access to a user.

20
00:01:12,160 --> 00:01:18,470
What I find helpful here is that if you scroll down in this window, you

21
00:01:18,470 --> 00:01:23,480
will actually see that there's a reason. There's a reason code and a

22
00:01:23,480 --> 00:01:28,260
reason. And specifically it says the reason is the connection request did

23
00:01:28,260 --> 00:01:31,240
not match any configured network policy.

24
00:01:31,240 --> 00:01:36,600
What that means is that the user was not likely a member of the correct group.

25
00:01:36,600 --> 00:01:39,850
Remember, our network policy is tied to a specific user group,

26
00:01:39,850 --> 00:01:42,410
and if the user is not a member of that group,

27
00:01:42,410 --> 00:01:44,940
then this access will fail.

28
00:01:44,940 --> 00:01:49,700
Another common cause for the error 812 is an error in which the

29
00:01:49,700 --> 00:01:53,050
Message‑Authenticator attribute is not valid.

30
00:01:53,050 --> 00:01:56,260
And essentially what this means, what this really translates to in

31
00:01:56,260 --> 00:02:00,140
plain English, is that the shared secret is incorrect.

32
00:02:00,140 --> 00:02:05,490
So this means that the NPS server's RADIUS shared secret is not

33
00:02:05,490 --> 00:02:08,620
matching what the VPN server is providing.

34
00:02:08,620 --> 00:02:13,760
So if you see this event ID 18 from the event source NPS and you

35
00:02:13,760 --> 00:02:17,150
see that an Access‑Request message was received from a client

36
00:02:17,150 --> 00:02:19,540
with an invalid Message‑Authenticator,

37
00:02:19,540 --> 00:02:24,230
you'll know intuitively that that is simply a mismatched shared secret.

38
00:02:24,230 --> 00:02:28,610
And one last thing regarding error 812 messages, and it's really important to

39
00:02:28,610 --> 00:02:34,880
understand that NPS communication failure between the VPN server and the RADIUS

40
00:02:34,880 --> 00:02:39,620
server or NPS server can result in an error 812.

41
00:02:39,620 --> 00:02:42,950
That can be really misleading because the error message specifically

42
00:02:42,950 --> 00:02:46,640
states it's because of a policy on the NPS server.

43
00:02:46,640 --> 00:02:51,410
But here again, if the VPN server is unable to communicate with the NPS server,

44
00:02:51,410 --> 00:02:55,530
so that could mean that it's the firewall is blocking the traffic or that

45
00:02:55,530 --> 00:02:59,430
it doesn't have a route to the NPS server or what have you or maybe even

46
00:02:59,430 --> 00:03:02,290
just configured incorrectly on the VPN server,

47
00:03:02,290 --> 00:03:05,160
all of those things will result in NPS communication

48
00:03:05,160 --> 00:03:08,050
failure, and they will all result in an 812.

49
00:03:08,050 --> 00:03:10,700
So it can be a little bit deceiving, somewhat misleading,

50
00:03:10,700 --> 00:03:12,140
but be mindful of that.

51
00:03:12,140 --> 00:03:15,950
If you're looking in the event logs on the NPS server and you don't

52
00:03:15,950 --> 00:03:27,000
see an allowed or denied message in the event log, it's a good bet the NPS server simply did not receive that request.