L2TP connection fails with error 789 on a Windows Server 2012 R2-based RRAS server

Gilt für: Windows Server 2012 R2 DatacenterWindows Server 2012 R2 StandardWindows Server 2012 R2 Essentials

This article describes an issue that occurs in a Windows Server 2012 R2-based Routing and Remote Access service (RRAS) server. A hotfix is available to fix this issue. The hotfix has a prerequisite.


Consider the following scenario:
  • You deploy DirectAccess and Layer Two Tunneling Protocol (L2TP) VPN connections in Windows Server 2012 R2.
  • An IP-HTTPS certificate from a public certification authority (CA) is installed.
  • A second certificate from an internal CA is installed for the L2TP/IPsec VPN connection.
In this scenario, the L2TP/IPsec VPN connection doesn't work, and you receive a 789 error code that looks something like this:

Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

Hotfix information

Important If you install a language pack after you install this hotfix, you must reinstall this hotfix. Therefore, we recommend that you install any language packs that you need before you install this hotfix. For more information, see Add language packs to Windows.

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that's described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there's a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section doesn't appear, submit a request to Microsoft Customer Service and Support to get the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that don't qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you don't see your language, it's because a hotfix isn't available for that language.


To apply this hotfix, you must have April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) installed in Windows Server 2012 R2.

Registry information

After you install this hotfix, the following registry subkey is configured:
Name: DoNotUpdateAuthCert
Value: 0

To apply this hotfix, you have to change the value of the registry subkey to 1. Then, set the following registry subkey with the L2TP/IPsec certificate thumbprint:
HKLM\System\CurrentControlSet\Services\RemoteAccess\Parameters : ServerAuthCert

Restart requirement

You may have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix doesn't replace a previously released hotfix.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


This issue occurs because DirectAccess populates the following registry subkey with the IP-HTTPS certificates hash during the configuration:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters : ServerAuthCert


See the terminology that Microsoft uses to describe software updates.

File Information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). Be aware that dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time bias. The dates and times may also change when you perform certain operations on the files.