Symptom6: Client tries to connect to SSTP VPN server and it fails to connect giving error message 0x80092013
Trouble-shooting steps: This will happen if client is failing the certificate revocation check of the SSL certificate obtained from server side. Ensure the CRL check servers on the server side are exposed on the Internet. This is because CRL check is done on the client side during SSL connection establishment phase and the CRL check query will be directly going on the Internet.
The CRL distribution point in your certificate should point to your external DNS name. The SSTP guide does not address this deployment issue that the VPN server’s internal DNS name is referenced in CRL. By default, the CRL URL is set to server’s internal DNS name (e.g. vpn1.contoso.local).
1. Open Server Manager and navigate to Roles, Active Directory Certificate Services
2. Right click on CA name (e.g. mycompany-vpn1-CA) and choose Properties.
3. Click Extensions tab.
4. Select the pre-existing http: URL and click Remove.
5. Click Add…
6. Type http://
7. Type external URL of VPN server
8. Type CertEnroll/
9. Insert variable <CaName>
10. Insert variable <CRLNameSuffix>
11. Insert variable <DeltaCRLAllowed>
12. Type .crl
13. Check boxes Include in CRLs… and Include in the CDP…
Note These steps should be done before SSTP VPN is configured. Otherwise, one must revoke the old cert and then request, issue, and install the new one.
For more information about how to troubleshoot SSTP, go to the following Microsoft TechNet blog:
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.