This is a common error in Azure VPN that appears when a misconfiguration has been made in the gateway settings. I will attach a list of possible solutions that you may find useful, which also covers local machine time problems.
This guidance is meant for engineers that have implemented Azure VPN (OpenVPN) with Azure AD authentication. It is expected that you have some knowledge of an Azure gateway and are familiar with how this technology works. In this guidance you will also find the link to the official Microsoft guide that supports this post.
Description of the error:
List of possible solutions & recommendations
- Check that your local time in the machine is correct
- Ensure the VPN config in the gateway is correct (check the three fields: Tenant, Audience, Issuer)
- Review all your configs and follow the MS guidance: https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
- If any of the configs here is found to be incorrect, make sure you redeploy the config (XML) to your clients again.
Several people have reported leaving spaces or missing characters. For this reason I will post a mini guide on how to get these values correctly.
You will find this section under the point-to-site configuration in your Azure gateway settings.
Tenant: Tenant ID of the Azure AD tenant
Make sure you enter the format correctly. Do not leave the field without the “/” at the end.
Find tenant ID through the Azure portal
- Sign in to the Azure portal.
- Select Azure Active Directory.
- Select Properties.
- Then scroll down to the Tenant ID field. Your tenant ID will be in the box.
Audience: Application ID of the “Azure VPN” Azure AD Enterprise App. Ensure it has the right format.
You should be able to find it here:
- Enter 41b23e61-6c1e-4545-b367-cd054e0ed4b4 for Azure Public
- Enter 51bb15d4-3a4f-4ebf-9dca-40096fe32426 for Azure Government
- Enter 538ee9e6-310a-468d-afef-ea97365856a9 for Azure Germany
- Enter 49f817b6-84ae-4cc0-928c-73f27289b3aa for Azure China 21Vianet
Make sure no spaces or extra characters are added in this part of the config.
Issuer: URL of the Secure Token Service
Ensure you use the correct format.
The format expects a “/” at the end. I have seen in forums some people missing that character.
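To catch the whitespace, missing-slash and wrong-ID mistakes described above before redeploying the client XML, here is a small pre-flight check for the three fields. This is an added example, not code from the post or from Microsoft; the audience IDs are the ones listed above, and the URL shapes for Tenant (https://login.microsoftonline.com/<tenant-id>/) and Issuer (https://sts.windows.net/<tenant-id>/) are assumed from the linked Microsoft guidance for Azure Public.

```python
import re
from typing import List

# Audience = Application ID of the "Azure VPN" enterprise app per cloud (values as listed in this post).
AUDIENCES = {
    "41b23e61-6c1e-4545-b367-cd054e0ed4b4": "Azure Public",
    "51bb15d4-3a4f-4ebf-9dca-40096fe32426": "Azure Government",
    "538ee9e6-310a-468d-afef-ea97365856a9": "Azure Germany",
    "49f817b6-84ae-4cc0-928c-73f27289b3aa": "Azure China 21Vianet",
}
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# URL shapes for Azure Public, assumed from the Microsoft guidance linked above.
# The trailing "/" is checked separately so the report names that mistake explicitly.
TENANT_RE = re.compile(rf"^https://login\.microsoftonline\.com/({GUID})/?$")
ISSUER_RE = re.compile(rf"^https://sts\.windows\.net/({GUID})/?$")


def check_p2s_aad_config(tenant: str, audience: str, issuer: str) -> List[str]:
    """Return the problems found in the P2S Azure AD fields; an empty list means they look consistent."""
    problems = []
    # 1. Stray whitespace (copy/paste leftovers) in any of the three fields.
    for name, value in (("Tenant", tenant), ("Audience", audience), ("Issuer", issuer)):
        if value != value.strip():
            problems.append(f"{name}: leading/trailing whitespace")
    tenant_s, audience_s, issuer_s = tenant.strip(), audience.strip(), issuer.strip()
    # 2. Both URLs must end with "/".
    for name, value in (("Tenant", tenant_s), ("Issuer", issuer_s)):
        if not value.endswith("/"):
            problems.append(f"{name}: missing trailing '/'")
    # 3. Expected host and a well-formed tenant GUID in each URL.
    t = TENANT_RE.match(tenant_s.lower())
    i = ISSUER_RE.match(issuer_s.lower())
    if not t:
        problems.append("Tenant: expected https://login.microsoftonline.com/<tenant-id>/")
    if not i:
        problems.append("Issuer: expected https://sts.windows.net/<tenant-id>/")
    # 4. Tenant and Issuer must refer to the same tenant.
    if t and i and t.group(1) != i.group(1):
        problems.append("Tenant and Issuer carry different tenant IDs")
    # 5. Audience must be one of the known Azure VPN application IDs.
    if audience_s.lower() not in AUDIENCES:
        problems.append("Audience: not one of the known Azure VPN application IDs")
    return problems


if __name__ == "__main__":
    tid = "c0ffee00-1111-2222-3333-444444444444"  # constructed sample tenant ID
    print(check_p2s_aad_config(f"https://login.microsoftonline.com/{tid}",  # slash missing
                               " 41b23e61-6c1e-4545-b367-cd054e0ed4b4",    # leading space
                               f"https://sts.windows.net/{tid}/"))
```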