FIX: Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. (Solved)
This tutorial contains instructions to fix the Event ID 18 in RRAS Secure Socket Tunneling Protocol (RasSstp) on a Windows 10 PC that acts as a VPN server, or in Windows Server 2008/ 2012: "Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid".
Problem in details. VPN clients could connect to a VPN server running on Windows 10/11 PC, or in Windows Server 2008/2012 with the following error logged on the VPN server:
- The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes in length. SSTP might not be able to retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again.
The system cannot find the file specified.
How to FIX: Event ID 18 in RRAS Secure Socket Tunneling Protocol (SSTP) service.
The Secure Socket Tunneling Protocol (SSTP) in virtual private networking (VPN) is used to allow traffic to pass through TCP port 443 in firewalls that block PPTP and L2TP/IPsec traffic. So, in order for SSTP to accept connections you must first open the TCP port 443 on your firewall and set the SHA256 certificate hash to 32 bytes long in the Registry.To do that:
1. Open Registry Editor on the VPN server. To do that:
2. In Registry Editor, navigate to the following location:
3a. Right-click at an empty space at the right and select New > Binary value.
3b. Name the new value as: SHA256CertificateHash
3c. Now open the new value, type 32 and click OK.
4. Now close the registry editor, restart the computer and check if it accepts VPN connections. If the problem remains, proceed to the instructions below:
5. Open the registry editor again and navigate to the same registry location.
6a. At the right, right-click at an empty space and select New > DWORD (32-bit)Value.
6b. Name the new value as: IsHashConfiguredByAdmin
6c. Finally open the new value, set the Value Data to 1 and click OK.
5. Close the registry editor and restart the PC.
6. After restart, try to connect to VPN server from the clients.
That’s all folks! Did it work for you?
Please leave a comment in the comment section below or even better: like and share this blog post in the social networks to help spread the word about this solution.