Windows 11 built-in VPN UI fails for SSTP while rasdial succeeds connecting
Posted: Sun Apr 12, 2026 1:19 pm
Environment
- SoftEther VPN Server 4.44 Build 9807
- Server OS: Windows 11 Pro VM
- Public hostname: vpn.mydomain.it
- Valid X.509 certificate installed in SoftEther with SAN = vpn.mydomain.it
- TCP 443 published from router/NAT to the VPN server
- SecureNAT enabled
- Virtual Hub: MyDomain_VPN
- User authentication: local SoftEther user with password authentication
- Client OS: Windows 11 built-in VPN client
- VPN protocol: SSTP
- Authentication method: MS-CHAP v2
Steps to reproduce
1. Configure SoftEther VPN Server 4.44 Build 9807 on a Windows 11 Pro VM.
2. Enable SSTP on TCP 443.
3. Install a valid X.509 certificate with SAN = vpn.mydomain.it.
4. Enable SecureNAT on the Virtual Hub MyDomain_VPN.
5. Create a local SoftEther VPN user with password authentication.
6. On a Windows 11 client, create a built-in VPN profile named Test10_SSTP using:
   - Server address: vpn.mydomain.it
   - VPN type: SSTP
   - Authentication: username and password / MS-CHAP v2
7. Test the connection with rasdial using the same profile and valid credentials.
8. Then test the same VPN connection using the modern Windows 11 VPN UI.
Expected behavior
- The built-in Windows 11 VPN client should connect successfully through the UI, just like rasdial does.
- The credential prompt should behave like a normal VPN username/password prompt.
- No credential error should be shown before the user manually enters credentials.
- Since rasdial succeeds with the same server, profile, protocol, and credentials, the UI path is expected to work as well.
Actual behavior
- The server is reachable and TCP 443 works correctly.
- TLS handshake works.
- The SoftEther server receives the SSTP connection and starts a real SSTP/PPP session.
- If wrong credentials are used, the server logs correctly show authentication failure.
- If correct credentials are used with rasdial, the connection succeeds.
Working command:
rasdial "Test10_SSTP" myusername "MYPASSWORD"
Output:
Successfully connected to Test10_SSTP.
However, when trying to connect through the modern Windows 11 VPN UI:
- Windows shows a "Windows Security" prompt
- the fields are "Email address" and "Password"
- the red message "The username or password is incorrect" is already displayed before manually entering fresh credentials
- the connection fails from the UI
- rasdial using the same profile still works
Additional notes
- This does not look like a generic server-side SSTP failure, because the server certificate is valid, TCP 443 works, the server receives the SSTP connection, and rasdial succeeds.
- The problem seems specific to the modern Windows UI path, or to the interoperability between that UI path and SoftEther SSTP.
- Earlier I found that old/dirty VPN profiles could contain settings such as:
  - UseRasCredentials=1
  - CacheCredentials=1
  - PreviewDomain=1
- Recreating the VPN profile improved the situation, but the modern UI still behaves incorrectly.
- The issue seems related to credential handling in the modern Windows UI, because rasdial works correctly with the same underlying VPN setup.
Question
Has anybody seen similar behavior with:
- SoftEther SSTP
- Windows 11 built-in VPN client
- modern credential dialog showing "Email address" instead of a normal VPN username prompt?
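
Added example (not part of the original post): a PowerShell sketch for checking which phonebook entries carry the three credential-related settings named in the post. The function name `Get-PbkCredentialFlags`, the `Old_Profile` entry and the sample phonebook text are constructed for illustration; the commented path assumes the standard per-user `rasphone.pbk` location.

```powershell
# Added example: report which rasphone.pbk entries have the settings from the
# post (UseRasCredentials, CacheCredentials, PreviewDomain) set to 1.
function Get-PbkCredentialFlags {
    param(
        [string[]] $Lines,
        [string[]] $Keys = @('UseRasCredentials', 'CacheCredentials', 'PreviewDomain')
    )
    $entries = [ordered]@{}
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            # Each VPN profile is an INI-style section: [ProfileName]
            $current = $Matches[1]
            $entries[$current] = [ordered]@{}
        }
        elseif ($current -and $line -match '^([^=]+)=(.*)$') {
            $key = $Matches[1].Trim()
            # Record only the audited keys, first occurrence per entry
            if ($Keys -contains $key -and -not $entries[$current].Contains($key)) {
                $entries[$current][$key] = $Matches[2].Trim()
            }
        }
    }
    foreach ($name in $entries.Keys) {
        $flags = $entries[$name]
        $set = @($Keys | Where-Object { $flags[$_] -eq '1' })
        [pscustomobject]@{
            Profile      = $name
            EnabledFlags = $set -join ', '
            NeedsReview  = $set.Count -gt 0
        }
    }
}

# Constructed sample phonebook text (not taken from a real machine)
$sample = @'
[Test10_SSTP]
PreviewUserPw=1
PreviewDomain=0
UseRasCredentials=0
CacheCredentials=0

[Old_Profile]
PreviewDomain=1
UseRasCredentials=1
CacheCredentials=1
'@ -split "`r?`n"

Get-PbkCredentialFlags -Lines $sample | Format-Table -AutoSize

# Against the real per-user phonebook (assumed standard location):
# Get-PbkCredentialFlags -Lines (Get-Content "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk")
```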