KB2661254 - This patch breaks DirectAccess client PCs

    Question

  • Anyone else run into an issue where installing patch KB2661254 breaks DirectAccess on the client's PC?  We had it happen today.  All the certificates in our deployment are 2048-bit, so we are all scratching our heads why this hoses things.  Everything looks correct on the client's PC as far as setup goes, but it will not create tunnels.  Remove the patch from the client PC, reboot and wham, everything goes back to working like normal.  Ours is a pretty out-of-the-box setup with about 2,000 users.
    Thursday, October 11, 2012 7:30 PM

All replies

  • Hi Naladar,
    Just did an installation of the patch on a Windows 7 SP1 client and the DA tunnels established themselves correctly after the required reboot.

    I assume you have checked the key sizes of the entire chain?
    Enable CAPI2 logging in Event Viewer and do a reboot to see if you get any errors there when the client tries to establish the IPsec tunnels.
    If that doesn't help you, continue by enabling IPsec debugging on the client.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Friday, October 12, 2012 10:43 AM
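The three checks Jonas suggests (key sizes across the whole chain, CAPI2 logging, IPsec debugging) as a PowerShell walk-through. This is an added example, not code from the thread or from any of its participants; it assumes an elevated prompt on a Windows 7 SP1 DirectAccess client, that the machine certificates live in Cert:\LocalMachine\My, and that the 1024-bit floor enforced by KB2661254 is the threshold of interest. The capture file path under C:\temp is an arbitrary choice.

```powershell
# Added example (not from the original thread). Assumes an elevated PowerShell
# prompt on a Windows 7 SP1 DirectAccess client. Store path, log name and the
# 1024-bit threshold are the standard ones; the capture path is an assumption.

# 1. Walk the chain of every machine certificate and report RSA key sizes.
#    KB2661254 blocks RSA keys shorter than 1024 bits anywhere in the chain,
#    so every chain element is checked, not only the leaf certificate.
$minBits = 1024
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is not the question here; skip it so the chain builds offline too.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($cert)
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        try {
            $bits = $c.PublicKey.Key.KeySize   # RSA key length in bits
        } catch {
            $bits = -1                          # non-RSA key; not affected by this update
        }
        $flag = if ($bits -ge 0 -and $bits -lt $minBits) { 'WEAK' } else { 'ok' }
        '{0,-5} {1,5} bits  {2}' -f $flag, $bits, $c.Subject
    }
    $chain.Reset()
}

# 2. Enable the CAPI2 operational log, reboot, then pull any errors logged while
#    the IPsec tunnels were being built (Level 2 = Error).
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
# ... after the reboot:
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. IPsec debugging: capture WFP/IPsec state while a connection attempt is made.
#    netsh wfp capture is built into Windows 7; the output .cab contains the
#    filters, security associations and events for the capture window.
New-Item -ItemType Directory -Path C:\temp -ErrorAction SilentlyContinue | Out-Null
netsh wfp capture start file=C:\temp\wfp.cab
# reproduce the DirectAccess connection attempt here, then:
netsh wfp capture stop
```

Anything flagged WEAK in step 1 is the update working as documented; if every element reports 2048 bits, as the original poster states, the CAPI2 errors from step 2 and the wfp.cab from step 3 are where the actual failure will show up.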
  • Please ensure that both your external public certificate and internal PKI certificate meet the requirement.

    Have you installed the update on your internal PKI and UAG servers?

    Friday, October 12, 2012 2:34 PM
  • Did you verify that you could send data over those tunnels?  We have checked the key sizes of all the certificates and they are all 2048-bit.  We pulled these patches from the servers before they were deployed, so they were not affected.  We had over 30 machines hit at the same time with this and removing this patch fixed it on every occasion.  We pulled this patch from being deployed any further until we can work on discovering the root cause and get a resolution. We rolled it out to the client machines because it looked like it would not affect anything in our deployment since we have been using 2048-bit keys on everything for the last 4 years.  I have a case opened with our support vendor as well and they are researching the issue.  I will try out those troubleshooting steps you mentioned on Monday or Tuesday of next week and report back with my findings.  Thank you very much! 

    Friday, October 12, 2012 11:58 PM
  • Hi again,

    Yes of course, I was working with that client all afternoon yesterday and was connected to a number of different internal systems during that time (primarily RDP/SMB).
    Actually did an additional test by adding all the additional updates that were available for my client also just to verify that the error didn't have anything to do with a combination of that update and another update.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Saturday, October 13, 2012 7:27 AM