Direct Access and Multiple Domains

  • Question

  • Hi All

    We are using Direct Access on Server 2012.

    We have two domains, domain1 and domain2. They are fully trusted in Active Directory and users can work normally between the two domains with no issues.

    The DA server is in “domain1” ( and all computer accounts are in domain1 )

    If a user connects to Direct Access and his computer and user account are in “domain1”, he can connect to Direct Access with no problems at all.

    If a user connects to Direct Access and his computer account is in “domain1” and his user account is in “domain2”, we see his connection in Direct Access but he cannot do anything once connected.

    Any ideas?

    Wednesday, July 23, 2014 10:08 AM

Answers

  • For info, we have now found out what the problem is. The other domain has a trust, but it's a standard trust, not a forest-level trust. If you set the non-working domain as a forest-level two-way trust the issue is resolved; it can't pass the Kerberos authentication across otherwise.

    • Marked as answer by duncan320 Friday, July 25, 2014 1:10 PM
    Friday, July 25, 2014 1:10 PM
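    As an added example (not code from the thread or from Microsoft), a PowerShell check for the trust shape the marked answer describes: a forest trust, two-way, between the DirectAccess server's domain and the user's domain. It assumes the ActiveDirectory RSAT module and uses placeholder domain names.

```powershell
# Added example, not from the thread. Uses the ActiveDirectory RSAT module.
# Domain names below are placeholders standing in for domain1/domain2.
Import-Module ActiveDirectory

function Test-DirectAccessTrust {
    <#
      Checks whether the trust from the DirectAccess server's domain to the
      user-account domain is a two-way forest trust, which the thread found
      necessary. Returns the trust properties plus a list of findings; an
      empty Findings list means the trust has the expected shape.
    #>
    param(
        [Parameter(Mandatory)][string]$PartnerDomain,   # user-account domain (domain2)
        [string]$Server                                 # optional DC of the DA server's domain
    )
    $params = @{ Filter = '*' }
    if ($Server) { $params.Server = $Server }

    # Get-ADTrust lists the trustedDomain objects of the queried domain.
    $trust = Get-ADTrust @params |
        Where-Object { $_.Target -eq $PartnerDomain -or $_.Name -eq $PartnerDomain }

    $findings = @()
    if (-not $trust) {
        $findings += "No trust object found for $PartnerDomain"
    } else {
        # ForestTransitive is set only on forest trusts; a standard
        # (external) trust leaves it false.
        if (-not $trust.ForestTransitive) {
            $findings += 'Standard (external) trust, not a forest trust'
        }
        # A two-way trust reports Direction = BiDirectional.
        if ($trust.Direction -ne 'BiDirectional') {
            $findings += "Trust direction is $($trust.Direction), not two-way"
        }
    }

    [pscustomobject]@{
        Target           = $PartnerDomain
        Direction        = $trust.Direction
        ForestTransitive = [bool]$trust.ForestTransitive
        Findings         = $findings
    }
}

# Usage (placeholder name): run on a domain-joined admin host in domain1.
Test-DirectAccessTrust -PartnerDomain 'domain2.example.local'
```

    A non-empty Findings list points at the condition the marked answer fixed; the built-in `netdom trust domain1 /d:domain2 /verify` confirms the trust secret itself is valid but does not report the trust type.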

All replies

  • What does the DirectAccess Troubleshooting tool report?

    http://www.microsoft.com/en-au/download/details.aspx?id=41938


    Wednesday, July 23, 2014 12:12 PM
  • The only point it actually fails on is HTTP Probe. I can't send the entire log, it would take me too long to edit; here is the selected failure.

    23/07/2014 13:31:47[P:5284 T:5] [MicrosoftServices.WS2012DA.ClientTroubleshooter.UserTunnelChecker] Info: Enter VerifyHttpProbe - checks the availability of the configured HTTP probes.
    23/07/2014 13:31:47[P:5284 T:5] [MicrosoftServices.WS2012DA.ClientTroubleshooter.UserTunnelChecker] Info: Trying to connect to http://xxx.xxx.xxx.xxx.uk.
    23/07/2014 13:31:47[P:5284 T:1] [MicrosoftServices.WS2012DA.ClientTroubleshooter.TreeViewHandler] Info: Added ChildNode UserTunnelTestsNodeChild1.
    23/07/2014 13:31:47[P:5284 T:5] [MicrosoftServices.WS2012DA.ClientTroubleshooter.NetworkHelper] Info: Proxy will be bypassed for destination http://xxx.xxx.xxx.xxx.uk.
    23/07/2014 13:32:17[P:5284 T:5] [MicrosoftServices.WS2012DA.ClientTroubleshooter.NetworkHelper] Info: An WebException occurred while running a HTTP request. Message: The operation has timed out.
    23/07/2014 13:32:17[P:5284 T:5] [MicrosoftServices.WS2012DA.ClientTroubleshooter.NetworkHelper] Info: No response was received during the time-out period for the request.
    23/07/2014 13:32:17[P:5284 T:5] [MicrosoftServices.WS2012DA.ClientTroubleshooter.NetworkHelper] Info: There is no HTTP status code for a response timeout, so HTTP 504 is returned as workaround.
    23/07/2014 13:32:17[P:5284 T:5] [MicrosoftServices.WS2012DA.ClientTroubleshooter.UserTunnelChecker] ERROR: Failed to connect to HTTP probe at http://xxx.xxx.xxx.xxx.uk.
    23/07/2014 13:32:17[P:5284 T:5] [MicrosoftServices.WS2012DA.ClientTroubleshooter.MainForm] Info: Added child node message Failed to connect to HTTP probe at http://xxx.xxx.xxx.xxx.uk.
    23/07/2014 13:32:17[P:5284 T:5] [MicrosoftServices.WS2012DA.ClientTroubleshooter.MainForm] Info: Finished running 2nd IPsec User Tunnel tests.


    Wednesday, July 23, 2014 2:30 PM
  • With the HTTP probe, can you visit that address in a web browser on a machine that is and isn't working? What happens when you try to?
    Wednesday, July 23, 2014 9:42 PM
  • We can't access the probe address in a browser on the ones that don't work, just a normal page not found. We think the issue is more domain/permission related rather than an actual Direct Access problem.

    Thanks.

    Thursday, July 24, 2014 9:21 AM
  • I'm guessing the webpage is hosted on IIS. Have you got anonymous access enabled to the site?
    Thursday, July 24, 2014 11:07 AM
  • Yes, just double checked: it's on IIS and anonymous is enabled.

    Thanks

    Thursday, July 24, 2014 12:13 PM