UAG DirectAccess new internal CA

  • Question

  • I have had DA configured with CA1 as our internal CA.
    Now I need to move the CA to another server, so I installed CA2.
    On CA1 I deleted the Computer template and added the Computer template to the CA2 server.
    On the UAG I deleted the old servername.domain.local certificate and enrolled for a new one.
    Then I ran the UAG config wizard and changed the CA (certificate) to the new CA2 server.
    On a fresh client I enrolled for a computer certificate from CA2.
    Rebooted the machine after gpupdate /force but can't get a DA connection.

    When looking in advanced firewall I see the GPOs/Connection security rules.

    Going to Main Mode and Quick Mode shows empty screens.

    Please help me as I'm stuck :-(

    Wednesday, August 22, 2012 9:25 AM

All replies

  • Hi,

    Does the UAG server trust the new CA2?

    Have you run gpupdate on the UAG server?


    Regards, Rmknight

    Wednesday, August 22, 2012 10:22 AM
  • Hello,

    CA2 is in the trusted root CA store on the UAG server (and all other servers).

    gpupdate /force and a reboot of the UAG machine had no effect.

    Regards,

    Wednesday, August 22, 2012 10:26 AM
  • Can you supply an output from the DCA?

    Remove any sensitive data.


    Regards, Rmknight

    Wednesday, August 22, 2012 10:34 AM
  • How do I do an output from the DCA? You mean export policy?
    Wednesday, August 22, 2012 10:36 AM
  • Do you have the DirectAccess Connectivity Assistant installed on the client?

    If so, right click on it and select "advanced diagnostics"; then you will be able to open the logs directory and open the DcaDefaultLog.html file. Please post the contents.


    Regards, Rmknight

    Wednesday, August 22, 2012 10:40 AM
  • RED: Corporate connectivity is not working.
    Windows is unable to contact some corporate content resources. Please contact your administrator if this problem persists.
    22/8/2012 11:8:22 (UTC)


    Probes List
    PASS  PING: 2002:52c9:2aca::52c9:2aca
    FAIL  FILE: \\server04.mydomain.local\dacheck$\da-check.txt

    DTE List
    PASS  PING: 2002:52c9:2aca::52c9:2aca
    PASS  PING: 2002:52c9:2ac9::52c9:2ac9

    C:\Windows\system32\LogSpace\{8E554D89-DAFA-4596-91EE-12792DF4C35E}>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : MY-PC
       Primary Dns Suffix  . . . . . . . : mydomain.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : mydomain.local
                                           internal.int

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : internal.int
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-0A-40-10
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::e00c:6e6:505b:b059%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 100.12.3.16(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.252.0
       Lease Obtained. . . . . . . . . . : woensdag 22 augustus 2012 12:43:39
       Lease Expires . . . . . . . . . . : woensdag 29 augustus 2012 12:43:40
       Default Gateway . . . . . . . . . : 100.12.0.254
       DHCP Server . . . . . . . . . . . : 100.12.1.1
       DHCPv6 IAID . . . . . . . . . . . : 234886493
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-C6-4D-AE-00-15-5D-0A-40-10
       DNS Servers . . . . . . . . . . . : 100.12.1.1
                                           100.12.1.2
                                           100.212.1.1
                                           100.212.1.5
       Primary WINS Server . . . . . . . : 100.12.1.2
       Secondary WINS Server . . . . . . : 100.12.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.internal.int:

       Connection-specific DNS Suffix  . : internal.int
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:52c9:64ec:8000:0:5efe:10.12.3.16(Preferred)
       Link-local IPv6 Address . . . . . : fe80::5efe:10.12.3.16%12(Preferred)
       Default Gateway . . . . . . . . . : fe80::5efe:10.212.1.24%12
       DNS Servers . . . . . . . . . . . : 100.12.1.1
                                           100.12.1.2
                                           100.212.1.1
                                           100.212.1.5
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter iphttpsinterface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    C:\Windows\system32\LogSpace\{8E554D89-DAFA-4596-91EE-12792DF4C35E}>netsh int teredo show state
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : 200.200.200.200 (Group Policy)
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : offline
    Error                   : client is in a managed network


    C:\Windows\system32\LogSpace\{8E554D89-DAFA-4596-91EE-12792DF4C35E}>netsh int httpstunnel show interfaces

    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://myda.mydomain.com:443/IPHTTPS
    Last Error Code            : 0x801901f6
    Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect


    C:\Windows\system32\LogSpace\{8E554D89-DAFA-4596-91EE-12792DF4C35E}>netsh dns show state

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Configured and Enabled

    DNSSEC Settings                       : Not Configured


    C:\Windows\system32\LogSpace\{8E554D89-DAFA-4596-91EE-12792DF4C35E}>netsh name show policy

    DNS Name Resolution Policy Table Settings

    Settings for nls.mydomain.local
    ----------------------------------------------------------------------
    Certification authority                 : DC=local, DC=mydomain, CN=mydomain-SRVCA1-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for wmyda.mydomain.nl
    ----------------------------------------------------------------------
    Certification authority                 : DC=local, DC=mydomain, CN=mydomain-SRVCA1-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for .mydomain.nl
    ----------------------------------------------------------------------
    Certification authority                 : DC=local, DC=mydomain, CN=mydomain-SRVCA1-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 2002:52c9:2aca::52c9:2aca
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy

     

    Settings for .mydomain.local
    ----------------------------------------------------------------------
    Certification authority                 : DC=local, DC=mydomain, CN=mydomain-SRVCA1-CA
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 2002:52c9:2aca::52c9:2aca
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy

     


    C:\Windows\system32\LogSpace\{8E554D89-DAFA-4596-91EE-12792DF4C35E}>netsh name show effective

    DNS Effective Name Resolution Policy Table Settings


    Settings for in-or-out.mydomain.local
    ----------------------------------------------------------------------
    Certification authority                 : DC=local, DC=mydomain, CN=mydomain-SRVCA1-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for myda.mydomain.nl
    ----------------------------------------------------------------------
    Certification authority                 : DC=local, DC=mydomain, CN=mydomain-SRVCA1-CA
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings

     

    Settings for .mydomain.nl
    ----------------------------------------------------------------------
    Certification authority                 : DC=local, DC=mydomain, CN=mydomain-SRVCA1
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:52c9:2aca::52c9:2aca
    DirectAccess (Proxy Settings)           : Bypass proxy

     

    Settings for .mydomain.local
    ----------------------------------------------------------------------
    Certification authority                 : DC=local, DC=mydomain, CN=mydomain-SRVCA1
    DNSSEC (Validation)                     : disabled
    IPsec settings                          : disabled
    DirectAccess (DNS Servers)              : 2002:52c9:2aca::52c9:2aca
    DirectAccess (Proxy Settings)           : Bypass proxy

     


    C:\Windows\system32\LogSpace\{8E554D89-DAFA-4596-91EE-12792DF4C35E}>netsh int ipv6 show int level=verbose 

    Interface Loopback Pseudo-Interface 1 Parameters
    ----------------------------------------------
    IfLuid                             : loopback_0
    IfIndex                            : 1
    State                              : connected
    Metric                             : 50
    Link MTU                           : 4294967295 bytes
    Reachable Time                     : 37500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface isatap.internal.int Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_4
    IfIndex                            : 12
    State                              : connected
    Metric                             : 5
    Link MTU                           : 1280 bytes
    Reachable Time                     : 35500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface Local Area Connection Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_6
    IfIndex                            : 11
    State                              : connected
    Metric                             : 5
    Link MTU                           : 1500 bytes
    Reachable Time                     : 25000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled

    Interface iphttpsinterface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_6
    IfIndex                            : 13
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 36500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled


    C:\Windows\system32\LogSpace\{8E554D89-DAFA-4596-91EE-12792DF4C35E}>netsh advf show currentprofile

    Private Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.


    C:\Windows\system32\LogSpace\{8E554D89-DAFA-4596-91EE-12792DF4C35E}>netsh advfirewall monitor show consec

    Global Settings:
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     ICMP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None

    StatefulFTP                           Enable
    StatefulPPTP                          Enable

    Main Mode:
    KeyLifetime                           60min,0sess
    SecMethods                            DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    ForceDH                               No

    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleRuleCategory                Windows Firewall


    Quick Mode:
    QuickModeSecMethods                   ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    QuickModePFS                          None

    Security Associations:

    No SAs match the specified criteria.


    C:\Windows\system32\LogSpace\{8E554D89-DAFA-4596-91EE-12792DF4C35E}>Certutil -store my 
    my
    ================ Certificate 0 ================
    Serial Number: 12c1e02900000000001e
    Issuer: CN=mydomain-SRVCA1, DC=mydomain, DC=local
     NotBefore: 22-8-2012 10:57
     NotAfter: 22-8-2013 10:57
    Subject: CN=MY-PC.mydomain.local
    Certificate Template Name (Certificate Type): Machine
    Non-root Certificate
    Template: Machine
    Cert Hash(sha1): bd ca 43 1d 40 f3 4b a5 19 b8 85 5c 52 5d 90 af 09 03 a7 ea
      Key Container = a6488cdd33da25a22ac7fc46b6bf2b3e_ba7f5fd3-50b8-4530-9354-81978e2262a1
      Simple container name: le-Machine-6116b1dd-4eb2-402a-a68c-f06429b93983
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -store command completed successfully.

    C:\Windows\system32\LogSpace\{8E554D89-DAFA-4596-91EE-12792DF4C35E}>Systeminfo

    Host Name:                 MY-PC
    OS Name:                   Microsoft Windows 7 Enterprise
    OS Version:                6.1.7600 N/A Build 7600
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Member Workstation
    OS Build Type:             Multiprocessor Free
    Registered Owner:          WV
    Registered Organization:  
    Product ID:                00392-972-8000024-85048
    Original Install Date:     22-8-2012, 10:25:07
    System Boot Time:          22-8-2012, 12:43:30
    System Manufacturer:       Microsoft Corporation
    System Model:              Virtual Machine
    System Type:               x64-based PC
    Processor(s):              1 Processor(s) Installed.
                               [01]: Intel64 Family 6 Model 42 Stepping 7 GenuineIntel ~2394 Mhz
    BIOS Version:              American Megatrends Inc. 090006 , 22-2-2012
    Windows Directory:         C:\Windows
    System Directory:          C:\Windows\system32
    Boot Device:               \Device\HarddiskVolume1
    System Locale:             nl;Dutch (Netherlands)
    Input Locale:              en-us;English (United States)
    Time Zone:                 (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
    Total Physical Memory:     1.024 MB
    Available Physical Memory: 538 MB
    Virtual Memory: Max Size:  2.048 MB
    Virtual Memory: Available: 1.406 MB
    Virtual Memory: In Use:    642 MB
    Page File Location(s):     C:\pagefile.sys
    Domain:                    mydomain.local
    Logon Server:              N/A
    Hotfix(s):                 N/A
    Network Card(s):           1 NIC(s) Installed.
                               [01]: Microsoft Virtual Machine Bus Network Adapter
                                     Connection Name: Local Area Connection
                                     DHCP Enabled:    Yes
                                     DHCP Server:     100.12.1.1
                                     IP address(es)
                                     [01]: 100.12.3.16
                                     [02]: fe80::e00c:6e6:505b:b059

    C:\Windows\system32\LogSpace\{8E554D89-DAFA-4596-91EE-12792DF4C35E}>whoami /groups 

    GROUP INFORMATION
    -----------------

    Group Name                             Type             SID          Attributes                                       
    ====================================== ================ ============ ==================================================
    BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner   
    Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
    Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                  


    Wednesday, August 22, 2012 11:22 AM

  •  Error                   : client is in a managed network

    Have you disabled Teredo? It thinks it is on an enterprise network.

    Do you have the client network defined as either "Home" or "Public"?


    Regards, Rmknight

    Wednesday, August 22, 2012 1:00 PM
  • It's a new fresh Windows 7 install on the client; I didn't change anything, so Teredo is still enabled I guess :)

    I'm on another corporate network with the client that is not attached to the network where the UAG is connected.

    Client network = Work

    Wednesday, August 22, 2012 1:08 PM
  • Hi, DA only switches on when it is in a public or home network. So your configuration should never have worked. Did DA work with the old CA?

    Regards, Rmknight

    Wednesday, August 22, 2012 1:11 PM
  • Before the CA change it worked, but I'm not 100% sure if I then used Public, Work or Home network.

    So you say if I change the network type on my client to Public it should work?

    Wednesday, August 22, 2012 1:20 PM
  • Is this a production machine, as it looks like a virtual machine?

    Changing the client to a public network should work.


    Regards, Rmknight

    Wednesday, August 22, 2012 1:34 PM
  • It is a virtual machine, fresh installed at our corp company and domain joined over VPN to the customer domain.

    Going to try to change Work to Public now.... keep you posted

    Wednesday, August 22, 2012 1:36 PM
  • Fixed and working.

    Network type is still on WORK and it's working, so it doesn't have to be Public or Home.

    But to fix it I completely reinstalled the client, on all DCs enrolled for a new domain email cert, enabled IPv6 on all DCs,

    then joined the client to the domain, connected the normal VPN and let it wait and sync with the domain, rebooted the UAG, the client got a cert from CA2, then I did gpupdate /force,

    rebooted the machine and it works.

    Wednesday, August 22, 2012 5:00 PM
  • DirectAccess only activates its IPsec configurations when your local Windows Firewall is running the Private or Public firewall profile. If your client has the Domain profile active, DA tunnels do not establish. However, when you plug into a new network connection and Windows asks you if you want it to be a "work, home or public" connection - choosing "work" does not mean it will assign the Domain profile. NLA does more work than just that setting to determine when it needs the domain profile. So when you are on a new network and you choose "Public", it assigns the Public profile. When you choose either "Home" or "Work", it assigns the Private profile - and the Domain profile is assigned when the machine can actually see its own domain.

    I just wanted to make sure you knew that users choosing "work" would not be an issue that you would run into in the future.

    Teredo shows up as being "in a managed network" whenever it sees a domain of any kind. To alleviate this (because you do want to prefer Teredo over IP-HTTPS whenever possible), set all of your DA clients' Teredo status to EnterpriseClient. You can do this on a per-machine basis by running netsh int teredo set state enterpriseclient - or you can assign this setting to all of your DA client computers with a GPO.

    Thursday, August 23, 2012 2:37 PM
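The post above lists the things a DA client needs before the IPsec tunnels come up (a Private or Public firewall profile, Teredo not backing off because it saw a domain, and otherwise IP-HTTPS as the fallback), and the DCA log earlier in the thread shows each of those facts spread across several netsh outputs, alongside the CA names the NRPT and the machine certificate carry. The following PowerShell script is an added example, not part of this thread and not a UAG or Microsoft tool: it gathers those same facts with read-only netsh "show" commands and the local certificate store and prints them side by side, so that after a CA move an administrator can see in one table whether the client is on the right profile, whether Teredo is in "managed network" backoff, and whether the machine certificate still chains to the CA the connection security rules name. Assumptions of mine: the `Auth1CAName` label in `netsh advfirewall consec show rule name=all` output, and all function names.

```powershell
# Added example (not from the thread, not a UAG or Microsoft tool): read-only
# DirectAccess client pre-flight check. It collects, with netsh "show" commands
# and the local certificate store, the facts the DCA log above reports and
# prints them side by side. Assumed: the "Auth1CAName" label in
# "netsh advfirewall consec show rule" output; all function names are mine.
# Run from an elevated PowerShell prompt on the client; nothing is changed.

function Get-LabelValue {
    # First value whose label matches. Handles both "Label : value" and
    # "Label        value" layouts, which netsh mixes freely.
    param([string[]]$Lines, [string]$Label)
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:?\s+(.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return '(not found)'
}

function Get-AllLabelValues {
    # Every distinct value for a label (NRPT and consec output repeat labels per rule).
    param([string[]]$Lines, [string]$Label)
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:?\s+(.+?)\s*$'
    $found = @()
    foreach ($line in $Lines) {
        if ($line -match $pattern) { $found += $Matches[1] }
    }
    return @($found | Select-Object -Unique)
}

function Get-CommonName {
    # CN of a DN regardless of RDN order: netsh prints "DC=local, DC=x, CN=y",
    # the certificate store prints "CN=y, DC=x, DC=local".
    param([string]$DistinguishedName)
    if ($DistinguishedName -match 'CN=([^,]+)') { return $Matches[1].Trim() }
    return $DistinguishedName
}

function Get-RootCN {
    # Subject CN at the top of the certificate's chain, so a two-tier PKI
    # (issuing CA under a root) is still compared against the root the rules name.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; revocation is a separate question
    [void]$chain.Build($Cert)
    if ($chain.ChainElements.Count -eq 0) { return Get-CommonName $Cert.Issuer }
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return Get-CommonName $top.Subject
}

function Add-Check {
    param([System.Collections.ArrayList]$Report, [string]$Check, [string]$Value, [string]$Note)
    [void]$Report.Add((New-Object PSObject -Property @{ Check = $Check; Value = $Value; Note = $Note }))
}

function Test-DaClientPrereqs {
    $report = New-Object System.Collections.ArrayList

    # 1. Active firewall profile: the DA IPsec rules only apply under Private or
    #    Public; Domain means NLA reached the domain and DA stays off.
    $fwProfile = '(not found)'
    foreach ($line in (netsh advfirewall show currentprofile)) {
        if ($line -match '^\s*(\w+) Profile Settings:') { $fwProfile = $Matches[1]; break }
    }
    $note = ''
    if ($fwProfile -eq 'Domain') { $note = 'Domain profile active: DA does not engage on-premises' }
    Add-Check $report 'Firewall profile' $fwProfile $note

    # 2. Teredo: "client is in a managed network" is the backoff described in the thread.
    $teredo = netsh interface teredo show state
    $note = ''
    if ((Get-LabelValue $teredo 'Type') -eq 'client' -and (Get-LabelValue $teredo 'Error') -match 'managed network') {
        $note = 'Teredo saw a domain; enterpriseclient (netsh or GPO) lets it try anyway, UDP egress still required'
    }
    Add-Check $report 'Teredo' ((Get-LabelValue $teredo 'State') + ' / ' + (Get-LabelValue $teredo 'Error')) $note

    # 3. IP-HTTPS fallback transport.
    $https = netsh interface httpstunnel show interfaces
    Add-Check $report 'IP-HTTPS' ((Get-LabelValue $https 'Last Error Code') + ' / ' + (Get-LabelValue $https 'Interface Status')) ''

    # 4. CA named by the connection security rules and the NRPT, versus the
    #    chain of every machine certificate that has a private key.
    $ruleCNs = @()
    foreach ($ca in (Get-AllLabelValues (netsh advfirewall consec show rule name=all) 'Auth1CAName')) { $ruleCNs += Get-CommonName $ca }
    Add-Check $report 'Consec rule CA' ($ruleCNs -join '; ') ''
    $nrptCNs = @()
    foreach ($ca in (Get-AllLabelValues (netsh namespace show policy) 'Certification authority')) { $nrptCNs += Get-CommonName $ca }
    Add-Check $report 'NRPT CA' ($nrptCNs -join '; ') ''

    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })
    foreach ($cert in $certs) {
        $root = Get-RootCN $cert
        $note = ''
        if ($ruleCNs.Count -gt 0 -and -not ($ruleCNs -contains $root)) {
            $note = 'Chains to a CA the rules do not name: stale GPO or certificate from the old CA'
        }
        Add-Check $report ('Machine cert ' + $cert.Thumbprint.Substring(0, 8)) ($cert.Subject + ' <- ' + $root) $note
    }
    if ($certs.Count -eq 0) { Add-Check $report 'Machine cert' '(none with private key)' 'Enroll a computer certificate first' }

    return $report
}

Test-DaClientPrereqs | Format-Table Check, Value, Note -AutoSize -Wrap
```

Everything the script runs is a "show" or store read, so it is safe to run on a client that is already misbehaving; the one change it suggests in its notes, `netsh interface teredo set state enterpriseclient`, is the same one the post above recommends and is left for the administrator to apply by hand or by GPO. Comparing against the top of the chain rather than the direct issuer is deliberate: the connection security rules name the root, and on a two-tier PKI the issuer alone would produce a false mismatch.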
  • Jordan, thanks for this info; this is valuable info.

    Strange thing is, when I plug the client into DomainY.int the DA still doesn't work, even after the enterpriseclient setting, BUT in my domain at home, DomainX.local, it works and gets a DA connection.

    Friday, August 24, 2012 8:35 AM
  • The EnterpriseClient setting will tell Teredo to go ahead and try to connect even if it sees a domain, but ultimately Teredo still needs UDP access to the DA server to be able to make a successful connection. Most likely the DomainY.int network is not allowing outbound UDP access, which will stop Teredo from connecting.
    Friday, August 24, 2012 1:53 PM