Sometimes users cannot access resources through Direct Access

  • Dear,

    I have the following infrastructure:
    - DirectAccess on server 2008R2
    - All PC's Win 7 enterprise & domain joined.

    Sometimes my users have problems with Direct Access connections; most of the time everything is working.
    I've done a lot of troubleshooting, including the Direct Access Connectivity Assistant. When my users experience this problem, the client log of the DA Troubleshooting tool shows the following:


    Interface IPHTTPSInterface (Group Policy)  Parameters
    Role                       : client
    URL                        : https://removed_for_privacy_reasons:443/IPHTTPS
    Last Error Code            : 0x80092013
    Interface Status           : failed to connect to the IPHTTPS server. Waiting to reconnect 
    The URL points to my DA server public IP, so this is not the problem.

    I've found something which is strange:
    In the wwwroot of the DA server, there are 2 certs:
    - NOV-DC-01-CA
    - NOV-DC-01-CA+

    I cannot post screenshots here, so I will explain:

    In both certs, there is a distribution point name URL, but it points to a subdomain (pki.mydomain.eu) which doesn't exist anymore. There is also a warning (!) in the cert about this. This exists within both my certificates.

    The DPN URL is not valid anymore. It points to a direction: pki.mydomainname.eu. But the A record for pki seems to have been removed (I think a while ago).

    Could this be the reason why some users sometimes experience problems, and others don't have problems, for example, for a while? If this is the problem: why is it working sometimes and sometimes not?

    Can anyone point me in the right direction? Recreating the PKI A record (pointing to the public IP of the DA server), would this solve my problems?

    Kind regards and many thanks!

    Saturday, October 18, 2014 12:31 PM

All replies

  • Hi,

    Your IPHTTPS error is related to CRL publication and an outdated CRL: http://support.microsoft.com/kb/2980672

    Did you use your internal PKI to deliver your IPHTTPS certificate?

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, October 20, 2014 4:09 PM
  • Agree with BenoitS, it seems you have problems with the CRL.

    The entries you see, NOV-DC-01-CA and NOV-DC-01-CA+, are NOT certs; they are the CRL and Delta CRL.

    You have 2 options to resolve this problem.

    1) Make your MS CA CRL available for DA users.

    2) Obtain a cert from a public CA (like Verisign or Digicert) and replace the current IPHTTPS cert.

    Tuesday, October 21, 2014 11:28 AM
  • Hi,

    To be sure, just connect one affected client on the LAN and connect to the NLS using a web browser to force your system to retrieve a new version of the CRL. After that, your DirectAccess client will be operational for some days, but remember, a standard CRL has a seven-day lifetime and the Delta CRL is limited to one day. For these reasons, moving to a public CA is highly recommended.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, October 21, 2014 11:31 AM
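The replies above point at the same root cause: the IP-HTTPS certificate chain cannot be checked for revocation because the CRL distribution point (CDP) no longer resolves, and the client only keeps working while a previously cached CRL is still within its validity window. The following PowerShell script is an added example, not code from the thread or from Microsoft; it reproduces that check on the DirectAccess server (or on any machine holding the certificate) so an admin can confirm the diagnosis before deciding between republishing the CRL and moving to a public CA. It assumes PowerShell 3.0 or later (for Invoke-WebRequest), that the IP-HTTPS certificate is in the LocalMachine\My store, and that the thumbprint placeholder is replaced with the real one; only HTTP CDP URLs are tested.

```powershell
# Added example (not from the thread): diagnose the CRL-reachability problem behind
# IP-HTTPS error 0x80092013 (CRYPT_E_REVOCATION_OFFLINE).
# Assumptions: PowerShell 3+, cert in LocalMachine\My, $Thumbprint replaced with the
# real IP-HTTPS certificate thumbprint (placeholder below).
param(
    [string]$Thumbprint = 'REPLACE_WITH_IPHTTPS_CERT_THUMBPRINT'
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate with thumbprint $Thumbprint not found in LocalMachine\My" }

# 1. Read the CRL Distribution Points extension (OID 2.5.29.31) and pull out the HTTP URLs.
$cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$cdpUrls = @()
if ($cdpExt) {
    $cdpUrls = [regex]::Matches($cdpExt.Format($true), 'https?://[^\s,]+') | ForEach-Object { $_.Value }
}
Write-Host "CDP URLs in certificate:`n  $($cdpUrls -join "`n  ")"

# 2. For each CDP: does the host resolve, does the CRL download, and when does it expire?
#    A host that no longer resolves is exactly the missing 'pki' A record from the question;
#    a NextUpdate in the past means the CRL the client cached is no longer usable.
foreach ($url in $cdpUrls) {
    $uri = [uri]$url
    try {
        $null = [System.Net.Dns]::GetHostAddresses($uri.Host)
        Write-Host "DNS OK     : $($uri.Host)"
    } catch {
        Write-Warning "DNS FAILED : $($uri.Host) does not resolve; clients cannot refresh the CRL"
        continue
    }
    $tmp = Join-Path $env:TEMP ('crl_' + [guid]::NewGuid().ToString() + '.crl')
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -TimeoutSec 15
        # certutil -dump prints the CRL's ThisUpdate / NextUpdate fields.
        $dump = certutil -dump $tmp 2>&1
        $next = ($dump | Select-String 'NextUpdate') | ForEach-Object { $_.Line.Trim() }
        Write-Host "CRL OK     : $url`n  $next"
    } catch {
        Write-Warning "CRL FAILED : $url ($($_.Exception.Message))"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# 3. Build the chain with online revocation checking for the whole chain, which is what the
#    IP-HTTPS client effectively requires, and report any revocation-related chain status
#    (RevocationStatusUnknown / OfflineRevocation correspond to the 0x80092013 failure).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode       = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag       = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(15)
if ($chain.Build($cert)) {
    Write-Host "Chain built with online revocation checking: OK"
} else {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}
$chain.Reset()
```

If step 2 reports a DNS failure and step 3 reports RevocationStatusUnknown or OfflineRevocation, the clients that still work are the ones whose cached CRL has not yet passed its NextUpdate, which is why the problem looks intermittent. Restoring a reachable CDP (or reissuing the IP-HTTPS certificate from a public CA whose CDP is always reachable) is the fix; running the script again afterwards should show every CDP downloading and the chain building cleanly.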