DA broke after installing Win 7 SP1 and/or 2008 R2 SP1

  • Question

  • Searched a bit and didn't see an answer - forgive me if already asked.

     

    My clients are Win 7 32bit and DA server 2008 R2. Upon upgrading a client to 7 SP1, the DA connection refuses to work.

    Upon upgrading the DA server to 2008 R2 SP1, the DA connection breaks. 

    If upgrading the DA server only, leaving the clients at non-SP1, the connection breaks as well.

    Is there something I'm missing with the release of SP1?

     

    Thanks, guys.

    Monday, August 29, 2011 4:38 AM

All replies

  • Hi,

     

    I'm not aware that SP1 broke DirectAccess, but let's start with some troubleshooting tips:

    Please post the results of the following commands on the DA client connected to the Internet:

    -NETSH.EXE DNSCLIENT SHOW STATE

    -CERTUTIL -STORE MY

    -NETSH.EXE INTERFACE TEREDO SHOW STATE

    -NETSH.EXE INTERFACE HTTPSTUNNEL SHOW INTERFACE

    -NETSH.EXE NAMESPACE SHOW POLICY

    -NETSH.EXE NAMESPACE SHOW EFFECTIVEPOLICY

     

     Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Monday, August 29, 2011 6:50 AM
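As an added example (not code from BenoitS or anyone else in this thread): a PowerShell script that captures the client-side checks listed above into one text file per run, then diffs two captures with the values that legitimately differ between hosts or sessions masked out. That is what the original poster ended up doing by eye across the pre- and post-SP1 dumps. The tools are the in-box netsh.exe and certutil.exe; the output folder, the function names and the masking patterns are my assumptions, and `netsh advfirewall monitor show mmsa` is added to the list so the capture also records whether any IPsec main mode SAs are established.

```powershell
# Added example, not from the thread. Assumes Windows 7 / PowerShell 2.0 or later.
# Output folder and masking rules are assumptions for illustration.

$DaChecks = @(
    'netsh.exe dnsclient show state',
    'certutil.exe -store my',
    'netsh.exe interface teredo show state',
    'netsh.exe interface httpstunnel show interface',
    'netsh.exe namespace show policy',
    'netsh.exe namespace show effectivepolicy',
    'netsh.exe advfirewall monitor show mmsa'   # are any IPsec main mode SAs up at all?
)

function Save-DaClientState {
    # Run every check and append its output to <computer>-<timestamp>.txt; returns the path.
    param([string]$OutDir = "$env:TEMP\da-state")
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $file = Join-Path $OutDir ("{0}-{1:yyyyMMdd-HHmmss}.txt" -f $env:COMPUTERNAME, (Get-Date))
    foreach ($cmd in $DaChecks) {
        "===== $cmd =====" | Out-File $file -Append -Encoding ASCII
        # cmd.exe runs the fixed command string above; stderr is merged so errors land in the file too.
        & cmd.exe /c "$cmd 2>&1" | Out-File $file -Append -Encoding ASCII
    }
    $file
}

function Hide-VolatileValue {
    # Mask NAT mappings, certificate serials/thumbprints/validity/key containers and
    # the subject host name, which differ between two clients without being a problem.
    param([Parameter(ValueFromPipeline=$true)][string]$Line)
    process {
        $Line -replace '^(\s*)(Local Mapping|External NAT Mapping)(\s*:).*', '$1$2$3 <masked>' `
              -replace '^(\s*)(Serial Number|Cert Hash\(sha1\)|Key Container|NotBefore|NotAfter)(\s*[:=]).*', '$1$2$3 <masked>' `
              -replace '^(\s*Subject: CN=).*', '$1<host>'
    }
}

function Compare-DaClientState {
    # Lines present in only one of the two captures, tagged with the side they came from.
    param([Parameter(Mandatory=$true)][string]$Before,
          [Parameter(Mandatory=$true)][string]$After)
    $b = Get-Content $Before | Hide-VolatileValue
    $a = Get-Content $After  | Hide-VolatileValue
    Compare-Object $b $a |
        Select-Object @{n='Side'; e={ if ($_.SideIndicator -eq '<=') { 'before' } else { 'after' } }}, InputObject
}

# Usage: run Save-DaClientState on the working and on the broken client (or before and
# after the service pack), copy the files to one place, then:
#   Compare-DaClientState -Before .\LTAPL0093VM-20110829-120000.txt -After .\LTAPL0119VM-SP1-20110906-120000.txt
```

An empty result from Compare-DaClientState means the two clients agree on NRPT, Teredo, IP-HTTPS and certificate template, which is the point at which the thread moves on to the IPsec negotiation itself.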
  • BenoitS,

     

    Thanks for your reply. Everything looks in order and the same. I've posted output from my Win7 32bit before SP1 and after... You may see something I'm not noticing however. Thanks.

     

    **********************************AFTER SP1:*********************************

    -NETSH.EXE DNSCLIENT SHOW STATE

    Name Resolution Policy Table Options

    --------------------------------------------------------------------

     

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS

                                            if the name does not exist in DNS or

                                            if the DNS servers are unreachable

                                            when on a private network

     

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

     

    Network Location Behavior             : Let Network ID determine when Direct

                                            Access settings are to be used

     

    Machine Location                      : Outside corporate network

     

    Direct Access Settings                : Configured and Enabled

     

    DNSSEC Settings                       : Not Configured

    -CERTUTIL -STORE MY

    ================ Certificate 0 ================

    Serial Number: 1d5c3f3c000000000079

    Issuer: CN=gsba-FULTON-CA, DC=gsba, DC=com

     NotBefore: 12/13/2010 10:19 AM

     NotAfter: 12/13/2011 10:19 AM

    Subject: CN=LTAPL0093VM.gsba.com

    Certificate Template Name (Certificate Type): Machine

    Non-root Certificate

    Template: Machine

    Cert Hash(sha1): af 3c d8 5c c3 ee c7 cf 3e d8 5e 3a 64 5d fb 09 12 cc 8e ab

      Key Container = b568956e30ff89c1bf2a8fae078275fc_07d788cd-d2ff-45d7-964d-fb0f8

    aaea5e3

      Provider = Microsoft RSA SChannel Cryptographic Provider

    Encryption test FAILED


    ================ Certificate 1 ================

    Archived!

    Serial Number: 6be82de900000000002d

    Issuer: CN=xxx, DC=xx, DC=xx

     NotBefore: 5/7/2010 3:52 PM

     NotAfter: 5/7/2011 3:52 PM

    Subject: CN=WSLTPCT66JVM.xxx.com

    Certificate Template Name (Certificate Type): Machine

    Non-root Certificate

    Template: Machine

    Cert Hash(sha1): 40 19 a5 db fc e3 c6 ee 86 1d 1e 47 dd 14 77 17 e1 88 03 e8

      Key Container = 1614ab9351a5298fb1030a1850152dfd_07d788cd-d2ff-45d7-964d-fb0f8

    aaea5e3

      Provider = Microsoft RSA SChannel Cryptographic Provider

    Encryption test FAILED

    CertUtil: -store command completed successfully.

    -NETSH.EXE INTERFACE TEREDO SHOW STATE

    Teredo Parameters

    ---------------------------------------------

    Type                    : client

    Server Name             : xx.xx.xx.xx (Group Policy)

    Client Refresh Interval : 30 seconds

    Client Port             : unspecified

    State                   : qualified

    Client Type             : teredo host-specific relay

    Network                 : unmanaged

    NAT                     : symmetric (port)

    NAT Special Behaviour   : UPNP: No, PortPreserving: No

    Local Mapping           : 10.0.1.12:61029

    External NAT Mapping    : 68.216.10.57:5634

    -NETSH.EXE INTERFACE HTTPSTUNNEL SHOW INTERFACE

    Interface IPHTTPSInterface (Group Policy)  Parameters

    ------------------------------------------------------------

    Role                       : client

    URL                        : https://da.xxxx.com:443/IPHTTPS

    Last Error Code            : 0x0

    Interface Status           : IPHTTPS interface active

    -NETSH.EXE NAMESPACE SHOW POLICY

    DNS Name Resolution Policy Table Settings


    Settings for evision.visionforpubliced.org

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              : 2002:44d8:a38::44d8:a38

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for nls.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for www.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for ica.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for mail.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for da.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for .gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              : 2002:44d8:a38::44d8:a38

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy

    -NETSH.EXE NAMESPACE SHOW EFFECTIVEPOLICY

    DNS Effective Name Resolution Policy Table Settings



    Settings for evision.visionforpubliced.org

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              : 2002:44d8:a38::44d8:a38

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for nls.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for www.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for ica.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for mail.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for da.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for .gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              : 2002:44d8:a38::44d8:a38

    DirectAccess (Proxy Settings)           : Bypass proxy

     


    Monday, August 29, 2011 6:49 PM
  • *******************BEFORE SP1*************************

    -NETSH DNSCLIENT SH STATE

     

    Name Resolution Policy Table Options

    --------------------------------------------------------------------

     

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS

                                            if the name does not exist in DNS or

                                            if the DNS servers are unreachable

                                            when on a private network

     

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

     

    Network Location Behavior             : Let Network ID determine when Direct

                                            Access settings are to be used

     

    Machine Location                      : Outside corporate network

     

    Direct Access Settings                : Configured and Enabled

     

    DNSSEC Settings                       : Not Configured

    -CERTUTIL -STORE MY

     

    ================ Certificate 0 ================

    Serial Number: 1d5c3f3c000000000079

    Issuer: CN=gsba-FULTON-CA, DC=gsba, DC=com

     NotBefore: 12/13/2010 10:19 AM

     NotAfter: 12/13/2011 10:19 AM

    Subject: CN=LTAPL0093VM.gsba.com

    Certificate Template Name (Certificate Type): Machine

    Non-root Certificate

    Template: Machine, Computer

    Cert Hash(sha1): af 3c d8 5c c3 ee c7 cf 3e d8 5e 3a 64 5d fb 09 12 cc 8e ab

      Key Container = b568956e30ff89c1bf2a8fae078275fc_07d788cd-d2ff-45d7-964d-fb0f8

    aaea5e3

      Provider = Microsoft RSA SChannel Cryptographic Provider

    Encryption test FAILED


    ================ Certificate 1 ================

    Archived!

    Serial Number: 6be82de900000000002d

    Issuer: CN=gsba-FULTON-CA, DC=gsba, DC=com

     NotBefore: 5/7/2010 3:52 PM

     NotAfter: 5/7/2011 3:52 PM

    Subject: CN=WSLTPCT66JVM.gsba.com

    Certificate Template Name (Certificate Type): Machine

    Non-root Certificate

    Template: Machine, Computer

    Cert Hash(sha1): 40 19 a5 db fc e3 c6 ee 86 1d 1e 47 dd 14 77 17 e1 88 03 e8

      Key Container = 1614ab9351a5298fb1030a1850152dfd_07d788cd-d2ff-45d7-964d-fb0f8

    aaea5e3

      Provider = Microsoft RSA SChannel Cryptographic Provider

    Encryption test FAILED

    CertUtil: -store command completed successfully.


     

    -NETSH.EXE INTERFACE TEREDO SHOW STATE

     

    Teredo Parameters

    ---------------------------------------------

    Type                    : client

    Server Name             : 68.216.10.55 (Group Policy)

    Client Refresh Interval : 30 seconds

    Client Port             : unspecified

    State                   : qualified

    Client Type             : teredo host-specific relay

    Network                 : unmanaged

    NAT                     : symmetric (port)

    NAT Special Behaviour   : UPNP: No, PortPreserving: No

    Local Mapping           : 10.0.1.11:62599

    External NAT Mapping    : 68.216.10.57:5988

     

    -NETSH.EXE INTERFACE HTTPSTUNNEL SHOW INTERFACE

     

    Interface IPHTTPSInterface (Group Policy)  Parameters

    ------------------------------------------------------------

    Role                       : client

    URL                        : https://da.gsba.com:443/IPHTTPS

    Last Error Code            : 0x0

    Interface Status           : IPHTTPS interface active

     

    -NETSH.EXE NAMESPACE SHOW POLICY

     

    DNS Name Resolution Policy Table Settings


    Settings for evision.visionforpubliced.org

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              : 2002:44d8:a38::44d8:a38

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for nls.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for www.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for ica.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for mail.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for da.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for .gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    DNSSEC (IPsec)                          : disabled

    DirectAccess (DNS Servers)              : 2002:44d8:a38::44d8:a38

    DirectAccess (IPsec)                    : disabled

    DirectAccess (Proxy Settings)           : Bypass proxy

     

    -NETSH.EXE NAMESPACE SHOW EFFECTIVEPOLICY

     

    DNS Effective Name Resolution Policy Table Settings



    Settings for evision.visionforpubliced.org

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              : 2002:44d8:a38::44d8:a38

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for nls.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for www.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for ica.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for mail.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for da.gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              :

    DirectAccess (Proxy Settings)           : Bypass proxy




    Settings for .gsba.com

    ----------------------------------------------------------------------

    Certification authority                 : DC=com, DC=gsba, CN=gsba-FULTON-CA

    DNSSEC (Validation)                     : disabled

    IPsec settings                          : disabled

    DirectAccess (DNS Servers)              : 2002:44d8:a38::44d8:a38

    DirectAccess (Proxy Settings)           : Bypass proxy

     

     

    Monday, August 29, 2011 6:49 PM
  • Hi

     

    No information proves that it is a client-side issue. You can try with a non-SP1 client. If it does not work either, it is a server-side issue. It is a Windows 2008 R2 SP1 DA, so let's go with the following commands:

    -CERTUTIL -STORE MY

    -NETSH.EXE INTERFACE TEREDO SHOW STATE

    -NETSH.EXE INTERFACE HTTPSTUNNEL SHOW INTERFACE

    -NETSH.EXE IPSECDOSPROTECTION SHOW INTERFACES

    -NETSH.EXE IPSECDOSPROTECTION SHOW STATE

     

    I hope to find relevant information on server side.

     

     


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Monday, August 29, 2011 7:48 PM
  • Before testing, let me confirm the versions and what works and what doesn't.

     

    DAS is 2008 R2 - upgrading to SP1 breaks DA (with both clients pre and post Win7 SP1)

    Win 7 PRE SP1 works, Win 7 POST SP1 does not work. I'll grab some output from the server. However, it's currently NOT SP1 - I backed it down when it broke everything.

    Monday, August 29, 2011 7:52 PM
    I'm not aware of an SP1 issue that could affect both Windows 7 and Windows Server 2008 R2 for DirectAccess. Can you generate logs from Windows Network Diagnostics? There is a wizard to collect traces about DirectAccess problems from the client side. Hope the wizard could give us a first clue.

     


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Monday, August 29, 2011 8:09 PM
  • This is from the POST SP1 client box. A quick check showed my PRE and POST firewall settings are the same. The POST SP1 box is a clone VM of the PRE, and the client firewall is set by GPO. My understanding is the firewall has to be ON on the client to do IPSec tunneling, which it is. This is a real stumper...Thanks for taking a look.

     

    Windows Network Diagnostics

    Issues found
    Security or firewall settings might be blocking the connection
    Detected
    Security policy settings or firewall settings on this computer might be blocking the connection.
    Contact your network administrator
    Completed
    Your network security settings might need to be adjusted to allow Windows to connect.

    Detection details
    Diagnostics Information (Network Security)
    Details about network security diagnosis:
    Settings that might be blocking the connection:
    Provider name: Microsoft Corporation
    Provider description: Microsoft Windows Firewall Provider
    Filter name: Boot Time Filter
    Provider context name: -

    Network Diagnostics Log
    File Name: C9D71897-A7C5-4093-97B8-359EC477A5E0.Diagnose.0.etl
    Network Diagnostics Log
    File Name: 038466B6-62E3-4BEC-A947-6350387D5CBF.Diagnose.1.etl
    Other Networking Configuration and Logs
    File Name: NetworkConfiguration.cab

    Collection information
    Computer Name: LTAPL0093VM
    Windows Version: 6.1
    Architecture: x86
    Time: Tuesday, August 30, 2011 8:24:01 AM

    Publisher details
    Windows Network Diagnostics
    Detects problems with network connectivity.
    Package Version: 1.0
    Publisher: Microsoft Windows

    Tuesday, August 30, 2011 12:38 PM
  • Hi All,

     

    Any further ideas to try with this?

    Tuesday, September 6, 2011 12:26 PM
  • Based on the output of your client-side info from posts above, I would try re-issuing your machine certificate to the laptop. Try revoking and reissuing the certificate from your CA server for this client, and if that doesn't work you could also try manually clearing out the certificates that exist on the client and then requesting a new one. I think that the problem is certificate related because all of the other settings look good.
    Tuesday, September 6, 2011 12:38 PM
  • Jordan,

     

    Thanks for the suggestion. I revoked the certificate in my CA, and also went into the client certificate store and cleared active and archived personal certs, then requested new ones both through restarts and the request wizard, to no avail. Am I missing anything with your suggestion?


    • Edited by ds_clark Tuesday, September 6, 2011 2:12 PM
    Tuesday, September 6, 2011 2:12 PM
  • Sounds like you tried the right things. Could you post another "certutil -store my" from the client? Also, are you using the built-in Computer Template for these certificates or a customized template?

    Tuesday, September 6, 2011 2:25 PM
    Sure. I'm using the built-in template for machine certs. Comparing this output to my PRE-SP1 VM, everything is the same....

    What about IPv6 issue or something with DNS that may have changed?

    C:\Users\dclark.GSBA0>certutil -store my

    my

    ================ Certificate 0 ================

    Serial Number: 563930f30000000000d0

    Issuer: CN=gsba-FULTON-CA, DC=gsba, DC=com

     NotBefore: 9/6/2011 10:04 AM

     NotAfter: 9/5/2012 10:04 AM

    Subject: CN=LTAPL0119VM-SP1.gsba.com

    Certificate Template Name (Certificate Type): Machine

    Non-root Certificate

    Template: Machine, Computer

    Cert Hash(sha1): 42 94 cd 59 b5 47 52 ba 12 0a 48 26 f2 1f 37 cd a1 70 38 a5

      Key Container = 262205ce0100cb14895e427ca74cabc8_07d788cd-d2ff-45d7-964d-fb0f8

    aaea5e3

      Provider = Microsoft RSA SChannel Cryptographic Provider

    Encryption test FAILED

    CertUtil: -store command completed successfully.

     

    ****ALSO, here's netsh int teredo sh state

    C:\Users\dclark.GSBA0>netsh int teredo sh state

    Teredo Parameters

    ---------------------------------------------

    Type                    : client

    Server Name             : 68.216.10.55 (Group Policy)

    Client Refresh Interval : 30 seconds

    Client Port             : unspecified

    State                   : qualified

    Client Type             : teredo host-specific relay

    Network                 : unmanaged

    NAT                     : symmetric (port)

    NAT Special Behaviour   : UPNP: No, PortPreserving: No

    Local Mapping           : 10.0.1.5:61029

    External NAT Mapping    : 68.216.10.57:1507

    *********************

    C:\Users\dclark.GSBA0>netsh int httpstunnel sh int

     

    Interface IPHTTPSInterface (Group Policy)  Parameters

    ------------------------------------------------------------

    Role                       : client

    URL                        : https://da.gsba.com:443/IPHTTPS

    Last Error Code            : 0x0

    Interface Status           : IPHTTPS interface active

    Tuesday, September 6, 2011 5:14 PM
  • Your "transition tunnels" are establishing - in your case you are getting a Teredo and an IP-HTTPS tunnel, which isn't too uncommon (to have both). However, if DA is not working then you likely are not establishing the IPsec tunnels within those transition tunnels. IPsec problems are most commonly certificate related, thus my line of questioning.

    Check your Windows Security logs to see if you are getting anything logged in there about IPsec. That should clue you in to what is wrong. If you don't see anything listed, try running the following command on the client, then attempt to access internal resources (trying to force DA to connect), then check the logs again (this command turns on more advanced logging):

    auditpol.exe /set /SubCategory:"IPsec Main Mode","IPsec Extended Mode" /success:enable /failure:enable

    You can also check on the client to see whether or not you have any IPsec tunnels established by either looking at Main Mode or Quick Mode SAs inside Windows Firewall with Advanced Security, or by running the command "netsh advf monitor show mmsa" from a command prompt. I presume your pre-SP1 machine will show tunnels, and your post-SP1 machine will not.

    And...sorry to throw these ideas all out at once...you can also check the UAG Web Monitor's DirectAccess section to find out whether or not UAG thinks it's running in a healthy state on the server side. Each component of UAG will show up with a green check or a red X and this can also help determine where the problem lies.

    Tuesday, September 6, 2011 5:56 PM
  • Good find - after enabling more advanced logging, the culprit appeared. Not sure why the IKE creds are not acceptable. I did verify my CA is installed as a trusted root CA still, but my knowledge of IPsec is limited at best. I appreciate your time!
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          9/6/2011 2:12:29 PM
    Event ID:      4653
    Task Category: IPsec Main Mode
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      LTAPL0119VM-SP1.gsba.com
    Description:
    An IPsec main mode negotiation failed.
    Local Endpoint:
    Local Principal Name: -
    Network Address: 2002:44d8:a37:8100:ed22:756c:7552:22e4
    Keying Module Port: 500
    Remote Endpoint:
    Principal Name: -
    Network Address: 2002:44d8:a38::44d8:a38
    Keying Module Port: 500
    Additional Information:
    Keying Module Name: AuthIP
    Authentication Method: Unknown authentication
    Role: Initiator
    Impersonation State: Not enabled
    Main Mode Filter ID: 126942
    Failure Information:
    Failure Point: Local computer
    Failure Reason: IKE authentication credentials are unacceptable
    State: Sent second (KE) payload
    Initiator Cookie: 8f6429a7f43e1235
    Responder Cookie: a0e299b7b22af28e
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4653</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12547</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2011-09-06T18:12:29.249801600Z" />
        <EventRecordID>163732</EventRecordID>
        <Correlation />
        <Execution ProcessID="532" ThreadID="5040" />
        <Channel>Security</Channel>
        <Computer>LTAPL0119VM-SP1.gsba.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="LocalMMPrincipalName">-</Data>
        <Data Name="RemoteMMPrincipalName">-</Data>
        <Data Name="LocalAddress">2002:44d8:a37:8100:ed22:756c:7552:22e4</Data>
        <Data Name="LocalKeyModPort">500</Data>
        <Data Name="RemoteAddress">2002:44d8:a38::44d8:a38</Data>
        <Data Name="RemoteKeyModPort">500</Data>
        <Data Name="KeyModName">%%8223</Data>
        <Data Name="FailurePoint">%%8199</Data>
        <Data Name="FailureReason">IKE authentication credentials are unacceptable
    </Data>
        <Data Name="MMAuthMethod">%%8194</Data>
        <Data Name="State">%%8203</Data>
        <Data Name="Role">%%8205</Data>
        <Data Name="MMImpersonationState">%%8217</Data>
        <Data Name="MMFilterID">126942</Data>
        <Data Name="InitiatorCookie">8f6429a7f43e1235</Data>
        <Data Name="ResponderCookie">a0e299b7b22af28e</Data>
      </EventData>
    </Event>
    Tuesday, September 6, 2011 6:16 PM
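As an added example (not code from Jordan, ds_clark or anyone else in this thread): a PowerShell script for the procedure Jordan describes and the event ds_clark then found. It enables the IPsec audit subcategories with the same auditpol.exe call, reads the 4652/4653 main mode failure events back from the Security log, and groups them by remote endpoint and failure reason so that a repeated "IKE authentication credentials are unacceptable" against the DA server's address stands out, then counts current main mode SAs from `netsh advfirewall monitor show mmsa`. Function names are mine; the sample XML at the bottom is cut down from the 4653 event posted above so the parser can be exercised without an elevated prompt or a broken client.

```powershell
# Added example, not code from the thread. Run from an elevated prompt on the
# DirectAccess client (auditpol.exe and the Security log need it).
# Assumes Windows 7 / PowerShell 2.0 or later.

function Enable-IpsecAudit {
    # Same auditpol.exe call as in the thread, with Quick Mode added so that a
    # main mode success followed by a quick mode failure is visible too.
    & auditpol.exe /set /subcategory:"IPsec Main Mode","IPsec Extended Mode","IPsec Quick Mode" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol.exe failed with exit code $LASTEXITCODE (not elevated?)" }
}

function ConvertFrom-IpsecMainModeEvent {
    # Flatten one 4652/4653 record into the fields the thread keyed on.
    # Accepts an EventLogRecord from Get-WinEvent or a raw event XML string.
    param([Parameter(Mandatory=$true)] $Record)
    if ($Record -is [string]) { [xml]$x = $Record } else { [xml]$x = $Record.ToXml() }
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }
    New-Object PSObject -Property @{
        Time          = $x.Event.System.TimeCreated.SystemTime   # UTC, as written in the XML
        EventId       = [int]$x.Event.System.EventID
        LocalAddress  = $data['LocalAddress']
        RemoteAddress = $data['RemoteAddress']
        KeyingModule  = $data['KeyModName']   # '%%8223' is the message-table id that renders as 'AuthIP'
        FailureReason = ([string]$data['FailureReason']).Trim()
    }
}

function Get-IpsecMainModeFailure {
    # Most recent main mode failures (4652 and 4653 are both logged as
    # "An IPsec main mode negotiation failed"). Nothing is returned if none exist.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-IpsecMainModeEvent $_ }
}

function Show-IpsecFailureSummary {
    # One line per (remote endpoint, failure reason) pair, most frequent first.
    # A DA client that cannot authenticate shows the DA server's IPv6 address with
    # 'IKE authentication credentials are unacceptable' at the top of this list.
    Get-IpsecMainModeFailure | Group-Object RemoteAddress, FailureReason |
        Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
}

function Get-IpsecMainModeSaCount {
    # Established main mode SAs right now: the working pre-SP1 client should show
    # at least one to the DA server, the broken client none.
    $out = & netsh.exe advfirewall monitor show mmsa
    ($out | Where-Object { $_ -match '^\s*Remote IP Address' } | Measure-Object).Count
}

# Usage on the broken client, elevated:
#   Enable-IpsecAudit
#   ...then open an intranet share or URL to force DirectAccess to negotiate...
#   Show-IpsecFailureSummary
#   Get-IpsecMainModeSaCount

# Offline check of the parser against the 4653 event posted in the thread
# (XML trimmed to the elements this script reads); runs anywhere, no rights needed.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4653</EventID><TimeCreated SystemTime="2011-09-06T18:12:29.249801600Z" /></System>
  <EventData>
    <Data Name="LocalAddress">2002:44d8:a37:8100:ed22:756c:7552:22e4</Data>
    <Data Name="RemoteAddress">2002:44d8:a38::44d8:a38</Data>
    <Data Name="KeyModName">%%8223</Data>
    <Data Name="FailureReason">IKE authentication credentials are unacceptable
</Data>
  </EventData>
</Event>
'@
ConvertFrom-IpsecMainModeEvent $sample | Format-List
```

The remote endpoint in that event, 2002:44d8:a38::44d8:a38, is the same address the NRPT output earlier in the thread lists as the DirectAccess DNS server, so the client is reaching the DA server over the transition tunnel and failing at AuthIP authentication, not at transport.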
    What do you get when you run this command? If you have connectivity to your Domain Controllers you should see a list of them.

    nltest /dsgetdc: /force

    Do you have any GPOs that might configure the Windows firewall somehow? Perhaps that might be conflicting with the IPsec policy that the UAG GPO sets.

    Any chance you might have made changes to your HOSTS file?  This thread shows someone having problems after hard coding the IPv4 addresses of a Domain Controller in the HOSTS file and after removing that the "IKE authentication credentials are unacceptable" error was resolved.


    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    Wednesday, September 7, 2011 6:24 PM