Kerberos: not working properly after DirectAccess configuration wizard

  • Question

  • Hi,

    I've set up a test lab. At the end of the configuration wizard there is an error on the Kerberos status:

    The certificate binding for HTTPS Port 443 has changed. This certificate is used to authenticate remote clients with Kerberos. Without the correct certificate, authentication of remote clients connecting via DirectAccess will not work as expected.

    2. If you bind port 443 with another certificate for use with a different application, ensure that DirectAccess is configured to use the same certificate binding as that application.

    I would suspect the issue has something to do with my SSL being tied to my Exchange server that is on the same server.

    Does someone know how to fix this error?

    I am also getting an error: The IP-HTTPS listener is inactive and cannot accept connections from DirectAccess clients.

    Thanks in advance

    Thursday, May 29, 2014 1:17 AM

All replies

  • Are you trying to run DirectAccess on a server that is already hosting Exchange? This is not going to be supported, and will be difficult, maybe impossible, to get working. Both DirectAccess and Exchange make use of IIS for website bindings - they will conflict with each other.

    A DirectAccess server should be dedicated to DirectAccess, no other roles.

    Friday, May 30, 2014 1:27 PM
  • Yes they are both on the same server. This is not in a production environment. The error states that "If you bind port 443 with another certificate for use with a different application, ensure that DirectAccess is configured to use the same certificate binding as that application."

    How do I go about doing that?

    Friday, May 30, 2014 4:01 PM
  • If you are using a wildcard or SAN certificate that encompasses both names, the one used by Exchange and the one used by DirectAccess, you might be able to make the wizard happy. I'm not sure, I have never tried. I really think you should change course and set up DA on its own server. Even if you get it working, this is not going to be a good test bed because you will be far away from a standard configuration, and you won't be able to expect good results or a reliable testing platform.
    Friday, May 30, 2014 7:59 PM
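
A diagnostic for the situation discussed in this thread, added here as an example and not posted by any participant: it lists the certificate bound to port 443 in HTTP.sys, compares it with the certificate DirectAccess is configured to use, and reports which of the required host names the bound certificate does not cover. The host names are hypothetical placeholders, and the script assumes English `netsh` output and certificates in the LocalMachine\My store.

```powershell
# Hypothetical names for illustration: the DirectAccess and Exchange public host names.
$requiredNames = 'da.example.test', 'mail.example.test'

# List the certificate hash of every HTTP.sys binding on port 443.
# Assumes English netsh output labels.
function Get-Port443Binding {
    $endpoint = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $endpoint = $Matches[2]
        }
        elseif ($endpoint -like '*:443' -and
                $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            [pscustomobject]@{ Endpoint = $endpoint; Thumbprint = $Matches[1].ToUpper() }
        }
    }
}

# True when an exact name or a single-label wildcard in $CertNames covers $HostName.
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($name in $CertNames) {
        if (-not $name) { continue }
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.') -and $HostName.Contains('.')) {
            # "*.example.test" covers "da.example.test" but not "a.b.example.test".
            $suffix = $HostName.Substring($HostName.IndexOf('.'))
            if ($suffix -eq $name.Substring(1)) { return $true }
        }
    }
    return $false
}

# Certificate the DirectAccess configuration expects on the IP-HTTPS listener.
$daThumbprint = (Get-RemoteAccess).SslCertificate.Thumbprint

foreach ($binding in Get-Port443Binding) {
    # Assumption: the bound certificate lives in LocalMachine\My.
    $cert  = Get-Item "Cert:\LocalMachine\My\$($binding.Thumbprint)" -ErrorAction SilentlyContinue
    $names = if ($cert) { @($cert.DnsNameList | ForEach-Object { $_.Unicode }) } else { @() }
    $missing = @($requiredNames | Where-Object { -not (Test-NameCovered $_ $names) })
    [pscustomobject]@{
        Endpoint            = $binding.Endpoint
        Thumbprint          = $binding.Thumbprint
        MatchesDirectAccess = ($binding.Thumbprint -eq $daThumbprint)
        MissingNames        = $missing -join ', '
    }
}
```

A row with `MatchesDirectAccess` set to `False` corresponds to the "certificate binding for HTTPS Port 443 has changed" condition in the wizard's error, and a non-empty `MissingNames` shows the bound certificate is not the wildcard or SAN certificate the last reply describes.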