DirectAccess with OTP 2012R2 WIN10 Client not asking for OTP Credentials

  • Question

  • Hey,

    I have a DA Server 2012R2 (2 NICs, DMZ+LAN, one public IP) with WIN10 clients and all is going ok. Now I have configured OTP auth for it. All is green in the DA server. The GPO is updated on the clients, but the clients connect directly to DA without asking for OTP credentials. Can somebody help me?

    Regards Florian

    Wednesday, February 17, 2016 7:10 PM

All replies

  • Hi,

    - First point: Are you sure your client has its configuration updated?

    - Second: OTP only applies to internal destinations not covered by the infrastructure tunnel. So testing with a domain controller is useless.

    - Third: Are you sure your DA server has the signing certificate?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Saturday, February 20, 2016 2:49 PM
  • Hi,

    Thanks for your reply. Sorry for my late answer (holidays).

    --> 1. Yes, I'm sure! gpupdate /force succeeded.

    --> 2. I have an internal OTP server and it worked!

    --> 3. I have a self-signed cert, but it's all on the DA server too, yes.

    But why can users have access when my server settings are configured for OTP?


    Monday, February 29, 2016 2:54 PM
  • Hi,

    So let's see that from another point of view. On the ADCS side, your DA gateway must have provisioned a signing certificate. Do you see it in processed requests and not in failed requests? Same for the certificate for DirectAccess clients: do you see delivered certificates or failed requests?

    OTP is required only when we need to open the user tunnel (using Kerberos). That's why we don't see the OTP prompt just after logon, unless you have a logon script that tries to access a resource not covered by the infrastructure tunnel.

    On the client side, you can enable the OTPCredentialProvider/Operational event log to trace the OTP process.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, February 29, 2016 7:48 PM
  • Hi,

    Can you tell me how I can enable or find these logs in my environment on 2012 R2 and Windows 10? I saw your blog, but that was only with Win 7...


    Monday, February 29, 2016 9:52 PM
  • Hi, on Windows 10 it's located here: Applications and Services Logs\Microsoft\Windows\OtpCredentialProvider\Operational.

    The log is not enabled by default, even if OTP is enabled.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, March 1, 2016 8:48 AM
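    As an added example (not from the thread or from BenoitS's blog), the following PowerShell enables the client-side log named above and extracts the user, serverAddress and errorCode fields from the OTP events, so that error events such as 10005 and success events such as 10022 (both quoted further down the thread) can be read without opening Event Viewer. It assumes an elevated PowerShell session on the Windows 10 DirectAccess client and that the Data fields sit under EventData, as Windows event XML normally places them.

```powershell
# Added example: enable and read the OtpCredentialProvider operational log on a
# Windows 10 DirectAccess client. Run elevated; the log is off by default.
$LogName = 'Microsoft-Windows-OtpCredentialProvider/Operational'

# Turn the log on (wevtutil "set-log" with enabled=true).
wevtutil sl $LogName /e:true

# Collect OTP events from the last 7 days. In this thread, 10005 was an OTP
# authentication error and 10022 an OTP success; all IDs are kept so nothing is hidden.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = (Get-Date).AddDays(-7) } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    # Assumption: EventData/Data elements carry the fields seen in the posted event
    # (user, serverAddress, errorCode).
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        Id            = $e.Id
        Level         = $e.LevelDisplayName
        User          = $data['user']
        ServerAddress = $data['serverAddress']
        # errorCode is logged as bare hex (e.g. 80040001); prefix it for readability.
        ErrorCode     = if ($data['errorCode']) { '0x' + $data['errorCode'] } else { '' }
    }
}
```

    An errorCode on a 10005 event with no matching failed request on the ADCS side is the pattern BenoitS asks about later in the thread, so the two logs are best compared by timestamp.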
  • OK.. I have enabled it, but no logs are going in there. The cert from the DA server is renewing fine. I think the clients could not get a cert from the CA, because I don't see any cert in the local computer store. I have created the templates right, I think...
    Tuesday, March 1, 2016 10:15 AM
  • Hi,

    You will not be able to see any certificate on the client side. Your client will only request a certificate if it needs to establish the user IPsec tunnel. If you do not see any OTP prompt, no certificate is requested from ADCS.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, March 1, 2016 3:46 PM
  • Hi, ok, then no cert is requested, but why does the connection work fine? No error on server or client. If I could see anything, that would help.. but everything seems ok....
    Tuesday, March 1, 2016 8:30 PM
  • Hi,

    The cert is requested only if needed, so just after OTP validation. If you just try to access domain controllers, you are using the infrastructure tunnel, so there is no need for OTP.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, March 1, 2016 9:40 PM
  • Hey.. now I have the credential dialogue!! Thanks for your help! But now the following comes up when I type any OTP number: 0x800400001. I have found your blog post with this error for Win8. Is there any problem with Windows 10?
    Wednesday, March 2, 2016 5:14 PM
  • OK, so can you provide me the events in Applications and Services Logs\Microsoft\Windows\OtpCredentialProvider\Operational, to see if I can understand.

    Next, do you see a certificate request failure in ADCS at the moment you try to authenticate with OTP? If yes, it's a certificate template problem.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, March 2, 2016 9:41 PM
  • Protokollname: Microsoft-Windows-OtpCredentialProvider/Operational
    Quelle:        Microsoft-Windows-OtpCredentialProviderEvt
    Datum:         02.03.2016 20:49:23
    Ereignis-ID:   10005
    Ebene:         Fehler
    Benutzer:      SYSTEM
    Computer:      xxxxxxxxxxxxx
    OTP-Authentifizierung auf RAS-Server "xx.xx.de" für Benutzer "domain/user"

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
        <Provider Name="Microsoft-Windows-OtpCredentialProviderEvt" Guid="{5CAD485A-210F-4C16-80C5-F892DE74E28D}" />
        <TimeCreated SystemTime="2016-03-02T19:49:23.609401700Z" />
        <Correlation />
        <Execution ProcessID="5464" ThreadID="1104" />
        <Security UserID="S-1-5-18" />
        <Data Name="user">############</Data>
        <Data Name="serverAddress">x.x.de</Data>
        <Data Name="errorCode">80040001</Data>
    Thursday, March 3, 2016 5:45 PM
  • I don't see any cert request in the CA... Just Schannel failures on the DA server, 36888 and 36874: Eine TLS 1.2-Verbindungsanforderung wurde von einer Remoteclientanwendung übermittelt, jedoch werden keine der Verschlüsselungssammlungen, die von der Clientanwendung unterstützt werden, vom Server unterstützt. Fehler bei der SSL-Verbindungsanforderung.

    Sorry for the German. Translation (36874): A TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

    Thursday, March 3, 2016 5:48 PM
  • Hi

    S-1-5-18 is Local System. I think your DirectAccess client is not able to submit the certificate request and have it signed because OTP is validated. You should have a certificate request failure on ADCS.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, March 3, 2016 6:26 PM
  • What do you have in the ADCS event log when you see the failure on your DirectAccess client?

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, March 3, 2016 6:27 PM
  • So.. I have renewed the IP-HTTPS cert and now I have a success on the client: 10022 OTP success. Then the client says "connecting to service" and asks me again for the credentials... that's crazy... In the ADCS log I have one entry, but from a while ago: Von Active Directory-Zertifikatdienste konnte nicht der Standardanbieter für Verschlüsselungsschlüssel verwendet werden. Der Schlüsselsatz ist nicht vorhanden. 0x80090016 (-2146893802 NTE_BAD_KEYSET)

    Translation: Active Directory Certificate Services could not use the default provider for encryption keys. The key set does not exist. 0x80090016 (-2146893802 NTE_BAD_KEYSET)

    ID 87

    Any idea?

    Thursday, March 3, 2016 7:52 PM