0x32 - IPHTTPS interface administratively disabled (DirectAccess on Windows Server 2012)

  • Question

  • Hi all,

    Please help me identify the root cause of this error message.

    Windows Server 2008 R2 - DC

    Windows Server 2012 - DirectAccess Server (Single Server)

    Windows 8 - DirectAccess Client

    All configuration is with green mark on DirectAccess Server but I receive this error on running netsh int httpstunnel show interfaces:

    ...

    Last Error Code: 0x32

    Interface Status: IPHTTPS interface administratively disabled

    Many thanks in advance.

    Monday, December 3, 2012 7:26 AM

All replies

  • The first thing I would do is to take a "clean" client computer that doesn't have any of your standard GPOs or policies applied to it, give it the DirectAccess settings and see if that behaves differently. If you use a standard set of security lockdown GPO settings or anything like that, there are many places where these GPOs that you have used for years without problems can cause trouble for DirectAccess and interfere with the settings that the DA GPOs are trying to put into place.
    Monday, December 3, 2012 3:35 PM
  • Hi

    Jordan is right. Check if you did not disable IPv6 locally in the network interface properties, in the registry or by group policies.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, December 3, 2012 8:15 PM
  • Hello all,

    It is a clean separated domain and VMs which were configured from scratch.

    So there shouldn't be any settings which disable ipv6 administratively.

    The question is in router which stays after my DA Server with public ipv4 address.

    Does it need support for ipv6?

    Thursday, December 6, 2012 8:00 AM
  • Hi

    Windows Server 2012 includes the NAT64/DNS64 feature, just like UAG 2010. This means you don't need IPv6 on your internal network. The only case where you need IPv6 is for remote management. Your helpdesk computer must be able to communicate in IPv6 with your DirectAccess client located on the Internet. In this scenario, we don't need an IPv6-capable router.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, December 6, 2012 8:54 AM
  • BenoitS, thanks for your note.

    That's why I am asking for this.

    I also know that there are included transition technologies, but where is that IPv6 administratively disabled, and why does DA care about it if it's only using IPv4?

    Thursday, December 6, 2012 9:26 AM
  • DA relies on IPv6 for client to DA server communication.

    Let's start with this KB http://support.microsoft.com/kb/929852/en-us. We must be sure that IPv6 is not disabled.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, December 6, 2012 9:42 AM
  • BenoitS,

    Thanks for your link.

    I've applied this fix for enabling IPv6 on my Windows Server 2008 DC, and after that Windows 8 still shows me that IPv6 is disabled, and netsh int httpstunnel show interfaces shows:

    ...

    Last Error Code: 0x32

    Interface Status: IPHTTPS interface administratively disabled

    Thursday, December 6, 2012 11:01 AM
  • This was not supposed to be applied on DC. This was designed to be applied on DirectAccess client or DirectAccess server. Your domain controller does not need IPv6.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, December 6, 2012 11:12 AM
  • I tried to apply it on DA.

    And it said that it's not applicable on it.

    My DA server is with Windows Server 2012, not Windows Server 2008, which this fix is designed for.

    Thursday, December 6, 2012 12:13 PM
  • OK,

    I did not realize that the Fix it was not available for Windows 8/Windows Server 2012. So what do you get with these PowerShell commands on your DA server:

    - Get-NetIPHttpsState

    - Get-NetIPHttpsConfiguration


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, December 6, 2012 12:25 PM
  • Here are results:

    Get-NetIPHttpsState

    LastErrorCode: 0x0

    InterfaceStatus: IPHTTPS interface active

    Get-NetIPHttpsConfiguration:

    PolicyStore: ActiveStore

    ConfigurationType: Local

    ProfileActivated:

    State: Enabled

    ServerURL: https://myexternalipv4ipsaddress/IPHTTPS

    Type: Server

    AuthMode:

    StrongCRLRequired:


    Thursday, December 6, 2012 12:43 PM
  • If that's the answer for your DA Server, it's operational. What is the result on client-side (Windows 8)?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, December 6, 2012 12:48 PM
  • Get-NetIPHttpsState returns nothing

    Get-NetIPHttpsConfiguration:

    PolicyStore: ActiveStore

    ConfigurationType: GroupPolicy

    Profile:

    ProfileActivated:

    State: Enabled

    ServerURL: https://myexternalipv4ipsaddress/IPHTTPS

    Type: Client

    AuthMode:

    StrongCRLRequired: False

    But DirectAccess "WorkPlace Connection" is showing "Connecting" status and in properties: IPv6 is disabled. Contact your admin for help.

    Thursday, December 6, 2012 1:35 PM
  • So it's a client-side problem. Are you sure that IPv6 was not disabled on your Windows 8 client? Out of the box it works.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, December 6, 2012 1:38 PM
  • BenoitS, thanks a lot for your help.

    It seems that Windows 8 was installed by upgrading Windows 7 which was in another domain with disabled ipv6 components for security reasons:

    set registry key SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\DisabledComponents=4294967295

    After changing this hive I get another error from the Windows 8 client:

    Get-NetIPHttpsState:

    LastErrorCode: 0x274c

    InterfaceStatus: Failed to connect to the IPHTTPS server: waiting to reconnect.

    Thursday, December 6, 2012 2:16 PM
  • A Windows 7 upgrade to Windows 8 is not considered a "clean" installation. If IPv6 was disabled before migration, it's still disabled after. Your last error code means that you cannot establish an IPHTTPS connection because the client cannot check the CRL for the IP-HTTPS certificate on your DA server. I suppose this certificate was delivered by an internal CA that does not have its CRL published on the Internet?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, December 6, 2012 2:21 PM
  • Sorry for my mistake about "clean" installation.

    How can I disable checking for CRL?

    Thursday, December 6, 2012 3:14 PM
  • Disabling CRL checking is not recommended for a production environment.

    From a technical point of view, it's an option in the Internet Explorer configuration panel. For me that's not an option because it disables CRL checking for all certificates. In a real deployment, you must have a certificate for which you must check the CRL.

    If you are in a test lab, just import your internal CRL on your client computer; this will be fine until this CRL expires.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, December 6, 2012 3:20 PM
  • I've installed CRLs from DC (Server 2008 R2) which is CA on Windows 8 from here:

    C:\Windows\System32\CertSrv\CertEnroll

    But the situation is the same.

    Friday, December 7, 2012 7:28 AM
  • Still the same results for Get-NetIPHttpsState and Get-NetIPHttpsConfiguration?

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, December 10, 2012 8:21 AM
  • Get-NetIPHttpsConfiguration is the same.

    But other one with another error code.

    Get-NetIPHttpsState:

    LastErrorCode: 0x2751

    InterfaceStatus: Failed to connect to the IPHTTPS server: waiting to reconnect.

    Thanks.

    Monday, December 10, 2012 9:10 AM
  • Hi

    We now have another problem. This error code means that the IPHTTPS server side is not reachable. You are in a single-interface DirectAccess scenario; this means that the problem might be located in the NAT translation between the Internet and your Windows Server 2012.

    - Are you sure you can reach the IPHTTPS URL from your client?

    - Are you sure you can reach the IPHTTPS URL from your NAT device?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, December 10, 2012 4:12 PM
  • Did you upgrade Windows 7 Ultimate/Enterprise to Windows 8 Professional? DirectAccess is only supported in Windows 8 Enterprise.

    Maybe you have an Enterprise edition, but I'll ask just to make sure. Please refer to the following overview for a full feature list per edition.

    Windows 8 editions
    http://en.wikipedia.org/wiki/Windows_8_editions


    Boudewijn Plomp, BPMi Infrastructure & Security

    Wednesday, December 12, 2012 6:15 PM
  • Good point, just type the following PowerShell V3 command: Get-WindowsEdition -Online


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Thursday, December 13, 2012 9:36 PM
  • I had a win 8.1 enterprise machine that had the same issue.  We had previously disabled ipv6 and were re-enabling to try out directaccess.

    I had no registry entry for HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\DisabledComponents

    Every post I read insisted this was the culprit so I created the entry and set it to 0.  Rebooted and direct access fired up no problems.


    • Edited by MattH83 Friday, September 19, 2014 7:52 PM
    Friday, September 19, 2014 7:50 PM
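
A read-only client-side check for the two things this thread ends up diagnosing, the `DisabledComponents` registry value and the IP-HTTPS interface state. It is an added example, not code from any of the posters. The function names are hypothetical, the bit meanings are those Microsoft documents for `DisabledComponents`, and the error-code table covers only the three codes quoted above.

```powershell
# Added example. Function names are hypothetical; the registry value and
# Get-NetIPHttpsState are the ones quoted in the thread.
function Get-Ipv6DisabledComponents {
    param([object]$Value)  # optional: decode this value instead of reading the registry
    if ($null -eq $Value) {
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
        $prop = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            return [pscustomobject]@{ Present = $false; Hex = $null; Effects = @() }
        }
        $Value = $prop.DisabledComponents
    }
    # A DWORD may surface as a negative Int32; normalise to 0..0xFFFFFFFF.
    $v = [int64]$Value -band 4294967295
    # Bit meanings as documented by Microsoft for DisabledComponents.
    $bits = @{
        0x01 = 'IPv6 disabled on all tunnel interfaces'
        0x02 = '6to4 disabled'
        0x04 = 'ISATAP disabled'
        0x08 = 'Teredo disabled'
        0x10 = 'IPv6 disabled on non-tunnel interfaces'
        0x20 = 'IPv4 preferred over IPv6'
    }
    $effects = @(foreach ($b in ($bits.Keys | Sort-Object)) {
        if ($v -band $b) { $bits[$b] }
    })
    [pscustomobject]@{ Present = $true; Hex = ('0x{0:X8}' -f $v); Effects = $effects }
}

function Get-IpHttpsErrorNote {
    param([Parameter(Mandatory)][int]$Code)
    # Win32/Winsock names for the three codes that appear in the thread.
    $known = @{
        0x32   = 'ERROR_NOT_SUPPORTED (seen in the thread while IPv6 was disabled on the client)'
        0x274C = 'WSAETIMEDOUT (connection attempt to the IP-HTTPS server timed out)'
        0x2751 = 'WSAEHOSTUNREACH (IP-HTTPS server not reachable; the thread points at NAT)'
    }
    if ($known.ContainsKey($Code)) { $known[$Code] } else { 'not covered by this example' }
}

$dc = Get-Ipv6DisabledComponents
if (-not $dc.Present) { 'DisabledComponents: not set' }
else { "DisabledComponents: $($dc.Hex)"; $dc.Effects | ForEach-Object { "  - $_" } }

if (Get-Command Get-NetIPHttpsState -ErrorAction SilentlyContinue) {
    $s = Get-NetIPHttpsState
    if ($s) { '{0} -> {1}' -f $s.InterfaceStatus, (Get-IpHttpsErrorNote -Code $s.LastErrorCode) }
    else    { 'Get-NetIPHttpsState returned nothing' }
}
```

Calling `Get-Ipv6DisabledComponents -Value 4294967295` decodes the value quoted in the thread without touching the registry; every listed bit is set, which covers both tunnel and non-tunnel IPv6.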