DirectAccess SSL certificate renewal assistance

  • Question

  • I've recently inherited a DirectAccess implementation in a new site that I have no idea about, other than the ssl certificate is going to expire in a few weeks.

    I am working on getting a certificate renewal from the authority (Comodo) however I have absolutely no idea what I am supposed to do with the new cert. Could anyone give some advice on where/how do I apply the renewed cert?

    I've never worked with DA before, so no idea about best practice, how to setup or anything, so a few pointers on where to go and what to click would be really helpful!

    Do I need to do anything on the clients/GPOs?

    Thanks!


    Sunday, July 24, 2016 4:01 PM

All replies

  • Hi,

    You just need to install the new certificate in the server's Personal store, then replace the old certificate with the new certificate in the Remote Access Setup console (Step 2 -> Network Adapters).
    There's nothing to do for the clients because they will just connect as usual, then check if the new certificate is valid.

    Gerald 

    Monday, July 25, 2016 9:04 AM
  • Is this something I could do remotely via DirectAccess or would the connection be severed as soon as I replaced the cert?

    Also, when renewing the cert, is there any way for me to check all of the details of the current cert to ensure they match?

    Monday, July 25, 2016 10:38 AM
  • I never tried to replace the public certificate remotely ^^

    I suggest you do that outside working hours to mitigate the problems if you can't be onsite or use another way to connect to your console.

    For the certificate, you can check all the details when opening it from the Certificates console.
    (Start mmc.exe -> Add Certificates Snap-In for Computer Account then open the Personal folder to check your certificate)

    The important thing for this certificate is that its subject MUST match the Internet name used by your clients to connect to DirectAccess.

    Gerald

    Monday, July 25, 2016 11:56 AM
  • I've just fired up step 2 in the DirectAccess setup and I have an error stating:

    "Internal adapter Internal does not have a domain profile"

    This error is stopping me clicking next in the wizard, preventing me from applying the new certificate...

    Please could you advise?

    Thanks,

    Craig

    Monday, July 25, 2016 1:04 PM
  • Your server can't communicate correctly with your domain through the Internal adapter.
    So the applied network profile is set to Public or Private, which is not good for DirectAccess.

    Settings should be:

    IPv4 address that can communicate with your Active Directory and only your internal DNS (No gateway)
    You should also have a static route configured to forward the requests from the Internal NIC to your local IP network.

    Gerald

    Monday, July 25, 2016 1:43 PM
  • Hi Gerald,

    This DirectAccess implementation is something I have inherited, therefore I do not know anything about the configuration.

    It has been working for a few years now, so I am reluctant to change anything when it is working...

    What exact changes do I need to make to bypass this error, without breaking anything?

    Monday, July 25, 2016 1:54 PM
  • Last time I got this problem, a reboot fixed it so maybe you can try that.

    Fixing a wrong NIC network profile requires at least disabling it and then enabling it again to see if NLA is working correctly.

    Gerald

    Monday, July 25, 2016 2:11 PM
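The two checks discussed in this thread (does the renewed certificate match the name clients connect to, and is the Internal adapter on the domain profile) can be scripted before touching the wizard. This is an added example, not code from the thread or from Microsoft; it assumes it runs elevated on the DirectAccess server with the RemoteAccess module available, that the internal NIC is named "Internal" as in Craig's error, and that `$NewThumbprint` is replaced with the renewed certificate's thumbprint (placeholder below).

```powershell
# Added example (not from the thread). Assumptions: run elevated on the DirectAccess
# server, RemoteAccess module present, internal NIC alias "Internal", and the
# placeholder thumbprint below replaced with the renewed certificate's thumbprint.
$NewThumbprint = 'REPLACE-WITH-NEW-CERT-THUMBPRINT'   # placeholder, not a real value
$MinDaysLeft   = 30

# 1. The public name clients use; the new certificate must cover exactly this name.
$da         = Get-RemoteAccess
$publicName = $da.ConnectToAddress
"Clients connect to : $publicName"
"Current IP-HTTPS cert: $($da.SslCertificate.Subject) (expires $($da.SslCertificate.NotAfter))"

# 2. Inspect the renewed certificate in the computer's Personal store (Cert:\LocalMachine\My).
$new = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $NewThumbprint
if (-not $new) { throw "Renewed certificate $NewThumbprint not found in LocalMachine\My" }

$sanNames   = @($new.DnsNameList | ForEach-Object Unicode)       # SAN DNS entries (or CN)
$cnMatches  = $new.Subject -match "CN=$([regex]::Escape($publicName))(,|$)"
$chain      = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk    = $chain.Build($new)                                  # full chain to a trusted root
$serverAuth = $new.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'

$checks = [ordered]@{
    'Subject/SAN covers public name' = ($cnMatches -or ($sanNames -contains $publicName))
    'Private key present'            = $new.HasPrivateKey
    'Server Authentication EKU'      = $serverAuth
    'Chain builds to trusted root'   = $chainOk
    "Valid for > $MinDaysLeft days"   = ($new.NotAfter -gt (Get-Date).AddDays($MinDaysLeft))
}

# 3. The Internal adapter must sit on the domain profile, or Step 2 fails as in the thread.
$profile = Get-NetConnectionProfile -InterfaceAlias 'Internal' -ErrorAction SilentlyContinue
$checks['Internal NIC on domain profile'] = ($profile.NetworkCategory -eq 'DomainAuthenticated')

$checks.GetEnumerator() | ForEach-Object {
    "{0,-34} {1}" -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

# 4. Only when every check passes, bind the new certificate. This is the cmdlet
# equivalent of Step 2 -> Network Adapters in the console; set $Apply to $true to run it.
$Apply = $false
if ($Apply -and -not ($checks.Values -contains $false)) {
    Set-RemoteAccess -SslCertificate $new
    "IP-HTTPS certificate replaced with $($new.Thumbprint)"
}
```

If the adapter check reports FAIL, the NLA fix Gerald describes (disable and re-enable the Internal NIC, or reboot) is what to try before re-running the script.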