Configuration.exe crashes during DirectAccess configuration


  • I currently have a working DirectAccess single server UAG deployment (using a trunk as well). It is working fine and I have updated the deployment to Update roll-up 1.

    I am due to demo to a client DirectAccess with UAG and they are also interested in using NAP. So I have built and deployed a NAP server, but now every time I try to change any of the settings in UAG for the "DirectAccess Server" component the console hangs (50% CPU) and I have to kill configuration.exe .... I get this no matter what I edit on the last stage of that screen (i.e. smart card auth, certificates etc... it literally hangs the second I click anything!).

    I have tried running a procmon trace but without much insight, I've also made sure I disabled any Anti-Virus on the server.

    Anyone have any ideas?


    Edit: I should say the server has 5GB RAM, dual CPU & is only installed for UAG. It is currently supporting ~5 users in a controlled trial

    • Edited by Bibbleq Wednesday, June 2, 2010 7:51 AM server specs added
    • Changed type Bibbleq Wednesday, June 2, 2010 11:54 AM question is no longer relevant. issue went away after re-install however this is not a valid solution
    Wednesday, June 2, 2010 7:49 AM

All replies

  • After uninstalling everything and starting from scratch I can now get to the relevant configuration section. I still need to work out the right way of implementing NAP but that's another story!


    Wednesday, June 2, 2010 11:53 AM
  • Hi Bibbleq,

    What issues are you having with the NAP configuration? Are you wondering about how to configure UAG support for NAP, or working on putting together the back-end NAP infrastructure?



    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, June 2, 2010 1:55 PM
  • Hi Bibbleq,

    Did you happen to select an Intermediate certificate authority on this page?

    To workaround this, you must wipe the UAG configuration:

    C:\Program Files\Microsoft Forefront Unified Access Gateway\utils\ConfigMgr>configmgrutil -del -

    Wednesday, June 2, 2010 2:52 PM
  • Hey Yaniv

    Yes that's exactly what it was, I've just reproduced it again...


    I have got NAP setup and working except I can't enforce it (so it seems a bit pointless!). Is there a way to successfully use an intermediate CA on this screen?



    Wednesday, June 2, 2010 4:28 PM
  • Hi again,

    Both are known issues. There is currently no way of using an Intermediate certificate authority for IPsec.

    If you're just trying to enforce NAP then you don't have to select the NAP certificate authority for IPsec. It will work fine as well if you simply select the root certificate authority.

    The NAP enforcement has this "small" issue in RTM... It is fixed in UP1 though and health is enforced correctly in that version.

    Wednesday, June 2, 2010 4:32 PM
  • OK Great thanks for the quick reply, but can I just clarify the following:


    1: I can still validate health certificates issued by the intermediate CA if I have UAG set to validate the root

    2: I have to manually enforce validation on the intranet tunnel using the commands here: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/e7a562d6-052a-4273-8ae9-14da89025124


    It's interesting the intermediate CA is a known issue, I've searched high and low but can't find much about it. Is there a KB somewhere?


    Thanks again!


    Wednesday, June 2, 2010 4:43 PM
  • 1) Yes, health validation is done using the type of the certificate (Health EKU), and specifying the exact NAP intermediate certificate authority is not required.

    2) That's right, the command in that thread can fix the IPsec settings on the server to enforce the health validation. Although it is still recommended you install UAG Update 1.

    Regarding the intermediate CA issue. We just discovered it a few weeks ago, so it isn't a publicly known issue, but it's known to some people :)



    Wednesday, June 2, 2010 4:56 PM
  • :)


    Just got it all to play nicely! thanks for the help.



    Wednesday, June 2, 2010 4:57 PM
  • I am having the same issue with the wizard freezing on the Certificates portion. I have been working with some engineers and people on the Microsoft dev team to troubleshoot the issue on and off for nearly 2 weeks now. No resolution, but I can confirm that it is known, however not very publicly known ;]

    It's a good thing my configuration works and I just stumbled over the fluke when I was trying to re-confirm my settings.

    MrShannon | TechNuggets Blog | Concurrency Blogs
    Wednesday, June 2, 2010 9:22 PM
  • Ah, thanks - the crashes in the CA page have been driving us crazy. Looking forward to UP1 to get out of this problem.

    Sincerely, Jon E. Carlsen
    Thursday, June 3, 2010 12:50 PM
  • Hey guys,

    Thanks for working through this!

    Provided great information for a blog post, so consider the CA issue and NAP sort of documented ;)



    MS ISDUA/UAG DA Anywhere Access Team
    Thursday, June 3, 2010 1:45 PM
  • Hi,

    Sorry guys, but the Intermediate CA hang will only be fixed in SP1. UP1 was already released.

    If there is a strong need for selection of intermediate CAs in the community then we might consider a hotfix.

    Thursday, June 3, 2010 7:50 PM
  • Are there any time scales for SP1 at the moment?


    I'd say the need to be able to select an intermediate CA is secondary to people who already selected one & need to re-configure. My scenario was as follows:

    • Installed UAG
    • Configured DA
    • Used intermediate CA as that's what I had!
    • Tested DA
    • It worked so went on to configure trunks
    • Running trunks for internal services
    • A month later needed to enforce NAP for DA
    • Went back to alter DA configuration and was no longer able to (due to crash)

    In this scenario I had to remove & reinstall UAG (I didn't know about the wipe commands at the time). This now means I have a functioning DA install but will have to spend a long time re-creating my trunks (unless you can do selective restores from config backups? - an idea for future possibly?)

    If there was a hotfix then I could just install that and carry on configuring rather than having to "start from scratch". I'd rate this as a fairly major problem as people could have spent a long time configuring trunks etc... only to have to wipe and re-start it all.



    Friday, June 4, 2010 6:23 AM
  • In my case I am fairly positive I actually had it configured with a Root CA the first time through. The second time I went through the wizard to satisfy my curiosity I was unable to get past that Certificate page because the Next (or Finish) button was disabled...until I selected an Intermediate cert. I thought maybe that was the solution to my problem of-the-moment so I completed the wizard. After that, any time I return to the wizard it locks on the cert page and spikes my server's CPU at 99% until I kill Configuration.exe.

    So IMO there is just something wrong with that part of the wizard.

    MrShannon | TechNuggets Blog | Concurrency Blogs
    Saturday, June 5, 2010 2:22 AM
  • Hi MrShannon,

    Your page didn't freeze completely. It was temporarily locked due to a validation that takes a lot of time, and it simply unlocks once that validation is completed. (I believe this should also be fixed in SP1)

    Bibbleq's problem was different as the page was stuck forever and nothing you could do would un-freeze it.

    Bibbleq, can you please specify why selecting the root certificate wouldn't do in your case? Does your organization use a certificate authority that is subordinate to a 3rd party root CA? I'm just trying to understand the scenario, so I can justify this hotfix.




    Sunday, June 6, 2010 4:23 PM
  • I've left that wizard sit, locked, for well over an hour. The UI indicates "Unresponsive" and the CPU stays pegged the whole time. I don't claim to be a patient man, but I would not categorize that as "temporarily locked," especially since I have not yet seen it recover from this state.
    MrShannon | TechNuggets Blog | Concurrency Blogs
    Monday, June 7, 2010 11:32 AM
  • Hi Yaniv. I also suffered the "subordinate CA" effect. The matter is my customer has an internal PKI with an offline RootCA and a subordinate issuing one. First time I ran the wizard I selected the subordinate. Then, we needed to make some changes and when running the wizard again the configuration console completely died (once and again). After all kinds of testing I could recover a backup before DA was configured and I could make the changes. I noticed that in the GPO settings there was no mention of the subordinate CA but only of the Root CA. You mention to wipe the configuration. This means deleting the whole configuration, not only the one related to DA, isn't it? Our deployment is comprised of several trunks as well as DA. Is there a way to restore trunks configuration separately from DA?

    Thanks a lot

    // Raúl - I love this game
    Monday, June 7, 2010 12:22 PM
  • Do you have a live repro of this problem?

    If so, can you take a dump of the process (Configuration.exe) and send it to me: yanivn@microsoft.com


    Monday, June 7, 2010 12:23 PM
  • Hi Yaniv. I will be glad to do it.

    Thanks again

    // Raúl - I love this game
    Monday, June 7, 2010 1:11 PM
  • Hi RMoros,

    Sorry, but I actually meant that for MrShannon, who is experiencing this hang with the selection of a root CA.

    The issue you're experiencing with intermediate certificates is well known and it should be fixed, no process dump is required.

    Yes, clearing the configuration will also clear the UAG trunks. I don't really know how you can clear the DA configuration while maintaining the Secure Application Publishing one.

    You can try the following workaround:

    • Go to MMC and open the Certificates snap in
    • Select "Computer account" and "local computer"
    • In the navigation tree, open "Intermediate Certificate Authorities\Certificates"
    • Export the certificate you selected in UAG DA to a file (for backup)
    • Now delete it from MMC.

    Try to open the certificates page in UAG DA now. Maybe it will tell you the certificate is missing and let you choose a different one.



    Monday, June 7, 2010 3:39 PM
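    As an added example (not from the thread, and not UAG's own tooling): the MMC workaround above scripted in PowerShell, with the export-before-delete ordering enforced so the certificate can always be put back. The thumbprint and backup folder are placeholders you must fill in; the script uses the .NET X509Store API rather than the newer Export-Certificate cmdlet so it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example (not from the thread): back up the intermediate CA certificate
# selected in the UAG DirectAccess wizard, then remove it from the local
# machine's "Intermediate Certification Authorities" store, mirroring the
# MMC steps in the post above. Run from an elevated prompt on the UAG server.

# ASSUMPTIONS (replace before use): thumbprint of the certificate chosen in
# the wizard, and a folder that will receive the backup copy.
$Thumbprint = 'REPLACE_WITH_INTERMEDIATE_CA_THUMBPRINT'
$BackupDir  = 'C:\UAG-CertBackup'

$x509 = 'System.Security.Cryptography.X509Certificates'
# Store name "CA" is what MMC shows as "Intermediate Certification Authorities".
$storeName = [System.Enum]::Parse("$x509.StoreName", 'CertificateAuthority')
$location  = [System.Enum]::Parse("$x509.StoreLocation", 'LocalMachine')
$store = New-Object "$x509.X509Store" ($storeName, $location)
$store.Open([System.Enum]::Parse("$x509.OpenFlags", 'ReadWrite'))

try {
    # Match on thumbprint only, ignoring the spaces MMC inserts when copying it.
    $findType = [System.Enum]::Parse("$x509.X509FindType", 'FindByThumbprint')
    $found = $store.Certificates.Find($findType, $Thumbprint.Replace(' ', ''), $false)

    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate with thumbprint $Thumbprint in LocalMachine\CA, found $($found.Count)."
    }
    $cert = $found[0]
    Write-Host ("Found: {0} (expires {1})" -f $cert.Subject, $cert.NotAfter)

    # Step 1: export the public certificate (DER .cer) before touching the store,
    # so it can be re-imported with 'certutil -addstore CA <file>' if needed.
    if (-not (Test-Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $file = Join-Path $BackupDir ("{0}.cer" -f $cert.Thumbprint)
    $der  = $cert.Export([System.Enum]::Parse("$x509.X509ContentType", 'Cert'))
    [System.IO.File]::WriteAllBytes($file, $der)

    # Step 2: prove the backup round-trips before deleting anything.
    $check = New-Object "$x509.X509Certificate2" ($file)
    if ($check.Thumbprint -ne $cert.Thumbprint) {
        throw "Backup at $file does not match the store copy; aborting removal."
    }
    Write-Host "Backup written to $file"

    # Step 3: remove the certificate from the Intermediate CA store.
    $store.Remove($cert)
    Write-Host "Removed $($cert.Thumbprint) from LocalMachine\CA."
    Write-Host "Restart UAG Management and reopen the DirectAccess certificates page."
}
finally {
    $store.Close()
}
```

    The script deliberately refuses to delete when the thumbprint matches zero or several certificates, and only removes the store entry after the exported file has been re-read and compared, so the worst case is a spare .cer on disk rather than a missing CA certificate.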
  • Oooops. Sorry for the intrusion.

    I already tried what you suggest but it didn't work


    // Raúl - I love this game
    Monday, June 7, 2010 4:24 PM
  • Try also deleting the root CA from "Trusted Root Certification Authorities", and restart UAG Management

    Monday, June 7, 2010 7:10 PM
  • If so, can you take a dump of the process (Configuration.exe) and send it to me: yanivn@microsoft.com

    Are you sure you want it via email? Even zipped it's about 100MB.
    MrShannon | TechNuggets Blog | Concurrency Blogs
    Monday, June 7, 2010 7:41 PM
  • Hello Yaniv,

    I personally don't have an issue with using a root CA for the clients, but I do have several customers who would not accept this as a valid solution. They have multi-tier CA hierarchies for a reason so that they can separate out contractors & staff etc...


    For me the biggest justification would be in lost effort in having to roll back the config. I lost all my trunks and portals that I had configured as I only re-visited my DA components after configuring all the trunks.

    Thanks for the help anyway - i appreciate the effort!


    Friday, June 11, 2010 3:39 PM
  • MrShannon, I'm pretty sure I don't want it via email :) If you are willing to upload 100MB, then maybe we can use SkyDrive to share this file?

    Bibbleq, you are totally right. I will take this discussion internally.

    Sunday, June 13, 2010 3:42 PM
  • I'll have to cut the zip files up into a couple parts since there is a 50MB limit on SkyDrive. I have sent them to another Microsoft rep but I haven't heard from him on it yet.
    MrShannon | TechNuggets Blog | Concurrency Blogs
    Sunday, June 13, 2010 6:28 PM