UAG DirectAccess new root CA cert and the "A client certificate was not provided" warning

  • Question

  • Hi everyone,

    We've implemented UAG DA, machine tunnel only, and we have several thousand remote clients that have been successfully using this tunnel.  We had a situation with our internal CA recently where we had to issue a new root cert (the new root cert points to the same internal CA as before).  It appears that both of our UAG DA servers have (automatically) received the new root cert, and they have also configured themselves with some cross-certs that chain to the correct root CA as well.  I installed UAG SP1 after it first came out, so I believe that these cert updates were able to automatically complete because of the TMG modifications that allow the RPC (DCOM) connectivity between the UAG servers and our internal CA (I have verified that these TMG modifications have been done on our UAG servers).  I also believe that all of our remote clients should be able to automatically renew their individual computer certs over DA because of the SP1 TMG modifications. 

    However, I am now seeing these "A client certificate was not provided" warnings, which I never used to see when we first rolled out UAG DA to the company.  In other threads I've seen the comment that "these are transient errors" and will not affect connectivity.  I have not yet been able to repro the warning with a test machine so I can't confirm that statement yet.  But what worries me is that these warnings apparently only started showing up after we issued a new root cert (even though it was from the same internal CA as before).  This makes me think that I may need to do some manual intervention to get the DA servers to recognize computer certs that are presented by remote clients who have received updated computer certs that are chained to the new root cert.  Is that correct?  Will I need to do anything through the DA wizard in order to make sure that the DA servers are using the correct root cert to validate the DA client computer certs? 

    Thanks!

    Wednesday, April 13, 2011 8:57 PM

Answers

  • Hi,

    If you renew your CA with a new Root certificate, you will need to be sure that all of your Clients are able to enroll a new certificate before you can switch UAG/DA to the new CA. That's the most important. Once you are sure of that point you will be able to change the CA in the UAG DirectAccess configuration wizard. New GPO will be applied to all DirectAccess clients and UAG DirectAccess servers.

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    • Marked as answer by Erez Benari Tuesday, May 10, 2011 12:14 AM
    Thursday, April 14, 2011 6:55 AM

All replies

  • Are you sure these didn't appear since applying SP1 as opposed to after the Root CA renewal?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, April 14, 2011 12:44 AM
    Moderator
  • Hi,

    Thank you for responding. 

    Yes, I'm 90% sure.  The messages may have started appearing several days (or even a couple of weeks) after the root cert renewal, as I don't know exactly when they started appearing; but I did some performance monitoring work on the DA servers about three weeks ago, and during that work I looked over the active client connections and didn't see that message at all. 

    Thursday, April 14, 2011 5:09 PM
  • Hi,

    Thank you for responding also. :-)

    To confirm, you're saying that I need to be sure that all of the clients are *able* to enroll a new cert?  Meaning that they can access our internal CA either while physically located in the office or through the DA connection?

    Thursday, April 14, 2011 5:10 PM
  • Hi,

    That's right. A simple test: try to perform a certificate renewal on a DirectAccess client.

    Best regards.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Thursday, April 14, 2011 6:18 PM
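One way to run the test suggested above on a DirectAccess client, as an added example that is not part of the thread: it lists the machine certificates issued by the internal CA, builds each one's chain, reports whether the chain ends at the new root, and then triggers machine autoenrollment so a renewal is attempted over the DA tunnel. `$NewRootThumbprint` and `$IssuerMatch` are placeholders to be replaced with your own CA's values.

```powershell
# Added example, not from the thread. Run elevated on a DirectAccess client.
# Placeholders: put the new root CA's thumbprint and your issuing CA's subject here.
$NewRootThumbprint = 'REPLACE_WITH_NEW_ROOT_CA_THUMBPRINT'
$IssuerMatch       = 'CN=REPLACE_WITH_INTERNAL_CA_NAME'

function Get-DaClientCertStatus {
    # Machine certs with a private key that were issued by the internal CA
    $clientCerts = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" }

    foreach ($cert in $clientCerts) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Chain construction only; CRL reachability over DA is a separate test
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $builds = $chain.Build($cert)
        $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            ChainBuilds = $builds
            RootSubject = $root.Subject
            OnNewRoot   = ($root.Thumbprint -eq $NewRootThumbprint)
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
    }
}

Write-Host 'Before renewal attempt:'
Get-DaClientCertStatus | Format-Table -AutoSize

# Ask the client to run machine autoenrollment now instead of waiting for the
# scheduled timer; over a working DA tunnel this reaches the internal CA.
certutil -pulse
Start-Sleep -Seconds 30

Write-Host 'After renewal attempt:'
Get-DaClientCertStatus | Format-Table -AutoSize
```

A client that still shows `OnNewRoot = False` after the pulse has not renewed, so run it while connected through DA and again while on the office network to see which path is failing.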
  • Cool, thanks!  I'll give that a try.
    Friday, April 15, 2011 6:33 PM