Direct Access Clients

    Question

  • Hello Team,

    We have almost 20k DirectAccess clients which are successfully running with SHA1 certificates. We have not started to build a new SHA2 CA machine till now, and we would not be able to issue SHA2 certificates to DirectAccess clients before Feb 14 2017. So can you please tell me what the impact would be? Will they be able to connect to the domain?

    Please advise

    Friday, December 16, 2016 3:01 PM

All replies

  • Hi,

    1. The DirectAccess server should have a server authentication certificate for TLS issued by a Certification Authority (CA) that is trusted by the DirectAccess clients. And the TLS server-authentication certificates will be invalid certificates in February 2017.

    What kind of certificate did you use?

    The self-signed TLS certificate and cross-chain TLS certificate will not be impacted in February 2017. Otherwise, I think it will fail to use DA.

    2. How can I determine how my environment will be impacted by the February 2017 TLS deprecation?

    By installing the latest November 2016 Windows Updates, including the November 2016 Preview of Monthly Quality Rollups for Windows 7/Windows 8.1, you can test how your site will be impacted by the February 2017 update. Please note that the Windows 7 and Windows 8.1 updates are currently offered as Optional Updates on Windows Update, and are expected to be promoted to Recommended Updates on December 13th, 2017. You can do this by running the following commands from an Administrator

    First, create a logging directory and grant universal access:

    set LogDir=C:\Log
    mkdir %LogDir%
    icacls %LogDir% /grant *S-1-15-2-1:(OI)(CI)(F) 
    icacls %LogDir% /grant *S-1-1-0:(OI)(CI)(F)
    icacls %LogDir% /grant *S-1-5-12:(OI)(CI)(F)
    icacls %LogDir% /setintegritylevel L

    Then enable certificate logging:
    Certutil -setreg chain\WeakSignatureLogDir %LogDir%
    Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80900008

    REF: Windows Enforcement of SHA1 Certificates

    http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx


    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, December 19, 2016 9:06 AM
    Moderator
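    To complement the certutil logging above, an administrator will usually also want a quick inventory of which certificates on a DirectAccess server or client are still SHA-1 signed, and which of those are self-signed roots (whose own signature is not checked and which the reply says are not affected). The following PowerShell script is an added example and not part of the original thread or of any Microsoft guidance; it assumes the standard LocalMachine certificate stores and uses only built-in cmdlets.

    ```powershell
    # Added example (not from the original thread): list certificates in the
    # local machine stores whose signature algorithm is SHA-1 based, so the
    # February 2017 SHA-1 deprecation impact can be assessed before it lands.
    # Run from an elevated PowerShell prompt on the DA server or a DA client.

    $stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'

    $inventory = foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store        = $store
                Subject      = $_.Subject
                Issuer       = $_.Issuer
                # FriendlyName is e.g. 'sha1RSA', 'sha256RSA', 'sha1ECDSA'
                SigAlgorithm = $_.SignatureAlgorithm.FriendlyName
                NotAfter     = $_.NotAfter
                # A self-signed certificate's own signature is not validated
                # by the chain engine, so it is not hit by the SHA-1 block.
                SelfSigned   = ($_.Subject -eq $_.Issuer)
                Thumbprint   = $_.Thumbprint
            }
        }
    }

    # Certificates whose signature (not key) uses SHA-1 and are NOT self-signed:
    # these are the ones a SHA-1 deprecation will affect.
    $atRisk = $inventory | Where-Object {
        $_.SigAlgorithm -match '^sha1' -and -not $_.SelfSigned
    }

    Write-Host "Certificates examined : $($inventory.Count)"
    Write-Host "SHA-1 signed, chained : $($atRisk.Count)"

    $atRisk | Sort-Object Store, NotAfter |
        Format-Table Store, Subject, Issuer, SigAlgorithm, NotAfter, Thumbprint -AutoSize

    # Optional: export the list for reporting. Path is an assumed placeholder.
    $atRisk | Export-Csv -Path 'C:\Log\sha1-certs.csv' -NoTypeInformation
    ```

    The script only reports; it changes nothing. Run it on the DA server to see whether the IP-HTTPS/TLS server certificate or any intermediate in its chain is SHA-1 signed, and on a representative client to see whether the issuing CA chain it trusts is affected. Pair it with the WeakSignatureLogDir output from the certutil commands, which records the chains that the updated chain engine actually rejects.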
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, don't hesitate to ask.


    Best Regards,
    Cartman

    Tuesday, December 27, 2016 6:46 AM
    Moderator