DirectAccess - Clients can PING DC, see SYSVOL, but nothing else

  • Question

  • Hi there,

    I have implemented a Windows 2012R2 DirectAccess with IP-HTTPS only. The clients can connect and I can ping the DCs with an IPv6 response. I can also browse the SYSVOL and NETLOGON shares, no problem.

    The problem I am having is that this is where access stops - I cannot browse to any internal web servers (i.e. OWA) or other DFS shares at all.

    Anyone seen this before? I have checked all the firewall logs and I cannot see why I can't browse the LAN resources...

    Any help/pointers would be appreciated!

    Saturday, December 13, 2014 12:16 PM

Answers

  • OK, for anyone out there, some more info:

    DirectAccess and SHA512 are not friends out of the box, you will need to install the following:

    https://support.microsoft.com/kb/2973337

    After you install it, your client might get connection error 0x103.

    Run NETSH HTTP SHOW SSLCERT

    If you get DS MAPPER Usage  : Disabled ...

    Go to here to bind the certificate.... You will now be able to see everything on your network via SHA512!!!

    Note that I am also using forced tunneling, so all traffic is encrypted. Works a treat!


    • Marked as answer by Amathus Tuesday, December 16, 2014 10:16 AM
    Tuesday, December 16, 2014 10:15 AM
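    The accepted answer boils down to one check on the DirectAccess server: run `netsh http show sslcert`, find the IP-HTTPS binding, and see whether "DS Mapper Usage" is Disabled. The PowerShell below is an added example (not code from the thread or from Microsoft) that automates that check: it parses the `netsh` output into objects, looks up each bound certificate in the LocalMachine\My store to report its signature algorithm (so a SHA512-signed cert is visible at a glance), and prints, without running it, the `netsh http delete sslcert` / `netsh http add sslcert ... dsmapperusage=enable` pair that would re-bind with the DS Mapper enabled. It assumes an elevated session on the DirectAccess server, that IP-HTTPS listens on port 443, and that only IP:port (not hostname:port) bindings are in use.

```powershell
# Added example, not from the original thread. Run elevated on the
# DirectAccess server. Assumptions: IP-HTTPS on TCP 443; bindings are
# IP:port style; the certificate lives in Cert:\LocalMachine\My.

function Get-SslCertBinding {
    # Turn "netsh http show sslcert" into one object per binding.
    # The output is blocks of "Name : Value" lines; each block starts with
    # an "IP:port" (or "Hostname:port") line.
    $text = & netsh http show sslcert 2>&1 | Out-String
    $bindings = @()
    $current  = $null
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\s*(?:IP|Hostname):port\s*:\s*(\S+)') {
            if ($current) { $bindings += [pscustomobject]$current }
            $current = [ordered]@{ IPPort = $Matches[1] }
        }
        elseif ($current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            # Keep the field names exactly as netsh prints them, e.g.
            # "Certificate Hash", "Application ID", "DS Mapper Usage".
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $bindings += [pscustomobject]$current }
    return $bindings
}

function Test-DirectAccessSslBinding {
    param([int]$Port = 443)   # assumption: IP-HTTPS listener port

    foreach ($b in Get-SslCertBinding) {
        if ($b.IPPort -notmatch ":$Port$") { continue }

        $hash  = $b.'Certificate Hash'
        $appId = $b.'Application ID'
        $cert  = Get-ChildItem -Path "Cert:\LocalMachine\My\$hash" -ErrorAction SilentlyContinue

        $dsMapperDisabled = ($b.'DS Mapper Usage' -eq 'Disabled')

        # Re-binding requires delete + add; the command is only reported here.
        $rebind = ''
        if ($dsMapperDisabled) {
            $rebind = "netsh http delete sslcert ipport=$($b.IPPort); " +
                      "netsh http add sslcert ipport=$($b.IPPort) certhash=$hash " +
                      "appid=$appId dsmapperusage=enable"
        }

        [pscustomobject]@{
            Binding            = $b.IPPort
            Thumbprint         = $hash
            SignatureAlgorithm = if ($cert) { $cert.SignatureAlgorithm.FriendlyName }
                                 else       { '(thumbprint not found in LocalMachine\My)' }
            NotAfter           = if ($cert) { $cert.NotAfter } else { $null }
            DsMapperUsage      = $b.'DS Mapper Usage'
            NeedsRebind        = $dsMapperDisabled
            RebindCommand      = $rebind
        }
    }
}

Test-DirectAccessSslBinding | Format-List
```

    A binding whose SignatureAlgorithm reports sha512RSA and whose DsMapperUsage is Disabled is the combination the answer describes; the RebindCommand field gives the exact `netsh` pair to review before re-binding. Re-binding briefly drops the IP-HTTPS listener, so do it in a maintenance window.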

All replies

  • Hi Amathus,

    Which user do you use to log on to the client? Please make sure that you use a domain user to log on to the client.

    DirectAccess authenticates the computer before the user logs on. Typically, computer authentication grants access only to domain controllers and DNS servers.

    After the user logs on, DirectAccess authenticates the user, and the user can connect to any resources he or she is authorized to access.

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, December 15, 2014 3:33 AM
    Moderator
  • Hi Steven,

    Thanks for the reply - a bit more info:

    If I disable "Use computer certificates" authentication in Step 2, I can see everything on the LAN.

    I have since done a bit of googling, and there seems to be an issue with the way we deployed our PKI.

    Our root CA is configured to use SHA512 with 4096-bit RSA - some people on the internet mentioned that SHA512 and DirectAccess do not play nicely together.

    Is this something anyone can confirm?

    Monday, December 15, 2014 12:58 PM