Having to log on with admin account

  • Question

  • Hi,

    At one customer, where I have installed UAG with DirectAccess, users who don't have administrative rights on their local computers can't use DirectAccess. If a user with admin rights logs on once and then logs out, the user is able to use DA after that. I also got a report from one user that he lost DA on his computer and had to log on with an admin account again, and then it started to work again. Where would I go to find a solution for this? Any user GPO that requires admin rights? DA does not use any user GPOs as far as I know, so that shouldn't be the problem, but I'm a bit lost here. Anyone with the same experience?

    /Tomas

    Tuesday, May 31, 2011 11:54 AM

Answers

  • A bit delayed, but still having the same issues. Debugging has been enabled, both on the server and the client, but it doesn't really matter. I've seen on one client now also that not even the infrastructure tunnel is established. When logging on with an account that is a member of the local Administrators group, it all starts working again, for a while. I have not seen any particular events that cause it to stop working, but logging on with an administrator account makes it work again.

    I have the logs from the Connectivity Assistant for both when it works and when it doesn't work. The only thing I can find as a difference is that there are no SAs on the non-working one, which does not come as a surprise...

    What parts of DA would be user dependent? I thought that everything regarding DA was just computer dependent.

    /Tomas

    • Marked as answer by Erez Benari Friday, August 26, 2011 10:36 PM
    Tuesday, August 9, 2011 6:51 AM

All replies

  • Hi,

    Some initial questions that might help you pinpoint what it is that stops working,

    Does the computer show up in the Web Monitor (at the UAG) without any logged-on users?
    (I.e., can the machine establish the infrastructure tunnel?)

    Have you looked through a DCA log from a machine that is unable to connect?
    - Is IPHTTPS/Teredo/6to4 connected?
    - Does either of the above list an error code?
    - Does the client system have the correct IPsec tunnels (and are there entries in the NRPT)?

    I would suggest that you generate a DCA log from a computer where DA doesn't work with a regular user logged on, and then a new one when the user has logged in as local administrator.

    Best wishes,
    Jonas Blom

    Tuesday, May 31, 2011 6:15 PM
  • Sorry, I was a bit in a rush when I posted the question, I should have provided more information right away.

    The infrastructure tunnel is established, usually using Teredo or, depending on the type of connection of course, IPHTTPS. That I can see in the client log file or in Web Monitor.

    I can't see any type of error codes, other than in the Security event log, if I enable that kind of logging on the client. There I can see information saying that the negotiation timed out (unknown authentication, event ID 4653). It should have something to do with the computer certificate, but the certificate is there all the time.

    Tomas

    Tuesday, May 31, 2011 6:34 PM
  • Hi again,

    When you enabled IPsec debugging on the client, did you also enable it on the server side?
    There should be some errors there also that might help you troubleshoot further.

    If you see that the infrastructure tunnel is established, the client has managed to establish an IPsec tunnel to the server.
    But it is most likely unable to establish the intranet tunnel, which uses Kerberos as the second step of authorization.

    An easy way to verify that the infrastructure tunnel works is to access one of the servers listed as endpoints of this tunnel from a client.
    (For example, use nslookup to check DNS connectivity to the address listed in your NRPT at the same time.)

    To find out if it is conflicting GPOs, I suggest using gpresult or GPMC (I like the GPMC Modelling Wizard for these scenarios, http://technet.microsoft.com/en-us/library/cc783004(WS.10).aspx ).

    Do a simulation for one of your normal users and one of your admin users and see what is changed. Always good to rule out all alternatives.

    Best wishes,
    Jonas Blom

    Wednesday, June 1, 2011 5:49 AM
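The comparison Jonas proposes (transition technology, NRPT, IPsec SAs, DNS through the NRPT, applied GPOs and event 4653) can be captured into one file per logon type so the standard-user and admin snapshots can be diffed. This is an added example, not code from the thread; it assumes Windows 7 era netsh syntax, and `$NrptHost` is a placeholder for a name inside your NRPT namespace.

```powershell
# Added example: snapshot DirectAccess client state for later comparison.
# Run once while a standard user is logged on, once after an admin logon, then diff.
param(
    [string]$NrptHost = 'corp.example.invalid',   # placeholder: a hostname covered by an NRPT rule
    [string]$OutDir   = "$env:TEMP\da-snapshot"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
$tag    = if ($isAdmin) { 'admin' } else { 'user' }
$report = Join-Path $OutDir ("da-{0}-{1:yyyyMMdd-HHmmss}.txt" -f $tag, (Get-Date))

# Label / command pairs. Some checks (Security log, computer-scope gpresult, SA listing)
# need elevation; under a standard user the error is recorded instead of a result, which
# is itself a useful data point when comparing the two snapshots.
$checks = @(
    @('Teredo state',                  { netsh interface teredo show state }),
    @('IP-HTTPS interface',            { netsh interface httpstunnel show interfaces }),
    @('NRPT rules',                    { netsh namespace show policy }),
    @('IPsec main mode SAs',           { netsh advfirewall monitor show mmsa }),
    @('IPsec quick mode SAs',          { netsh advfirewall monitor show qmsa }),
    @("DNS via NRPT ($NrptHost)",      { nslookup $NrptHost }),
    @('Applied GPOs (user + computer)', { gpresult /r }),
    @('Security 4653 (last 50)', {
        # 4653 = IPsec main mode negotiation failed, the event Tomas sees on the client
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4653 } -MaxEvents 50 |
            Select-Object TimeCreated, Message | Format-List | Out-String
    })
)

"Snapshot for $($identity.Name) (elevated: $isAdmin) at $(Get-Date)" | Out-File $report
foreach ($check in $checks) {
    $label, $cmd = $check
    "`n===== $label =====" | Out-File $report -Append
    try   { & $cmd 2>&1 | Out-String | Out-File $report -Append }
    catch { "ERROR: $_" | Out-File $report -Append }
}
Write-Host "Wrote $report. Compare two snapshots with: fc /n <user file> <admin file>"
```

The section most worth diffing first is the SA listing: Tomas's non-working log shows no SAs at all, so an empty main mode list under the standard user and a populated one after the admin logon confirms the failure is at IPsec negotiation rather than at the transition technology.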