Error while trying to configure DirectAccess with OTP RRS feed

  • Question

  • hi you all

    I have a working environment of DirectAccess 2012 R2 for Win8.1 clients (One DA Server)

    I have both Vasco and Azure MFA for OTP authentication and I wanted to add any of them to my DA topology

    I installed a new dedicated Enterprise-CA and added the OTP templates , added a new DAProbe user to my radius server and followed the rest of the documentation as described on TechNet.

    I know there's a bug in the DA UI wizard for OTP so I just enabled Two-Factor authentication and then from PowerShell I ran the command

    Enable-DAOtpAuthentication -CertificateTemplateName 'DirectAccessOTPLogon' -SigningCertificateTemplateName 'DirectAccessOTPRegistrationAuthority' -CAServer 'testdomain.com\CA' -RadiusServer MFA.testdomain.com -SharedSecret Aa123456

    and I get the following error:

    Enable-DAOtpAuthentication : The specified CA servers are either not valid enterprise CAs or specified incorrectly.
    Rerun the cmdlet with a valid CAServer parameter in the correct format (FQDN\CAServerName).
    At line:1 char:1
    + Enable-DAOtpAuthentication -CertificateTemplateName 'DirectAccessOTPLogon' -Sign ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (CAServer:root/Microsoft/...pAuthentication) [Enable-DAOtpAuthentication],
        + FullyQualifiedErrorId : HRESULT 80092004,Enable-DAOtpAuthentication

    • My radius server is domain joined
    • the PowerShell runs as Administrator
    • firewalls are disabled on my DC, CA and my radius server and I can ping the CA without any issues
    • The CA is Enterprise CA for sure and not Standalone
    • I can issue certificates from the CA without any issues
    • I tried to input the CA Server like this @{'domain.fqdn'}, 'domain.fqdn', domain.fqdn - all result the same
    • I even tried to create another CA from scratch just to be sure the problem is not on my server...

    in anyway, I'm stuck. seems like no one else on the web ran into this error...

    I'd love to get some help on ways to troubleshoot the problem


    Tamir Levy

    Saturday, May 2, 2015 8:41 AM


All replies

  • Hi,

    Microsoft recently published a fix for OTP activation problem with Windows Server 2012 R2 Remote Access Management Console : https://support.microsoft.com/en-us/kb/3047733/. Your error code remind me a Windows Server 2012 problem. Is subject name encoded in your IPHTTPS certificate is encoded in UTF-8 Format (https://support.microsoft.com/en-us/kb/2796394/)?

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Saturday, May 2, 2015 4:45 PM
  • Amazing Benoits ! for the first time I was able to finish the wizard using the UI

    I still have problem with the authentication.

    I will open a new thread for that

    thanks very much

    Tamir Levy

    Saturday, May 2, 2015 6:56 PM