Direct Access Certificate Expired RRS feed

  • Question

  • My cert expired on my Direct Access server (2012 R2) and now I am kind of screwed. I have lots of remote clients who cannot just plug back in to grab the new cert + settings I applied to DA. 

    I tried creating a new ticket using:

    djoin /provision /domain /machine "%pcname%" /policynames "DirectAccess Client Settings" /rootcacerts /reuse /savefile dj_ticket.txt

    Then I tried having them process it remotely using:

    djoin /requestODJ /loadfile dj_ticket.txt /windowspath %SystemRoot% /localos

    Normally this works perfectly to allow me to have remote clients join my domain without direct access however, it doesn't work when the remote clients were already a member of the domain. I somehow need to flush the old settings and apply the new ones.

    Any ideas?

    Friday, August 22, 2014 7:33 PM

All replies

  • Hi

    Witch certificate expired? IPHTTPS? It's not suppose to impact DirectAccess clients unless you change the url to use. Did you introduce Other changes to your DA configuration (such as NAP enforcement?)

    At last, the DJOIN can only work if computer is not already member of a domain (so in workgroup).

    BenoitS - Simple by Design

    Sunday, August 24, 2014 8:45 PM
  • A certificate expiring on the DirectAccess server should be a simple matter of replacing the certificate with a new one, whether you are talking about the SSL certificate used by IP-HTTPS or the machine certificate used for IPsec authentication. I have worked with plenty of customers who have let either one of those certs expire. As soon as you replace the cert with a new copy on the server, clients will immediately start connecting automatically again.
    Thursday, August 28, 2014 6:59 PM