DirectAccess not working on S2012R2 single homed with other IIS site

  • Hi,

    I have a setup with an HTTPS site on IIS, and am trying to set up DirectAccess on the same server with the same SSL cert used for the IIS site.

    The DirectAccess installation is working, all green on the Operations Status overview, but the client keeps trying to connect.
    I've tried several reboots, just to be sure the policies are pushed.

    The DACTT (DirectAccess Client Troubleshooting Tool) throws a lot of exclamation marks and red crosses, but I can't find out what I'm doing wrong.

    First it sees multiple gateways, no worries, only one is active. The active one is located and the log continues.

    I can see it detects that I'm off-site; then the IP-HTTPS interface is in single-site configuration and the URL endpoint is set just fine (https://host.mydomain:443), but then it says 'Failed to connect to endpoint https://host.mydomain:443'.

    After that there are a few more failures, but that is probably because it's not connecting.

    Any help is welcome!
    Cheers,

    Leon

    Tuesday, September 6, 2016 8:22 PM

All replies

  • The IP-HTTPS certificate for DirectAccess is bound with netsh to 0.0.0.0:443.
    You can see the configuration with this command: netsh http show sslcert

    C:\Users\admingma>netsh http show sslcert
    
    SSL Certificate bindings:
    -------------------------
    
        IP:port                      : 0.0.0.0:443
        Certificate Hash             : 0bcd6dd50f2cc2e93925adde64d05a973a9addf4
        Application ID               : {5d8e2743-ef20-4d38-8751-7e400f200e65}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : (null)
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
        Reject Connections           : Disabled

    If you have created a new binding in IIS using the certificate, the server is probably now redirecting your client's request to IIS instead of to the right service that authenticates it for DirectAccess.

    Gerald

    Thursday, September 8, 2016 1:59 PM
  • Hi Gerald,

    thanks for the reply. You are writing that IIS is probably using the SSL cert instead of DirectAccess... Do you know if there is some documentation about this, because it can be just as probable that that's not the case ;-).

    I was able to find enough documentation to not install the DirectAccess role on a Domain Controller, but there was nothing about IIS or other sites. Something else I found is that http.sys is changed at the kernel level, getting all the SSL traffic. My guess is that the traffic is being processed a lot sooner than IIS, unless IIS is also running at the kernel level.

    However, the IIS site on port 443 is running just fine!

    Hope someone can help me out.

    Thursday, September 8, 2016 8:09 PM
  • I just tested this on my server using a "Behind a NAT with two NICs" configuration:

    - Created an HTTPS binding using the DirectAccess certificate on the external IP address of the server (DMZ facing the Internet)
    - Rebooted the server
    - After the reboot, all DirectAccess services are green in the console

    Result: the client can't connect to the infrastructure

    netsh interface httpstunnel show interfaces shows this result: "Failed to connect to the IPHTTPS server; waiting to reconnect"

    On the server, netstat -a shows a connection between the client and the server on port 443 in FIN_WAIT status.

    After deleting the binding from IIS and restarting IIS, the client can successfully connect to the DirectAccess server.

    On the DirectAccess server, IIS is only used as the NLS server until you move that configuration to another server.

    Gerald


    Friday, September 9, 2016 11:53 AM
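The following is an added example and is not code from the thread. It turns the check Gerald describes in both of his replies into a script for the DirectAccess server: it parses `netsh http show sslcert` into objects, finds the binding owned by the IP-HTTPS application ID shown in his output, lists every IIS HTTPS binding on port 443, and flags the ones that compete with the IP-HTTPS listener on 0.0.0.0:443. It assumes the IP-HTTPS application ID is the one in the netsh output above (change the constant if yours differs), that the WebAdministration module is available (it ships with IIS), and that you run it elevated. Removal is opt-in via `-Remove`; the default is report-only.

```powershell
# Added example (not from the thread): detect IIS HTTPS bindings on TCP 443 that compete with
# the DirectAccess IP-HTTPS listener. Run in an elevated PowerShell on the DirectAccess server.
# Assumption (taken from the netsh output in the thread): IP-HTTPS owns the 0.0.0.0:443 binding
# under this application ID. Adjust if 'netsh http show sslcert' shows a different one.
$IpHttpsAppId = '{5d8e2743-ef20-4d38-8751-7e400f200e65}'

function Get-HttpSysSslBinding {
    # Turn the text of 'netsh http show sslcert' into one object per "IP:port" block.
    $bindings = @(); $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{ IpPort = $Matches[1]; Hash = $null; AppId = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.Hash = $Matches[1]
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    $bindings
}

function Get-IisHttpsBinding {
    # Every HTTPS binding of every IIS site as Site / Ip / Port / HostHeader.
    Import-Module WebAdministration
    foreach ($site in Get-ChildItem IIS:\Sites) {
        foreach ($b in $site.Bindings.Collection | Where-Object { $_.protocol -eq 'https' }) {
            # bindingInformation is "IP:port:hostheader", e.g. "*:443:" or "203.0.113.10:443:";
            # the greedy first group also copes with bracketed IPv6 addresses.
            if ($b.bindingInformation -match '^(.+):(\d+):(.*)$') {
                [pscustomobject]@{ Site = $site.Name; Ip = $Matches[1]; Port = [int]$Matches[2]; HostHeader = $Matches[3] }
            }
        }
    }
}

function Test-IpHttpsBindingConflict {
    param([switch]$Remove)   # report-only by default; -Remove deletes the conflicting IIS bindings
    $ssl = Get-HttpSysSslBinding
    $da  = $ssl | Where-Object { $_.AppId -eq $IpHttpsAppId }
    if (-not $da) {
        Write-Warning 'http.sys has no SSL binding owned by IP-HTTPS; check Remote Access Management first.'
        return
    }
    Write-Host ("IP-HTTPS listener: {0}  certificate hash {1}" -f $da.IpPort, $da.Hash)

    foreach ($b in Get-IisHttpsBinding | Where-Object { $_.Port -eq 443 }) {
        # IP-HTTPS is bound to every address on 443 (0.0.0.0:443), so an IIS site on 443, whether
        # on '*' or on one address, puts a second owner on that endpoint. In the thread an IIS
        # binding on the external address with the DA certificate was enough to break clients.
        $where = if ($b.Ip -eq '*') { 'all addresses' } else { "address $($b.Ip)" }
        Write-Warning ("IIS site '{0}' binds HTTPS on {1}:443 and competes with IP-HTTPS." -f $b.Site, $where)
        if ($Remove) {
            $rm = @{ Name = $b.Site; Protocol = 'https'; Port = 443; IPAddress = $b.Ip }
            if ($b.HostHeader) { $rm.HostHeader = $b.HostHeader }
            Remove-WebBinding @rm
            Write-Host ("Removed the binding from '{0}'. Run iisreset and retest the client." -f $b.Site)
        }
        $b   # emit the conflicting binding so the caller can act on it
    }

    # Any other http.sys 443 binding not owned by IP-HTTPS is worth a look as well.
    $ssl | Where-Object { $_.IpPort -like '*:443' -and $_.AppId -ne $IpHttpsAppId } |
        ForEach-Object { Write-Warning ("http.sys also has {0} owned by application {1}" -f $_.IpPort, $_.AppId) }
}

# Report only:
Test-IpHttpsBindingConflict
# Delete the offending IIS bindings, then restart IIS with iisreset:
# Test-IpHttpsBindingConflict -Remove
```

After a removal, retest from an off-site client with `netsh interface httpstunnel show interfaces`; the "Failed to connect to the IPHTTPS server; waiting to reconnect" state quoted above should clear once the IIS binding no longer sits on 443. If the IIS site genuinely needs HTTPS on the same server, the thread's conclusion is that it cannot share 443 with IP-HTTPS; give it a different port or a different host.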