DA2012/Win7 - working, but error on IPsec in Ops Status

  • Question

  • So I finally have Direct Access on 2012 (Single server) running. Single NIC behind a Sonicwall firewall. We're using a third-party IPHTTPS cert. Others are self signed. Everything appears to be working just fine.

    In the Remote Access console, under the operations status, IPSec is in a critical state.  Details -

    Error:
    There is no valid certificate to be used by IPsec which chains to the root/intermediate certificate configured to be used by IPsec in the DirectAccess configuration.

    Causes:
    The certificate has not been installed or is not valid.

    Resolution:
    Please ensure that a valid certificate is present in the machine store and DA server is configured to use the corresponding root certificate.
    The valid certificate must satisfy the following:
     a. Should not be expired.
     b. Should have a private key.
     c. Should be configured to be used for Client authentication.
     d. Should chain to the configured root/intermediate cert.

    I will be the first to admit I'm just learning DA and IPsec and certs (other than a normal cert on a web server!), so I'm not sure how to troubleshoot or what I'm missing. Again - everything appears to be working, so not sure what I'm missing. Looking at some other threads, they mention the firewall not being on (it is), GPO not set up for autoenrollment (it is - can see that below). That's about all I'm finding.

    Here's the output from certutil -store my

    my "Personal"
    ================ Certificate 0 ================
    Serial Number: 607dcf8da089d382423a056682934519
    Issuer: CN=DirectAccess-RADIUS-Encrypt-FILE002.domain.local
     NotBefore: 1/10/2013 4:29 PM
     NotAfter: 1/10/2018 11:39 AM
    Subject: CN=DirectAccess-RADIUS-Encrypt-FILE002.domain.local
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): fb 1e cd 3b 4f d3 77 42 47 2e 4c 01 7d af 3e 99 0b 81 d1 c0
      Key Container = d1034e536191f1bd46e88dd88e1e8c9e_92404682-ad92-483f-81ee-c5a3da31597f
      Simple container name: le-d392c1d5-ab80-43d2-aeab-d853268c0a30
      Provider = Microsoft Strong Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed

    ================ Certificate 1 ================
    Serial Number: 4e9fafafe17322
    Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
     NotBefore: 12/14/2012 5:52 PM
     NotAfter: 12/14/2015 4:48 PM
    Subject: CN=da.domain.com, OU=Domain Control Validated, O=da.tunnellconsulting.com
    Non-root Certificate
    Cert Hash(sha1): 46 f4 e4 83 18 00 89 0e 57 0b 64 51 33 36 01 54 71 56 59 07
      Key Container = 9d88e1f832431493b0de3b0e5ed80c20_92404682-ad92-483f-81ee-c5a3da31597f
      Simple container name: le-8cb20e9a-6221-4b4e-aaa1-87a2bff529db
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Encryption test passed

    ================ Certificate 2 ================
    Serial Number: 6000000002e21219a5a198722d000000000002
    Issuer: CN=TC-DC004-CA, DC=domain, DC=local
     NotBefore: 12/17/2012 9:59 AM
     NotAfter: 12/17/2013 9:59 AM
    Subject: EMPTY (DNS Name=FILE002.domain.local)
    Non-root Certificate
    Template: DirectAccess IPsec Client
    Cert Hash(sha1): 23 3b 1e fa b0 1b 0e 92 b7 74 34 8e f1 41 76 72 66 fd 50 80
      Key Container = a6288cbae7f8ccfcb52f78ec43e9507d_92404682-ad92-483f-81ee-c5a3da31597f
      Simple container name: le-DirectAccess IPsec Client-c3b0dc2e-42d0-4530-995d-611cf2e15527
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed

    ================ Certificate 3 ================
    Serial Number: 60000000030fcaa67d429df973000000000003
    Issuer: CN=TC-DC004-CA, DC=domain, DC=local
     NotBefore: 12/17/2012 9:59 AM
     NotAfter: 12/17/2013 9:59 AM
    Subject: CN=FILE002.domain.local
    Non-root Certificate
    Template: DirectAccess IPsec Server
    Cert Hash(sha1): 18 b5 51 2c fd dc ca 80 ab d8 65 d2 59 0b 99 86 ce 75 29 a6
      Key Container = 42b91bf19d080da28eaa594684073d5d_92404682-ad92-483f-81ee-c5a3da31597f
      Simple container name: le-DirectAccess IPsec Server-fa48d3a0-0ee5-4743-bafb-9bc5b1b06545
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -store command completed successfully.

    Friday, January 11, 2013 2:20 AM
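An added example (not code from the thread or from Microsoft) that checks the four conditions in the Operations Status error (not expired, has a private key, Client Authentication EKU, chains to the configured CA) against every certificate in the machine Personal store. It assumes you paste the thumbprint of the root/intermediate CA selected for IPsec in the DirectAccess configuration into the placeholder parameter; the function name Test-DaIpsecCertificate is mine.

```powershell
# Added example, not from the thread: list every certificate in the machine
# Personal store and test it against the four conditions in the IPsec error.
# Assumption: the thumbprint of the root/intermediate CA chosen for IPsec in
# the DirectAccess configuration is pasted in below (placeholder value).
param([string]$ConfiguredRootThumbprint = 'PLACEHOLDER_ROOT_THUMBPRINT')

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$ekuExtOid     = '2.5.29.37'           # Enhanced Key Usage extension

function Test-DaIpsecCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    # certutil prints "Subject: EMPTY (DNS Name=...)" for SAN-only certs such as Certificate 2
    $subject = if ($Cert.Subject) { $Cert.Subject } else { "EMPTY (DNS=$($Cert.DnsNameList -join ','))" }

    # c. Client Authentication must be listed in the EKU extension; a certificate
    #    with no EKU extension at all is valid for any purpose, so it passes too.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
    $clientAuth = ($null -eq $eku) -or (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0)

    # d. Build the chain (revocation check skipped here) and look for the configured CA in it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk   = $chain.Build($Cert)
    $rootFound = @($chain.ChainElements | Where-Object { $_.Certificate.Thumbprint -eq $ConfiguredRootThumbprint }).Count -gt 0

    $notExpired = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)      # a.
    [pscustomobject]@{
        Subject        = $subject
        Thumbprint     = $Cert.Thumbprint
        NotExpired     = $notExpired                                               # a.
        HasPrivateKey  = $Cert.HasPrivateKey                                       # b.
        ClientAuth     = $clientAuth                                               # c.
        ChainsToRoot   = ($chainOk -and $rootFound)                                # d.
        UsableForIPsec = ($notExpired -and $Cert.HasPrivateKey -and $clientAuth -and $chainOk -and $rootFound)
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-DaIpsecCertificate -Cert $_ } |
    Format-Table Subject, NotExpired, HasPrivateKey, ClientAuth, ChainsToRoot, UsableForIPsec -AutoSize
```

Run it in an elevated PowerShell on the DA server; if no row shows UsableForIPsec as True, the column that is False tells you which of the four conditions the Operations Status check is failing on.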

All replies

  • Most likely you need a plain old computer certificate from your internal CA.
    Tuesday, January 22, 2013 8:44 PM
  • Most likely you need a plain old computer certificate from your internal CA.
    You nailed it. I had the exact same error after deploying DirectAccess on Server 2012 R2. I simply added the Certificates MMC and requested a new computer certificate. Then I refreshed the Operation Status window in the Remote Access Management Console and IPsec is now happy. Thanks!

    • Edited by C0rmang Monday, January 27, 2014 7:25 PM
    Monday, January 27, 2014 7:25 PM