locked
Direct Access with OTP - Error Code 0x80040004 RRS feed

  • Question

  • Hello everyone,

    I am currently trying to get Direct Access working with RSA one time passwords. Everything seems to work fine up until I put in my token code on the mobile device (Surface Pro 3). After I put in the code it takes about one minute and then I get the error code "0x80040004" back. There are not entries in the Windows Event Viewer and no incoming traffic on server side (neither RSA server nor Direct Access server). OTP Health Status on the DA server is green. So the problem is probably on the client. 

    This is the guide I have used: 

    http://technet.microsoft.com/de-de/library/hh831544.aspx

    The GPO gets applied on the client without problems and the DA certificates also seem to be fine.

    The Server is a Windows Server 2012 R2, on the client I am using Windows 8.1 (64 bit).

    Has anybody experienced the same problem?

    Any input would be great. Thanks.

    Best regards

    Johannes


    Friday, November 28, 2014 7:51 AM

All replies

  • Hello Johannes,

    I have recently butted heads with this exact problem that resulted in a Premier Support call. Unfortunately there is a suprising lack of documentation around how OTP works and how it should be configured. The short version is the Windows Server 2012R2 DirectAccess and One-Time Password DOES NOT WORK. There is a bug in the code released with Server 2012R2 at the driver level that actually prevents OTP from functioning in this deployment scenario.

    To get OTP to work in a DirectAccess deployment you must use Windows Server 2012. Another gotcha to be wary of once you get it configured is:

    All Domain Controllers in your AD domain must have a DC certificate that includes the Smart Card Logon EKU (Kerberos Authentication and Domian Controller Authentication Certificates include this, the default Domain Controller template does not) if it does not clients will receive "The Request is not supported" after entering their token code.

    I hope this helps.

    Regards,

    Henry426

    Monday, January 26, 2015 11:51 PM