The certificate does not contain the EKU Client Authentication

  • Question

  • Hi,

    I've recently configured DirectAccess on a new Server 2012 R2 server.
    Checked the box for certificate authentication.

    On my Windows 8.1 client I have a computer certificate with Client Authentication and Server Authentication.

    When I run the troubleshooting tool it gives a warning at the certificate:

    The certificate does not contain the EKU Client Authentication

    Since it is the default computer certificate it does have the Client Authentication.
    Also tried to duplicate the cert template and issue that to my laptop, but that certificate is not accepted as it only shows 1 certificate.

    Can anyone point me in the proper direction?


    Thursday, November 17, 2016 9:51 AM

All replies

  • If you are using the built-in "Computer" template or a template duplicated from it, then it should definitely meet the requirements for being a DirectAccess IPsec authentication certificate.

    I don't trust the output of the DA troubleshooting tool, never have. I have seen so many times where it shows false-negatives. I tend to focus instead on netsh commands that actually tell me what is and isn't working with the DA connection. These are the same commands that we always used to look over in the DCA logs back in the Win7 days - here's a good starting point for what to look over:

    Friday, January 6, 2017 4:28 PM
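
Added example, not part of the original thread or of any poster's reply: one way to check independently of the troubleshooting tool which certificates in the client's computer store actually carry the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2). It assumes an elevated PowerShell session on the DirectAccess client; the property names in the output object are illustrative.

```powershell
# Added example: list every certificate in the local computer store and
# report whether it carries the Client Authentication EKU.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # The EKU extension is optional; a certificate without it is not
    # restricted to particular purposes by EKU.
    $ekuExt = $cert.Extensions | Where-Object { $_ -is $ekuType } | Select-Object -First 1

    if ($ekuExt) {
        $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $status = if ($oids -contains $clientAuthOid) { 'present' } else { 'absent' }
        $ekuText = ($ekuExt.EnhancedKeyUsages |
            ForEach-Object { "$($_.FriendlyName) ($($_.Value))" }) -join '; '
    } else {
        $status = 'no EKU extension'
        $ekuText = ''
    }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        WithinValidity = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        HasPrivateKey  = $cert.HasPrivateKey
        ClientAuthEKU  = $status
        EKUs           = $ekuText
    }
} | Format-List
```

Comparing the Issuer and ClientAuthEKU fields across all listed certificates shows whether a duplicated-template certificate was enrolled alongside the original and whether each one really has the EKU the tool reports as missing.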