IPSec: not working properly after DirectAccess configuration wizard

  • Question

  • Hi,

    I've set up a test lab; at the end of the configuration wizard there is an error on the IPSec operation status.

    The certificate is well configured, but the client is not able to receive the NRP table.

    Does someone know what the issue could be?

    Thanks in advance


    Monday, 13 August 2012 10:01

All replies

  • If you want to post some more detail on the message you are getting we might be able to point you in the right direction.

    Thursday, 16 August 2012 20:27
  • Hi,

    Now IPsec on the DA server is fine (the certificate must contain edge1.CORP.contoso.com).

    The client does not get access to the DA server. Using the troubleshooter "Connection to a Workplace Using DirectAccess" on the client side, I've got the error: IPsec security policies don't match.

    The document "How to build the Test Lab Environment" doesn't mention anything about IPsec configuration.

    What should I do?

    Thanks


    Friday, 17 August 2012 13:09
  • You don't have to do any of the IPsec configurations by hand, they are all in the GPOs that UAG creates and they get pushed down to the UAG server and the DA client computers automatically. I think it might be helpful for you to understand how certificates fit in with DirectAccess. You mention your "edge1" certificate in relation to IPsec tunnels, but if I remember correctly from the TLGs the edge1 certificate is actually the SSL certificate for IP-HTTPS. The machine certificates that handle the IPsec tunnels are different.

    Here is something I wrote a while ago explaining how DA and certificates work together, hopefully this will help explain what certificates are needed and where, and then that should point you in the right direction as to what is not set up correctly in your environment: http://www.ivonetworks.com/news/2012/05/directaccess-help-im-drowning-in-certificates/

    Friday, 17 August 2012 14:09
  • Hi,

    Thanks for your reply.

    I have followed step by step the instructions from here:

    http://www.microsoft.com/en-us/download/details.aspx?id=29010

    http://www.microsoft.com/en-us/download/details.aspx?id=29031

    At the end the DA client is able to connect only in local mode; if I switch off the corp network interface, the DA interface gives me: "Can't reach network resource. IPv6 disabled".

    Any help?

    Thanks

    Monday, 20 August 2012 15:17
  • If you can post a log file from the DirectAccess Connectivity Assistant that would help greatly in troubleshooting this problem. Otherwise, start by making sure that the GPO settings got successfully placed in their correct locations. Make sure the DirectAccess Gateways GPO got applied to the DirectAccess server, and make sure the DirectAccess Clients GPO got applied to the client machine you are testing with.
    Tuesday, 21 August 2012 14:22
  • Hi Jordan,

    Maybe the client can't receive the GPOs. I have created a new client machine and I've got the same problems. I can't update local policies, not even by running the command gpupdate /force.

    Below is the log generated by the Connectivity Assistant tool.

    Thanks in advance

    __________________________________________________________________________

    RED: Corporate connectivity is not working.
    Windows is not configured for DirectAccess. Please contact your administrator if this problem persists.
    23/8/2012 13:23:38 (UTC)


    C:\Windows\system32\LogSpace\{F2679AC5-D0D1-4E85-8C8B-26CDF829EFC3}>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : CLIENT8
       Primary Dns Suffix  . . . . . . . : corp.chiarito.com
       Node Type . . . . . . . . . . . . : Peer-Peer
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : corp.chiarito.com

    Ethernet adapter Corpnet:

       Connection-specific DNS Suffix  . : corp.chiarito.com
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-02-AC-11
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::b9bb:fdad:dbe6:abb%13(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.0.0.104(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Thursday, August 23, 2012 6:23:28 AM
       Lease Expires . . . . . . . . . . : Friday, August 31, 2012 6:23:27 AM
       Default Gateway . . . . . . . . . :
       DHCP Server . . . . . . . . . . . : 10.0.0.1
       DNS Servers . . . . . . . . . . . : 10.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter 6TO4 Adapter:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.corp.chiarito.com:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : corp.chiarito.com
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    C:\Windows\system32\LogSpace\{F2679AC5-D0D1-4E85-8C8B-26CDF829EFC3}>netsh int teredo show state
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : teredo.ipv6.microsoft.com.
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : offline
    Error                   : client is in a managed network


    C:\Windows\system32\LogSpace\{F2679AC5-D0D1-4E85-8C8B-26CDF829EFC3}>netsh int httpstunnel show interfaces


    C:\Windows\system32\LogSpace\{F2679AC5-D0D1-4E85-8C8B-26CDF829EFC3}>netsh dns show state

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Direct Access Settings                : Not Configured

    DNSSEC Settings                       : Not Configured


    C:\Windows\system32\LogSpace\{F2679AC5-D0D1-4E85-8C8B-26CDF829EFC3}>netsh name show policy

    DNS Name Resolution Policy Table Settings

     

    C:\Windows\system32\LogSpace\{F2679AC5-D0D1-4E85-8C8B-26CDF829EFC3}>netsh name show effective

    DNS Effective Name Resolution Policy Table Settings

    Note: DirectAccess settings are inactive when this computer is inside a corporate network.

     

    C:\Windows\system32\LogSpace\{F2679AC5-D0D1-4E85-8C8B-26CDF829EFC3}>netsh int ipv6 show int level=verbose 

    Interface Loopback Pseudo-Interface 1 Parameters
    ----------------------------------------------
    IfLuid                             : loopback_0
    IfIndex                            : 1
    State                              : connected
    Metric                             : 50
    Link MTU                           : 4294967295 bytes
    Reachable Time                     : 35500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    ECN capability                     : application

    Interface 6TO4 Adapter Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_5
    IfIndex                            : 16
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 34000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    ECN capability                     : application

    Interface isatap.corp.chiarito.com Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_7
    IfIndex                            : 18
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 35500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    ECN capability                     : application

    Interface Corpnet Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_11
    IfIndex                            : 13
    State                              : connected
    Metric                             : 5
    Link MTU                           : 1500 bytes
    Reachable Time                     : 42500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : disabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    ECN capability                     : application


    C:\Windows\system32\LogSpace\{F2679AC5-D0D1-4E85-8C8B-26CDF829EFC3}>netsh advf show currentprofile

    Domain Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.


    C:\Windows\system32\LogSpace\{F2679AC5-D0D1-4E85-8C8B-26CDF829EFC3}>netsh advfirewall monitor show consec

    Global Settings:
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     NeighborDiscovery,DHCP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None
    AuthzUserGrpTransport                 None
    AuthzComputerGrpTransport             None

    StatefulFTP                           Enable
    StatefulPPTP                          Enable

    Main Mode:
    KeyLifetime                           480min,0sess
    SecMethods                            DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    ForceDH                               No

    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleCategory                    Windows Firewall


    Quick Mode:
    QuickModeSecMethods                   ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    QuickModePFS                          None

    Security Associations:

    No SAs match the specified criteria.


    C:\Windows\system32\LogSpace\{F2679AC5-D0D1-4E85-8C8B-26CDF829EFC3}>Certutil -store my 
    my "Personal"
    CertUtil: -store command completed successfully.

    C:\Windows\system32\LogSpace\{F2679AC5-D0D1-4E85-8C8B-26CDF829EFC3}>Systeminfo

    Host Name:                 CLIENT8
    OS Name:                   Microsoft Windows 8 Consumer Preview
    OS Version:                6.2.8250 N/A Build 8250
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Member Workstation
    OS Build Type:             Multiprocessor Free
    Registered Owner:          Dominik
    Registered Organization:  
    Product ID:                00127-83400-00003-AA768
    Original Install Date:     8/23/2012, 2:50:00 AM
    System Boot Time:          8/23/2012, 6:14:10 AM
    System Manufacturer:       Microsoft Corporation
    System Model:              Virtual Machine
    System Type:               x64-based PC
    Processor(s):              1 Processor(s) Installed.
                               [01]: Intel64 Family 6 Model 26 Stepping 5 GenuineIntel ~2266 Mhz
    BIOS Version:              American Megatrends Inc. 090004 , 3/19/2009
    Windows Directory:         C:\Windows
    System Directory:          C:\Windows\system32
    Boot Device:               \Device\HarddiskVolume1
    System Locale:             en-us;English (United States)
    Input Locale:              en-us;English (United States)
    Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
    Total Physical Memory:     2,048 MB
    Available Physical Memory: 1,366 MB
    Virtual Memory: Max Size:  4,096 MB
    Virtual Memory: Available: 3,305 MB
    Virtual Memory: In Use:    791 MB
    Page File Location(s):     C:\pagefile.sys
    Domain:                    corp.chiarito.com
    Logon Server:              N/A
    Hotfix(s):                 21 Hotfix(s) Installed.
                               [01]: KB2653956
                               [02]: KB2658846
                               [03]: KB2676562
                               [04]: KB2680328
                               [05]: KB2680330
                               [06]: KB2680358
                               [07]: KB2680376
                               [08]: KB2680826
                               [09]: KB2683474
                               [10]: KB2683482
                               [11]: KB2686837
                               [12]: KB2687198
                               [13]: KB2687994
                               [14]: KB2689861
                               [15]: KB2690653
                               [16]: KB2691252
                               [17]: KB2693205
                               [18]: KB2693665
                               [19]: KB2718704
                               [20]: KB2719177
                               [21]: KB2719985
    Network Card(s):           2 NIC(s) Installed.
                               [01]: Intel 21140-Based PCI Fast Ethernet Adapter (Emulated)
                                     Connection Name: CERN
                                     Status:          Hardware not present
                               [02]: Microsoft Hyper-V Network Adapter
                                     Connection Name: Corpnet
                                     DHCP Enabled:    Yes
                                     DHCP Server:     10.0.0.1
                                     IP address(es)
                                     [01]: 10.0.0.104
                                     [02]: fe80::b9bb:fdad:dbe6:abb
    Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

    C:\Windows\system32\LogSpace\{F2679AC5-D0D1-4E85-8C8B-26CDF829EFC3}>whoami /groups 

    GROUP INFORMATION
    -----------------

    Group Name                             Type             SID          Attributes                                       
    ====================================== ================ ============ ==================================================
    BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner   
    Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
    Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                  

    Thursday, 23 August 2012 13:42
  • Correct, based on this log the client machine has not received the settings from the GPO. So your client doesn't have any of the information it needs on how to connect via DirectAccess. Also, you do not have the machine certificate on here yet, and that will be required for IPsec.

    I see you are using Windows 8 CP - I can't remember offhand which one was the problem, but one of the Windows 8 previews did not work with DirectAccess, they essentially released a "Pro" version instead of an "Enterprise" version, and Pro doesn't work with DA. You might want to focus your testing on a Win7 client instead to make sure that isn't part of the problem.

    Thursday, 23 August 2012 14:05
  • Thanks for your reply.

    I'm using the Win8 CP version as suggested in the Test Lab, but I have another machine running Win8 Enterprise with the same problems.

    I'm wondering why both machines can't get the policy settings...

    One question: what do you mean by "you do not have the machine certificate on here yet"?

    Further, is there any way to force the GPO update? I've got the message below when I run gpupdate /force and gpresult /r.

    Thanks in advance

    __________________________________________________________________________

    RSOP data for CORP\User1 on CLIENT8 : Logging Mode
    ---------------------------------------------------

    OS Configuration:            Member Workstation
    OS Version:                  6.2.8250
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\User1
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=CLIENT8,CN=Computers,DC=corp,DC=chiarito,DC=com
        Last time Group Policy was applied: 8/23/2012 at 6:16:33 AM
        Group Policy was applied from:      DC1.corp.chiarito.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        CORP
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            DirectAccess Server Settings
                Filtering:  Denied (Security)

            Local Group Policy
                Filtering:  Not Applied (Unknown Reason)

            DirectAccess Client Settings
                Filtering:  Denied (Security)

    Thursday, 23 August 2012 14:16
  • Did you configure an Active Directory security group to contain your DirectAccess client computers (a group named DA_Clients for example)? You must create a group, and then specify that group in your DirectAccess wizards. Doing this will tell the script that generates the GPOs to set Security Filtering on that GPO only to apply to the DA_Clients group. Then your DirectAccess client computers must be joined to that group, for them to receive the GPO settings.

    For the certificate, did you look over the link I posted earlier that describes the places certificates are needed? I can see in the output of your log that you do not have a machine certificate issued to this client from your internal CA server, that certificate will be used to authenticate the IPsec tunnels. http://www.ivonetworks.com/news/2012/05/directaccess-help-im-drowning-in-certificates/

    Thursday, 23 August 2012 14:22
  • OK, I get it. Let me say what I have:

    - machine DC1 running DNS and AD DS; it contains a group (DirectAccessGroup) with the ClientX machines and a domain user

    - machine APP1 acting as Certification Authority; it contains certificates whose CNs are corp-APP1-CA and nls.corp.chiarito.com

    (as well as a template configured for auto enrollment)

    - machine edge1 acting as DA server and containing the manually created certificate edge1.corp.chiarito.com

    Is this correct?

    Thursday, 23 August 2012 14:38
  • Sounds right (especially if you are following a TLG, that should direct you exactly) - but it looks like your policy for autoenrollment must not be working. If you open MMC and snap-in Certificates (make sure to choose Computer Account), and look in the Personal certificates store, you need to have a machine certificate on each client that was issued by your APP1 internal CA server. Your log file does not show any certificate in there.

    Also, your DirectAccessGroup does not need to contain any user accounts, only the computer accounts.

    I think that if you work out those two issues - figure out why your certificates are not being applied to the client machines and figure out why the GPO settings are not being applied to the client machines, you will probably be all set. These two things may be related, maybe something on your Domain Controller is not working properly.

    Thursday, 23 August 2012 15:41
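One way to check, from the client itself, the items listed in the last two replies (GPO security filtering, a machine certificate from the internal CA in the computer's Personal store, and IPsec state once the client is outside the corporate network). This is an added PowerShell script, not from this thread or from any Microsoft tool; it assumes an elevated prompt on the DirectAccess client, skips the IPsec SA query where Get-NetIPsecMainModeSA is not available (Windows 7), and defaults the GPO and CA names to the ones quoted in the thread.

```powershell
# Added example (not from the thread): read-only DirectAccess client pre-flight check.
# Run from an elevated PowerShell prompt on the DA client machine.
param(
    [string]$ClientGpoName  = 'DirectAccess Client Settings',  # GPO name as shown by gpresult in the thread
    [string]$InternalCaName = 'corp-APP1-CA'                   # issuing CA name from the thread
)

$findings = New-Object System.Collections.Generic.List[string]

# ---- 1. Group Policy: is the client GPO applied, or filtered out? -------------
# gpresult lists applied GPOs and, separately, filtered GPOs each followed by a
# "Filtering:" line with the reason (e.g. "Denied (Security)").
$gpLines = @(& gpresult.exe /r /scope:computer 2>&1 | ForEach-Object { "$_".Trim() })
$idx = [array]::IndexOf([string[]]$gpLines, $ClientGpoName)
if ($idx -lt 0) {
    $findings.Add("GPO '$ClientGpoName' is not listed for this computer at all: check the GPO link, then run 'gpupdate /force'.")
} else {
    $next = ''
    for ($i = $idx + 1; $i -lt $gpLines.Count -and -not $next; $i++) { $next = $gpLines[$i] }
    if ($next -like 'Filtering:*') {
        # "Denied (Security)" means the computer account is not in the group the DA
        # wizard placed in the GPO's security filtering. Computer group membership is
        # read at boot, so the client must be rebooted after being added to the group.
        $findings.Add("GPO '$ClientGpoName' was not applied: $next")
    }
}

# ---- 2. Machine certificate usable for the IPsec tunnels ----------------------
function Test-ClientAuthEku {
    # True if the cert has no EKU extension (valid for any purpose) or lists
    # Client Authentication (1.3.6.1.5.5.7.3.2), which the Computer template does.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not $eku) { return $true }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
}

$now = Get-Date
$issuerPattern = 'CN=' + [regex]::Escape($InternalCaName) + '(,|$)'
$machineCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -match $issuerPattern })
if ($machineCerts.Count -eq 0) {
    # This is the empty "Certutil -store my" seen in the thread's first log.
    $findings.Add("No certificate issued by '$InternalCaName' in Cert:\LocalMachine\My: check autoenrollment of the Computer template.")
} else {
    foreach ($c in $machineCerts) {
        $problems = @()
        if (-not $c.HasPrivateKey)        { $problems += 'no private key' }
        if ($c.NotAfter -le $now)         { $problems += "expired $($c.NotAfter.ToShortDateString())" }
        if ($c.NotBefore -gt $now)        { $problems += 'not yet valid' }
        if (-not (Test-ClientAuthEku $c)) { $problems += 'no Client Authentication EKU' }
        if ($problems) {
            $findings.Add("Cert $($c.Thumbprint) ($($c.Subject)) unusable for IPsec: $($problems -join ', ')")
        }
    }
}

# ---- 3. Location and IPsec state ----------------------------------------------
# Inside the corporate network the NRPT (and therefore DirectAccess) is
# intentionally inactive, so missing IPsec SAs only count when the client
# believes it is outside.
$location = (& netsh.exe dns show state | Select-String 'Machine Location') -replace '.*:\s*', ''
if ($location -match 'Outside') {
    if (Get-Command Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue) {
        $mmsa = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
        if ($mmsa.Count -eq 0) {
            $findings.Add('Outside corpnet but no IPsec main-mode SA exists: the tunnels are not being negotiated (policy mismatch or certificate not trusted by the peer).')
        }
    } else {
        $findings.Add('Get-NetIPsecMainModeSA not available on this OS; inspect "netsh advfirewall monitor show mmsa" by hand.')
    }
}

# ---- Report -------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output 'All DirectAccess client pre-flight checks passed.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```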
  • Hi Jordan,

    I have sorted out the policy issue (and temporarily provided the client certificate by hand).

    Now each client gets the GPOs (DirectAccess Client policy) and it is possible to ping the APP server, obtaining an IPv6 address.

    I can show the client status from the DA server; each client is using an IPHTTPS tunnel.

    One issue is left: the client is not able to reach APP1 (file sharing and web server).

    Troubleshooting gives me these messages:

    file and print sharing resource (app1) is online but isn't responding
    to connection attempts.
     
    The remote computer isn’t responding to connections on port 445,
    possibly due to firewall or security policy settings,
    or because it might be temporarily unavailable.
    Windows couldn’t find any problems with the firewall on your computer. 

    and

    An IPsec negotiation failure is preventing the connection
    Details about network security diagnosis:

    Settings that might be blocking the connection:
    Provider name:   Microsoft Corporation
    Provider description:  Microsoft Windows Firewall IPsec Provider
    Filter name:   DirectAccess Policy-ClientToCorp
    Provider context name:  DirectAccess Policy-ClientToCorp

    I remember that in the past I was able to connect to the APP server through other tunnels such as 6to4.

    Any idea? (Below is the last log.)

    Many thanks

     ____________________________________________________________________________

    C:\Windows\system32\LogSpace\{37BCCE95-4005-4871-A3B8-463AFA8285F3}>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : CLIENT1
       Primary Dns Suffix  . . . . . . . : corp.chiarito.com
       Node Type . . . . . . . . . . . . : Peer-Peer
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : corp.chiarito.com

    Ethernet adapter Internet:

       Connection-specific DNS Suffix  . : isp.example.com
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2
       Physical Address. . . . . . . . . : 00-15-5D-02-AC-0F
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::84c6:ef6b:f3c3:a194%14(Preferred)
       IPv4 Address. . . . . . . . . . . : 131.107.0.102(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Tuesday, August 28, 2012 9:13:22 AM
       Lease Expires . . . . . . . . . . : Wednesday, September 5, 2012 9:13:22 AM
       Default Gateway . . . . . . . . . : 131.107.0.1
       DHCP Server . . . . . . . . . . . : 131.107.0.1
       DHCPv6 IAID . . . . . . . . . . . : 385881437
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-C6-B9-DD-00-15-5D-FF-01-3B
       DNS Servers . . . . . . . . . . . : 131.107.0.1
                                           131.107.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter 6TO4 Adapter:

       Connection-specific DNS Suffix  . : isp.example.com
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:836b:66::836b:66(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 131.107.0.1
                                           131.107.0.1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.isp.example.com:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : isp.example.com
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:836b:2:3413:3ff6:7c94:ff99(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3413:3ff6:7c94:ff99%19(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 419430400
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-C6-B9-DD-00-15-5D-FF-01-3B
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter iphttpsinterface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:db8:1:1000:4559:3846:6266:f04a(Preferred)
       Temporary IPv6 Address. . . . . . : 2001:db8:1:1000:5806:4552:7ba7:955f(Preferred)
       Link-local IPv6 Address . . . . . : fe80::4559:3846:6266:f04a%20(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 436207616
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-C6-B9-DD-00-15-5D-FF-01-3B
       NetBIOS over Tcpip. . . . . . . . : Disabled

    C:\Windows\system32\LogSpace\{37BCCE95-4005-4871-A3B8-463AFA8285F3}>netsh int teredo show state
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : edge1.chiarito.com (Group Policy)
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : qualified
    Client Type             : teredo host-specific relay
    Network                 : unmanaged
    NAT                     : none (global connectivity)
    NAT Special Behaviour   : UPNP: No, PortPreserving: No
    Local Mapping           : 131.107.0.102:49161
    External NAT Mapping    : 131.107.0.102:49161


    C:\Windows\system32\LogSpace\{37BCCE95-4005-4871-A3B8-463AFA8285F3}>netsh int httpstunnel show interfaces

    Interface IPHTTPSInterface (Group Policy)  Parameters
    ------------------------------------------------------------
    Role                       : client
    URL                        : https://edge1.chiarito.com:443/IPHTTPS
    Last Error Code            : 0x0
    Interface Status           : IPHTTPS interface active


    C:\Windows\system32\LogSpace\{37BCCE95-4005-4871-A3B8-463AFA8285F3}>netsh dns show state

    Name Resolution Policy Table Options
    --------------------------------------------------------------------

    Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                            if the name does not exist in DNS or
                                            if the DNS servers are unreachable
                                            when on a private network

    Query Resolution Behavior             : Resolve only IPv6 addresses for names

    Network Location Behavior             : Let Network ID determine when Direct
                                            Access settings are to be used

    Machine Location                      : Outside corporate network

    Direct Access Settings                : Configured and Enabled

    DNSSEC Settings                       : Not Configured


    C:\Windows\system32\LogSpace\{37BCCE95-4005-4871-A3B8-463AFA8285F3}>netsh name show policy

    DNS Name Resolution Policy Table Settings


    Settings for nls.corp.chiarito.com
    ----------------------------------------------------------------------
    DNSSEC (Certification Authority)        :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (Certification Authority)  :
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings
    Generic (DNS Servers)                   :
    IDN (Encoding)                          : UTF-8 (default)


    Settings for .corp.chiarito.com
    ----------------------------------------------------------------------
    DNSSEC (Certification Authority)        :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (Certification Authority)  :
    DirectAccess (DNS Servers)              : 2001:db8:1::2
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy
    Generic (DNS Servers)                   :
    IDN (Encoding)                          : UTF-8 (default)

     

    C:\Windows\system32\LogSpace\{37BCCE95-4005-4871-A3B8-463AFA8285F3}>netsh name show effective

    DNS Effective Name Resolution Policy Table Settings


    Settings for nls.corp.chiarito.com
    ----------------------------------------------------------------------
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (Proxy Settings)           : Use default browser settings


    Settings for .corp.chiarito.com
    ----------------------------------------------------------------------
    DirectAccess (Certification Authority)  :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (DNS Servers)              : 2001:db8:1::2
    DirectAccess (Proxy Settings)           : Bypass proxy

     

    C:\Windows\system32\LogSpace\{37BCCE95-4005-4871-A3B8-463AFA8285F3}>netsh int ipv6 show int level=verbose 

    Interface Loopback Pseudo-Interface 1 Parameters
    ----------------------------------------------
    IfLuid                             : loopback_0
    IfIndex                            : 1
    State                              : connected
    Metric                             : 50
    Link MTU                           : 4294967295 bytes
    Reachable Time                     : 30000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    ECN capability                     : application

    Interface 6TO4 Adapter Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_5
    IfIndex                            : 16
    State                              : connected
    Metric                             : 5
    Link MTU                           : 1280 bytes
    Reachable Time                     : 21500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : disabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    ECN capability                     : application

    Interface isatap.isp.example.com Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_7
    IfIndex                            : 18
    State                              : disconnected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 18500 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : disabled
    Router Discovery                   : enabled
    Managed Address Configuration      : disabled
    Other Stateful Configuration       : disabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    ECN capability                     : application

    Interface Teredo Tunneling Pseudo-Interface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_8
    IfIndex                            : 19
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 17000 ms
    Base Reachable Time                : 15000 ms
    Retransmission Interval            : 2000 ms
    DAD Transmits                      : 0
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : enabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    ECN capability                     : application

    Interface iphttpsinterface Parameters
    ----------------------------------------------
    IfLuid                             : tunnel_9
    IfIndex                            : 20
    State                              : connected
    Metric                             : 50
    Link MTU                           : 1280 bytes
    Reachable Time                     : 17000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    ECN capability                     : application

    Interface Internet Parameters
    ----------------------------------------------
    IfLuid                             : ethernet_15
    IfIndex                            : 14
    State                              : connected
    Metric                             : 5
    Link MTU                           : 1500 bytes
    Reachable Time                     : 22000 ms
    Base Reachable Time                : 30000 ms
    Retransmission Interval            : 1000 ms
    DAD Transmits                      : 1
    Site Prefix Length                 : 64
    Site Id                            : 1
    Forwarding                         : disabled
    Advertising                        : disabled
    Neighbor Discovery                 : enabled
    Neighbor Unreachability Detection  : enabled
    Router Discovery                   : enabled
    Managed Address Configuration      : enabled
    Other Stateful Configuration       : enabled
    Weak Host Sends                    : enabled
    Weak Host Receives                 : disabled
    Use Automatic Metric               : enabled
    Ignore Default Routes              : disabled
    Advertised Router Lifetime         : 1800 seconds
    Advertise Default Route            : disabled
    Current Hop Limit                  : 0
    Force ARPND Wake up patterns       : disabled
    Directed MAC Wake up patterns      : disabled
    ECN capability                     : application


    C:\Windows\system32\LogSpace\{37BCCE95-4005-4871-A3B8-463AFA8285F3}>netsh advf show currentprofile

    Public Profile Settings:
    ----------------------------------------------------------------------
    State                                 ON
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Enable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable

    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096

    Ok.


    C:\Windows\system32\LogSpace\{37BCCE95-4005-4871-A3B8-463AFA8285F3}>netsh advfirewall monitor show consec

    Global Settings:
    ----------------------------------------------------------------------
    IPsec:
    StrongCRLCheck                        0:Disabled
    SAIdleTimeMin                         5min
    DefaultExemptions                     ICMP
    IPsecThroughNAT                       Never
    AuthzUserGrp                          None
    AuthzComputerGrp                      None
    AuthzUserGrpTransport                 None
    AuthzComputerGrpTransport             None

    StatefulFTP                           Enable
    StatefulPPTP                          Enable

    Main Mode:
    KeyLifetime                           480min,0sess
    SecMethods                            DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    ForceDH                               No

    Categories:
    BootTimeRuleCategory                  Windows Firewall
    FirewallRuleCategory                  Windows Firewall
    StealthRuleCategory                   Windows Firewall
    ConSecRuleCategory                    Windows Firewall


    Quick Mode:
    QuickModeSecMethods                   ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
    QuickModePFS                          None

    Security Associations:

    Main Mode SA at 08/28/2012 09:14:10                     
    ----------------------------------------------------------------------
    Local IP Address:                     2001:db8:1:1000:5806:4552:7ba7:955f
    Remote IP Address:                    2002:836b:3::836b:3
    Auth1:                                ComputerCert
    Auth2:                                UserNTLM
    MM Offer:                             None-AES128-SHA256
    Cookie Pair:                          e5159c123282a744:e9241214de1ccbdd
    Health Cert:                          No

    Quick Mode SA at 08/28/2012 09:14:17                    
    ----------------------------------------------------------------------
    Local IP Address:                     2001:db8:1:1000:5806:4552:7ba7:955f
    Remote IP Address:                    2002:836b:3::836b:3
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None

    Quick Mode SA at 08/28/2012 09:14:17                    
    ----------------------------------------------------------------------
    Local IP Address:                     2001:db8:1:1000:5806:4552:7ba7:955f
    Remote IP Address:                    2002:836b:3::836b:3
    Local Port:                           Any
    Remote Port:                          Any
    Protocol:                             Any
    Direction:                            Both
    QM Offer:                             ESP:SHA1-AES192+60min+100000kb
    PFS:                                  None


    IPsec Statistics
    ----------------

    Active Assoc                : 2
    Offload SAs                 : 0
    Pending Key                 : 1
    Key Adds                    : 2
    Key Deletes                 : 0
    ReKeys                      : 0
    Active Tunnels              : 2
    Bad SPI Pkts                : 0
    Pkts not Decrypted          : 0
    Pkts not Authenticated      : 0
    Pkts with Replay Detection  : 0
    Confidential Bytes Sent     : 4,560
    Confidential Bytes Received : 5,768
    Authenticated Bytes Sent    : 5,352
    Authenticated Bytes Received: 5,768
    Transport Bytes Sent        : 0
    Transport Bytes Received    : 0
    Bytes Sent In Tunnels       : 5,352
    Bytes Received In Tunnels   : 5,768
    Offloaded Bytes Sent        : 0
    Offloaded Bytes Received    : 0

    Ok.


    C:\Windows\system32\LogSpace\{37BCCE95-4005-4871-A3B8-463AFA8285F3}>Certutil -store my 
    my "Personal"
    ================ Certificate 0 ================
    Serial Number: 380000000dbe91b1dab34366cc00000000000d
    Issuer: CN=corp-APP1-CA, DC=corp, DC=chiarito, DC=com
     NotBefore: 8/28/2012 3:11 AM
     NotAfter: 8/28/2013 3:11 AM
    Subject: EMPTY (DNS Name=CLIENT1.corp.chiarito.com)
    Non-root Certificate
    Template: 1.3.6.1.4.1.311.21.8.16154045.9063597.8996278.738781.12949753.63.5581288.15056868, Client-Server Authentication
    Cert Hash(sha1): b6 63 72 4e ec 43 fb 76 54 b0 97 d8 51 74 53 33 8b bf af 1b
      Key Container = 3477f4a9619fed2c6a685525828ef943_434177d3-2010-43cf-8f6e-eca3777dabd6
      Simple container name: le-Client-ServerAuthentication-b11fed80-9e0b-47c4-846c-7a7be5f67017
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed

    ================ Certificate 1 ================
    Serial Number: 380000000e2f45c56b6527a74200000000000e
    Issuer: CN=corp-APP1-CA, DC=corp, DC=chiarito, DC=com
     NotBefore: 8/28/2012 3:11 AM
     NotAfter: 8/28/2013 3:11 AM
    Subject: CN=CLIENT1.corp.chiarito.com
    Certificate Template Name (Certificate Type): Machine
    Non-root Certificate
    Template: Machine
    Cert Hash(sha1): 39 b8 f7 57 eb e1 71 c0 c0 2f 22 a7 26 8d 96 1b 3f 4f ba 32
      Key Container = 5b54b50e8aaf6565e386e5efaf7b2966_434177d3-2010-43cf-8f6e-eca3777dabd6
      Simple container name: le-Machine-e88ca228-a945-46d5-b6e7-9c1bd869820d
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -store command completed successfully.

    Wednesday 29 August 2012 08:42
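The `netsh advfirewall monitor show consec` section of the log above is the part that actually says whether the DirectAccess IPsec tunnels came up. The following parser is an added example, not part of this thread and not a Microsoft tool: it reads the Security Associations and IPsec Statistics blocks of that output and reports whether a Main Mode SA was negotiated with a computer certificate, whether a Quick Mode SA followed, and whether any packets failed decryption or authentication. The sample text is constructed to match the layout pasted above (addresses and cookies illustrative); the expectation that Auth1 is ComputerCert is an assumption that holds for a certificate-based deployment like this lab.

```python
"""Summarise the Security Associations part of `netsh advfirewall monitor show consec`.

Added example for this thread; it only parses saved text and never touches the firewall.
"""
import re
from typing import Dict, List

# Constructed sample shaped like the client output pasted above
# (addresses and cookies are illustrative, not from a live system).
SAMPLE_CONSEC = """\
Security Associations:

Main Mode SA at 08/28/2012 09:14:10
----------------------------------------------------------------------
Local IP Address:                     2001:db8:1:1000:5806:4552:7ba7:955f
Remote IP Address:                    2002:836b:3::836b:3
Auth1:                                ComputerCert
Auth2:                                UserNTLM
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          e5159c123282a744:e9241214de1ccbdd

Quick Mode SA at 08/28/2012 09:14:17
----------------------------------------------------------------------
Local IP Address:                     2001:db8:1:1000:5806:4552:7ba7:955f
Remote IP Address:                    2002:836b:3::836b:3
Direction:                            Both
QM Offer:                             ESP:SHA1-AES192+60min+100000kb
PFS:                                  None

IPsec Statistics
----------------

Active Assoc                : 2
Pkts not Decrypted          : 0
Pkts not Authenticated      : 0
Pkts with Replay Detection  : 0
Confidential Bytes Sent     : 4,560
"""

SA_HEADER = re.compile(r"^(Main|Quick) Mode SA at (.+?)\s*$")


def parse_consec(text: str) -> Dict[str, object]:
    """Return {'main_mode': [...], 'quick_mode': [...], 'stats': {...}}.

    Each SA is a dict of the 'Key: value' lines under its header; statistics
    are converted to integers with thousands separators removed.
    """
    main: List[Dict[str, str]] = []
    quick: List[Dict[str, str]] = []
    stats: Dict[str, int] = {}
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_HEADER.match(line)
        if m:
            current = {"time": m.group(2)}
            (main if m.group(1) == "Main" else quick).append(current)
            section = "sa"
            continue
        if line == "IPsec Statistics":
            current, section = None, "stats"
            continue
        if not line or line.startswith("-") or ":" not in line:
            continue
        key, _, value = line.partition(":")  # IPv6 values contain ':' so split once
        key, value = key.strip(), value.strip()
        if section == "sa" and current is not None:
            current[key] = value
        elif section == "stats":
            digits = value.replace(",", "")
            if digits.isdigit():
                stats[key] = int(digits)
    return {"main_mode": main, "quick_mode": quick, "stats": stats}


def assess_tunnels(parsed: Dict[str, object]) -> List[str]:
    """Findings about the SA table; an empty list means the tunnel negotiated
    the way the healthy log above shows."""
    findings: List[str] = []
    main, quick, stats = parsed["main_mode"], parsed["quick_mode"], parsed["stats"]
    if not main:
        findings.append("no Main Mode SA: IKE never completed, so no tunnel exists")
        return findings
    for sa in main:
        # Assumption: a certificate-based DirectAccess deployment authenticates
        # the infrastructure tunnel with the computer certificate.
        if sa.get("Auth1") != "ComputerCert":
            findings.append(f"Main Mode SA to {sa.get('Remote IP Address')} used "
                            f"Auth1={sa.get('Auth1')}, expected ComputerCert")
    if not quick:
        findings.append("Main Mode completed but no Quick Mode SA: "
                        "check the quick mode proposals on both sides")
    for name in ("Pkts not Decrypted", "Pkts not Authenticated",
                 "Pkts with Replay Detection"):
        if stats.get(name, 0):
            findings.append(f"{name} = {stats[name]}")
    return findings


if __name__ == "__main__":
    result = parse_consec(SAMPLE_CONSEC)
    print(f"{len(result['main_mode'])} main mode, {len(result['quick_mode'])} quick mode SA(s)")
    for finding in assess_tunnels(result) or ["no findings"]:
        print(" -", finding)
```

Run it over the saved output of the netsh command. An empty findings list means the infrastructure tunnel negotiated as the log above shows; "no Main Mode SA" is the pattern to expect on a client that reports no tunnels established, and the counters catch the quieter case where the tunnel is up but packets are being dropped.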
  • Are you using the built-in "Computer" template for issuing these machine certificates? Based on the output, I assume not. Please try changing over to using this default template and see if it corrects your issue. One thing that stands out to me is that the "subject" of your certificate is EMPTY; this should not be the case if you are using the Computer template.

    Wednesday 29 August 2012 19:44
  • Actually, I've used the templates, one for Client-Server Authentication (Cert0) and one for Computer (Cert1).

    The subject is empty on the Client-Server template and is present on the other one (Template: Machine).

    Is it correct?

    Thursday 30 August 2012 06:53
  • Sorry, I completely missed the second certificate when I was looking at your log file. Must have had my eyes crossed :)

    Cert1 based off the Computer template - this is the one you want. You don't need the other, and I have had a couple of instances where having multiple certificates caused some problems, so yes I would recommend removing your Cert0 and restart the client and try again. Make sure you don't have any unnecessary certificates on the DA box either, you should only have the same Machine certificate as well as the SSL certificate for IP-HTTPS.

    Thursday 30 August 2012 12:45
  • OK Jordan,

    I guess I've got too many certificates on the DA server...

    Which ones are good?

    ____________________________________________________________________________________

    my "Personal"
    ================ Certificate 0 ================
    Serial Number: 17dc3752aa366e8f44c946d398b06987
    Issuer: CN=DirectAccess-RADIUS-Encrypt-EDGE1.corp.chiarito.com
     NotBefore: 8/28/2012 8:45 AM
     NotAfter: 8/28/2017 1:55 AM
    Subject: CN=DirectAccess-RADIUS-Encrypt-EDGE1.corp.chiarito.com
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): 3e a6 99 de 3a a5 3c 72 a3 33 a2 be e2 13 d1 ce 4e f6 c4 de
      Key Container = 8bc2ef6333ceb03ba7cd9c58d37d3fee_cee17024-5a68-489f-bb6c-0e496a6a9586
      Simple container name: le-4af78aa0-9228-4d50-ba47-1088c5cad521
      Provider = Microsoft Strong Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed

    ================ Certificate 1 ================
    Serial Number: 380000000fb85f69d66236fdad00000000000f
    Issuer: CN=corp-APP1-CA, DC=corp, DC=chiarito, DC=com
     NotBefore: 8/28/2012 7:25 AM
     NotAfter: 8/28/2014 7:25 AM
    Subject: CN=edge1.corp.chiarito.com
    Certificate Template Name (Certificate Type): WebServer
    Non-root Certificate
    Template: WebServer, Web Server
    Cert Hash(sha1): 1e 44 d7 86 1c 8d e8 60 54 be 50 5e a0 d5 e9 fe 97 de ee e4
      Key Container = d65e53ef7099dd8291b41ad05abf0939_cee17024-5a68-489f-bb6c-0e496a6a9586
      Simple container name: le-WebServer-136dbaee-8386-49ce-808b-6d67152d6bba
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed

    ================ Certificate 2 ================
    Serial Number: 38000000105d943f3318fdef45000000000010
    Issuer: CN=corp-APP1-CA, DC=corp, DC=chiarito, DC=com
     NotBefore: 8/28/2012 8:49 AM
     NotAfter: 8/28/2013 8:49 AM
    Subject: EMPTY (DNS Name=EDGE1.corp.chiarito.com)
    Non-root Certificate
    Template: Client-ServerAuthentication, Client-Server Authentication
    Cert Hash(sha1): 1b 48 e1 c7 b3 b9 59 ce 3a 72 f6 f0 e8 fb d8 cc d5 5d 78 d6
      Key Container = 24abd3638599cf8a0bc69226c4ae9314_cee17024-5a68-489f-bb6c-0e496a6a9586
      Simple container name: le-Client-ServerAuthentication-8eecbfe5-e5ee-484d-b13d-8bd32df77ab8
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed

    ================ Certificate 3 ================
    Serial Number: 2466ef2cfca3c8984e958ad98f56cc3b
    Issuer: CN=edge1.chiarito.com
     NotBefore: 8/28/2012 8:42 AM
     NotAfter: 8/28/2017 1:52 AM
    Subject: CN=edge1.chiarito.com
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): 05 6c ae c1 a8 08 28 9e 7f b6 bd fe fe 1b be 53 f0 60 1c cd
      Key Container = 8c42e1abf9de09fb3b4927ee60e08ce0_cee17024-5a68-489f-bb6c-0e496a6a9586
      Simple container name: le-120e3a0f-76da-44cb-9838-77e07443f0eb
      Provider = Microsoft Strong Cryptographic Provider
    Private key is NOT exportable
    Signature test passed
    CertUtil: -store command completed successfully.

    Thursday 30 August 2012 13:00
  • Based on an above log, your IP-HTTPS listener is edge1.chiarito.com - so I assume that the SSL certificate you are using for IP-HTTPS is your Certificate 3 because the name matches.

    Then I see another SSL web certificate - Certificate 1 - but it's issued for the edge1.corp.chiarito.com name. I'm not sure why you have an SSL certificate for the internal name of the server, you shouldn't need one. I also don't see a purpose for Certificate 2 or Certificate 4.

    I think you are missing your "Machine" certificate issued to the server. I don't see one in the list. Just like you have a Machine cert issued from the Computer Template on your client machines, you need one on the server as well.

    I wrote an article explaining the different places certificates are necessary a little while ago, this might help with your overall PKI design: http://www.ivonetworks.com/news/2012/05/directaccess-help-im-drowning-in-certificates/

    Thursday 30 August 2012 13:39
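The certificate layout Jordan describes here and in the earlier reply about the client store (one Machine-template certificate with a CN subject on each DirectAccess client and on the server, plus one SSL certificate on the server whose name matches the IP-HTTPS listener, and nothing else) can be checked automatically from a saved `certutil -store my` listing. The following audit is an added example, not part of this thread and not a Microsoft tool. Its sample listings are constructed from the client and server stores pasted above with only the fields the audit needs kept; the `role` and `iphttps_host` parameters, and the rule that a self-signed IP-HTTPS certificate is flagged, are mine and follow the advice given in this thread.

```python
"""Audit a `certutil -store my` listing against the DirectAccess certificate
layout described in this thread (added example; not a Microsoft tool)."""
import re
from typing import Dict, List, Optional, Set

# Constructed samples modelled on the listings pasted in this thread; only the
# fields the audit needs are kept and no key-container details are included.
CLIENT_STORE = """\
my "Personal"
================ Certificate 0 ================
Issuer: CN=corp-APP1-CA, DC=corp, DC=chiarito, DC=com
Subject: EMPTY (DNS Name=CLIENT1.corp.chiarito.com)
Template: Client-ServerAuthentication, Client-Server Authentication
================ Certificate 1 ================
Issuer: CN=corp-APP1-CA, DC=corp, DC=chiarito, DC=com
Subject: CN=CLIENT1.corp.chiarito.com
Template: Machine
CertUtil: -store command completed successfully.
"""
SERVER_STORE = """\
my "Personal"
================ Certificate 0 ================
Issuer: CN=DirectAccess-RADIUS-Encrypt-EDGE1.corp.chiarito.com
Subject: CN=DirectAccess-RADIUS-Encrypt-EDGE1.corp.chiarito.com
Root Certificate: Subject matches Issuer
================ Certificate 1 ================
Issuer: CN=corp-APP1-CA, DC=corp, DC=chiarito, DC=com
Subject: CN=edge1.corp.chiarito.com
Template: WebServer, Web Server
================ Certificate 2 ================
Issuer: CN=corp-APP1-CA, DC=corp, DC=chiarito, DC=com
Subject: EMPTY (DNS Name=EDGE1.corp.chiarito.com)
Template: Client-ServerAuthentication, Client-Server Authentication
================ Certificate 3 ================
Issuer: CN=edge1.chiarito.com
Subject: CN=edge1.chiarito.com
Root Certificate: Subject matches Issuer
CertUtil: -store command completed successfully.
"""

CERT_HEADER = re.compile(r"^=+ Certificate (\d+) =+$")


def parse_certutil(text: str) -> List[Dict[str, str]]:
    """Split the listing into one dict of 'Key: value' fields per certificate."""
    certs: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CERT_HEADER.match(line)
        if m:
            certs.append({"index": m.group(1)})
        elif certs and ":" in line and not line.startswith("CertUtil:"):
            key, _, value = line.partition(":")
            certs[-1][key.strip()] = value.strip()
    return certs


def template_names(cert: Dict[str, str]) -> Set[str]:
    names: Set[str] = set()
    for field in ("Template", "Certificate Template Name (Certificate Type)"):
        names.update(p.strip() for p in cert.get(field, "").split(",") if p.strip())
    return names


def is_machine_cert(cert: Dict[str, str]) -> bool:
    # The built-in template is "Computer" in the console, "Machine" in certutil output.
    return bool(template_names(cert) & {"Machine", "Computer"})


def is_self_signed(cert: Dict[str, str]) -> bool:
    return "matches Issuer" in cert.get("Root Certificate", "")


def subject_cn(cert: Dict[str, str]) -> Optional[str]:
    m = re.match(r"CN=([^,]+)", cert.get("Subject", ""))
    return m.group(1).strip().lower() if m else None


def audit_store(certs: List[Dict[str, str]], role: str,
                iphttps_host: Optional[str] = None) -> List[str]:
    """Findings against the layout described in the thread: exactly one
    Machine-template certificate with a CN subject; on the server also one SSL
    certificate whose CN matches the IP-HTTPS host. Everything else is flagged."""
    findings: List[str] = []
    machine = [c for c in certs if is_machine_cert(c)]
    if len(machine) != 1:
        findings.append(f"expected exactly one Machine-template certificate, found {len(machine)}")
    for c in machine:
        if subject_cn(c) is None:
            findings.append(f"certificate {c['index']}: Machine cert has no CN subject")
    wanted = {c["index"] for c in machine}
    if role == "server":
        host = (iphttps_host or "").lower()
        ssl = [c for c in certs if subject_cn(c) == host and not is_machine_cert(c)]
        if not ssl:
            findings.append(f"no certificate with CN={host} for the IP-HTTPS listener")
        for c in ssl:
            wanted.add(c["index"])
            if is_self_signed(c):
                findings.append(f"certificate {c['index']}: IP-HTTPS certificate is self-signed")
    for c in certs:
        if c["index"] not in wanted:
            findings.append(f"certificate {c['index']} ({c.get('Subject', '?')}) is not needed for DirectAccess")
    return findings


if __name__ == "__main__":
    for role, store, host in (("client", CLIENT_STORE, None), ("server", SERVER_STORE, "edge1.chiarito.com")):
        print(role + ":")
        for f in audit_store(parse_certutil(store), role, host) or ["ok"]:
            print(" -", f)
```

On the server listing above the audit reports no Machine-template certificate, flags the self-signed edge1.chiarito.com certificate used for IP-HTTPS, and lists certificates 0, 1 and 2 as unneeded, which is the same conclusion Jordan reaches by eye. Take the IP-HTTPS host name from the URL in `netsh int httpstunnel show interfaces` rather than guessing it.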
  • Yes, I've read it, but following these indications DA OperationStatus gives me this error:

    The IP-HTTPS certificate is missing. The Certificate has been removed from computer store

    Reviewing the current situation, I have:

    Computer Certificate per each machine (Clients, DA server, and APP server)

    DA Server: Step2 Configuration, Network Adapters, Certificate used for IP-HTTPS is enabled "Use a self signed certificate ..."


    Thursday 30 August 2012 14:06
  • So did you add a computer certificate to the DA server? Or was there already one there? You do not need a machine certificate on the APP server by the way.

    I apologize if my directions caused the certificate being used by IP-HTTPS to be removed, but based on the certificate output in your log file the cert that should have been used by IP-HTTPS was the Web Server cert for edge1.chiarito.com, and I don't think it was using the right one. Also, I know this is a test lab and so it's probably sandboxed, but using self-signed certs for IP-HTTPS is not a great idea. Obviously not for production because of security reasons, but it can also cause issues with connectivity in any circumstance.

    Thursday 30 August 2012 18:23
  • I've added a new machine certificate on the DA server; basically I have cleaned the certificate store and I've created a new one for IP-HTTPS too, using it instead of the self-signed certificate.

    The client machine (Win 8 RTM Enterprise) is still unable to reach network resources in spite of this certificate configuration.

    Moreover, I've created a new client running Win7 Ultimate; it is unable to ping the App server even though the client policies are applied correctly.

    I can't understand where the problem is, server or client side... Why are client machines connected through the IP-HTTPS tunnel instead of 6to4?

    Thanks for any idea.

    Thursday 30 August 2012 18:40
  • I wondered that too when I first saw your log file. In fact, it looks like you have all 3 connected - 6to4, Teredo and IP-HTTPS. Anytime that IP-HTTPS and one of the others are both connected at the same time, IP-HTTPS takes preference and handles the traffic.

    IP-HTTPS usually only connects if the other protocols don't connect themselves in a timely fashion. So maybe this is an indicator of a network slowness or another problem that could be causing all of your trouble. What that would be though I'm not sure. Is this all within a Hyper-V environment? Or are you using real switches and networks?

    Thursday 30 August 2012 18:46
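Jordan's observation that all three transition technologies are up and that IP-HTTPS then carries the traffic can be checked mechanically from the netsh output a client already collects, which is useful before anyone starts toggling 6to4 or Teredo. The following is an added example, not from this thread or from Microsoft. Its samples are constructed from the layout of the `netsh int teredo show state`, `netsh int httpstunnel show interfaces` and `netsh int ipv6 show int level=verbose` output pasted above; the precedence rule (IP-HTTPS wins whenever it is up alongside another transition technology) is the one this reply states, and listing 6to4 ahead of Teredo when only those two are up is my assumption.

```python
"""Report which IPv6 transition technology a DirectAccess client is using,
from saved netsh output (added example for this thread, not a Microsoft tool)."""
import re
from typing import Dict, List, Optional

# Constructed samples shaped like the client output pasted earlier in this thread.
TEREDO_STATE = """\
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : edge1.chiarito.com (Group Policy)
State                   : qualified
Client Type             : teredo host-specific relay
NAT                     : none (global connectivity)
"""
IPHTTPS_STATE = """\
Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://edge1.chiarito.com:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active
"""
IPV6_INTERFACES = """\
Interface 6TO4 Adapter Parameters
----------------------------------------------
IfLuid                             : tunnel_5
State                              : connected
Metric                             : 5

Interface isatap.isp.example.com Parameters
----------------------------------------------
State                              : disconnected

Interface Teredo Tunneling Pseudo-Interface Parameters
----------------------------------------------
State                              : connected

Interface iphttpsinterface Parameters
----------------------------------------------
State                              : connected
"""

IFACE_HEADER = re.compile(r"^Interface (.+?) Parameters$")


def parse_kv(text: str) -> Dict[str, str]:
    """'Key : value' lines of a single netsh block (values may contain ':')."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("-"):
            k, _, v = line.partition(":")
            out[k.strip()] = v.strip()
    return out


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """One dict per 'Interface <name> Parameters' block of `show int`."""
    ifaces: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_HEADER.match(line)
        if m:
            current = ifaces.setdefault(m.group(1), {})
        elif current is not None and ":" in line and not line.startswith("-"):
            k, _, v = line.partition(":")
            current[k.strip()] = v.strip()
    return ifaces


def transition_summary(teredo: str, iphttps: str, ipv6_ifaces: str) -> Dict[str, object]:
    t, h, ifs = parse_kv(teredo), parse_kv(iphttps), parse_interfaces(ipv6_ifaces)
    connected = {name: p.get("State") == "connected" for name, p in ifs.items()}
    up: List[str] = []
    # Assumption: 6to4 is listed ahead of Teredo, the usual Windows preference.
    if connected.get("6TO4 Adapter"):
        up.append("6to4")
    if t.get("State") == "qualified" and connected.get("Teredo Tunneling Pseudo-Interface"):
        up.append("Teredo")
    if h.get("Interface Status") == "IPHTTPS interface active" and connected.get("iphttpsinterface"):
        up.append("IP-HTTPS")
    # Precedence as described in the reply above: IP-HTTPS carries the traffic
    # whenever it is up at the same time as another transition technology.
    active = "IP-HTTPS" if "IP-HTTPS" in up else (up[0] if up else None)
    return {"connected": up, "active": active, "teredo_state": t.get("State"),
            "iphttps_error": h.get("Last Error Code"), "iphttps_url": h.get("URL")}


if __name__ == "__main__":
    s = transition_summary(TEREDO_STATE, IPHTTPS_STATE, IPV6_INTERFACES)
    print(f"connected: {', '.join(s['connected']) or 'none'}; active: {s['active']}")
    print(f"IP-HTTPS {s['iphttps_url']} last error {s['iphttps_error']}")
```

With the three blocks from the log above the summary is "connected: 6to4, Teredo, IP-HTTPS; active: IP-HTTPS", which is exactly the situation Jordan describes. A non-zero IP-HTTPS last error code or a Teredo state other than "qualified" is worth recording before changing any transition setting, since it points at the network rather than at the certificates.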
  • Hyper-V environment...

    Is there a way to force the 6to4 tunnel?

    The Windows 7 machine does not recognize any DNS server; does it require a different configuration than the Win8 client?

    Thursday 30 August 2012 19:58
  • You can enable or disable 6to4 and Teredo with netsh commands:

    netsh interface 6to4 set state disabled
    netsh interface 6to4 set state enabled

    netsh interface teredo set state disabled
    netsh interface teredo set state enterpriseclient
    (this enables Teredo and sets it to EnterpriseClient status, which is recommended)

    To enable or disable IP-HTTPS you can either go into Device Manager, choose to show hidden devices and enable or disable it there, or you can use this registry key:

    HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\IPHTTPS_ClientState
    To disable the interface, set the value to 3.

    I'm not sure what you mean with your DNS question...?

    Friday 31 August 2012 14:02
  • According to the IPsec Negotiation Failure message I've decided to disable the authentication from the GPO,

    and I have a different error message from troubleshooting:

    website (directaccess-WebProbeHost.corp.chiarito.com) is online but isn't responding to connection attempts.

    Description: The remote computer isn't responding to connections on port 80, possibly due to firewall or security policy settings, or because it might be temporarily unavailable. Windows couldn't find any problems with the firewall on your computer.

    About DNS on the Win7 client side: the ping command can't reach any server from this client.

    Monday 3 September 2012 06:49
  • Hello Jordan, 

    I am trying to get DirectAccess to work on our server.

    I am currently at the point where everything seems to work on the server, but I get a failure on the client when negotiating the IPsec connection.

    I can see that the IPHTTPS interface is active and I can ping the IPv6 DNS server, but when I try to resolve internal DNS names with the server I get a DNS request timeout.

    In my firewall settings I see that no tunnels are established.

    Here is what comes out of the Windows event log viewer on the client:

    An IPsec main mode negotiation failed.

    Local Endpoint:
    Local Principal Name: -
    Network Address: fd9f:acd1:73f0:1000:e5db:f93a:45bf:d5d1
    Keying Module Port: 500

    Remote Endpoint:
    Principal Name: -
    Network Address: fd9f:acd1:73f0:1000::1
    Keying Module Port: 500

    Additional Information:
    Keying Module Name: IKEv1
    Authentication Method: Unknown authentication
    Role: Initiator
    Impersonation State: Not enabled
    Main Mode Filter ID: 0

    Failure Information:
    Failure Point: Local computer
    Failure Reason: No policy configured

    State: No state
    Initiator Cookie: c10e787b5ed5a298
    Responder Cookie: 0000000000000000

    I have a certificate installed which passes the test from the direct connect troubleshooting tool from Microsoft.

    Any help would be greatly appreciated


    Monday 25 March 2019 15:43