Channel: Forefront Edge Security – DirectAccess, UAG and IAG フォーラム

OTP 2FA Problems with DA 2012 R2 and Windows 8.1 Client - Not prompting or OTP Code


Hi 

Just seeing if anyone has come across the same issue with their Win 8.1 clients not prompting for 2FA once configured with DirectAccess 2012 R2?

I have created the 2x OTP certificates, enabled OTP via PowerShell and set up the RADIUS server but whatever happens the Win 8.1 client does not get prompted for 2FA - They connect seamlessly?

I have also configured the DAProbeUser on the RADIUS server

Any help appreciated

Thanks


Direct Access - IPHTTPS interface active when inside corporate network


We currently have a single Server 2012 R2 server and a handful of clients using Direct Access. Laptops running Windows 8.1 work fine but we have a few Windows 7 laptops where we are having network issues. Surprisingly, the problem isn't getting Direct Access to work. It's getting Windows to deactivate the IPHTTPS interface when the computer is back on the corporate network.

Direct Access knows that the computer is inside the corporate network and is disabled....

C:\WINDOWS\system32>netsh dnsclient show state

Name Resolution Policy Table Options
--------------------------------------------------------------------

Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network

Query Resolution Behavior             : Resolve only IPv6 addresses for names

Network Location Behavior             : Let Network ID determine when Direct
                                        Access settings are to be used

Machine Location                      :Inside corporate network

Direct Access Settings                :Configured and Disabled

DNSSEC Settings                       : Not Configured

And yet the IPHTTPS interface is still active.

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        :https://engr-da1.domain:443/IPHTTPS
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active

This is causing problems when people try to access local websites with IE (Chrome and Firefox are fine). There is a huge delay before IE actually renders the page which I'm guessing is related to IPv6 and/or DNS. Once the IPHTTPS interface is disabled or is actually deactivated, everything is fine.

Thoughts?

Gpupdate /force re-adds NRPT entries from previous DirectAccess GPO, gpresult cites Local Group Policy as source


I'm in the process of replacing an old 2012 DirectAccess server with a new 2012 R2 server. I have a Win 7 x64 SP1 test machine that will bring back the old server's NRPT entries when I run a gpupdate /force, which breaks DirectAccess due to incorrect name resolution. When I run gpresult to find the source of the entries, "Local Group Policy" is listed.

I can go into Group Policy Editor for the local machine, manually delete the entries, apply the settings, and see the entries disappear from the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig when I refresh the registry editor. At this point, if I reboot the machine and log back in, DirectAccess will connect. However, if I gpupdate /force, the entries come back again citing local group policy. There does not appear to be a group policy from the domain creating the entries as extra registry settings. Has anyone experienced or fixed similar behavior?

* The NRPT entries were previously imported using a reg script. However, even using a new reg script to clear all existing entries and generate new ones does not change the gpupdate behavior. Gpupdate without the force parameter does not exhibit the issue.
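An added example (not part of the post above) for auditing the policy-delivered NRPT rules the poster describes: it dumps every rule under the DnsPolicyConfig key and flags any that still name the decommissioned server. It assumes an elevated PowerShell on the client and that $OldServerPattern is a placeholder for the old server's name or address.

```powershell
# Added example, not from the forum post. Lists the NRPT rules that policy writes to
# the registry and flags those still referencing the old DirectAccess server.
# Assumptions: run elevated on the client; $OldServerPattern is a placeholder value.
$OldServerPattern = 'old-da-server'   # placeholder: the decommissioned server's name or IP

# Registry location quoted in the post; each subkey is one NRPT rule.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'

if (-not (Test-Path $PolicyKey)) {
    Write-Output "No policy-delivered NRPT rules under $PolicyKey"
    return
}

$stale = @()
Get-ChildItem $PolicyKey | ForEach-Object {
    $rule = Get-ItemProperty $_.PSPath
    # Render every value of the rule (skipping the PS* provider properties) so the
    # source of a stale rule is visible at a glance.
    $text = ($rule.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "$($_.Name)=$($_.Value -join ',')" }) -join '; '
    Write-Output "$($_.PSChildName): $text"
    if ($text -match [regex]::Escape($OldServerPattern)) { $stale += $_.PSChildName }
}

if ($stale.Count -gt 0) {
    Write-Warning ("Rules still referencing '{0}': {1}" -f $OldServerPattern, ($stale -join ', '))
    # gpresult /h writes an HTML report that names the GPO (or local policy) behind each setting.
    Write-Warning "Compare with 'gpresult /h report.html' to find which policy object writes them."
}
```

On Windows 8 / Server 2012 and later, Get-DnsClientNrptPolicy shows the effective rules after policy processing, which is a useful cross-check against the registry dump; it is not available on the Windows 7 client in the post.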

When updating DA setting I get error


I have a Direct Access server, I have updated the configuration, but when I try to apply the settings,

I get the error back that it cannot write/create a file that already exists (I think it means the group policy).

The DA is a Windows 2012 server.

Firewall: Deny All - Allow Only Whitelisted?


We have a new DA 2012 R2 server deployed and it's working well. However, I'd like to deny all access to our internal network and only allow traffic to whitelisted servers. This seems pretty straightforward with the combination of GPO and the firewall block list. I've tested it and it seems to apply the policy almost immediately on the client and deny the traffic.

If I want to block all, is allowing (whitelisting) IPv4/IPv6 to the DA server and to our AD servers adequate to allow a user to continue to connect via DA and log into their workstation via their AD account?

Also, although we cannot alter our base network infrastructure at this point, is there perhaps another way I can accomplish this using DA?

DirectAccess stuck Connecting after VPN disconnect?


We use OpenVPN for our VPN clients coupled with DirectAccess for transparent domain access on Windows 8.1. If I boot a client it connects to DA and everything works as it should. When I connect to OpenVPN on the same client, DA immediately changes to a "Connecting ..." state and stays there, even after I disconnect from the VPN.

If I run a netsh interface httpstunnel show interface it shows a 0x274c failed to connect to the IP-HTTPS server. Waiting to reconnect.

The DirectAccess Client Troubleshooter fails at the IP Connectivity, Infrastructure Tunnel, and User Tunnel Tests.

However, I can access the directaccess server just fine on port 443, even via a web browser.

I've tried restarting the IPHelper service and the IKE service, but DA eventually reverts to the same 0x274c error. The only way to clear it is to reboot the client.

The log from the DA Troubleshooter shows that NLS thinks it's "internal" I believe, as the IsExternal and GetNLS return the internal FQDN of the DA server and try to connect to that, then throw an error 503. Almost everything after that in the log also fails, of course.

I'm at a loss as to how to solve this.

Server 2012 R2 DirectAccess Teredo server cannot be started


Hi all,

Our 2012 R2 DirectAccess server worked without any problems. Last week I enabled cluster configuration with external load balancing and added a second server to the cluster. As a consequence the two consecutive public IP addresses switched over to the load balancer and the first server got two new IPs. Works like described in TechNet and still everything was fine.

For some internal reasons I had to change back to single server configuration. So I removed the second server from the cluster and disabled load balancing. As a consequence the two new IPs had been removed and the server got its old consecutive IP addresses back, all automatically like it should. But now I have a problem: Teredo server is not starting anymore. Basically the server works and users can establish IPHTTPS connections without any problems. But Remote Access console displays a red cross for Teredo and says “Teredo server has stopped working”. If I check Teredo over PowerShell with “netsh interface teredo show state” I get State=offline and Error= unable to open primary socket.

I checked everything. IP addresses configured correctly, restarted services, restarted whole server.

I don’t know what to do. Any suggestions? Thanks in advance!

If you have questions or need additional information, just ask!

Sebastian  

DirectAccess not starting when authenticating through a captive portal


I have had some problems with DirectAccess not starting to establish a connection when connecting through a WLAN which requires you to authenticate through a captive portal. Most companies' visitor wireless networks have authentication based on these so it's a bit of a problem for my users.

Are there some settings that could be configured for DirectAccess to attempt a connection again after a certain time?

Another option I've been wondering about is whether I could create shortcuts that would restart the IP Helper and Network Connectivity Assistant services, as this has always fixed the DirectAccess connection after authenticating to these visitor networks.


Windows 2012 R2 - Direct Access Problem with force tunneling


Hello

I have one client that asked us to implement Direct Access. When we implement with split tunneling all works ok. When we choose force tunneling the clients can't access anything, not even the internal servers.

My clients have Windows 7 with SP1. The clients don't use a proxy. All the clients have internet to port 443 and port 80.

When I choose split tunneling my DNS configurations are these

When I choose force tunneling they become this

I've deleted the configuration, recreated all the configuration, but the problem is the same.


Element not found when trying to change url for httpstunnel


We use DirectAccess 2012 and Windows 7 is able to connect via DirectAccess.

Netsh dns show state
shows me that I have an httpstunnel adapter with a URL.

According to the following article I should be able to change that URL of the httpstunnel which we use for DirectAccess:

https://technet.microsoft.com/en-us/library/dd941590%28v=ws.10%29.aspx#BKMK_4

However, when I use the following command 

netsh interface httpstunnel set interface https://something.com:443/IPHTTPS none

I get the error "Element not found"

What am I doing wrong here?

DirectAccess remove access to UNC drives?


I've set up my first DirectAccess site (for a school with a notebook program). Connection is working fine through our TMG 2010 DMZ (2 NICs) routing traffic to the DA server (single NIC).

The initial reason for using DirectAccess was to push students into using the school's filtered proxy server for Internet access from home. We want to be able to restrict access to network shares while at home, but still allow access at school. I've tried to set a deny permission for the DA$ server itself, but that hasn't helped. The shares are hosted on the DC, which also hosts DNS via AD Integrated.

It's actually not the students we are worried about in this situation, we are more worried about parents browsing the network, which may have student photos and other data.

If we could restrict via specific shares that would be a better scenario. This way we could allow them access to their Home drive, while denying access to the photos and shared drives.

Direct Access IP HTTPS Certificate Auto Enrolment


Hi,

Is it possible, instead of manually renewing the IPHTTPS server certificate every time it expires, to configure auto enrollment so that it mitigates the risk of an unexpected outage should it be missed and not manually renewed?

Thanks,

Ranjit.
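An added example, not from the post or from Microsoft, of the operational check that goes with auto-enrollment: it reports how long the certificate bound to the IP-HTTPS listener has left and, when a newer certificate with the same subject is already in the machine store, binds it with Set-RemoteAccess. It assumes it runs as Administrator on the DirectAccess server with the RemoteAccess module, and that $WarnDays is a chosen threshold.

```powershell
# Added example, not from the forum post. Checks the IP-HTTPS certificate's remaining
# lifetime and binds an already-issued replacement if one exists.
# Assumptions: run as Administrator on the DA server; $WarnDays is a chosen threshold.
Import-Module RemoteAccess
$WarnDays = 30

# Get-RemoteAccess exposes the certificate currently bound to the IP-HTTPS listener.
$current  = (Get-RemoteAccess).SslCertificate
$daysLeft = [int]($current.NotAfter - (Get-Date)).TotalDays
Write-Output ("IP-HTTPS cert {0} (thumbprint {1}) expires {2:yyyy-MM-dd}, {3} days left" -f
    $current.Subject, $current.Thumbprint, $current.NotAfter, $daysLeft)

if ($daysLeft -gt $WarnDays) { return }

# Auto-enrollment places the renewed certificate in the machine store; binding it to the
# listener is a separate step. Pick the same subject, with a private key, expiring later
# than the bound certificate and already valid.
$candidate = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $current.Subject -and $_.HasPrivateKey -and
                   $_.NotAfter -gt $current.NotAfter -and $_.NotBefore -le (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if ($null -eq $candidate) {
    Write-Warning "No renewed certificate found; clients lose IP-HTTPS once the bound certificate expires."
    return
}

Write-Output "Binding renewed certificate $($candidate.Thumbprint) (expires $($candidate.NotAfter))"
Set-RemoteAccess -SslCertificate $candidate
```

The renewed certificate must keep the same subject name that clients are configured to connect to, otherwise IP-HTTPS validation fails even though the binding succeeds; run the script from a scheduled task so a missed renewal is surfaced as a warning rather than as an outage.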

Error while trying to configure DirectAccess with OTP


Hi all

I have a working environment of DirectAccess 2012 R2 for Win8.1 clients (One DA Server)

I have both Vasco and Azure MFA for OTP authentication and I wanted to add any of them to my DA topology

I installed a new dedicated Enterprise-CA and added the OTP templates , added a new DAProbe user to my radius server and followed the rest of the documentation as described on TechNet.

I know there's a bug in the DA UI wizard for OTP so I just enabled Two-Factor authentication and then from PowerShell I ran the command

Enable-DAOtpAuthentication -CertificateTemplateName 'DirectAccessOTPLogon' -SigningCertificateTemplateName 'DirectAccessOTPRegistrationAuthority' -CAServer 'testdomain.com\CA' -RadiusServer MFA.testdomain.com -SharedSecret Aa123456

and I get the following error:

Enable-DAOtpAuthentication : The specified CA servers are either not valid enterprise CAs or specified incorrectly.
Rerun the cmdlet with a valid CAServer parameter in the correct format (FQDN\CAServerName).
At line:1 char:1
+ Enable-DAOtpAuthentication -CertificateTemplateName 'DirectAccessOTPLogon' -Sign ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CAServer:root/Microsoft/...pAuthentication) [Enable-DAOtpAuthentication],
    CimException
    + FullyQualifiedErrorId : HRESULT 80092004,Enable-DAOtpAuthentication

  • My radius server is domain joined
  • the PowerShell runs as Administrator
  • firewalls are disabled on my DC, CA and my radius server and I can ping the CA without any issues
  • The CA is Enterprise CA for sure and not Standalone
  • I can issue certificates from the CA without any issues
  • I tried to input the CA Server like this @{'domain.fqdn'}, 'domain.fqdn', domain.fqdn - all result the same
  • I even tried to create another CA from scratch just to be sure the problem is not on my server...

Anyway, I'm stuck. Seems like no one else on the web ran into this error...

I'd love to get some help on ways to troubleshoot the problem

thanks


Tamir Levy



More information is required to complete OTP authentication. Contact your administrator to resolve this issue.


Hi guys

I try to configure my DA environment with OTP using Azure MFA

I used the instructions from TechNet about OTP

I have MFA Server as my radius server, I synced the users from Active Directory, I created a new user named DAProbe (didn't see yet how it does something in the authentication progress but... oh well)

The DA clients got the OTP policy successfully. As the DA client tries to connect it gets an "Action Needed" prompt. I click on it, press Alt-Ctrl-Delete and choose One Time Password for the second factor authentication.

at this stage I'm required to enter my OTP though I don't get any text message (as I configured on my radius)

I enter my active directory password and then I get this message:

Now it seems normal, at this stage I also get a text message to the mobile phone with an OTP, but when I enter the OTP I get this message:

The credentials aren't correct. Please try again

I try the process over and over again. It is definitely not the wrong OTP. Any ideas?

I think it's odd I need to enter my AD credentials again on the DA connection. maybe there's something wrong with the OTP settings?

I'm not sure what's the proper way to troubleshoot this issue. maybe I should somehow concatenate my password with my OTP on the same password window?

hope to get some help

thanks


Tamir Levy

Public and Private IP with same DNS causing Direct Access Error?


I'm having trouble getting through the Direct Access wizard.  It gets to "Updating Network Connectivity Assistant settings" and dies with the error "No such host is known."  It'd be nice if it gave a few more details on what host it's talking about but I was wondering if maybe it might be because our Internet facing NIC's IP address and the public IP that it's NAT-ed to have the same name in DNS but they point to different IP addresses depending on whether you're trying to resolve it from the Internet or from the private side of the network.  (For example if I were to ping daserver.mydomain.com from inside I'd get the private IP 10.0.0.10 and if I would ping it from a box that is on the Internet I get a public IP like 164.123.145.160.) 

I've tried entering just the public IP of the DA server and the DNS name into the "Type the public name or IPv4 address used by clients..." field of the wizard and the result is the same.  I also installed KB2929930 and the only difference I noticed is that the public IP is entered in the wizard by default now.

This is a Server 2012 R2 dual NIC DA installation behind a NAT and an edge firewall with only port 443 open to the Internet.


Client works on DA but not on office network.


In a strange reversal of my previous luck with DA I now have a situation where when the Windows 7 client is connected to the Internet and using DA it works but when I plug it back into the office network it doesn't. We had IPv6 disabled before via the DisabledComponents registry key, I'm wondering if maybe when the DA client gets back onto the IPv4-only office network it's not able to get around because it's trying IPv6 and not getting anywhere. I tried setting DisabledComponents to 0x20 so it would "prefer" IPv4 but that didn't seem to make much of a difference. When I do a "netsh dns show state" it does say "Resolve only IPv6 addresses for names" for Query Resolution Behavior, not sure if that's what is messing things up or not. Any ideas?

UAG 2010 SP4- Exchange 2013 OWA Sign out not working


Hi Fellows,

I am trying to publish OWA using UAG 2010 SP4.

The problem I am facing is that when I access OWA from outside, I am presented with a login interface (UAG look and feel) and am able to log in properly, but I cannot log off. It says "To finish signing out, please close all open browser windows".

I need external users to be able to sign-out from OWA. How can I achieve this using UAG 2010 SP4?

Additional information:
There is no authentication on UAG Trunk.

Log-Off Scheme is enabled on UAG Trunk.

OWA Virtual Directories are configured as Windows Integrated internally (no FBA).
OWA Application Authentication is set to "Automatically Reply to Application Specific Authentication Requests"

Regards,

Junaid Ahmed


J.A



Direct Access alongside Palo Alto's Global Protect VPN


To start with I just want to say I'm also working with Palo Alto on this, but figured I would come here in case someone has experience with these two:

We have recently installed a PA 5020 Firewall and while working on the Global Protect (GP) VPN are unable to get the 2 (Direct Access and GP) VPNs to function properly.

On a machine outside of the corp with no Direct Access configurations and only having GP everything works fine. DNS checks out and you have solid IPv4 routing to all of our desired networks we want access to.

On a machine that has strictly Direct Access running everything works as it has before with us able to access all the desired resources we want and were previously able to. Able to ping domain names and return with IPv6 as expected.

Now the problem comes when you try to connect the 2nd machine that has DA to GP. GP will connect properly and you have IPv4 connectivity to all devices listed in the routes that are published to it, however DNS breaks at this point. You are unable to resolve any DNS name (flushed the dns then try to ping a name and it fails), if you do a nslookup on the same name our internal DNS server does respond and provide the proper IP.

I think part of what is causing the problem is that Direct Access doesn't fully turn itself off as it should. When we had Cisco AnyConnect we had no problems and DA would shut itself off after you connected to AnyConnect as it would see itself as "inside" due to it having inside access through the AnyConnect tunnel. With GP though DA still sees itself as being outside the network and does not properly disable, but while not disabled it is also not all the way connected as the various tunnel adapters are shown as disconnected and there is no MM/QM under the Security Associations within the Firewall settings.

Any suggestions would be greatly appreciated!

iphttps cert Renewal


Hello All,

I have deployed DA 2012 with the Multisite option. In one of my sites, where we have configured NLB, the IPHTTPS cert is expiring. Can someone tell me the correct way of renewing it?

-Ashish

Can't configure DirectAccess


Hi,

Trying to configure DirectAccess on a new server. I have installed the remote access role.

When I click Run the Getting Started Wizard or run the Remote Access Setup Wizard and click Deploy, I get "one or more prerequisite checks failed".

The server is fully up to date, 2 NICs and Windows Firewall is turned on as it should.

Can anyone help?

Thanks
