Channel: Forefront Edge Security – DirectAccess, UAG and IAG Forum

Any available security white papers on Direct Access?

I am doing a control-based product review based on NIST -- does anyone have any white papers for Direct Access that could help me with this?

"The IP-HTTPS certificate is missing. The certificate has been removed from the computer store" after replacing expired certificate


On our DMZ Direct Access servers we had to renew the SSL certificate from a third-party provider for incoming internet traffic that is shared by the farm, as the old one was about to expire. We went through the Direct Access document and repeated all the parts referring to this certificate configuration. However, in the Remote Access dashboard, the IP-HTTPS service on all servers in the farm is shown as down with the error below:

The IP-HTTPS certificate is missing. The certificate has been removed from the computer store.

Ensure a valid certificate exists in the machine store, and that DirectAccess is configured to use the certificate.

It can only be due to the certificate replacement, as it worked before the change, and another Direct Access server farm, where the old certificate is still in use, is running fine. There must be something on the farm containing the changed certificate that is still pointing towards the old expired certificate, but as we went through all the setup steps contained in Microsoft's own document, we are uncertain what it could be. Does anyone have a suggestion on where to look? I found only one MS forum post detailing this error, and going through that, we did not find a solution in the parts we deemed relevant.

DirectAccess Schannel event viewer errors at every user logon


Dear TechNet community,

I recently set up DirectAccess on a Windows Server 2012 R2 machine.
DirectAccess works fine; users are connecting via their Windows 8.1 clients to DirectAccess, no problem.
However, on the server side, after every client connection, we get the following events:

Event 36874, Schannel: An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Followed by: 

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

The client using cipher suites not supported by the DirectAccess server could be the cause of these errors. We're using a self-signed DirectAccess certificate based on SHA-1. Our DirectAccess server is using TLS 1.2 for encryption of the connection. I'm not a cipher suite / TLS / certificate expert, so I don't know if this is the cause of the issue, but I sure can imagine it could be.

Some more background information:
- I've set up DirectAccess using the "Remote Access Setup Wizard", not the "Getting Started Wizard".
- At the "Remote Access Server Setup" step, I've selected "Use a self-signed certificate created automatically by DirectAccess".
  So I've deployed DirectAccess via a self-signed SHA1 certificate, which gets deployed to the DirectAccess clients via GPO.
- The NLS role is installed on the same server as DirectAccess itself.

Do any of you have any idea why the above errors occur?

Any help would be greatly appreciated.

Greetings,

Teun

How can I migrate to a new CA without breaking DA?


Hi,

We currently have DA running on Windows 2012 R2 using a SHA1 CA. We've deployed a new SHA256 CA running on Windows 2016. Currently, both CAs are running side by side, with the SHA1 CA being the primary CA for the organisation, e.g. it's used by GPOs to auto-enroll computer certificates and it's used by the DA server. Both CAs are trusted by the organisation.

We're now in a position to migrate over to the new SHA256 CA; what's the best way to do this without interrupting the current DA service for clients?

Thanks

DirectAccess - Reporting Delegation


Hi,

I thought this would be a nice easy one. How can I give somebody access to just the reporting part of DirectAccess if they have the Remote Access Management MMC installed/enabled on their client?

Thanks!


Direct Access-Win2016 Server to Win 10 Ent client - "Connecting" and "CouldNotContactDirectAccessServer"


Hi,

I have been trying to create a DirectAccess connection in a lab.

I have a Windows 2012 R2 domain controller, and have deployed a new Windows 2016 server for this DirectAccess lab.

The DirectAccess server is a domain member, and I have installed DirectAccess and configured it using the wizard with one NIC. All the config looks good, and the server setup is healthy; the dashboard shows all green ticks.

The server's IP address is accessible from the internet by port forwarding port 443. I have defined an internet-resolvable DNS name that points at my server, which was used in the wizard.

Group policies look fine. I've created a security group and added the computer account of the client into it.

Connected to the internal network, I have pushed the policy to the client (gpupdate) and can confirm it has the policy (gpresult).

When connected internally, all works as it should. The Get-DAConnectionStatus command shows "ConnectedLocally". All looks fine.

However, when I disconnect and connect to the internet externally, my clients all just sit there and do not connect. Get-DAConnectionStatus shows "CouldNotContactDirectAccessServer". It never actually connects or gives me any real error as to what is going wrong. It doesn't tell me much more than that. Clearly that error means something... but what?

I have verified correct internet DNS settings. I can use Edge on the Win10 client to navigate to https://myurl.com.au/IPHTTPS, and I cannot see much except that I can see the self-signed certificate from the server. So that suggests DNS, routing etc. are all working, and group policy etc.

I cannot work out what is failing.

And... this is my third attempt. So whatever I am doing wrong, it is systemic. I have already "nuked" the entire lab and rebuilt it twice because I just cannot get this DirectAccess working. The aim is to evaluate DirectAccess for possible deployment at work in the future, but I just cannot get it to work.

I see some people suggest that a one-NIC setup is troublesome, and I would try a two-NIC DMZ approach, but I do not have that capability in my lab (home lab).

Any suggestions? 

PHerbison


Herbie

Direct Access Best Practice Analyzer Results


Hi

I ran BPA against our Direct Access server and I get a number of errors and warnings. Does anyone know if these are anything to be worried about?

Computer authentication not working 802.11 for Wireless security using NPS Server


Hello,

I am not sure if I submitted this to the correct forum. I couldn't find anything related to RADIUS servers.

Our goal is to centralize wireless access from all company locations using a RADIUS server. I have an NPS server set up to authenticate domain computers and allow access to the network. Current scenarios:

  • NPS server has a CA-signed cert.
  • WiFi profile is pushed to all domain computers using GPO.
  • Access points at local and remote locations are RADIUS clients.
  • Network policy authentication uses PEAP and secured password (EAP-MSCHAP v2).
  • The domain computer is authenticated and allowed access from the local office (RADIUS client and NPS are on the same LAN).
  • The domain computer is authenticated and allowed access from a remote office (RADIUS client and NPS are connected through the WAN).
  • The same domain computer cannot authenticate from a remote office where the RADIUS client is connected through a site-to-site VPN. RADIUS communication traverses the IPsec tunnel.

Are there any adjustments and/or workarounds to get this to work from the site-to-site VPN office?

 


DirectAccess - Windows Server 2012 Auditing


Hi,

I'm after some audit information, specifically user connection time and date over the last 3 months. We're trying to identify usage patterns. I've tried the "generate report" option in the Remote Access console, but that doesn't allow me to export the results into a handy format (i.e. CSV) and it doesn't go back far enough (3 months). What's the best way to get this information?

Thanks
 
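One way to pull connection history out of DirectAccess inbox accounting and export it to CSV, as an added example (not from the post or from Microsoft's documentation). It uses the RemoteAccess module's Get-RemoteAccessConnectionStatistics cmdlet; the output property names and the duration unit (seconds) are assumptions from typical output, and the range you can actually retrieve is bounded by how long accounting has been enabled and retaining data on the server.

```powershell
# Added example: export DirectAccess connection history to CSV and summarise
# usage patterns. Run on the Remote Access server (or a host with RSAT) with
# the RemoteAccess module available. Property names UserName,
# ConnectionStartTime, ConnectionDuration (assumed seconds) and ClientIPAddress
# are assumptions; adjust them after inspecting one record with Format-List.
param(
    [int]$Days = 90,                                  # look back 3 months
    [string]$OutFile = "C:\Temp\DA-Connections.csv"   # constructed path
)
Import-Module RemoteAccess

$end   = Get-Date
$start = $end.AddDays(-$Days)

# Historical records come from inbox accounting; if accounting was enabled
# later than $start, or the store has trimmed old rows, you get less history.
$records = Get-RemoteAccessConnectionStatistics -StartDateTime $start -EndDateTime $end
if (-not $records) {
    Write-Warning "No connection records returned for the requested range."
    return
}

# Flatten to the fields the audit needs and write a CSV (no type header line).
$records |
    Select-Object UserName,
                  ConnectionStartTime,
                  @{ Name = 'DurationMinutes'
                     Expression = { [math]::Round($_.ConnectionDuration / 60, 1) } },
                  ClientIPAddress |
    Sort-Object ConnectionStartTime |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Quick usage-pattern views: connections per user and per day of week.
$records | Group-Object UserName | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
$records | Group-Object { $_.ConnectionStartTime.DayOfWeek } |
    Select-Object Name, Count | Format-Table -AutoSize
```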

What is the difference in DirectAccess (Connectivity/Settings/Architecture) in Windows 7 Vs Windows 10



How does DirectAccess differ in terms of architecture/settings/connectivity etc. between Windows 7 and Windows 10 clients?

We are having issues with applications connecting to the license servers hosted internally over DirectAccess in Windows 10.

With Windows 7 clients, the applications connect to the license servers without any issues over the same DirectAccess environment. When the same application is installed on a Windows 10 client and connects over DirectAccess, it reports that the license server is not found.

Is there any difference in the way Windows 7 and Windows 10 clients handle IPv4 and IPv6 addressing etc.?

I have added some environment variables like FNP_IP_ENV and FNP_IP_PRIORITY etc. on the Windows 10 client machines; however, it is still not working... I can ping the license server and it resolves to the IPv6 address.

Thank you

RK


Evaluation version of UAG 2010.

Is it still possible to get hold of an evaluation copy of UAG 2010? This article (https://technet.microsoft.com/en-us/library/ee921433.aspx) states that it should be available via the Download Center (https://www.microsoft.com/en-us/download/details.aspx?id=16811), but this link is now broken. I need the eval copy to do some lab work to cost up a project for a client that needs to keep their UAG environment alive.

DA in Windows Server 2019

I'm curious, will DA still be present and supported in the 2019 version? At Ignite in autumn 2017 I heard for the first time that DA is no longer being developed, but in 2016 it is still fully supported.

Please remember to mark my post as an answer, if I really helped you out, or vote if usefull. Thank you!

GPUpdate/Firewall Policy Changes on 2012 R2 DirectAccess Server Resets All Client Connections


The DirectAccess server is in its own OU with blocked inheritance. If I unlink every computer policy except for the DirectAccess server configuration policy and run gpupdate /target:computer /force, all of the clients reset their connections.

Firewall is set to "on" when no group policy applied and with a GPO. 

Routine 90-minute interval GPUpdates don't cause the issue, but some kind of manual gpupdate is being run by "SYSTEM" that coincides with 4004 events in the Group Policy operational log. The information is usually "Starting manual processing of policy for computer DOMAIN\COMPUTERACCOUNT$". The times of occurrence for these events are not at any kind of predictable interval, but they do not coincide with console/RDP logins to the server.

This server also has the SCCM agent, SCOM agent, and AppLocker running in audit mode. I have noticed that the system-generated PolicyConverter task is running one second before gpupdate, but I can manually run the task and not get the gpupdate or reset all of the DA connections. Any ideas? I have failed to find any potential matches to my scenario searching the web.

 


Installation of sap


Hi,

I have installed an SAP server through VMware on a Windows 7 operating system. I am opening the SAP GUI only in the virtual machine's operating system, but I want to connect from my Windows 7 SAP GUI to that SAP server running in the virtual machine.

So, if anybody knows how to connect, or how to create a shortcut in the main operating system to the SAP server running virtually through VMware, please share your answer.

Thanks in Advance...:)

Windows 10 1607 LTSB won't connect via Direct Access


We have a Windows Server 2012 DA server setup which is working fine. We have a few clients which, for whatever reason, stop connecting via DA, and the only fix seems to be to reinstall the OS. I've tried removing from/joining to the domain, resetting the Winsock... but nothing seems to work.

If I go into Control Panel there is also no Direct Access icon at all.

The below is from a problematic machine. Any tips on what I can try?

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> Get-DAClientExperienceConfiguration


Description                      : DA Client Settings
CorporateResources               :
IPsecTunnelEndpoints             :
CustomCommands                   :
PreferLocalNamesAllowed          : False
UserInterface                    : False
PassiveMode                      : False
SupportEmail                     :
FriendlyName                     :
ManualEntryPointSelectionAllowed : True
GslbFqdn                         :
ForceTunneling                   : Enabled



PS C:\Windows\system32> Get-DAConnectionStatus


Status    : ConnectedLocally
Substatus : None

PS C:\Windows\system32> Get-DAConnectionStatus


Status    : Error
Substatus : MissingDAClientExperienceConfiguration




PS C:\Windows\system32> Get-DAConnectionStatus


Status    : Error
Substatus : MissingDAClientExperienceConfiguration



PS C:\Windows\system32> netsh dnsclient show state

Name Resolution Policy Table Options
--------------------------------------------------------------------

Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network

Query Resolution Behavior             : Resolve only IPv6 addresses for names

Network Location Behavior             : Let Network ID determine when Direct
                                        Access settings are to be used

Machine Location                      : Outside corporate network

Direct Access Settings                : Configured and Enabled

DNSSEC Settings                       : Not Configured

PS C:\Windows\system32> netsh int https show int
There are currently no active IP-HTTPS profiles. To view the configured
IP-HTTPS profiles, execute the following Powershell command -
'Get-NetIPHTTPSConfiguration'.

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                       : client
URL                        : https://RAServer.com:443/IPHTTPS
Last Error Code            : 0x10df
Interface Status           : IPHTTPS interface creation failure

PS C:\Windows\system32> netsh dns show state

Name Resolution Policy Table Options
--------------------------------------------------------------------

Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network

Query Resolution Behavior             : Resolve only IPv6 addresses for names

Network Location Behavior             : Let Network ID determine when Direct
                                        Access settings are to be used

Machine Location                      : Outside corporate network

Direct Access Settings                : Configured and Enabled

DNSSEC Settings                       : Not Configured


PS C:\Windows\system32> netsh name show effective

DNS Effective Name Resolution Policy Table Settings


Settings for DAserver.com
----------------------------------------------------------------------
DirectAccess (Certification Authority)  :
DirectAccess (IPsec)                    : disabled
DirectAccess (DNS Servers)              :
DirectAccess (Proxy Settings)           : Use default browser settings




Direct Access - Unable to disconnect (Win 10 v.1803)


Hi,

We've replaced our old VPN solution with Direct Access. It's working flawlessly, connecting as soon as I switch to a network outside our internal network.

But we have noticed that when Direct Access is enabled, we're unable to disconnect from it.
Nothing happens when pressing the Disconnect button on the Direct Access settings page. It's like a dummy button: the button reacts to the click, but nothing happens.

We're currently running Windows 10 Enterprise v. 1803. I know that I've been able to disconnect from it before, but that was a while ago, most likely when I was running v. 1703 or 1709.

Anybody seen this before?

BR
P-H

Manage Out devices not receiving an IPv6 address from ISATAP router


We have a working DirectAccess solution in place with no issues for inbound connections from DA clients. We want to manage these clients from SCCM, and so I've looked at setting up manage-out for this.

I have configured a group policy linked to a security group for manage-out clients, in which I have enabled an ISATAP router and set this as a DNS entry for the internal IP address of our DA server (we only have one). I have also enabled ISATAP in the same group policy, as suggested in the various walkthroughs of this setup.

I have checked clients and the ISATAP interface is enabled via group policy, but they are not receiving an IPv6 address on their tunnel adapter from the ISATAP router. They only have an IPv6 link-local address defined.

Can anyone point me in the direction of why this would be the case?

DirectAccess Configuration - The command cannot be completed because the GPO was not found in the domain


Hello all,

I've been banging my head against the wall trying to get DA set up within our organization. When I run through the Configure Remote Access Wizard it fails on the very last step and produces the following error:

Removing DNS suffix search list settings - the command cannot be completed because a GPO that is named "DirectAccess Client Settings" was not found in the *****.local domain. Make sure that the GPO specified by the name parameter exists in the domain that is specified for the cmdlet. Then run the command again.

To me this sounds like it's suggesting that it can't find the GPO - which is rubbish, since when I run GPRESULT /R on the server it shows that the Direct Access Server settings ARE applied!

Can anybody shed some light on this for me please? I am losing the will to live at the moment!

DirectAccess 2012R2 NLB and DNS


After I configured DA in NLB, I am getting a DNS error status saying that the DNS server is not responding to DNS queries. The NLB VIP became the first server's NIC address. I have a 2-NIC NLB configuration and am port forwarding to the NLB VIP from the firewall.

How to mitigate this problem?

DirectAccess DNS Issue


Having an issue with clients registering their IPv6 addresses in AD DNS. They keep getting 8018 error events saying the DNS server rejected their request. I can't seem to narrow down the issue. All works fine internally, and if I change the DNS server over to unsecured updates then it works fine. I would, of course, rather not do this.

If the clients can access the domain from the outside, browse the network, run login scripts, get GP... why would the DNS server deny them? Any ideas on how to troubleshoot this? Thanks!

Server 2016 with Win10 1507 & 1809.