Hi all,
I have been struggling to finalise the configuration of my DirectAccess test lab for a few days and I was wondering if you could help.
I believe there is a problem with the certificates being used by DirectAccess.
Here are some of the details of the configuration and the errors I am having; any assistance in troubleshooting would be greatly appreciated. I am sure it is something silly I have missed somewhere.
At this moment in time the clients cannot see the NLS server which is currently running on the DirectAccess server. I have a CA running on the DirectAccess server (I would like to emphasise that this is a lab environment for a proof of concept).
Clients appear to believe they are outside of the network at all times.
DNS queries cannot be resolved externally and don't work internally unless DA is disabled.
I have two Public Addresses - 90 and 91 configured on the external adaptor of the DA server.
The Teredo and IPHTTPS tunnel both appear to be working however, IPsec does not.
Here is the output from a few commands I have been using to troubleshoot:
C:\Users\administrator.HRWPOC>netsh name sh eff
DNS Effective Name Resolution Policy Table Settings
Settings for nla.hrwpoc.local
----------------------------------------------------------------------
Certification authority :
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) :
DirectAccess (Proxy Settings) : Use default browser settings
Settings for .hrwpoc.local
----------------------------------------------------------------------
Certification authority :
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) : 2002:560c:9ff6:3333::1
DirectAccess (Proxy Settings) : Bypass proxy
C:\Users\administrator.HRWPOC>netsh dns sh st
Name Resolution Policy Table Options
--------------------------------------------------------------------
Query Failure Behavior : Always fall back to LLMNR and NetBIOS
if the name does not exist in DNS or
if the DNS servers are unreachable
when on a private network
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Let Network ID determine when Direct
Access settings are to be used
Machine Location : Outside corporate network
Direct Access Settings : Configured and Enabled
DNSSEC Settings : Not Configured
C:\Users\administrator.HRWPOC>netsh int ter sh st
Teredo Parameters
---------------------------------------------
Type : client
Server Name : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port : unspecified
State : qualified
Client Type : teredo host-specific relay
Network : unmanaged
NAT : restricted
NAT Special Behaviour : UPNP: No, PortPreserving: No
Local Mapping : 192.168.1.34:58435
External NAT Mapping : 62.49.42.253:19054
C:\Users\administrator.HRWPOC>netsh int htt sh int
Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role : client
URL : https://dapoc.contoso.com:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface active
IPsec Events
An IPsec main mode negotiation failed.
Local Endpoint:
Local Principal Name: -
Network Address: 2002:560c:9ff6:1000:402c:1c2d:615d:81a2
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address: 2002:560c:9ff6::560c:9ff6
Keying Module Port: 500
Additional Information:
Keying Module Name: IKEv1
Authentication Method: Unknown authentication
Role: Initiator
Impersonation State: Not enabled
Main Mode Filter ID: 0
Failure Information:
Failure Point: Local computer
Failure Reason: No policy configured
State: No state
Initiator Cookie: 5fbac6fee3d5fe96
Responder Cookie: 0000000000000000
An IPsec main mode negotiation failed.
Local Endpoint:
Local Principal Name: -
Network Address: 2002:560c:9ff6:1000:402c:1c2d:615d:81a2
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address: 2002:560c:9ff6::560c:9ff6
Keying Module Port: 500
Additional Information:
Keying Module Name: AuthIP
Authentication Method: Unknown authentication
Role: Initiator
Impersonation State: Not enabled
Main Mode Filter ID: 67359
Failure Information:
Failure Point: Local computer
Failure Reason: Negotiation timed out
State: Sent first (SA) payload
Initiator Cookie: 8ece33e6340d05e8
Responder Cookie: 0000000000000000
As I said, any help would be massively appreciated; I will try and be as responsive as possible if anyone requires any more information.
Thanks!
Adam
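As an added example that is not part of Adam's post (the functions and checks below are the editor's, not Microsoft's and not from the forum): a PowerShell script that collects the same client-side facts as the netsh output above, but as objects, and adds two things netsh does not show. First, it completes a TLS handshake to the NLS while recording the certificate verdict instead of enforcing it, so you can see whether the client's complaint is "no TCP connectivity", "name mismatch" or "chain does not build to a trusted root" (an "Outside corporate network" result on the intranet is decided by exactly this check). Second, it reads Security event 4653 ("An IPsec main mode negotiation failed", the event pasted above) and groups the failures by keying module, remote address and reason. It assumes the NLS URL is https://nla.hrwpoc.local/ (inferred from the NRPT exemption entry, not stated in the post) and a Windows 8 / Server 2012 or later client, where the DnsClient, NetworkTransition and DirectAccessClientComponents modules exist. It reports, it does not diagnose; the only thing the posted output itself establishes is that the client sits in the "Outside corporate network" state and that both main-mode attempts fail before any responder reply (responder cookie all zeros, then "Negotiation timed out").

```powershell
# Added example, not code from the original post: a client-side DirectAccess
# health report. Assumptions, not stated in the post: the NLS URL is
# https://nla.hrwpoc.local/ (inferred from the NRPT exemption entry) and the
# client is Windows 8 / Server 2012 or later, where the DnsClient,
# NetworkTransition and DirectAccessClientComponents modules exist.
# Run from an elevated prompt (Security log access).
[CmdletBinding()]
param(
    [uri]$NlsUrl = 'https://nla.hrwpoc.local/',   # assumed, see above
    [int]$LookbackMinutes = 60
)

function Get-DaStatusSummary {
    # Status/Substatus replace reading "Machine Location" out of "netsh dns show state".
    try { Get-DAConnectionStatus | Select-Object Status, Substatus }
    catch { [pscustomobject]@{ Status = 'n/a'; Substatus = $_.Exception.Message } }
}

function Get-DaNrptSummary {
    # Effective NRPT: the NLS name should be an exemption (no DA DNS servers);
    # the corporate suffix should carry the DA DNS64 address.
    Get-DnsClientNrptPolicy -Effective |
        Select-Object Namespace, DirectAccessDnsServers, DirectAccessProxyType
}

function Get-DaTransitionSummary {
    # Outer tunnel state only: an "active" IP-HTTPS interface proves nothing about IPsec.
    $ipHttps = Get-NetIPHttpsState
    [pscustomobject]@{
        TeredoState    = (Get-NetTeredoState).State
        IpHttpsStatus  = $ipHttps.InterfaceStatus
        IpHttpsLastErr = $ipHttps.LastErrorCode
    }
}

function Test-NlsTrust {
    param([Parameter(Mandatory)][uri]$Url)
    # Complete a TLS handshake to the NLS but record, rather than enforce, the
    # certificate verdict. On the intranet the client must build a trusted chain
    # to this certificate and the name must match, or location detection fails.
    $script:NlsCert = $null; $script:NlsPolicyErrors = $null
    $record = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        if ($cert) { $script:NlsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert) }
        $script:NlsPolicyErrors = $errors
        return $true   # keep the handshake going so the certificate can be reported
    }
    $result = [ordered]@{ Url = "$Url"; TcpReachable = $false; PolicyErrors = ''; Subject = ''; Issuer = ''; ChainStatus = '' }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Url.Host, $Url.Port)
        $result.TcpReachable = $true
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $record)
        $ssl.AuthenticateAsClient($Url.Host)
        # None | RemoteCertificateNameMismatch | RemoteCertificateChainErrors | RemoteCertificateNotAvailable
        $result.PolicyErrors = "$script:NlsPolicyErrors"
        if ($script:NlsCert) {
            $result.Subject = $script:NlsCert.Subject
            $result.Issuer  = $script:NlsCert.Issuer
            # Build the chain again to get the specific status (UntrustedRoot, PartialChain, ...).
            $chainCheck = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chainCheck.ChainPolicy.RevocationMode = 'NoCheck'   # lab: settle trust first, revocation separately
            if ($chainCheck.Build($script:NlsCert)) { $result.ChainStatus = 'OK' }
            else { $result.ChainStatus = ($chainCheck.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
        }
        $ssl.Close()
    } catch {
        $result.ChainStatus = $_.Exception.Message   # e.g. TCP connect refused or timed out
    } finally { $tcp.Close() }
    [pscustomobject]$result
}

function Get-IpsecMainModeFailures {
    param([int]$Minutes)
    # Security event 4653 = "An IPsec main mode negotiation failed"; requires
    # "Audit IPsec Main Mode" failure auditing, which the pasted events show is on.
    $filter = @{ LogName = 'Security'; Id = 4653; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Keying = [regex]::Match($m, 'Keying Module Name:\s*(\S+)').Groups[1].Value
            Remote = [regex]::Match($m, 'Remote Endpoint:.*?Network Address:\s*(\S+)', 'Singleline').Groups[1].Value
            Reason = [regex]::Match($m, 'Failure Reason:\s*([^\r\n]+)').Groups[1].Value.Trim()
        }
    } | Group-Object Keying, Remote, Reason | Select-Object Count, Name
}

'== DirectAccess connection status =='; Get-DaStatusSummary | Format-List
'== Effective NRPT ==';                 Get-DaNrptSummary | Format-Table -AutoSize
'== Transition technologies ==';        Get-DaTransitionSummary | Format-List
'== NLS reachability and trust ==';     Test-NlsTrust -Url $NlsUrl | Format-List
"== IPsec main-mode failures, last $LookbackMinutes min =="
Get-IpsecMainModeFailures -Minutes $LookbackMinutes | Format-Table -AutoSize
```

Run it once from the LAN and once from outside and compare the two NLS rows: the NLS must be reachable with PolicyErrors "None" and ChainStatus "OK" inside, and must be unreachable outside (otherwise the client will decide it is on the corporate network and tear DirectAccess down). The 4653 summary is grouped so that a single persistent cause ("No policy configured" for IKEv1, "Negotiation timed out" for AuthIP) shows up as two counters rather than a scrolling wall of events.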