Channel: Forefront Edge Security – DirectAccess, UAG and IAG Forum
DA2012/Win7 - working, but error on IPsec in Ops Status

So I finally have DirectAccess on 2012 (single server) running. Single NIC behind a SonicWall firewall. We're using a third-party IP-HTTPS cert. Others are self-signed. Everything appears to be working just fine.

In the Remote Access console, under the operations status, IPSec is in a critical state.  Details -

Error:
There is no valid certificate to be used by IPsec which chains to the root/intermediate certificate configured to be used by IPsec in the DirectAccess configuration.

Causes:
The certificate has not been installed or is not valid.

Resolution:
Please ensure that a valid certificate is present in the machine store and DA server is configured to use the corresponding root certificate.
The valid certificate must satisfy the following:
 a. Should not be expired.
 b. Should have a private key.
 c. Should be configured to be used for Client authentication.
 d. Should chain to the configured root/intermediate cert.

I will be the first to admit I'm just learning DA and IPsec and certs (other than a normal cert on a web server!), so I'm not sure how to troubleshoot or what I'm missing. Again, everything appears to be working, so I'm not sure what I'm missing. Looking at some other threads, they mention the firewall not being on (it is) and the GPO not being set up for autoenrollment (it is; you can see that below). That's about all I'm finding.

Here's the output from certutil -store my:

my "Personal"
================ Certificate 0 ================
Serial Number: 607dcf8da089d382423a056682934519
Issuer: CN=DirectAccess-RADIUS-Encrypt-FILE002.domain.local
 NotBefore: 1/10/2013 4:29 PM
 NotAfter: 1/10/2018 11:39 AM
Subject: CN=DirectAccess-RADIUS-Encrypt-FILE002.domain.local
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): fb 1e cd 3b 4f d3 77 42 47 2e 4c 01 7d af 3e 99 0b 81 d1 c0
  Key Container = d1034e536191f1bd46e88dd88e1e8c9e_92404682-ad92-483f-81ee-c5a3da31597f
  Simple container name: le-d392c1d5-ab80-43d2-aeab-d853268c0a30
  Provider = Microsoft Strong Cryptographic Provider
Private key is NOT exportable
Encryption test passed

================ Certificate 1 ================
Serial Number: 4e9fafafe17322
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
 NotBefore: 12/14/2012 5:52 PM
 NotAfter: 12/14/2015 4:48 PM
Subject: CN=da.domain.com, OU=Domain Control Validated, O=da.tunnellconsulting.com
Non-root Certificate
Cert Hash(sha1): 46 f4 e4 83 18 00 89 0e 57 0b 64 51 33 36 01 54 71 56 59 07
  Key Container = 9d88e1f832431493b0de3b0e5ed80c20_92404682-ad92-483f-81ee-c5a3da31597f
  Simple container name: le-8cb20e9a-6221-4b4e-aaa1-87a2bff529db
  Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed

================ Certificate 2 ================
Serial Number: 6000000002e21219a5a198722d000000000002
Issuer: CN=TC-DC004-CA, DC=domain, DC=local
 NotBefore: 12/17/2012 9:59 AM
 NotAfter: 12/17/2013 9:59 AM
Subject: EMPTY (DNS Name=FILE002.domain.local)
Non-root Certificate
Template: DirectAccess IPsec Client
Cert Hash(sha1): 23 3b 1e fa b0 1b 0e 92 b7 74 34 8e f1 41 76 72 66 fd 50 80
  Key Container = a6288cbae7f8ccfcb52f78ec43e9507d_92404682-ad92-483f-81ee-c5a3da31597f
  Simple container name: le-DirectAccess IPsec Client-c3b0dc2e-42d0-4530-995d-611cf2e15527
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed

================ Certificate 3 ================
Serial Number: 60000000030fcaa67d429df973000000000003
Issuer: CN=TC-DC004-CA, DC=domain, DC=local
 NotBefore: 12/17/2012 9:59 AM
 NotAfter: 12/17/2013 9:59 AM
Subject: CN=FILE002.domain.local
Non-root Certificate
Template: DirectAccess IPsec Server
Cert Hash(sha1): 18 b5 51 2c fd dc ca 80 ab d8 65 d2 59 0b 99 86 ce 75 29 a6
  Key Container = 42b91bf19d080da28eaa594684073d5d_92404682-ad92-483f-81ee-c5a3da31597f
  Simple container name: le-DirectAccess IPsec Server-fa48d3a0-0ee5-4743-bafb-9bc5b1b06545
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.
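The four conditions in the Operations Status resolution text (not expired, has a private key, valid for Client Authentication, chains to the configured root/intermediate CA) can be checked against every certificate in the machine store directly, instead of reading them off certutil output by hand. The PowerShell below is an added example written for this post, not something the original poster or Microsoft provided. It assumes it is run elevated on the DirectAccess server, and the thumbprint of the root/intermediate CA that was selected in the DirectAccess configuration must be supplied in place of the placeholder value, which is not on the page.

```powershell
# Added example: evaluate Cert:\LocalMachine\My against the four IPsec certificate
# criteria from the Operations Status message. The default thumbprint is a placeholder;
# replace it with the thumbprint of the root/intermediate CA chosen in the DA configuration.
param(
    [string]$ExpectedRootThumbprint = 'REPLACE-WITH-CONFIGURED-ROOT-THUMBPRINT'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # A subject-less cert (like Certificate 2 above) is identified by its SAN DNS name instead.
    $name = if ($cert.Subject) { $cert.Subject } else { $cert.GetNameInfo('DnsName', $false) }

    $result = [ordered]@{
        Subject       = $name
        Thumbprint    = $cert.Thumbprint
        NotExpired    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)   # a.
        HasPrivateKey = $cert.HasPrivateKey                                      # b.
        ClientAuthEKU = $false                                                   # c.
        ChainsToRoot  = $false                                                   # d.
        ChainStatus   = ''
    }

    # c. A certificate with no EKU extension is usable for any purpose; if the extension is
    #    present, Client Authentication must be listed explicitly.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) {
        $result.ClientAuthEKU = $true
    } else {
        $result.ClientAuthEKU = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }

    # d. Build the chain the way the machine sees it. Revocation checking is turned off here so
    #    that an unreachable CRL is reported separately rather than looking like a chaining failure.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $inChain = @($chain.ChainElements |
        ForEach-Object { $_.Certificate.Thumbprint } |
        Where-Object { $_ -eq $ExpectedRootThumbprint })
    $result.ChainsToRoot = [bool]($built -and $inChain.Count -gt 0)
    $chain.Reset()

    [pscustomobject]$result
}
```

Run it with the configured CA's thumbprint, e.g. `.\Check-DaIpsecCerts.ps1 -ExpectedRootThumbprint <thumbprint>` (file name is illustrative), and look for at least one row where all four columns are True. A row whose only False is ChainsToRoot, with an empty ChainStatus, usually means the certificate chains fine but to a different CA than the one selected in the DirectAccess configuration; a non-empty ChainStatus names the specific chain problem Windows found.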
