Channel: Forefront Edge Security – DirectAccess, UAG and IAG Forum

DirectAccess with Windows Azure Multi-Factor Authentication Server


Hi,

We're having some trouble implementing OTP functionality for our DirectAccess solution. We have a DA server with dual NICs (one internal and one external) behind a firewall. We are successfully running it with Windows 7 computers using certificates issued by our own CA. Everything works fine (e.g. 6to4, Teredo and IP-HTTPS) and computers connect instantaneously.

Then we decided to try to implement OTP functionality using Azure MFA. We have downloaded the on-premises installation and configured a server with a couple of trial users synced from our Active Directory. It works flawlessly when using the portal and the built-in tests on the MFA server. We receive the text messages promptly and are granted access.

However, when we tried to connect it to our DA server, things got weird.

First of all, our DA server refuses to recognize our Issuing CA even though it is domain joined and published in our Active Directory. It worked the first time we went through the wizard, but ever since it just keeps saying that "no CA servers can be detected". We ended up doing it the PowerShell way and the Operations Status shows no error. When we added the Issuing CA and the RADIUS server (our MFA server) as Infrastructure Servers we got an error message saying that "One or more IP addresses of management server cannot be added because they are associated with the web probe URL" (which they aren't).

We went ahead and started testing the OTP functionality, assuming this was some strange bug as well, following the closest thing to a requirement specification we could find from MS regarding the certificates required. We tested both with a Windows 8.1 Ent client and a couple of Windows 7 Ent clients, but none of them get any password prompt. We can see with Wireshark and in the logs that the DAProbeUser can communicate between the DA and the MFA server. If we try to access the DaOTP IIS site we get a certificate error. The IIS certificate is issued from the same trusted Root CA as the client certificate and all certificates are valid. The CRLs are accessible both externally and internally.

We are looking through the local computers' OtpCredentialProvider logs, but for the Windows 8.1 ones they are only saying Error 10001 (unable to send authentication information to daservername.domain.com, error 12175). For the Windows 7 clients we are getting Error 10003 (either the private key cannot be generated or the user cannot access the certificate template on the DC, which we verified that we can, using the infrastructure tunnel only). No other IPv4 traffic seems to be communicated between the two servers according to Wireshark.

We have also tried using our SafeNet on-prem RADIUS solution, but no traffic seems to get sent to that server either.

So TL;DR:

- Can anyone provide the precise certificate requirements for setting up DA OTP?

- Are there any good tools for troubleshooting DA OTP functionality?
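As an added troubleshooting helper (not from the original poster, and not Microsoft's own tooling): the first function dumps the DA OTP configuration and any non-healthy DirectAccess components on the DA server, the second pulls the client-side OtpCredentialProvider events the post quotes (10001 and 10003), and the third runs the CRL/chain fetch check. The operational log name and the output shape of `Get-DAOtpAuthentication` are assumptions; adjust them to your build.

```powershell
# Added example, not code from the original post. Assumes the RemoteAccess
# PowerShell module on the DirectAccess server and the OtpCredentialProvider
# operational log on the client (log name below is an assumption).

function Get-DaOtpServerState {
    # Run on the DirectAccess server.
    Import-Module RemoteAccess -ErrorAction Stop
    # OTP configuration: RADIUS server(s), issuing CA(s) and templates.
    Write-Host '=== DA OTP configuration ==='
    Get-DAOtpAuthentication | Format-List *
    # DA component health; a CA or RADIUS server the DA server cannot
    # reach shows up here rather than in the Operations Status summary.
    Write-Host '=== DA health (non-OK components only) ==='
    Get-RemoteAccessHealth -Refresh |
        Where-Object { $_.HealthState -ne 'OK' } |
        Format-Table Component, HealthState -AutoSize
}

function Get-DaOtpClientEvents {
    param(
        [int]$MaxEvents = 50,
        # IDs quoted in the post: 10001 = cannot send authentication info to
        # the DA server, 10003 = private key / certificate template failure.
        [int[]]$EventId = @(10001, 10003)
    )
    # Run on the DA client. Log name is an assumption matching the
    # "OtpCredentialProvider logs" the post refers to.
    $log = 'Microsoft-Windows-OtpCredentialProvider/Operational'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $EventId } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Test-DaOtpCertChain {
    param([Parameter(Mandatory)][string]$CertPath)
    # certutil fetches every AIA/CDP URL in the chain and reports which
    # CRL or issuer download fails, so a "valid" certificate that still
    # produces a chain error on the DaOTP site is pinned to one URL.
    certutil.exe -urlfetch -verify $CertPath
}
```

Export the IIS or client certificate (public part only) to a .cer file before passing it to `Test-DaOtpCertChain`.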
