Channel: Forefront Edge Security – DirectAccess, UAG and IAG Forum

Error while trying to configure DirectAccess with OTP


Hi all,

I have a working environment of DirectAccess 2012 R2 for Windows 8.1 clients (one DA server).

I have both Vasco and Azure MFA for OTP authentication, and I wanted to add either of them to my DA topology.

I installed a new dedicated Enterprise CA and added the OTP templates, added a new DAProbe user to my RADIUS server, and followed the rest of the documentation as described on TechNet.

I know there's a bug in the DA UI wizard for OTP, so I just enabled two-factor authentication and then ran the following command from PowerShell:

Enable-DAOtpAuthentication -CertificateTemplateName 'DirectAccessOTPLogon' -SigningCertificateTemplateName 'DirectAccessOTPRegistrationAuthority' -CAServer 'testdomain.com\CA' -RadiusServer MFA.testdomain.com -SharedSecret Aa123456

and I get the following error:

Enable-DAOtpAuthentication : The specified CA servers are either not valid enterprise CAs or specified incorrectly.
Rerun the cmdlet with a valid CAServer parameter in the correct format (FQDN\CAServerName).
At line:1 char:1
+ Enable-DAOtpAuthentication -CertificateTemplateName 'DirectAccessOTPLogon' -Sign ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CAServer:root/Microsoft/...pAuthentication) [Enable-DAOtpAuthentication],
    CimException
    + FullyQualifiedErrorId : HRESULT 80092004,Enable-DAOtpAuthentication

  • My RADIUS server is domain joined
  • PowerShell runs as Administrator
  • Firewalls are disabled on my DC, CA and RADIUS server, and I can ping the CA without any issues
  • The CA is definitely an Enterprise CA, not a standalone one
  • I can issue certificates from the CA without any issues
  • I tried to input the CA server like this: @{'domain.fqdn'}, 'domain.fqdn', domain.fqdn - all give the same result
  • I even tried to create another CA from scratch just to be sure the problem is not on my server...

Anyway, I'm stuck. It seems like no one else on the web has run into this error...

I'd love to get some help on ways to troubleshoot the problem.

Thanks,


Tamir Levy
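The error text above says the -CAServer value must be in the form FQDN\CAServerName. The script below is an added troubleshooting example, not part of the original post or of Microsoft's DirectAccess tooling: it reads the enterprise CAs that Active Directory publishes (the pKIEnrollmentService objects under the Configuration partition, which standalone CAs do not register), builds the host\CA-name string from each object's dNSHostName and cn, checks the string's shape, and confirms the CA answers with certutil before the value is handed to Enable-DAOtpAuthentication. It assumes the ActiveDirectory RSAT module is installed and that the session can read the Configuration partition; the function names and the template names checked at the end are taken from this post and are otherwise hypothetical.

```powershell
# Added example (not from the original post): find the enterprise CAs published
# in Active Directory and build the "CAHostFQDN\CAName" string that the
# Enable-DAOtpAuthentication error message asks for, then verify each one
# responds before using it as the -CAServer argument.
# Assumptions: ActiveDirectory RSAT module present; account can read the
# Configuration naming context; certutil.exe is available on the DA server.

Import-Module ActiveDirectory

function Get-EnterpriseCAConfigString {
    # Enterprise CAs register a pKIEnrollmentService object here; a standalone CA
    # does not, so an empty result means no enterprise CA is visible in the forest.
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

    Get-ADObject -SearchBase $searchBase -Filter 'objectClass -eq "pKIEnrollmentService"' `
                 -Properties dNSHostName, cn, certificateTemplates |
        ForEach-Object {
            [pscustomobject]@{
                CAHost       = $_.dNSHostName
                CAName       = $_.cn
                # This is the exact shape the cmdlet wants: host FQDN, backslash, CA name.
                ConfigString = '{0}\{1}' -f $_.dNSHostName, $_.cn
                # Templates this CA is configured to issue; the OTP templates must be listed.
                Templates    = $_.certificateTemplates
            }
        }
}

function Test-CAConfigString {
    param([Parameter(Mandatory)][string]$ConfigString)
    # Format check: a DNS name, exactly one backslash, then a CA common name.
    # A bare domain name such as 'domain.fqdn' fails here before anything is contacted.
    if ($ConfigString -notmatch '^[A-Za-z0-9.-]+\\[^\\]+$') {
        return [pscustomobject]@{ ConfigString = $ConfigString; FormatOk = $false; Reachable = $false }
    }
    # certutil -ping asks the CA's request interface to answer; exit code 0 means it did.
    & certutil.exe -config $ConfigString -ping | Out-Null
    [pscustomobject]@{ ConfigString = $ConfigString; FormatOk = $true; Reachable = ($LASTEXITCODE -eq 0) }
}

$cas = Get-EnterpriseCAConfigString
$cas | Format-Table CAHost, CAName, ConfigString -AutoSize

foreach ($ca in $cas) {
    $result = Test-CAConfigString -ConfigString $ca.ConfigString
    if ($result.FormatOk -and $result.Reachable) {
        Write-Host "Usable -CAServer value: $($result.ConfigString)"
        # Template names as used in the post; warn if the CA does not publish them.
        foreach ($t in 'DirectAccessOTPLogon', 'DirectAccessOTPRegistrationAuthority') {
            if ($ca.Templates -notcontains $t) {
                Write-Warning "$($ca.ConfigString) does not publish template '$t'"
            }
        }
    }
    else {
        Write-Warning "Skipping $($result.ConfigString): FormatOk=$($result.FormatOk) Reachable=$($result.Reachable)"
    }
}
```

Run it on the DirectAccess server as the same account used for the cmdlet: the ConfigString column is the value to pass to -CAServer, and a CA that shows Reachable=False from the DA server points at RPC/DCOM access rather than the string format.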
