DA 2012 - Changing the IPSec intermediate certificate for Multisite configuration

Hi All-

We are in the process of moving to a new PKI hierarchy and are testing new certificates.  We currently have a 3-server multisite configuration and it is working with no issues.  However, when I change the intermediate certificate to the new SubCA cert, update GPO on my computer and then try and test, I get the infamous Connecting status from my DA connection.  Here is what I have verified:

1) Computers have new certificates from the new CA and can verify chain.  The certificate template I am using for computers contains the DNS entry for the alternate subject name.

2) Verified I received the updated GPO that specifies the new SubCA cert before testing.

When I run the DirectAccess Client Troubleshooting tool:

Teredo interface state value is unknown

No response received from mydomain.com

Certificate tests PASS

Failed to connect to domain sysvol share

Probes List http://directaccess-WebProbeHost.mydomain.com(FAIL)

As soon as I switch the cert back to the old SubCA, update GPO, connectivity starts working again.  Is there some other configuration I need to do besides simply specifying a new SubCA cert?

July 21st, 2015 4:49pm


Additional info:

I am getting SChannel errors in the event log with the new cert:

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

and

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

The new cert uses sha256 and ECC for the public key.

July 21st, 2015 6:54pm

Hi,

You mention failed SSL connections, I suppose your DirectAccess client is already using IP-HTTPS or trying to.

Did you renew the IPHTTPS certificate of your DirectAccess Gateway with your new internal PKI?

July 22nd, 2015 3:36am

Hi BenoitS-

Yes, our clients are currently using IP-HTTPS.  We use a 3rd party cert from Network Solutions for the IP-HTTPS and have not changed that cert, just the IPSEC cert has been changed to the new internal CA.

July 22nd, 2015 11:28am

Hi,

OK, it's a certificate issued by a public CA. Do we have an IPHTTPS interface operational on the DirectAccess client side? I'm not sure it can accept ECC (not yet tested).

July 22nd, 2015 11:31am

Hi-

Yes, IP-HTTPS tests come back OK.  I was afraid of ECC not being supported, maybe I should try RSA?

July 22nd, 2015 11:41am

So if the IP-HTTPS interface is operational at the client side (IPv6 address generated), the problem might be located at the IPsec level. Maybe some network traces would help us check whether the IPsec negotiation is in trouble.
July 22nd, 2015 11:43am

Going to run some wireshark tests today and report back what I find.  Thanks for the help.
July 22nd, 2015 12:03pm

Looks like I found out that it is failing the IPSec authentication.  Here is a log from the DA server:

An IPsec main mode negotiation failed.

Local Endpoint:
Local Principal Name: -
Network Address: fdde:7ffc:453:2222::1
Keying Module Port: 500

Remote Endpoint:
Principal Name: -
Network Address: fdde:7ffc:453:1000:b5eb:3521:f3b4:79ff
Keying Module Port: 500

Additional Information:
Keying Module Name: AuthIP
Authentication Method: Unknown authentication
Role: Responder
Impersonation State: Not enabled
Main Mode Filter ID: 80596

Failure Information:
Failure Point: Local computer
Failure Reason: IKE authentication credentials are unacceptable

State: Sent second (KE) payload
Initiator Cookie: 6adbcf20c2b7ca31
Responder Cookie: f657d4fe6b2dd141

July 22nd, 2015 7:31pm
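As an added example, not from the thread or from any Microsoft tooling, here is a PowerShell snippet that pulls IPsec Main Mode failures like the one above out of the Security log and summarises them by remote peer and failure reason. The parser is exercised first against a constructed copy of the event text posted above, so it runs on a machine with no such events. Assumptions: the events arrive as IDs 4652/4653 (the "Audit IPsec Main Mode" subcategory, which must be enabled) and carry this message layout.

```powershell
# Added example (not part of the original post). Parses the text of an
# "An IPsec main mode negotiation failed" event into the fields that matter
# for DirectAccess troubleshooting.
function ConvertFrom-IPsecMainModeMessage {
    param([Parameter(Mandatory)][string]$Message)

    # Each field is "Label: Value" on its own line; pick out one by label.
    $get = {
        param($label)
        $m = [regex]::Match($Message, "(?m)^\s*$([regex]::Escape($label)):\s*(.*?)\s*$")
        if ($m.Success) { $m.Groups[1].Value } else { $null }
    }
    # "Network Address" appears twice (local endpoint, then remote); keep both in order.
    $addrs = @([regex]::Matches($Message, '(?m)^\s*Network Address:\s*(\S+)') |
               ForEach-Object { $_.Groups[1].Value })

    [pscustomobject]@{
        LocalAddress  = $addrs[0]
        RemoteAddress = $addrs[1]
        KeyingModule  = & $get 'Keying Module Name'
        AuthMethod    = & $get 'Authentication Method'
        Role          = & $get 'Role'
        FailurePoint  = & $get 'Failure Point'
        FailureReason = & $get 'Failure Reason'
        State         = & $get 'State'
    }
}

# Constructed sample: a copy of the event text posted in this thread, not live data.
$sample = @"
An IPsec main mode negotiation failed.

Local Endpoint:
Local Principal Name: -
Network Address: fdde:7ffc:453:2222::1
Keying Module Port: 500

Remote Endpoint:
Principal Name: -
Network Address: fdde:7ffc:453:1000:b5eb:3521:f3b4:79ff
Keying Module Port: 500

Additional Information:
Keying Module Name: AuthIP
Authentication Method: Unknown authentication
Role: Responder
Impersonation State: Not enabled
Main Mode Filter ID: 80596

Failure Information:
Failure Point: Local computer
Failure Reason: IKE authentication credentials are unacceptable

State: Sent second (KE) payload
Initiator Cookie: 6adbcf20c2b7ca31
Responder Cookie: f657d4fe6b2dd141
"@

# Offline check of the parser against the sample.
ConvertFrom-IPsecMainModeMessage -Message $sample | Format-List

# Live query on the DA server: last 24 hours of Main Mode failures, grouped by
# remote peer and reason. Event IDs 4652/4653 are an assumption (Audit IPsec
# Main Mode must be enabled for them to be logged).
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$events |
    ForEach-Object { ConvertFrom-IPsecMainModeMessage -Message $_.Message } |
    Group-Object RemoteAddress, FailureReason |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Run it elevated on the DirectAccess server. A burst of "IKE authentication credentials are unacceptable" from many distinct client addresses right after a certificate or GPO change points at the credential (the computer certificate, its chain, or the CA named in the IPsec rule) rather than at the network path.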

I have this resolved.  It looks like the computer cert cannot use ECC as DA wouldn't authenticate with it.  As soon as I created another computer cert for my clients and DA server to use RSA, everything started working with the new SubCA cert.
  • Marked as answer by Ryan Arnold 6 hours 31 minutes ago
July 22nd, 2015 8:50pm
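As an added example, not from the thread or from Microsoft's DirectAccess tooling, this PowerShell snippet checks what the resolution above turned on: it inventories the computer certificates a DirectAccess client or server can present for IPsec, verifies that each chains to the new SubCA, reports the public key algorithm so an ECC key is visible, and then lists which CA the client-side IPsec rules actually expect. The SubCA name `CN=Corp-SubCA-01` is an assumption; replace it with the subject of your new intermediate. The `CertName` and `Thumbprint` property names on the NetSecurity output are taken from the cmdlets' documented output and are also an assumption.

```powershell
# Added example (not part of the original post). Run in an elevated PowerShell
# on the DirectAccess client or server.
$ExpectedIssuer = 'CN=Corp-SubCA-01'   # assumed name; set to the new SubCA's subject

$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Only certificates with the Client Authentication EKU (1.3.6.1.5.5.7.3.2)
    # are candidates for IPsec machine authentication.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }) -ne $null
    }

    # Build and validate the chain (with online revocation checking) so a
    # missing or untrusted new intermediate shows up here, not just in IKE.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk     = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Public key algorithm by OID: RSA vs ECC is the distinction this thread hinged on.
    $keyAlg = switch ($cert.PublicKey.Oid.Value) {
        '1.2.840.113549.1.1.1' { 'RSA' }
        '1.2.840.10045.2.1'    { 'ECC' }
        default                { $cert.PublicKey.Oid.FriendlyName }
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        IssuerMatches = $cert.Issuer -like "*$ExpectedIssuer*"
        KeyAlgorithm  = $keyAlg
        SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
        HasClientAuth = $hasClientAuth
        ChainValid    = $chainOk
        ChainStatus   = $chainStatus
        NotAfter      = $cert.NotAfter
    }
}

$results | Format-Table -AutoSize

# Flag the condition the thread's resolution identified: an ECC key on a
# certificate that would otherwise be picked for IPsec machine authentication.
$results | Where-Object { $_.KeyAlgorithm -eq 'ECC' -and $_.HasClientAuth } | ForEach-Object {
    Write-Warning "ECC machine certificate '$($_.Subject)' present; in this thread DirectAccess IPsec only authenticated with an RSA key."
}

# Which CA do the active IPsec rules (pushed by the DA client GPO) require?
# Compare CertName against $ExpectedIssuer; a stale name here means the GPO
# did not apply, or still carries the old SubCA.
Get-NetIPsecPhase1AuthSet -PolicyStore ActiveStore |
    Get-NetIPsecAuthProposal |
    Select-Object AuthenticationMethod, CertName, Thumbprint
```

Check the output in this order: a certificate whose `IssuerMatches` is true and `ChainValid` is true but whose `KeyAlgorithm` is ECC matches the symptom in this thread; a certificate with a false `ChainValid` (look at `ChainStatus`) means the new intermediate is not trusted or reachable for revocation, which produces the same "Connecting" state for a different reason.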
