I have a computer that was successfully connecting to our AD network via DirectAccess 2012. Yesterday I had to do a full system recovery on the computer. After rebooting, it would not connect to DirectAccess. In the security log of the DirectAccess server I see the error:
An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.
Local Endpoint:
Principal Name: host/DIRECTACCESS.ad.milwaukee.gov
Network Address: 2002:c7c4:5439::c7c4:5439
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address: 2002:c7c4:5439:1000:c144:a2f4:e02f:b1c4
Keying Module Port: 500
Additional Information:
Keying Module Name: AuthIP
Authentication Method: NTLM V2
Role: Responder
Impersonation State: Enabled
Quick Mode Filter ID: 489337
Failure Information:
Failure Point: Local computer
Failure Reason: IKE authentication credentials are unacceptable
State: Sent second (SSPI) payload
On our domain controller I see this message:
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: CHAPAN-HOME$
Source Workstation: CHAPAN-HOME
Error Code: 0xC000006A
I turned on the CAPI2 log on the DirectAccess server and it appears there is no problem with the certificate the computer is using, but for some reason the computer cannot authenticate to the domain.
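The DC error code 0xC000006A is STATUS_WRONG_PASSWORD, so the DC is rejecting the computer account's own password rather than the user's. The following PowerShell diagnostic is an added example, not part of the original post: it checks the client's secure channel to the domain, pulls the matching NTLM validation events (ID 4776) from the DC, and repairs the machine account password if the channel is broken. It assumes it runs elevated on the affected client (CHAPAN-HOME) with LAN reachability to a DC, and the DC name is a placeholder.

```powershell
# Added diagnostic, not from the original post. Run elevated on the affected
# client while it is on the corporate LAN. Replace the placeholder DC name.
$Dc = 'DC01.ad.example'   # PLACEHOLDER: a domain controller in your domain

# 0xC000006A = STATUS_WRONG_PASSWORD. After a restore from an older image the
# client can carry a machine account password the DC has already rotated past,
# which makes every AuthIP/NTLM v2 computer authentication fail exactly like this.

# 1. Does the secure channel between this computer and the domain still validate?
$channelOk = Test-ComputerSecureChannel -Verbose
Write-Host "Secure channel valid: $channelOk"

# 2. Show the latest NTLM validation results (event 4776 in the DC Security log)
#    for this machine account, so the failures can be confirmed before and after repair.
$account = "$env:COMPUTERNAME`$"          # e.g. CHAPAN-HOME$
Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4776 } -MaxEvents 500 |
    Where-Object { $_.Message -match [regex]::Escape($account) } |
    Select-Object TimeCreated,
        @{ n = 'ErrorCode'; e = { (($_.Message -split 'Error Code:\s*')[1]).Trim() } } |
    Select-Object -First 5

# 3. If the channel is broken, reset the machine account password in place instead of
#    leaving and rejoining the domain. Needs an account allowed to reset the computer object.
if (-not $channelOk) {
    $cred = Get-Credential -Message 'Account permitted to reset this computer object'
    Test-ComputerSecureChannel -Repair -Credential $cred
    # Restart the IKE and AuthIP keying module service so DirectAccess renegotiates
    # with the new credentials (a reboot does the same).
    Restart-Service -Name IKEEXT -Force
}
```

Re-run step 2 after the repair: the 4776 entries for the machine account should switch from 0xC000006A to 0x0, and the DirectAccess server should stop logging the extended mode failures.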