DirectAccess problems on 2012 RTM
Hi,
I have been trying to set up a lab using Server 2012 for DirectAccess, using a Windows Server 2008 R2 DC - I am trying to reflect our production environment.
I have confirmed the following to work:
- GPOs are distributed properly: both the server and the client receive settings
- CRLs are accessible from the internet: I used certutil to retrieve the CRL from the internet
- HTTPS tunnel is accessible from the Internet: netsh int https sh int shows the interface active
- I can ping the IPv6 address of the DirectAccess server as it is specified in the DNS server page
I believe the problem is with IPsec authentication, as I have enabled IPsec auditing and receive a lot of audit failures.
The failure reason is "No policy configured"
The Client is a Windows 7 machine and not a Windows 8 machine.
Both the computer and the server have a computer certificate using the default "Computer" template.
September 16th, 2012 7:24am
Here is the copy of the Event from the Event Log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 16.9.2012 13:00:21
Event ID: 4653
Task Category: IPsec Main Mode
Level: Information
Keywords: Audit Failure
User: N/A
Computer: W7DAC3.Matrix.int
Description:
An IPsec main mode negotiation failed.
Local Endpoint:
Local Principal Name: -
Network Address: fda8:2d23:cc0c:1000:b454:18a4:c043:bd66
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address: fda8:2d23:cc0c:1000::1
Keying Module Port: 500
Additional Information:
Keying Module Name: AuthIP
Authentication Method: Unknown authentication
Role: Initiator
Impersonation State: Not enabled
Main Mode Filter ID: 79151
Failure Information:
Failure Point: Local computer
Failure Reason: Negotiation timed out
State: Sent first (SA) payload
Initiator Cookie: f15a8d1f6872839f
Responder Cookie: 0000000000000000
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4653</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12547</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-09-16T11:00:21.353484400Z" />
<EventRecordID>3693</EventRecordID>
<Correlation />
<Execution ProcessID="532" ThreadID="2100" />
<Channel>Security</Channel>
<Computer>W7DAC3.Matrix.int</Computer>
<Security />
</System>
<EventData>
<Data Name="LocalMMPrincipalName">-</Data>
<Data Name="RemoteMMPrincipalName">-</Data>
<Data Name="LocalAddress">fda8:2d23:cc0c:1000:b454:18a4:c043:bd66</Data>
<Data Name="LocalKeyModPort">500</Data>
<Data Name="RemoteAddress">fda8:2d23:cc0c:1000::1</Data>
<Data Name="RemoteKeyModPort">500</Data>
<Data Name="KeyModName">%%8223</Data>
<Data Name="FailurePoint">%%8199</Data>
<Data Name="FailureReason">Negotiation timed out
</Data>
<Data Name="MMAuthMethod">%%8194</Data>
<Data Name="State">%%8202</Data>
<Data Name="Role">%%8205</Data>
<Data Name="MMImpersonationState">%%8217</Data>
<Data Name="MMFilterID">79151</Data>
<Data Name="InitiatorCookie">f15a8d1f6872839f</Data>
<Data Name="ResponderCookie">0000000000000000</Data>
</EventData>
</Event>
September 16th, 2012 7:28am
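The 4653 event above is the kind of record you end up collecting hundreds of when IPsec auditing is on. The following is an added example, not part of the original thread, that parses the event's XML view, resolves the %%-parameter codes using the pairs visible in the rendered description above (the mapping is limited to those codes), and flags the pattern this event shows: an initiator that timed out while its responder cookie was still all zeros, meaning no reply from the peer was ever processed. The sample event is a constructed copy of the one posted.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Windows event schema namespace carried by every <Event> element.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Resolved text for the %%-codes in the posted event, taken by matching the
# XML view against the rendered description. Other codes stay unresolved.
PARAM_STRINGS = {
    "%%8223": "AuthIP",
    "%%8199": "Local computer",
    "%%8194": "Unknown authentication",
    "%%8202": "Sent first (SA) payload",
    "%%8205": "Initiator",
    "%%8217": "Not enabled",
}

# Constructed sample: a copy of the 4653 event XML from the post above.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4653</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12547</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-09-16T11:00:21.353484400Z" />
<EventRecordID>3693</EventRecordID>
<Correlation />
<Execution ProcessID="532" ThreadID="2100" />
<Channel>Security</Channel>
<Computer>W7DAC3.Matrix.int</Computer>
<Security />
</System>
<EventData>
<Data Name="LocalMMPrincipalName">-</Data>
<Data Name="RemoteMMPrincipalName">-</Data>
<Data Name="LocalAddress">fda8:2d23:cc0c:1000:b454:18a4:c043:bd66</Data>
<Data Name="LocalKeyModPort">500</Data>
<Data Name="RemoteAddress">fda8:2d23:cc0c:1000::1</Data>
<Data Name="RemoteKeyModPort">500</Data>
<Data Name="KeyModName">%%8223</Data>
<Data Name="FailurePoint">%%8199</Data>
<Data Name="FailureReason">Negotiation timed out
</Data>
<Data Name="MMAuthMethod">%%8194</Data>
<Data Name="State">%%8202</Data>
<Data Name="Role">%%8205</Data>
<Data Name="MMImpersonationState">%%8217</Data>
<Data Name="MMFilterID">79151</Data>
<Data Name="InitiatorCookie">f15a8d1f6872839f</Data>
<Data Name="ResponderCookie">0000000000000000</Data>
</EventData>
</Event>"""


def parse_ipsec_event(xml_text):
    """Return the System fields plus the resolved EventData of one audit event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        raw = (data.text or "").strip()  # FailureReason carries a trailing newline
        event[data.get("Name")] = PARAM_STRINGS.get(raw, raw)
    return event


def peer_never_answered(event):
    """True when the initiator timed out with an all-zero responder cookie,
    i.e. no response from the peer was processed before the timeout."""
    return (event.get("Role") == "Initiator"
            and event.get("FailureReason") == "Negotiation timed out"
            and set(event.get("ResponderCookie", "")) == {"0"})


def summarize_failures(events):
    """Count main-mode failures (4653) per (remote address, failure reason)."""
    return Counter((e["RemoteAddress"], e["FailureReason"])
                   for e in events if e["event_id"] == 4653)


if __name__ == "__main__":
    ev = parse_ipsec_event(SAMPLE_EVENT)
    print(ev["computer"], ev["RemoteAddress"], ev["FailureReason"])
    print("peer never answered:", peer_never_answered(ev))
```

Exporting the Security log as XML and feeding each `<Event>` through `parse_ipsec_event` gives a quick per-peer count; a run of 4653 events where `peer_never_answered` is true points at a transport or firewall problem in front of the responder rather than at a certificate or policy mismatch, which would normally produce a different failure reason after at least one exchange.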
Hi,
Have you tested with a Windows 8 client to see if that works?
Start by verifying that you have selected "Enable Windows 7 client computers to connect via DirectAccess"; it is not selected by default.
You can find it by opening the Remote Access Management Console, clicking Edit for Step 2 (Remote Access Server) and then looking at "Authentication".
Best wishes,
Jonas Blom
Jonas Blom | Relevo AB |
http://blog.nrpt.se
September 17th, 2012 3:59am
Hi,
Yes, I have verified, that Windows 7 clients are enabled.
I don't have any Windows 8 clients yet.
Regards,
S
September 17th, 2012 4:45am
Hi again,
Can you post a log from DCA from the Windows 7 client?
I often do a quick test to make sure that it is something with the IPSec-tunnels and that it's not related to anything else internally.
Use nslookup and set the IPv6 address listed in the NRPT as DNS server and see if you can do DNS lookups?
Since it is not ICMP it will try to go through the IPSec tunnels but is still destined to the DA server.
Another thing is to enable CAPI2 logs to see if you can see any certificate-related errors when the client tries to establish the IPSec tunnels.
Best wishes,
Jonas Blom
Jonas Blom | Relevo AB |
http://blog.nrpt.se
September 17th, 2012 7:51am
Hi,
I don't have DCA installed.
I can't post them right now, as I am rebuilding the client from scratch.
So you need output from:
netsh dns show state
netsh name show effective
And the diagnostic for the SAs?
CAPI2 logging is enabled as described here:
http://blogs.technet.com/b/pki/archive/2006/12/16/the-easy-way-of-crl-troubleshooting-in-windows-vista.aspx
right?
Regards,
Simon
September 17th, 2012 8:06am
Hi again,
The DCA logs give a lot of different information.
So I always ask for it to be able to quickly look through it. (A good way to avoid missing something obvious that deviates from the standard.)
The commands you posted are of course interesting, but since you can reach the DA server the most important part is regarding the certificate.
(The output from certutil -store my)
If there's nothing strange there, the next suggestion would be to go through the IPSec rules and compare the authentication settings between your client and the DA server to see if something differs.
(There is also a setting that the Windows Firewall GUI doesn't show that you can only see in the GPO that could be interesting to verify)
Regarding the CAPI2 log, the information on how to enable it is correct.
Clear the log and try to access the DNS service on your DA server and see if you get any errors in it.
Best wishes,
Jonas Blom
Jonas Blom | Relevo AB |
http://blog.nrpt.se
September 17th, 2012 2:41pm
Hi,
Thank you for taking a look at this. I don't have DCA configured, so I will try capturing most of the things needed.
Here are outputs:
NETSH INT HTTP SHOW INT
Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role : client
URL :
https://uagda.src.si:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface active
DNS Effective Name Resolution Policy Table Settings
Settings for MATRIXDA.Matrix.int
----------------------------------------------------------------------
Certification authority :
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) :
DirectAccess (Proxy Settings) : Use default browser settings
Settings for .Matrix.int
----------------------------------------------------------------------
Certification authority :
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) : fda8:2d23:cc0c:3333::1
DirectAccess (Proxy Settings) : Bypass proxy
Name Resolution Policy Table Options
--------------------------------------------------------------------
Query Failure Behavior : Always fall back to LLMNR and
NetBIOS for any kinds
of errors
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Let Network ID determine when Direct
Access settings are to
be used
Machine Location : Outside corporate network
Direct Access Settings : Configured and Enabled
DNSSEC Settings : Not Configured
IPsec output shows no SAs match, for both quick mode and main mode.
my
================ Certificate 0 ================
Serial Number: 1a4f1c8a00000000000a
Issuer: CN=Matrix CA, DC=Matrix, DC=int
NotBefore: 17.9.2012 15:48
NotAfter: 17.9.2013 15:48
Subject: CN=W7DAC4.Matrix.int
Certificate Template Name (Certificate Type): Machine
Non-root Certificate
Template: Machine
Cert Hash(sha1): 80 b8 68 10 b2 ee 39 f2 4a f7 22 e6 12 63 b2 a8 84 a5 4a d9
Key Container = 03e559fb1e7c9ba25db87da4e5e9b1cf_0fc63c2c-6954-490b-80ec-c890711aba2c
Simple container name: le-Machine-ceb9325a-d563-4fba-8f09-87882caaa995
Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.
Also CAPI2 logging is enabled and nothing happens there...
September 17th, 2012 2:56pm
Also,
I noticed this on the VM:
Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\CVPNDRVA.sys
I am using a CISCO VPN client to grab the GPOs.
Do you think it could be related?
September 17th, 2012 3:04pm
Sounds really strange, as long as the client gets the GPO settings and has a valid machine certificate it should more or less work.
Have you double-checked the machine certificate on the DA server also?
//Jonas
Jonas Blom | Relevo AB |
http://blog.nrpt.se
September 17th, 2012 3:33pm
Hi,
Here are certificate outputs from the server. It is a mystery to me too. The lab was built from scratch: new install of DC, with clean GPOs, new DA server, and new client. One thing: I am using the same certificate for the NLS and IPsec. Could that be a problem?
my "Personal"
================ Certificate 0 ================
Serial Number: 1437f8f4000000000007
Issuer: CN=Matrix CA, DC=Matrix, DC=int
NotBefore: 16.9.2012 11:25
NotAfter: 16.9.2014 11:25
Subject: CN=uagda.src.si, C=SI
Certificate Template Name (Certificate Type): WebServer
Non-root Certificate
Template: WebServer, Web Server
Cert Hash(sha1): ab c7 2f 7e ab 63 3f e5 44 51 db 6a f8 3f ff 0a 25 5a 17 57
Key Container = 64d1dda8ffeb73a98600c4a11c9bc859_4ba10873-1ba4-4cb2-9b0f-479e909e1184
Provider = Microsoft RSA SChannel Cryptographic Provider
Missing stored keyset
================ Certificate 1 ================
Serial Number: 376379758c5ababc4d430f9e665d5c2e
Issuer: CN=DirectAccess-RADIUS-Encrypt-MATRIXDA.Matrix.int
NotBefore: 16.9.2012 10:03
NotAfter: 16.9.2017 12:13
Subject: CN=DirectAccess-RADIUS-Encrypt-MATRIXDA.Matrix.int
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 88 d2 e6 ea a1 0a a4 5b b9 11 85 36 10 98 72 b7 a0 89 77 54
Key Container = 6cd8f3add549b224485be3b117db1f56_4ba10873-1ba4-4cb2-9b0f-479e909e1184
Provider = Microsoft Strong Cryptographic Provider
Missing stored keyset
================ Certificate 2 ================
Serial Number: 1437f6d2000000000006
Issuer: CN=Matrix CA, DC=Matrix, DC=int
NotBefore: 16.9.2012 11:25
NotAfter: 16.9.2013 11:25
Subject: CN=MATRIXDA.Matrix.int
Certificate Template Name (Certificate Type): Machine
Non-root Certificate
Template: Machine, Computer
Cert Hash(sha1): 5a bf 25 f6 64 38 11 f1 1f f8 a6 a3 55 86 40 d6 db 9c fa 71
Key Container = b4a3d5d0cd5bb9de28a26548a1b6a35b_4ba10873-1ba4-4cb2-9b0f-479e909e1184
Provider = Microsoft RSA SChannel Cryptographic Provider
Missing stored keyset
CertUtil: -store command completed successfully.
September 17th, 2012 3:54pm
Based on your earlier postings and the list of certificates in the last post, it looks like you have two different certificates (Cert 0 for the IPHTTPS interface and Cert 2 for the machine/ipsec connections)
I can't really see a problem with that combination/setup, but it could of course be that your server tries to use Cert 0 to establish the IPSec tunnel and then it fails since the WebServer template only has Server Authentication configured.
(But then you should really see something in the CAPI2 log on the client and/or the server)
//Jonas
Jonas Blom | Relevo AB |
http://blog.nrpt.se
September 17th, 2012 4:10pm
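The certificate review in the posts above (which template each certificate came from, whether certutil could open its private key, when it expires) is easy to do by eye for three certificates and tedious for a store with thirty. As an added example, not from the thread or from any Microsoft tool, here is a small parser for the `certutil -store` text layout shown above, plus the three checks the discussion turns on. The sample input is a constructed copy of the server-side listing; the date format assumes the day.month.year locale the output was posted in.

```python
import re
from datetime import datetime

# Constructed sample in the layout certutil -store my prints; contents copied
# from the server-side listing in the thread.
SAMPLE_STORE = """my "Personal"
================ Certificate 0 ================
Serial Number: 1437f8f4000000000007
Issuer: CN=Matrix CA, DC=Matrix, DC=int
NotBefore: 16.9.2012 11:25
NotAfter: 16.9.2014 11:25
Subject: CN=uagda.src.si, C=SI
Certificate Template Name (Certificate Type): WebServer
Non-root Certificate
Template: WebServer, Web Server
Cert Hash(sha1): ab c7 2f 7e ab 63 3f e5 44 51 db 6a f8 3f ff 0a 25 5a 17 57
Key Container = 64d1dda8ffeb73a98600c4a11c9bc859_4ba10873-1ba4-4cb2-9b0f-479e909e1184
Provider = Microsoft RSA SChannel Cryptographic Provider
Missing stored keyset
================ Certificate 1 ================
Serial Number: 376379758c5ababc4d430f9e665d5c2e
Issuer: CN=DirectAccess-RADIUS-Encrypt-MATRIXDA.Matrix.int
NotBefore: 16.9.2012 10:03
NotAfter: 16.9.2017 12:13
Subject: CN=DirectAccess-RADIUS-Encrypt-MATRIXDA.Matrix.int
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 88 d2 e6 ea a1 0a a4 5b b9 11 85 36 10 98 72 b7 a0 89 77 54
Key Container = 6cd8f3add549b224485be3b117db1f56_4ba10873-1ba4-4cb2-9b0f-479e909e1184
Provider = Microsoft Strong Cryptographic Provider
Missing stored keyset
================ Certificate 2 ================
Serial Number: 1437f6d2000000000006
Issuer: CN=Matrix CA, DC=Matrix, DC=int
NotBefore: 16.9.2012 11:25
NotAfter: 16.9.2013 11:25
Subject: CN=MATRIXDA.Matrix.int
Certificate Template Name (Certificate Type): Machine
Non-root Certificate
Template: Machine, Computer
Cert Hash(sha1): 5a bf 25 f6 64 38 11 f1 1f f8 a6 a3 55 86 40 d6 db 9c fa 71
Key Container = b4a3d5d0cd5bb9de28a26548a1b6a35b_4ba10873-1ba4-4cb2-9b0f-479e909e1184
Provider = Microsoft RSA SChannel Cryptographic Provider
Missing stored keyset
CertUtil: -store command completed successfully.
"""

BLOCK_HEADER = re.compile(r"^=+ Certificate (\d+) =+$")
DATE_FORMAT = "%d.%m.%Y %H:%M"  # day.month.year, as in the posted output


def parse_certutil_store(text):
    """Split certutil -store output into one dict per certificate.
    'Key: Value' and 'Key = Value' lines become fields; bare status lines
    such as 'Missing stored keyset' are collected under 'flags'."""
    certs, current = [], None
    for line in text.splitlines():
        line = line.strip()
        header = BLOCK_HEADER.match(line)
        if header:
            current = {"index": int(header.group(1)), "flags": []}
            certs.append(current)
            continue
        if current is None or line.startswith("CertUtil:"):
            continue  # store name line before the first block, or the trailer
        if ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip()] = value.strip()
        elif " = " in line:
            key, value = line.split(" = ", 1)
            current[key.strip()] = value.strip()
        elif line:
            current["flags"].append(line)
    return certs


def machine_auth_candidates(certs):
    """Subjects issued from the Machine/Computer template, the ones IPsec
    machine authentication is expected to use in this setup."""
    return [c["Subject"] for c in certs
            if any(t.strip() in ("Machine", "Computer")
                   for t in c.get("Template", "").split(","))]


def without_private_key(certs):
    """Subjects whose private key certutil could not open."""
    return [c["Subject"] for c in certs if "Missing stored keyset" in c["flags"]]


def expired_at(certs, when):
    """Subjects whose NotAfter lies before the given datetime."""
    return [c["Subject"] for c in certs
            if datetime.strptime(c["NotAfter"], DATE_FORMAT) < when]


if __name__ == "__main__":
    store = parse_certutil_store(SAMPLE_STORE)
    print("IPsec candidates:", machine_auth_candidates(store))
    print("no private key:", without_private_key(store))
    print("expired by 2013-10-01:", expired_at(store, datetime(2013, 10, 1)))
```

Run against the real output of `certutil -store my` (redirected to a file) on both the client and the DA server: if `machine_auth_candidates` returns nothing on one side, or the certificate it returns shows up in `without_private_key`, that side cannot complete certificate-based main mode regardless of what the connection security rules say.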
This is one of the errors that I get from a CAPI2 output..
+ System
- Provider
[ Name] Microsoft-Windows-CAPI2
[ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
EventID 30
Version 0
Level 2
Task 30
Opcode 0
Keywords 0x4000000000000001
- TimeCreated
[ SystemTime] 2012-09-17T20:13:50.175168300Z
EventRecordID 6
Correlation
- Execution
[ ProcessID] 512
[ ThreadID] 1528
Channel Microsoft-Windows-CAPI2/Operational
Computer MATRIXDA.Matrix.int
- Security
[ UserID] S-1-5-20
- UserData
- CertVerifyCertificateChainPolicy
- Policy
[ type] CERT_CHAIN_POLICY_SSL
[ constant] 4
- Certificate
[ fileRef] 0598E8120FDEDA8EA3C3F9067027685DCC594C19.cer
[ subjectName] MATRIXDA.Matrix.int
- CertificateChain
[ chainRef] {DF706D8C-06D9-4514-8040-453FB55934DA}
- Flags
[ value] 0
- SSLAdditionalPolicyInfo
[ authType] server
- IgnoreFlags
[ value] 280
[ SECURITY_FLAG_IGNORE_REVOCATION] true
[ SECURITY_FLAG_IGNORE_WRONG_USAGE] true
- Status
[ chainIndex] 0
[ elementIndex] 0
- EventAuxInfo
[ ProcessName] lsass.exe
[ impersonateToken] S-1-5-20
- CorrelationAuxInfo
[ TaskId] {DACC0624-86A2-4565-9708-7FEEFFEAEE9E}
[ SeqNumber] 1
- Result A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
[ value] 800B0109
September 17th, 2012 4:33pm
That one is from the server. The only thing that is an error I receive on the clients is some errors with not being able to download CRLs from Microsoft, nothing wrong with mine :)
I checked on the server, I have root certificates installed in the machine store in trusted root certification authority.
September 17th, 2012 4:41pm
Hmm,
Read through all your posts again, to make sure I didn't miss anything.
Do a test and change the NLS url to another name that is different from the hostname of the DA server.
I honestly cannot see that it would block the IPSec tunnels from establishing since you cannot even do a DNS lookup before establishing the IPSec tunnels... but when you do a Quick Setup with the Wizard that Microsoft created it always separates the NLS from the computer name. So there might be something with that setup.
//Jonas
Jonas Blom | Relevo AB |
http://blog.nrpt.se
September 17th, 2012 5:04pm
I tried creating a new certificate on the DA host, created a DNS A record for the host name. But the configuration did not finish as expected as the Hostname did not resolve to a DirectAccess server.
I did however move the NLS to another server. Still no success :(
September 17th, 2012 5:32pm
Have you tried forcing the client to connect over Teredo instead of IPHTTPS to see if you get any changes?
And perhaps dump the network traffic to try to pinpoint where in the handshake it fails?
Jonas Blom | Relevo AB |
http://blog.nrpt.se
September 18th, 2012 5:17am
I can't really fallback to Teredo because the DA server is behind a NAT. Or can I fall back to Teredo even behind NAT?
I will try to get a network capture, Do I do a network capture on the physical interface or is the Https Interface enough?
September 18th, 2012 5:39am
Hi,
No then you're not able to switch to Teredo.
Yes, you need to capture the traffic on the IPHTTPS interface, something that Wireshark for example will not be able to do since it cannot see the interface (at least the last time I tried). Network Monitor will be able to, though.
The fact that Teredo is not encrypted makes you able to capture the traffic on the host interface; that's why it is so nice to be able to switch back to Teredo when troubleshooting.
Jonas Blom | Relevo AB |
http://blog.nrpt.se
September 18th, 2012 6:54am
I have the capture. Can I upload it somewhere?
But what was interesting is I get a lot of notifications "First exchange with an unknown peer SPN, Initiator provide proposal TLS for negotiation."
September 18th, 2012 7:51am
I guess I finally entered the 21st century, my first skydrive shared file :)
https://skydrive.live.com/redir?resid=587A7695C13E5E7E!128&authkey=!AG__oKtBy96R7Qg
I posted the capture from the https interface, hope it provides some clues to you, as I can't really tell anything useful from it..
September 18th, 2012 4:42pm
The traffic capture looks really strange, you only have traffic flowing from your client to the server in the capture you uploaded.
Can you try and look at the traffic flow in your NAT firewall (and on your DA server) to see if/that incoming packets reach the DA server and that outgoing responses are sent and can pass the NAT firewall?
Jonas Blom | Relevo AB |
http://blog.nrpt.se
September 19th, 2012 4:43am
Hi,
This is the Server capture:
https://skydrive.live.com/redir?resid=587A7695C13E5E7E!129&authkey=!AArush6yfegdNJE
Ok, at first I got "IPsec invalidated by old policy", but that didn't repeat here. I also ran gpresult /z on the server and I got the following, which would seem to indicate that GPOs don't get applied, but the settings are all there in the connection security rules:
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2012 Microsoft Corporation. All rights reserved.
Created on 19.9.2012 at 11:31:35
RSOP data for MATRIX\ITSG on MATRIXDA : Logging Mode
-----------------------------------------------------
OS Configuration: Member Server
OS Version: 6.2.9200
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\ITSG
Connected over a slow link?: No
USER SETTINGS
--------------
CN=ITSG,CN=Users,DC=Matrix,DC=int
Last time Group Policy was applied: 19.9.2012 at 11:31:19
Group Policy was applied from: DC1.Matrix.int
Group Policy slow link threshold: 500 kbps
Domain Name: MATRIX
Domain Type: Windows 2008 or later
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
DirectAccess Server Settings
Filtering: Disabled (GPO)
DirectAccess Client Settings
Filtering: Disabled (GPO)
Default Domain Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Netmon Users
BUILTIN\Users
BUILTIN\Administrators
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Domain Admins
Group Policy Creator Owners
Schema Admins
Enterprise Admins
Denied RODC Password Replication Group
High Mandatory Level
The user has the following security privileges
----------------------------------------------
Resultant Set Of Policies for User
-----------------------------------
Software Installations
----------------------
N/A
Logon Scripts
-------------
N/A
Logoff Scripts
--------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
----------------------------------------
N/A
Internet Explorer Connection
----------------------------
N/A
Internet Explorer URLs
----------------------
N/A
Internet Explorer Security
--------------------------
N/A
Internet Explorer Programs
--------------------------
N/A
September 19th, 2012 5:47am
First, the gpresult.
The results you see are from a user context; you need to run it in an elevated cmd.exe with the flag /scope:computer (ex: gpresult /r /scope:computer)
Regarding your trace, it doesn't contain any responses sent from the server to the client either. I must say that you have gotten yourself a tough LAB environment :)
Some other things to do:
* Check that related services are running as they should: IP Helper, IPSec Policy Agent, IKE and AuthIP IPSec Keying Modules
* Enable logging of allowed/dropped packets in the Windows firewall to try and find traffic that shouldn't get dropped.
* Enable the logs in Eventviewer for Windows Firewall (found below Application and Services Logs\Microsoft\Windows Firewall with Advanced Settings)
Jonas Blom | Relevo AB |
http://blog.nrpt.se
September 19th, 2012 8:15am
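Once packet logging is enabled in the Windows firewall as suggested above, the resulting pfirewall.log is a W3C-style text file with a `#Fields:` header. The following is an added example, not code from the thread or from Microsoft, that reads that layout and pulls out the dropped packets on the ports the DirectAccess transport uses (UDP 500 for IKE/AuthIP, UDP 4500 for NAT-T, TCP 443 for IP-HTTPS), keeping the SEND/RECEIVE direction so a dropped outbound reply stands out. The log lines and addresses are constructed and are not from the capture in the thread.

```python
from collections import Counter

# Constructed sample in the layout of %systemroot%\system32\LogFiles\Firewall\pfirewall.log.
# Addresses are documentation ranges, not from the thread.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-09-19 11:20:01 ALLOW UDP 203.0.113.10 198.51.100.5 500 500 0 - - - - - - - RECEIVE
2012-09-19 11:20:01 DROP UDP 198.51.100.5 203.0.113.10 500 500 0 - - - - - - - SEND
2012-09-19 11:20:03 ALLOW TCP 203.0.113.10 198.51.100.5 51234 443 0 - 0 0 0 - - - RECEIVE
2012-09-19 11:20:05 DROP UDP 203.0.113.10 198.51.100.5 4500 4500 0 - - - - - - - RECEIVE
2012-09-19 11:20:06 ALLOW ICMP 203.0.113.10 198.51.100.5 - - 0 - - - - 8 0 - RECEIVE
"""

# Destination ports that carry DirectAccess keying or tunnel traffic.
IPSEC_PORTS = {
    ("UDP", 500): "IKE/AuthIP",
    ("UDP", 4500): "IPsec NAT-T",
    ("TCP", 443): "IP-HTTPS",
}


def parse_pfirewall_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue  # other header lines
        if fields is None:
            raise ValueError("data line seen before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def ipsec_drops(records):
    """Dropped packets whose destination port belongs to IKE/AuthIP, NAT-T or IP-HTTPS,
    labelled with the service and the direction from the 'path' column."""
    hits = []
    for r in records:
        if r["action"] != "DROP" or not r["dst-port"].isdigit():
            continue
        label = IPSEC_PORTS.get((r["protocol"], int(r["dst-port"])))
        if label:
            hits.append({
                "time": r["date"] + " " + r["time"],
                "what": label,
                "direction": r["path"],
                "src": r["src-ip"],
                "dst": r["dst-ip"],
            })
    return hits


def drop_counts(hits):
    """Count drops per (service, direction); an outbound IKE drop means the
    responder built a reply that never left the host."""
    return Counter((h["what"], h["direction"]) for h in hits)


if __name__ == "__main__":
    drops = ipsec_drops(parse_pfirewall_log(SAMPLE_LOG))
    for h in drops:
        print(h["time"], h["what"], h["direction"], h["src"], "->", h["dst"])
    print(drop_counts(drops))
```

Point it at the server's log first: if the client's traces show requests leaving and nothing returning, a `("IKE/AuthIP", "SEND")` drop on the server narrows the problem to the server's own firewall rules, while a clean server log with no matching RECEIVE entries at all pushes the investigation out to the NAT device.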
Ok, glad to understand the gpresult result.
It shouldn't be tough, as there was absolutely no legacy :). Everything is installed from scratch, from the servers to the client.
All services are up and running.
I will enable the logging and report back.
I do not protect the domain profile in the Windows firewall, could that be affecting it?
Also the Isatap adapter on the server is enabled, should it be enabled?
September 19th, 2012 8:43am
Hi again,
If you don't have ISATAP implemented internally for something, then remove it and rerun the configuration so you will get a fresh setup without using the ISATAP prefix.
(It shouldn't be a problem to have ISATAP but it adds another complexity to the setup)
Jonas Blom | Relevo AB |
http://blog.nrpt.se
September 19th, 2012 9:18am
Hey,
I enabled firewall auditing as specified here:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb736284(v=vs.85).aspx
Here is the security log; I cleared it before :)
http://sdrv.ms/PI6UCP
You can see an allowed inbound connection on port 500 UDP, and the next thing is the IPsec main mode audit failure.
Just one question, can I have manage out without ISATAP?
September 19th, 2012 3:52pm