New certificate (CA) - Direct Access

Hey

We have demoted an old CA (2003) and created a new 2012 R2 CA (completely new PKI infrastructure).

Is it possible to "accept" both CAs in Direct Access? (for a couple of months - until all the clients have requested a certificate from the new CA)

Thanks in advance

Mike

January 28th, 2015 6:30pm

Hi,

No, it's not possible. At the IPsec tunnel level only one CA is referenced.

January 29th, 2015 1:23am

Hey

After adding the new CA to "First Authentication -> DirectAccess - Phase 1 Auth Set" - (to the DirectAccess GPOs) it seems to be working with certificates from both CAs.

Mike

January 29th, 2015 4:05pm

Hi,

Not tested this, but maybe it works because you have a two-tier PKI infrastructure and didn't revoke your old sub CA providing certificates for your clients, or your CRL is still not updated on your clients and can be valid for 7 days.

You should be careful, because if something fails in the computer certificate checks, your client will not be able to connect to your infrastructure.

February 2nd, 2015 9:37am

Hi,

Not sure. Strong CRL check is not enabled at the DirectAccess client level. Have a look at NETSH ADVFIREWALL SHOW GLOBAL. The StrongCRLCheck parameter is disabled.

February 2nd, 2015 1:05pm

Cool to see that it works, but also beware of your configuration because it is generally not supported to manually modify the GPO settings (in any way). Your changes could be overwritten by the Remote Access wizard, so it may work today and may break tomorrow. Also, if you ever need to contact Microsoft for support this could present a problem.
February 2nd, 2015 2:01pm

Logic: https://technet.microsoft.com/en-us/library/ee649169(v=ws.10).aspx

"If you enable strong CRL checking and the DirectAccess server cannot reach the CRL distribution point, certificate-based IPsec authentication for all DirectAccess connections will fail.

If you are using Network Access Protection (NAP) with DirectAccess and you enable strong CRL checking, certificate-based IPsec authentication for all DirectAccess connections will fail. Health certificates do not contain CRL distribution points because their lifetime is on the order of hours, instead of years for computer certificates"
February 2nd, 2015 4:51pm
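The two things the thread turns on are (a) which CAs the DirectAccess IPsec phase 1 authentication set actually accepts for computer-certificate authentication, and (b) whether StrongCRLCheck is on, which decides whether a CRL problem silently passes or breaks every tunnel. The script below is an added example written for this page, not code from the thread or from Microsoft; it reads the policy currently in effect on a machine (the ActiveStore, i.e. whatever the DirectAccess GPO delivered) and lists every CA trusted for certificate authentication, so that after a CA migration you can confirm the new CA is present and the old one is removed once the last client has re-enrolled. It assumes the NetSecurity module (Windows 8.1 / Server 2012 R2 and later), an elevated prompt, and the auth-set display name "DirectAccess - Phase 1 Auth Set" quoted in the thread; the proposal properties it reads (AuthenticationMethod, Authority, AuthorityType) are those exposed by Get-NetIPsecAuthProposal, so check them with Get-Member if your build differs.

```powershell
# Added example: enumerate the IPsec phase 1 CAs in effect and read StrongCRLCheck.
# Not from the original thread. Run elevated on a DirectAccess client or server.
param(
    # Assumption: the auth-set name used by the DirectAccess wizard, as quoted in the thread.
    [string] $AuthSetNameFilter = 'DirectAccess - Phase 1 Auth Set'
)

function Get-DaPhase1CertAuthorities {
    param([string] $NameFilter)
    # ActiveStore = the merged policy currently applied, regardless of which GPO delivered it.
    $authSets = Get-NetIPsecPhase1AuthSet -PolicyStore ActiveStore |
        Where-Object { $_.DisplayName -like "*$NameFilter*" }

    foreach ($set in $authSets) {
        $proposals = Get-NetIPsecAuthProposal -AssociatedNetIPsecPhase1AuthSet $set
        foreach ($p in $proposals) {
            # Only certificate-based proposals (MachineCert / UserCert) carry a CA name.
            if ($p.AuthenticationMethod -like '*Cert') {
                [pscustomobject]@{
                    AuthSet       = $set.DisplayName
                    Method        = $p.AuthenticationMethod
                    Authority     = $p.Authority       # CA subject DN
                    AuthorityType = $p.AuthorityType   # Root or Intermediate
                }
            }
        }
    }
}

function Get-StrongCrlCheck {
    # netsh prints a line such as "StrongCRLCheck   0:Disabled"; values are 0, 1 or 2.
    $line = netsh advfirewall show global | Select-String -Pattern 'StrongCRLCheck'
    if ($line -and ($line.Line -match 'StrongCRLCheck\s+(\d)')) {
        return [int]$Matches[1]
    }
    return $null
}

$authorities = @(Get-DaPhase1CertAuthorities -NameFilter $AuthSetNameFilter)
if ($authorities.Count -eq 0) {
    Write-Warning "No certificate proposals found in an auth set matching '$AuthSetNameFilter'."
} else {
    $authorities | Format-Table -AutoSize
    $distinct = @($authorities.Authority | Sort-Object -Unique)
    Write-Host "Distinct CAs accepted for certificate authentication: $($distinct.Count)"
    $distinct | ForEach-Object { Write-Host "  $_" }
    if ($distinct.Count -gt 1) {
        Write-Host "More than one CA is trusted; remove the retired CA once all clients have re-enrolled."
    }
}

switch (Get-StrongCrlCheck) {
    0       { Write-Host 'StrongCRLCheck = 0: revocation failures do not block IPsec (the case in the thread)' }
    1       { Write-Host 'StrongCRLCheck = 1: authentication fails only if the certificate is definitely revoked' }
    2       { Write-Host 'StrongCRLCheck = 2: authentication fails on any CRL check error (unreachable CDP included)' }
    default { Write-Host 'StrongCRLCheck value not found in netsh output' }
}
```

Run it on a client that still holds a certificate from the old CA and on one that has re-enrolled; both should show the same auth set, and the list tells you exactly which CAs the tunnel will accept. Because the DirectAccess wizard can rewrite the GPO, as the later reply warns, re-run the check after any pass through the Remote Access console to confirm the manual CA addition survived.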