Archives mensuelles : juillet 2011

Troubleshooting NAP with DirectAccess

These days, I spend most of my work time with DirectAccess and Network Access Protection (including night!). During A Poc, I was surprised to see a NAP client considered as compliant unable to access the internal Network. Problem, by default NAP client is not configured to trace relevant events. The Group Policy generated by Forefront UAG does not include this option. A little NETSH.EXE magic command can solve this problem :

NAPTRACING

 

Once tracing is activated, I was able to find the following event. NAP client is considered as compliant, but cannot get a certificate from the Health Registration Authority.

HRABUG0

 

Let’s keep in mind that Correlation ID and try to find a corresponding event in the SYSTEM log of my UAG box that is also my HRA. And I can find an event with the same correlation ID. And now the problem appears : 0x80070005, witch is the nick name for Access Denied!

HRABUG1

 

My Health registration does not have the required privileges in order to submit the System Health Authentication certificate. Hera are the good permissions.

HRABUG2

 

Don’t forget to restart the Certificate Services services to make the new permissions operational. Keep this URL in the bookmark of your favorite browser : Network Access Protection Troubleshooting guide.

 

DirectAccess project rule n°1 : always check prerequisites twice, it’s never enough!

 

BenoitS – Simple and Secure by Design but Business compliant

Opinion required on a DirectAccess book chapter

Another new Forefront MVP and I are writing a book on our favorite DirectAccess. We spend a lot of time to create a reference book in French language. We are progressing fast and now we need your option on the last chapter : DirectAccess and beyond.

 

What do you want to see in this chapter (NAP, SCCM integration, IPv6, alternate firewall, alternate enrollment process, …). We have many ideas but our publisher would not appreciate us to write a one thousand pages book. If you have good subjects, you can give your ideas on our French Forefront Facebook group : https://www.facebook.com/microsoft.forefront

 

Note : MultiCast NLB may not be a good Idea, choose something else!

 

Benoît – Simple and Secure by design but Business compliant.