Monthly archives: August 2011

DirectAccess Deployment Tip: Don’t go too fast to deploy clients!

During a recent DirectAccess deployment, we encountered a special case that I call “too fast to deploy DA clients”. Some DirectAccess clients were operational but others were not. When we started troubleshooting, we noticed that all the failed computers shared the same issue: no IPsec certificate. Everything was OK, except the IPsec certificate.

The challenge: how to restore DirectAccess connectivity without returning these computers to France? We could have started building a complex infrastructure to distribute IPsec certificates, but we were short on time. Because all the computers were in the same location, we had an idea: why not use another computer to request computer certificates on behalf of the others? That’s a good idea. Let’s see how to do this magic trick.

First of all, we need another certificate template for these DirectAccess clients. If we look at some properties of my default DA certificate template, we can see that the DNS name information is retrieved from Active Directory. Even if we include this information in a certificate request file, it will be ignored. For this reason, we need an extra certificate template. This new template is based on my existing DA certificate template, except for a few points that must be changed. In my lab, the new certificate template is named “Offline Da Certificate”.

A new certificate template

In my view, the lifetime of certificates issued from this special template must be limited to one day. This is not a normal situation: once DirectAccess connectivity is restored, we no longer need this certificate.

Second point: we need to allow the private key to be exported. This is mandatory; otherwise, the certificate will be useless once imported on the computer that has the problem.

And most important, we must reconfigure how ADCS generates the subject name that is written into issued certificates. By default, this information is extracted from Active Directory. We cannot use this option; the information will be supplied in the request. Note that in the capture below, the checkbox “Use Subject information from existing certificates for Auto enrollment renewal request” is not checked. This is a temporary certificate, so there is no need to renew it!

Request an Offline certificate

Once this new certificate template is published and available to the DirectAccess client computers, we can start. On an operational DirectAccess client computer, we must log on with the required privileges. Our goal is to request a computer certificate on behalf of another computer. In my case, CLIENT1.DIRECTACCESSLAB.LAN is operational and CLIENT2.DIRECTACCESSLAB.LAN is not. So let’s perform a computer certificate enrollment, online, thanks to DirectAccess. This is a classic new request; there is no need to perform the request offline.

We will choose “Offline Da Certificate”, but before enrolling, more information is required. So let’s fill in the blanks.

The first missing piece of information is the subject name. We need it twice: as a distinguished name and also in DNS format. Because this information is no longer extracted from Active Directory, we must provide it. We could stop here and submit the request, but the simple way does not mean the dirty way.

On the General tab, we provide a friendly name for the certificate and a description. The description will be useful: at the end of the process, CLIENT2.DIRECTACCESSLAB.LAN will have DirectAccess operational and two certificates. How will we know which one to remove?

The request was processed. We now have two certificates on CLIENT1.DIRECTACCESSLAB.LAN. Fortunately, we can tell which certificate to export.

Most important, we must export this certificate with its private key. Otherwise, the certificate will be unusable on CLIENT2.DIRECTACCESSLAB.LAN. So don’t forget to check the right checkbox!

A computer with multiple identities will cause problems in the short term. To avoid them, I recommend deleting the private key once the export has been performed.

Because we export the private key, this sensitive information must be secured in the PFX file.

Import certificate on Failed DirectAccess client

Now let’s move to CLIENT2.DIRECTACCESSLAB.LAN and import the certificate into the Computer node. Of course, we have the required information, …

And like magic, we have an IPsec certificate available in the computer node. This is a temporary certificate. Now it’s time to restore DirectAccess connectivity.

Restarting the computer is one solution, but if you have the privileges required to import a certificate into the computer store, you can also restart the IP Helper service.

This is not magic, this is only DirectAccess. Below, we can see that I have an IPHTTPS tunnel. Great. Let’s see if it works.

A simple “NETSH.EXE ADVFIREWALL MONITOR SHOW MMSA” proves that we have IPsec tunnels. But we can do more: we can prove that this computer is now able to request its missing DA certificate.

Simply run “CERTUTIL.EXE -PULSE” and the computer will contact the enrollment servers to see which certificates can be enrolled.

Yes, the right one. Our failing CLIENT2.DIRECTACCESSLAB.LAN was able to enroll its missing certificate. The problem is that we now have two valid certificates. How can we be sure to delete the right one?

Have a look at the description extension field. That’s why I always fill it in.
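
The cleanup step, as an added PowerShell example that is not from the original post: it lists the computer certificates with the properties needed to tell them apart, then removes the temporary one together with its private key. The friendly name `Temporary offline DA` and the parameter names are assumptions (the post does not give the text typed on the General tab); it needs PowerShell 3.0 or later and assumes both certificates carry the DNS name.

```powershell
# Added example, not from the original post. Run from an elevated prompt:
# on CLIENT1 after the PFX export (-SkipReplacementCheck), on CLIENT2 after CERTUTIL -PULSE.
param(
    # Assumption: the friendly name typed on the General tab of the request.
    [string]$TempFriendlyName = 'Temporary offline DA',
    # CLIENT1 never receives a replacement for CLIENT2's certificate.
    [switch]$SkipReplacementCheck,
    # Without -Commit, Remove-Item only reports what it would delete.
    [switch]$Commit
)

# The offline template is valid for one day; two days leaves some margin.
$maxTempLifetime = New-TimeSpan -Days 2
$templateOid     = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension

$certs = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        DnsName       = $_.GetNameInfo('DnsName', $false)
        FriendlyName  = $_.FriendlyName
        Template      = if ($tpl) { $tpl.Format($false) } else { '' }
        NotAfter      = $_.NotAfter
        Lifetime      = $_.NotAfter - $_.NotBefore
        HasPrivateKey = $_.HasPrivateKey
    }
}
$certs | Format-List | Out-Host

# Temporary certificate: expected friendly name AND the short lifetime of the offline template.
$temp = @($certs | Where-Object {
    $_.FriendlyName -eq $TempFriendlyName -and $_.Lifetime -le $maxTempLifetime
})
if ($temp.Count -eq 0) { Write-Warning 'No temporary certificate found.'; return }

foreach ($t in $temp) {
    # On CLIENT2, keep the temporary certificate until a longer-lived, unexpired certificate
    # with a private key exists for the same DNS name; deleting earlier breaks DirectAccess again.
    $replacement = @($certs | Where-Object {
        $_.DnsName -eq $t.DnsName -and $_.HasPrivateKey -and
        $_.Lifetime -gt $maxTempLifetime -and $_.NotAfter -gt (Get-Date)
    })
    if (-not $SkipReplacementCheck -and $replacement.Count -eq 0) {
        Write-Warning "Keeping $($t.Thumbprint): no replacement certificate enrolled yet."
        continue
    }
    # -DeleteKey removes the private key together with the certificate.
    Remove-Item -Path "Cert:\LocalMachine\My\$($t.Thumbprint)" -DeleteKey -WhatIf:(-not $Commit)
}
```

Run it once without `-Commit` to review the `-WhatIf` output, then again with `-Commit` to delete.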

In conclusion, even if you are confident about your DirectAccess infrastructure, never forget to run through a checklist on DirectAccess-enabled computers before they leave the premises. This particular problem was easy to solve, but it would have been more complicated if the Group Policy objects had not applied. That’s another challenge for a future post.

BenoîtS – Simple and Secure by Design but Business compliant

IPHTTPS troubleshooting survival guide

When you have a problem with IPHTTPS in DirectAccess, there might be hundreds of reasons, including IT guy errors. Enumerating all the errors would take too long; there are too many cases and causes. It would be easier if we had a list of all the error codes that NETSH.EXE INTERFACE HTTPSTUNNEL SHOW INTERFACE can report. This list exists, and it’s available on MSDN at this address. Bookmark it if you don’t want to spend your time on IPHTTPS troubleshooting.

There is only one error code to keep in memory: 0x80090328. It means that the IPHTTPS certificate has expired. I also call it Error 40, for 40 centimeters from the workstation of the IT admin who did not renew the certificate!

BenoîtS – Simple and Secure by Design but Business compliant.

For IPHTTPS troubleshooting sessions

When the IPHTTPS protocol used by DirectAccess does not work, there can be a multitude of reasons. Instead of listing them all, the simplest thing is to start with the list of error codes that an IPHTTPS interface can come up with to refuse to work. It exists, and it is available on MSDN at this address.

If there is one to keep in memory: 0x80090328. It indicates an expired certificate, also known as error code 40, for 40 centimeters from the operator’s admin station.

BenoîtS – Simple and Secure by Design but Business compliant.

The blog to follow in the coming months

In the Microsoft ecosystem, if there is one blog to follow in the coming months, it is the one run by the Windows 8 development team. For now there are no big revelations yet, but with the BUILD conference approaching (which seems to be generating a lot of excitement, since registration is closed), topics should come out little by little.

For now Microsoft has focused its communication on the user experience with the tablet, but behind that there is also the server version, which should be a major release.

BenoîtS – Simple and Secure by Design but Business compliant

Impact of the Patriot Act on Office 365

At first glance, the problem should not arise for European users, since Microsoft’s datacenters are located in the Netherlands and Ireland. However, an article from CloudMagazine.fr drew my attention to this subject. The Patriot Act applies to any American company, regardless of the location of the resources that the American justice system asks to access.

For the majority of companies, this point should not pose any particular problem. For the others, this does not mean they must give up on the cloud for good, but perhaps they should reorient their strategy toward the hybrid cloud.

BenoîtS – Simple and Secure by Design