It Calls


Wednesday, 29 February 2012

Troubleshooting Direct Access Teredo connectivity on Forefront UAG 2010

Posted on 11:31 by Unknown
I encountered a problem on one of my DirectAccess installations where all the clients were able to connect to DirectAccess using HTTPS only. After several investigations, and with the help of senior Microsoft engineers, we noticed that the Teredo IPv6 route was missing on the server. When the server tries to respond to Teredo requests, it uses the default route (6to4) instead of the server's Teredo adapter, due to the following route entry:

UAG cannot respond to Teredo


To fix this issue you need to manually add the Teredo route as follows:


  1. Obtain the Teredo adapter interface index (IDX) by running the following command from an elevated prompt on the UAG server: netsh int ipv6 show int
  2. Add the route manually, using the IDX obtained in the previous step, as follows:

Adding Teredo Route manually to UAG 2010 routing table







Certificate CRL and Delta CRL are not copied automatically to the HTTP Path

Posted on 10:58 by Unknown
A common problem on Active Directory Certificate Services implementations is that the CRL and Delta CRL are not copied to the HTTP path. By default, a Microsoft Enterprise CA automatically publishes the CRL only to the LDAP path defined in the CRL Distribution Point (CDP). CA administrators can define the CDP in several locations, such as LDAP and HTTP (the Inetpub folder). Because the CRL is copied only to LDAP, the copy at the HTTP location expires and the user encounters this error:

HTTP CRL location expires on a daily basis


When the system checks the revocation status of a certificate, it tries to retrieve the CRL and Delta CRL from each defined location (LDAP and HTTP). If it can get the CRL from one and only one of these locations, the revocation check still passes and the certificate functions normally, even if the CRL is not copied to the HTTP location. However, the HTTP location of the CRL and Delta CRL will show the Expired status above.

To solve this issue you have two options:



  1. Copy them manually from the CERTSRV folder to the Inetpub folder
  2. Create a batch file to copy them automatically and add this batch file to the daily scheduled tasks.

The batch file should be something like this:
REM /Y suppresses the overwrite prompt so the scheduled task does not wait for input
xcopy /Y c:\windows\system32\certsrv\CertEnroll\*.crl C:\Inetpub\
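
The daily copy can also confirm that the HTTP location really serves the current files. The following script is an added example, not part of the original post: it copies each CRL and Delta CRL, then downloads it over HTTP and compares it with the CA's copy. The target folder and the base URL are placeholders (assumptions), not values from the post.

```powershell
# Added example (not from the original post).
# $Target and $BaseUrl are assumptions: set them to the folder and URL
# that back the HTTP CDP configured on your CA.
param(
    [string]$Source  = 'C:\Windows\System32\CertSrv\CertEnroll',
    [string]$Target  = 'C:\Inetpub\CertEnroll',              # hypothetical web folder
    [string]$BaseUrl = 'http://pki.example.com/CertEnroll'   # placeholder CDP base URL
)

# Returns the SHA-256 digest of a byte array as a hex string.
function Get-Sha256Hex([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    [BitConverter]::ToString($sha.ComputeHash($Bytes))
}

$failed = 0
$client = New-Object System.Net.WebClient

foreach ($crl in Get-ChildItem -Path $Source -Filter *.crl) {
    # Step 1: publish the CA's current base or delta CRL to the web folder.
    Copy-Item -LiteralPath $crl.FullName -Destination $Target -Force

    # Step 2: fetch the file over HTTP, as a client checking revocation would,
    # and compare it with the copy the CA just wrote.
    $url = "$($BaseUrl.TrimEnd('/'))/$($crl.Name)"
    try {
        $served = $client.DownloadData($url)
        $local  = [System.IO.File]::ReadAllBytes($crl.FullName)
        if ((Get-Sha256Hex $served) -ne (Get-Sha256Hex $local)) {
            Write-Warning "Stale CRL served at $url"
            $failed++
        }
    } catch {
        # Covers HTTP errors (404, request filtering) and unreachable hosts.
        Write-Warning "Cannot retrieve $url : $($_.Exception.Message)"
        $failed++
    }
}

$client.Dispose()
# A non-zero exit code makes the failure visible in the scheduled task's last run result.
exit $failed
```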

