Forefront UAG 2010 DirectAccess Clients and Repeated OTP Prompts

In one very specific DirectAccess deployment scenario, users may be prompted repeatedly for One-Time Password (OTP) credentials. This occurs when Windows 7 clients connect to a Forefront UAG 2010 DirectAccess server that has two-factor authentication with OTP enabled, forced tunneling is required, and the client is configured to use a corporate web proxy server. The root cause involves Network Connectivity Status Indicator (NCSI) probes and the security permissions on the private key of the certificate used for OTP authentication. Resolving the issue requires creating a custom certificate template for two-factor authentication and setting key permissions for the NETWORK SERVICE account on that template. As a workaround, you can disable forced tunneling or disable the 6to4 and Teredo adapters, either of which stops the NCSI probes from occurring. For more detailed information, read Microsoft KB article 2797301.
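As an added example (not from the original post or from Microsoft's KB article), the following PowerShell audits whether NETWORK SERVICE can read the private key of a machine certificate, such as the OTP client certificate on an affected Windows 7 DirectAccess client, and optionally grants Read. It assumes the certificate lives in LocalMachine\My, that its key is a CSP (RSA) key stored under MachineKeys, and that the thumbprint you pass in is a placeholder; the supported fix is still to reissue from a template that sets this permission.

```powershell
# Added example: check (and optionally grant) NETWORK SERVICE Read access on a
# machine certificate's private key. $Thumbprint is a placeholder you supply.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [switch]$Grant   # add a Read ACE if it is missing; otherwise report only
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

# Assumption: CSP (RSA) key. Its on-disk container is under MachineKeys.
# CNG keys expose no CspKeyContainerInfo and are stored elsewhere, so this
# check does not cover them.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyPath)) { throw "Key container not found: $keyPath" }

# Well-known SID for NETWORK SERVICE, so the check works on non-English systems.
$netSvc = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-20')
$read   = [System.Security.AccessControl.FileSystemRights]::Read

$acl = Get-Acl -Path $keyPath
$hasRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $netSvc) -and
    (($_.FileSystemRights -band $read) -eq $read)
}

if ($hasRead) {
    Write-Output "OK: NETWORK SERVICE has Read on the private key of $Thumbprint."
} elseif ($Grant) {
    # Least privilege: Read is enough to use the key; do not grant FullControl.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $netSvc, $read, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Output "Granted Read on $keyPath to NETWORK SERVICE."
} else {
    Write-Output "MISSING: NETWORK SERVICE cannot read the private key of $Thumbprint. Re-run with -Grant, or reissue the certificate from a template that sets this permission."
}
```

Run it from an elevated PowerShell session on the client; reissuing from a corrected template remains the durable fix, since a newly enrolled certificate gets a fresh key container with whatever ACL the template specifies.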


3 Comments

  1. Jesper Jensen / June 13, 2013

    Hi Richard, great blog!

    Do you know if it’s possible to use Authenticator apps like Microsoft’s own for Windows Phone (http://www.windowsphone.com/en-US/store/app/authenticator/e7994dbc-2336-4950-91ba-ca22d653759b) to authenticate with DA? I can’t seem to find anything on this anywhere.

    /Jesper

    • Not to my knowledge, no. You can make use of Smartcards and dynamic passwords (OTP), but as far as I understand that’s about it. That might change in the future, however. In fact, I expect that PhoneFactor will be supported at some point in the future, and I can’t see a reason why Authenticator wouldn’t be as well.

      • Jesper Jensen / June 14, 2013

        That’s a shame. Thanks for the quick answer! 🙂

        /Jesper
