Forefront UAG 2010 DirectAccess Clients and Repeated OTP Prompts

In one very specific DirectAccess deployment scenario, users may be prompted repeatedly for One-Time Password (OTP) credentials. This occurs when Windows 7 clients connect to a Forefront UAG 2010 DirectAccess server that has two-factor authentication with OTP enabled, forced tunneling required, and the client configured to use a corporate web proxy server. The root cause involves Network Connectivity Status Indicator (NCSI) probes and the security permissions on the private key of the certificate used for OTP authentication. Resolving the issue requires creating a custom certificate template for two-factor authentication and setting key permissions for the NETWORK SERVICE account on that template, so that certificates issued from it carry the right private-key permissions. As a workaround, you can disable forced tunneling or disable the 6to4 and Teredo adapters on the client; either stops the NCSI probes from occurring. For more detailed information, read Microsoft KB article 2797301.
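The following PowerShell script is an added example and is not code from the original post or from KB 2797301. It checks, on a Windows 7 DirectAccess client, whether the NETWORK SERVICE account can read the private key of the certificate issued from the OTP template, optionally adds a Read ACE where it is missing (the same permission the template fix grants to newly enrolled keys), and optionally applies the post's workaround of disabling the 6to4 and Teredo adapters with netsh. The template name `DAOTPAuth` is a placeholder, and the script assumes the OTP certificate uses an RSA key held by a legacy CSP, which is what places the key file under `%ProgramData%` or `%APPDATA%\Microsoft\Crypto\RSA`; CNG keys are not handled.

```powershell
<#
  Added example, not part of the original post or of KB 2797301.
  Checks whether NETWORK SERVICE can read the private key of the certificate issued
  from the OTP template on a Windows 7 DirectAccess client, optionally grants it Read,
  and optionally applies the NCSI workaround (disable 6to4 and Teredo).
  Run from an elevated PowerShell prompt.

  ASSUMPTIONS (placeholders, not values from the post):
    - the custom OTP template is named 'DAOTPAuth'; pass -TemplateName to override
    - the OTP certificate uses an RSA key in a legacy CSP, so the key file lives under
      %ProgramData%\Microsoft\Crypto\RSA\MachineKeys or %APPDATA%\Microsoft\Crypto\RSA\<SID>
#>
param(
    [string]$TemplateName = 'DAOTPAuth',
    [switch]$Fix,          # add a Read ACE for NETWORK SERVICE where it is missing
    [switch]$Workaround    # disable the 6to4 and Teredo adapters instead of touching key ACLs
)

$NetworkService = 'NT AUTHORITY\NETWORK SERVICE'

# Returns the template name/OID string carried in the certificate's template extension
# (v1 templates use OID 1.3.6.1.4.1.311.20.2, v2+ templates use 1.3.6.1.4.1.311.21.7).
function Get-CertTemplate([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -or $ext.Oid.Value -eq '1.3.6.1.4.1.311.21.7') {
            return $ext.Format($false)
        }
    }
    return $null
}

# Resolves the on-disk key container file for a CSP-backed RSA private key.
function Get-PrivateKeyFile([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    if (-not $Cert.HasPrivateKey) { return $null }
    try   { $rsa = $Cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider] }
    catch { return $null }                  # the key is not accessible from this context
    if ($rsa -eq $null) { return $null }    # CNG/KSP keys are stored elsewhere; not handled here
    $info = $rsa.CspKeyContainerInfo
    if ($info.MachineKeyStore) {
        $dir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    } else {
        $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        $dir = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"
    }
    $path = Join-Path $dir $info.UniqueKeyContainerName
    if (Test-Path $path) { return $path }
    return $null
}

# True when an Allow ACE for NETWORK SERVICE includes the full Read (FILE_GENERIC_READ) right.
function Test-NetworkServiceRead([string]$Path) {
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -eq $NetworkService -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $read) -eq $read)) {
            return $true
        }
    }
    return $false
}

if ($Workaround) {
    # The post's workaround: with these adapters disabled the NCSI probes no longer occur.
    netsh interface 6to4 set state state=disabled
    netsh interface teredo set state disabled
    return
}

# Look in both personal stores. The OTP logon certificate is short-lived,
# so run this while a DirectAccess session is active.
$certs = @(Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My) |
    Where-Object { (Get-CertTemplate $_) -like "*$TemplateName*" }

if (@($certs).Count -eq 0) { Write-Warning "No certificate from template '$TemplateName' found."; return }

foreach ($cert in $certs) {
    $keyFile = Get-PrivateKeyFile $cert
    if ($keyFile -eq $null) { Write-Warning "$($cert.Thumbprint): private key file not located"; continue }
    if (Test-NetworkServiceRead $keyFile) {
        Write-Host "$($cert.Thumbprint): NETWORK SERVICE already has Read on $keyFile"
    } elseif ($Fix) {
        $acl  = Get-Acl -Path $keyFile
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($NetworkService, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyFile -AclObject $acl
        Write-Host "$($cert.Thumbprint): granted NETWORK SERVICE Read on $keyFile"
    } else {
        Write-Warning "$($cert.Thumbprint): NETWORK SERVICE lacks Read on $keyFile (rerun with -Fix)"
    }
}
```

Run it without switches first to see whether the issued OTP certificate's key is readable by NETWORK SERVICE; a warning on an otherwise healthy client is the symptom the post describes. Patching the ACE with `-Fix` only helps the certificate currently on the client, since the OTP certificate is re-issued frequently; the durable fix remains the key permissions on the custom template, so that every certificate the CA issues from it already has them.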

  1. Jesper Jensen / June 13, 2013

    Hi Richard, great blog!

    Do you know if it’s possible to use Authenticator apps like Microsoft’s own for Windows Phone to authenticate with DA? I can’t seem to find anything on this anywhere.

    • Not to my knowledge, no. You can make use of Smartcards and dynamic passwords (OTP), but as far as I understand that’s about it. That might change in the future, however. In fact, I expect that PhoneFactor will be supported at some point in the future, and I can’t see a reason why Authenticator wouldn’t be as well.

      • Jesper Jensen / June 14, 2013

        That’s a shame. Thanks for the quick answer! 🙂

