Troubleshooting DirectAccess IP-HTTPS Error Code 0x800b0109

A Windows 7 or Windows 8.x/10 client may fail to establish a DirectAccess connection using the IP-HTTPS IPv6transition technology. When troubleshooting this issue, running ipconfig.exe show that the media state for the tunnel adapter iphttpsinterface is Media disconnected.

Troubleshooting DirectAccess IP-HTTPS Error 0x80090326

Running the Get-NetIPHttpsState PowerShell command on Windows 8.x/10 clients or the netsh interface httpstunnel show interface command on Windows 7 clients returns an error code of 0x800b0109 with an interface status Failed to connect to the IPHTTPS server; waiting to reconnect.

Troubleshooting DirectAccess IP-HTTPS Error 0x80090326

Error code 0x800b0109 translates to CERT_E_UNTRUSTEDROOT, indicating the client was unable to establish an IP-HTTPS connection because the certificate presented during the SSL handshake was issued by a certification authority that was not trusted. This commonly occurs when the DirectAccess server is configured with an SSL certificate issued by the internal PKI and DirectAccess clients are provisioned using offline domain join without using the /rootcacerts switch. This can also happen if DirectAccess is configured to use a self-signed certificate for IP-HTTPS, and the certificate is either renewed or DirectAccess is uninstalled and reinstalled.

Troubleshooting DirectAccess IP-HTTPS Error 0x800b0109

To resolve IP-HTTPS error code 0x800b0109, obtain the root certificate for the certificate authority that issued the SSL certificate used for IP-HTTPS and import it in to the DirectAccess client’s Trusted Root Certification Authorities local computer certificate store. Once complete, restart the IP helper service to reinitiate an IP-HTTPS connection.

Additional Information

Provisioning DirectAccess Clients using Windows Offline Domain Join

Troubleshooting DirectAccess IP-HTTPS Error Code 0x90320

Troubleshooting DirectAccess IP-HTTPS Error 0x2af9

DirectAccess Expired IP-HTTPS Certificate and Error 0x800b0101

SSL Certificate Considerations for DirectAccess IP-HTTPS

Implementing DirectAccess with Windows Server 2016

Leave a comment


  1. Shaun

     /  May 3, 2018

    Hi Richard,

    Got a question regarding DA and changing the root certificate for IPSEC communication. We were using SHA1 certificates and we are in the process of upgrading our internal CA root cert to SHA256. When we change the Root CA cert on DA all our clients disconnect and the IPSEC tunnel fails to come back up.

    Is there a way of doing this swap over without having the laptops come into the office?

    Great book by the way.

    • Typically updating an existing root certificate from SHA1 to SHA2 won’t cause any disruption for connected DirectAccess clients. If you implement a new root CA however, then that is impactful. Reach out to me directly so I can get more details regarding your deployment.

  1. DirectAccess Get-NetIPHttpsState Fails on Windows 10 1803 | Richard M. Hicks Consulting, Inc.

Leave a Reply

%d bloggers like this: