Renew DirectAccess Self-Signed Certificates

Important! Updated April 29, 2020 to resolve an issue where the DirectAccess RADIUS encryption certificate was not published to the DirectAccess Server Settings GPO in Active Directory.

When DirectAccess is deployed using the Getting Started Wizard (GSW), sometimes referred to as the “simplified deployment” method, self-signed certificates are created during installation and used for the IP-HTTPS IPv6 transition technology, the Network Location Server (NLS), and RADIUS secret encryption. Administrators may also choose to use self-signed certificates for IP-HTTPS, or when co-locating the NLS on the DirectAccess server. The RADIUS encryption certificate is always self-signed.


Certificate Expiration

These self-signed certificates expire 5 years after they are created, so many DirectAccess administrators who used this deployment option will need to renew them at some point. Unfortunately, Microsoft has published no guidance on how to do this. However, the process is simple enough using PowerShell and the New-SelfSignedCertificate cmdlet.

PowerShell Script on GitHub

The PowerShell script to renew DirectAccess self-signed certificates has been published on GitHub. You can download Renew-DaSelfSignedCertificates.ps1 here: https://github.com/richardhicks/directaccess/blob/master/Renew-DaSelfSignedCertificates.ps1.

Important Considerations

When the IP-HTTPS certificate is renewed using this script, DirectAccess clients outside the corporate network will be immediately disconnected and will be unable to reconnect until they update group policy. That requires connecting to the internal network, either locally or remotely using another VPN solution. The NLS and RADIUS encryption certificates can be updated without impacting remote users.

In addition, internal clients that are not online when this change is made will be unable to access internal resources by name until they update group policy. If this happens, delete the Name Resolution Policy Table (NRPT) on the client using the following PowerShell command and reboot to restore connectivity.

# Deletes the NRPT policy key delivered by the DirectAccess client settings GPO; it is recreated at the next group policy refresh
Get-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig" | Remove-Item -Confirm:$false
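An added example (not the article's Renew-DaSelfSignedCertificates.ps1 script) that audits which self-signed DirectAccess certificates in the machine store are close to expiry and clones one with a new five-year lifetime, first checking whether this server's New-SelfSignedCertificate supports the -NotAfter and -FriendlyName parameters (the Windows Server 2012 R2 issue raised in the comments). It assumes the certificates carry "DirectAccess" in their subject or friendly name; the function names are hypothetical.

```powershell
# Added example; not the article's Renew-DaSelfSignedCertificates.ps1 script.
# Audits the DirectAccess self-signed certificates in the machine store, flags
# those near expiry and clones one of them with a new five-year lifetime.
# Run in an elevated PowerShell session on the DirectAccess server.
# Assumption: the certificates carry "DirectAccess" in Subject or FriendlyName,
# as the RADIUS one does (DirectAccess-RADIUS-Encrypt-<server FQDN>).

function Get-DaSelfSignedCertificate {
    # A self-signed certificate is its own issuer (Subject equals Issuer).
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Subject -eq $_.Issuer -and
        ($_.Subject -like '*DirectAccess*' -or $_.FriendlyName -like '*DirectAccess*')
    }
}

function Show-DaCertificateExpiry {
    param([int]$WarnDays = 90)
    foreach ($cert in Get-DaSelfSignedCertificate) {
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            FriendlyName = $cert.FriendlyName
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            DaysLeft     = $daysLeft
            Action       = if ($daysLeft -le $WarnDays) { 'RENEW' } else { 'OK' }
        }
    }
}

function Renew-DaSelfSignedCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint, [int]$Years = 5)
    $old = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $params = @{
        CloneCert         = $old   # copies Subject, SANs, key usage and EKUs
        CertStoreLocation = 'Cert:\LocalMachine\My'
    }
    # -NotAfter and -FriendlyName exist only on Windows Server 2016 and later;
    # Windows Server 2012 R2 rejects them (the "-FriendlyName" error in the
    # comments) and defaults the clone to a one-year lifetime.
    $supported = (Get-Command New-SelfSignedCertificate).Parameters.Keys
    if ($supported -contains 'NotAfter')     { $params.NotAfter = (Get-Date).AddYears($Years) }
    if ($supported -contains 'FriendlyName') { $params.FriendlyName = $old.FriendlyName }
    $new = New-SelfSignedCertificate @params
    if ($supported -notcontains 'FriendlyName') { $new.FriendlyName = $old.FriendlyName }
    # The old certificate stays in the store; DirectAccess keeps using it until the
    # configuration (and so the settings GPOs) is pointed at the new thumbprint.
    [pscustomobject]@{
        OldThumbprint = $old.Thumbprint
        NewThumbprint = $new.Thumbprint
        NotAfter      = $new.NotAfter
    }
}

Show-DaCertificateExpiry | Format-Table -AutoSize
```

Pointing the DirectAccess configuration (and therefore the client and server settings GPOs) at the new thumbprint is the step the article's script performs; this example stops at the certificate store.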

Additional Information

PowerShell Recommended Reading for DirectAccess Administrators

Top 5 DirectAccess Troubleshooting PowerShell Commands

56 Comments

  1. jonbd

     July 1, 2019

    Thanks for this post, the certs on my inherited 2012 R2 DA server have expired, so this is very helpful! I’m getting the following error trying to run it though: “A parameter cannot be found that matches parameter name ‘-FriendlyName’”. Any ideas why that might be?

    • Unusual. Sometimes odd errors can come up if you copied/pasted the code right from the article. If you haven’t already done so, I recommend downloading the script from my GitHub repository here: https://github.com/richardhicks/directaccess/blob/master/Renew-DaSelfSignedCertificates.ps1. Let me know if that helps!

      • jonbd

         July 1, 2019

        I’ve read that Server 2012 R2 doesn’t have as many parameters as 2016, one of them being -FriendlyName, so I’ve given up on that for now. Instead I’ve created a new certificate from my CA server, but for some reason when I run through the wizard to add it, when I click on finish, it gives me an error “DNS name does not exist” and when I check DNS, the A record for it has been deleted. It deletes it every time I add it and run finish to apply the settings. Any idea what could be causing this?

      • Ok, that makes sense. I may have only tested on Windows Server 2016 so that might explain the failure. I will definitely go back and test again to see what can be done for Windows Server 2012 R2. No idea why DirectAccess would be deleting your DNS record. Does this happen even if you’ve added the record manually as a static entry?

      • jonbd

         July 1, 2019

        Yes, I add the NLS entry as a static A record and it deletes it every time for some reason!

      • Wow, that is definitely unusual! It will certainly happen if you *remove* DirectAccess, but it should not happen when you are simply updating the certificate. You might want to try adjusting the security ACL on the DNS record to prevent the DirectAccess server from removing it. Not ideal, but hopefully it works. 🙂

      • jonbd

         July 2, 2019

        It’s almost like the DA server is clearing out the DNS record for the self-signed cert, but then can’t see the DNS entry for the new one as it’s the same record it’s just deleted. In the end I set up a new VM with IIS as the NLS and pointed it to that. I’m up and running again now!

      • Having the NLS on a separate server is a good idea anyway. 🙂

  2. Stefan

     July 9, 2019

    Hi Richard,
    thank you for this post!
    As our self-signed DA certs will expire at the end of the month, I searched the web for renewal and found your site and script.

    But I’m not able to run it; it breaks at character 166 with
    unexpected token: $newcert

    Any idea on this?

    Unerwartetes Token “$newcert” in Ausdruck oder Anweisung.
    + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

    best regards
    Stefan

  3. NIck

     October 14, 2019

    So, my certificate for my NLS expired. Am I reading correctly that I will orphan my remote computers by updating the certificate?

    • No, an expired NLS certificate will have no effect on DirectAccess clients in the field. However, if you renew the IP-HTTPS certificate using the guidance in this post, you will indeed orphan DirectAccess clients until they can update group policy.

  4. Petr

     November 13, 2019

    We use a public certificate in our DA configuration. But in the certificate store there is a self-signed certificate, DirectAccess-RADIUS-Encrypt-servername.domain.se, which will expire soon. Do we need to issue a new certificate? I read an article saying that it is used only for OTP and that if OTP is not in use we don’t need to renew this certificate. Is this true? Thank you

  5. Roberto

     December 17, 2019

    Will this have any impact on the Domain Controller(s)? When DA was deployed, Group Policy Objects (Direct Access Server & Direct Access Client) were also created, referring among other things to the expiring certificates. So my question is: will this impact the DA server itself, or will something happen on the DCs also (DNS? Group Policy for the server and client itself?). Thank you.

    • When you run this script it will renew the DirectAccess self-signed certificates and then update the configuration to reflect those changes. When this happens, the DirectAccess client and server settings GPOs are updated with the new certificate information. So, there’s no change to the DC itself, but the DirectAccess client and server settings GPOs will be updated. 🙂

      • Roberto

         December 18, 2019

        Great to hear this. Thanks a lot for your prompt reply and for your excellent work!

      • Yifeng

         April 16, 2020

        Thank you so much for sharing this script, Richard.
        I have a question about DirectAccess in GPOs. I have tried to use the New-SelfSignedCertificate cmdlet to clone the existing self-signed certificate. However, the old certificate stays in Cert:\LocalMachine\My with the new one. And, when I check the DirectAccess Server Settings group policy, under Software\Policies\Microsoft\Windows\RemoteAccess\Config\MachineSIDs\S-1-5-21-aaaaaaaa-bbbbbbbbb-oooooooooo-xxxxx\ServerCertForRadius, it still shows the old certificate in that GPO (the expiration date does not change). Do I need to delete the old one or do something in the GPO so that the new certificate is applied to that GPO?
        I would appreciate it if you could let me know, thanks again.

      • I will have to look into this. It’s only ever used when OTP authentication is configured, which is not common. I may have to modify the script to update this information in the DirectAccess server settings GPO. If you aren’t using OTP you can disregard this certificate.

      • Yifeng

         April 20, 2020

        Thanks a lot, Richard. I think we are not using OTP. But we do have a connection problem after renewing those three certificates. I would appreciate it if you could let me know if you found anything that can help.
        Regards

      • What kind of connectivity issue are you having? After updating the certificates did you update group policy settings on the client before trying to connect?

      • Yifeng

         April 23, 2020

        From users’ computers, DirectAccess just keeps showing “Connecting” but cannot succeed. I renewed all three certificates on our DirectAccess server, but cannot find a way to update the group policy certificate (Software\Policies\Microsoft\Windows\RemoteAccess\Config\MachineSIDs\S-1-5-21-aaaaaaaa-bbbbbbbbb-oooooooooo-xxxxx\ServerCertForRadius). Our DA server is a Windows 2012 R2 Core server (CLI) and I cannot use the DirectAccess management console to change the setting. And also, due to shelter in place, it seems all users are working from home now and cannot get updates from group policy, which caused this issue (this is my guess).
        We let users use the router VPN for now. I would appreciate it if you could guide me on how to update the DirectAccess certificate (DirectAccess-RADIUS-Encrypt-) in group policy, thank you very much.

      • Unless you have configured DirectAccess with OTP authentication, updating the DirectAccess-RADIUS-Encrypt certificate won’t impact your users at all. However, if you update the IP-HTTPS self-signed certificate then yes, users will have to update group policy to be able to connect. The best solution in this case is not to use self-signed certificates at all, as they should typically be avoided. A better choice is to use an SSL certificate from a public certification authority. If you do this your clients should be able to connect without having to update group policy.

      • Yifeng

         April 24, 2020

        Understood, thanks a lot for your help. I am not sure whether we are using OTP, but I think we don’t. Just wondering whether the certificate in group policy will be auto-updated or not after cloning the certificate on the DA server (for me, it does not change).

      • If you aren’t sure you are using OTP authentication then you most likely are not. 😉 Don’t worry about the RADIUS encryption certificate if that’s the case. Today the script only renews the certificate and doesn’t update the group policy with this new information. That’s an oversight on my part and I’m working to address that as we speak. I hope to get the script updated soon. 🙂

      • Yifeng

         April 27, 2020

        Thank you so much for the reply. Looking forward to getting the updated script. 🙂

      • I’ve updated the script now to properly publish the certificate to the DirectAccess Server Settings GPO. Updated script can be found here: https://github.com/richardhicks/directaccess/blob/master/Renew-DaSelfSignedCertificates.ps1.

        Enjoy!

    • Yifeng

       April 30, 2020

      Thank you for updating. It seems it should work, but I got an error message “You do not have permissions to access GPO domian\{823AAA7F-xxxx-aaaa-bbbb-cccccccccccc}”. I probably need to do some research about the permissions, because I have found that I cannot run Set-RemoteAccess on my DirectAccess server. It is not something wrong with your script; it happened before. Before, I was using Invoke-Command to do “Get-ChildItem -Path Cert:\LocalMachine\My\” and Set-RemoteAccess works on my computer. I have not figured out why yet. If you have any thoughts, please kindly share them with me, thanks.

      • Unusual. Wherever you run the script from you must have full control over the GPO. It probably goes without saying that you also have to run the script in an elevated PowerShell command window too. 🙂

      • Yifeng

         April 30, 2020

        Yes, I understand that. I run the PowerShell console as an administrator and I even gave myself domain admin rights, but I still have that problem. From the DirectAccess server, I just cannot do anything, but from my desktop, it works fine. It is kind of weird to me.

      • Very strange. If you have permission to the GPO you should be able to access it from any machine I would think. :/

      • Yifeng

         April 30, 2020

        Yes, that is very strange. No matter whether I use Enter-PSSession or log in to the DirectAccess server directly, I just can’t use any Remote Access cmdlet. But if I run the command on my computer then it works. So I think I will have to modify your script. I appreciate you providing this updated script so I can see how to update the GPO certificate, thanks again. ^__^

      • You would not be able to run this command using Enter-PsSession because the credentials aren’t delegated when you do that. You would have to be logged on to the server to run the script.

      • Yifeng

         May 1, 2020

        I have tried both ways; even logging in to that server I still get an access denied error. I can only use the Set-RemoteAccess command via Invoke-Command on my computer. No idea why that happens. :~~~

      • Something very strange going on there for sure!

  6. Patrick

     February 20, 2020

    I know, DirectAccess is old stuff, but we are still using it in combination with OTP (RSA SecurID) and now that our Windows 10 clients are being updated to 1909, we are having massive problems with opening the user tunnel. In about a third of authentication attempts via OTP (after logon to Windows and then entering the OTP code), the logon attempt fails with error 0x80040004 and the users have to reboot their notebook and try again. RADIUS server tells the DirectAccess server that authentication was OK, still the user tunnel fails. Anyone else having these issues?

    • DirectAccess is old, but it should still work! I haven’t heard of anyone else having OTP authentication issues with DirectAccess lately. Perhaps others might though.

  7. Seth Allums

     March 13, 2020

    Hi Richard,

    Our 3 DA certificates are about to expire in a month. We have about 150 laptops out in the field. We do not use Windows 7, nor do we have DA configured to use OTP. We also have a wildcard domain certificate from a public CA (GoDaddy).

    We want to be able to NOT have to have our users bring their laptops into corporate to have policy updated, and would like to have a seamless transition.

    Given the specifics stated above, is it possible to install the wildcard certificate and key in the DA server’s certificate store, and then in the DA settings choose it for the IP-HTTPS certificate and have a seamless transition (aside from a possible bump of any services needing to be restarted)?

    And if that is true, can we then renew the other 2 (NLS, RADIUS-Encrypt) self-signed certs using the script without having to have the laptops brought back?

    • If you are using a public SSL certificate for IP-HTTPS, you can update that without impact to users. You simply import the new certificate on the DirectAccess server and update the configuration. Clients might be momentarily disconnected, but they’ll reconnect automatically. And yes, updating the NLS and RADIUS-Encrypt certificates using this script should not impact external users.

  8. Andrew Soper

     April 24, 2020

    Hi Richard – both our NLS and RADIUS internally signed certs are expired and I have all the users working from home in the current world. Can they be renewed without impact, as we are struggling with the few people we have in the office? Server 2012 R2; the IP-HTTPS cert is an external one. Thank you

    • You can renew the self-signed NLS certificate without impact to users. You can renew the RADIUS certificate without impact to users as long as you aren’t using OTP authentication. Renewing the IP-HTTPS self-signed certificate will impact users though. The best solution is not to renew it, but to replace it with a public SSL certificate. You can do that without impact to remote users.

      • Andrew

         April 27, 2020

        Huge thank you for the reply – reassuring to hear. We will plan that and report back. Best, Andrew

  9. Morten Hansen

     April 27, 2020

    Hi, what happens to users who use OTP when the RADIUS certificate is renewed?

    • I expect they will fail. I’m not certain though because I’ve never tested with OTP authentication. Configuring DirectAccess for OTP authentication is quite rare though, so unless you’ve specifically enabled this functionality you’d have nothing to worry about.

  10. Kevin Spick

     May 6, 2020

    Hi, our IP-HTTPS certificates are due to expire in a month and are not self-signed but are issued by our internal PKI ICA. Does this mean that we will not require users to update GPO, as with public-assigned keys? Due to the circumstances, we have no offices open at present and want to avoid that debacle.

    • As long as the certificate is issued by a CA that your clients trust (public or private) they won’t be impacted. You can update the certificate without disrupting external users.

      • Kevin Spick

         May 6, 2020

        Thanks Richard, appreciate the quick response, I can get the CR signed off now 🙂

  11. mtnhansen2014

     May 11, 2020

    Just want to thank you for a very good script. Have just run it and updated the NLS for a new 5 years. Thank you!
