Renew DirectAccess Self-Signed Certificates

Updated December 9, 2023: I’ve recently updated this PowerShell script to work more reliably in configurations other than the Getting Started Wizard. If you’ve had trouble running this script in the past, download the latest version. It should work better! I’ve also published the script in the PowerShell Gallery. You can install it by running "Install-Script Renew-DaSelfSignedCertificates". Enjoy!

When DirectAccess is deployed using the Getting Started Wizard (GSW), sometimes referred to as the “simplified deployment” method, self-signed certificates are created during the installation and used for the IP-HTTPS IPv6 transition technology, the Network Location Server (NLS), and for RADIUS secret encryption. Administrators may also selectively choose to use self-signed certificates for IP-HTTPS, or when collocating the NLS on the DirectAccess server. The RADIUS encryption certificate is always self-signed.


Certificate Expiration

These self-signed certificates expire 5 years after they are created, which means many DirectAccess administrators who have used this deployment option will need to renew these certificates at some point in the future. Unfortunately, there’s no published guidance from Microsoft on how to accomplish this. However, the process is simple enough using PowerShell and the New-SelfSignedCertificate cmdlet.
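As an added illustration of the New-SelfSignedCertificate approach (this is example code, not the post's Renew-DaSelfSignedCertificates.ps1 script), the following script inventories the self-signed DirectAccess certificates in the machine store, reports days to expiry, and optionally clones the NLS certificate with a fresh five-year validity and rebinds it. It assumes the Getting Started Wizard friendly-name prefix "DirectAccess-" (with "DirectAccess-NLS-" for the NLS certificate), that the NLS is collocated on the DirectAccess server so Set-DANetworkLocationServer -NlsOnDAServer applies, and Windows Server 2016 or later, since the -FriendlyName and -NotAfter parameters are not available on Windows Server 2012 R2. It deliberately renews only the NLS certificate, because renewing the IP-HTTPS self-signed certificate disconnects remote clients until they refresh group policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's Renew-DaSelfSignedCertificates.ps1). Inventories the
# DirectAccess self-signed certificates in the machine store, reports days to expiry,
# and optionally clones the NLS certificate with a fresh 5-year validity.
# Assumptions: Getting Started Wizard friendly names starting "DirectAccess-"
# ("DirectAccess-NLS-*" for the NLS), NLS collocated on the DA server, and
# Windows Server 2016 or later (-FriendlyName/-NotAfter are absent on 2012 R2).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$WarnDays = 90,   # flag certificates that expire within this many days
    [switch]$RenewNls      # clone and rebind the NLS certificate (no impact on remote clients)
)

# Self-signed means subject and issuer are identical.
$daCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.FriendlyName -like 'DirectAccess-*' })

if ($daCerts.Count -eq 0) {
    Write-Warning 'No DirectAccess self-signed certificates found in Cert:\LocalMachine\My.'
    return
}

# Expiry report, soonest first.
$report = foreach ($cert in $daCerts) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'EXPIRING' } else { 'OK' }
    [pscustomobject]@{
        FriendlyName = $cert.FriendlyName
        NotAfter     = $cert.NotAfter
        DaysLeft     = $daysLeft
        Thumbprint   = $cert.Thumbprint
        Status       = $status
    }
}
$report | Sort-Object DaysLeft | Format-Table -AutoSize

if (-not $RenewNls) { return }

# Only the NLS certificate is renewed here: renewing the IP-HTTPS self-signed
# certificate disconnects remote clients until they refresh group policy.
$nls = $daCerts | Where-Object { $_.FriendlyName -like 'DirectAccess-NLS-*' } | Select-Object -First 1
if (-not $nls) { throw 'No self-signed NLS certificate found; nothing to renew.' }

if ($PSCmdlet.ShouldProcess($nls.Subject, 'Clone NLS certificate with new 5-year validity and rebind it')) {
    # -CloneCert copies subject, SANs and key usage; only the key and validity are new.
    $new = New-SelfSignedCertificate -CloneCert $nls `
        -CertStoreLocation Cert:\LocalMachine\My `
        -FriendlyName $nls.FriendlyName `
        -NotAfter (Get-Date).AddYears(5)

    # Rebind the collocated NLS to the new certificate (assumed topology);
    # this updates the DirectAccess server settings GPO.
    Set-DANetworkLocationServer -NlsOnDAServer -Certificate $new

    Write-Host "NLS certificate renewed. Old thumbprint: $($nls.Thumbprint)"
    Write-Host "                         New thumbprint: $($new.Thumbprint)"
    Write-Host 'Verify with Get-DANetworkLocationServer; remove the old certificate once clients are healthy.'
}
```

Run it once without -RenewNls to get the expiry report, then with -RenewNls -WhatIf to see what would change, and finally with -RenewNls in an elevated console on the DirectAccess server itself (as the comments below note, Remote Access cmdlets run through Enter-PSSession fail because credentials are not delegated).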

PowerShell Script on GitHub

The PowerShell script to renew DirectAccess self-signed certificates has been published on GitHub. You can download Renew-DaSelfSignedCertificates.ps1 here: https://github.com/richardhicks/directaccess/blob/master/Renew-DaSelfSignedCertificates.ps1.

Important Considerations

When the IP-HTTPS certificate is renewed using this script, DirectAccess clients outside the corporate network will be immediately disconnected and will be unable to reconnect until they update group policy. This requires connecting to the internal network locally, or remotely using another VPN solution. The NLS and RADIUS encryption certificates can be updated without impacting remote users.

In addition, internal clients that are not online when this change is made will be unable to access internal resources by name until they update group policy. If this happens, delete the Name Resolution Policy Table (NRPT) on the client using the following PowerShell command and reboot to restore connectivity.

Get-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig" | Remove-Item -Confirm:$false
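A more cautious version of that NRPT reset, added here as an example and not taken from the post: it lists the NRPT rules currently in effect, exports the policy key to a backup .reg file before touching it, and removes the key only if it exists. The backup location under $env:TEMP is an assumption; -Recurse is used because each NRPT rule is a subkey of DnsPolicyConfig.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post: back up and then remove the
# group-policy-delivered NRPT on a DirectAccess client that can no longer
# resolve internal names. Reboot afterwards so the DNS client rebuilds its
# policy table from a fresh group policy refresh.

$nrptKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
$nrptKeyNative = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'   # reg.exe form
$backupFile    = Join-Path $env:TEMP ('DnsPolicyConfig-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))  # assumed location

# Show the rules currently in effect; DirectAccess publishes the corporate
# suffix rules here, pointing at the DA DNS64 address.
Write-Host 'Effective NRPT rules before the change:'
Get-DnsClientNrptPolicy -Effective |
    Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled |
    Format-Table -AutoSize

if (-not (Test-Path -Path $nrptKey)) {
    Write-Host 'No policy-delivered NRPT key present; nothing to remove.'
    return
}

# Export the key first so the change can be reversed with "reg import".
reg.exe export $nrptKeyNative $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $nrptKeyNative failed; aborting without changes." }
Write-Host "NRPT key backed up to $backupFile"

# Remove the key and its per-rule subkeys (-Recurse avoids the "has children" prompt).
Get-Item -Path $nrptKey | Remove-Item -Recurse -Confirm:$false

Write-Host 'NRPT removed. Reboot the client; group policy will rebuild the table on the next refresh.'
```

If name resolution is still broken after the reboot, the client has not yet received the updated DirectAccess client settings GPO, which is exactly the condition the paragraph above describes.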

Additional Information

PowerShell Recommended Reading for DirectAccess Administrators

Top 5 DirectAccess Troubleshooting PowerShell Commands


72 Comments

  1. jonbd

     /  July 1, 2019

    Thanks for this post, the certs on my inherited 2012 R2 DA server have expired so this is very helpful! I’m getting the following error trying to run it though: “A parameter cannot be found that matches parameter name ‘-FriendlyName’”. Any ideas why that might be?

    • Unusual. Sometimes odd errors can come up if you copied/pasted the code right from the article. If you haven’t already done so, I recommended downloading the script from my GitHub repository here: https://github.com/richardhicks/directaccess/blob/master/Renew-DaSelfSignedCertificates.ps1. Let me know if that helps!

      • jonbd

         /  July 1, 2019

        I’ve read that Server 2012 R2 doesn’t have as many parameters as 2016, one of them being -FriendlyName, so I’ve given up on that for now. Instead I’ve created a new certificate from my CA server, but for some reason when I run through the wizard to add it, when I click Finish, it gives me an error “DNS name does not exist” and when I check DNS, the A record for it has been deleted. It deletes it every time I add it and click Finish to apply the settings. Any idea what could be causing this?

      • Ok, that makes sense. I may have only tested on Windows Server 2016 so that might explain the failure. I will definitely go back and test again to see what can be done for Windows Server 2012 R2. No idea why DirectAccess would be deleting your DNS record. Does this happen even if you’ve added the record manually as a static entry?

      • jonbd

         /  July 1, 2019

        Yes I add the NLS entry as a static A record and it deletes it every time for some reason!

      • Wow, that is definitely unusual! It will certainly happen if you *remove* DirectAccess, but it should not happen when you are simply updating the certificate. You might want to try adjusting the security ACL on the DNS record to prevent the DirectAccess server from removing it. Not ideal, but hopefully it works. 🙂

      • jonbd

         /  July 2, 2019

        It’s almost like the DA server is clearing out the DNS record for the self signed cert, but then can’t see the DNS entry for the new one as it’s the same record it’s just deleted. In the end I set up a new VM with IIS as the NLS and pointed it to that. I’m up and running again now!

      • Having the NLS on a separate server is a good idea anyway. 🙂

  2. Stefan

     /  July 9, 2019

    Hi Richard,
    Thank you for this post!
    As our self-signed DA certs will expire at the end of the month, I searched the web for renewal and found your site and script.

    But I’m not able to run it; it breaks at character 166 with
    unexpected token: $newcert

    Any idea on this?

    Unerwartetes Token “$newcert” in Ausdruck oder Anweisung.
    + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

    best regards
    Stefan

  3. Nick

     /  October 14, 2019

    So, my certificate expired for my NLS. Am I reading correctly that I will orphan my remote computers by updating the certificate?

    • No, an expired NLS certificate will have no effect on DirectAccess clients in the field. However, if you renew the IP-HTTPS certificate using the guidance in this post, you will indeed orphan DirectAccess clients until they can update group policy.

  4. Petr

     /  November 13, 2019

    We use a public certificate in our DA configuration. But in the certificate store there is a self-signed certificate DirectAccess-RADIUS-Encrypt-servername.domain.se which will expire soon. Do we need to issue a new certificate? I read an article saying that it is used only for OTP and if OTP is not in use we don’t need to renew this certificate. Is this true? Thank you

  5. Roberto

     /  December 17, 2019

    Will this have any impact on the Domain Controller(s)? When DA was deployed, Group Policy Objects (DirectAccess Server & DirectAccess Client) were also created, referring among other things to the expiring certificates. So my question is: will this have an impact on the DA server itself, or will something happen on the DCs also (DNS? Group Policy for server and client itself?). Thank you.

    • When you run this script it will renew the DirectAccess self-signed certificates and then update the configuration to reflect those changes. When this happens, the DirectAccess client and server settings GPOs are updated with the new certificate information. So, there’s no change to the DC itself, but the DirectAccess client and server settings GPOs will be updated. 🙂

      • Roberto

         /  December 18, 2019

        Great to hear this. Thanks a lot for your prompt reply and for your excellent work!

      • Yifeng

         /  April 16, 2020

        Thank you so much for sharing this script, Richard.
        I have a question about DirectAccess in GPOs. I have tried to use the New-SelfSignedCertificate cmdlet to clone the existing self-signed certificate. However, the old certificate stays in Cert:\LocalMachine\My with the new one. And when I check the DirectAccess Server Settings group policy, under Software\Policies\Microsoft\Windows\RemoteAccess\Config\MachineSIDs\S-1-5-21-aaaaaaaa-bbbbbbbbb-oooooooooo-xxxxx\ServerCertForRadius, it still shows the old certificate in that GPO (the expiration date does not change). Do I need to delete the old one or do something in the GPO so that the new certificate is applied to that GPO?
        I would appreciate it if you could let me know, thanks again.

      • I will have to look into this. It’s only ever used when OTP authentication is configured, which is not common. I may have to modify the script to update this information in the DirectAccess server settings GPO. If you aren’t using OTP you can disregard this certificate.

      • Yifeng

         /  April 20, 2020

        Thanks a lot, Richard. I think we are not using OTP. But we do have a connection problem after renewing those three certificates. I would appreciate it if you could let me know if you find anything that can help.
        Regards

      • What kind of connectivity issue are you having? After updating the certificates did you update group policy settings on the client before trying to connect?

      • Yifeng

         /  April 23, 2020

        From the users’ computers, DirectAccess just keeps showing “Connecting” but never succeeds. I renewed all three certificates on our DirectAccess server, but cannot find a way to update the group policy certificate (Software\Policies\Microsoft\Windows\RemoteAccess\Config\MachineSIDs\S-1-5-21-aaaaaaaa-bbbbbbbbb-oooooooooo-xxxxx\ServerCertForRadius). Our DA server is a Windows 2012 R2 Core server (CLI) and I cannot use the DirectAccess management console to change the setting. Also, due to shelter in place, it seems all users are working from home now and cannot get updates from group policy, which caused this issue (this is my guess).
        We let users use the router VPN for now. I would appreciate it if you could guide me on how to update the DirectAccess certificate (DirectAccess-RADIUS-Encrypt-) in group policy, thank you very much.

      • Unless you have configured DirectAccess with OTP authentication, updating the DirectAccess-RADIUS-Encrypt certificate won’t impact your users at all. However, if you update the IP-HTTPS self-signed certificate then yes, users will have to update group policy to be able to connect. The best solution in this case is not to use self-signed certificates at all, as they should typically be avoided. A better choice is to use an SSL certificate from a public certification authority. If you do this your clients should be able to connect without having to update group policy.

      • Yifeng

         /  April 24, 2020

        Understood, thanks a lot for your help. I am not sure whether we are using OTP, but I think we don’t. Just wondering whether the certificate in group policy will be auto-updated or not after cloning the certificate on the DA server (for me, it does not change).

      • If you aren’t sure you are using OTP authentication then you most likely are not. 😉 Don’t worry about the RADIUS encryption certificate if that’s the case. Today the script only renews the certificate and doesn’t update the group policy with this new information. That’s an oversight on my part and I’m working to address that as we speak. I hope to get the script updated soon. 🙂

      • Yifeng

         /  April 27, 2020

        Thank you so much for the reply. Looking forward to getting the updated script. 🙂

      • I’ve updated the script now to properly publish the certificate to the DirectAccess Server Settings GPO. Updated script can be found here: https://github.com/richardhicks/directaccess/blob/master/Renew-DaSelfSignedCertificates.ps1.

        Enjoy!

    • Yifeng

       /  April 30, 2020

      Thank you for updating. It seems it should work, but I got an error message “You do not have permissions to access GPO domian\{823AAA7F-xxxx-aaaa-bbbb-cccccccccccc}”. I probably need to do some research about the permission, because I have found that I cannot run Set-RemoteAccess on my DirectAccess server. It is not something wrong with your script; it happened before. Previously, I was using Invoke-Command to run “Get-ChildItem -Path Cert:\LocalMachine\My\” and Set-RemoteAccess works from my computer. I have not figured out why yet. If you have any thoughts, please kindly share them with me, thanks.

      • Unusual. Wherever you run the script from you must have full control over the GPO. It probably goes without saying that you also have to run the script in an elevated PowerShell command window too. 🙂

      • Yifeng

         /  April 30, 2020

        Yes, I understand that. I run the PowerShell console as an administrator and I even gave myself domain admin rights, but I still have that problem. From the DirectAccess server, I just cannot do anything, but from my desktop, it works fine. It is kind of weird to me.

      • Very strange. If you have permission to the GPO you should be able to access it from any machine I would think. :/

      • Yifeng

         /  April 30, 2020

        Yes, that is very strange. Whether I use Enter-PSSession or log in to the DirectAccess server directly, I just can’t use any Remote Access cmdlet. But if I run the command on my computer then it works. So I think I will have to modify your script. I appreciate that you provided this updated script so I know how to update the GPO certificate, thanks again. ^__^

      • You would not be able to run this command using Enter-PsSession because the credentials aren’t delegated when you do that. You would have to be logged on to the server to run the script.

      • Yifeng

         /  May 1, 2020

        I have tried both ways; even logging in to that server I still get the access denied error. I can only use the Set-RemoteAccess command via Invoke-Command on my computer. No idea why that happens. :~~~

      • Something very strange going on there for sure!

  6. Patrick

     /  February 20, 2020

    I know, DirectAccess is old stuff, but we are still using it in combination with OTP (RSA SecurID) and now that our Windows 10 clients are being updated to 1909, we are having massive problems with opening the user tunnel. In about a third of authentication attempts via OTP (after logon to Windows and then entering the OTP code), the logon attempt fails with error 0x80040004 and the users have to reboot their notebook and try again. RADIUS server tells the DirectAccess server that authentication was OK, still the user tunnel fails. Anyone else having these issues?

    • DirectAccess is old, but it should still work! I haven’t heard of anyone else having OTP authentication issues with DirectAccess lately. Perhaps others might though.

  7. Seth Allums

     /  March 13, 2020

    Hi Richard,

    Our 3 DA certificates are about to expire in a month. We have about 150 laptops out in the field. We do not use Windows 7, nor do we have DA configured to use OTP. We also have a wildcard domain certificate from a public CA (GoDaddy).

    We want to be able to NOT have to have our users bring their laptops into corporate to have policy updated, and would like to have a seamless transition.

    Given the specifics stated above, is it possible to install the wildcard certificate and key in the DA server’s certificate store, and then in the DA settings choose it for the IP-HTTPS certificate and have a seamless transition (aside from a possible bump of any services needing to be restarted)?

    And if that is true, can we then renew the other 2 (NLS, RADIUS-Encrypt) self-signed certs using the script without having to have the laptops brought back?

    • If you are using a public SSL certificate for IP-HTTPS, you can update that without impact to users. You simply import the new certificate on the DirectAccess server and update the configuration. Clients might be momentarily disconnected, but they’ll reconnect automatically. And yes, updating the NLS and RADIUS-Encrypt certificates using this script should not impact external users.

  8. Andrew Soper

     /  April 24, 2020

    Hi Richard – both our NLS and RADIUS internally signed certs are expired and I have all the users working from home in the current world – can they be renewed without impact, as we are struggling with the few people we have in the office – Server 2012 R2 – the IP-HTTPS cert is an external one – thank you

    • You can renew the self-signed NLS certificate without impact to users. You can renew the RADIUS certificate without impact to users as long as you aren’t using OTP authentication. Renewing the IP-HTTPS self-signed certificate will impact users though. The best solution is not to renew it, but to replace it with a public SSL certificate. You can do that without impact to remote users.

      • Andrew

         /  April 27, 2020

        Huge thank you for the reply – reassuring to hear – we will plan that and report back – best, Andrew

  9. Morten Hansen

     /  April 27, 2020

    Hi, what happens to users who use OTP when the RADIUS certificate is renewed?

    • I expect they will fail. I’m not certain though because I’ve never tested with OTP authentication. Configuring DirectAccess for OTP authentication is quite rare though, so unless you’ve specifically enabled this functionality you’d have nothing to worry about.

  10. Kevin Spick

     /  May 6, 2020

    Hi, our IP-HTTPS certificates are due to expire in a month and not self-signed but are issued by our internal PKI ICA. Does this mean that we will not require users to update GPO as with Public-assigned keys? Due to the circumstances, we have no offices open at present and want to avoid that debacle..

    • As long as the certificate is issued by a CA that your clients trust (public or private) they won’t be impacted. You can update the certificate without disrupting external users.

      • Kevin Spick

         /  May 6, 2020

        Thanks Richard, appreciate the quick response, I can get the CR signed off now 🙂

  11. mtnhansen2014

     /  May 11, 2020

    Just want to thank you for a very good script. Have just run it and updated NLS for new 5 years. Thank you!

  12. Glen Harrison

     /  July 24, 2020

    🙁 Just when I think I’ve got to the point we can roll this out to our users, I’ve just noticed user certificate auto enrolment isn’t working. The templates and gpos are fine, and the user can manually install it. Any ideas?

    • Do the users have the certificate auto enrollment GPO applied? And does the GPO stipulate auto enrollment for *user* certificates, not just computer certificates?

      • Glen Harrison

         /  July 24, 2020

        Yep, user GPO is applied and the machine has the registry key AEPolicy set to 7. Running the command certreq -enroll -user -q VPN-User installs the user cert fine. It’s just not doing it automatically. It would be nice to get it working properly, but as a workaround I have stuck that command in my SCCM package which installs the Profile.PS1, so the user is installing the cert at the same time they are installing the VPN connection. It works ok, but I’d love to know why autoenrolment isn’t working.

      • Autoenroll permission enabled on the certificate template for a user group? Is the user a member of that group? Has the user logged off/on after being added to the group? Verified using whoami /groups? 🙂

      • Glen Harrison

         /  July 24, 2020

        Yep, done all that about 20 times today. Even imaged the machine just to be sure.

      • Any indication of failure in the event log? Might be a good idea to enable enhanced logging for more visibility. Here are some good reference articles for that.

        https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755801(v=ws.10)
        https://docs.microsoft.com/en-us/archive/blogs/instan/troubleshooting-autoenrollment

      • Glen Harrison

         /  July 24, 2020

        To be honest, and I’d really appreciate your advice on this, the way I have it set up now, I kinda like. My users often use different computers, many of which will never leave the office. I have configured the Profile.PS1 package in SCCM to be made available through Software Center, meaning the users have to manually install the connection. I like this very much, as it means the VPN connection only gets created on machines the user is intending to take offsite. Now I have manually added the certreq command to this package, it means both the certificate and the connection only get installed on machines actually being used for Always On VPN. If auto enrollment was working, the user certificate would be installed on lots of computers for no good reason (like desktops, not just laptops). Is there any reason why my way is not a good idea? Going back to the auto enrollment issue, I have just remembered (and I read something about this online) that months ago when I first started looking at AOVPN my test machine was on the same VLAN as the certificate server. I’m 99% certain that the certs were auto enrolling. The laptops I’m looking at today are on a different VLAN. I read that someone else had this same issue with auto enrolment. I guess I could move the laptop to the same VLAN and test... but how about leaving my setup as is? Good idea? If you think it’s ok, I’ll change the VPN-User template to just enrol and not auto enrol.

      • It’s not necessarily a bad thing to selectively target the deployment to only those users who require remote access. If auto enrollment isn’t working for you, executing certreq.exe, while not elegant, should certainly work and meet your needs. I understand that sometimes you have to cut your losses and fight other battles. 🙂 With that, network connectivity could affect certificate auto enrollment. If there’s a firewall blocking RPC access to the issuing CA that would certainly cause this issue. However, you wouldn’t be able to enroll manually either.

  13. Dear Mr. Richard,
    after I used the script to renew the certificate, some clients cannot access the local resources, and then I removed the DNS policies from the local registry, which solved the problem, but today I face another issue (configuration load error “the system cannot find the file specified”)

    • Under some conditions clients will be disconnected or may lose access to internal resources. Those are outlined in the Important Considerations section of this post. The configuration load error is most likely unrelated to renewing these certificates though. That typically has something to do with group policy not being applied correctly on the server. There are other things that can cause this as well.

  14. Dear Mr. Richard, we have a 2012 R2 Windows Server for DirectAccess (DA). It was installed in 2016. We also have an AD server for our domain with CA functionality. The CA root certificate expires on 08.03.2021. It is published via the Group Policy “Default Domain Policy”. But there are three other self-signed certificates directly on our DirectAccess server:
    1. the NLS certificate -> I renewed it via our AD CA server (it also expires on 08.03.2021 because of the expiring root CA certificate)
    2. a self-signed certificate on the DA server “DirectAccess-RADIUS-Encrypt-SERVERNAME.DOMAINNAME.it” which is valid from March 2016 until 21.03.2021
    3. a self-signed certificate on the DA server “vpn.DOMAINNAME.com”, also valid from March 2016 until 21.03.2021 –> this certificate is also “integrated” in our “Default Domain Policy” (I can find this certificate in the DA configuration setup -> RAS Server -> Network Adapter –> Self-signed certificate (IP-HTTPS connection))

    So at the end of February I would like to re-sign our CA root certificate on our AD server.
    But how do I proceed regarding the 2nd and 3rd certificates mentioned? Because of Covid-19 most of our employees are working from home office via DirectAccess connection. Can I renew both certificates on our DA server using certlm (certificate manager), and can I avoid the employees having to come back to the office because of the two renewed DA certificates? Just renew both certificates and the user must log off/log on again in home office (e.g. gpupdate /force)?

    Thank you very much!

    Best Matthias

    • You should be able to renew the CA certificate without issue. Since it is the same PKI, just a new certificate, it should be ok. The real problem occurs when you try to change to an entirely new PKI.

  15. Ludvig

     /  April 30, 2021

    Hi Richard,

    So remote clients will be affected while updating the IP/HTTPS certificate using your script considering the current certificate is self-signed if I understand you correctly.

    If we renew the SSL certificate from DigiCert will there be any impact to internal or remote users?

    • If you change the configuration to use a public TLS certificate there should be no impact on your users. They’ll be disconnected momentarily while you make the change, but should reconnect automatically after that.

  16. Justin

     /  October 20, 2023

    Server 2022

    Script threw an error, sorry didn’t grab it. Something about not being able to convert something into an object.

    This one wrecked my brain for a couple hours. So the NLS cert expired. Ugh, ok. Got here. Ran the script. Then none of our clients could connect. I noticed there was a new cert in IIS. Normally IP-HTTP is our GoDaddy cert but it created a new DirectAccess-IPHTTP cert and it said it was created by our wildcard cert. Issued to – *.domain.com – issued by – *.domain.com.

    When editing RAS I could see it had the normal cert. If I clicked browse and selected it again it detected no change because the Finish button would be greyed out.

    Get-DAServer was showing the wrong thumbprint. So I went back into RAS, picked some other cert. Finish. Went back in and grabbed the right cert then clicked Finish again. Get-DAServer then showed the correct thumbprint. All was well.

    I’m guessing the error had something to do with the oddity. So just a heads up for those on W2K22.

    As always thanks for the script/fix!

    • I haven’t tested this script on Windows Server 2022. It’s possible something has changed. I’ll look at it when time permits. Glad you got things working, though!

