Forefront UAG 2010 DirectAccess Clients and Repeated OTP Prompts

In a very specific DirectAccess deployment scenario, users may be prompted repeatedly for One-Time Password (OTP) credentials. Specifically, this may occur when Windows 7 clients access a Forefront UAG 2010 DirectAccess server that has two-factor authentication with OTP enabled, forced tunneling required, and the client configured to use a corporate web proxy server. The root cause involves Network Connectivity Status Indicator (NCSI) probes and the security permissions on the private key of the certificate used for OTP authentication. Resolving the issue requires creating a custom certificate template for use with two-factor authentication and setting key permissions for NETWORK SERVICE on the certificate template. You can also work around this issue by disabling forced tunneling or by disabling the 6to4 and Teredo adapters, which will stop the NCSI probes from occurring. For more detailed information, read Microsoft KB article 2797301.

IPv6 Readiness Update for Windows 7 and Windows Server 2008 R2

Microsoft has made available an update for Windows 7 and Windows Server 2008 R2 to improve the operability and performance for these operating systems when you migrate from IPv4 to IPv6. Specifically the update resolves an issue where clients with a public IPv4 address, which are automatically assigned a 6to4 IPv6 address, may not be able to reach IPv6 hosts. The update includes a feature that allows the client to check and verify end-to-end IPv6 connectivity through the 6to4 relay before adding the IPv6 route to the routing table. This addresses one of the IPv6 “brokenness” issues where clients would try to establish an IPv6 connection to an address that could not be reached through the relay. The update also addresses stability issues when many IPv6 addresses and routes are used, and alters the default behavior of Internet Connection Sharing with 6to4. In addition, when clients are configured to use IPv6 as their default connection but don’t have an IPv6 connection to the Internet, the update enables the use of the Network Connectivity Status Indicator (NCSI) functionality to verify IPv6 Internet connectivity before establishing a connection. If an IPv6 connection to the Internet is not available, the client will use IPv4 instead of IPv6.

You can download the IPv6 readiness update for Windows 7 and Windows Server 2008 R2 here.
