Renew DirectAccess Self-Signed Certificates

Renew DirectAccess Self-Signed CertificatesWhen DirectAccess is deployed using the Getting Started Wizard (GSW), sometimes referred to as the “simplified deployment” method, self-signed certificates are created during the installation and used for the IP-HTTPS IPv6 transition technology, the Network Location Server (NLS), and for RADIUS secret encryption.

Renew DirectAccess Self-Signed Certificates

Certificate Expiration

These self-signed certificates expire 5 years after they are created, which means many DirectAccess administrators who have used this deployment option will need to renew these certificates at some point in the future. Unfortunately, there’s no published guidance from Microsoft on how to accomplish this. However, the process is simple enough using PowerShell and the New-SelfSignedCertificate cmdlet.

PowerShell Script

Open an elevated PowerShell command window and run the following commands to renew the DirectAccess self-signed certificates.

# // Clone and install IP-HTTPS certificate

$iphttpscert = (Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object Thumbprint -eq ((Get-RemoteAccess).SslCertificate | Select-Object -ExpandProperty Thumbprint))
$newcert = New-SelfSignedCertificate -CloneCert $iphttpscert -FriendlyName “DirectAccess-IPHTTPS” | Select-Object -ExpandProperty Thumbprint
$cert = (Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object Thumbprint -eq $newcert)
Set-RemoteAccess -SslCertificate $cert -PassThru

# // Clone and install NLS certificate

$nlscert = (Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object Thumbprint -eq ((Get-RemoteAccess).NlsCertificate | Select-Object -ExpandProperty Thumbprint))
$newcert = New-SelfSignedCertificate -CloneCert $nlscert -FriendlyName “DirectAccess-NLS” | Select-Object -ExpandProperty Thumbprint
$cert = (Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object Thumbprint -eq $newcert)
Set-DANetworkLocationServer -NLSOnDAServer -Certificate $cert

# // Clone RADIUS encryption certificate

$cert = (Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object Subject -like “*radius-encrypt*”)
New-SelfSignedCertificate -CloneCert $cert -FriendlyName “Certificate issued by Remote Access for RADIUS shared secrets”

Script on GitHub

I’ve also published this script on GitHub. You can download Renew-DaSelfSignedCertificates.ps1 here.

Important Considerations

When the IP-HTTPS and NLS scripts above are executed, DirectAccess clients outside will be immediately disconnected and will be unable to reconnect until they update group policy (the RADIUS encryption certificate can be updated without impacting users). This will require connecting to the internal network locally or remotely using another VPN solution. In addition, internal clients that are not online when this change is made will be unable to access internal resources by name until they update group policy. If this happens, delete the Name Resolution Policy Table (NRPT) on the client using the following PowerShell command and reboot to restore connectivity.

Get-Item -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig” | Remove-Item -Confirm:$false

Additional Information

PowerShell Recommended Reading for DirectAccess Administrators

Top 5 DirectAccess Troubleshooting PowerShell Commands

 

Always On VPN Updates to Improve Connection Reliability

Always On VPN Updates to Improve Connection ReliabilityA longstanding issue with Windows 10 Always On VPN is that of VPN tunnel connectivity reliability and device tunnel/user tunnel interoperability. Many administrators have reported that Always On VPN connections fail to establish automatically at times, that only one tunnel comes up at a time (user tunnel or device tunnel, but not both), or that VPN tunnels fail to establish when coming out of sleep or hibernate modes. Have a look at the comments on this post and you’ll get a good understanding of the issues with Always On VPN.

Recent Updates

The good news is that most of these issues have been resolved with recent updates to Windows 10 1803 and 1809. Specifically, the February 19, 2019 update for Windows 10 1803 (KB4487029) and the March 1, 2019 update for Windows 10 1809 (KB4482887) include fixes to address these known issues. Administrators are encouraged to deploy Windows 10 1803 with the latest updates applied when implementing Always On VPN. Windows 10 1809 with the latest updates applied is preferred though.

Persistent Issues

Although initial reports are favorable for these updates and based on my experience the effectiveness and reliability of Windows 10 Always On VPN is greatly improved, there have still been some reports of intermittent VPN tunnel establishment failures.

Possible Causes

During my testing, after applying the updates referenced earlier both device tunnel and user tunnel connections are established much more consistently than before the updates were applied. I did encounter some issues, however. Specifically, when coming out of sleep or hibernate, VPN connections would fail to establish. Occasionally VPN connections would fail after a complete restart.

NCSI

After further investigation it was determined that the connectivity failure was caused by the Network Connectivity Status Indicator (NCSI) probe failing, causing Windows to report “No Internet access”.

Always On VPN Updates to Improve Connection Reliability

Cisco Umbrella Roaming Client

In this instance the NCSI probe failure was caused by the Cisco Umbrella Roaming Client installed and running on the device. The Umbrella Roaming Client is security software that provides client protection by monitoring and filtering DNS queries. It operates by configuring a DNS listener on the loopback address. NCSI probes are known to fail when the DNS server is running on a different interface than is being tested.

Resolution

Microsoft released a fix for this issue in Windows 10 1709. The fix involves changing a group policy setting to disable interface binding when perform DNS lookups by the NCSI. You can enable this setting via Active Directory group policy by navigating to Computer Configuration > Administrative Templates > Network > Network Connectivity Status Indicator > Specify global DNS. Select Enabled and check the option to Use global DNS, as shown here.

Always On VPN Updates to Improve Connection Reliability

For testing purposes this setting can be enabled individual using the following PowerShell command.

New-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\” -Name UseGlobalDNS -PropertyType DWORD -Value 1 -Force

Third-Party Software

As Always On VPN connectivity can be affected by NCSI, any third-party firewall or antivirus/antimalware solution could potentially introduce VPN connection instability. Observe NCSI operation closely when troubleshooting unreliable connections with Always On VPN.

Additional Information

Windows 10 1803 Update KB4487029

Windows 10 1809 Update KB4482887

Cisco Umbrella Roaming Client Limited Network Connectivity Warning

Network Connectivity Status Indicator (NCSI) Operation Explained

DirectAccess Inbox Accounting Database Optimization

DirectAccess Inbox Accounting Database OptimizationRecently I wrote about an issue with DirectAccess servers exhibiting high SQL Server CPU usage. In that article I demonstrated a way to resolve the issue by adding a crucial index to a table in the remote access inbox accounting database. The process was a bit involved and required downloading third-party tools to make configuration changes on the DirectAccess server.

Going forward, making these changes will now be much easier. Microsoft has published guidance for optimizing the remote access inbox accounting database using PowerShell. They’ve also provided scripts to back up the database and to confirm that optimization has been implemented.

For more information and to download the remote access inbox accounting database optimization PowerShell scripts, click here.

Windows 10 November Update Available Today

Windows 10 November Update Available TodayToday Microsoft announced the availability of the November Update (formerly Threshold 2) for Windows 10. With this update, Microsoft is now touting Windows 10 build 1511 as “enterprise ready”, with a number of key features and enhancements designed to drive enterprise adoption for the client operating system.

  • Performance Improvements – According to Microsoft, the Windows 10 November Update includes important improvements in performance, improving boot time almost 30% over Windows 7 installed on the same system.
  • Windows Update for Business – Windows Update for Business enables IT to control Windows update within their organization, allowing administrators to roll out updates on their schedule. New features with this service include creating device groups and enabling phased deployment of updates across the organization
  • Windows Store for Business – The Windows Store for Business provides IT with a mechanism to provision and manage apps for Windows 10 devices, both from the Windows Store and their own line-of-business apps.
  • Telemetry Control – Beginning with Windows 10 build 1511, enterprise customers will now have the ability to completely disable all Windows telemetry. Although not recommended, this feature is essential for many organizations to maintain the highest levels of security.

Since Windows 10’s release in late July of this year, enterprise customers have deployed Windows 10 on more than 12 million business PCs. Many organizations who have not yet upgraded are in the planning and pilot stages today, or will be soon. The enterprise adoption rate for Windows 10 continues to accelerate, and no doubt will do so even more with the release of Windows 10 build 1511.

Don’t forget that Windows 10 already includes a number of important security advancements such as Credential Guard to mitigate various credential theft attacks, Device Guard to prevent installation of malicious software, and Windows Hello to strengthen authentication with the use of biometrics. These features, along with the new capabilities and services introduced today, continue to make Windows 10 a compelling client operating system in the enterprise.

Of course the perfect complement to Windows 10 in the enterprise is DirectAccess. To learn more about how to maximize your investment in Windows 10 with DirectAccess, here are some essential references.

In addition, DirectAccess consulting services are also available. More details here.

DirectAccess Client and Server Settings GPOs Deleted

Microsoft Windows Server Active DirectoryFor DirectAccess deployments where domain controllers are running Windows Server 2003 or Windows Server 2003 R2 using the File Replication Service (FRS) for replication, DirectAccess client and server settings Group Policy Objects (GPOs) may be deleted. If these GPOs are deleted, DirectAccess connectivity will be disrupted. If the GPOs cannot be recovered via backup, it will be necessary to rebuild the entire DirectAccess deployment from scratch.

Microsoft recently updated their DirectAccess Unsupported Configurations documentation to reflect new guidance for DirectAccess deployments where the FRS is used for the distribution of Active Directory GPOs. DirectAccess is no longer supported in environments where FRS is used for SYSVOL replication.

What this means is that if you plan to deploy DirectAccess, domain controllers must be running Windows Server 2008 or later, and Distributed File System Replication (DFS-R) must be used for replication.

More details can be found here.

Hotfix Available for DirectAccess OTP Configuration Issues

If you’ve ever tried configuring DirectAccess to use One-Time Password (OTP) authentication, you’ve no doubt discovered that the native Microsoft Remote Access Management console would return the following error when trying to detect and locate Certificate Authority (CA) servers.

No CA servers can be detected, and OTP cannot be configured. Ensure that
servers added to the list are available on each domain controller in the
corporate network.

Configure DirectAccess with OTP Authentication

The workaround for this issue required dropping to the command line and executing PowerShell commands to complete this configuration as I outlined here.

Thankfully Microsoft has made available a hotfix to address this issue, returning full GUI functionality for configuring DirectAccess and OTP authentication. For additional details about this hotfix and to request the update itself, click here.

Critical Update MS15-034 and DirectAccess

Microsoft Security Bulletin MS15-034 Vulnerability in HTTP.sys affects DirectAccessThe April 2015 monthly security update release from Microsoft includes a fix for a serious vulnerability in HTTP.sys. On an unpatched server, an attacker who sends a specially crafted HTTP request will be able to execute code remotely in the context of the local system account. DirectAccess leverages HTTP.sys for the IP-HTTPS IPv6 transition protocol and is critically exposed. Organizations who have deployed DirectAccess are urged to update their systems immediately.

More information can be found on MS15-034 here.

Unable to Install DirectAccess Hotfix KB2953212 to Disable NRPT

Last year I wrote about Microsoft hotfix KB2953212 that that allowed users to disable the Name Resolution Policy Table (NRPT) on a DirectAccess client. This hotfix addressed a specific scenario where a DirectAccess client on the internal corporate network could not connect to local resources due to Network Location Server (NLS) unreachability.

When installing this update, you many encounter the following error message:

Windows Update Standalone Installer
The update is not applicable to your computer

Unable to Install DirectAccess Hotfix KB2953212 to Disable NRPT

This occurs because the KB2953212 hotfix was included in KB3000850, the November 2014 update rollup for Windows 8.1 and Windows Server 2012 R2. You can verify this by opening the Control Panel and selecting Programs and then clicking View installed updates under Programs and Features.

Unable to Install DirectAccess Hotfix KB2953212 to Disable NRPT

If you have the November 2014 update rollup installed there is no need to install KB2953212, as that hotfix is already included in the rollup.

DirectAccess and Windows 10 Technical Preview Build 9926

Looking for more information on Windows 10 and DirectAccess? Click here!

Microsoft recently announced the availability of build 9926 of Windows 10 Technical Preview. This new update includes changes to the user interface that make it easier to view DirectAccess connection status and properties. In this latest build, using the Window Key + I keystroke combination now brings up the Settings menu.

DirectAccess and Windows 10 Technical Preview Build 9926

Figure 1 – Settings Window

To view the DirectAccess connection status, click Network & Internet and then click Show available connections.

DirectAccess and Windows 10 Technical Preview Build 9926

Figure 2 – Network & Internet (Show Available Connections)

Here you’ll find status information for all network connections including DirectAccess. Right-clicking the Workplace Connection will allow the user to disconnect their session, if that option is enabled on the DirectAccess server.

DirectAccess and Windows 10 Technical Preview Build 9926

Figure 3 – DirectAccess Connectivity Status Indicator

Selecting the DirectAccess submenu reveals detailed information about DirectAccess connectivity, including current entry point connection and optional entry point selection, if manual entry point selection is enabled on the DirectAccess server.

DirectAccess and Windows 10 Technical Preview Build 9926

Figure 4 – Network & Internet (DirectAccess Advanced Connection Properties)

Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

Updated April 9, 2015: The hotfix referred to in this article is now included in the November 2014 update rollup for Windows 8.1 and Windows Server 2012 R2. You will receive an error message when installing this update on Windows 8.x clients with the update rollup installed. More details here.

The Network Location Server (NLS) is a critical infrastructure component for DirectAccess deployments. The NLS is used by DirectAccess clients to determine if the client is located inside or outside of the corporate network. If the NLS becomes unavailable, DirectAccess clients that are already outside the corporate network are unaffected. However, DirectAccess clients that are inside the corporate network will mistakenly believe that they are outside and the Name Resolution Policy Table (NRPT) will be enabled, forcing name resolution requests for hosts in the internal namespace to be sent to the DNS64 service running on the DirectAccess server. If the DirectAccess server is unreachable from the internal network (a common scenario for a variety of reasons), DirectAccess clients inside the corporate network will be unable to connect to any local network resources by name until the NLS is once again reachable.

Configuring the Network Connectivity Assistant to Allow DirectAccess clients to use local name resolution does not resolve this issue. Although it sounds intuitive, it doesn’t resolve this specific issue where the NLS is unreachable.

Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

When the option to Allow DirectAccess clients to use local name resolution is enabled, the client can only choose to disconnect (use local name resolution) after it has successfully established a connection to the DirectAccess server. If the DirectAccess connection shows that it is still connecting, the option to disconnect is not available.

Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

To address this issue, Microsoft has released update KB2953212 for Windows 8.x clients that allows the disabling of the NRPT regardless if the client has successfully established a DirectAccess connection. With this update, if a DirectAccess client is located on the corporate network and is unable to reach the NLS, the user will be able to disable the NRPT (effectively disconnect DirectAccess) and once again connect to resources on the corporate network.
Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

This update is certainly no excuse not to deploy your NLS in a highly-available configuration using Windows Network Load Balancing (NLB) or a third-party external load balancer (hardware or software), but it can be a life-saver if your NLS becomes unavailable for any reason. I’d recommend deploying this update to all of your Windows 8.x DirectAccess clients soon.

For more information and to download the hotfix, click here.

%d bloggers like this: