Hotfix Available for DirectAccess OTP Configuration Issues

If you’ve ever tried configuring DirectAccess to use One-Time Password (OTP) authentication, you’ve no doubt discovered that the native Microsoft Remote Access Management console would return the following error when trying to detect and locate Certificate Authority (CA) servers.

No CA servers can be detected, and OTP cannot be configured. Ensure that
servers added to the list are available on each domain controller in the
corporate network.

Configure DirectAccess with OTP Authentication

The workaround for this issue required dropping to the command line and executing PowerShell commands to complete this configuration as I outlined here.

Thankfully Microsoft has made available a hotfix to address this issue, returning full GUI functionality for configuring DirectAccess and OTP authentication. For additional details about this hotfix and to request the update itself, click here.

Unable to Install DirectAccess Hotfix KB2953212 to Disable NRPT

Last year I wrote about Microsoft hotfix KB2953212 that that allowed users to disable the Name Resolution Policy Table (NRPT) on a DirectAccess client. This hotfix addressed a specific scenario where a DirectAccess client on the internal corporate network could not connect to local resources due to Network Location Server (NLS) unreachability.

When installing this update, you many encounter the following error message:

Windows Update Standalone Installer
The update is not applicable to your computer

Unable to Install DirectAccess Hotfix KB2953212 to Disable NRPT

This occurs because the KB2953212 hotfix was included in KB3000850, the November 2014 update rollup for Windows 8.1 and Windows Server 2012 R2. You can verify this by opening the Control Panel and selecting Programs and then clicking View installed updates under Programs and Features.

Unable to Install DirectAccess Hotfix KB2953212 to Disable NRPT

If you have the November 2014 update rollup installed there is no need to install KB2953212, as that hotfix is already included in the rollup.

Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

Updated April 9, 2015: The hotfix referred to in this article is now included in the November 2014 update rollup for Windows 8.1 and Windows Server 2012 R2. You will receive an error message when installing this update on Windows 8.x clients with the update rollup installed. More details here.

The Network Location Server (NLS) is a critical infrastructure component for DirectAccess deployments. The NLS is used by DirectAccess clients to determine if the client is located inside or outside of the corporate network. If the NLS becomes unavailable, DirectAccess clients that are already outside the corporate network are unaffected. However, DirectAccess clients that are inside the corporate network will mistakenly believe that they are outside and the Name Resolution Policy Table (NRPT) will be enabled, forcing name resolution requests for hosts in the internal namespace to be sent to the DNS64 service running on the DirectAccess server. If the DirectAccess server is unreachable from the internal network (a common scenario for a variety of reasons), DirectAccess clients inside the corporate network will be unable to connect to any local network resources by name until the NLS is once again reachable.

Configuring the Network Connectivity Assistant to Allow DirectAccess clients to use local name resolution does not resolve this issue. Although it sounds intuitive, it doesn’t resolve this specific issue where the NLS is unreachable.

Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

When the option to Allow DirectAccess clients to use local name resolution is enabled, the client can only choose to disconnect (use local name resolution) after it has successfully established a connection to the DirectAccess server. If the DirectAccess connection shows that it is still connecting, the option to disconnect is not available.

Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

To address this issue, Microsoft has released update KB2953212 for Windows 8.x clients that allows the disabling of the NRPT regardless if the client has successfully established a DirectAccess connection. With this update, if a DirectAccess client is located on the corporate network and is unable to reach the NLS, the user will be able to disable the NRPT (effectively disconnect DirectAccess) and once again connect to resources on the corporate network.
Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

This update is certainly no excuse not to deploy your NLS in a highly-available configuration using Windows Network Load Balancing (NLB) or a third-party external load balancer (hardware or software), but it can be a life-saver if your NLS becomes unavailable for any reason. I’d recommend deploying this update to all of your Windows 8.x DirectAccess clients soon.

For more information and to download the hotfix, click here.

Error 0x80040001 When Using OTP on Windows 7 SP1 DirectAccess Clients

Microsoft recently released a hotfix to resolve an issue where Windows 7 SP1 DirectAccess clients fail to connect to a DirectAccess server with the IP-HTTPS IPv6 transition protocol and using One-Time Password (OTP) authentication via the DirectAccess Connectivity Assistant (DCA) 2.0. In this scenario you may receive an HTTP 403 error from the DirectAccess server in response to the certificate signing requests and a 0x80040001 error after entering the OTP.

You can learn more about the hotfix for DCA 2.0 on Windows 7 SP1 and download the associated hotfix here.

Hotfix Available for Windows Server 2012 R2 DirectAccess Configuration Issue

A while back I wrote about an issue that I encountered when attempting to configure DirectAccess in Windows Server 2012 R2 using a dedicated Network Location Server (NLS). In this deployment scenario, the Remote Access Setup Wizard would fail and return the following error message:

The configuration was rolled back successfully. The URL specified for the network location server cannot be resolved to an IP address.

Windows Server 2012 R2 DirectAccess Name Resolution Issue

Upon further investigation, the NLS server name does indeed resolve correctly, and clicking validate when defining the NLS works without issue. Originally I proposed a workaround that involved changing a registry setting. However, after working with Microsoft to identify the issue they have released a hotfix to resolve this issue correctly. You can download the hotfix here.

Windows Server 2012 Remote Access Management Service Memory Leak

When Windows Server 2012 is configured for DirectAccess or client-based remote access Virtual Private Networking (VPN), a memory leak may occur in the Remote Access Management service when remote clients access the Internet using the DirectAccess or VPN connection. Microsoft knowledgebase article KB2895930 describes the issue in detail and includes a link to the hotfix to resolve this issue.

Microsoft Windows Server 2012/R2 DirectAccess

Remote Assistance to Windows 7 SP1 DirectAccess Client Fails

Microsoft recently made available a hotfix to address an issue where Remote Assistance connections to remote DirectAccess clients fails. The issue occurs specifically when Windows 7 clients connect to a Windows Server 2012 DirectAccess server using the IP-HTTPS IPv6 transition protocol. In this scenario, DirectAccess clients are assigned a Unique Local IPv6 Address (ULA) using the prefix FD00::/8 for which Remote Assistance service would not listen on. If you are planning to support Windows 7 clients on your Windows Server 2012/R2 DirectAccess server and you need Remote Assistance functionality, you’ll definitely want to ensure that this hotfix is applied to all of your Windows 7 DirectAccess clients.

For more information and to download the hotfix, please refer to Microsoft Knowledge Base article KB2912883.

Forefront UAG Service Pack 4 Now Available for Download

Good news! Service Pack 4 (SP4) for Forefront Unified Access Gateway (UAG) 2010 is now available for download. This latest service pack for UAG includes updates to support Windows 8.1 client devices using Internet Explorer 11, the native mail app, and Remote Desktop Connection (RDC) 8.1 client. In addition, SP4 for Forefront UAG 2010 also includes support for publishing RemoteApps from a Remote Desktop Session Host running on Windows Server 2012 or 2012 R2. The service pack also includes fixes for various reported issues.

KB2907776 – The UserMgrCom service crashes intermittently in Forefront UAG 2010

KB2909151 – Trunk authentication fails when the global catalog server is unavailable in Forefront UAG 2010

KB2909168 – The W3wp.exe process randomly stops and causes all sessions to disconnect in Forefront UAG 2010

KB2909182 – “The URL contains an invalid path” error occurs when you try to access an Exchange 2013 OWA website

KB2909191 – You cannot connect to corporate IPv4 resources by using DirectAccess after Forefront UAG 2010 Service Pack 3 is installed

KB2909350 – An SSL VPN application that has the Socket Forwarding mode set to Disabled uses 100 percent of the CPU’s time in Forefront UAG 2010

KB2909353 – You have to authenticate again to the ADFS server when the published server is configured for single sign-on in Forefront UAG 2010

KB2909356 – A detailed HTTP 403.14 error message occurs when you go to a specific InternalSite URL in a Forefront UAG 2010 environment

KB2909365 – A memory leak in W3wp.exe occurs when Outlook Anywhere is published through a Forefront UAG 2010 trunk

KB2909367 – Intermittent HTTP 500 error codes when you access a Forefront UAG 2010 portal

KB2909376 – File uploads do not occur to SharePoint Server 2013 or SkyDrive Pro through Forefront UAG 2010

KB2910407 – An internal 500 error occurs if a custom URL logoff page is configured in Forefront UAG 2010

KB2910413 – Multiple 4625 event IDs are logged when a user logs on in Forefront UAG 2010

KB2910467 – Configuration activation fails on some servers in a large array in Forefront UAG 2010

KB2910498 – A handle leak occurs in Lsass.exe in Forefront UAG 2010

KB2910506 – An authentication prompt is received even though a user is successfully authenticated in Forefront UAG 2010

KB2910517 – An incorrect domain password policy may be used if Active Directory integrated authentication is configured in Forefront UAG 2010

You must have Forefront UAG 2010 SP3 hotfix rollup 1 installed prior to installing SP4. You can download SP3 rollup 1 here. You can download Forefront UAG 2010 SP4 here. Once the update is installed the new Forefront UAG 2010 build number will be 4.0.4083.10000.

Microsoft Security Update MS13-064 and DirectAccess

With the August security update release cycle, Microsoft issued security bulletin MS13-064 to address a vulnerability in the Windows NAT driver that could result in a denial of service. The vulnerability could be exploited by an attacker who sends a specially crafted ICMP packet to the server running the Windows NAT Driver service. The vulnerability exists only on Windows Server 2012 and the affected driver, winnat.sys, is present when the DirectAccess role is installed. This vulnerability only affects only full installations of Windows Server 2012. Windows Server 2012 Core is not affected. If you are running DirectAccess on a full installation of Windows Server 2012, make sure you install this update as soon as possible to be protected from potential denial of service attacks. For more information about this update, click here. For a comprehensive list of updates that apply to DirectAccess on Windows Server 2012 as well as previous versions, please refer to Jason Jones’ DirectAccess hotfix summary page.

Forefront UAG 2010 Service Pack 3 Hotfix Rollup 1 Now Available

Hotfix rollup 1 for Forefront Unified Access Gateway (UAG) 2010 Service Pack 3 is now available for download. Hotfix rollup 1 for Forefront UAG SP3 addresses the following issues:

KB2810229 – You cannot redirect local computer resources in remote desktop session after you disable the client endpoint components in Forefront UAG 2010 SP3

KB2831570 The URL you requested cannot be accessed error message may be returned when a client sends an HTTP POST request to a portal in Forefront UAG 2010 SP3

KB2831573 – Traffic is not forwarded or you receive an error message about ADVAPI32.dll when you use a Windows XP client to start an application from a Forefront UAG 2010 SP3 portal

KB2831865 – The endpoint policy expression Any Personal Firewall (Windows) is incorrect for Windows 7 and Windows 8 in Forefront UAG 2010 SP3

KB2831868 – Endpoint policies for existing trunks are not updated after you install service pack 3 for Forefront UAG 2010

KB2832679 – You receive a 500 Internal Server error when you run the File Access application from the Forefront UAG 2010 SP3 portal trunk

KB2832681 – You receive a script error that prevents file access configuration in the Management Console in Forefront UAG 2010 SP3

KB2832685 – The Forefront UAG 2010 portal may intermittently become unresponsive to clients after Service Pack 2 is installed

You can download hotfix rollup 1 for Forefront UAG 2010 SP3 here. After installation the Forefront UAG 2010 build number will be 4.0.3206.10100.

%d bloggers like this: