All posts tagged troubleshooting

Always On VPN Error Code 858

Always On VPN Error Code 858When configuring Windows 10 Always On VPN using Extensible Authentication Protocol (EAP), the administrator may encounter a scenario in which the client connection fails. The event log will include an event ID 20227 from the RasClient source that includes the following error message.

“The user [domain\username] dialed a connection named [connection name] which has failed. The error code returned on failure is 858.”

Always On VPN Error Code 858

RasClient Error 858

RasClient error code 858 translates to ERROR_EAP_SERVER_CERT_EXPIRED. Intuitively, this indicates that the Server Authentication certificate installed on the Network Policy Server (NPS) has expired. To resolve this issue, renew the certificate on the NPS server.

Additional Information

Windows 10 Always On VPN Network Policy Server (NPS) Load Balancing

Windows 10 Always On VPN and Windows Server 2019 NPS Bug

Windows 10 Always On VPN Error Code 864

Leave a comment
by Richard M. Hicks on December 17, 2019  •  Permalink
Posted in Always On VPN, AOVPN, authentication, certificates, Encryption, Enterprise, enterprise mobility, Mobility, network policy server, NPS, Remote Access, routing and remote access service, RRAS, Security, troubleshooting, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on December 17, 2019

https://directaccess.richardhicks.com/2019/12/17/always-on-vpn-error-code-858/

Microsoft Intune NDES Connector Error 0x80004003

Microsoft Intune NDES Connector Error 0x80004003To support certificate deployment for non-domain Windows 10 Always On VPN clients, a Windows Server with the Network Device Enrollment Service (NDES) role can be provisioned on-premises. In addition, the Microsoft Intune Connector must be installed and configured on the NDES server to allow Intune-managed clients to request and receive certificates from the on-premises Certification Authority (CA) server.

Connection Status Error

After installing the Microsoft Intune Connector, the administrator may encounter the following error message.

“An error occurred while connecting to the Intune Service. Error code is 0x80004003. The NDES Connector will retry the connection as soon as possible.”

 Microsoft Intune NDES Connector Error 0x80004003

IE Enhanced Security Configuration

This error can occur if Internet Explorer Enhanced Security Configuration (ESC) is enabled. To resolve this issue, disable ESC for administrators and users by opening the Server Manager on the NDES server and performing the following steps.

1. In the navigation pane click Local Server.
2. Click the On link next to IE Enhanced Security Configuration.
3. Click Off in the Administrators section.
4. Click Off in the Users section
5. Click Ok.

Microsoft Intune NDES Connector Error 0x80004003

Once complete, restart the NDES Connector service using the following PowerShell command.

Restart-Service NDESConnectorSvc -PassThru

Additional Configuration

Microsoft Intune NDES Connector Setup Wizard Ended Prematurely

4 Comments
by Richard M. Hicks on November 25, 2019  •  Permalink
Posted in Always On VPN, AOVPN, authentication, Azure, Enterprise, enterprise mobility, Microsoft Intune, Mobility, NDES, Network Device Enrollment Service, Network Device Enrollment Services, PKI, public cloud, public key infrastructure, Remote Access, Security, troubleshooting, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2019
Tagged , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 25, 2019

https://directaccess.richardhicks.com/2019/11/25/microsoft-intune-ndes-connector-error-0x80004003/

Renew DirectAccess Self-Signed Certificates

Renew DirectAccess Self-Signed CertificatesImportant! Updated April 29, 2020 to resolve an issue where the DirectAccess RADIUS encryption certificate was not published to the DirectAccess Server Settings GPO in Active Directory.

When DirectAccess is deployed using the Getting Started Wizard (GSW), sometimes referred to as the “simplified deployment” method, self-signed certificates are created during the installation and used for the IP-HTTPS IPv6 transition technology, the Network Location Server (NLS), and for RADIUS secret encryption. Administrators may also selectively choose to use self-signed certificates for IP-HTTPS, or when collocating the NLS on the DirectAccess server. The RADIUS encryption certificate is always self-signed.

Renew DirectAccess Self-Signed Certificates

Certificate Expiration

These self-signed certificates expire 5 years after they are created, which means many DirectAccess administrators who have used this deployment option will need to renew these certificates at some point in the future. Unfortunately, there’s no published guidance from Microsoft on how to accomplish this. However, the process is simple enough using PowerShell and the New-SelfSignedCertificate cmdlet.

PowerShell Script on GitHub

The PowerShell script to renew DirectAccess self-signed certificates has been published on GitHub. You can download Renew-DaSelfSignedCertificates.ps1 here.

Important Considerations

When the IP-HTTPS certificate is renewed using this script, DirectAccess clients outside will be immediately disconnected and will be unable to reconnect until they update group policy. This will require connecting to the internal network locally or remotely using another VPN solution. The NLS and RADIUS encryption certificates can be updated without impacting remote users.

In addition, internal clients that are not online when this change is made will be unable to access internal resources by name until they update group policy. If this happens, delete the Name Resolution Policy Table (NRPT) on the client using the following PowerShell command and reboot to restore connectivity.

Get-Item -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig” | Remove-Item -Confirm:$false

Additional Information

PowerShell Recommended Reading for DirectAccess Administrators

Top 5 DirectAccess Troubleshooting PowerShell Commands

 

 

72 Comments
by Richard M. Hicks on May 2, 2019  •  Permalink
Posted in authentication, certificates, DirectAccess, Encryption, enterprise mobility, GitHub, IP-HTTPS, IPv6 Transition, Mobility, name resolution policy table, PowerShell, Remote Access, Security, SSL, SSL and TLS, TLS, transition technology, troubleshooting, Update, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on May 2, 2019

https://directaccess.richardhicks.com/2019/05/02/renew-directaccess-self-signed-certificates/

« Older Posts
Newer Posts »
%d bloggers like this: