In a very specific DirectAccess deployment scenario it is possible that users may be prompted repeatedly for One-Time Password (OTP) credentials. Specifically this may occur when you have Windows 7 clients accessing a Forefront UAG 2010 DirectAccess server with two-factor authentication enabled with OTP, along with forced tunneling required and the client configured to use a corporate web proxy server. The root cause of the issue has to do with Network Connectivity Status Indicator (NCSI) probes and security permissions on the private key of the certificate used for OTP authentication. To resolve the issue will require creating a custom certificate template for use with two-factor authentication and setting key permissions for the NETWORK SERVICE on the certificate template. You can also workaround this issue by disabling forced tunneling or disabling the 6to4 and Teredo adapters, which will stop the NCSI probes from occurring. For more detailed information read Microsoft KB article 2797301.
Awards
Pluralsight
Consulting
Newsletter
All posts tagged UAG
Forefront UAG 2010 DirectAccess Clients and Repeated OTP Prompts
Posted by Richard M. Hicks on March 26, 2013
https://directaccess.richardhicks.com/2013/03/26/forefront-uag-2010-directaccess-clients-and-repeated-otp-prompts/
Features Deprecated in Forefront UAG Service Pack 3
With the recent release of Service Pack 3 (SP3) for Microsoft Forefront Unified Access Gateway (UAG) 2010, Microsoft has published a list of features in UAG SP3 that have been deprecated. To be clear, this does not mean these features cease to function after you install SP3 on UAG! It is simply meant to give network engineers and security administrators an idea about what features are likely to be removed from future releases of Forefront UAG. Some of the deprecated features should come as no surprise. For example, DirectAccess support in Forefront UAG is now deprecated in favor of DirectAccess in Windows Server 2012. Also, features such as Secure Sockets Tunneling Protocol (SSTP) for client-based remote access are better handled using the remote access role in Windows Server 2012. Other deprecated features may present more of a challenge if you’ve been relying on them to provide secure remote access to applications, such as the deprecation of support for some authentication repositories (e.g. Novell Directory, Notes Directory, TACACS) or the Java-based Session Cleanup tool. For a complete list of deprecated features in Forefront UAG SP3, click here.
Posted by Richard M. Hicks on February 26, 2013
https://directaccess.richardhicks.com/2013/02/26/features-deprecated-in-forefront-uag-service-pack-3/
Forefront UAG 2010 SP3 Now Available
Service Pack 3 for Microsoft Forefront UAG 2010 is now available for download. SP3 for Forefront UAG 2010 includes several important new features and enhanced functionality, including:
Support for Internet Explorer 10 on Windows 8 – Full support is provided only for Internet Explorer 10 in desktop mode. The modern UI version of Internet Explorer 10 does not provide support for browser add-ons. If a user accesses the Forefront UAG 2010 portal and the trunk is configured to install and launch the UAG client components, the user will receive a message indicating that the site requires add-ons which will require the desktop version of Internet Explorer 10.
Support for the Native Windows 8 Mail App – Windows 8 users can now connect to published Exchange servers using the built-in Windows 8 modern UI mail app
Remote Desktop Connection (RDC) 8.0 client support – Windows 8 users and Windows 7 users who have upgraded to the RDC client v8.0 can now access remote desktop resources published by Forefront UAG 2010 SP3
Exchange Server 2013 – Application publishing wizards in Forefront UAG 2010 SP3 now include native support for Exchange Server 2013
SharePoint Server 2013 – Application publishing wizards in Forefront UAG 2010 SP3 now include native support for SharePoint Server 2013
Support for Office 2013 applications – Publishing Office 2013 applications such as Outlook, PowerPoint, Word, and Excel is now natively supported in Forefront UAG 2010 SP3
You can download SP3 for Forefront UAG 2010 here. After installation the Forefront UAG 2010 build number will be 4.0.3206.10100.
Posted by Richard M. Hicks on February 20, 2013
https://directaccess.richardhicks.com/2013/02/20/forefront-uag-2010-sp3-now-available/
Always On VPN Book
DirectAccess Book
Always On VPN DPC
