Tuesday, 5 July 2011

[UAG] DirectAccess : ERROR_IPSEC_AUTH_FAIL issue

On a DirectAccess deployment with UAG I ran into a weird issue: even though the transition interfaces (IP-HTTPS or Teredo) were up, the IPsec tunnels refused to come online.

While analyzing the network capture I noticed that the problem was with the certificate (error code ERROR_IPSEC_AUTH_FAIL), even though the certificate administrator said that all the prerequisites had been followed.

Looking more closely, error code 0x000035E9 ERROR_IPSEC_AUTH_FAIL describes a failure during the negotiation of the IKE authentication credentials.

This error was immediately followed by 0x000035EE ERROR_IPSEC_IKE_NO_CERT, even though a computer certificate was deployed on both the client laptop and the DirectAccess gateway.

After analyzing the CAPI2 event log:
  • The Forefront UAG server, located in a DMZ, used a dedicated PKI for that zone.
  • The client laptop used another PKI on the production network.
But the computer certificates must be issued by the same certification chain: the same subordinate CA or the same root CA. After reissuing every computer's certificate from the same certification chain, everything worked again.
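A quick way to catch this mismatch before spending days on captures is to dump the chain each computer certificate actually builds and compare the root CA thumbprints on the client and on the UAG server. The following PowerShell script is an added example, not part of the original post or of the UAG product; it assumes an elevated session on a Windows machine and only reads the LocalMachine\My store. The function name Get-ComputerCertChainReport is my own.

```powershell
# Added example (not from the original post): report every computer certificate in
# the local machine store together with the chain Windows builds for it, so the
# issuing CA and root CA can be compared between the DirectAccess client and the
# UAG gateway. Assumption: run elevated on each machine.

function Get-ComputerCertChainReport {
    param(
        # Optional thumbprint to limit the report to one certificate
        [string]$Thumbprint
    )

    $certs = Get-ChildItem -Path Cert:\LocalMachine\My
    if ($Thumbprint) {
        $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint }
    }

    foreach ($cert in $certs) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip revocation here: the question is which CAs the chain goes through,
        # not whether the CRL is reachable from the DMZ.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)

        # ChainElements[0] is the leaf; the last element is the root when the chain built.
        $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            ChainBuilt     = $built
            ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            IssuingCA      = if ($elements.Count -gt 1) { $elements[1].Subject } else { $null }
            RootCA         = $elements[-1].Subject
            RootThumbprint = $elements[-1].Thumbprint
        }
        $chain.Reset()
    }
}

# Usage: run on the client laptop and on the UAG server, then compare the
# RootThumbprint (and IssuingCA) values side by side.
Get-ComputerCertChainReport | Format-List
```

If the two machines show different RootThumbprint values, or ChainBuilt is false with a status such as PartialChain or UntrustedRoot, the IPsec peers cannot satisfy each other's certificate authentication requirement, which is exactly the situation that produced ERROR_IPSEC_AUTH_FAIL above. The DirectAccess connection security rules name the root CA the peer certificate must chain to, so a certificate from a second PKI is rejected even when it is otherwise valid and unexpired.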

Moral of this story: never take it on trust; check everything in the certificate again yourself, including the certification chain. This will save you days and days of lost time :).
