On a DirectAccess deployment with UAG I got a weird issue. Indeed even if the transition interface de transition (IP-HTTPS or Teredo) are up, the IPsec connection refused to be in online state.
While analyzing the network capture I noticed that the problems were on the certificate with the
ERROR_IPSEC_AUTH_FAIL error code, while the certificate administrator said that all the prerequisites were followed.
When looking closely the error code
0x000035E9 ERROR_IPSEC_AUTH_FAIL describe an error on the IKE authentication credentials negotiation.
This error was immediately followed by the
0x000035EE ERROR_IPSEC_IKE_NO_CERT error even with a computer certificate deployed on the client laptop and the DirectAccess gateway.
After analyzing the CAPI2 event log:
- The Forefront UAG server on a DMZ used a dedicated PKI for this zone.
- The client laptop used another PKI on the production network.
But the computer certificate must be issued by the same authority certification chain: same Subordinate authority or same Root. After reissued for every computers their certificate with the same certification chain everything work again.
Moral of this story: never trust people and check again everything in the certificate even the certification chain. This will avoid a loss of time during days and days :).
Aucun commentaire:
Enregistrer un commentaire