Welcome to ISAserver.org

UAG error on generating policies

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [Forefront Unified Access Gateway 2010] >> Installation >> UAG error on generating policies

Page: [1]

Message

<< Older Topic Newer Topic >>

UAG error on generating policies - 8.Sep.2010 9:26:06 AM

terran

Posts: 6
Joined: 8.Sep.2010
Status: offline

I've posted this in our Microsoft Partner forums but the engineer said UAG is currently not supported there so I hope someone else might be able to help here:

I've been running into an issue while generating the policies at the end of configuring UAG. It appears to be a certificate issue and I've tried changing the:

"Browse and select a root or intermediate certificate that verifies certificates sent by DirectAccess clients."

to:

1. Use root certificate

2. Use intermediate certificate

but both throw an error while generating the policies with the following error:

> Executing policy script.

Unexpected token 'The' in expression or statement.

At C:\Users\tluk\AppData\Local\Temp\tmpFE62.tmp.ps1:13 char:80

+ if (-not ${UAGDA_CERT_MACHINE_AUTH}) { ${UAGDA_CERT_MACHINE_AUTH}="C=US, O="T

he <<<< Go Daddy Group, Inc.", OU=Go Daddy Class 2 Certification Authority" }

+ CategoryInfo : ParserError: (The:String) [], ParseException

+ FullyQualifiedErrorId : UnexpectedToken

�@

> aborted

It almost looks like there's a parsing issue caused by the name of the go daddy certificate so I exported and opened the script:

# UAGDA Group Policy Configuration Script.
# Generated on Tuesday, 07 September 2010 18:43 UTC.
# Generator Version 4.0.0.0

# Runtime variables
Param(
[parameter(Mandatory=$False, ValueFromPipeline=$true, HelpMessage="A domain controller, in domain.com for faster operations.")][String] $DomainControllerComputerName,
[parameter(Mandatory=$False, ValueFromPipeline=$true, HelpMessage="Additional domains(seperated by '|') to link the app-server's policy to.")][String] $AdditionalAppServerDomains,
[parameter(Mandatory=$False, ValueFromPipeline=$true, HelpMessage="Additional domains(seperated by '|') to link the client's policy to.")][String] $AdditionalClientDomains
)
# Static variables
if (-not ${UAGDA_ACCESS_ENABLING_ADDRESSES_ALL}) { ${UAGDA_ACCESS_ENABLING_ADDRESSES_ALL}="2002:480e:ae7c:8001::ac14:105,2002:480e:ae7c:8000:0:5efe:172.20.1.5,2002:480e:ae7c:8001::ac14:10a,2002:480e:ae7c:8000:0:5efe:172.20.1.10,2002:480e:ae7c:8001::ac14:108,2002:480e:ae7c:8000:0:5efe:172.20.1.8,2002:480e:ae7c:8001::ac14:172,2002:480e:ae7c:8000:0:5efe:172.20.1.114,2002:480e:ae7d::480e:ae7d" }
if (-not ${UAGDA_CERT_MACHINE_AUTH}) { ${UAGDA_CERT_MACHINE_AUTH}="C=US, O="The Go Daddy Group, Inc.", OU=Go Daddy Class 2 Certification Authority" }
if (-not ${UAGDA_CERT_TYPE}) { ${UAGDA_CERT_TYPE}="root" }

Does this have anything with the extra quotes: O="The Go Daddy Group, Inc."

It looks like the extra quotes terminated the parsing of the string too early.

Here's what is displayed before we hit the "Apply now" button:

The root certificate to which remote clients chain is:
C=US, O="The Go Daddy Group, Inc.", OU=Go Daddy Class 2 Certification Authority
The certificate that the DirectAccess server uses for HTTPS is:
CN=portal1.domain.com, OU=Domain Control Validated, O=portal1.domain.com

I made the change in the script to take out the extra quotes then executed it from command shell and while it did run, it failed at: Executing Set UAG DirectAccess Client - Clients Access Enabling Tunnel - All. ... failed. CA name not specified Usage: add rule name=<string> endpoint1=any|localsubnet|dns|dhcp|wins|defaultgatew ay| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list> endpoint2=any|localsubnet|dns|dhcp|wins|default gateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list> action=requireinrequestout|requestinreques tout| requireinrequireout|requireinclearout|noauthentication [description=<string>] [mode=transport

--------------------------------

Has anyone experienced a similar issue?

Post #: 1

Featured Links*

RE: UAG error on generating policies - 8.Sep.2010 11:57:38 AM

Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

You could try using double quotes or using a single quote before the double quotes as an escape character.

E.g.

if (-not ${UAGDA_CERT_MACHINE_AUTH}) { ${UAGDA_CERT_MACHINE_AUTH}="C=US, O=""The Go Daddy Group, Inc."", OU=Go Daddy Class 2 Certification Authority" }

or if (-not ${UAGDA_CERT_MACHINE_AUTH}) { ${UAGDA_CERT_MACHINE_AUTH}="C=US, O='"The Go Daddy Group, Inc."', OU=Go Daddy Class 2 Certification Authority" }

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to terran)

Post #: 2

RE: UAG error on generating policies - 9.Sep.2010 9:57:08 AM

terran

Posts: 6
Joined: 8.Sep.2010
Status: offline

Thanks Jason. I just tried using a single quote and it failed immediately during parsing:

PS C:\users\tluk\Desktop> .\UAGDirectAccess_GroupPolicy.ps1
Unexpected token 'The Go Daddy Group, Inc.' in expression or statement.
At C:\users\tluk\Desktop\UAGDirectAccess_GroupPolicy.ps1:13 char:103
+ if (-not ${UAGDA_CERT_MACHINE_AUTH}) { ${UAGDA_CERT_MACHINE_AUTH}="C=US, O="'The Go Daddy Group, Inc.' <<<< ", OU=Go
Daddy Class 2 Certification Authority" }
+ CategoryInfo : ParserError: (The Go Daddy Group, Inc.:String) [], ParseException
+ FullyQualifiedErrorId : UnexpectedToken

...so I don't think single quotes are excepted.

The double quote also fails with:

PS C:\users\tluk\Desktop> .\UAGDirectAccess_GroupPolicy.ps1
Unexpected token 'The' in expression or statement.
At C:\users\tluk\Desktop\UAGDirectAccess_GroupPolicy.ps1:13 char:80
+ if (-not ${UAGDA_CERT_MACHINE_AUTH}) { ${UAGDA_CERT_MACHINE_AUTH}="C=US, O="The <<<< Go Daddy Group, Inc.", OU=Go Da
ddy Class 2 Certification Authority" }
+ CategoryInfo : ParserError: (The:String) [], ParseException
+ FullyQualifiedErrorId : UnexpectedToken

PS C:\users\tluk\Desktop>

Any other suggestions are welcomed. I'll continue troubleshooting on my end. Thanks.

< Message edited by terran -- 9.Sep.2010 9:59:51 AM >

(in reply to Jason Jones)

Post #: 3

RE: UAG error on generating policies - 9.Sep.2010 10:15:24 AM

terran

Posts: 6
Joined: 8.Sep.2010
Status: offline

I'm guessing it's failing somewhere else now:

I made the change in the script to take out the extra quotes then executed it from command shell and while it did run, it failed at:

Executing Set UAG DirectAccess Client - Clients Access Enabling Tunnel - All. ... failed. CA name not specified Usage: add rule name=<string> endpoint1=any|localsubnet|dns|dhcp|wins|defaultgatew ay| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list> endpoint2=any|localsubnet|dns|dhcp|wins|default gateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list> action=requireinrequestout|requestinreques tout| requireinrequireout|requireinclearout|noauthentication [description=<string>] [mode=transport

.. the reference to this line in the code is in:

PsNetshExec "Set UAG DirectAccess Client - Clients Access Enabling Tunnel - All." "localhost" "advfirewall consec add rule name=```"UAG DirectAccess Client - Clients Access Enabling Tunnel - All```" description=```"Policies to enable access granting resources(DC, DNS, NAP, etc.) over IPsec. Generated on Thursday, 09 September 2010 14:11 UTC.```" mode=tunnel action=requireinrequireout profile=private,public localtunnelendpoint=```"any```" remotetunnelendpoint=```"${UAGDA_DTE_ACCESS}```" endpoint1=```"any```" endpoint2=```"${UAGDA_ACCESS_ENABLING_ADDRESSES_ALL}```" auth1=computercert auth1ca=```"${UAGDA_CERT_MACHINE_AUTH} catype:${UAGDA_CERT_TYPE}```" auth2=userntlm qmsecmethods=```"${UAGDA_IPSEC_QM_SECMETHODS}```" "

(in reply to terran)

Post #: 4

RE: UAG error on generating policies - 9.Sep.2010 10:53:03 AM

terran

Posts: 6
Joined: 8.Sep.2010
Status: offline

I think found the problem and fixed it!!! Post back when I get to write this up.

(in reply to terran)

Post #: 5

RE: UAG error on generating policies - 9.Sep.2010 5:53:24 PM

Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

Please do!

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to terran)

Post #: 6

RE: UAG error on generating policies - 9.Sep.2010 11:47:30 PM

terran

Posts: 6
Joined: 8.Sep.2010
Status: offline

Took awhile but I finally wrote up the troubleshooting on my blog:

http://terenceluk.blogspot.com/2010/09/problem-executing-generate-policy-after.html

Thanks for your help Jason!

(in reply to Jason Jones)

Post #: 7

RE: UAG error on generating policies - 10.Sep.2010 8:25:12 AM

Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

Comma's in the org names, what a silly idea!!!

Maybe next time, you can use a CA that does something more sensible than include punctutaion in part of the distinguished name!!!

Thanks for feeding back the answer...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to terran)

Post #: 8

RE: UAG error on generating policies - 10.Sep.2010 9:25:08 AM

terran

Posts: 6
Joined: 8.Sep.2010
Status: offline

Yup. Minor bug in UAG that caught me off guard but I'm still excited about the product.

(in reply to Jason Jones)

Post #: 9

RE: UAG error on generating policies - 30.Aug.2011 4:58:36 AM

Imogen123

Posts: 4
Joined: 21.Aug.2011
Status: offline

I think we found the problem and fixed it! Message back when I get to write that.

_____________________________

Tomorrow is another day.
Tera Online Gold
Buy RS Gold

(in reply to terran)

Post #: 10

RE: UAG error on generating policies - 9.Jul.2012 3:30:27 PM