No usable IP certificate(s) found (Full Version)

All Forums >> [Forefront Unified Access Gateway 2010] >> DirectAccess





verukins -> No usable IP certificate(s) found (6.Feb.2011 6:18:46 AM)

Hi all,
I'm relatively new to DA and am setting it up to replace our current VPN solution.

I have a UAG 2010 SP1 server and Windows 7 enterprise clients.

I believe I have followed http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-the-no-usable-certificate-s-ip-https-client-error.aspx to the letter - but I have obviously missed something.

1) I have verified on the server by running "netsh http show sslcert" that DSMapping is enabled for the DA listener
2) The client has a certificate which has the FQDN for both the subject name and SAN (used AD enterprise CA - computer template)
3) The name mappings in AD shows the computer path as specified in the article
4) I have used a wildcard cert on the UAG server for the IP HTTPS listener (step 2, screen 2)
5) I have used the Internal CA root cert for the root certificate in step 2, screen 3 (the same internal CA which has allocated the client certificate and a UAG server certificate)

I'm hoping it's going to be something silly and simple I've missed - can anyone offer assistance?
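
The checks in steps 1, 2 and 5 above, plus the CRL question that comes up later in the thread, can be run from the client in one go. The script below is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell on the Windows 7 client, and the root thumbprint it compares against is a placeholder you replace with the root CA chosen on UAG step 2, screen 3.

```powershell
# Added example (not from the thread): triage of the IP-HTTPS client certificate
# on a Windows 7 DirectAccess client. Run in an elevated PowerShell on the client.
# $ExpectedRootThumbprint is an ASSUMED placeholder - put in the thumbprint of the
# root CA chosen on UAG step 2, screen 3.
$ExpectedRootThumbprint = "0000000000000000000000000000000000000000"   # assumption
$ClientAuthEku = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth; the IP-HTTPS client cert must carry it

# The name the listener's DS mapping resolves back to the computer account.
$fqdn = ("{0}.{1}" -f $env:COMPUTERNAME, (Get-WmiObject Win32_ComputerSystem).Domain).ToLower()
Write-Host "Computer FQDN: $fqdn"

function Get-SanDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    # Subject Alternative Name is OID 2.5.29.17; Format($false) renders "DNS Name=host, DNS Name=..."
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san -eq $null) { return @() }
    [regex]::Matches($san.Format($false), "DNS Name=([^,\s]+)") | ForEach-Object { $_.Groups[1].Value.ToLower() }
}

function Test-IpHttpsClientCert([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $false
    if ($ekuExt) { $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthEku }) }

    $subjectCn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false).ToLower()
    $sanNames  = @(Get-SanDnsNames $cert)
    $nameOk    = ($subjectCn -eq $fqdn) -and ($sanNames -contains $fqdn)

    # Build the chain with an online revocation check: a CRL the client cannot fetch
    # fails here (RevocationStatusUnknown/OfflineRevocation), as it does for IP-HTTPS.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ClientAuthEku)) | Out-Null
    $chainOk = $chain.Build($cert)
    $rootThumb = ""
    if ($chain.ChainElements.Count -gt 0) {
        $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    }
    $rootOk = ($rootThumb -eq $ExpectedRootThumbprint)

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        SubjectCN     = $subjectCn
        SAN           = ($sanNames -join ";")
        PrivateKey    = $cert.HasPrivateKey
        ClientAuthEKU = $hasClientAuth
        NameMatches   = $nameOk
        ChainValid    = $chainOk
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ",")
        RootExpected  = $rootOk
        Usable        = ($cert.HasPrivateKey -and $hasClientAuth -and $nameOk -and $chainOk -and $rootOk)
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-IpHttpsClientCert $_ }
$results | Format-Table Thumbprint, SubjectCN, PrivateKey, ClientAuthEKU, NameMatches, ChainValid, RootExpected, Usable, ChainStatus -AutoSize

if (-not ($results | Where-Object { $_.Usable })) {
    Write-Warning "No certificate in LocalMachine\My meets every IP-HTTPS client requirement; see the columns above."
}

# The IP-HTTPS component's own view; the 0x103 error the thread refers to shows up here.
netsh interface httpstunnel show interfaces
```

A row with Usable = True is a certificate the IP-HTTPS client can present; if every row fails on the same column (no private key, missing Client Authentication EKU, name not equal to the computer FQDN, chain not building to the expected root), that column is the thing to fix on the template or on the UAG step 2 selection. The server-side half of the check is the one the poster already ran: `netsh http show sslcert` on the UAG server must show DS Mapper Usage enabled for the IP-HTTPS listener.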




tshinder -> RE: No usable IP certificate(s) found (9.Feb.2011 7:15:49 AM)

Hi Verukins,

Is the UAG server part of the same domain/forest as the DirectAccess client computers?

Thanks!
Tom




verukins -> RE: No usable IP certificate(s) found (9.Feb.2011 3:03:32 PM)

Hey Tom - yes it is; it is a single domain environment. The clients and UAG server are all members of that domain.




tshinder -> RE: No usable IP certificate(s) found (10.Feb.2011 6:54:46 AM)

Hi Verukins,

Can the DirectAccess client reach the CRL for the IP-HTTPS certificate?

Thanks!
Tom




verukins -> RE: No usable IP certificate(s) found (12.Feb.2011 3:41:55 AM)

Sure can.... I can download the CRL directly from the URL, and the same cert is working for the RD Gateway via UAG - therefore I figured it's a fair bet the CRL is fine, as otherwise the RD Gateway would spit it.

I'm going to spend a bunch of time on this tomorrow and will post back what I find (if anything!) - I figured a few days away from it might help.




tshinder -> RE: No usable IP certificate(s) found (17.Feb.2011 8:15:42 AM)

So what happened? Did you figure it out?

Thanks!
Tom




verukins -> RE: No usable IP certificate(s) found (7.Mar.2011 8:15:18 PM)

Hey tom,
apologies for the slow reply - to say we have been busy lately is an understatement.

I have found that this works when we turn Teredo on from the client end... away DA goes. The DACA still complains that things aren't working, but we can access all internal resources.

When we turn Teredo off, it goes back to not working, still with the same issue.

I saw your additional article about the cert not being in the NTAuth store causing this issue also - but alas, adding it did not seem to fix the issue.

For the moment, we are just using Teredo - however I do hope to get back to sussing this out at some stage.
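
The two AD-side prerequisites raised so far, the name mapping on the computer object (step 3 of the first post) and the issuing CA being in NTAuth (the article referred to above), can both be verified from the client rather than by eye in ADUC. The script below is an added example, not from the thread or from the referenced article; it assumes a domain-joined client with read access to AD, and the certificate thumbprint is a placeholder for the client's IP-HTTPS certificate.

```powershell
# Added example (not from the thread): checks the AD-side prerequisites the thread
# mentions - the altSecurityIdentities name mapping on the computer object and the
# issuing CA's membership in NTAuth (AD copy and the local cache). Run on the
# domain-joined client. $certThumbprint is an ASSUMED placeholder for the client's
# IP-HTTPS certificate.
$certThumbprint = "0000000000000000000000000000000000000000"   # assumption
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $certThumbprint }
if (-not $cert) { throw "Certificate $certThumbprint not found in LocalMachine\My" }

# ADUC's Name Mappings dialog stores X509:<I>issuer<S>subject with each DN's RDNs
# reversed (DC=... first) and no spaces; .NET gives the DNs in the opposite order.
function ConvertTo-MappingDn([string]$dn) {
    $rdns = $dn -split ",\s*"
    [array]::Reverse($rdns)
    $rdns -join ","
}
function Normalize([string]$s) { ($s -replace "\s", "").ToLower() }

$expectedMapping = "X509:<I>{0}<S>{1}" -f (ConvertTo-MappingDn $cert.Issuer), (ConvertTo-MappingDn $cert.Subject)

# 1. altSecurityIdentities on this computer's account
$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$searcher.PropertiesToLoad.Add("altSecurityIdentities") | Out-Null
$computer = $searcher.FindOne()
if (-not $computer) { throw "Computer account $env:COMPUTERNAME not found" }
$mappings = @($computer.Properties["altsecurityidentities"])

Write-Host "Expected mapping: $expectedMapping"
Write-Host "Mappings on the computer object:"
$mappings | ForEach-Object { Write-Host "  $_" }
$mappingOk = [bool]($mappings | Where-Object { (Normalize $_) -eq (Normalize $expectedMapping) })
Write-Host ("Name mapping matches this certificate: {0}" -f $mappingOk)

# 2. Issuing CA in NTAuth. The issuer is the second element of the built chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.Build($cert) | Out-Null
if ($chain.ChainElements.Count -lt 2) { throw "Could not build a chain for $certThumbprint; issuer not found" }
$issuer = $chain.ChainElements[1].Certificate

$ntauthPath = "LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services," + $rootDse.configurationNamingContext
$ntauth = [ADSI]$ntauthPath
$adNtAuth = foreach ($blob in $ntauth.Properties["cACertificate"]) {
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)).Thumbprint
}
# The client caches the AD NTAuth store here via Group Policy / autoenrollment.
$localNtAuth = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates" -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSChildName }

Write-Host ("Issuing CA: {0} ({1})" -f $issuer.Subject, $issuer.Thumbprint)
Write-Host ("  in AD NTAuthCertificates: {0}" -f (@($adNtAuth) -contains $issuer.Thumbprint))
Write-Host ("  in local NTAuth cache:    {0}" -f (@($localNtAuth) -contains $issuer.Thumbprint))
```

If the AD copy of NTAuthCertificates lacks the issuing CA, an Enterprise Admin publishes it with `certutil -dspublish -f <issuingCA.cer> NTAuthCA`; the client picks the change up on its next policy refresh (`gpupdate /force`, or `certutil -pulse` to trigger autoenrollment). Note that the UAG server caches the same store, so a CA published after the listener was configured is one plausible reason a reboot of the server would change behaviour.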




verukins -> RE: No usable IP certificate(s) found (3.Apr.2011 8:31:49 PM)

Hey Tom,
Just an FYI that this is now working. I followed your article - http://blogs.technet.com/b/tomshinder/archive/2011/02/21/another-cause-of-the-no-usable-certificates-s-0x103-error.aspx - with no success.

I had to reboot the server for patching - and when it came back up, DA was working - so unfortunately I'm not sure which of the things that was done made it work, or what the original issue actually was.

On another note - the DACA still reports that it's not working when connected from the internet; the reason being that my network location server AD04.company.com is not contactable.
In the DA config it is specified that the network location server must be excluded from DNS resolution in order for DA to work.... I was really hoping to have the DACA say "all is good" - is this expected behaviour or have I configured something else wrong?

Additionally, with no IPv4 name resolution, I've noticed services that rely on SRV records for server location (such as Lync) no longer function. I'm guessing there is a way around this - but if you know of it, it would be handy!
Thanks.
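
Both of the remaining questions come down to the Name Resolution Policy Table the DirectAccess GPO puts on the client: the NLS name is deliberately exempted (no DirectAccess DNS server) so that it resolves only via the interface's own DNS, which is how the client tells inside from outside, while everything under the internal suffix goes to the DA DNS server over IPv6. The script below is an added example, not from the thread; it reads the NRPT from the policy registry key, shows which rule a name hits, and asks the DA DNS server for an SRV record directly. The suffix and NLS name are the ones in the thread; the SRV record name is an assumed Lync-style example.

```powershell
# Added example (not from the thread): dumps the NRPT the DirectAccess GPO wrote on
# this client and shows which rule a given name hits. Names taken from the thread:
# company.com and the NLS AD04.company.com. $srvName is an ASSUMED Lync-style SRV
# record used only to illustrate where SRV lookups for the internal suffix go.
$nls     = "ad04.company.com"
$srvName = "_sipinternaltls._tcp.company.com"   # assumption

$nrptKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig"
$rules = foreach ($k in Get-ChildItem $nrptKey) {
    $p = Get-ItemProperty $k.PSPath
    New-Object PSObject -Property @{
        Rule       = $k.PSChildName
        Namespaces = @($p.Name)
        DADns      = @($p.DirectAccessDNSServers)
        # A namespace with no DirectAccess DNS server is an exemption: the query
        # goes to the interface's DNS servers, which is how the NLS name is kept
        # off the tunnel so the client can tell inside from outside.
        Exemption  = (-not $p.DirectAccessDNSServers)
    }
}
$rules | ForEach-Object {
    "{0}: {1}  DA DNS: {2}  exemption: {3}" -f $_.Rule, ($_.Namespaces -join ","), ($_.DADns -join ","), $_.Exemption
}

function Find-NrptRule([string]$name) {
    # Longest match over the table: ".suffix" entries match names under that suffix,
    # entries without a leading dot match one FQDN exactly.
    $name = $name.ToLower()
    $best = $null
    foreach ($r in $rules) {
        foreach ($ns in $r.Namespaces) {
            if (-not $ns) { continue }
            $ns = $ns.ToLower()
            if ($ns.StartsWith(".")) { $hit = $name.EndsWith($ns) } else { $hit = ($name -eq $ns) }
            if ($hit -and (($best -eq $null) -or ($ns.Length -gt $best.Match.Length))) {
                $best = New-Object PSObject -Property @{ Match = $ns; Rule = $r }
            }
        }
    }
    $best
}

foreach ($n in @($nls, $srvName)) {
    $m = Find-NrptRule $n
    if ($m -eq $null) { "$n : no NRPT rule, resolved by the interface DNS servers only"; continue }
    if ($m.Rule.Exemption) { "$n : exempted by '$($m.Match)', never sent over DirectAccess" }
    else { "$n : matched '$($m.Match)', sent to DA DNS $($m.Rule.DADns -join ',')" }
}

# Cross-check against what the resolver itself reports, then query the DA DNS server for the SRV record.
netsh namespace show effectivepolicy
$daDns = ($rules | Where-Object { -not $_.Exemption } | Select-Object -First 1).DADns
if ($daDns) { nslookup -type=SRV $srvName $daDns[0] }
```

Run from outside the network, the NLS line should report "exempted ... never sent over DirectAccess", which is the configured behaviour the poster describes: the client is meant to fail to reach the NLS from the internet. For the SRV case the interesting part is the last command: if the DA DNS server returns the record, the NRPT path is fine and the problem is elsewhere; if it returns nothing, the lookup is being sent to the right place but not answered there.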



