Welcome to ISAserver.org

No usable IP certificate(s) found

Forum: Forefront Unified Access Gateway 2010 >> DirectAccess
No usable IP certificate(s) found - 6.Feb.2011 6:18:46 AM   
verukins
Posts: 58
Joined: 27.Sep.2002
Status: offline
Hi all,
Relatively new to DA - setting it up to replace our current VPN solution.

I have a UAG 2010 SP1 server and Windows 7 enterprise clients.

I believe I have followed http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-the-no-usable-certificate-s-ip-https-client-error.aspx to the letter - but I have obviously missed something.

1) I have verified on the server by running "netsh http show sslcert" that DSMapping is enabled for the DA listener
2) The client has a certificate which has the FQDN for both the subject name and SAN (used AD enterprise CA - computer template)
3) The name mappings in AD show the computer path as specified in the article
4) I have used a wildcard cert on the UAG server for the IP HTTPS listener (step 2, screen 2)
5) I have used the Internal CA root cert for the root certificate in step 2, screen 3 (the same internal CA which has allocated the client certificate and a UAG server certificate)

I'm hoping it's going to be something silly and simple I've missed - can anyone offer assistance?
Post #: 1
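The five checks in the post above, as a read-only diagnostic script. This is an added example, not code from the original post, from UAG, or from the linked TechNet article. It assumes an elevated PowerShell prompt on the Windows 7 DirectAccess client; the `-UagSide` switch is a made-up parameter for running the single server-side check (`netsh http show sslcert`) on the UAG box instead, and the `certutil -enterprise -store NTAuth` option order is assumed from certutil's general syntax. The 0x103 error code in the comment is the one named in the blog post linked later in the thread.

```powershell
# Added diagnostic script (not part of the original post or of UAG). It only reads state.
# Assumption: run elevated on the Windows 7 DirectAccess client; pass -UagSide on the UAG server.
param(
    [switch]$UagSide     # assumed parameter: run the HTTP.sys listener check on the UAG server
)

$clientAuthOid = "1.3.6.1.5.5.7.3.2"     # Client Authentication EKU

# The IP-HTTPS client certificate's subject/SAN must match the computer FQDN as the client sees it.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = "{0}.{1}" -f $ipProps.HostName, $ipProps.DomainName
"Client FQDN: $fqdn"

function Test-ClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert)

    # Enhanced Key Usage (2.5.29.37) must contain Client Authentication.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $hasClientAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }))

    # Subject Alternative Name (2.5.29.17), rendered as text, e.g. "DNS Name=host.company.com".
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $san = "<none>"
    if ($sanExt) { $san = $sanExt.Format($false) }

    # Build the chain with online revocation checking: this exercises CRL reachability
    # from the client, which is what the "can the client reach the CRL" question is about.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
    if (-not $chainStatus) { $chainStatus = "OK" }

    New-Object PSObject -Property @{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        SAN            = $san
        SubjectMatches = [bool]($cert.Subject -match ('CN=' + [regex]::Escape($fqdn) + '(,|$)'))
        SANMatches     = [bool]($san -match [regex]::Escape($fqdn))
        ClientAuthEKU  = $hasClientAuth
        HasPrivateKey  = $cert.HasPrivateKey
        ChainBuilds    = $chainOk
        ChainStatus    = $chainStatus
        NotAfter       = $cert.NotAfter
    }
}

"=== Machine certificates in LocalMachine\My (one must pass every check) ==="
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-ClientCert $_ } | Format-List

# The IP-HTTPS interface reports its last error here; 0x103 is the code behind
# the "No usable certificate(s)" message.
"=== IP-HTTPS interface state ==="
netsh interface httpstunnel show interfaces

"=== Teredo state (the transition technology the thread falls back to) ==="
netsh interface teredo show state

# NRPT: the network location server name must be exempt so it is never resolved via DA.
"=== Name Resolution Policy Table ==="
netsh namespace show policy

# The issuing CA must be present in the enterprise NTAuth store (option order assumed).
"=== NTAuth store ==="
certutil -enterprise -store NTAuth

if ($UagSide) {
    # On the UAG server the IP-HTTPS binding must show "DS Mapper Usage : Enabled".
    "=== HTTP.sys SSL bindings (check DS Mapper Usage on the IP-HTTPS listener) ==="
    netsh http show sslcert
}
```

Read the certificate table first: a certificate that has the private key, the Client Authentication EKU, the FQDN in both CN and SAN, and a chain that builds with revocation online is the only kind IP-HTTPS will pick up. If every row fails on `ChainBuilds`, the CRL or the root in the client's trust store is the problem; if one row passes and the interface still shows the error, look at the server-side DS Mapper binding and the NTAuth store.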
RE: No usable IP certificate(s) found - 9.Feb.2011 7:15:49 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Verukins,

Is the UAG server part of the same domain/forest as the DirectAccess client computers?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to verukins)
Post #: 2
RE: No usable IP certificate(s) found - 9.Feb.2011 3:03:32 PM   
verukins
Posts: 58
Joined: 27.Sep.2002
Status: offline
Hey Tom - yes it is - it is a single-domain environment. The clients and UAG server are all members of that domain.

(in reply to tshinder)
Post #: 3
RE: No usable IP certificate(s) found - 10.Feb.2011 6:54:46 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Verukins,

Can the DirectAccess client reach the CRL for the IP-HTTPS certificate?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to verukins)
Post #: 4
RE: No usable IP certificate(s) found - 12.Feb.2011 3:41:55 AM   
verukins
Posts: 58
Joined: 27.Sep.2002
Status: offline
Sure can... I can download the CRL directly from the URL, and the same cert is working for the RD Gateway via UAG - therefore I figured it's a fair bet the CRL is fine, as otherwise RD Gateway would spit it.

I'm going to spend a bunch of time on this tomorrow and will post back what I find (if anything!) - I figured a few days away from it might help.

(in reply to tshinder)
Post #: 5
RE: No usable IP certificate(s) found - 17.Feb.2011 8:15:42 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
So what happened? Did you figure it out?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to verukins)
Post #: 6
RE: No usable IP certificate(s) found - 7.Mar.2011 8:15:18 PM   
verukins
Posts: 58
Joined: 27.Sep.2002
Status: offline
Hey Tom,
Apologies for the slow reply - to say we have been busy lately is an understatement.

I have found that this works when we turn Teredo on from the client end... away DA goes. The DACA still complains that things aren't working, but we can access all internal resources.

When we turn Teredo off - it goes back to not working, still with the same issue.

I saw your additional article about the cert not being in the NTAuth store causing this issue also - but alas, adding it did not seem to fix the issue.

For the moment, we are just using Teredo - however I do hope to get back to sussing this out at some stage.

(in reply to tshinder)
Post #: 7
RE: No usable IP certificate(s) found - 3.Apr.2011 8:31:49 PM   
verukins
Posts: 58
Joined: 27.Sep.2002
Status: offline
Hey Tom,
Just an FYI that this is now working. I followed your article - http://blogs.technet.com/b/tomshinder/archive/2011/02/21/another-cause-of-the-no-usable-certificates-s-0x103-error.aspx - with no success.

I had to reboot the server for patching - and when it came back up, DA was working - so unfortunately I'm not sure which of the things that was done made it work, or what the original issue actually was.

On another note - the DACA still reports that it's not working when connected from the internet, the reason being that my network location server AD04.company.com is not contactable.
In the DA config it is specified that the network location server must be excluded from DNS resolution in order for DA to work... I was really hoping to have the DACA say "all is good" - is this expected behaviour, or have I configured something else wrong?

Additionally, with no IPv4 name resolution, I've noticed services that rely on SRV records for server location (such as Lync) no longer function. I'm guessing there is a way around this - but if you know of it, it would be handy!
Thanks.

< Message edited by verukins -- 3.Apr.2011 8:36:55 PM >

(in reply to verukins)
Post #: 8