
Welcome to ISAserver.org


Getting "Server error: 403 - Forbidden: Access Denied" when trying to access my DA portal

Getting "Server error: 403 - Forbidden: Access Den... - 29.Apr.2011 11:31:48 AM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hello,

I'm testing UAG DirectAccess but sometimes, when I try to access my portal, I'm getting an error 403: "Server error 403 - Forbidden: Access denied. You do not have permission to view this directory or page using the credentials that you supplied." The thing is that I haven't supplied any credentials. I'm just trying to load the homepage of the portal.

Some other times, it works and I can access the published applications (File Access for now) and download/upload files. It's just not very stable and I don't know what I'm doing wrong.

Based on the error, I know it's a permission issue on the IIS but I can't pinpoint the exact problem and I'm afraid to mess with the IIS. Here are the Authentications that I have in place:

Default Web Site:
Anonymous Authentication: ENABLED
Windows Authentication: ENABLED
Everything else is DISABLED.

Main Portal:
Anonymous Authentication: ENABLED
Windows Authentication: ENABLED

Everything else is DISABLED.

Am I doing it the right way or the wrong way? What authentication methods does one need in place to get DA to work smoothly?

Also, once a user connects via DA, what happens to the user's network shares? Are they supposed to be connected or disconnected as the user is not physically connected to the network anymore?


What about password management? Are DirectAccess users able to change their passwords and be notified as if they were directly connected to the network?

FYI: I have
- UAG 2010 SP1 installed on a Windows Server 2K8 R2 running on a HP ProLiant DL 360 G7 with 24 GB of RAM.
- I have a Server 2K8 R2 forest with two DC/GCs.
- I have an internal CA,
- a 3rd party SSL certificate for IP-HTTPS,
- a Network Location Server
- ...

Thanks in advance for your help.

Best regards

Ramadji
Washington, DC
Post #: 1
RE: Getting "Server error: 403 - Forbidden: Access... - 20.May2011 3:41:05 PM   
jshawut

 

Posts: 1
Joined: 20.May2011
Status: offline
I'm assuming you are talking about the IPHTTPS tunnel; the 403 forbidden is the expected result. When you run through the DA configuration, select the URL, the server builds a web interface that isn't exposed through IIS. Is a DA client successful when using IPHTTPS? Teredo? 6to4?

Yes, DA users are on the network and will receive PW notifications and can use CTRL-ALT-DEL to change their passwords.

(in reply to ramadji)
Post #: 2
RE: Getting "Server error: 403 - Forbidden: Access... - 26.May2011 3:42:21 PM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Thanks for taking your time to respond to my message. I really appreciate that.
 
It's good to know that DA users will be able to receive password notifications and change their passwords. It will be a great feature for my remote users.

That said, how do I know if a DA client is successful using IPHTTPS/Teredo/6to4?
 
I tried to use a DA Connectivity Assistant on the DA client but it's not working properly.

Can I check the success in the UAG Management interface? I'm very new in the UAG arena so bear with me please.

On the DA Client, I'm seeing the output below in the DA Connectivity Assistant's log file (DCADefaultLog.txt)
C:\Windows\system32\LogSpace\{D71B58C8-BE28-49EE-8F59-15BA571770E2}>netsh int httpstunnel show interfaces

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                                       : client
URL                                        : https://wdc-uag2010.domainname:443/IPHTTPS
Last Error Code                 : 0x103
Interface Status                : no usable certificate(s) found

There is a 3rd party SSL certificate for the IPHTTPS Interface so I don't know why the Interface status says "no usable certificate found" above. Something is not working right based on the output above, isn't it?
 
When I run the same command from the DA Server, everything comes back ok. I get the output below:
 
C:\Windows\system32>netsh interface httpstunnel show interfaces
 
Interface IPHTTPSInterface Parameters
------------------------------------------------------------
Role                       : server
URL                        : https://wdc-UAG2010.domainname:443/IPHTTPS
Client authentication mode : certificates
Last Error Code            : 0x0
Interface Status           : IPHTTPS interface active
 
The command below shows that the Teredo server is unreachable over UDP.

C:\Windows\system32\LogSpace\{D71B58C8-BE28-49EE-8F59-15BA571770E2}>netsh int teredo show state
Teredo Parameters
---------------------------------------------
Type                                      : client
Server Name                     : x.x.x.x.x(one of the 2 consecutive public IPs) (Group Policy)
Client Refresh Interval   : 30 seconds
Client Port                           : unspecified
State                                     : offline
Error                                      : primary teredo server unreachable over UDP
 
Any hints, suggestions to help me get DirectAccess right will be greatly appreciated.
 
Thanks

Ramadji

(in reply to jshawut)
Post #: 3
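
The check done by eye on the two netsh outputs in the post above, written as a small parser; this is an added example, not part of the thread or of any Microsoft tool. The sample text is constructed from the quoted output, the hostname and Teredo server address are placeholders, and the function names `parse_sections` and `findings` are hypothetical.

```python
import re

# Constructed sample modeled on the netsh output quoted in the thread;
# the hostname and Teredo server address are placeholders.
SAMPLE_LOG = """\
C:\\>netsh int httpstunnel show interfaces

Interface IPHTTPSInterface (Group Policy)  Parameters
------------------------------------------------------------
Role                                       : client
URL                                        : https://uag.example.test:443/IPHTTPS
Last Error Code                 : 0x103
Interface Status                : no usable certificate(s) found

C:\\>netsh int teredo show state
Teredo Parameters
---------------------------------------------
Type                                      : client
Server Name                     : 192.0.2.10 (Group Policy)
State                                     : offline
Error                                      : primary teredo server unreachable over UDP
"""

def parse_sections(text):
    """Group 'Key : value' rows under the netsh command that produced them."""
    sections, current = {}, None
    for line in text.splitlines():
        prompt = re.search(r">\s*(netsh .+)$", line)
        if prompt:
            current = sections.setdefault(prompt.group(1).strip(), {})
        elif current is not None and " : " in line:
            # Split on the first " : " only, so the URL keeps its own colons.
            key, value = line.split(" : ", 1)
            current[key.strip()] = value.strip()
    return sections

def findings(sections):
    """Flag a non-zero IP-HTTPS error code and an offline Teredo client."""
    problems = []
    for command, fields in sections.items():
        if "httpstunnel" in command:
            code = int(fields.get("Last Error Code", "0x0"), 16)
            if code != 0:
                problems.append(f"IP-HTTPS error {code:#x}: {fields.get('Interface Status')}")
        elif "teredo" in command and fields.get("State", "").lower() == "offline":
            problems.append(f"Teredo offline: {fields.get('Error', 'no error text')}")
    return problems

if __name__ == "__main__":
    for problem in findings(parse_sections(SAMPLE_LOG)):
        print(problem)
```

Run against the server-side output in the same post (Last Error Code 0x0, "IPHTTPS interface active"), `findings` returns an empty list.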
RE: Getting "Server error: 403 - Forbidden: Access... - 26.Jul.2011 4:35:53 PM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Dear All:
Just a quick update to say that I finally got UAG DirectAccess to work. My DA Clients are able to access all their network drives from outside my network as if they were directly connected to the office network. Furthermore, they are able to get GPO, change their passwords, ... print from home to the office printer, ... It's pretty cool.

I only have one problem now. From outside the corporate network, my DA clients are not able to access a URL that I added to my internal DNS records as a CNAME. The web server is located outside my network so I'm using a CNAME to point to it. I created an exclusion in the NRPT Table to allow DA Clients to use their local TCP/IP settings to connect to the site, not the Internal DNS, but for some reason it's not working as I would like it to. Every time a DA Client tries to access the site, the connection times out and the page is never loaded.

Has someone experienced the same problem before in the process of deploying DirectAccess?

Thanks to everybody for your feedback.

Best regards,

_____________________________

Best regards,
Ramadji Doumnande
Washington, DC

(in reply to ramadji)
Post #: 4
