Rexxer

Some tips for me and other

Direct Access + There is no valid certificate to be used by IPsec which chains to the root/intermediate certificate configured to be used by IPsec in the DirectAccess configuration

We’ve got an error like: There is no valid certificate to be used by IPsec which chains to the root/intermediate certificate configured to be used by IPsec in the DirectAccess configuration

and the Dashboard shows IPsec in red.

We updated the template and re-issued the certificate, but the error persisted.

The cause: the DA server was still configured with the expired root certificate for IPsec.

The steps to fix it:

PS C:\WINDOWS\system32> Get-ChildItem Cert:\LocalMachine\Root


   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
9777...C20A  CN=company, DC=com

PS C:\WINDOWS\system32> get-daserver


DAInstallType               : FullInstall
InternetInterface           : Ethernet
InternalInterface           : Ethernet
ConnectToAddress            : da.company.com
SslCertificate              : [Subject]
                                CN=da.akvelon.com.ua

                              [Issuer]
                                CN=company, DC=com

                              [Serial Number]
                                XXXXX

                              [Not Before]
                                12/14/2023 8:08:49 PM

                              [Not After]
                                12/14/2025 8:18:49 PM

                              [Thumbprint]
                                B4...4EF615E

GpoName                     : company.com\DirectAccess Server Settings
InternalIPv6Prefix          : {fd94:35d:fc3a:1::/64}
ClientIPv6Prefix            : fd94:35d:fc3a:1000::/64
UserAuthentication          : UserPasswd
ComputerCertAuthentication  : Enabled
IPsecRootCertificate        : [Subject]
                                CN=company, DC=com

                              [Issuer]
                                CN=company, DC=com

                              [Serial Number]
                                XXXX

                              [Not Before]
                                1/5/2019 6:06:16 PM

                              [Not After]
                                1/5/2024 6:06:16 PM

                              [Thumbprint]
                                FB...F2855A

IntermediateRootCertificate : True
TeredoState                 : Disabled
IsSingleNic                 : True
IsNatDeployed               : True

PS C:\WINDOWS\system32> $certificate = (Get-ChildItem Cert:\LocalMachine\Root\9777...C20A)
PS C:\WINDOWS\system32> Set-DAServer -IPsecRootCertificate $certificate

PS C:\WINDOWS\system32> get-daserver


DAInstallType               : FullInstall
InternetInterface           : Ethernet
InternalInterface           : Ethernet
ConnectToAddress            : company.com
SslCertificate              : [Subject]
                                CN=company.com

                              [Issuer]
                                CN=company, DC=com

                              [Serial Number]
                                XXXX

                              [Not Before]
                                12/14/2023 8:08:49 PM

                              [Not After]
                                12/14/2025 8:18:49 PM

                              [Thumbprint]
                                B438...615E

GpoName                     : company.com\DirectAccess Server Settings
InternalIPv6Prefix          : {fd94:35d:fc3a:1::/64}
ClientIPv6Prefix            : fd94:35d:fc3a:1000::/64
UserAuthentication          : UserPasswd
ComputerCertAuthentication  : Enabled
IPsecRootCertificate        : [Subject]
                                CN=company, DC=com

                              [Issuer]
                                CN=company, DC=com

                              [Serial Number]
                                XXXXX

                              [Not Before]
                                1/8/2022 5:44:23 PM

                              [Not After]
                                1/8/2027 5:44:23 PM

                              [Thumbprint]
                                977...C20A

IntermediateRootCertificate : False
TeredoState                 : Disabled
IsSingleNic                 : True
IsNatDeployed               : True
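
A pre-check for the same fix, as an added example that is not from the original post: it reads the IPsec root from Get-DAServer, reports whether it is outside its validity period, and looks in LocalMachine\Root for a currently valid certificate with the same subject. The function name Repair-DAIPsecRoot and its -Apply switch are hypothetical, and matching on an identical subject is an assumption that fits the renewed root shown above.

```powershell
# Added example; Repair-DAIPsecRoot and -Apply are hypothetical names.
# Run elevated on the DirectAccess server (needs the RemoteAccess module).
function Repair-DAIPsecRoot {
    [CmdletBinding()]
    param([switch]$Apply)   # without -Apply the function only reports

    $now     = Get-Date
    $current = (Get-DAServer).IPsecRootCertificate
    if (-not $current) {
        Write-Warning 'No IPsecRootCertificate is configured.'
        return
    }
    Write-Output ("Configured root: {0} [{1}] valid until {2}" -f `
        $current.Subject, $current.Thumbprint, $current.NotAfter)

    if ($current.NotBefore -le $now -and $current.NotAfter -gt $now) {
        Write-Output 'Configured root is within its validity period; nothing to change.'
        return
    }

    # Assumption: the renewed root keeps the same subject as the expired one.
    # @() keeps the result an array even when only one certificate matches.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object {
            $_.Subject    -eq $current.Subject -and
            $_.Thumbprint -ne $current.Thumbprint -and
            $_.NotBefore  -le $now -and
            $_.NotAfter   -gt $now
        } | Sort-Object NotAfter -Descending)

    if ($candidates.Count -eq 0) {
        Write-Warning ("No valid root with subject '{0}' in LocalMachine\Root. " +
            'Import the renewed CA certificate first.' -f $current.Subject)
        return
    }

    $new = $candidates[0]   # longest remaining validity
    Write-Output ("Replacement root: {0} valid until {1}" -f $new.Thumbprint, $new.NotAfter)

    if ($Apply) {
        Set-DAServer -IPsecRootCertificate $new
        (Get-DAServer).IPsecRootCertificate |
            Format-List Subject, Thumbprint, NotBefore, NotAfter
    } else {
        Write-Output 'Report only. Re-run with -Apply to update the DirectAccess configuration.'
    }
}

Repair-DAIPsecRoot
```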
