(This is a quick note, but it took me quite some time to understand the root of the problem.)
I'm currently in the process of a migration project from UAG DirectAccess (which is officially at the end of the road) to WS2012R2 DA and got a very fun troubleshooting case :)
It was a rather uneventful installation for me (maybe except the NLB part, where I had to use some magic). I've done it several times before, after all. And I got Windows 8 clients' DA connectivity working quite fast.
The problem began with the new DCA (DirectAccess Connectivity Assistant) and its separate group policy. Luckily there are many great resources on the subject like this one online.
DCA was happy for some time but I was still struggling with DA connectivity from a Windows 7 machine. The error message from the "netsh int http show int" command was very clear: 0x80092013.
(It is known as "CRL check failed" to everyone with some experience in troubleshooting DirectAccess.)
Windows 8 works, Windows 7 doesn't, both with a similar set of GPOs, certificates, etc. - cool.
I double-checked proxy settings and verified the ability to download the CA.crl file with IE from the CDP URL...
Finally I fired Netmon up and saw the problem:
The Windows 7 client was trying to download the delta CRL - the CA+.crl file - and failed to do so.
Once again: the Windows 8 client downloads the full CRL and is happy, but Windows 7 likes the delta CRL only!
From there the way to the solution was clear - configure IIS to allow the "+" sign in file names.
(Have a look: http://blogs.technet.com/b/lrobins/archive/2008/12/29/publishing-delta-crls-on-iis-7.aspx)
I reconfigured IIS, rebooted the Windows 7 client and it immediately connected to corpnet!
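One way to check and apply that IIS change from PowerShell on the CDP web server, as an added example that is not part of the original post. The site name, virtual directory and CDP host are assumptions (placeholders); the IIS request-filtering attribute that governs "+" in URLs is allowDoubleEscaping, and it is set here only for the CRL location rather than server-wide.

```powershell
# Added example, not from the original post.
# Assumptions: site "Default Web Site", virtual directory "CertEnroll",
# CDP host crl.example.com (placeholder). CA.crl / CA+.crl are the names from the post.
Import-Module WebAdministration

$location = 'Default Web Site/CertEnroll'         # assumption: where the CRLs are published
$cdpBase  = 'http://crl.example.com/CertEnroll'   # placeholder CDP URL
$apphost  = 'MACHINE/WEBROOT/APPHOST'             # write to applicationHost.config
$filter   = 'system.webServer/security/requestFiltering'

function Test-CrlUrl {
    # Fetch one CRL URL and report the HTTP status instead of throwing.
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing
        [pscustomobject]@{ Url = $Url; Status = [int]$r.StatusCode; Bytes = $r.RawContentLength }
    } catch {
        $resp = $_.Exception.Response
        [pscustomobject]@{ Url = $Url; Status = $(if ($resp) { [int]$resp.StatusCode }); Bytes = 0 }
    }
}

# 1. Before the change: the base CRL answers 200, the delta CRL (CA+.crl) answers 404.
#    In the IIS log the rejected request shows sc-status 404 with sc-substatus 11
#    (denied by request filtering because of double escaping).
'CA.crl', 'CA+.crl' | ForEach-Object { Test-CrlUrl "$cdpBase/$_" }

# 2. Show the current value for the CRL location only.
(Get-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter $filter -Name allowDoubleEscaping).Value

# 3. Allow "+" in URLs for that location only. This relaxes request filtering,
#    so keep it scoped to the directory that serves nothing but CRL/CRT files.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter $filter -Name allowDoubleEscaping -Value $true

# 4. After the change both URLs should answer 200.
'CA.crl', 'CA+.crl' | ForEach-Object { Test-CrlUrl "$cdpBase/$_" }
```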
Happy troubleshooting!