Direct Access with Windows 7 and OTP - OtpCredentialProvider ID 10003

  • Question

  • Hello Forum,

    I configured DirectAccess on Windows Server 2012 R2 with IPHTTPS only and OTP support. When connecting with Windows 8.1 everything works fine: the user is asked for alternate credentials and after providing the OTP credentials the user is connected to CorpNet.

    The same thing on Windows 7 with DCA 2.0 installed and configured using GPOs leads to 0x80040002 (internal error) and the Event Log entry noted in the headline. Can anybody clear up where the error comes from and what's the difference between Windows 8.1 and Windows 7 in this case?

    Thank you for any help.

    Andreas


    Andreas Hecker - Blog: http://microsoft-iag.blogspot.com/ Please remember to use “Mark as Answer” or "vote as helpful" on the posts that help you.

    Wednesday, November 12, 2014 11:08 AM

All replies

  • Hi

    0x80040002 means that the OTP certificate was not generated. The client sent the signing request but:

    - Maybe the URA Gateway does not have a signing certificate to sign the request

    - Maybe the URA Gateway does not have the right to submit such a request

    Have a look at the event log on your ADCS that delivers the certificates. You might find the reason. Have also a look in the ADCS console to see the failed requests for additional information.

    Finally, the OTP DirectAccess diagnostic page http://technet.microsoft.com/en-us/library/jj618331.aspx might be useful.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx


    • Edited by BenoitSMVP Wednesday, November 12, 2014 11:54 AM
    Wednesday, November 12, 2014 11:49 AM
  • Hi,

    the URA Gateway has everything it needs, because on Windows 8.1 everything is running fine and works. It is the same installation and the same components. There must be a difference between Windows 8.1 and Windows 7. BTW - no force tunnel, OTP tokens are using SafeNet RADIUS. As I said before, all the things work fine on Windows 8. No failed requests in ADCS - only the OtpCredentialProvider raises errors on the client side.

    Cheers,

    Andreas


    Andreas Hecker - Blog: http://microsoft-iag.blogspot.com/ Please remember to use “Mark as Answer” or "vote as helpful" on the posts that help you.

    Wednesday, November 12, 2014 2:44 PM
  • Hi

    As a start, just enroll a signing certificate on a DirectAccess client to be used to sign an OTP certificate request (may need to change permissions on the ADCS template and restart ADCS to publish the new information). Maybe a cryptographic algorithm is not supported on W7.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Wednesday, November 12, 2014 4:29 PM
  • Hi BenoitS,

    thank you for your reply. I finally got everything up and running. Your second answer was not the shot but kicked me in the right direction. I tried to enroll a DAOTPLogon certificate using mmc. Guess what? On W8.1 the template was visible - on W7 it was not! In every documentation I read (TechNet/Blogs) the recommendation was to change the compatibility for the duplicated Smartcard-Logon template to CA: 2012 and Recipient: W8/WS2012. In this dialog there is a short hint that: "These changes may not prevent earlier OSs from using this template". In this case in fact IT DOES!

    After removing the DAOTPLogon template and creating a new one with CA: 2012 and Recipient: W7/W2K8 the template was accessible from W7 also. Then I needed to apply the 0x8004001 patches on W8 and W7 and everything runs smoothly now!

    This should be corrected in the published TechNet articles asap, to prevent other users from getting into time-consuming trouble at this step.

    Thank you very much for your quick advice,

    Cheers,

    Andreas


    Andreas Hecker - Blog: http://microsoft-iag.blogspot.com/ Please remember to use “Mark as Answer” or "vote as helpful" on the posts that help you.

    • Proposed as answer by Vasu Deva Thursday, November 13, 2014 6:27 AM
    Wednesday, November 12, 2014 11:31 PM
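The root cause in the answer above is a template compatibility setting: choosing a Windows 8 / Server 2012 recipient raises the template's schema version to 4, and Windows 7 / Server 2008 R2 clients cannot enroll for (or even see) version 4 templates. The following script is an added example, not code from the thread or from Microsoft, that reads the templates from the Active Directory configuration partition and reports which ones a Windows 7 client can use; it assumes the ActiveDirectory PowerShell module and read access to the Configuration naming context, and uses the DAOTPLogon template name from the thread.

```powershell
# Added example: report certificate template schema versions from AD and flag
# templates that Windows 7 / Server 2008 R2 clients cannot enroll for.
# Assumes: ActiveDirectory module present, read access to the Configuration NC.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Well-known mapping of msPKI-Template-Schema-Version to the oldest client
# that can enroll for the template.
$minClient = @{
    1 = 'Windows 2000'
    2 = 'Windows Server 2003 / Windows XP'
    3 = 'Windows Server 2008 / Windows Vista'
    4 = 'Windows Server 2012 / Windows 8'
}

$report = Get-ADObject -SearchBase $templateContainer `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties displayName, 'msPKI-Template-Schema-Version' |
    ForEach-Object {
        $v = [int]$_.'msPKI-Template-Schema-Version'
        [pscustomobject]@{
            Template      = $_.displayName
            SchemaVersion = $v
            MinimumClient = $minClient[$v]
            # Windows 7 handles versions 1-3 only; version 4 is hidden from it.
            VisibleToWin7 = ($v -le 3)
        }
    }

$report | Sort-Object Template | Format-Table -AutoSize

# Check the DirectAccess OTP logon template specifically (name from the thread).
$otp = $report | Where-Object Template -eq 'DAOTPLogon'
if (-not $otp) {
    Write-Warning "DAOTPLogon template not found in $templateContainer"
} elseif (-not $otp.VisibleToWin7) {
    Write-Warning ("DAOTPLogon is schema version {0}: Windows 7 clients will fail " +
                   "with 0x80040002. Recreate it with Recipient = Windows 7 / 2008 R2.") -f $otp.SchemaVersion
} else {
    Write-Host "DAOTPLogon is schema version $($otp.SchemaVersion): usable from Windows 7."
}
```

Run it before rolling out DCA to Windows 7 clients; a template that reports SchemaVersion 4 will reproduce the OtpCredentialProvider error described in the thread until it is recreated with the older recipient setting.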