The following OTP-related events occur on activation of Forefront UAG and are sent to the Windows Event Viewer. Solutions are provided for the Error and Warning messages where possible.
20500 - UAG DirectAccess OTP certificate %1 cannot be enrolled because the CA server %2 is unreachable.
20501 - UAG DirectAccess OTP certificate %1 cannot be enrolled because it is not supported by CA server %2. Check that the CA template exists in Active Directory, and verify that the CA server is configured to use the template.
20502 - UAG DirectAccess OTP certificate %1 cannot be enrolled because the computer account of the UAG server does not have sufficient permissions on the certificate template. Configure the required permissions in Active Directory.
20503 - UAG DirectAccess OTP certificate %1 cannot be installed because the CA %2 that issued the certificate is not trusted. Ensure that the CA certificate (or a parent CA certificate) is installed in the Trusted Root CA folder in the Local Computer certificate store of the UAG server.
20504 - Enrollment of UAG DirectAccess OTP %1 certificate from the CA server %2 did not complete because the certificate request is pending CA manager approval.
20505 - UAG DirectAccess OTP certificate %1 cannot be installed because the certificate has not been issued as expected. Contact the CA administrator to ensure the certificate was issued and approved correctly.
20506 - UAG DirectAccess OTP certificate %1 cannot be enrolled from CA server %2, and the following error occurred: %3. Ensure that the CA server is configured correctly, verify OTP settings in UAG, and then reactivate the configuration.
20507 - UAG DirectAccess OTP certificates cannot be deleted from the UAG server, and the following error occurred: %1.
20508 - One or more UAG DirectAccess OTP configuration settings is not valid: CA server(s): %1; CA to which the OTP CA servers chain: %2; Workstation template name: %3; User template name: %4. Verify OTP settings, and then reactivate the configuration.
20510 - UAG DirectAccess OTP cannot be configured when UAG DirectAccess is deployed for remote management only.
20511 - UAG DirectAccess OTP configuration settings cannot be saved to disk, and the following error occurred: %1. Ensure that disk space is available, and that the UAG application has write permissions for the %2 file.
20512 - Activation failed because OTP certificate %1 cannot be enrolled from configured OTP CA servers. Check the event log for specific details.
20500 - UAG DirectAccess OTP certificate %1 cannot be enrolled because the CA server %2 is unreachable.
Cause—The Forefront UAG server cannot reach one of the specified CAs to enroll the DirectAccess OTP Workstation certificate. This can be a result of the certification authority (CA) being unreachable from the Forefront UAG server, or of Active Directory Certificate Services (CertSvc) being in a stopped state on the CA server. This is a Warning level event.
Solution—Verify the following and reactivate Forefront UAG:
20501 - UAG DirectAccess OTP certificate %1 cannot be enrolled because it is not supported by CA server %2. Check that the CA template exists in Active Directory, and verify that the CA server is configured to use the template.
Cause—The DirectAccess OTP Workstation certificate is not supported by the specified CA. This is a Warning level event.
20502 - UAG DirectAccess OTP certificate %1 cannot be enrolled because the computer account of the UAG server does not have sufficient permissions on the certificate template. Configure the required permissions in Active Directory.
Cause—The computer account of the Forefront UAG server does not have the correct permissions on the DirectAccess OTP Workstation certificate template to enroll the OTP Workstation certificate. This is a Warning level event.
Solution—Ensure that the Forefront UAG server has Read, Enroll, and Autoenroll permissions on the DirectAccess OTP Workstation certificate template, and then reactivate Forefront UAG.
20503 - UAG DirectAccess OTP certificate %1 cannot be installed because the CA %2 that issued the certificate is not trusted. Ensure that the CA certificate (or a parent CA certificate) is installed in the Trusted Root CA folder in the Local Computer certificate store of the UAG server.
Cause—The specified CA that issues the DirectAccess OTP Workstation certificate must be trusted by the Forefront UAG server so that the certificate can be installed. This is a Warning level event.
Solution—Ensure that a CA certificate from the CA issuing the OTP certificate (or one of its parent CAs) is installed in the Trusted Root Certification Authorities folder in the Local Computer certificate store on the Forefront UAG server:
20504 - Enrollment of UAG DirectAccess OTP %1 certificate from the CA server %2 did not complete because the certificate request is pending CA manager approval.
Cause—When CA certificate manager approval is enabled in the DirectAccess OTP Workstation certificate template properties, certificate requests are placed into a pending state, waiting for a certificate manager to issue the certificate request. This is a Warning level event.
Solution—Clear CA certificate management approval:
20505 - UAG DirectAccess OTP certificate %1 cannot be installed because the certificate has not been issued as expected. Contact the CA administrator to ensure the certificate was issued and approved correctly.
Cause—The CA reports that the specified OTP certificate was not issued correctly. This is a Warning level event.
Solution—Validate that the CA was correctly configured as described in the TechNet topic Configuring two-factor authentication in SP1. If the CA is correctly configured, use associated events in the Windows Event Viewer to troubleshoot further.
20506 - UAG DirectAccess OTP certificate %1 cannot be enrolled from CA server %2, and the following error occurred: %3. Ensure that the CA server is configured correctly, verify OTP settings in UAG, and then reactivate the configuration.
Cause—A general CA-related OTP error occurred while trying to enroll the DirectAccess OTP Workstation certificate.
Solution—Use the CA error code specified in the message to investigate further.
For more information on error codes, see Common HRESULT values (http://go.microsoft.com/fwlink/?LinkId=204483), and Winerror.h (http://go.microsoft.com/fwlink/?LinkId=204484).
20507 - UAG DirectAccess OTP certificates cannot be deleted from the UAG server, and the following error occurred: %1.
Cause 1—The Forefront UAG computer account does not have the correct permissions on the Local Computer certificate store of the Forefront UAG server when Forefront UAG is activated.
Solution 1—Ensure that the Forefront UAG computer account has the correct permissions to delete the DirectAccess OTP Workstation certificate. Certificates issued to a computer or service can only be managed by a computer account that has the appropriate permissions. When this has been completed, reactivate Forefront UAG.
Cause 2—A general CA-related OTP error occurred while trying to delete the DirectAccess OTP Workstation certificate.
Solution 2—Use the CA error code specified in the message to investigate further.
20508 - One or more UAG DirectAccess OTP configuration settings is not valid: CA server(s): %1; CA to which the OTP CA servers chain: %2; Workstation template name: %3; User template name: %4. Verify OTP settings, and then reactivate the configuration.
Cause—Some of the required OTP configuration settings are missing.
Solution—In the Forefront UAG DirectAccess Configuration Wizard, reconfigure OTP Two-Factor Authentication, reapply the Forefront UAG DirectAccess policies and then reactivate Forefront UAG.
20510 - UAG DirectAccess OTP cannot be configured when UAG DirectAccess is deployed for remote management only.
Cause—OTP Two-factor authentication was configured together with Allow DirectAccess clients to connect to internal networks and enable remote management of DirectAccess clients, the Forefront UAG DirectAccess policies were applied, and Forefront UAG activation succeeded. The deployment model was then changed to Enable remote management of DirectAccess clients only while the OTP Two-factor authentication setting was left in place (the option is disabled in the Forefront UAG DirectAccess Configuration Wizard in this mode), the Forefront UAG DirectAccess configuration was applied, and Forefront UAG was activated.
Solution—In the Forefront UAG DirectAccess Configuration Wizard, ensure that OTP Two-factor authentication is not configured together with Enable remote management of DirectAccess clients only, apply the Forefront UAG DirectAccess configuration and reactivate Forefront UAG.
20511 - UAG DirectAccess OTP configuration settings cannot be saved to disk, and the following error occurred: %1. Ensure that disk space is available, and that the UAG application has write permissions for the %2 file.
Cause—During a Forefront UAG activation, the OTP configuration settings are saved to the DaOtp.xml file on the Forefront UAG local disk. This event occurs when the file cannot be saved to disk.
Solution—Verify the following and reactivate Forefront UAG.
20512 - Activation failed because OTP certificate %1 cannot be enrolled from configured OTP CA servers. Check the event log for specific details.
Cause—This is a general error. During Forefront UAG activation the DirectAccess OTP Workstation certificate is enrolled from each specified OTP CA server. This message occurs if none of these enrollments succeeded.
Solution—This event is accompanied by one of the warning messages above (20500-20511). By troubleshooting the related event, you can diagnose the reason for the enrollment failure.
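The following PowerShell script is an added diagnostic example, not part of the original article or of Forefront UAG itself. Run on the Forefront UAG server, it checks the two preconditions behind events 20500 and 20503 (CA reachable with CertSvc running; issuing CA trusted in the Local Computer store) and then lists recent OTP events 20500-20512. The CA configuration string, the Application log name and the temporary file path are assumptions.

```powershell
# Added example (not from the original article). Assumptions: $CaConfig is the OTP CA in
# certutil "Host\CAName" form (placeholder value below), UAG writes its OTP events to the
# Application log, and the script runs as an administrator on the Forefront UAG server.
param(
    [string]$CaConfig = 'ca01.corp.example\Corp-Issuing-CA',   # placeholder, replace
    [string]$LogName  = 'Application'                          # assumed log name
)

# Event 20500: can the CA be reached, and is Active Directory Certificate Services running?
$caHost = $CaConfig.Split('\')[0]
& certutil.exe -config $CaConfig -ping | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host "CA $CaConfig answered the ping."
} else {
    Write-Warning "CA $CaConfig did not answer (see event 20500)."
    try {
        $svc = Get-Service -Name CertSvc -ComputerName $caHost -ErrorAction Stop
        Write-Host "CertSvc on $($caHost) is $($svc.Status)."
    } catch {
        Write-Warning "Could not query CertSvc on $($caHost): $_"
    }
}

# Event 20503: the issuing CA certificate (or a parent) must chain to a trusted root in
# the Local Computer store. Fetch the CA certificate and try to build its chain.
$cerPath = Join-Path $env:TEMP 'otp-issuing-ca.cer'   # assumed temporary location
& certutil.exe -config $CaConfig -ca.cert $cerPath | Out-Null
if (Test-Path $cerPath) {
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust is the question here, not revocation
    if ($chain.Build($caCert)) {
        Write-Host "CA certificate '$($caCert.Subject)' chains to a trusted root."
    } else {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "CA certificate '$($caCert.Subject)' is not trusted ($status); see event 20503."
    }
    Remove-Item $cerPath -ErrorAction SilentlyContinue
} else {
    Write-Warning "Could not retrieve the CA certificate from $CaConfig."
}

# Finally, show the most recent OTP activation events so the 20512 failure can be tied
# to the specific warning (20500-20511) that explains it.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 20500..20512 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```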