Forefront UAG DirectAccess Troubleshooting: One-time Password (OTP) Related Event Viewer Messages

The following OTP related events occur on activation of Forefront UAG, and are sent to the Windows Event Viewer. Solutions are provided for the Error and Warning messages where possible.

Event ID	Message
20500	UAG DirectAccess OTP certificate %1 cannot be enrolled because the CA server %2 is unreachable.
20501	UAG DirectAccess OTP certificate %1 cannot be enrolled because it is not supported by CA server %2. Check that the CA template exists in Active Directory, and verify that the CA server is configured to use the template.
20502	UAG DirectAccess OTP certificate %1 cannot be enrolled because the computer account of the UAG server does not have sufficient permissions on the certificate template. Configure the required permissions in Active Directory.
20503	UAG DirectAccess OTP certificate %1 cannot be installed because the CA %2 that issued the certificate is not trusted. Ensure that the CA certificate (or a parent CA certificate) is installed in the Trusted Root CA folder in the Local Computer certificate store of the UAG server.
20504	Enrollment of UAG DirectAccess OTP %1 certificate from the CA server %2 did not complete because the certificate request is pending CA manager approval
20505	UAG DirectAccess OTP certificate %1 cannot be installed because the certificate has not been issued as expected. Contact the CA administrator to ensure the certificate was issued and approved correctly.
20506	UAG DirectAccess OTP certificate %1 cannot be enrolled from CA server %2, and the following error occurred: %3. Ensure that the CA server is configured correctly, verify OTP settings in UAG, and then reactivate the configuration.
20507	UAG DirectAccess OTP certificates cannot be deleted from the UAG server, and the following error occurred: %1.
20508	One or more UAG DirectAccess OTP configuration settings is not valid: CA server(s): %1; CA to which the OTP CA servers chain: %2; Workstation template name: %3; User template name: %4. Verify OTP settings, and then reactivate the configuration.
20510	UAG DirectAccess OTP cannot be configured when UAG DirectAccess is deployed for remote management only.
20511	UAG DirectAccess OTP configuration settings cannot be saved to disk, and the following error occurred: %1. Ensure that disk space is available, and that the UAG application has write permissions for the %2 file.
20512	Activation failed because OTP certificate %1 cannot be enrolled from configured OTP CA servers. Check the event log for specific details.

20500 - UAG DirectAccess OTP certificate %1 cannot be enrolled because the CA server %2 is unreachable

Cause—The Forefront UAG server cannot reach one of the specified CAs to enroll the DirectAccess OTP Workstation certificate. This can be a result of the certification authority (CA) being unreachable from the Forefront UAG server, or the Active Directory Certificate Services (CertSvc) being in a stopped state on the CA server. This is a Warning level event.

Solution—Verify the following and reactivate Forefront UAG:

That the CA specified in the message is reachable from the Forefront UAG server.
That the CertSvc service is started on the CA server. To start the CertSvc service, at an elevated command prompt, type net start CertSvc.

20501 - UAG DirectAccess OTP certificate %1 cannot be enrolled because it is not supported by CA server %2. Check that the CA template exists in Active Directory, and verify that the CA server is configured to use the template.

Cause—The DirectAccess OTP Workstation certificate is not supported by the specified CA. This is a Warning level event.

Solution—Verify the following and reactivate Forefront UAG:

That the DirectAccess OTP Workstation certificate template exists in Active Directory.
That the DirectAccess OTP Workstation certificate template is enabled on the CA specified in the error message.

20502 - UAG DirectAccess OTP certificate %1 cannot be enrolled because the computer account of the UAG server does not have sufficient permissions on the certificate template. Configure the required permissions in Active Directory.

Cause-The computer account of the Forefront UAG server does not have the correct permissions on the DirectAccess OTP Workstation certificate template to enroll the OTP Workstation certificate. This is a Warning level event.

Solution—Ensure that the Forefront UAG server has Read, Enroll, and Autoenroll permissions on the DirectAccess OTP Workstation certificate template, and then reactivate Forefront UAG.

20503 - UAG DirectAccess OTP certificate %1 cannot be installed because the CA %2 that issued the certificate is not trusted. Ensure that the CA certificate (or a parent CA certificate) is installed in the Trusted Root CA folder in the Local Computer certificate store of the UAG server.

Cause—The specified CA that issues the DirectAccess OTP Workstation certificate must be trusted by the Forefront UAG server, so that it can be installed. This is a Warning level event.

Solution—Ensure that a CA certificate from the CA issuing the OTP certificate (or one of its parent CAs) is installed in the Trusted Root Certification Authority folder in the Local computer certificate store on the Forefront UAG server:

On the Forefront UAG server, open the MMC and add the Certificate Templates snap-in for the Computer account on the Local computer.
Expand Certificates (Local computer)\Trusted Root Certification Authorities\Certificates, and ensure that the CA that issues the DirectAccess OTP Workstation certificate (or one of its parent CAs) is included in the list of the Trusted root CAs.
Reactivate Forefront UAG.

20504 - Enrollment of UAG DirectAccess OTP %1 certificate from the CA server %2 did not complete because the certificate request is pending CA manager approval

Cause—When CA certificate manager approval is enabled in the DirectAccess OTP Workstation certificate template properties, certificate requests are placed into a pending state, waiting for a certificate manager to issue the certificate request. This is a Warning level event.

Solution—Clear CA certificate management approval:

On the specified CA server, open the MMC and add the Certificate Templates snap-in.
In the details pane, right-click the DirectAccess OTP Workstation Authentication template, and then click Properties.
Click the Issuance Requirements tab, clear the CA certificate manager approval check box, and then click OK.
Reactivate Forefront UAG.

20505 - UAG DirectAccess OTP certificate %1 cannot be installed because the certificate has not been issued as expected. Contact the CA administrator to ensure the certificate was issued and approved correctly.

Cause—When the CA reports that the specified OTP certificate was not issued correctly. This is a Warning level event.

Solution—Validate that the CA was correctly configured as described in the TechNet topic Configuring two-factor authentication in SP1. If the CA is correctly configured, use associated events in the Windows Event Viewer to troubleshoot further.

20506 - UAG DirectAccess OTP certificate %1 cannot be enrolled from CA server %2, and the following error occurred: %3. Ensure that the CA server is configured correctly, verify OTP settings in UAG, and then reactivate the configuration.

Cause—A general CA related OTP error occurred while trying to enroll the DirectAccess OTP Workstation certificate.

Solution— Use the CA error code specified in the message to investigate further.

For more information on error codes, see Common HRESULT values (http://go.microsoft.com/fwlink/?LinkId=204483), and Winerror.h (http://go.microsoft.com/fwlink/?LinkId=204484).

20507 - UAG DirectAccess OTP certificates cannot be deleted from the UAG server, and the following error occurred: %1.

Cause 1-When the Forefront UAG computer account does not have the correct permissions to the Local Computer certificate store of the Forefront UAG server when activating Forefront UAG.

Solution 1— Ensure that the Forefront UAG computer account has the correct permissions to delete the DirectAccess OTP Workstation certificate. Certificates issued to a computer or service can only be managed by the computer account that has the appropriate permissions. When this has been completed, reactivate Forefront UAG.

Cause 2—A general CA related OTP error occurred while trying to delete the DirectAccess OTP Workstation certificate.

Solution 2— Use the CA error code specified in the message to investigate further.

For more information on error codes, see Common HRESULT values (http://go.microsoft.com/fwlink/?LinkId=204483), and Winerror.h (http://go.microsoft.com/fwlink/?LinkId=204484).

20508 - One or more UAG DirectAccess OTP configuration settings is not valid: CA server(s): %1; CA to which the OTP CA servers chain: %2; Workstation template name: %3; User template name: %4. Verify OTP settings, and then reactivate the configuration.

Cause—Some of the required OTP configuration settings are missing.

Solution—In the Forefront UAG DirectAccess Configuration Wizard, reconfigure OTP Two-Factor Authentication, reapply the Forefront UAG DirectAccess policies and then reactivate Forefront UAG.

20510 - UAG DirectAccess OTP cannot be configured when UAG DirectAccess is deployed for remote management only.

Cause—OTP Two-factor authentication, and Allow DirectAccess clients to connect to internal networks, and enable remote managements of DirectAccess clients are configured, the Forefront UAG DirectAccess policies have been applied and a Forefront UAG activation is successful. You then change the deployment model to Enable remote management of DirectAccess clients only and leave OTP Two-factor authentication (it is disabled on the Forefront UAG DirectAccess Configuration Wizard), apply the Forefront UAG DirectAccess configuration and activate Forefront UAG.

Solution—In the Forefront UAG DirectAccess Configuration Wizard, ensure that OTP Two-factor authentication is not configured together with Enable remote management of DirectAccess clients only, apply the Forefront UAG DirectAccess configuration and reactivate Forefront UAG.

20511 - UAG DirectAccess OTP configuration settings cannot be saved to disk, and the following error occurred: %1. Ensure that disk space is available, and that the UAG application has write permissions for the %2 file.

Cause—During a Forefront UAG activation, the OTP configuration settings are saved to the DaOtp.xml file on the Forefront UAG local disk. This event occurs when the file cannot be saved to disk.

Solution—Verify the following and reactivate Forefront UAG.

That the computer account activating Forefront UAG, has write permissions to the <Forefront UAG installation>\von\conf folder.
That the DaOtp.xml file is not in use by another process.
That there is available disk space on the Forefront UAG server.

20512 - Activation failed because OTP certificate %1 cannot be enrolled from configured OTP CA servers. Check the event log for specific details.

Cause—This is a general error. During Forefront UAG activation the DirectAccess OTP Workstation certificate is enrolled from each specified OTP CA server. This message occurs if none of these enrollments succeeded.

Solution—This event is accompanied by one of the warning messages above (20500-20511). By troubleshooting the related event, you can diagnose the reason for the enrollment failure.

Wiki - Revision Comment List(Revision Comment)

| |

Comments

Maheshkumar S Tiwari

10 Sep 2013 11:25 PM

Maheshkumar S Tiwari edited Revision 2. Comment: Added tags
- Edit
Ed Price - MSFT

17 Dec 2010 5:10 PM

Ed Price MSFT edited Original. Comment: Updated title case to the wiki standards and added a tag.
- Edit

Wikis - Comment List

Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.

Posted by Ed Price - MSFT

on 17 Dec 2010 5:10 PM

Ed Price MSFT edited Original. Comment: Updated title case to the wiki standards and added a tag.
Edit
Posted by Maheshkumar S Tiwari

on 10 Sep 2013 11:25 PM

Maheshkumar S Tiwari edited Revision 2. Comment: Added tags
Edit

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?