Forefront UAG DirectAccess - Deploying multiple CAs with Forefront UAG and One-Time Password (OTP)

Forefront UAG DirectAccess OTP access control is based on certificates. The DirectAccess IPsec connectivity rules require that the DirectAccess client holds certificates issued by a dedicated OTP Certificate Authority (CA) in order to gain access to the intranet. A client acquires these certificates by supplying its OTP credentials to the DirectAccess Connectivity Assistant (DCA), which sends them to the DirectAccess server for authentication. Upon successful authentication the DirectAccess server enrolls two certificates from a designated CA and returns them to the DCA, which installs them on the client machine.

These certificates are enrolled from scratch every time a user logs in with OTP credentials, so the OTP CA must be up and running at all times or no new DirectAccess sessions can be established. To remove this single point of failure, DirectAccess OTP can be configured with multiple CAs for failover support.

Failover Support for OTP CAs

Multiple OTP CAs provide failover when a request to an OTP CA fails, for example because the CA is unresponsive or misconfigured. When multiple CAs are configured in the Two-Factor Authentication optional settings of the Forefront UAG DirectAccess Configuration Wizard, the following takes place when OTP certificates are issued or renewed:

  • Certificate issuance – All certificate issuance requests are submitted to the first CA in the list of selected OTP CAs. If that CA fails to issue a certificate, requests are submitted to the second CA in the list, and so on. If the last CA in the list fails as well, requests wrap around to the first CA in the list and the cycle repeats.
  • Certificate renewal – This is relevant only when Enable certificate renewal is selected on the OTP CA Templates wizard page. Once a CA has issued certificates for a DirectAccess client, all renewal requests for those certificates are submitted to the issuing CA, because a CA cannot renew a certificate issued by another CA. If the issuing CA fails to renew the certificate, the DirectAccess client receives a warning popup, the user must re-authenticate with OTP credentials, and new certificates are issued by whichever CA is currently issuing certificates.

The Common Parent CA

All selected CAs must chain to a common parent OTP CA. The common parent OTP CA is the CA that appears in the DirectAccess IPsec connectivity rules as the issuer whose certificates open the intranet tunnel. The wizard identifies the common parent CA from the CAs you specify; you do not select it separately. In a single OTP CA deployment, the dedicated OTP CA is also considered to be the common parent CA.

Figure 1 shows a CA deployment with a common parent OTP CA and three dedicated OTP CAs: SubCA1, SubCA2 and SubCA3.
Figure 2 shows the configuration of these CAs in the DirectAccess wizard.
Figure 3 shows how the common parent CA appears in Group Policy in the DirectAccess intranet IPsec tunnel rule.

Figure 1

Figure 2

Figure 3

When multiple CAs are configured:

  • All CAs that are selected in the list of OTP CAs (see Figure 2) must support the OTP Workstation and OTP User certificate templates.
  • The common parent CA is used to issue OTP certificates on request if, and only if, it is explicitly selected in the list of OTP CAs. If it is not selected, it can be kept shut down as a security measure, since it is then needed only to sign the subordinate OTP CA certificates.
  • The common parent CA (as well as the OTP CAs) must be published in the Enrollment Services container in the forest hosting the relevant Active Directory.
  • The common parent CA and all of its subordinate CAs must be dedicated to OTP. If they issue other types of certificates, any holder of such a certificate could open an unauthorized intranet IPsec tunnel and thereby compromise system security.
  • Specifically, an OTP CA cannot be the CA that issues the certificates for IPsec authentication, or one of its parent CAs. An OTP CA cannot be a CA configured as part of a Network Access Protection (NAP) deployment, or one of its parent CAs.
  • In an array, each Forefront UAG DirectAccess node must have an OTP Workstation certificate installed in its Local Computer certificate store, issued by at least one of the selected OTP CAs or by the common parent CA.
  • The common parent CA, or one of its parents, must be a trusted CA on each DirectAccess client machine.
  • An OTP CA must be an Enterprise CA running Windows Server 2008 R2.
  • It is recommended that the CA is not installed on the Forefront UAG DirectAccess server.
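The following PowerShell script is an added pre-flight check for the failover behaviour and the requirements listed above; it is example code, not part of Forefront UAG or of the original article. For the CAs in the wizard list (in list order) it verifies that each is published in the Enrollment Services container, that all of them share one immediate parent (the common parent CA), that each answers and offers the OTP templates, reporting which CA issuance currently goes to (the first one that answers), and that the local node holds an OTP Workstation certificate issued by a selected CA or by the common parent. The CA config strings, the template names OTPWorkstation and OTPUser, and the host names are assumptions; the script expects the RSAT ActiveDirectory module and certutil.exe on the Forefront UAG node, run as a user who can read the configuration partition. Template availability is matched against the "Name: Display Name" lines that certutil -CATemplates prints, and the template of a local certificate is read from its Certificate Template Information extension.

```powershell
# Added example (not Forefront UAG code). CA names, hosts and template names are assumed.
Import-Module ActiveDirectory

# Selected OTP CAs in the order they appear in the wizard list, certutil "host\CA name" form.
$OtpCas = @(
    'subca1.corp.contoso.com\Contoso OTP SubCA1',
    'subca2.corp.contoso.com\Contoso OTP SubCA2',
    'subca3.corp.contoso.com\Contoso OTP SubCA3'
)
$OtpTemplates = @('OTPWorkstation', 'OTPUser')   # assumed template names
$TemplateOid  = '1.3.6.1.4.1.311.21.7'           # Certificate Template Information extension

# 1. Every selected CA must be published in Enrollment Services.
$configNc  = (Get-ADRootDSE).configurationNamingContext
$esBase    = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
$published = Get-ADObject -SearchBase $esBase -Filter 'objectClass -eq "pKIEnrollmentService"' `
                          -Properties dNSHostName, cACertificate

$caCerts = @{}   # config string -> X509Certificate2 of that CA, taken from AD
foreach ($ca in $OtpCas) {
    $dnsHost, $caName = $ca -split '\\', 2
    $entry = $published | Where-Object { $_.Name -eq $caName -and $_.dNSHostName -eq $dnsHost }
    if (-not $entry) { Write-Warning "$ca is NOT published in Enrollment Services"; continue }
    $bytes = [byte[]]$entry.cACertificate[0]
    $caCerts[$ca] = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}

# 2. Common parent: all selected CAs must have the same immediate issuer.
$issuers = @($caCerts.Values | ForEach-Object { $_.Issuer } | Sort-Object -Unique)
if ($issuers.Count -ne 1) {
    Write-Warning "Selected CAs do not share one parent CA: $($issuers -join '; ')"
} else {
    Write-Host "Common parent CA (the issuer named in the IPsec tunnel rule): $($issuers[0])"
}

# 3. Availability and templates, in list order. Issuance goes to the first CA that
#    answers and offers the templates; later CAs matter only once earlier ones fail.
$firstResponsive = $null
foreach ($ca in $OtpCas) {
    $null = certutil -config $ca -ping 2>&1
    $up = ($LASTEXITCODE -eq 0)
    $offered = @()
    if ($up) {
        $list = certutil -CATemplates -config $ca 2>&1
        $offered = @($OtpTemplates | Where-Object { $list -match ('^{0}:' -f $_) })
    }
    $missing = @($OtpTemplates | Where-Object { $offered -notcontains $_ })
    $state = if (-not $up) { 'unreachable' }
             elseif ($missing.Count) { "missing templates: $($missing -join ', ')" }
             else { 'OK' }
    if ($up -and $missing.Count -eq 0 -and -not $firstResponsive) { $firstResponsive = $ca }
    Write-Host ('{0,-50} {1}' -f $ca, $state)
}
if ($firstResponsive) { Write-Host "Issuance currently goes to: $firstResponsive" }
else { Write-Warning 'No selected OTP CA can issue right now; new OTP sessions will fail' }

# 4. This node needs an OTP Workstation certificate from a selected CA or the common parent.
$acceptedIssuers = @($caCerts.Values | ForEach-Object { $_.Subject }) + $issuers
$nodeCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    ($acceptedIssuers -contains $_.Issuer) -and
    (($_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid } |
        ForEach-Object { $_.Format($false) }) -match $OtpTemplates[0])
}
if ($nodeCerts) {
    Write-Host "OTP Workstation certificate present: $(($nodeCerts | ForEach-Object { $_.Thumbprint }) -join ', ')"
} else {
    Write-Warning 'No OTP Workstation certificate from a selected CA or the common parent in Cert:\LocalMachine\My'
}
```

Run it on each Forefront UAG array node before enabling OTP and again after a CA outage: step 3 tells you which CA clients are being issued from at that moment, and a node that fails step 4 will not be able to authenticate the OTP tunnel even though the CAs themselves are healthy.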

Reviewed by Ziv Ayalon

