Kieran Jacobsen

DirectAccess with Computer Certificates and SHA512 algorithms

I have posted this as a question on the TechNet forums, but also wanted to post it here.

I have just finished another test lab deployment of DirectAccess, and have noticed one interesting issue which I am trying to confirm.

In the lab I deployed the PKI part of the infrastructure quite a while ago. It's a typical deployment, with an offline root and an online issuing authority. They were configured to use SHA512 for the Signature and Signature Hash algorithms. This selection might seem paranoid, but it has never been an issue, as all clients have been Windows 7 or higher and thus have full support.

I deployed DirectAccess and, using basically the default settings, everything appeared to be working correctly; clients could successfully connect.

I then switched to requiring computer certificates, issued a certificate to the DA Server and the test clients based upon the "Computer" template.

Clients could no longer connect. Looking at the diagnostic logs for DirectAccess, it appeared that the tunnels were not being established correctly. Looking at Get-DAConnectivityStatus, there was definitely an issue present, with a sub-status error referring to errors with remote network authentication. Nothing really appeared out of the ordinary in the client diagnostic logs or event viewer.

I went looking on the server. Nothing appeared at first to point to a problem; however, on inspection of the system event log, there were errors regarding TLS:

'An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed'

So I looked around and didn't find anything out there. I couldn't see anything obvious; then it occurred to me that we are using SHA512 in our certificates.

I quickly fired up a new CA in the test environment, this time basically accepting the defaults. I reissued computer certificates to the DA server and the test clients, and I am now successfully connecting.

Does anyone know of this incompatibility? Is it documented anywhere? Is this known by anyone? Has anyone seen this as well?

Any more info would be great.
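As an added diagnostic example (not code from the original post), the following PowerShell script lists the certificates in the local machine store with their signature algorithm, flags any that are SHA512-signed, and searches the System log for the Schannel cipher-suite error quoted above. It assumes it runs on the DA server or a client with read access to the store and the System log; "Machine" is the internal template name of the built-in "Computer" template, and the output layout is my own.

```powershell
# Added example: inventory computer certificates by signature algorithm and
# look for the Schannel cipher-suite mismatch described in the post.

function Get-ComputerCertificateSignatureInfo {
    # Enumerate LocalMachine\My and report each certificate's signature algorithm.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Certificate Template Name extension (OID 1.3.6.1.4.1.311.20.2); the v1
        # "Computer" template shows its internal name "Machine" here.
        $template = ($cert.Extensions |
            Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' } |
            ForEach-Object { $_.Format($false) }) -join ''
        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            Template           = $template
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha512RSA
            NotAfter           = $cert.NotAfter
            UsesSha512         = $cert.SignatureAlgorithm.FriendlyName -match 'sha512'
        }
    }
}

function Get-SchannelCipherSuiteMismatch {
    param([int]$MaxEvents = 200)
    # Match on the message text quoted in the post rather than on an event ID.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*none of the cipher suites supported by the client*' } |
        Select-Object TimeCreated, Id, Message
}

$certs = Get-ComputerCertificateSignatureInfo
$certs | Format-Table Subject, Template, SignatureAlgorithm, UsesSha512 -AutoSize

$suspect = @($certs | Where-Object { $_.UsesSha512 })
if ($suspect.Count -gt 0) {
    Write-Warning ('{0} certificate(s) are SHA512-signed; the post reports these failing DirectAccess computer authentication.' -f $suspect.Count)
}

$mismatches = Get-SchannelCipherSuiteMismatch
if ($mismatches) { $mismatches | Format-List } else { 'No Schannel cipher-suite mismatch events found.' }
```

If the warning fires and the Schannel events are present, the combination matches the symptom in the post; reissuing the affected certificates from a template using the CA defaults is the workaround the post describes.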
