DirectAccess IPHTTPS client connections fail after installing December 2012 Windows Updates.


There were two packages available from the December 2012 Windows updates which may have an effect on IPHTTPS client connectivity if installed on the Forefront UAG 2010 DirectAccess server.

· MS12-083 (KB2765809)

· Windows Update for Root Certificates (KB931125)

Both problems will generally manifest as DirectAccess client IPHTTPS interface connection failure with status 0x103 – “no usable certificate(s) found”. You can view the IPHTTPS interface status with the following netsh command:

>netsh interface httpstunnel show interface

Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role             : client
URL              : https://da.contoso.com:443/IPHTTPS
Last Error Code  : 0x103
Interface Status : no usable certificate(s) found

The first possible issue concerns MS12-083 (KB2765809). MS12-083 is a security update for the IP Helper service (IpHlpSvc), which handles server and client IPHTTPS connectivity. The update resolves an issue where IpHlpSvc was not properly performing revocation checking on client certificates. With this security patch installed on the DirectAccess server, IPHTTPS client connections will fail if the DirectAccess server cannot validate the client certificate's revocation information.

Client certificate revocation checking can fail for several reasons: for example, the certificate was not issued with the correct revocation information (a CRL distribution point, or CDP), or the DirectAccess server cannot reach the revocation location to perform the validation. This surfaces as a DirectAccess problem only now because client certificate revocation checking was not enforced for the IPHTTPS connection prior to the update. Resolving it requires isolating the actual problem blocking the CRL validation using available tools such as CERTUTIL or Network Monitor.

The second problem will occur if you updated your Third-party Root Certification Authorities on the DirectAccess server with the December 2012 KB 931125 update package. This package is the December Windows Update for Root Certificates (KB931125) and was intended only for client SKUs. However, it was also offered for Server SKUs for a short time on Windows Update and WSUS.

This package installed more than 330 Third-party Root Certificate Authorities. Currently, the maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 kilobytes (KB). A large number of Third-party Root Certificate Authorities will exceed this limit during the client certificate authentication process for IPHTTPS connections, and you will experience TLS/SSL communication problems.

This problem can be identified by the presence of Schannel 36885 ID events in the DirectAccess server System event log.

Schannel 36885 - When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

In order to prevent these Schannel errors, the server's trusted certificate authority list must be reduced to a manageable number. This can be done manually by removing any root certificate authorities which are not required from the DirectAccess server. Instructions are available in the KB article for this issue, KB2801679.
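The following PowerShell script is an added example, not part of the original post or of the KB articles. Run on the DirectAccess server, it estimates the size of the trusted-issuer list Schannel would send in its CertificateRequest, checks the System log for event 36885, and lists the largest Third-party Root entries as candidates for review. It assumes the list is built from the LocalMachine Root and AuthRoot (Third-Party Root Certification Authorities) stores and that each entry costs the DER-encoded subject name plus a 2-byte TLS length prefix; the exact list Schannel builds may differ.

```powershell
# Added example: estimate the Schannel trusted CA list size against the 16 KB limit
# and look for the Schannel 36885 symptom. Assumes the list is built from the Root
# and AuthRoot stores (assumption, not taken from the post) and that each entry is
# the DER DistinguishedName plus a 2-byte length (RFC 5246 section 7.4.4).

$limitBytes = 16KB   # maximum trusted CA list size Schannel supports

$total = 0
foreach ($store in 'Root', 'AuthRoot') {
    $certs = @(Get-ChildItem -Path "Cert:\LocalMachine\$store")
    $bytes = [int]($certs |
        ForEach-Object { $_.SubjectName.RawData.Length + 2 } |
        Measure-Object -Sum).Sum
    $total += $bytes
    '{0,-9} {1,5} certs  {2,7} bytes' -f $store, $certs.Count, $bytes
}
'{0,-9} {1,5}        {2,7} bytes (limit {3})' -f 'TOTAL', '', $total, $limitBytes

if ($total -gt $limitBytes) {
    $msg = 'Trusted CA list is {0} bytes over the {1}-byte Schannel limit; ' +
           'expect event 36885 and a truncated issuer list.'
    Write-Warning ($msg -f ($total - $limitBytes), $limitBytes)
}

# Confirm the symptom: Schannel 36885 in the System log (none found is not an error)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36885 } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, ProviderName, Id | Format-Table -AutoSize
} else {
    'No Schannel 36885 events found in the System log.'
}

# Largest Third-party Root entries contribute most to the list; review them first
# (KB2801679 describes removing roots that are not required).
Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
    Sort-Object -Property { $_.SubjectName.RawData.Length } -Descending |
    Select-Object -First 10 -Property `
        @{ Name = 'NameBytes'; Expression = { $_.SubjectName.RawData.Length } },
        Subject, NotAfter |
    Format-Table -AutoSize
```

The per-store totals are an estimate only; the authoritative signal remains event 36885 on the DirectAccess server.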

More Information

MS12-083: Vulnerability in IP-HTTPS component could allow security feature bypass: December 11, 2012

MS12-083: Addressing a missing certificate revocation check in IP-HTTPS

Windows root certificate program members

SSL/TLS communication problems after you install KB 931125

Author

Billy Price – Security Escalation Engineer, Microsoft CSS Forefront Security Edge Team

Reviewer

Richard Barker – Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team