DirectAccess and Expiring Computer Accounts
An interesting question came up a few weeks ago regarding DirectAccess and expiring computer accounts. I thought it was a topical question that brought up some issues worth exploring, so I'm sharing some thoughts on the problem here.
First a little background. UAG DirectAccess (and Windows DirectAccess) enables the DirectAccess client to connect to the intranet through the use of two tunnels:
- The Infrastructure Tunnel
- The Intranet Tunnel
The infrastructure tunnel enables the DirectAccess client to reach computers on the intranet that are part of an administrator defined “management servers” group. The DirectAccess client uses this tunnel to communicate with domain controllers, update servers and other servers that you’d like the DirectAccess client to be able to connect to before the user logs on.
The intranet tunnel is opened after the user logs onto the DirectAccess client computer. This tunnel enables access to the rest of the intranet.
Both the intranet and the infrastructure tunnels require two forms of authentication to succeed before the tunnels are established.
For the infrastructure tunnel, the DirectAccess client must be able to succeed at:
- Computer certificate authentication
- Computer account authentication (NTLMv2)
For the intranet tunnel, the DirectAccess client must be able to succeed at:
- Computer certificate authentication
- User account authentication (Kerberos V5)
Note that in order to perform Kerberos authentication, you need to have connectivity to a domain controller. The domain controller should be reachable through the infrastructure tunnel that was established before the user attempts to log on.
With that understanding in place, you can see that if a computer account had expired for some reason, the infrastructure tunnel could not be created, since it depends on computer account (NTLMv2) authentication. And if you can't get the first tunnel opened, you can't get the second tunnel (the intranet tunnel) opened either, since the Kerberos authentication required for the second tunnel depends on the first tunnel coming up.
So what would happen if a computer account password expired? Nothing. The reason for this is that the computer itself is responsible for changing its password. If the computer is offline for six months and then brought online, nothing bad will happen. The computer will change its password when it starts up. This means that if for some reason a DirectAccess client computer is offline for more than 30 days (the default value for computer account password expiration) there won’t be any problems connecting to the intranet and establishing both of the IPsec tunnels.
For more information on how computers change their computer account passwords, see http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx
Watch Out for This Scenario
However, there is one scenario that might be problematic, and if you manage a DirectAccess deployment, you might want to take this into consideration. Some firms “clean up” their computer accounts on a periodic basis. During the clean-up, they might disable the stale computer accounts, or they might delete them. In this scenario, the DirectAccess client will not be able to establish the infrastructure tunnel and therefore will not be able to establish the intranet tunnel. If the computer account is disabled, it will need to be enabled. If it was deleted, the computer will need to leave the domain and rejoin the domain; this can be done over an SSTP connection.
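The clean-up problem above is easy to avoid if the stale-account report distinguishes DirectAccess clients from genuinely abandoned machines. The following PowerShell script is an added example, not code from the original post or from the UAG/DirectAccess product. It assumes the ActiveDirectory module is installed, that DirectAccess client computers are members of a security group (the group name "DirectAccess Clients" is a placeholder; substitute your own), and it uses a constructed 90-day staleness threshold. It lists computer accounts whose password has not changed since the threshold, marks which of them are DirectAccess clients, and flags any DirectAccess client that has already been disabled so it can be re-enabled instead of deleted.

```powershell
# Added example (not part of the original post): audit stale computer
# accounts before a clean-up without sweeping up DirectAccess clients that
# are merely offline. Assumptions: ActiveDirectory module available, and
# DirectAccess clients are members of the group named below (placeholder).
Import-Module ActiveDirectory

$StaleDays     = 90                      # constructed clean-up threshold
$DAClientGroup = 'DirectAccess Clients'  # placeholder group name (assumption)

$cutoff = (Get-Date).AddDays(-$StaleDays)

# Distinguished names of all DirectAccess client computers, nested groups included.
$daClients = Get-ADGroupMember -Identity $DAClientGroup -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.distinguishedName }

# Computer accounts whose password has not rotated since the cutoff. An offline
# DirectAccess client looks exactly like this until it next connects and
# changes its own password, so age alone is not proof the machine is gone.
$stale = Get-ADComputer -Filter { PasswordLastSet -lt $cutoff } `
                        -Properties PasswordLastSet, Enabled, LastLogonDate

$report = foreach ($c in $stale) {
    $isDA = $daClients -contains $c.DistinguishedName

    if (-not $isDA) {
        $action = 'Candidate for clean-up (not a DirectAccess client)'
    }
    elseif (-not $c.Enabled) {
        # A disabled DA client cannot build the infrastructure tunnel
        # (NTLMv2 computer auth fails), so the intranet tunnel never comes up.
        $action = 'DirectAccess client is DISABLED: re-enable, do not delete'
    }
    else {
        $action = 'DirectAccess client: skip; password rotates on next connection'
    }

    [pscustomobject]@{
        Name            = $c.Name
        PasswordLastSet = $c.PasswordLastSet
        LastLogonDate   = $c.LastLogonDate
        Enabled         = $c.Enabled
        DirectAccess    = $isDA
        Action          = $action
    }
}

$report | Sort-Object DirectAccess, Enabled | Format-Table -AutoSize

# Remediation for DA clients that an earlier clean-up already disabled.
# -WhatIf shows what would change; remove it to apply.
$report |
    Where-Object { $_.DirectAccess -and -not $_.Enabled } |
    ForEach-Object { Enable-ADAccount -Identity $_.Name -WhatIf }
```

Run this from a machine with the RSAT Active Directory tools before any account clean-up and hand the "Candidate for clean-up" rows to whoever owns the disable/delete step; rows marked as DirectAccess clients stay untouched. Re-enabling a disabled account is enough for the client to reconnect and rotate its password on its own; only a deleted account forces the leave-and-rejoin the post describes.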
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
Anywhere Access Group (AAG)
The “Edge Man” blog : http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder
Visit the TechNet forums to discuss all your UAG DirectAccess issues http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/threads
Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki http://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx