Archive for the ‘Direct Access’ Category

The certificates in DirectAccess have expired – now what

March 17th, 2012

Yet another day of troubleshooting DirectAccess. This time it was my colleague and friend Mikael Nystrom asking about expired IP-HTTPS and NLS certificates. He already knew about my other post on changing the IP-HTTPS certificate.

So he deleted the old binding with [netsh http del sslcert] for both external addresses and replaced it with [netsh http add sslcert] and/or the IIS management console.

That restored the DirectAccess server to a functional state, but Mikael then ran into another error: the DirectAccess Management Console started complaining that it could not read the XML config file because of errors in the certificate hashes for IpHttpsCertHash and NidCertHash.

My advice was to edit the %WINDIR%\DirectAccess\DirectAccessConfig.xml file by hand and replace the certificate thumbprints in it with those of the renewed certificates. But the console kept complaining about the hashes! After some thought, and after comparing the old and the new config files, we realized that the console needs the certificate hash values in CAPITAL letters.

Yes, the certificate hash/thumbprint is a hex representation, and according to W3C XML Schema Part 2: Datatypes Second Edition

hexBinary has a lexical representation where each binary octet is encoded as a character tuple, consisting of two hexadecimal digits ([0-9a-fA-F]) representing the octet code. For example, “0FB7” is a hex encoding for the 16-bit integer 4023 (whose binary representation is 111110110111).

Reading the above carefully, any developer will see that the character class in "digits ([0-9a-fA-F])" makes the encoding case-insensitive, but that apparently escaped whoever developed the DirectAccess Management Console in Windows Server 2008 R2: its comparison of the stored hash against the certificate is case-sensitive, so a lowercase thumbprint that is byte-for-byte the same certificate is rejected.

To change the IP-HTTPS or NLS certificate (the latter only if NLS runs on the DA server) and keep the DA Management Console happy:

  • Redo the certificate bindings, either with the netsh http del/add sslcert commands or in the IIS console, and confirm the new hash with netsh http show sslcert
  • Change IpHttpsCertHash and NidCertHash in the DirectAccessConfig.xml file and make sure the hash value is in CAPITAL letters (the thumbprint shown in the certificate MMC snap-in is lowercase and contains spaces, so strip the spaces and uppercase it)
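The procedure above, together with the uppercase requirement explained earlier, as an added PowerShell script that is not part of the original post: it picks the renewed certificates out of the machine store by DNS name, rebinds each external ipport while reusing the application ID the old binding carried, rewrites IpHttpsCertHash and NidCertHash in DirectAccessConfig.xml in uppercase, and checks the new binding. The addresses and DNS names are example values; that the two hashes are stored as XML elements with those local names, that the listeners are on TCP 443, and that netsh prints English output are assumptions.

```powershell
# Added example, not code from the original post. Assumptions: run elevated on
# the DA server, English netsh output, listeners on TCP 443, and that
# IpHttpsCertHash / NidCertHash are element names inside DirectAccessConfig.xml.
param(
    [string[]]$ExternalIpPorts = @('203.0.113.10:443', '203.0.113.11:443'), # both external addresses (example values)
    [string]$IpHttpsDnsName    = 'da.example.com',   # DNS name on the renewed IP-HTTPS cert (assumed)
    [string]$NlsDnsName        = 'nls.example.com',  # DNS name on the renewed NLS cert (assumed)
    [string]$NlsIpPort         = '',                 # set only if NLS runs on this server, e.g. '10.0.0.5:443'
    [string]$ConfigPath        = "$env:WINDIR\DirectAccess\DirectAccessConfig.xml"
)
$ErrorActionPreference = 'Stop'

function Get-RenewedThumbprint {
    # Newest unexpired cert in LocalMachine\My whose DNS name matches; the
    # thumbprint is returned in uppercase hex, the form the DA console accepts.
    param([string]$DnsName)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -gt (Get-Date) -and
                       $_.GetNameInfo('DnsName', $false) -eq $DnsName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No unexpired certificate for $DnsName in LocalMachine\My" }
    return $cert.Thumbprint.ToUpperInvariant()
}

function Update-SslBinding {
    # Replace the certificate on an existing HTTP.SYS binding, reusing the
    # application ID the old binding had (IIS or the IP-HTTPS listener).
    param([string]$IpPort, [string]$Thumbprint)
    $before = netsh http show sslcert ipport=$IpPort | Out-String
    if (-not ($before -match 'Application ID\s*:\s*(\{[0-9a-fA-F-]+\})')) {
        throw "No existing SSL binding on $IpPort; add one instead of replacing it"
    }
    $appId = $Matches[1]
    netsh http delete sslcert ipport=$IpPort | Out-Null
    netsh http add sslcert ipport=$IpPort certhash=$Thumbprint appid=$appId | Out-Null
    # Check: netsh prints the hash in lowercase, so compare case-insensitively.
    $after = netsh http show sslcert ipport=$IpPort | Out-String
    if (-not ($after -match "(?i)Certificate Hash\s*:\s*$Thumbprint")) {
        throw "Binding on $IpPort does not carry $Thumbprint after rebinding"
    }
}

function Update-DirectAccessConfig {
    # Rewrite both thumbprints in uppercase; the 2008 R2 console rejects
    # lowercase hex although XML Schema hexBinary allows [0-9a-fA-F].
    param([string]$Path, [string]$IpHttpsHash, [string]$NlsHash)
    Copy-Item $Path "$Path.bak" -Force          # keep the old config for rollback
    [xml]$xml = Get-Content $Path
    $hashes = @{ IpHttpsCertHash = $IpHttpsHash; NidCertHash = $NlsHash }
    foreach ($name in $hashes.Keys) {
        # Element names come from the console's error; nesting and namespace are
        # not known here, so match on local-name() anywhere in the document.
        $nodes = $xml.SelectNodes("//*[local-name()='$name']")
        if ($nodes.Count -eq 0) { throw "$name not found in $Path" }
        foreach ($node in $nodes) { $node.InnerText = $hashes[$name].ToUpperInvariant() }
    }
    $xml.Save($Path)
}

$ipHttpsHash = Get-RenewedThumbprint $IpHttpsDnsName
$nlsHash     = Get-RenewedThumbprint $NlsDnsName
foreach ($ipPort in $ExternalIpPorts) { Update-SslBinding -IpPort $ipPort -Thumbprint $ipHttpsHash }
if ($NlsIpPort) { Update-SslBinding -IpPort $NlsIpPort -Thumbprint $nlsHash }
Update-DirectAccessConfig -Path $ConfigPath -IpHttpsHash $ipHttpsHash -NlsHash $nlsHash
Write-Host "IP-HTTPS: $ipHttpsHash  NLS: $nlsHash  (written to $ConfigPath, backup at $ConfigPath.bak)"
```

Reading the application ID back from the existing binding matters because the IIS listener and the IP-HTTPS listener register under different IDs; copying the wrong one produces a binding that netsh shows as fine but the intended service never picks up. If the hashes turn out to live in attributes rather than elements in your copy of the file, the SelectNodes lookup throws instead of silently writing nothing.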

If you happen to know the person responsible for this at Microsoft, please give him/her the link to W3C 😉


Online seminar – Next Generation Windows Security, 18 June 2009 12:00 – 14:00

June 17th, 2009

18 June 2009 12:00 – 18 June 2009 14:00 local time, LiveMeeting Sweden

Language: Swedish.
Product(s): Windows 7 and Windows Server 2008.
Audience: IT expert.

Welcome to join our online seminar for IT professionals!

We start at 12:00 and go on for at least one and at most two hours, and you will have the opportunity to ask questions at the end of the seminar.

Next Generation Windows Security

It is finally here! Now everyone can build the most secure Windows system ever using components from Windows 7 & Windows Server 2008 R2, which bring a host of new and exciting possibilities in the area of security on the Windows platform.

We will examine Authentication Assurance, NTLM Restrictions, DNSSec, Direct Access, Bitlocker To Go, Managed Service Accounts, SRPv2 and of course all the news in PKI and the management of certificates and smart cards.

Speaker: Hasain Alshakarti, TrueSec
Target audience: IT professionals