Updated 6/10/2015: This post was revised to include instructions for enabling OTP support for Windows 7 clients and for configuring OTP on the DirectAccess server using the Remote Access Management console.
Introduction
DirectAccess in Windows Server 2012 R2 provides significantly improved authentication over traditional client-based VPN solutions. When configured to use certificate authentication (a recommended best practice) the DirectAccess client is authenticated using its machine certificate and its Active Directory computer account. Once the client machine has been authenticated, the user is also authenticated via Kerberos against a live domain controller over the existing DirectAccess connection. These multiple authentication steps provide a high level of assurance for DirectAccess-connected clients. If that’s not enough to meet your needs, additional strong user authentication is supported using dynamic One-Time Passwords (OTP).
Drawbacks for DirectAccess with OTP
While OTP provides an additional level of assurance, it does come with a few drawbacks. OTP adds complexity and makes troubleshooting more difficult. OTP cannot be configured with force tunneling; the two security features are mutually exclusive. DirectAccess OTP does not support RADIUS challenge-response. For Windows 7 clients, the DirectAccess Connectivity Assistant (DCA) v2.0 must be deployed. In addition, enabling OTP with DirectAccess disables the use of null cipher suites for IP-HTTPS, which can have a negative effect on performance and scalability (more details here). Also, OTP fundamentally breaks the seamless and transparent nature of DirectAccess.
Configuring DirectAccess OTP
OTP for DirectAccess makes use of short-lived certificates for user authentication. Thus, enabling OTP for DirectAccess requires making changes to the internal Public Key Infrastructure (PKI). DirectAccess in Windows Server 2012 R2 can be configured to use the same Certificate Authority (CA) that is used to issue computer certificates to the DirectAccess clients and servers. This differs from DirectAccess with Forefront Unified Access Gateway (UAG) 2010, where a separate, dedicated CA was required.
To configure DirectAccess OTP, follow the instructions below.
OTP Certificate Request Signing Template
Open the Certification Authority management console, right-click Certificate Templates, and then choose Manage. Alternatively you can enter certtmpl.msc in the Start/Run box or search from the Windows Start menu. Right-click the Computer template and choose Duplicate Template. On a Windows Server 2008 or 2008 R2 CA, select Windows Server 2008 Enterprise when prompted for the duplicate certificate template version.
On a Windows Server 2012 or 2012 R2 CA, select the Compatibility tab and then select Windows Server 2008 R2 for the Certification Authority and Windows 7/Windows Server 2008 R2 for the Certificate recipient.
Select the General tab and provide a descriptive name for the Template Display Name. Specify a validity period of 2 days and a renewal period of 1 day.
Select the Security tab and click Add. Click Object Types and then select Computers and click Ok. Enter the names of each DirectAccess server separated by semicolons and click Check Names. Click Ok when finished. For each DirectAccess server, grant Read, Enroll, and Autoenroll permissions. Select Authenticated Users and remove any permissions other than Read. Select Domain Computers and remove the Enroll permission. Select Domain Admins and grant Full Control permission. Do the same for Enterprise Admins.
Select the Subject Name tab and choose the option to Build from this Active Directory information. Select DNS name in the Subject name format drop-down list and confirm that DNS name is checked under Include this information in alternate subject name.
Select the Extensions tab, highlight Application Policies and click Edit.
Remove all existing application policies and then click Add and then New. Provide a descriptive name for the new application policy and enter 1.3.6.1.4.1.311.81.1.1 for the Object Identifier. Click Ok for all remaining dialog boxes.
OTP Certificate Template
In the Certificate Templates Console, right-click the Smartcard Logon certificate template and choose Duplicate Template. On a Windows Server 2008 or 2008 R2 CA, select Windows Server 2008 Enterprise when prompted for the duplicate certificate template version.
On a Windows Server 2012 or 2012 R2 CA, select the Compatibility tab and then select Windows Server 2008 R2 for the Certification Authority and Windows 7/Windows Server 2008 R2 for the Certificate recipient.
Select the General tab and provide a descriptive name for the Template Display Name. Specify a validity period of 1 hour and a renewal period of 0 hours.
Note: It is not possible to set the validity period to hours on a Windows Server 2003 Certificate Authority (CA). As a workaround, use the Certificate Templates snap-in on another system running Windows 7/Windows Server 2008 R2 or later. Also, if the CA is running Windows Server 2008 R2, the template must be configured to use a Renewal Period of 1 or 2 hours and a Validity Period that is longer but no more than 4 hours.
Select the Security tab, then highlight Authenticated Users and grant Read and Enroll permissions. Select Domain Admins and grant Full Control permission. Do the same for Enterprise Admins.
Select the Subject Name tab and choose the option to Build from this Active Directory information. Select Fully distinguished name in the Subject name format drop-down list and confirm that User principal name (UPN) is checked under Include this information in alternate subject name.
Select the Server tab and choose the option Do not store certificates and requests in the CA database. Clear the checkbox next to Do not include revocation information issued in certificates.
Select the Issuance Requirements tab and set the value for This number of authorized signatures to 1. Confirm that Application Policy is selected from the Policy type required in signature drop-down list and choose the OTP certificate request signing template created previously.
Select the Extensions tab, highlight Application Policies and click Edit. Highlight Client Authentication and click Remove. Ensure that the only application policy listed is Smart Card Logon.
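As an added check that is not part of the original post: certificate templates live in the Configuration partition of Active Directory, so the settings from the two template sections above can be read back and compared with what the post specifies before the templates are published. The display names below, the Smart Card Logon OID 1.3.6.1.4.1.311.20.2.2 and the CT_FLAG_DONOTPERSISTINDB bit value 0x1000 are my assumptions, not values from the post; the OTP signing OID 1.3.6.1.4.1.311.81.1.1 is the one given above.

```powershell
# Added example, not from the original post. Reads the two OTP certificate templates from the
# Configuration partition of AD and checks them against the settings described in the post.
# Run on a domain-joined machine as a user who can read the Configuration partition.

# Display names are placeholders; use the names you typed in the Template Display Name field.
$RaTemplateName    = 'DirectAccess OTP Registration Authority'
$LogonTemplateName = 'DirectAccess OTP Logon'

$OtpRaOid          = '1.3.6.1.4.1.311.81.1.1'   # OTP request-signing application policy (from the post)
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon application policy (assumed well-known OID)
$DoNotPersistInDb  = 0x1000                     # CT_FLAG_DONOTPERSISTINDB bit in msPKI-Enrollment-Flag (assumed)

function Get-CertTemplate {
    # Look a template up by display name under CN=Certificate Templates,CN=Public Key Services
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $root     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Certificate template '$DisplayName' not found in AD" }
    $result.Properties
}

function ConvertTo-TemplatePeriod {
    # pKIExpirationPeriod / pKIOverlapPeriod are 8-byte little-endian negative tick counts (100 ns units)
    param([byte[]]$Bytes)
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

function Write-Check {
    param([string]$Name, [bool]$Ok, $Actual)
    $state = if ($Ok) { 'OK   ' } else { 'CHECK' }
    "$state  $Name -> $Actual"
}

# --- OTP certificate request signing template: 2 days validity, 1 day renewal, single OTP OID
$ra         = Get-CertTemplate $RaTemplateName
$raValidity = ConvertTo-TemplatePeriod $ra['pkiexpirationperiod'][0]
$raRenewal  = ConvertTo-TemplatePeriod $ra['pkioverlapperiod'][0]
$raPolicies = @($ra['mspki-certificate-application-policy'])
Write-Check 'RA template validity'   ($raValidity -eq [TimeSpan]::FromDays(2)) $raValidity
Write-Check 'RA template renewal'    ($raRenewal  -eq [TimeSpan]::FromDays(1)) $raRenewal
Write-Check 'RA template app policy' (($raPolicies.Count -eq 1) -and ($raPolicies[0] -eq $OtpRaOid)) ($raPolicies -join ', ')

# --- OTP logon template: 1 hour validity, no renewal, Smart Card Logon only, one RA signature
#     whose policy is the OTP OID, and certificates not stored in the CA database
$logon         = Get-CertTemplate $LogonTemplateName
$logonValidity = ConvertTo-TemplatePeriod $logon['pkiexpirationperiod'][0]
$logonRenewal  = ConvertTo-TemplatePeriod $logon['pkioverlapperiod'][0]
$logonPolicies = @($logon['mspki-certificate-application-policy'])
$raSignatures  = [int]$logon['mspki-ra-signature'][0]
$raPolicyText  = @($logon['mspki-ra-application-policies']) -join ' '
$enrollFlags   = [int]$logon['mspki-enrollment-flag'][0]
Write-Check 'Logon validity'         ($logonValidity -eq [TimeSpan]::FromHours(1)) $logonValidity
Write-Check 'Logon renewal'          ($logonRenewal  -eq [TimeSpan]::Zero) $logonRenewal
Write-Check 'Logon app policy'       (($logonPolicies.Count -eq 1) -and ($logonPolicies[0] -eq $SmartCardLogonOid)) ($logonPolicies -join ', ')
Write-Check 'Logon RA signatures'    ($raSignatures -eq 1) $raSignatures
Write-Check 'Logon RA policy OID'    ($raPolicyText -like "*$OtpRaOid*") $raPolicyText
Write-Check 'Logon not stored in DB' (($enrollFlags -band $DoNotPersistInDb) -ne 0) ('0x{0:X}' -f $enrollFlags)
```

On a Windows Server 2008 R2 CA, where the post says the logon template needs a renewal period of 1 or 2 hours and a validity period of no more than 4 hours, change the two expected TimeSpans for the logon template accordingly. Any line reported as CHECK points at the tab of the template where the setting differs from the walkthrough.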
Certificate Authority Configuration
In the Certificate Authority management console, right-click Certificate Templates, choose New, and then Certificate Template to Issue. Highlight both of the certificate templates created previously and click Ok.
Open an elevated command prompt and enter the following command:
certutil.exe -setreg dbflags +DBFLAGS_ENABLEVOLATILEREQUESTS
Restart the Certificate Authority service by right-clicking the CA in the Certificate Authority management console and choosing All Tasks and then Stop Service. Once complete, repeat these steps and choose Start Service.
DirectAccess Server Configuration
In the Remote Access Management console, select DirectAccess and VPN under Configuration in the navigation pane and then click Edit on Step 2 – Remote Access Server. Select Authentication, choose Two-factor authentication (smart card or one-time password (OTP)), and then check the option to Use OTP.
Click Next and then add the RADIUS servers that will be used for OTP authentication. Provide the hostname, FQDN, or IP address of the server, the shared secret, and specify the service port.
Click Next, select the CA server that will be used to issue certificates to DirectAccess clients for OTP authentication, and then click Add.
Note: When performing this step you may receive the following error:
No CA servers can be detected, and OTP cannot be configured. Ensure that servers added to the list are available on each domain controller in the corporate network.
If this occurs, close out of the Remote Access Management console and install this hotfix.
Click Next and select the certificate templates to be used for the enrollment of certificates that are issued for OTP authentication. Also select a certificate template used to enroll the certificate used by the DirectAccess server to sign OTP certificate enrollment requests.
Click Next and specify whether selected DirectAccess users can authenticate with a user name and password when OTP authentication is disabled. If some users need to be exempted from using OTP, specify the security group as required and click Finish.
Click Edit on Step 3 – Infrastructure Servers. Select Management and add the CA server used for OTP authentication to the list of management servers.
Click Ok and then Finish. Click Finish once more and then apply the changes.
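The same settings from PowerShell, as an added example that is not from the original post: the RemoteAccess module on the DirectAccess server exposes the OTP configuration that the wizard pages above set. The host names, shared secret, group and template names are placeholders for your environment, and the cmdlet parameter names are as I recall them from the module, so confirm them with Get-Help Enable-DAOtpAuthentication -Full on your server before running.

```powershell
# Added example, not from the original post. Applies the OTP settings described in the
# console steps above with the RemoteAccess module, then reads them back.
# All names below are placeholders for your environment.
Import-Module RemoteAccess

$RadiusServer    = 'otp-radius.corp.example'             # RADIUS server used for OTP (placeholder)
$RadiusPort      = 1812
$CaServer        = 'ca01.corp.example\Corp-Issuing-CA'   # "host\CA name" as listed in the console (placeholder)
$SigningTemplate = 'DirectAccess OTP Registration Authority'   # template the DA server signs requests with
$LogonTemplate   = 'DirectAccess OTP Logon'                    # short-lived logon certificate template
$OtpExemptGroup  = 'CORP\DA-OTP-Exempt'                  # users allowed to use a password instead of OTP (placeholder)

# Prompt rather than hard-code the RADIUS shared secret in a script
$SharedSecret = Read-Host -Prompt 'RADIUS shared secret'

# Step 2 - Remote Access Server > Authentication: two-factor authentication
Set-DAServer -UserAuthentication TwoFactor

# RADIUS server, issuing CA, certificate templates and exemption group from the OTP pages of the wizard
Enable-DAOtpAuthentication -RadiusServer $RadiusServer -RadiusPort $RadiusPort -SharedSecret $SharedSecret `
    -CAServers $CaServer `
    -SigningCertificateTemplateName $SigningTemplate `
    -CertificateTemplateName $LogonTemplate `
    -UserSecurityGroupName $OtpExemptGroup -Force

# Step 3 - Infrastructure Servers > Management: the CA must be reachable over the infrastructure tunnel
Add-DAMgmtServer -MgmtServer ($CaServer.Split('\')[0])

# Read back what was applied
Get-DAOtpAuthentication | Format-List
Get-DAServer | Select-Object UserAuthentication
```

Reading the configuration back with Get-DAOtpAuthentication is the quickest way to confirm, after a console or script change, which RADIUS server, CA and templates the DirectAccess server will actually use when a client presents its OTP.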
DirectAccess OTP Client Experience
When a DirectAccess client is outside of the corporate network and has established DirectAccess connectivity, users can log on to their machine and access their desktop, but they will not be able to access corporate resources without first providing their OTP.
For Windows 8 clients, swipe in from the right side of the screen or press Windows Key + I and click on the active network connection. The DirectAccess Workplace Connection will indicate that action is needed. Clicking on the Workplace Connection will indicate that credentials are needed. Clicking Continue will prompt the user to press Ctrl+Alt+Delete and provide their OTP.
For Windows 7 clients, an alert from the DirectAccess Connectivity Assistant (DCA) in the system tray will indicate that Windows needs your smart card credentials. Clicking on the notification Window will prompt the user to provide their OTP.
Alternatively the user can click on the DCA icon in the system tray and then click Lock and unlock your computer with a smartcard or a one-time password. The user will then press CTRL+ALT+DELETE, choose Other Credentials, select One-time password (OTP), and then provide their OTP.
Summary
Using dynamic, one-time passwords is an effective way to provide the highest level of assurance for remote DirectAccess clients. It does come with some potential drawbacks, so be sure to consider those before implementing OTP.
Luke / March 5, 2015
Hi, Richard
Thanks for this amazing post.
A question regarding “DirectAccessOTP Logon” certificate template.
I noticed that you mentioned: if the CA is running Windows Server 2008 R2, the template must be configured to use a Renewal Period of 1 or 2 hours and a Validity Period that is longer but no more than 4 hours.
Also, in your configuration you set the “Validity Period” to 1 hour, so does that mean every hour the end user has to enter his or her OTP again?
In our lab environment we have Server 2008 R2 as CA, and we cannot extend the “Validity Period” to more than 4 hours; if I do, OTP will break.
So if we use Server 2012 R2 as our CA, does this restriction still apply?
Richard Hicks / March 7, 2015
The user will not be required to enter their OTP every hour. The certificate will be automatically renewed as long as the user’s logged on session is still valid. Also, I’ve never tested with anything other than a 2012R2 CA. However, 2008R2 should work, just set the validity period to 4 hours and you should be fine.
Luke / March 5, 2015
Also we noticed the GUI broken problem, Microsoft premier engineer said it has been reported as a “bug”. Do we have any ETA on when this hotfix will be released?
Richard Hicks / March 7, 2015
It’s been a known issue for quite some time. I’ve not seen any indication that an update is available to fix it yet. If that changes I’ll post something on the blog for sure.
Kaspars / March 10, 2015
Hi. What RADIUS server can we use? Can we use an OTP password which is sent to the phone as SMS?
Richard Hicks / March 12, 2015
Any RADIUS server should work, as long as it doesn’t require challenge/response. Should work just fine with SMS tokens too.
Luke / March 26, 2015
Hi, Richard
We have encountered OTP user experience issues since Day 1 of the lab deployment in our firm.
We only have Windows 7 Ent client, and CA is running on Win 2008 R2.
“DirectAccessOTP Logon” Validity Period set to 4 hours, Renewal Period to 2 hours; however, all the DA clients have to re-enter their OTP randomly during this 4 hour period.
Then I was forced to change the Validity Period to 24 hours, Renewal Period to 2 hours; users still need to re-enter OTP randomly. [This action does make the Remote Access Management console show red on OTP], but it doesn’t prevent the DA user from authenticating against OTP.
So I am wondering: it is not the “Validity Period” or “Renewal Period” that makes users re-enter the OTP, it is something else….
Does the user have to constantly keep the session alive by moving the mouse and keyboard?
Richard Hicks / March 27, 2015
Hi Luke,
The user experience is decidedly degraded when using OTP, and especially so with Windows 7 clients. In my experience, Windows 7 clients don’t maintain their IPsec tunnels as long as Windows 8 clients do. When the tunnel goes down, the user will be forced to authenticate again when they reestablish. I’ve never tried changing the validity or renewal periods on the certificate template, to be honest. From your experience it sounds like it breaks things. I’m not sure there’s a workaround.
Luke / March 27, 2015
We have no plan to migrate to Windows 8.1, at least in the near future. Most likely we will go for Windows 10 directly.
Luke / March 26, 2015
Also, is there a way to find the OTP certificate on the DA client machine?
Usually we can view certificates from the MMC console: add the snap-in and go to Computer > Personal > Certificates; for example we can view the NAP health certificate from there.
But where do we find the OTP certificate on the client?
Richard Hicks / March 27, 2015
I’m not certain, but perhaps it is located in the user’s personal certificate store?
Luke / March 27, 2015
I checked in the user’s personal certificate store, it is not there.
Richard Hicks / March 30, 2015
I’ll see if I can find some more information for you on this. Stay tuned… 🙂
Gerald / April 13, 2015
Hi Richard,
Many thanks for this excellent post and for all the info you are sharing.
Any plan to publish configuration info on the integration of smart cards with DirectAccess ?
Thanks 🙂
Richard Hicks / April 14, 2015
Hi Gerald,
I’ve considered it, but I don’t currently have a test machine with a suitable TPM. If that changes I will probably author something on the subject as it isn’t very well documented at the moment.
Thanks!
Engineering IT / April 20, 2015
With the statement “In addition, enabling OTP with DirectAccess disables the use of null cipher suites for IP-HTTPS.” – I can’t see anything on the Microsoft site that details this. How do you see/confirm if this is the case?
Richard Hicks / April 22, 2015
Detailed documentation on DirectAccess is difficult to find on the Microsoft web site, unfortunately. I have confirmed this behavior by observing network traffic on the client and server in each deployment scenario.
Mark / April 29, 2015
I created the two templates using the Certificate Authority console on the 2012 R2 DA server. However our CA is Server 2008 R2; after creating the templates and selecting “New Certificate Template To Issue”, I am unable to select the “DirectAccess OTP Registration Authority” and “DirectAccess OTP Logon” templates that were just created – they are not there. I see other people using the templates with a 2008 R2 CA… so is this something I must change on the “Compatibility” tab on the templates to see them? The “compatibility” settings for the Certificate Authority can only be dropped to 2012…
Richard Hicks / May 2, 2015
I’m not sure. I’ve only ever done this using a Windows Server 2012 R2 PKI. :/
Mark / May 18, 2015
I have in-place upgraded the CA to 2012 R2 and I can now issue them…
Zack / August 4, 2015
Have you done any testing with Windows 10 and DirectAccess with OTP? We’re trying right now but running into an issue “a certificate for otp authentication cannot be created”
Event ID 10004. Our windows 7 and 8 clients are working fine but windows 10 will not.
Richard Hicks / August 4, 2015
I tested it and it did work with earlier preview builds, but I have not yet tested with RTM. Hopefully they didn’t introduce a bug!
Laurens de Koning / August 5, 2015
I am currently testing OTP with Windows 10, still haven’t got it working. It might be related to the usage of RSA SecurID, not sure yet, still figuring this out.
However, what I have noticed so far, the user doesn’t get -any- notification from the Action Center automatically that an Action is Required from the user (OTP Password). This is not really user-friendly, the user is now obligated to open up the Action Center themselves to see why they are not getting fully connected!
Richard Hicks / August 8, 2015
Interesting. I’d understood that Windows 10 was actually improved with regard to OTP notification. I haven’t yet tested myself though. :/
Zack / August 5, 2015
Did you have to make any changes to your configuration to get Windows 10 clients to work?
Richard Hicks / August 8, 2015
Not at all. Same configuration works for Windows 7, 8.x, and 10. 🙂
Laurens de Koning / August 17, 2015
In the meantime I have got it working on Windows 8.x (with RSA).
However, Windows 10 doesn’t like what we’re doing, it does show the OTP Logon box. But as soon as I logon using my RSA Token (which does work on Windows 8.x) it will give me an “Authentication failed due to an internal error 0x80040002” message in the OTP Logon box and in the Event Log I can see the following error “A certificate for OTP authentication cannot be created. Error code: 0x80040002”.
Laurens de Koning / August 18, 2015
I get the exact same error on Windows 7, the only client that does accept this configuration is Windows 8.x.
Richard M. Hicks / August 18, 2015
Interesting. I have to suspect something is up with the RSA configuration then. Typically OTP authentication will work for all or none. Not sure why it is being selective for you. :/
Laurens de Koning / August 21, 2015
I find that hard to believe since the authentication method is basically the same and in all cases should be delegated through the DirectAccess Server(s). My guess is as good as yours, in my opinion it should work equally the same on all Operating Systems. I have absolutely no clue why it works on Windows 8.x and not on Windows 7 or 10.
Richard M. Hicks / August 24, 2015
Agreed. I haven’t had time to thoroughly test this myself yet. When I do I’ll be sure to share the results.
Laurens de Koning / August 24, 2015
I managed to fix the Windows 7 issue, funny enough it was actually an issue you’ve already written on your blog about (http://directaccess.richardhicks.com/2014/05/09/error-0x80040001-when-using-otp-on-windows-7-sp1-directaccess-clients/).
As for Windows 10, still haven’t found a solution. The error I keep on getting is 0x80040002 when I enter my OTP credentials (which work fine on Windows 7/8.x). The error I see in the Event Log (OtpCredentialProvider) is “A certificate for OTP authentication cannot be created. Error code: 0x80040002”.
Frank Hutcheon / August 26, 2015
Hi guys – I’ve got exactly the same issue here on Windows 10 clients. It was the same on RTM and I was hoping they’d fix it in the live release but it’s still the same. I’m working fine on Windows 7 / 8 and 8.1 but get the “A certificate for OTP authentication cannot be created. Error code: 0x80040002” message on 10 clients.
Anyone made any progress on this they’d be willing to share? We’re keen to get Surface Pro 3’s with 10 on them out there but this is holding us up.
Thanks in advance.
Richard M. Hicks / September 1, 2015
Interesting. I’m beginning to wonder if this isn’t a bug?!? As soon as time permits I’ll set up my test lab to validate and confirm. Stay tuned…
Laurens de Koning / September 30, 2015
Richard/Anybody, did someone get OTP working on Windows 10 already? 🙂
Richard M. Hicks / October 1, 2015
I still haven’t had time to test this yet. Sorry! I hope to get to it soon as I’ve had a number of people ask about this. Stay tuned!
Frank Hutcheon / October 8, 2015
Not me on Windows 10 – still functioning very well on 7/8/8.1 – Just about to launch a support call with Microsoft. I’ll keep you guys posted.
Frank Hutcheon / October 19, 2015
Just got off the phone to Microsoft – they are aware there is an issue with Windows 10 clients and 2 factor authentication and are working on a hotfix. No ETA though unfortunately.
Frank Hutcheon / November 6, 2015
The Windows 10 2FA issue is a confirmed bug by Microsoft and a fix is coming.
From Microsoft :
The issue will be fixed in the TH2 (Threshold 2) release of windows 10 that is due in November.
We are still waiting for the product group to decide if it will be fixed in TH1 (current servicing build on windows 10).
Hope this helps ease some pain for someone! 🙂
Richard M. Hicks / November 7, 2015
Thanks for the update Frank!
Øystein Hansen / November 18, 2015
I can confirm that OTP in Windows 10 now works after the November update (Threshold 2).
Richard M. Hicks / November 18, 2015
Awesome! Thanks for the report! 🙂
Laurens de Koning / August 24, 2015
Zack,
I suppose we have a common issue.
Laurens de Koning / August 5, 2015
Hi Richard,
Does DirectAccess OTP also support RSA SecurID tokens/radius servers as OTP method?
Richard Hicks / August 8, 2015
It does, yes. 🙂
vannak / March 24, 2016
Hi Richard,
I tried to follow your guide, but when I access the Windows server through Remote Desktop it still does not show the OTP alert.
Could you help me by explaining this task in more detail?
I need your help.
Richard M. Hicks / March 25, 2016
If you follow the guidance in this post it should work. If not, I suspect you’ve missed something during the configuration. I’d suggest walking back through step-by-step to see what you’re missing.
vannak / March 27, 2016
Hi Richard,
How do I configure the remote access setup without choosing IPv6?
I want to use only IPv4.
Richard M. Hicks / March 28, 2016
DirectAccess is an IPv6-only solution. It’s configured by default to use IPv4 on the internal network, but you have to use IPv6 on the client side. No way around that.
Engineering IT / March 25, 2016
We had the issue where clients would not prompt for OTP codes. I’ve documented the fix here https://engineeringit.wordpress.com/2015/12/18/win8-clients-not-prompting-for-directaccess-otp-codes/
Richard M. Hicks / March 28, 2016
Great tip! I always use HTTP for the web probe so that’s likely why I’ve never encountered this issue before. 🙂
vannak / March 27, 2016
Hi sir,
Can you give me the detailed documentation for implementing this task?
I think you may have all the detailed documents about DirectAccess OTP.
If you can, please help by sending them to me, sir.
Richard M. Hicks / March 28, 2016
Here is a link to the official Microsoft documentation for configuring DirectAccess with OTP authentication: https://technet.microsoft.com/en-us/library/jj134229.aspx.
mfekry86 / April 17, 2016
Hi Richard,
Is it normal to enable OTP when DirectAccess works with IP-HTTPS, or shall I switch the protocol, as on Microsoft TechNet it is stated below in unsupported configurations?
https://technet.microsoft.com/en-us/library/dn464274.aspx#bkmk_iphttps
Richard M. Hicks / April 23, 2016
OTP is definitely supported when using IP-HTTPS. That support statement has to do with terminating SSL/TLS on an external device when using OTP, which breaks OTP and is of course unsupported.
cblo / May 26, 2016
I got DirectAccess configured and green with OTP thanks to this blog.
When I connect a Windows 10 client: where and when do I need to enter the OTP??? (TOTP in my case).
I don’t know where, and the RADIUS doesn’t get any authentication request.
Thanks anyway for the thorough articles!
Richard M. Hicks / May 28, 2016
The end-user experience for OTP is not real great, unfortunately. There’s no immediately visible indicator that the user needs to provide their OTP credentials. They’ll have to click on their network connection and then click on the DirectAccess connection where they’ll see that action is needed. Alternatively, the user can press Windows Key + I, click Network & Internet, and then select DirectAccess.
Thorsten Frohberg / July 28, 2016
Hello Richard, I have used your guide here to configure OTP for DirectAccess. In the OTPCredentialProvider log on the DA client I can read “OTP authentication has completed successfully”. The OTP certificate was issued…. But the user tunnel isn’t established, and I get an application error: faulting application name NetworkUXBroker.exe, faulting module name DAManager.dll, faulting package full name: windows.immersivecontrolpanel_6.2.0.0. DA client is Windows 10 Enterprise 1511, DA server Windows Server 2012 R2, the CA server is Windows Server 2008 R2. Have you an idea for a solution? With kind regards, Thorsten
Richard M. Hicks / July 28, 2016
Very odd. I’ve not encountered that myself, so I don’t have much to offer in the way of advice. Sorry! You might have to open a support case with Microsoft if you can’t get it sorted. :/
Thorsten Frohberg / August 8, 2016
Hello Richard,
I think your guide here is not complete, because for OTP authentication you also need a “Domain Controller Authentication” certificate with the Smart Card OID on all domain controllers. Without this, the user tunnel can’t be established, with no error logged on the client. Only on the domain controller can you read in the System log Event ID 19: “This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.”
https://technet.microsoft.com/en-us/library/dd348640(v=ws.10).aspx
It took me many hours to find this issue.
with kind regards
Thorsten Frohberg
Richard M. Hicks / August 8, 2016
Thanks for the details, Thorsten. You bring up an excellent point here, one that I did not consider. However, my article was not meant to be a comprehensive deployment guide for PKI. Rather, it assumes that infrastructure prerequisites are in place to support smart card authentication. The guidance provided here is solely for the configuration of an existing PKI and DirectAccess for OTP authentication. However, I will update this post to reflect this important detail.
Thanks again!
Bueschu / March 30, 2017
Thank you for this really interesting article, which helped me with my last installation – just perfect.
I also bought your book about DirectAccess to better understand all the different topics. The book is a big helper for many customer projects.
best regards
bueschu
Richard M. Hicks / March 31, 2017
Awesome, thanks so much! 🙂
Daniel Morris / April 10, 2017
I have configured OTP and have it working successfully. The only issue I seem to have is that Windows 10 clients seem to take around 10 seconds for the authentication to come through whereas Windows 7 auth is sent within a second to our phones. Is there any difference in the way the OS handles the OTP request?
Thank you.
Richard M. Hicks / April 10, 2017
That’s odd. Fundamentally, Windows 7 and Windows 8.x/10 handle OTP much differently. Windows 7 uses the DCA, but in Windows 8.x/10 it is integrated into the operating system itself. I can only guess that has something to do with it, but I’m not certain.
Toya / May 17, 2017
Hello, I recently deployed Windows 10 with DA using OTP. Our users receive several different internal error messages; is there a site that tells what each error message means?
Example: 0x80040001, 0x80040002, 0x80040008, 0x80040004
Richard M. Hicks / May 17, 2017
They are probably documented somewhere on the MSDN web site, but they are scattered around depending on which subsystem generates the code. I often use the Exchange Error Code Lookup Tool (err.exe) from Microsoft. It was created for Exchange, but it works for many common Windows error codes. You can download it here: https://www.microsoft.com/en-us/download/details.aspx?id=985.
Richard M. Hicks / May 17, 2017
In addition, you can find DirectAccess OTP troubleshooting guidance on the Microsoft web site here: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/ras/otp/troubleshoot/troubleshooting-enabling-otp. Also, my good friend Benoit has a lot of experience with DirectAccess and OTP, and has documented much of it on his web site here: http://danstoncloud.com/simplebydesign/category/3631/. Hope that helps!
Toya / May 24, 2017
Hello,
Does anyone have an issue with next token mode on Windows 10/DirectAccess 2012?
Issue: user enters RSA token, OTP tries to authenticate but returns a message stating ‘Additional information required, please contact administrator’ or a 0x80040001 error.
Issue: user enters RSA token but there is a delay before it shows connecting after the user clicks OK. The user continues to click OK and sometimes gets a 0x80040001 error.
Richard M. Hicks / May 24, 2017
Hi Toya. Neither new PIN or next token modes are supported with DirectAccess. Details here: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/ras/otp/deploy-ra-otp#a-namebkmksoftasoftware-requirements.
Myles / August 14, 2017
Hi Richard, first of all, this is a great guide! Thank You! We’ve followed your guide to the letter, but for some reason are unable to get it to work. While OTP authentication succeeds, we receive an Event ID 53 on the CA “Active Directory Certificate Services denied request .. because The parameter is incorrect. 0x80070057…. Additional information: Denied by Policy Module”. We are using a 2K8R2 CA, and have followed the directions exactly. We see the Registration Authority certificate in the certificate store of the DA computer, so it should be used for signing the request that goes to the CA. We’ve followed every Microsoft article describing Event ID 53, and can’t seem to get it to work.
Richard M. Hicks / August 21, 2017
That’s definitely unusual. That error code (0x80070057) seems to indicate a parameter error. Not a lot of help, I know. 😉 However, if your CA is denying the request, I’d look very closely at the configuration and security permissions to ensure you have it right. Other than that, you may end up having to open a support case with Microsoft to get the issue resolved. :/
BMistry / July 9, 2018
I’m trying to get this working with RSA SecurID. I almost have it working, but on the client when I enter my RSA code, on the OTP prompt:
More information is required to complete OTP authentication
in the event viewer I get this:
OTP Authentication with Remote Access server (servername) for user (domainuser) required a challenge from the user.
I’m not sure what is causing that. Any ideas?
Richard M. Hicks / July 10, 2018
No idea. I’ve never implemented RSA with Always On VPN. :/
Engineering IT / July 10, 2018
DirectAccess doesn’t support any challenge from RADIUS. E.g. no PIN changes or next tokencode.
Richard M. Hicks / July 13, 2018
Correct. Definitely limits your options for MFA, for sure. :/
BMistry / July 13, 2018
Yup, the RADIUS server was incorrectly configured on the RSA appliance. I changed the .ini file on it so it does not require the challenge/response and it is working correctly now. Thanks!