We released Windows 7 and Windows Server 2008 R2 last year. One of the features we deployed internally was DirectAccess. You must have heard about DirectAccess many times during our New Efficiency and similar launch events, where we have been telling the Better Together story of Windows 7 and Windows Server 2008 R2.
The blog title already hints at what I am going to cover in today's post: connecting to your office corporate network using TATA Photon+ and Reliance NetConnect. Many users connect to the Internet using options such as ADSL, wireless, ISDN etc., and DirectAccess works seamlessly over most of these, such as wireless at home, in hotels and at airports. I will be covering connectivity in India, where the major players offering high-speed CDMA broadband are TATA Photon+ and Reliance NetConnect Broadband. Both offer up to 3.1 Mbps, but we won't go into that here. We will specifically cover connecting to CorpNet using TATA Photon+ and Reliance NetConnect, for the simple reason that most users are not able to use the DirectAccess feature over these Internet connections.
I have been on the DirectAccess pilot for a long time, and since I joined it has been an amazing experience connecting to CorpNet without going through the standard VPN/RAS dialing process. The sad part was that I was not able to connect to CorpNet using my TATA Photon+ card. I have been using Tata Photon+ since last December, but every time I tried to connect to CorpNet using DirectAccess there was no success, and I fell back to the regular RAS/VPN process. The same happened when I tried Reliance NetConnect Broadband. I tried different settings with no luck, and then decided to let it go. Later I learned that most of my colleagues were facing the same problem and were unable to use DirectAccess.
So, while travelling last week, I decided to reach a solid conclusion before giving up and asking the product group. Here is how I found the solution to this problem, and here are my findings.
Checking DirectAccess Status
Trying to connect to the CorpNet environment using TATA Photon+ Internet.
Here is the standard TATA Photon+ dialer; I click Connect to get connected to the Internet.
The Reliance dialer looks exactly the same except for the logo in the right corner; the complete software is made by HUAWEI Technologies Co., Ltd.
The red box marks the actual profile, i.e. the actual dial-up connection created by the Huawei Access Manager.
Let me try connecting to a computer in the corporate environment; say aviraj-demo is my server in my Microsoft office environment. A minute after connecting to the Internet, I ping it and get a reply with an IPv6 address. This means DirectAccess is at least partly operational on my machine, but not completely functional. Let's test it.
DirectAccess Attempt #1: Connecting to resources in my CorpNet
Now that I can ping it, let me try accessing files on that server or taking a Remote Desktop session to it.
Resource Output 1: Accessing internal site: http://sharepoint Status: FAILED
The site does not open; the browser goes out to the Internet to search for this internal portal because there is no CorpNet connectivity.
Resource Output 2: File Share (start -> run -> \\aviraj-demo ) Status: FAILED
Resource Output 3: Remote Desktop Protocol – RDP (mstsc) Status: FAILED
TROUBLESHOOTING DirectAccess Using Windows 7 Built-in Troubleshooting Packs
I am getting a ping response, but it seems I do not yet have complete CorpNet access, apparently due to authentication. So I decided to run the troubleshooting option located in Network and Sharing Center.
You can do that by clicking on Connection to a Workplace Using DirectAccess. I selected the Automatic Repair check box.
After running this wizard I got the following result. It was not much help; I tried updating Group Policy, assuming something was missing, but nothing worked.
TESTING OUTLOOK CLIENT CONNECTION… Hint for the solution!!!
Since I was connected to the Internet, I decided to open the Outlook 2010 client. As soon as I clicked on Outlook 2010, here is the prompt I got.
Hmm, surprisingly, instead of my own Domain\Alias, i.e. fareast\i-aviraj, I am prompted with something like "internet". At this point I realized that every other time I connect to the Internet I am prompted with my alias, so why, every time I connect using TATA Photon+, am I prompted with "internet"?
AND NOW THE SOLUTIONS FOR THIS PROBLEM.
Get DirectAccess Working – SOLUTION # 1: Using Huawei Dialer & Credentials Manager
Step 1: Get connected to the Internet using the process shown above, with the TATA PHOTON+ dialer or the RELIANCE NETCONNECT BROADBAND dialer.
Step 2: Go to Control Panel and double-click on Credential Manager.
Step 3: Expand the first entry, named *Session, under Windows Credentials, with status Modified: Today.
IMPORTANT NOTE: DO NOT DISCONNECT THE CONNECTION.
This is the exact reason DirectAccess is not fully functional. Every time you connect using the HUAWEI Connection Manager, it creates this Windows Credential named *Session with Persistence: Logon Session. Because of this logon-session entry, the default domain credentials are bypassed and the dialer-provided credentials are used for authentication instead, which subsequently fails.
What is Logon Session?
A logon session begins whenever a user logs on to a computer. All processes in a logon session have the same primary access token. The access token contains information about the security context of the logon session, including the user's SID, the logon identifier, and the logon SID.
More to read http://msdn.microsoft.com/en-us/library/aa378338(VS.85).aspx
Step 4: Solving this issue and getting back to Domain Credentials
Click on Remove Credentials and click Yes.
Step 5: Success within a Minute. :)
The moment you delete it, wait a few seconds and try to open any internal website, say http://msw. Within moments you will get the prompt you have been waiting for, for months, over your high-speed CDMA broadband connection.
Voila!!! Success, this is what you have been waiting for for a long time: DirectAccess over TATA Photon+ and Reliance NetConnect Broadband using the HUAWEI dialer.
Windows Needs your Smart Card Credentials
Double-click on the credential icon in the system tray, insert your smart card in the reader and enter your PIN.
You will see your credentials getting verified.
THAT'S IT. YOU ARE CONNECTED TO YOUR CORPNET. NO MORE STEPS.
***** SOLUTION 1 ENDS HERE *****
Let's test whether this solution really worked.
DirectAccess Attempt #2: Connecting to resources in my CorpNet… After Applying Solution 1
Now that I have authenticated with my smart card, I will check the different resources.
Resource Output 1: Accessing internal site: http://sharepoint Status: SUCCESS
Resource Output 2: File Share (start -> run -> \\aviraj-demo ) Status: SUCCESS
This time I go to Start > Run, enter the file share \\aviraj-demo and wait for the response.
While hovering over the taskbar I see the mouse pointer showing the busy icon, which means Explorer is trying to connect to the remote resource. After a minute or so, after resolving the server name, here is my output.
Resource Output 3: Remote Desktop Protocol - RDP (mstsc) Status: SUCCESS
When Connected to Remote Desktop over DirectAccess
This solution works with the dialer, and many users want to keep using the TATA/RELIANCE dialer because it shows signal strength via the HSIA/CDMA status and keeps track of usage with detailed statistics and real-time speed in KB/s.
I hope this will help you experience DirectAccess over this high-speed connection.
JUST REMEMBER: EVERY TIME YOU GET CONNECTED TO THE INTERNET USING THE TATA/RELIANCE DIALER, YOU NEED TO REMOVE THE *Session ENTRY FROM CREDENTIAL MANAGER TO GET DirectAccess WORKING.
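Because the *Session entry has to be removed after every dial-up, it is worth scripting Solution 1. The PowerShell below is an added example and is not from the original post or from Microsoft; it uses the built-in cmdkey.exe and netsh.exe tools. It assumes that the dialer's stray credential shows up in the output of "cmdkey /list" with the text *Session as it does in Credential Manager, that "cmdkey /delete /ras" removes that stored remote-access credential (the command-line counterpart of the Remove button), and that aviraj-demo and http://sharepoint are stand-ins for your own internal server and site.

```powershell
# Added example, not from the original post: the "Solution 1" routine as a script.
# Assumptions: cmdkey.exe and netsh.exe are available (both ship with Windows 7),
# the dialer's stray credential appears in "cmdkey /list" output containing the
# text "*Session" exactly as shown in Credential Manager, and aviraj-demo /
# http://sharepoint are placeholders for your own internal server and site.

function Show-DirectAccessState {
    # Where the DNS client thinks the machine is (inside/outside CorpNet) and
    # whether the DirectAccess settings from Group Policy are applied at all
    netsh dnsclient show state
    # The effective Name Resolution Policy Table: CorpNet name suffixes that are
    # sent to the internal DNS servers over the tunnel instead of the ISP's DNS
    netsh namespace show effectivepolicy
}

function Test-StaleSessionCredential {
    # $true while the Huawei dialer's "*Session" credential (Persistence: Logon
    # Session) is stored. In that state Windows authenticates to CorpNet with the
    # dialer's account instead of your domain / smart card credentials and fails.
    $hit = cmdkey /list | Select-String -SimpleMatch '*Session'
    return [bool]$hit
}

function Remove-StaleSessionCredential {
    if (-not (Test-StaleSessionCredential)) {
        Write-Host 'No *Session credential stored; nothing to remove.'
        return $false
    }
    # "/delete /ras" removes the stored remote-access (dial-up) credential; the
    # dial-up connection itself stays up, exactly as the post insists.
    cmdkey /delete /ras | Out-Null
    if (Test-StaleSessionCredential) {
        throw 'The *Session credential is still present after cmdkey /delete /ras.'
    }
    Write-Host 'Removed the *Session credential; expect the smart card prompt shortly.'
    return $true
}

function Test-CorpNetResource {
    param(
        [string]$HostName = 'aviraj-demo',       # placeholder internal server
        [string]$Url      = 'http://sharepoint'  # placeholder internal site
    )
    # 1. Name resolution: through the NRPT the name should resolve to an IPv6
    #    address that is reachable over the DirectAccess tunnel
    foreach ($addr in [System.Net.Dns]::GetHostAddresses($HostName)) {
        Write-Host ("{0} -> {1} [{2}]" -f $HostName, $addr, $addr.AddressFamily)
    }
    # 2. ICMP: this succeeded even in the post's failed Attempt #1, so a ping reply
    #    proves the tunnel is up but says nothing about authentication
    ping.exe -n 2 $HostName | Out-Null
    Write-Host ("ping {0}: exit code {1}" -f $HostName, $LASTEXITCODE)
    # 3. An authenticated resource is the real test: an HTTP request with your
    #    default (domain) credentials to an internal site
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.UseDefaultCredentials = $true
        $resp = $req.GetResponse()
        Write-Host ("{0}: HTTP {1} - SUCCESS" -f $Url, [int]$resp.StatusCode)
        $resp.Close()
        return $true
    } catch {
        Write-Host ("{0}: FAILED - {1}" -f $Url, $_.Exception.Message)
        return $false
    }
}

# Run after connecting with the TATA/Reliance dialer, without disconnecting it
Show-DirectAccessState
Remove-StaleSessionCredential | Out-Null
Test-CorpNetResource
```

The ping step is kept deliberately: it reproduces the misleading result from Attempt #1, where ICMP over the tunnel already worked while every authenticated resource failed, so the HTTP request with default credentials is the check that actually tells you whether DirectAccess is usable.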
Get DirectAccess Working – SOLUTION # 2: Using Windows Dialer instead of TATA/RELIANCE DIALER
Let’s start by showing the same image…
As I said, the red box indicates that this is basically a Windows dial-up connection that gets dialed in the background. Instead of using the TATA/RELIANCE dialer, you can connect directly to the pre-configured dial-up entry from your network connections.
Step 1: Open the HUAWEI dialer, note the profile name (TATA Indicom in this example) and close the dialer.
Step 2: Click on the Network and Sharing Center icon in the system tray. You will see your profile; click on the profile name (TATA Indicom in this example), click Connect and then click Dial.
Step 3: Once connected, go to Control Panel and double-click on Credential Manager. You will not find any *Session entry under Windows Credentials.
Try to access an internal resource; within a minute you will be prompted for your Windows smart card credentials.
THAT'S IT. YOU ARE CONNECTED TO YOUR CORPNET WITHOUT USING THE TATA/RELIANCE DIALER. NO MORE STEPS.
***** SOLUTION 2 ENDS HERE *****
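Solution 2 can also be done from the command line with rasdial.exe, which dials a Windows phone-book entry directly. This is an added example and not from the original post: it assumes the dial-up entry created by the Huawei installer is named "TATA Indicom" as in the post (check the Network and Sharing Center for yours), and that rasdial's "*" password argument prompts for the password interactively, which keeps it out of your shell history.

```powershell
# Added example, not from the original post: "Solution 2" from the command line.
# Assumptions: the Windows dial-up entry is named "TATA Indicom" as in the post,
# and the account name the CDMA network expects is known (placeholder below).

function Connect-DialUpEntry {
    param(
        [string]$EntryName = 'TATA Indicom',  # placeholder profile name from the post
        [string]$UserName  = $null            # leave empty to use the entry's saved credentials
    )
    # rasdial dials the phone-book entry itself, bypassing the Huawei Access
    # Manager, so no "*Session" credential is written to Credential Manager.
    # "*" makes rasdial prompt for the password instead of taking it as an argument.
    if ($UserName) { rasdial $EntryName $UserName '*' } else { rasdial $EntryName }
    if ($LASTEXITCODE -ne 0) {
        throw "rasdial '$EntryName' failed with error $LASTEXITCODE"
    }
    rasdial   # with no arguments rasdial lists the active connections
}

function Disconnect-DialUpEntry {
    param([string]$EntryName = 'TATA Indicom')
    rasdial $EntryName /disconnect
}

function Test-NoSessionCredential {
    # The point of Solution 2: dialing the entry yourself leaves no "*Session"
    # credential behind, so domain / smart card credentials are used as intended.
    $stale = cmdkey /list | Select-String -SimpleMatch '*Session'
    if ($stale) {
        Write-Warning 'A *Session credential is stored; was the Huawei dialer used after all?'
        return $false
    }
    Write-Host 'No *Session credential stored; DirectAccess can use your domain credentials.'
    return $true
}

# Dial, confirm no stale credential, then try the resources from Attempt #2
Connect-DialUpEntry -EntryName 'TATA Indicom' -UserName 'YOUR-CDMA-ACCOUNT'  # placeholder account
Test-NoSessionCredential
```

After the connection is up, the same resource checks as in DirectAccess Attempt #2 (internal site, file share, RDP) should prompt for the smart card PIN and then succeed, since nothing in Credential Manager is overriding the domain credentials.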
After that, try the same steps performed in DirectAccess Attempt #2.
I hope this post has given you enough ideas about connecting to CorpNet. Many customers will benefit from this and can now use DirectAccess over high-speed CDMA networks or similar types of connections. Meanwhile, I will keep looking for an alternative solution that avoids deleting the Credential Manager entry manually.
I will be publishing a quick Screencast and will share it on http://edge.technet.com/people/aviraj
Quick Reminder: We are undergoing Blog migration to newer platform this week. User comments are disabled. Feel free to ask any questions to me over an E-Mail: firstname.lastname@example.org
Enjoy DirectAccess !!!
Indeed a helpful article !
Great Post... Very Informative!! :)
So it means we don't need a VPN connection anymore to access our local environment, but I have a question: do we have to do anything at server level to access DirectAccess?
excellent article - issue got resolved.
Thank you all for your feedback
@Amit. Yes Amit, you are absolutely correct. Once the DirectAccess IT infrastructure is in place you don't need to VPN into your corporate environment. The backend connectivity to your corporate network is established every time you get connected to the Internet.
DirectAccess uses Group Policy to apply the connection settings. You don't have to initiate anything from your end, e.g. a dialer or any connection.
Great Post... really solved my problem.............
Very much help to fix the DA problem, thanks