imageIn the continuing saga of the “No Usable Certificate(s) 0x103” error, which has been discussed in two previous blog posts:

http://blogs.technet.com/b/tomshinder/archive/2010/03/30/troubleshooting-the-no-usable-certificate-s-ip-https-client-error.aspx

and

http://blogs.technet.com/b/tomshinder/archive/2011/02/21/another-cause-of-the-no-usable-certificates-s-0x103-error.aspx#3415408

we’ll expand on the explanation for the reason why the computer certificate isn’t included in the NTAUTH store on the UAG DirectAccess server. In the second link noted above, we discovered that we’ll see the “No Usable Certificate(s) 0x103 error when there is no CA certificate contained in the NTAUTH store of the UAG DirectAccess server.

What we didn’t discuss was “why wasn’t there a CA certificate in the NTAUTH store of the UAG DirectAccess computer?

If you look in the comments section over at http://blogs.technet.com/b/tomshinder/archive/2011/02/21/another-cause-of-the-no-usable-certificates-s-0x103-error.aspx#3415408 you’ll see that a UAG DirectAccess server admin is having this problem – there is no CA certificate in the NTAUTH store on the UAG DirectAccess server. What he discovered is that while the client machines had this certificate installed, the UAG DirectAccess server didn’t and he thought reason for this is that only the client systems were receiving certificates through autoenrollment; the UAG DirectAccess server was not obtaining a computer certificate through autoenrollment.

I thought this was interesting and did a little research on the subject.

At http://msmvps.com/blogs/bradley/archive/2009/02.aspx?PageIndex=3 you can find the following information:

image“…A Windows client's Enterprise NTAuth store is a local cache of certificates
published in the NTAuthCertificates store in Active Directory. These
certificates are propagated from Active Directory to Windows clients via
Group Policy
. Since the workstation is not members of a domain, the local
NTAuth cache is not being updated and so is empty…

Resolution:
---------------------------
The local NTAuth store can be manually populated using certutil.exe.
Certutil -enteprise -addstore NTAuth CaCertificate.cer
The physical location for the NTAuth store is:
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates
When the issuing CA certificate is added to the NTAuth store…”

The distribution of the enterprise CA certificate is separate from the distribution of the computer certificates through autoenrollment. Distribution of the CA certificate is automatic and distributed through Group Policy mechanisms and is done when the machine joins the domain. In contrast, distribution of the computer certificate through autoenrollment is something that you need to configure manually and target the machines that you want the certificates assigned to, and then requests are sent to the CA for certificate distribution to the requesting client.

Our UAG DirectAccess server admin discovered the answer at support.microsoft.com/.../295663. Check this out:

“The contents of the NTAuth store are cached in the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

This registry key should be automatically updated to reflect the certificates that are published to the NTAuth store in the Active Directory configuration container. This behavior occurs when Group Policy settings are updated and when the client-side extension that is responsible for autoenrollment executes. In certain scenarios, such as Active Directory replication latency or when the Do not enroll certificates automatically policy setting is enabled, the registry is not updated. In such scenarios, you can run the following command manually to insert the certificate into the registry location:

certutil -enterprise -addstore NTAuth CA_CertFilename.cer”

imageOur hats are off to you, anonymous UAG DirectAccess admin!

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
Anywhere Access Group (AAG)
The “Edge Man” blog :
http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter:
http://twitter.com/tshinder
Facebook:
http://www.facebook.com/tshinder

Visit the TechNet forums to discuss all your UAG DirectAccess issues
http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/threads

Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki http://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx