Tuesday, December 4, 2012

Windows Server 2012 DirectAccess IP-HTTPS Error Route has not been enabled

I was in the middle of setting up DirectAccess 2012 in an IPv4-only environment for one of my customers when I hit a really big roadblock. Originally, I had DA set up using the simple deployment method. Everything installed just fine and the DA services were running normally. But the requirement was to add Windows 7 client support, so I needed to add a Certificate Authority and make changes to the DA group policies. This is where I completely screwed up the certificate store policies and improperly configured client auto-enrollment, which then screwed up the IP-HTTPS service on the DirectAccess server. What can I say? This is fairly new technology with very little troubleshooting documentation! The problem was that the IP-HTTPS helper wouldn't work and had a big red X over its service status. The errors said something like this:

Error: The publish property of the IP-HTTPS route has not been enabled.
Error: The IP-HTTPS route does not have published property enabled.

There was one more error as well in the Remote Access console. After several hours of searching the web and trying to come up with some type of answer to how to fix these problems, I decided to completely remove all that I did regarding DirectAccess and start all over again. I removed the CA from the domain, deleted all issued CA certificates, completely removed and deleted the DA server from the domain, ramped up a brand new Windows Server 2012 domain member, cleaned up the DNS entries, and so forth.

Everything was good to go so I re-installed the Remote Access server role one more time and got everything set up all over again, but the SAME IPHTTPS error came up! I didn't have any problems with the self-signed certificates from the DA server, just the IPHTTPS services wouldn't start. After a few more hours, I eventually found the not-so-subtle resolution to this problem in the Technet article here: http://technet.microsoft.com/en-us/library/ee844126(v=ws.10).aspx

Apparently, when the server re-enabled the Remote Access role, it did not also automatically re-enable the Internet Protocol over Secure Hypertext Transfer Protocol (IPHTTPS) which is REQUIRED in order for IPv6 NAT64 translation to work. To enable it, open REGEDIT (make sure to Run as Administrator) and navigate to the following location:

HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters

Add the DWORD value "DisabledComponents" with the hex value of "0" (zero).
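To check and apply this registry change from an elevated PowerShell prompt, here is an added example (not from the original post). The bit meanings it reports are Microsoft's documented DisabledComponents flags, and it assumes the Get-NetIPHttpsState cmdlet (NetworkTransition module on Server 2012) is available.

```powershell
# Added example: inspect and repair the DisabledComponents value that gates
# IPv6 tunnel interfaces such as IP-HTTPS. Run as Administrator on the DA server.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters'
$valueName = 'DisabledComponents'

# Documented bit meanings of DisabledComponents (used for reporting only;
# the fix itself is simply "value present and set to 0").
$bits = @{
    0x01 = 'all tunnel interfaces disabled (IP-HTTPS, ISATAP, 6to4, Teredo)'
    0x10 = 'IPv6 on non-tunnel (native) interfaces disabled'
    0x20 = 'prefix policy prefers IPv4 over IPv6'
}

# Read the current value; $null means the value does not exist yet.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "$valueName is not present in $keyPath."
} else {
    Write-Host ("{0} = 0x{1:X}" -f $valueName, $current)
    foreach ($bit in $bits.Keys) {
        if ($current -band $bit) {
            Write-Host ("  bit 0x{0:X} set: {1}" -f $bit, $bits[$bit])
        }
    }
}

# Apply the fix from the post: create (or overwrite) the DWORD with value 0.
if ($current -ne 0) {
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "$valueName set to 0 (all IPv6 components enabled)."
} else {
    Write-Host "$valueName already 0; no change made."
}

# Verify that the IP-HTTPS interface is now reported as up.
Get-NetIPHttpsState | Format-List
```

If the interface still shows an error after the value is corrected, restart the server as the post notes may be necessary and re-run the last line.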


Doing this will enable the IPHTTPS protocol on the DirectAccess server and fix the issue. All of the services should have a green checkmark and the DA service should now say "Working". I didn't need to reboot the server in order for DA to start working again, but you may need to do so. I know this information will help out others. As always, leave a comment below if you have any questions or concerns.
-Joe