UAG 2010: Error “Unknown error 0xc00000403” when adding a UAG machine to an Array

You may encounter the following error while joining an array member to a UAG array.

Cause: After you enter the username, password and domain, the UAG Array Manager machine verifies these credentials with the domain controller using Kerberos. After successful verification it allows the member to join the array. If Kerberos communication between the domain controller and the UAG server fails, the credentials cannot be verified and UAG throws the above error.

Solution: Restart either the DC or the UAG Array Manager, or both. This may re-establish Kerberos communication between the DC and UAG so that the credentials sent by the member machine can be verified.

UAG 2010: “Applying Network Access Protection configuration failed”

Problem:

When trying to activate the configuration on a UAG server, you might find that the activation fails and you see the following error messages in the status window:

Error: Applying Network Access Protection configuration failed.

Error: The UAG DirectAccess configuration cannot be activated

Error: DirectAccess could not be activated.

This ironically happens even when Network Access Protection (NAP) is not in use at all. We tested it even with DirectAccess disabled.

Cause:

The reason is that the Health Registration Authority (HRA) sub-role under the Network Policy Server role is not installed. Under the hood, UAG routinely runs the following command as part of the activation process:

netsh nap hra reset caserver

This command resets the HRA settings, but since the HRA sub-role does not exist, NETSH returns an error and UAG activation fails. In the BIT tracing you can see the following line, which shows that the command could not be executed at all:

[2]0B88.0BE8::03/11/2011-18:59:06.579 [DA.ConfigAgent]Command [nap hra reset caserver] failed to execute.

The root cause can also be seen by opening the Server Manager console on the UAG server, where the HRA role service is shown as not installed.

Solution:

Install the Health Registration Authority role service from Server Manager and re-activate the configuration.

Cheers !!

UAG 2010: “An unknown error occurred while processing the certificate. Contact the site administrator”

A client that is trying to access an SSL enabled application on a backend server (e.g. Exchange) that is published through the Forefront UAG portal gets an error, specifically:

“An unknown error occurred while processing the certificate. Contact the site administrator”.

The cause:

The problem has nothing to do with the UAG certificates themselves; it is most likely caused by an invalid certificate on the backend server. By default, Forefront UAG validates both the certificate and the certificate revocation list (CRL) of each SSL certificate on the backend server during the TLS handshake. If the certificate or the CRL is not valid, users are denied access to that backend server. The same happens if the CRL distribution point is unavailable for any reason. Let’s assume that the certificate is valid, but UAG is unable to reach the CRL distribution point. According to Microsoft, internet access should be enabled on the UAG servers for this to work properly, although we understand that this may not be an acceptable solution for many companies because of their stringent policies.

There are two ways to resolve this:

  1. Disable the CRL check in the UAG as mentioned at http://blogs.technet.com/b/edgeaccessblog/archive/2010/03/31/an-unknown-error-occurred-while-processing-the-certificate.aspx
  2. Enable internet access on the UAG, which will let the CRL check succeed. You can do this either by allowing internet traffic from the UAG or by using a proxy setting in Internet Explorer. Internet Explorer proxy settings are system wide, so they may not always take effect for UAG; if not, configure UAG to use the proxy via the WinHTTP proxy settings. To do so, first run the command below to check the current settings:

netsh winhttp show proxy

It should come back with “Direct access (no proxy server)” if no WinHTTP proxy settings were previously defined.

Then, run the following command:

netsh winhttp set proxy <proxy name>:<proxy port>

For example:

netsh winhttp set proxy WebProxy.company.com:8080
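To confirm which side is failing before changing anything, the following PowerShell script (an added diagnostic, not part of the original post) fetches the backend server's certificate, runs the same online CRL check UAG performs during the handshake, and then tests each CRL distribution point through WinHTTP, which honours the netsh winhttp proxy setting. The backend host name and port are assumptions; run it on the UAG server.

```powershell
# Added diagnostic (not from the original post). Assumes the backend FQDN below.
param(
    [string]$BackendHost = 'exchange.corp.example',   # assumption: your backend server
    [int]$Port = 443
)

function Get-BackendCertificate($HostName, $Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept-all callback only lets the handshake finish so the cert can be captured;
    # the real validation happens in Test-Revocation below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $tcp.Close() }
}

function Test-Revocation($Cert) {
    # Same policy UAG applies: build the chain and fetch CRLs online for every link.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    if ($chain.Build($Cert)) { return 'Chain OK: certificate and CRLs validated' }
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    "Chain FAILED: $status"    # e.g. RevocationStatusUnknown, OfflineRevocation
}

function Get-CrlUrls($Cert) {
    # CRL Distribution Points extension (OID 2.5.29.31), rendered as text by Windows
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlUrl($Url) {
    # WinHttpRequest uses the WinHTTP proxy (netsh winhttp set proxy), not the
    # Internet Explorer setting, so this follows the same path as UAG's CRL fetch.
    $req = New-Object -ComObject WinHttp.WinHttpRequest.5.1
    $req.SetTimeouts(5000, 5000, 5000, 10000)
    try {
        $req.Open('GET', $Url, $false)
        $req.Send()
        "$Url -> HTTP $($req.Status)"
    } catch { "$Url -> UNREACHABLE: $($_.Exception.Message)" }
}

$cert = Get-BackendCertificate $BackendHost $Port
"Subject: $($cert.Subject)  Expires: $($cert.NotAfter)"
Test-Revocation $cert
foreach ($url in Get-CrlUrls $cert) { Test-CrlUrl $url }
```

A chain status of RevocationStatusUnknown or OfflineRevocation together with an UNREACHABLE distribution point confirms the proxy/internet path is the problem rather than the certificate itself.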

Enjoy !!