Configure Client Authentication and Certificate Mapping for IP-HTTPS Connections

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

This procedure helps mitigate possible security issues for Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS)-connected DirectAccess clients.

To complete these procedures, you must be a member of the local Administrators group, or otherwise be delegated permissions to configure HTTPS settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure client authentication and certificate mapping for the IP-HTTPS certificate

  1. On the DirectAccess server, start a command prompt as an administrator.

  2. From the Command Prompt window, type the certutil -store my command.

  3. From the output of the Certutil.exe tool, find the certificate that is being used for IP-HTTPS authentication and note the Cert Hash(sha1) field.

  4. From the Command Prompt window, type the netsh http add sslcert ipport=IPHTTPSPublicIPv4Address:443 certhash=HashofDA_IPHTTPSCert appid={00112233-4455-6677-8899-AABBCCDDEEFF} dsmapperusage=enable command.

    • IPHTTPSPublicIPv4Address is the public IPv4 address that the DirectAccess server is listening on for incoming IP-HTTPS connections. You can obtain this address from the URL in the display of the netsh interface httpstunnel show interfaces command. IPHTTPSPublicIPv4Address is either the Internet Protocol version 4 (IPv4) address in the uniform resource locator (URL) or the IPv4 address to which the fully qualified domain name (FQDN) in the URL resolves on the Internet. IPHTTPSPublicIPv4Address can also be set to 0.0.0.0.

    • HashofDA_IPHTTPSCert is the certificate hash from step 3, a 20-byte hexadecimal number, with the spaces removed.

Note

You can also use the GuidGEN.exe tool (https://go.microsoft.com/fwlink/?Linkid=121586) to generate the GUID for the appid parameter.
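The four steps above, scripted as an added PowerShell example (not from the original topic): it locates the IP-HTTPS certificate in the computer store, reads its SHA1 hash, generates the appid GUID, creates the HTTP.sys binding with dsmapperusage=enable, and then checks the binding. The subject name CN=da.example.com, the listen address, and the matching of netsh's English output text are assumptions.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell
# session on the DirectAccess server. Assumes the IP-HTTPS certificate sits in
# LocalMachine\My and its subject equals $IpHttpsSubject (placeholder value).
param(
    # Subject of the IP-HTTPS certificate (assumed placeholder; adjust to your server)
    [string]$IpHttpsSubject = "CN=da.example.com",
    # 0.0.0.0 listens on all IPv4 addresses; alternatively use the public IPv4
    # address shown by 'netsh interface httpstunnel show interfaces'
    [string]$ListenAddress  = "0.0.0.0"
)

$ipport = "${ListenAddress}:443"

# Step 3: find the certificate and read its SHA1 hash. The Thumbprint property is
# the Cert Hash(sha1) value from certutil with the spaces already removed.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $IpHttpsSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $IpHttpsSubject" }
$certHash = $cert.Thumbprint

# appid only identifies the owning application; any GUID works, so generate one
# here instead of running GuidGEN.exe.
$appId = "{" + [guid]::NewGuid().ToString() + "}"

# netsh cannot overwrite a binding, so drop an existing one on this ipport first.
$existing = netsh http show sslcert ipport=$ipport
if ($LASTEXITCODE -eq 0 -and (($existing -join "`n") -match 'Certificate Hash')) {
    netsh http delete sslcert ipport=$ipport | Out-Null
}

# Step 4: bind the certificate; dsmapperusage=enable makes HTTP.sys map the
# client certificate presented over IP-HTTPS to the Active Directory account.
$output = netsh http add sslcert ipport=$ipport certhash=$certHash appid=$appId dsmapperusage=enable
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed: $output" }

# Verify the result. The field name matched here is the English netsh output
# ('DS Mapper Usage : Enabled'); localized systems may print it differently.
$binding = netsh http show sslcert ipport=$ipport
if (($binding -join "`n") -notmatch 'DS Mapper Usage\s*:\s*Enabled') {
    throw "Binding exists but DS mapper usage is not enabled on $ipport"
}
$binding
```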
