How to get Windows 7 to work with DirectAccess Server 2012

To get Windows 7 to work, you have to:

- Enable auto-enrollment in GPO
- Create a certificate template for clients and Remote Access server, and enable the templates to be issued.
- Enable Windows 7 client computers to connect via DirectAccess and select the root certificate in Step 2 (in the Remote Access Management console).

Auto-enrollment

  1. To enable auto-enrollment, go to your domain controller and open Group Policy Management.
  2. Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings.
  3. Select Public Key Policies, set the auto-enrollment setting to Enabled and check both boxes.

Certificate Templates

PS: It might be a good idea to make two different security groups in AD, one for Windows 8 and the other for Windows 7. This is because in the steps below you have to define which clients should receive the certificates. Windows 8 clients do not need any certificates, and I am not sure if this will cause problems (not tested).

Start off by installing AD CS (Certificate Services). For testing purposes, I usually install AD CS on the domain controller.

  1. For certificate templates, open Certification Authority, expand Contoso-RootCA and right click on Certificate Templates. Click on Manage.
  2. Go to Certificate Templates Console and right click on Workstation Authentication.
  3. Select Duplicate Template. I chose Windows Server 2008 and Windows 7 as the minimum compatibility.
  4. Use DirectAccess IPSec Client as the template display name. Then move over to the Security tab and add the security group you have for your DirectAccess clients. Mine is DA_Klienter.
  5. Under Permissions, select Read, Enroll and Autoenroll and click OK.
  6. Now we're going to make a new template for the DA server. Duplicate the Workstation Authentication template and use the same minimum compatibility.
  7. Use DirectAccess IPSec Server as the template display name, then go to Extensions and select Application Policies. Click Edit and add Server Authentication.
  8. Go to the Subject Name tab.
  9. Under Subject name format, select Common name.
  10. Go to the Security tab and add your DirectAccess server.
  11. Under Permissions, select Read, Enroll and Autoenroll.

Enable the certificate templates to be issued

  1. Right click on Certificate Templates, select New and then Certificate Template to Issue.
  2. Select both DirectAccess IPSec Client and DirectAccess IPSec Server. Click OK.
  3. Close the console.

The clients and your DA server will now get the new certificates. If you want to speed up the process, run the following command in CMD:
certutil -pulse
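A way to verify the result of this section before moving on to Step 2, as an added example (PowerShell, not part of the original post). It assumes the template display names used above and takes your root CA thumbprint as a placeholder parameter; run it elevated on a Windows 7 client or on the DA server.

```powershell
# Added example, not from the original post: run in an elevated PowerShell
# on a Windows 7 client (-Role Client) or on the DA server (-Role Server)
# to confirm that auto-enrollment delivered the certificate from the
# template created above, that it carries the right EKU, and that it chains
# to the root CA you will select in Step 2.
param(
    [ValidateSet('Client', 'Server')]
    [string]$Role = 'Client',
    # Placeholder: replace with the thumbprint of your own root CA.
    [string]$ExpectedRootThumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'
)

$templateName = "DirectAccess IPSec $Role"
# Client Authentication for clients, Server Authentication for the DA server.
$requiredEku = if ($Role -eq 'Client') { '1.3.6.1.5.5.7.3.2' } else { '1.3.6.1.5.5.7.3.1' }
# Certificate Template Information extension, present on v2 (duplicated) templates.
$templateInfoOid = '1.3.6.1.4.1.311.21.7'
# Assumption: the decoded extension names the template by display name or by
# its CN (display name without spaces), so accept either spelling.
$templatePattern = [regex]::Escape($templateName) + '|' + [regex]::Escape(($templateName -replace ' ', ''))

$found = $false
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }
    if (-not $tmplExt -or $tmplExt.Format($true) -notmatch $templatePattern) { continue }
    $found = $true
    Write-Host "Certificate from template '$templateName': $($cert.Thumbprint) (expires $($cert.NotAfter))"

    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasEku = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $requiredEku })
    if ($hasEku) { Write-Host "  EKU $requiredEku present" }
    else { Write-Warning "  EKU $requiredEku missing: check the template's Application Policies" }

    # Build the chain without CRL lookups so the check also works off-network;
    # DirectAccess itself still performs revocation checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Thumbprint -eq $ExpectedRootThumbprint) { Write-Host "  chains to expected root $($root.Subject)" }
        else { Write-Warning "  chains to $($root.Subject) ($($root.Thumbprint)), not the root chosen in Step 2" }
    } else {
        Write-Warning "  chain did not build: $(($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; ')"
    }
}
if (-not $found) {
    Write-Warning "No certificate from '$templateName' in LocalMachine\My; run 'certutil -pulse' and check the group membership and template permissions."
}
```

If no certificate turns up after a pulse, the machine is usually missing from the security group on the template's Security tab, or the GPO with auto-enrollment has not applied yet (gpupdate /force).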

Modify Step 2

  1. Open Remote Access Management and then the configuration screen.
  2. Modify Step 2 and click Next until you reach the Authentication page.
  3. Check the box for Enable Windows 7 client computers to connect via DirectAccess.
  4. Select your root CA and finish.
Make sure to apply the settings.

5 Responses to “How to get Windows 7 to work with DirectAccess Server 2012”

  1. Hello?

  2. In the DirectAccess IPSec Server certificate template, can I remove all of the info I added in the Security Tab and the Extensions Tab for the DirectAccess IPSec Client certificate I created previously?
    Awesome Blog by the way!!

  3. Hi there!

    I’m quite sure you have to leave those up DBilbie. Sorry for the late answer, hope you see this.

    Fredrik

  4. I always get the error "cannot find the file specified" when selecting the root certificate. I did everything written on the Internet but not really much found there. When I view the cert store I'll see my root certificate but when I select and apply I get this error. I also tried using PowerShell, admin privileges. Is there something to change in the registry? Please help. I have searched for the solution since last November without hope.
    sincerely chris

  5. Any way to get this working without a PKI? Just seems like there should be some way to generate the cert, and populate it to the Win7 machines, (instead of using auto-enroll) but I can’t quite figure out how.
