DirectAccess for Windows 7 works! But stops sometimes. Why?

My sometime partner in crime Chad Duffey posted a tip he came across from a couple of DirectAccess deployments where Win7 clients mysteriously stopped working:

I'm seeing lots of cases where a Direct Access proof of concept has been set up and it works really well for a while with both Windows 8 and Windows 7 (Server 2012 for the DA server - don't waste your time with 2008 R2).

The problem is that all of a sudden the Windows 7 test clients stop working. I do it all the time in my lab as well, mostly because I only need it to work for a while so I forget an important step for ongoing Win7 connections. It's really frustrating when you come back to a lab that is saved and it's broken, especially when you are trying to show someone how awesome Direct Access is.

To spoil his punchline (you're welcome, Chad!), the reason this happens can be that you've used an internal PKI to issue the server certificate for the DA box, and that the CRL Distribution Point (CDP) on that certificate is only reachable from inside the corporate network… which, for a remote client, means only once DirectAccess is already up. So it all works happily at first, while the client still holds a cached copy of the CRL. But if the laptop sleeps overnight and the cached CRL's validity period expires, the client can't reach the CDP to grab a fresh CRL, because it needs the tunnel to get there. And because it can't verify that the DA server's certificate hasn't been revoked, it won't continue the connection attempt.

The fix is straightforward but might need some planning: add an externally accessible CDP (an HTTP URL reachable from the Internet) to the certificate used by the clients (n.b. the server certificate installed on the DA box, not necessarily the client certificates themselves. Not that it'd hurt).
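A quick way to check whether you are exposed to this before the lab "mysteriously" breaks is to look at the DA server certificate from the outside, the way a Windows 7 client on the Internet would: list its CDP URLs, test whether each one answers over HTTP, and then build the certificate chain with online revocation checking turned on. The script below is an added diagnostic for this post, not something from Chad's write-up or from the DirectAccess product; it assumes the server certificate has been exported to a `.cer` file (the `$CertPath` value is a placeholder) and that you run it from a machine outside the corporate network with no DA tunnel established.

```powershell
# Added diagnostic (not from the original post): check the CRL Distribution Points
# on the DirectAccess server certificate from an external client's point of view.
# Assumptions: the DA server certificate is exported (public part only) to $CertPath,
# and this runs from a machine outside the corporate network with DirectAccess down.
param(
    [string]$CertPath = 'C:\temp\da-server.cer'   # placeholder path, assumed
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host ("Subject: {0}  Expires: {1}" -f $cert.Subject, $cert.NotAfter)

# The CRL Distribution Points extension has OID 2.5.29.31. Its formatted text
# contains one "URL=<value>" entry per distribution point, which we pull out.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning "No CRL Distribution Points extension: clients have nowhere to fetch a CRL from."
}
$urls = @()
if ($cdpExt) {
    $urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

foreach ($url in $urls) {
    # LDAP CDPs only work for domain-joined clients that can already reach a DC,
    # which an Internet-side client without the tunnel cannot. Only HTTP helps here.
    if ($url -notmatch '^http://') {
        Write-Warning "CDP '$url' is not HTTP; an external client cannot use it before the tunnel is up."
        continue
    }
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        Write-Host ("CDP {0} reachable: HTTP {1}, {2} bytes" -f $url, $resp.StatusCode, $resp.RawContentLength)
    } catch {
        Write-Warning ("CDP {0} NOT reachable from here: {1}" -f $url, $_.Exception.Message)
    }
}

# Build the chain with online revocation checking, which is what fails on the
# client once its cached CRL has expired and the CDP is unreachable.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
if ($chain.Build($cert)) {
    Write-Host "Chain builds with online revocation checking: OK"
} else {
    # Typical results when the CDP is internal-only: RevocationStatusUnknown, OfflineRevocation.
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}
```

One caveat when reading the results: Windows caches CRLs, so the chain build at the end can still succeed on a machine that has recently been inside the network, even though the CDP URL check above fails. That is exactly the behaviour Chad describes, working for a while and then breaking once the cached CRL expires. To see what a client will experience after that expiry, clear the URL cache first (`certutil -urlcache * delete`) and run the script again; a warning on every CDP URL plus a `RevocationStatusUnknown` or `OfflineRevocation` chain status is the signature of the problem, and an HTTP CDP that answers from the Internet is the fix.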

Posted by Tristan Kington, MSPFE Editor. Currently conferencing in Kuala Lumpur. (This post created entirely on a Surface RT in Word 2013, with a red Touch Cover. Red covers are faster.)