Hello,
I have a Windows Server 2012 R2 Standard server and a Windows 8.1 Enterprise client in a domain.
I have configured the simple DirectAccess deployment;
- add the Remote Access role
- enable the DirectAccess and VPN (RAS) role service
- Getting Started Wizard
- behind an edge device (with a single network adapter)
So far,
- client and server have received and applied group policy
- the Remote Access Management Console > Dashboard shows everything with a green tick
- I have configured NAT and DNS
- I have confirmed that the server is accessible from the Internet on TCP 443 and there is a listener there
On Windows 8.1 Enterprise, when I right-click on the network simple, the Networks shows the DirectAccess connection but it is stuck at "Connecting".
The log only reports
DirectAccess connectivity status for user: DOMAIN\USER is Error: Corporate connectivity is not working. Windows is unable to contact the DirectAccess server
On the server, I am seeing nothing in the Remote Access Management Console.
When I disable, then re-enable the wireless interface so that DirectAccess attempts to establish a connection, (or if I restart the client), then, on the server, in the System log, Event Viewer shows
Log Name: System
Source: Schannel
Date: 27/11/2014 13:38:49
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: [deleted: was server FQDN]
Description:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" /><EventID>36888</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2014-11-27T13:38:49.288260200Z" /><EventRecordID>9823</EventRecordID><Correlation /><Execution ProcessID="508" ThreadID="2552" /><Channel>System</Channel><Computer>[deleted: was server FQDN]</Computer><Security UserID="S-1-5-18" /></System><EventData><Data Name="AlertDesc">40</Data><Data Name="ErrorState">1205</Data></EventData></Event>
and
Log Name: System
Source: Schannel
Date: 27/11/2014 13:38:49
Event ID: 36874
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: [deleted; was server FQDN]
Description:
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" /><EventID>36874</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2014-11-27T13:38:49.288260200Z" /><EventRecordID>9822</EventRecordID><Correlation /><Execution ProcessID="508" ThreadID="2552" /><Channel>System</Channel><Computer>[deleted; was server FQDN]</Computer><Security UserID="S-1-5-18" /></System><EventData><Data Name="Protocol">TLS 1.2</Data></EventData></Event>
I don't know much about this, but I have a hypothesis.
Windows 8.1 can use NULL encryption, to avoid double encryption. The server is not offering NULL encryption.
I have been referring to Richard Hicks site, among other resources.
http://directaccess.richardhicks.com/2014/06/24/directaccess-ip-https-null-encryption-and-sstp-vpn/
The page above shows a screenshot from Qualys SSL Labs SSL Server test. In the screenshot, the Qualys SSL Labs SSL Server test shows NULL encryption.
TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA
Now, when I use
Qualys SSL Labs - Projects / SSL Server Test (https://www.ssllabs.com/ssltest/) against my own DirectAccess server, the cipher suites section DOES NOT SHOW NULL encryption in the list.
Hence I think Windows 8.1 Enterprise is attempting to connect with NULL encryption, but the server is rejecting the connection because it does not support NULL encryption.
These are clean, simple, runtime clients and servers. The server has McAfee VirusScan Enterprise 8.8 installed. Another forum posting mentioned McAfee was the cause, but the logs do not show any detections or blocked behaviour.
There are of course a huge number of massive updates that have been installed on both Windows Server 2012 R2 and Windows 8.1; both are up to date as of 27 November 2014. It could be that one of the updates has changed something. But the updates are there for a reason, often to fix a security vulnerability, so I can't simply ignore the updates.
There is a related KB article...
SHA512 is disabled in Windows when you use TLS 1.2 (http://support.microsoft.com/kb/2973337)
...but when I examine my certificate (created by the Wizard, not from a trusted certificate authority) I see...
Signature algorithm: sha1RSA Signature hash algorithm: sha1
...that is, my certificate isn't using the disabled algorithms, so this is unlikely to be the cause.
Any help is welcome!
Anwar
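Added example, not part of Anwar's post: a PowerShell check, run as Administrator on the DirectAccess server, that tests the NULL-cipher hypothesis locally instead of via an external scan. It lists the suites Schannel offers, inspects the two settings that most commonly remove the NULL suites (a policy cipher suite order and the SCHANNEL\Ciphers\NULL key), and counts the Schannel 36874/36888 events quoted above so a change can be verified. Cmdlets and registry paths are standard Windows ones; the 24-hour window is an assumption.

```powershell
# Added example (not from the original post): run as Administrator on the
# Windows Server 2012 R2 DirectAccess server.
$nullSuites = 'TLS_RSA_WITH_NULL_SHA256', 'TLS_RSA_WITH_NULL_SHA'

# 1. Suites Schannel will actually negotiate, in priority order
#    (Get-TlsCipherSuite exists on Windows 8.1 / Server 2012 R2 and later).
$enabled = (Get-TlsCipherSuite).Name
foreach ($suite in $nullSuites) {
    $state = if ($enabled -contains $suite) { 'offered' } else { 'NOT offered' }
    '{0,-26} {1}' -f $suite, $state
}

# 2. A policy-defined cipher suite order (GPO: SSL Configuration Settings >
#    SSL Cipher Suite Order) replaces the default list. If it omits the NULL
#    suites, a client that offers only NULL ciphers gets alert 40
#    (handshake_failure), which is what event 36888 above records.
$order = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' `
                          -Name Functions -ErrorAction SilentlyContinue
if ($order) {
    $configured = $order.Functions -split ','
    $missing = $nullSuites | Where-Object { $configured -notcontains $_ }
    if ($missing) { "Policy cipher suite order omits: $($missing -join ', ')" }
    else { 'Policy cipher suite order includes the NULL suites' }
} else {
    'No policy cipher suite order set (Schannel defaults apply)'
}

# 3. Hardening tools often disable the NULL cipher outright under SCHANNEL\Ciphers,
#    which removes every *_WITH_NULL_* suite regardless of the order above.
$nullCipher = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' `
                               -Name Enabled -ErrorAction SilentlyContinue
if ($nullCipher -and $nullCipher.Enabled -eq 0) {
    'NULL cipher is disabled in SCHANNEL\Ciphers\NULL'
}

# 4. Count the Schannel events from the last 24 hours (assumed window). After a
#    configuration change, a fresh client attempt should not add to these counts.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Schannel'; Id = 36874, 36888
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | Group-Object Id | Select-Object Name, Count
```

The same Get-TlsCipherSuite call on the Windows 8.1 client shows whether it really prefers the NULL suites, which closes the other half of the hypothesis.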