Getting IP-HTTPS error code 0x2AFC?

Welcome back! In today's post we cover the reason for IP-HTTPS error code 0x2AFC. Working with a client this week we ran into this error code, and I wanted to share why it occurs and how to fix it.

If your client connects using IP-HTTPS, it can report this error code when the external DNS name of your DirectAccess IP-HTTPS certificate (the host name in the IP-HTTPS URL) does not resolve. Run the following command on the DirectAccess client to check the state of the IP-HTTPS adapter (netsh also accepts the abbreviated form netsh int https show int):

netsh interface httpstunnel show interfaces

The output shows the current state of the connection. A healthy connection shows a Last Error Code of 0x0, like this:

Interface IPHTTPSInterface (Group Policy) Parameters
————————————————————
Role : client
URL : https://da.contoso.com:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface is active.

On a client with error code 0x2AFC, DirectAccess will not be working. On a Windows 8 machine the network flyout shows a status of "Connecting", like so:

[Image: Windows 8 DirectAccess status showing "Connecting"]

On the failing client the netsh command shows the error like this:

Interface IPHTTPSInterface (Group Policy) Parameters
————————————————————
Role : client
URL : https://da.contoso.com:443/IPHTTPS
Last Error Code : 0x2afc
Interface Status : failed to connect to the IPHTTPS server. Waiting to reconnect

The cause of this error is that the DirectAccess client cannot resolve the name da.contoso.com in DNS. If you resolve da.contoso.com from a non-DirectAccess client, you will find that it resolves just fine in external DNS. So why are your DirectAccess clients not resolving da.contoso.com?

The answer lies in the Name Resolution Policy Table (NRPT). The NRPT decides, per DNS namespace, whether a DirectAccess client sends a query to the internal DNS servers through the tunnel or to the normal DNS servers of whatever interface it is on. You can view the NRPT by running the following command on a DirectAccess client (the abbreviated form netsh na sh po also works):

netsh namespace show policy

The output looks something like this (your environment may have many more entries):

DNS Effective Name Resolution Policy Table Settings
Settings for .CONTOSO.COM
———————————————————————-
Certification authority :
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) : fd01:0001:0001:3333::1
DirectAccess (Proxy Settings) : Bypass proxy

Settings for nls.contoso.com
———————————————————————-
Certification authority :
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) :
DirectAccess (Proxy Settings) : Use default browser settings

In my scenario, Group Policy tells the DirectAccess client to resolve everything under .contoso.com using the DirectAccess DNS server at the IPv6 address fd01:0001:0001:3333::1. That address is the DNS64 listener on the DirectAccess server; the DirectAccess wizard generates it automatically and writes it into the DirectAccess Clients GPO. In this case the internal domain name and the external DNS name used for IP-HTTPS both fall inside the contoso.com namespace. Herein lies the problem!

My DirectAccess client is trying to resolve da.contoso.com, but the local NRPT says the entire .contoso.com namespace (which includes da.contoso.com) must be resolved by the DirectAccess server's DNS address. That address is only reachable through the IP-HTTPS tunnel, and the tunnel cannot be established until da.contoso.com resolves. This chicken-and-egg loop is exactly what prevents us from resolving da.contoso.com, and it is what 0x2AFC is reporting.
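To make the NRPT lookup concrete, here is an added PowerShell example (my own, not code from the original post) that parses the text of netsh namespace show policy and reports which rule the client will apply to its IP-HTTPS host name, using the same rule the DNS client uses: the most specific matching namespace wins, and a matching entry with no DirectAccess DNS servers is an exemption. The embedded sample is a constructed copy of the NRPT output shown above, the host name da.contoso.com is the post's example, and the function names are mine.

```powershell
# Added example, not from the original post: decide which NRPT rule governs
# the IP-HTTPS host name, the way the DNS client does (most specific match wins).
# $SampleNrpt is a constructed copy of the "netsh namespace show policy" output in the post.
$SampleNrpt = @'
DNS Effective Name Resolution Policy Table Settings
Settings for .CONTOSO.COM
----------------------------------------------------------------------
Certification authority :
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) : fd01:0001:0001:3333::1
DirectAccess (Proxy Settings) : Bypass proxy

Settings for nls.contoso.com
----------------------------------------------------------------------
Certification authority :
DNSSEC (Validation) : disabled
IPsec settings : disabled
DirectAccess (DNS Servers) :
DirectAccess (Proxy Settings) : Use default browser settings
'@

function ConvertFrom-NrptPolicyText {
    # Turn each "Settings for <name>" block into an object with the namespace
    # and its DirectAccess DNS servers (an empty list means an exemption rule).
    param([Parameter(Mandatory)][string]$PolicyText)
    $rules = @(); $rule = $null
    foreach ($line in ($PolicyText -split "`r?`n")) {
        if ($line -match '^\s*Settings for\s+(\S+)') {
            if ($rule) { $rules += [pscustomobject]$rule }
            $rule = [ordered]@{ Namespace = $Matches[1]; DirectAccessDnsServers = @() }
        }
        elseif ($rule -and $line -match '^\s*DirectAccess \(DNS Servers\)\s*:\s*(.*)$') {
            $rule.DirectAccessDnsServers = @($Matches[1].Trim() -split '[,\s]+' | Where-Object { $_ })
        }
    }
    if ($rule) { $rules += [pscustomobject]$rule }
    return $rules
}

function Test-NrptCoverage {
    param(
        [Parameter(Mandatory)][string]$PolicyText,
        [Parameter(Mandatory)][string]$IPHttpsHost
    )
    $name = $IPHttpsHost.ToLowerInvariant().TrimEnd('.')
    $hits = foreach ($r in (ConvertFrom-NrptPolicyText -PolicyText $PolicyText)) {
        $ns = $r.Namespace.ToLowerInvariant()
        if ($ns.StartsWith('.')) {
            # Suffix rule (".contoso.com"): matches any name under that suffix.
            if ($name.EndsWith($ns)) { $r }
        }
        elseif ($name -eq $ns) { $r }   # FQDN rule: exact match only
    }
    # Table order is irrelevant: the longest (most specific) namespace wins.
    $winner = $hits | Sort-Object { $_.Namespace.Length } -Descending | Select-Object -First 1
    if (-not $winner) {
        $ruleName = '<none>'
        $verdict  = 'OK: no NRPT rule matches, the interface DNS servers are used'
    }
    elseif ($winner.DirectAccessDnsServers.Count -eq 0) {
        $ruleName = $winner.Namespace
        $verdict  = 'OK: exemption rule, the interface DNS servers are used'
    }
    else {
        # The 0x2AFC case: the lookup is sent to a DNS server that is only
        # reachable through the tunnel this very lookup is supposed to build.
        $ruleName = $winner.Namespace
        $verdict  = "BROKEN: query goes to DirectAccess DNS $($winner.DirectAccessDnsServers -join ', ') before the tunnel exists"
    }
    [pscustomobject]@{ Host = $name; MatchingRule = $ruleName; Verdict = $verdict }
}

# Constructed sample: the post's table (BROKEN), then the same table with the exemption added (OK).
Test-NrptCoverage -PolicyText $SampleNrpt -IPHttpsHost 'da.contoso.com'
$Fixed = $SampleNrpt + "`n`nSettings for da.contoso.com`nDirectAccess (DNS Servers) :`n"
Test-NrptCoverage -PolicyText $Fixed -IPHttpsHost 'da.contoso.com'

# On a real client, feed it the live table instead:
# Test-NrptCoverage -PolicyText (netsh namespace show policy | Out-String) -IPHttpsHost 'da.contoso.com'
```

The first call reports the .CONTOSO.COM suffix rule as the winner, with the DirectAccess DNS server attached, which is the broken state this post describes; the second call, with a da.contoso.com entry that has no DNS servers, reports the exemption as the winner because the longer namespace is more specific. Run the live form on a client while it is outside the corporate network, since that is where the NRPT is in effect.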

The workaround is to add an entry in the NRPT that tells your DA clients to resolve da.contoso.com with their normal Internet DNS (an NRPT exemption). On the DirectAccess server, open the Remote Access Management console, edit the configuration under Step 3, go to the DNS section, and double-click the empty row at the bottom of the name list (the line that starts with a *):

[Image: NRPT Settings]

Enter a DNS suffix of da.contoso.com, leave everything else blank, and click Apply. An entry with no DNS server address is an exemption: the client resolves that name with the DNS servers of its current interface instead of through DirectAccess. Enter the exact FQDN of the IP-HTTPS server, not a suffix with a leading dot, or you will exempt a whole namespace from DirectAccess DNS:

[Image: Adding exemption in the NRPT]

As a side note, you can also do this with a one-line PowerShell cmdlet on the DirectAccess server (omitting -DnsIPAddress is what makes the entry an exemption):

Add-DAClientDnsConfiguration -DnsSuffix da.contoso.com

The change lands in the DirectAccess Clients GPO, and a client that cannot reach the DirectAccess server has no way to pull updated policy remotely. So once you have applied the change, connect the affected clients to the corporate network (or otherwise give them a path to a domain controller) and refresh Group Policy. Once a client has the updated GPO, it should be connected to DirectAccess!
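As an added example (mine, not code from the original post), here is the fix and its verification wrapped into two small PowerShell helpers: one for the DirectAccess server, which creates the exemption and refuses a suffix-style entry, and one for the client, which confirms the exemption arrived and the adapter recovered. The function names are mine; Add-DAClientDnsConfiguration, Get-DAClientDnsConfiguration, Get-DnsClientNrptPolicy and Resolve-DnsName are the RemoteAccess and DnsClient modules' own cmdlets, and the property names DnsSuffix, Namespace and DirectAccessDnsServers are as I recall them from their documentation (check with Get-Member if your version differs). The host name da.contoso.com is the post's example.

```powershell
# Added example, not from the original post.

function Add-IPHttpsNrptExemption {
    # Run on the DirectAccess server. Creates the NRPT exemption for the
    # IP-HTTPS host and shows the entry that will be pushed in the clients GPO.
    param([Parameter(Mandatory)][string]$IPHttpsHost)
    # The exemption must be the exact FQDN. A leading dot would make it a
    # suffix rule and pull the whole namespace out of DirectAccess DNS, so
    # internal names would be looked up on public resolvers.
    if ($IPHttpsHost -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        throw "Expected an exact FQDN such as da.contoso.com, got '$IPHttpsHost'"
    }
    # No -DnsIPAddress means "resolve with the interface's DNS servers", i.e. an exemption.
    Add-DAClientDnsConfiguration -DnsSuffix $IPHttpsHost
    Get-DAClientDnsConfiguration | Where-Object { $_.DnsSuffix -eq $IPHttpsHost }
}

function Test-IPHttpsClientRecovered {
    # Run on the client from OUTSIDE the corporate network, after it has
    # refreshed Group Policy while inside (gpupdate /target:computer /force).
    param([Parameter(Mandatory)][string]$IPHttpsHost)
    $rule  = Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq $IPHttpsHost }
    # Read the adapter state from the same netsh output the post uses.
    $netsh = netsh interface httpstunnel show interfaces | Out-String
    $code  = if ($netsh -match 'Last Error Code\s*:\s*(0x[0-9a-fA-F]+)') { $Matches[1] } else { 'unknown' }
    # With the exemption in place this query goes to the interface DNS and succeeds
    # before any tunnel exists; without it, it is sent to the unreachable DA DNS server.
    $addr  = Resolve-DnsName -Name $IPHttpsHost -Type A -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ExemptionInNrpt = ([bool]$rule -and -not $rule.DirectAccessDnsServers)
        NameResolves    = [bool]$addr
        LastErrorCode   = $code   # 0x0 is healthy; 0x2afc is the error this post covers
    }
}

# Server:  Add-IPHttpsNrptExemption -IPHttpsHost 'da.contoso.com'
# Client:  Test-IPHttpsClientRecovered -IPHttpsHost 'da.contoso.com'
```

If ExemptionInNrpt is false after the policy refresh, the client has not picked up the new GPO yet; if it is true but LastErrorCode is still 0x2afc, the problem is somewhere other than name resolution (for example the certificate or a firewall in front of the server), and the NRPT is no longer the place to look.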

Hope this helps anyone else encountering IP-HTTPS error code 0x2AFC.


Categories: Troubleshooting DirectAccess

23 Comments on “Getting IP-HTTPS error code 0x2AFC?”

  1. Matt
    September 16, 2013 at 19:21 #

    Great article – I had been tearing my hair out as to why name resolution wasn’t working for my hosts… explains it perfectly!

  2. Derrick
    February 13, 2014 at 15:55 #

    What is the fix if only one user is having the issue? I have already done this: "The workaround is to add an entry in the NRPT to tell your DA Clients to resolve da.contoso.com using its normal Internet DNS".

    • February 14, 2014 at 13:40 #

      Hi Derrick,

      Are the rest of your DirectAccess clients working fine? Do you see your external DirectAccess DNS record when you type the following command on the broken client?

      netsh na sh po

      • Russell Sulli
        April 23, 2014 at 19:25 #

        My company has been working on implementing DirectAccess for quite some time now. We have been facing this issue randomly with some of our clients. We had an idea that an entry in the hosts file may make doubly sure that the client does not resolve the “da.contoso.com” via the corporate DNS. Though, for my own understanding in the processing of the NRPT, is there an order of precedence with the NRPT? By this, I mean, if a certain rule is higher or lower in the NRPT, might one rule ‘win’ over another as in Group Policy. If so, then simply making sure the correct precedence in order may suffice instead of a hosts file entry.

      • April 29, 2014 at 08:06 #

        Hi Russell,

        The NRPT is loaded and it doesn’t matter the order of the entries in the table. The OS will merge the entries together to build a resultant NRPT policy. Now remember that the NRPT does not load while inside of your corporate network so it will only apply for your outside DA clients.

      • Alan
        April 28, 2014 at 20:59 #

        It's a great topic. But as Derrick pointed out, I am getting exactly the same problem, and only on one machine. The root cause, I guess, is that my client didn't get any IPv6 address.

        I tried:

        On the internal network: gpupdate /force many times.
        Checked all DA settings in the registry, all look fine.
        But even on the internal network, pinging the IPv6 gateway says transmit failed, General failure.

        Really a headache! And it has been a month now. Any advice is appreciated!

        ————————————————————————————-
        RED: Corporate connectivity is not working.
        Windows cannot contact the DirectAccess server. Please contact your administrator if this problem persists.
        29/4/2014 3:40:44 (UTC)

        Probes List
        RESOLVED NAME PING: 2002:8a68:e717::8a68:e717
        FAIL HTTP: http://mimi

        DTE List
        RESOLVED NAME PING: 2002:8a68:e717::8a68:e717
        RESOLVED NAME PING: 2002:8a68:e716::8a68:e716

        C:\WINDOWS\system32\LogSpace\{6EF97660-69DE-40EB-BA8F-02E5332DF254}>ipconfig /all

        Windows IP Configuration

        Host Name . . . . . . . . . . . . : cn017789mm
        Primary Dns Suffix . . . . . . . : mottmac.group.int
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : mottmac.group.int
        Cisco
        group.int

        Wireless LAN adapter Wireless Network Connection 3:

        Media State . . . . . . . . . . . : Media disconnected
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #2
        Physical Address. . . . . . . . . : B4-B6-76-3A-05-9E
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes

        Wireless LAN adapter Wireless Network Connection 2:

        Media State . . . . . . . . . . . : Media disconnected
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
        Physical Address. . . . . . . . . : B4-B6-76-3A-05-9E
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes

        Wireless LAN adapter Wireless Network Connection:

        Connection-specific DNS Suffix . : Cisco
        Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6235
        Physical Address. . . . . . . . . : B4-B6-76-3A-05-9D
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Link-local IPv6 Address . . . . . : fe80::8c2f:82e7:c525:ed9a%18(Preferred)
        IPv4 Address. . . . . . . . . . . : 192.168.1.247(Preferred)
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Lease Obtained. . . . . . . . . . : 29 April 2014 11:36:40
        Lease Expires . . . . . . . . . . : 30 April 2014 11:36:39
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DHCPv6 IAID . . . . . . . . . . . : 397719158
        DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-E1-58-C2-28-92-4A-23-2E-88
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        NetBIOS over Tcpip. . . . . . . . : Enabled

        Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Connection-specific DNS Suffix . : mottmac.group.int
        Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
        Physical Address. . . . . . . . . : 28-92-4A-23-2E-88
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes

        Tunnel adapter isatap.{2AA5AE58-2E72-4128-94A6-936C173A8CDE}:

        Media State . . . . . . . . . . . : Media disconnected
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Microsoft ISATAP Adapter
        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
        DHCP Enabled. . . . . . . . . . . : No
        Autoconfiguration Enabled . . . . : Yes

        Tunnel adapter isatap.Cisco:

        Media State . . . . . . . . . . . : Media disconnected
        Connection-specific DNS Suffix . : Cisco
        Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
        DHCP Enabled. . . . . . . . . . . : No
        Autoconfiguration Enabled . . . . : Yes

        Tunnel adapter iphttpsinterface:

        Media State . . . . . . . . . . . : Media disconnected
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : iphttpsinterface
        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
        DHCP Enabled. . . . . . . . . . . : No
        Autoconfiguration Enabled . . . . : Yes

        Tunnel adapter Teredo Tunneling Pseudo-Interface:

        Media State . . . . . . . . . . . : Media disconnected
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
        DHCP Enabled. . . . . . . . . . . : No
        Autoconfiguration Enabled . . . . : Yes

        Tunnel adapter isatap.{F3D21253-3DA6-4E33-B59B-58D562F4ADB4}:

        Media State . . . . . . . . . . . : Media disconnected
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
        DHCP Enabled. . . . . . . . . . . : No
        Autoconfiguration Enabled . . . . : Yes

        C:\WINDOWS\system32\LogSpace\{6EF97660-69DE-40EB-BA8F-02E5332DF254}>netsh int teredo show state
        Teredo Parameters
        ———————————————
        Type : enterpriseclient (Group Policy)
        Server Name : 138.104.231.22 (Group Policy)
        Client Refresh Interval : 30 seconds
        Client Port : unspecified
        State : offline
        Error : secondary teredo server unreachable over UDP

        C:\WINDOWS\system32\LogSpace\{6EF97660-69DE-40EB-BA8F-02E5332DF254}>netsh int httpstunnel show interfaces

        Interface IPHTTPSInterface (Group Policy) Parameters
        ————————————————————
        Role : client
        URL : https://remoteextdaapna.mottmac.com:443/IPHTTPS
        Last Error Code : 0x2afc
        Interface Status : failed to connect to the IPHTTPS server. Waiting to reconnect

        C:\WINDOWS\system32\LogSpace\{6EF97660-69DE-40EB-BA8F-02E5332DF254}>netsh dns show state

        Name Resolution Policy Table Options
        ——————————————————————–

        Query Failure Behavior : Always fall back to LLMNR and NetBIOS
        if the name does not exist in DNS or
        if the DNS servers are unreachable
        when on a private network

        Query Resolution Behavior : Resolve only IPv6 addresses for names

        Network Location Behavior : Let Network ID determine when Direct
        Access settings are to be used

        Machine Location : Outside corporate network

        Direct Access Settings : Configured and Enabled

        DNSSEC Settings : Not Configured

        C:\WINDOWS\system32\LogSpace\{6EF97660-69DE-40EB-BA8F-02E5332DF254}>netsh name show policy

        DNS Name Resolution Policy Table Settings

        Settings for marketqa.mottmac.com
        ———————————————————————-
        Certification authority : CN=Mott MacDonald Root CA
        DNSSEC (Validation) : disabled
        DNSSEC (IPsec) : disabled
        DirectAccess (DNS Servers) : 2002:8a68:e717::8a68:e717
        DirectAccess (IPsec) : disabled
        DirectAccess (Proxy Settings) : Bypass proxy

        Settings for googlesearch.mottmac.com
        ———————————————————————-
        Certification authority : CN=Mott MacDonald Root CA
        DNSSEC (Validation) : disabled
        DNSSEC (IPsec) : disabled
        DirectAccess (DNS Servers) : 2002:8a68:e717::8a68:e717
        DirectAccess (IPsec) : disabled
        DirectAccess (Proxy Settings) : Bypass proxy

        Settings for notes.mottmac.com
        ———————————————————————-
        Certification authority : CN=Mott MacDonald Root CA
        DNSSEC (Validation) : disabled
        DNSSEC (IPsec) : disabled
        DirectAccess (DNS Servers) : 2002:8a68:e717::8a68:e717
        DirectAccess (IPsec) : disabled
        DirectAccess (Proxy Settings) : Bypass proxy

        Settings for pims02.hmmg.cc
        ———————————————————————-
        Certification authority : CN=Mott MacDonald Root CA
        DNSSEC (Validation) : disabled
        DNSSEC (IPsec) : disabled
        DirectAccess (DNS Servers) : 2002:8a68:e717::8a68:e717
        DirectAccess (IPsec) : disabled
        DirectAccess (Proxy Settings) : Bypass proxy

        Settings for fifilos3.mottmac.com
        ———————————————————————-
        Certification authority : CN=Mott MacDonald Root CA
        DNSSEC (Validation) : disabled
        DNSSEC (IPsec) : disabled
        DirectAccess (DNS Servers) : 2002:8a68:e717::8a68:e717
        DirectAccess (IPsec) : disabled
        DirectAccess (Proxy Settings) : Bypass proxy

      • April 29, 2014 at 08:03 #

        Hi Alan,

        Looks like you are getting IP-HTTPS error code 0x2afc from your client when it attempts the SSL connection to the DirectAccess server. Your last comment was too long and text was lost. Can you send me the output of this command below?

        netsh name show policy

  3. Jeremy
    February 19, 2014 at 12:12 #

    We are getting an IPHTTPS interface creation failure. The Last Error Code says 0x34. We only have this on 5 clients and it has happened within the last week. The rest of the clients are fine. Randomly in the past we could go into the network adapters in the device manager and deleted the IPHTTPSInterface and re-boot the PC. What we are running into now is that there is no IPHTTPSInterface in the network adapters to remove and re-booting the PC doesn’t re-add it. Any ideas?

    • Knut
      March 27, 2014 at 00:41 #

      Jeremy, I have the same issue as you do, but it has only happened on one PC, three times over. The first time we had to reinstall, the second time we loaded a previous snapshot, and this time even that doesn't work. Have you figured it out?

      • March 27, 2014 at 08:04 #

        So the 0x34 error code means the OS encountered an issue with a duplicate name. So my best guess is the OS still has a stale IP-HTTPS adapter present in the registry. First make a backup of the following registry keys on one of your DA clients :

        HKLM\System\CCS\Control\Network\{4d36e972-e325-11ce-bfc1-08002be10318}\
        HKLM\System\CCS\Control\Network\Uninstalled\
        HKLM\System\CCS\Services\iphlpsvc\Parameters\IPHTTPS\

        After you’ve backed up these keys, then delete all of the GUID values under each of the folders (the GUID values start with a squiggly bracket “{” ). Then try to reboot and see if the DA client will rebuild a new working IP-HTTPS adapter (it should).

  4. Knut
    March 27, 2014 at 08:57 #

    Confirmed: the 0x34 registry fix worked for us too.

  5. Valibasha
    May 22, 2014 at 12:08 #

    @ Derrick

    Please refer the below link for single user.

    https://directaccessguide.com/2013/08/05/getting-ip-https-error-code-0x2af9/

  6. June 28, 2014 at 08:45 #

    Hi,

    I am getting the same error as above, and here is the result when I use "netsh interface httpstunnel show interfaces":

    Interface IPHTTPSInterface (Group Policy) Parameters
    ————————————————————
    Role : client
    URL : https://Server.alqallafgroup.com:443/IPHTTPS
    Last Error Code : 0x2afc
    Interface Status : failed to connect to the IPHTTPS server. Waiting to

    I am trying to solve this in many ways but with no success! I even tried the explanation here.

    Here is the “netsh name show policy” result:

    DNS Name Resolution Policy Table Settings

    Settings for .server.alqallafgroup.com
    ———————————————————————-
    Certification authority :
    DNSSEC (Validation) : disabled
    DNSSEC (IPsec) : disabled
    DirectAccess (DNS Servers) : fd45:cd53:82a1:3333::1
    DirectAccess (IPsec) : disabled
    DirectAccess (Proxy Settings) : Bypass proxy

    Settings for DirectAccess-NLS.alqallafgroup.com
    ———————————————————————-
    Certification authority :
    DNSSEC (Validation) : disabled
    DNSSEC (IPsec) : disabled
    DirectAccess (DNS Servers) :
    DirectAccess (IPsec) : disabled
    DirectAccess (Proxy Settings) : Use default browser settings

    Waiting for help please,

    Thank you,

Trackbacks/Pingbacks

  1. DirectAccess Client Troubleshooting Guide | The DirectAccess Guide - February 18, 2014

    […] directaccessguide on Getting IP-HTTPS error code… […]

