Getting IP-HTTPS error code 0x80090326?

Good morning fellow DirectAccess admins! On a recent customer visit we ran across an IP-HTTPS error code that was new for me. After doing some searches out on the Internet, it looks like this one isn’t well documented so I wanted to share out the findings. The error code in question we discovered was 0x80090326. As reference, you can run the following command on your DirectAccess client to check the state of the IP-HTTPS adapter:

netsh int https show int

You will get an output that will show the current state of the connection. A good connection should show error code 0x0 like below:

[Screenshot: Good IP-HTTPS connection]

So what does IP-HTTPS error code 0x80090326 mean? I used the err.exe tool which you can publicly download from this location:

http://www.microsoft.com/en-us/download/details.aspx?id=985

The download says this tool is used for looking up Exchange Server error codes, but it will also output the description of many Windows internal error codes. It’s quite useful for troubleshooting hex codes that come back in Windows, including our IP-HTTPS error code of 0x80090326. So I ran err for this error code and it comes up with the following two possibilities:

# for hex 0x80090326 / decimal -2146893018
SEC_E_ILLEGAL_MESSAGE winerror.h
# The message received was unexpected or badly formatted.
# as an HRESULT: Severity: FAILURE (1), FACILITY_SSPI (0x9), Code 0x326
# for hex 0x326 / decimal 806
ERROR_FILE_HANDLE_REVOKED winerror.h
# Access to the specified file handle has been revoked.
# 2 matches found for “0x80090326”

The first error message of “The message received was unexpected or badly formatted” seemed like the best fit for our situation. After digging in deeper, we found something was modifying the SSL traffic between the DirectAccess client and our DirectAccess server. We had configured the DirectAccess server to use an external load balancer. A Citrix NetScaler was sitting between the DirectAccess server and the Internet and it was configured to load balance SSL. We found that the NetScaler was intercepting the SSL stream between the DirectAccess client and server and modifying the traffic, which in turn led to this IP-HTTPS error code. To solve the problem, we configured the NetScaler to just load balance TCP/443 instead of using their built-in SSL protocol load balancing.

I can see this problem occurring potentially with any brand of load balancer, not just the Citrix NetScaler, if the SSL stream is being changed during the communication between the DirectAccess client and server. By changing the load balancing to just TCP/443, this should keep the load balancer from breaking the SSL communications.
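The reason the first err.exe match is the right one can be read from the HRESULT bit fields, shown here as an added example that is not part of the original post. The sample netsh text, the `da.example.test` URL and the function names are constructed, and the "Last Error Code" label is an assumption about the output layout.

```powershell
# Added example, not from the original post. The netsh text below is
# constructed sample input; the "Last Error Code" label is an assumption.
$sample = @"
Role                       : client
URL                        : https://da.example.test:443/IPHTTPS
Last Error Code            : 0x80090326
Interface Status           : failed to connect to the IPHTTPS server
"@

function ConvertFrom-HResult {
    param([Parameter(Mandatory)][string]$Hex)
    $names    = @{ 7 = 'FACILITY_WIN32'; 9 = 'FACILITY_SSPI' }
    $value    = [Convert]::ToUInt32($Hex, 16)          # base 16 accepts the 0x prefix
    $facility = [int](($value -shr 16) -band 0x7FF)    # bits 16-26
    $name     = '0x{0:X}' -f $facility
    if ($names.ContainsKey($facility)) { $name = $names[$facility] }
    [pscustomobject]@{
        HResult  = '0x{0:X8}' -f $value
        Failure  = [bool](($value -shr 31) -band 1)    # bit 31 is the severity bit
        Facility = $name
        Code     = '0x{0:X}' -f ($value -band 0xFFFF)  # low 16 bits
        # The low word is a plain Win32 error only under FACILITY_WIN32, so
        # 0x326 here is not ERROR_FILE_HANDLE_REVOKED.
        IsWin32  = ($facility -eq 7)
        # FACILITY_SSPI puts the failure in the TLS/SSPI layer, which is where
        # a device that re-terminates SSL in the path would show up.
        TlsLayer = ($facility -eq 9)
    }
}

function Get-IpHttpsError {
    param([Parameter(Mandatory)][string]$NetshText)
    [regex]::Matches($NetshText, 'Last Error Code\s*:\s*(0x[0-9A-Fa-f]+)') |
        ForEach-Object { ConvertFrom-HResult $_.Groups[1].Value }
}

Get-IpHttpsError $sample | Format-List
```

On a DirectAccess client, pass the live output instead of the sample: `Get-IpHttpsError (netsh int https show int | Out-String)`.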

Thanks to some folks in South Carolina for being patient as we worked through this one. Hope this helps other folks out there with this rather obscure IP-HTTPS error code!


Categories: Troubleshooting DirectAccess

2 Comments on “Getting IP-HTTPS error code 0x80090326?”

  1. Rob J
    October 3, 2014 at 04:33 #

    I concur with this. We had the same issue with external load balancing with a Fortinet device in front of the DA cluster. Setting the load balancer to Layer 2 TCP/443 instead of layer 4 HTTPS/443 fixed the connectivity issue.

    Incidentally it also helped to use a load balancing algorithm of Source IP Hash. This ensures that a connected client should stay on the same DA server for any given session. We found with Round Robin or Least Session modes that if the client went idle long enough, subsequent connections may move to another node in the cluster, and this impacted the reconnection time somewhat.
