OTP signing certificate configuration

AP.Remote.Access.Monitor.DA_OTP_HEURISTIC_OTP_SIGN_CERT_TEMPLATE_BAD (UnitMonitor)

The OTP signing certificate is missing or configured incorrectly.

Knowledge Base article:

Summary

An OTP signing certificate cannot be located on the Remote Access server.

Causes

1. The OTP signing certificate cannot be enrolled by the Remote Access server from the certificate template.

2. The OTP signing certificate cannot be renewed by the Remote Access server.

3. The OTP signing certificate does not have the required Enhanced Key Usage (EKU).

4. The OTP ISAPI extension does not have permissions to use the OTP signing certificate.

5. The OTP signing certificate has expired.

6. The OTP signing certificate has been revoked.

Resolutions

1. Ensure the certificate template for issuing the OTP signing certificate exists and is configured correctly.

2. Enroll the OTP signing certificate manually from the Remote Access server.

3. Ensure that OTP is configured correctly in the Remote Access Management console.

4. Apply DirectAccess policy with OTP disabled and then enable OTP again.

5. Ensure that activation of OTP configuration settings succeeded.

Element properties:

Target: AP.Remote.Access.Class.Otp
Parent Monitor: System.Health.ConfigurationState
Category: Custom
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: AP.Remote.Access.Monitor.HeuristicMonitorType
Remotable: True
Accessibility: Public
Alert Message:
OTP signing certificate misconfigured

Error Description - {0}
Error Cause - {1}
Error Resolution - {2}
RunAs: Default

Source Code:

<UnitMonitor ID="AP.Remote.Access.Monitor.DA_OTP_HEURISTIC_OTP_SIGN_CERT_TEMPLATE_BAD" Accessibility="Public" Enabled="true" Target="AP.Remote.Access.Class.Otp" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="AP.Remote.Access.Monitor.HeuristicMonitorType" ConfirmDelivery="true">
  <Category>Custom</Category>
  <AlertSettings AlertMessage="AP.Remote.Access.Monitor.DA_OTP_HEURISTIC_OTP_SIGN_CERT_TEMPLATE_BAD_AlertMessageResourceID">
    <AlertOnState>Warning</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>Error</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Data/Context/DataItem/Property[@Name='ErrorDesc']$</AlertParameter1>
      <AlertParameter2>$Data/Context/DataItem/Property[@Name='ErrorCause']$</AlertParameter2>
      <AlertParameter3>$Data/Context/DataItem/Property[@Name='ErrorResolution']$</AlertParameter3>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="DA_OTP_HEURISTIC_OTP_SIGN_CERT_TEMPLATE_BAD_Error" MonitorTypeStateID="Error" HealthState="Error"/>
    <OperationalState ID="DA_OTP_HEURISTIC_OTP_SIGN_CERT_TEMPLATE_BAD_Warning" MonitorTypeStateID="Warning" HealthState="Warning"/>
    <OperationalState ID="DA_OTP_HEURISTIC_OTP_SIGN_CERT_TEMPLATE_BAD_Success" MonitorTypeStateID="Healthy" HealthState="Success"/>
  </OperationalStates>
  <Configuration>
    <Interval>300</Interval>
    <SyncTime/>
    <ComponentName>Otp</ComponentName>
    <HeuristicId>2148466699</HeuristicId>
    <Debug>false</Debug>
  </Configuration>
</UnitMonitor>