Channel: Security forum

Determining MBAM's Version

Hi there,

Does anyone know where to find MBAM's version? I couldn't find it from the web console, nor from within IIS...

Cheers.

Authentication Mechanism Assurance problem


Hello,

I'm trying to set up Authentication Mechanism Assurance for users who login with smart cards by following the Technet guide (http://technet.microsoft.com/en-us/library/dd378897%28WS.10%29.aspx).

I've created the certificate based on the Smart Card Logon template and added the "Medium Assurance" Issuance Policy.  I linked the "Medium Assurance" issuance policy to a group in AD (CS-SC-MediumAccessLevel in the Users OU). Using the get-IssuancePolicy.ps1 script in the guide I can see that my issuance policy is indeed linked to the group.

When the test user logs on with the smart card for the first time, my Authentication Mechanism Assurance certificate gets auto-enrolled without issues.  However after a logoff and logon using the smart card, using whoami / groups I can see that the user is not getting added to the group linked to the issuance policy.

Has anyone encountered such an issue?  How should I proceed with troubleshooting this issue?

Object access auditing on a single DC/file server


I've found a lot of information on enabling file object access auditing, but nothing that seems to apply to my particular situation.  We have a user who claims someone keeps deleting her files (I'm 99.3% certain she's the one doing it).  Anyway, the problem is that our remote sites only have one server, which functions as a file server, print server, domain controller, etc.  Consequently, when I try to go into Local Policy on this machine, the auditing settings are grayed out - presumably because it's a domain controller.  But I don't want to enable it in the Domain Controllers group policy because I've got 9 other domain controllers that I don't necessarily want to introduce this overhead to.  So I guess my question is a two-parter:

1) Is there any way to enable this local policy on a single domain controller?

2) If the answer is no, and I have to use the Domain Controllers group policy, does this GP setting really impact anything if there aren't any folders on that machine with a SACL defining an audit?

Thanks.


SSL Certificates IIS 6.0


Hello all

I am having a little trouble understanding the process of setting up an SSL development site.  I've started to put the pieces together.  I have gotten as far as using selfssl.exe to issue a self-signed certificate to a custom port number.  The common name of the certificate is the full computer name of my web (IIS 6.0) server.  The site does not have a registered domain name through a registrar, and I just use the exact IP address and port number in the address bar on my laptop to test run the site.  Yup!  All is fine and well  :-)

I am having trouble getting the laptop running XP Pro and IE8 to trust the website.  I know it is in part because the certificate name does not match the website address.  Ok, in the Secure Communications Dialog Box the checkbox for "Require secure channel (SSL)" is checked.  Underneath, is the "Require 128-bit encryption".  First Question:  Should I check that one, too?

Next, we have:  ignore client certificates, accept client certificates, require client certificates.  Previously it was set to "ignore".  I went and set it to "require" and just as I expected, the: ... "The page requires a client certificate" page shows up.  Now, I think that this is exactly what I want to do because it means that the only way someone can view the page is for them to either find a way to steal a client certificate (highly unlikely) or get me to issue one to them. Second Question:  Is that correct?

So, the next sequence went like this:  1. set "require" back to "ignore"  2. Refreshed the page on my laptop 3. added the site to the "Trusted Sites" via tools, internet options, security, trusted sites 4.  clicked "Certificate Error", clicked view certificate, and installed the certificate via "Place all certificates in the following store" and navigated to "Trusted Root Certification Authorities" store.  ... clicked: OK, Next, Accepted the risk presented to me in the warning about the certificate name and the website name.  yada... yada...

So, I figured that since the certificate was installed, I could go back and set "ignore client certificates" back to "require client certificates". ... and that is what I did. However, when I refreshed the page on my laptop again, I still get the: "The page requires a client certificate"

Will someone please help me install the client certificate properly?  ...  I think that I want to use the "require client certificates" setting.  And I would like my laptop to trust the web page, so as to avoid the "Continue to this website anyway", not to mention the red address bar and the certificate error.

Thanks in advance!  :-)


Student


SelfSigned Certificate


Hello all,

First, I understand that this is the "General" forum.  I am unsure which forum to ask in, so please feel free to direct me to the appropriate forum, if nobody here can help me.

Ok, I've created a self-signed certificate for an SSL website on a Windows Server 2003 machine.  I am unable to install the certificate on a client machine without receiving the "Security Warning" dialog box that has to do with not being able to validate where the certificate is coming from.  I need to be able to get the client machine to install the certificate without this dialog box popping up, or at least be able to somehow validate (confirm) the thumbprint.

Thanks!


Student


IPSEC template not showing in web enrollment


Good Day

I have a W2K3 R2 Server Standard Edition, with an Enterprise CA, which is also an AD domain controller.

I have added the IPSEC template to the templates to be issued in the CA and have set the permissions to Full Control for the administrator and Domain Admins.

Restarted the certificate services and IIS, and still IPSEC isn't showing in the drop down for certificate templates in the web enrollment.

I'm also using the IE 6.0 on the server for web admin.

My environment is closed in a lab and has no access to the internet.

What am I doing wrong?

Regards

Dana Burton

Credential roaming and CA Auto enrolment


I have a CA template for a user certificate with the Autoenrollment setting.

I have setup separate GPO object, to activate Credential roaming.

Both GPO object are linked to specific OU.

In AD I see the attributes ms-PKI-AccountCredentials and msPKIDPAPIMasterKeys. What I do not understand is that users still get a new certificate enrolled from the CA.  I thought that when a user is under the Credential Roaming policy, he or she will not get a new certificate until that certificate expires.

Do I misunderstand how credential roaming with autoenrollment works?

Followup:  I add:

The Do not automatically re-enroll if a duplicate certificate exists in Active Directory option is applied when the subject attempts to enroll for a certificate based on this template from a computer running Windows XP or later. With this option, certificate autoenrollment will not submit a re-enrollment request if a duplicate certificate exists in Active Directory Domain Services (AD DS). This allows certificates to be renewed but prevents multiple duplicate certificates from being issued.

problem with criticality of key usage extension


Hi everybody, I'm installing a subordinate CA and I'm submitting the request to a standalone CA. I need to make the key usage extension of the subordinate CA certificate critical. To do so, after I submitted the request, I ran this command:

certutil -setextension Request_ID 2.5.29.15 1 @File_Name.txt

(exactly as what is said in the article below), but after the standalone ca issues the request, the key usage extension is not marked as critical.

http://support.microsoft.com/kb/888180

Please help me solve this problem, thank you.





NPS Server ignoring CRL for client authentication


I have setup nps server to authenticate my WLAN clients using client authentication certificates. This is working great.

Now when I revoke a cert it still works! This is not great.

I have checked all my settings and I can't find why the NPS server is ignoring the CRL and still successfully authenticating clients with revoked certs.

Doing a "certutil -f -urlfetch -verify test.cer" on the NPS server I get the following at the end:

"The certificate is revoked. 0x80092010 (-2146885616)
------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=6)
CertUtil: -verify command completed successfully."

So the CRL is working ok. But the NPS is not checking it as part of the authentication process?!

I have checked out these keys as mentioned in this technet article: http://technet.microsoft.com/en-us/library/cc771995(v=ws.10).aspx 

but none of these are set, so I am running with default settings and it should work, right?!

I don't know what's going wrong and am hoping someone will be able to point me in the right direction...

Anonymous LDAP and "Deny access to this computer from network"


Hello,

I am just testing anonymous LDAP access to Active Directory on Windows 2003. I have enabled anonymous access in dsHeuristics. The Pre-Windows 2000 Compatible Access group contains ANONYMOUS LOGON as a member. I can successfully bind and also list domain contents using LDP (bind with credentials - empty). The Security log on the DC shows event 540 Successful network logon, logon type 3, user NT AUTHORITY\ANONYMOUS LOGON.

Up to this point, everything is perfectly fine.

But. I have assigned the ANONYMOUS LOGON the right "Deny access to this computer from network" and I have also removed everything except for Authenticated Users from the "Allow access to this computer from network" user right.

Still, I can bind and browse the directory. The security log still shows the 540 network logon event for ANONYMOUS LOGON. How is it possible? I thought that I denied network logon for ANONYMOUS USER through the user rights, but it does not take effect.

ondrej.

Two way SSL authentication in Load Balanced Environment


Hi All,

We are planning to host a server farm behind a load balancer, one of which is a web service. This web service should use two-way SSL authentication (both server and client mutually authenticate each other with their certs). Any idea how to do this??

Load balancer - Brocade ADX 1000 is used; it supports SSL. But I am clueless how to carry out client authentication with the web server mediated by a load balancer. Because SSL termination would happen at the load balancer, even if we enforce client authentication on the web server, only the load balancer will authenticate itself against the web server for all requests from the actual clients.

Please help

thanks

Shaun

Smart Card newbie question


Let me preface this by stating that although I am well versed in PKI, I have virtually no experience with provisioning Smart Cards.

We have some folks traveling to mainland China later in the year, and I was asked to look into leveraging some extra Aladdin eToken USB smartcard fobs that we have lying around to implement 2-factor authentication for these users.

As an initial test, in my sandbox, I created a V2 copy of the "smartcard logon" template, gave myself read and enroll permissions against it, and then requested this type of cert through the CAPI console with my eToken attached.  The request was successful, and I can see the certificate both in my CAPI store and on my eToken when looking in the Aladdin console.

So, I locked my machine and re-inserted the fob.  The normal username/password prompt became a PIN prompt instead.  So far, so good.  But then, when I entered my eToken passphrase, I received "the requested keyset does not exist on the smartcard".  What is the keyset that is being requested if it's not the public/private keypair of my cert?

I didn't find anything useful when Googling for that error message.  I read through the "Smart Card Deployment" chapter of Brian Komar's book, and while I'm obviously not using an enrollment agent or an LRA in this case, I seem to have configured the template correctly, and the CA is definitely in the NTAuth store.

Any advice would be greatly appreciated.

"Revocation Information for the security certificate for this site is not available" alert when opening emails in Outlook 2003


I'm troubleshooting an issue where the following alert is popping up when emails containing embedded https content are opened -

When the certificates have been viewed and the certificate revocation list (crl) paths have been copied and then opened in a browser there have been no issues reviewing the revoked sites information.

Once 'Yes' is clicked to acknowledge that you want to proceed there is usually no problem viewing the content of the emails.

I don't think therefore that the problem is with the crl location not being available then, although the issue may be that it isn't accessible from Outlook.

Has anyone come across this issue before?

Additionally does anyone know where on the client the acknowledgement is cached when you click 'Yes'.

Many thanks

Dee P


Windows Utility or features that can audit when a workstation was deleted in Active Directory


Hi there,

Is there a Windows Server 2008 utility or feature that can audit or track when a computer was deleted in Active Directory?

We encountered this problem more than 3 times and I'm interested to find out when or who deleted the computer object in Active Directory.

Best

ACUC

Group Policy nla rdp local security authority cannot be contacted


Trying to RDP from Win7 to Win7 domain workstations in the same vlan.

RDP settings are all set.  Under system properties, remote: allow connections only from computers running Remote Desktop with Network Level Authentication(more secure).

User in RDP Group on destination pc.  firewall exception.

Group Policy - Access this computer from the network(remote desktop users) allow log on through rdservices(remote desktop users), allow log on locally(users, authenticated users)

rdp connection throws error:

"An authentication error has occurred, the local security authority cannot be contacted."

The user's password is not expired, passwords are not blank. Correct DNS servers are listed.  User has a domain profile on the destination computer.  Lowering the RDP setting to "allow connections from computers running any version of Remote Desktop (less secure)" works.  Or putting the user in the local admin group also resolves RDP.  We would like to use NLA and have the user only in the RDP group.  What might we be missing here?  Is being an admin required to use NLA for RDP?


Can't establish IKEv2 VPN connection - "Error 13819: Invalid certificate type"


I'm trying to make a VPN connection to a Windows Server 2012 Essentials server. I can successfully connect using SSTP, but I want to use IKEv2 to improve performance. However, when I try to connect, I receive the following error message: "Error 13819: Invalid certificate type".

The message suggests to me that the certificate being used does not have the correct EKU attributes for an IKEv2 connection. However, I have issued a certificate for the server, placed in the server's Personal store, which includes the EKUs for Server Authentication and IP security IKE Intermediate, as specified in this tutorial (albeit for Server 2008). The certificate is self-signed, with the root authority trusted by the client computers.

What I would like to do is to find out exactly which certificate is actually being selected by the server for the IKEv2 connection. I can't see any way of verifying which is being used - I suspect the server may be selecting a different certificate without the correct EKUs. Once I am sure of the certificate being used, I could verify it on the client computers with certutil.

Could anyone suggest how I could do that?

Thanks.

NDES admin permission issues

Having an issue with NDES. I get everything set up and it all seems ok. I can get to the http://<ndesserver>/certsrv/mscep site no problem. When I try to hit the admin site it prompts me for creds. I am using an account that has at least Read and Enroll permission on all the issued cert templates on our enterprise CA and still it will not let me access; it says that there is a permission issue. I have been fighting this for a couple of days now and have not had any luck. Has anyone seen this before?

Problem with CA after restore from tape backup

I was called in to rescue an office that had a bad restore from tape to their Windows 2008 server.  They are having problems with their Exchange Certificate that requires the recreation of their self-signed certificate.  The problem that I am having is that the CA is inaccessible and the service is unable to start.  I have tried esentutl with truncate repair option and it fails.  How can I completely remove and reinstall the CA components?

Excessive Bad Password Attempts/Lockouts from unknown source


I have a user that is constantly getting locked out after his last password change and we cannot figure out where his account is attempting to authenticate from, as event IDs 4776, 4740 and 4625 do not provide a source workstation or caller machine. I have used Microsoft's Account Lockout Tools and Netwrix and neither is able to identify a service or source workstation.  Is there another way this information can be obtained? I have copied and pasted details about each event.  Please help!

- System 

  - Provider 

   [ Name]  Microsoft-Windows-Security-Auditing 
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D} 
 
   EventID 4625 
 
   Version 0 
 
   Level 0 
 
   Task 12544 
 
   Opcode 0 
 
   Keywords 0x8010000000000000 
 
  - TimeCreated 

   [ SystemTime]  2012-12-19T19:09:29.677422400Z 
 
   EventRecordID 3069685 
 
   Correlation 
 
  - Execution 

   [ ProcessID]  508 
   [ ThreadID]  4044 
 
   Channel Security 
 
   Computer GO-RADIUSP1.GLAZERS.INFO 
 
   Security 
 

- EventData 

  SubjectUserSid S-1-5-18 
  SubjectUserName GO-RADIUSP1$ 
  SubjectDomainName GLAZER 
  SubjectLogonId 0x3e7 
  TargetUserSid S-1-0-0 
  TargetUserName MichaelT 
  TargetDomainName GLAZER 
  Status 0xc000006d 
  FailureReason %%2313 
  SubStatus 0xc000006a 
  LogonType 3 
  LogonProcessName CHAP 
  AuthenticationPackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 
  WorkstationName  
  TransmittedServices - 
  LmPackageName - 
  KeyLength 0 
  ProcessId 0x344 
  ProcessName C:\Windows\System32\svchost.exe 
  IpAddress - 
  IpPort - 

- System

  - Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}

   EventID 4740

   Version 0

   Level 0

   Task 13824

   Opcode 0

   Keywords 0x8020000000000000

  - TimeCreated

   [ SystemTime]  2012-12-19T15:03:36.160960900Z

   EventRecordID 361834425

   Correlation

  - Execution

   [ ProcessID]  492
   [ ThreadID]  3892

   Channel Security

   Computer GO-DCP1.GLAZERS.INFO

   Security


- EventData

  TargetUserName MichaelT
  TargetDomainName
  TargetSid S-1-5-21-909327312-825771116-666385194-1166
  SubjectUserSid S-1-5-18
  SubjectUserName GO-DCP1$
  SubjectDomainName GLAZER
  SubjectLogonId 0x3e7


- System 

  - Provider 

   [ Name]  Microsoft-Windows-Security-Auditing 
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D} 
 
   EventID 4776 
 
   Version 0 
 
   Level 0 
 
   Task 14336 
 
   Opcode 0 
 
   Keywords 0x8010000000000000 
 
  - TimeCreated 

   [ SystemTime]  2012-12-19T19:22:28.395335900Z 
 
   EventRecordID 362470965 
 
   Correlation 
 
  - Execution 

   [ ProcessID]  492 
   [ ThreadID]  3892 
 
   Channel Security 
 
   Computer GO-DCP1.GLAZERS.INFO 
 
   Security 
 

- EventData 

  PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 
  TargetUserName MichaelT 
  Workstation  
  Status 0xc0000234 
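As an added triage example (not code from the post, from Microsoft's Account Lockout Tools or from Netwrix), the Python below parses flattened Security-log dumps in the "Key Value" layout pasted above and, for each 4625/4740/4776 record for the account, reports where the source can still be found when WorkstationName and IpAddress are empty. The three records are constructed from the fields shown in the post; the field names and NTSTATUS values are the standard Windows ones. The rule that a 4625 with LogonProcessName CHAP on a RADIUS host points to that host's NPS accounting log is this example's working assumption and should be confirmed against the NPS logs themselves.

```python
"""Parse flattened Windows Security-log dumps (4625 / 4740 / 4776) and say
where to look next when the event names no workstation or IP address."""
import re

# Constructed sample records in the "Key Value" layout of the post.
RECORDS = [
    """- System
  - Provider
   [ Name]  Microsoft-Windows-Security-Auditing
   EventID 4625
  - TimeCreated
   [ SystemTime]  2012-12-19T19:09:29.677422400Z
   Computer GO-RADIUSP1.GLAZERS.INFO
- EventData
  TargetUserName MichaelT
  TargetDomainName GLAZER
  Status 0xc000006d
  SubStatus 0xc000006a
  LogonType 3
  LogonProcessName CHAP
  WorkstationName
  IpAddress -
""",
    """- System
   EventID 4740
   [ SystemTime]  2012-12-19T15:03:36.160960900Z
   Computer GO-DCP1.GLAZERS.INFO
- EventData
  TargetUserName MichaelT
  TargetSid S-1-5-21-909327312-825771116-666385194-1166
  SubjectUserName GO-DCP1$
""",
    """- System
   EventID 4776
   [ SystemTime]  2012-12-19T19:22:28.395335900Z
   Computer GO-DCP1.GLAZERS.INFO
- EventData
  PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  TargetUserName MichaelT
  Workstation
  Status 0xc0000234
""",
]

SECTION = re.compile(r"^-\s*\w+$")               # "- System", "- EventData"
BRACKET = re.compile(r"^\[\s*(\w+)\]\s*(.*)$")   # "[ SystemTime]  2012-..."
EMPTY = {"", "-"}                                # how Windows renders "no value"

# Well-known NTSTATUS codes carried by these events.
STATUS_TEXT = {
    "0xc000006d": "STATUS_LOGON_FAILURE",
    "0xc000006a": "STATUS_WRONG_PASSWORD",
    "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}

# Assumption: a logon process of CHAP (from the post's 4625) means the logging
# host validated credentials on behalf of a RADIUS client, and that client is
# recorded in the host's NPS accounting log rather than in the 4625 itself.
PROXY_LOGON_PROCESSES = {"CHAP"}


def parse_event(text):
    """Turn one flattened event dump into a flat {field: value} dict.
    Section headers are skipped; a key with nothing after it maps to ''."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION.match(line):
            continue
        m = BRACKET.match(line)
        if m:
            key, value = m.group(1), m.group(2)
        else:
            key, _, value = line.partition(" ")
        fields[key] = value.strip()
    return fields


def source_of(ev):
    """Return the first populated source field, or None when none was recorded."""
    for key in ("IpAddress", "WorkstationName", "Workstation", "CallerComputerName"):
        if ev.get(key, "") not in EMPTY:
            return ev[key]
    return None


def triage(events, user):
    """Collect the events for one account, oldest first, each with a next step."""
    findings = []
    for ev in events:
        if ev.get("TargetUserName", "").lower() != user.lower():
            continue
        eid, host, src = ev.get("EventID"), ev.get("Computer", "?"), source_of(ev)
        status = ev.get("SubStatus") or ev.get("Status") or ""
        if src:
            step = f"source recorded: investigate {src}"
        elif ev.get("LogonProcessName") in PROXY_LOGON_PROCESSES:
            step = (f"no source in event: {host} authenticated a network client via "
                    f"{ev['LogonProcessName']}; check the NPS/RADIUS accounting log on "
                    f"{host} for the NAS address and calling station")
        elif eid == "4776":
            step = ("no workstation in event: the DC only relays what the authenticating "
                    "server sent; correlate by time with 4625 on member servers")
        else:
            step = "no source in event: correlate by time with 4625/4776 elsewhere"
        findings.append({"time": ev.get("SystemTime", ""), "event_id": eid,
                         "logged_on": host, "source": src,
                         "status": STATUS_TEXT.get(status.lower(), status),
                         "next_step": step})
    findings.sort(key=lambda f: f["time"])
    return findings


if __name__ == "__main__":
    for f in triage([parse_event(r) for r in RECORDS], "MichaelT"):
        print(f"{f['time']} {f['event_id']} on {f['logged_on']}: {f['status']}; {f['next_step']}")
```

Feed it real exports one record per string (or split a combined export on the "- System" header) and the empty-source branch is the one that matters: for the post's data it lands on the RADIUS host, which is where the actual client identity would be logged.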

Event ID 64 — Certificate Services Client - Auto Enrollment


Hi I'm getting the Error Event ID 64 — Certificate Services Client - Auto Enrollment in my event manager

- System

  - Provider

   [ Name]  Microsoft-Windows-CertificateServicesClient-AutoEnrollment
   [ Guid]  {F0DB7EF8-B6F3-4005-9937-FEB77B9E1B43}
   [ EventSourceName]  AutoEnrollment

  - EventID 64

   [ Qualifiers]  32768

   Version 0

   Level 3

   Task 0

   Opcode 0

   Keywords 0x80000000000000

  - TimeCreated

   [ SystemTime]  2012-12-03T00:00:19.000000000Z

   EventRecordID 33252

   Correlation

  - Execution

   [ ProcessID]  0
   [ ThreadID]  0

   Channel Application

   Computer Madmaniakid-PC

   Security

- EventData

  Context local system
  ObjId a2 91 de 79 b1 ad d9 7b 93 ee 01 0b 38 f0 f2 6b d8 8e be eb

Now I have Identified the expired certificate with the information I found at http://technet.microsoft.com/en-us/library/cc774595(WS.10).aspx but when I try to renew the certificate I get the following message - Enrollment error: the request contains no certificate template information.

Help!!!!!!!
