Channel: Security forum

Question on CAPolicy.inf file and post-installation script


I'm preparing a small PKI implementation with a single Enterprise Root CA on Windows 2008 R2 Enterprise.

The primary role of this CA is to provide certificates for about 20 laptops that will use the certificates for authentication to a wireless network.

I have prepared a CAPolicy.inf file and a post installation script (below).

Renewal period for the root cert should be 10 years, CRL publication every 2 days with Delta publication every 12 hours (details in scripts below).

*

I want to make sure the AIA and CRL url commands are correct.

Does this look correct?

AIA

1:%WINDIR%\System32\CertSrv\CertEnroll\%%1_%%3%%4.crt

This should publish the CA certificate to the local file system "certenroll".

*

2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11

This places the LDAP url in the AIA extension of issued certs.

*

I am not planning to use HTTP, hence its absence.

*

CRL

1:%WINDIR%\System32\CertSrv\CertEnroll\%%3%%8%%9.crl

This publishes the CRL to the local file system ("certenroll" subfolder).

*

10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10

Indicates CDP in AD DS and includes CDP url in issued certificates.

##########################################

Complete scripts

##########################################

1. CAPolicy.inf - %windir%


[Version]
Signature= "$Windows NT$"

[certsrv_server]
renewalkeylength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years

CRLPeriod = days
CRLPeriodUnits = 2
CRLDeltaPeriod = hours
CRLDeltaPeriodUnits = 12
LoadDefaultTemplates=0

2. Install Role

Follow steps in GUI here

3. Run post-install script

certutil -setreg CA\DSConfigDN CN=Configuration,DC=mydomain,DC=local

certutil -setreg CA\CRLPeriodUnits 2
certutil -setreg CA\CRLPeriod "days"
certutil -setreg CA\CRLDeltaPeriodUnits 12
certutil -setreg CA\CRLDeltaPeriod "hours"

certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\System32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\System32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1

certutil -setreg CA\AuditFilter 127

net stop certsvc & net start certsvc

certutil -crl


Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
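The prefix numbers in the CACertPublicationURLs / CRLPublicationURLs strings are bit flags, and the question above really comes down to whether the chosen flags match what the CA is expected to do. The script below is an added example, not part of the original post or of the post-install script: it decodes the flag bits of the two URL lists from the post (the registry holds single "%" tokens; the doubled "%%" in the post is batch-file escaping) and prints the combinations that commonly cause trouble. The delta-CRL setting is taken from the post's CRLDeltaPeriodUnits = 12; to check a live CA, feed it the output of certutil -getreg CA\CACertPublicationURLs and certutil -getreg CA\CRLPublicationURLs instead.

```powershell
# Added example (not from the original post): decode CA publication URL flags
# and report inconsistent combinations. Values below are the poster's.
$aiaUrls = @(
    '1:%WINDIR%\System32\CertSrv\CertEnroll\%1_%3%4.crt',
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
)
$cdpUrls = @(
    '1:%WINDIR%\System32\CertSrv\CertEnroll\%3%8%9.crl',
    '10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
)
$deltaCrlEnabled = $true   # CRLDeltaPeriodUnits = 12 in the post

# Flag bits as documented for certutil -setreg CA\CACertPublicationURLs
$AiaFlag = @{ PublishToServer = 1; AddToCertAIA = 2; AddToCertOCSP = 32 }
# Flag bits as documented for certutil -setreg CA\CRLPublicationURLs
$CdpFlag = @{ PublishToServer = 1; AddToCertCDP = 2; AddToFreshestCRL = 4
              AddToCrlCDP = 8; PublishDeltaToServer = 64; AddToCrlIDP = 128 }

function ConvertFrom-PublicationUrl {
    # Entries look like "<decimal flags>:<url>"; split on the first colon only.
    param([string]$Entry, [hashtable]$FlagTable)
    $flags, $url = $Entry -split ':', 2
    $names = $FlagTable.GetEnumerator() |
        Where-Object { [int]$flags -band $_.Value } |
        ForEach-Object { $_.Key }
    [pscustomobject]@{ Flags = [int]$flags; Names = @($names); Url = $url }
}

function Test-PublicationUrls {
    param([string[]]$Aia, [string[]]$Cdp, [bool]$DeltaEnabled)
    $aiaEntries = foreach ($u in $Aia) { ConvertFrom-PublicationUrl $u $AiaFlag }
    $cdpEntries = foreach ($u in $Cdp) { ConvertFrom-PublicationUrl $u $CdpFlag }
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($e in $cdpEntries) {
        # A CDP URL placed in issued certificates must also be written to by the
        # CA (1 = base CRL, 64 = delta CRL) or published by hand with
        # certutil -dspublish; otherwise clients are sent to a location nobody updates.
        if (($e.Flags -band 2) -and -not ($e.Flags -band (1 -bor 64))) {
            $findings.Add("CDP '$($e.Url)' is put in issued certs (2) but the CA never publishes to it (no 1/64)")
        }
        if (($e.Flags -band 8) -and $e.Url -notlike 'ldap:*') {
            $findings.Add("CDP '$($e.Url)': flag 8 (AddToCrlCDP) is intended for an ldap:/// location")
        }
    }
    if ($DeltaEnabled) {
        if (-not ($cdpEntries | Where-Object { $_.Flags -band 64 })) {
            $findings.Add('Delta CRLs are enabled but no CDP location has flag 64; deltas are generated but never published')
        }
        if (-not ($cdpEntries | Where-Object { $_.Flags -band 4 })) {
            $findings.Add('Delta CRLs are enabled but no CDP location has flag 4; base CRLs carry no Freshest CRL pointer')
        }
    }
    if (-not ($cdpEntries | Where-Object { $_.Url -like 'http://*' })) {
        $findings.Add('No http:// CDP: only LDAP-capable, domain-joined clients can fetch the CRL')
    }
    if (-not ($aiaEntries | Where-Object { $_.Flags -band 2 })) {
        $findings.Add('No AIA location is included in issued certificates (flag 2)')
    }
    [pscustomobject]@{ AIA = $aiaEntries; CDP = $cdpEntries; Findings = $findings }
}

$result = Test-PublicationUrls -Aia $aiaUrls -Cdp $cdpUrls -DeltaEnabled $deltaCrlEnabled
$result.AIA | Format-Table Flags, Url, @{ n = 'Means'; e = { $_.Names -join ', ' } } -AutoSize
$result.CDP | Format-Table Flags, Url, @{ n = 'Means'; e = { $_.Names -join ', ' } } -AutoSize
$result.Findings | ForEach-Object { Write-Warning $_ }
```

Against the posted values this reports the LDAP CDP entry (10 = 2 + 8) as included in certificates but never published by the CA, and the file entry (1) as not receiving delta CRLs even though a 12-hour delta period is configured; the defaults the wizard writes for those two locations are 79 for LDAP and 65 for the file path. Whether that matters depends on whether the CRL is published to AD by hand, so treat the findings as a checklist rather than as errors.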







Account Lock Out Issues


Hello all,

I am encountering a very strange account lockout issue.

We have a generic active directory account that we use and recently we changed the password on the account.  After changing the password we encountered some issues and so changed the password back.  Even after correcting all instances of the password in services, etc, the account is still being locked out frequently.

I've done some analysis with Microsoft's account lockout tools and with NetWrix excellent tool.  The tools indicate that the account is being locked out from computers that have never even used the account.  In fact, I'm seeing connections under account names to servers from computers that couldn't possibly be using those accounts.  That may be a clue as to what's going on here.

Does anyone have any idea what might be going on?
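The "Caller Computer Name" in a lockout event is the machine that submitted the final bad credential to the domain controller, which is not necessarily the machine holding the stale password: a mail server, RADIUS server or terminal server that authenticates on a user's behalf shows up as the caller. The script below is an added example, not part of the original post, and the account name and look-back window in it are assumptions. It pulls the 4740 lockout events from the PDC emulator (every lockout is recorded there) and the bad-password events (4771 Kerberos, 4776 NTLM) from all DCs, then groups them by source so that the top entry is where to look for the stale credential. It needs the ActiveDirectory module and read access to the DCs' Security logs.

```powershell
# Added example (not from the original post): find where lockouts originate.
$account = 'svc-generic'                 # assumed sample account name
$since   = (Get-Date).AddHours(-24)

$pdc = (Get-ADDomain).PDCEmulator
$dcs = (Get-ADDomainController -Filter *).HostName

function Get-EventDataMap {
    # Turn the EventData/Data elements of an event into a name -> value table.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

function Get-LockoutSources {
    param([string]$SamAccountName)

    # 4740 is always recorded on the PDC emulator. The machine that sent the
    # final bad credential is carried in TargetDomainName ("Caller Computer Name").
    $lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap $_
            if ($d['TargetUserName'] -eq $SamAccountName) {
                [pscustomobject]@{ Time = $_.TimeCreated; DC = $pdc; Id = 4740
                                   Source = $d['TargetDomainName']; Status = 'locked out' }
            }
        }

    # 4771 (status 0x18) and 4776 (status 0xC000006A) are the bad-password
    # attempts that add up to the lockout; they sit on whichever DC handled
    # the request, so every DC is queried.
    $failures = foreach ($dc in $dcs) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap $_
            if ($d['TargetUserName'] -eq $SamAccountName) {
                if ($_.Id -eq 4771) { $src = $d['IpAddress'] -replace '^::ffff:', '' }
                else                { $src = $d['Workstation'] }
                [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc; Id = $_.Id
                                   Source = $src; Status = $d['Status'] }
            }
        }
    }
    @($lockouts) + @($failures) | Sort-Object Time
}

$events = Get-LockoutSources -SamAccountName $account
$events | Format-Table Time, DC, Id, Source, Status -AutoSize

# Sources ranked by number of bad-password attempts
$events | Where-Object { $_.Id -ne 4740 } | Group-Object Source |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

If the top source is a server rather than a workstation, the stale password is usually in something that server runs on the account's behalf (a scheduled task, service, mapped drive, or a saved credential in Credential Manager or a mail profile), and the 4771/4776 timestamps, which recur at the retry interval of whatever holds the password, narrow it down further.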

encrypting a File using Microsoft PKI Basic EFS template


Hi All;

I created a Basic EFS template on my lab issuing CA and configured it for auto-enrollment on the domain. After doing that I created a new domain user (Test) in Active Directory and logged in to my Windows client machine, which is Windows 7 Enterprise, using that user (TEST). Now, since the machine was set up for auto-enrollment, the EFS certificate gets issued to the user "TEST" as shown below

Now as per my understanding this Certificate is tied to the User “Test” for doing crypto operation.

So now I created a folder named "Puneet" on the desktop of the Windows 7 machine and created a file "secret.txt" inside. I then selected the properties of the file "secret", selected the Advanced option, and in the "Advanced Attributes" pop-up selected "Encrypt contents to secure data". Now I believe my EFS certificate should come into the picture and help me in encrypting the file.

But it fails with below error

I have looked into the event log and it does not give much information.

Note: In home Lab setup KRA is up and running on my PKI setup.

Has any one of you encountered this error while doing crypto operations using PKI? Any pointers are welcome.

WDS


Does anyone out there know what this error message is? "Error occurred while trying to execute command. Error Code: 0xc0000135." I get this message when I try to inject Dell and Lenovo NIC adapter drivers into the boot image.


2 tier PKI, offline Root CA, enterprise CA. CDP AIA locations and OID question


I'm in the planning phase of a simple 2-tier PKI deployment. I plan on having an offline root CA and 1 or 2 enterprise subordinate CAs. At this time they will only be used to auto-enroll computer certs to Windows workstations for 802.1x port-based authentication. I'm trying to make sure that I build it out so it covers our needs in the future. In the last few days I've read a lot of blogs as well as the MS Press 2008 PKI book. I still have some questions that I would like some clarification on.

1) CDP and AIA extensions - Why would I even publish this to AD and use LDAP? Would I not be better off publishing this to two web servers and throwing a load balancer in front for the clients to connect to? I'm not sure what the benefit of placing it in AD is, other than causing slower replication and limiting the number of clients that can use it.


2) After I install the root CA, do I go into the extensions and point the CDP and AIA to those web servers and then copy the .crt and .crl to the folder?

3) OID in the CAPolicy.inf - I still don't get it. Do I need this in the CAPolicy? What exactly happens if I don't have it? Is this something that I can add to the CAPolicy and renew the CA cert in the future? If my certs are strictly within my organization, will that make a difference?

I appreciate the insight. PKI is something I don't want to redo in 2 years because I messed it up! Thanks.

How to check CRL validity Period before doing CA Migration ?


Hi ALL,

I am performing a CA migration, so my first step is to:

Check that CRLs have a validity period that extends past the expected migration duration.

So can anyone please let me know how I can check the CRLs' validity period?

If not, publish CRLs - ensure that published CRLs have a duration that is reasonably longer than the estimated duration of the migration.

So can anyone please let me know how I should ensure that published CRLs have a duration that is reasonably longer than the estimated duration of the migration?
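The validity window of a published CRL is its ThisUpdate/NextUpdate pair, which certutil -dump prints for a .crl file. The script below is an added example, not part of the original post: run on the CA being migrated, it reads both fields from every CRL in the default CertEnroll publication folder and flags the ones whose NextUpdate does not outlast the planned migration window. The migration length is an assumption; delta CRLs are recognised by the trailing "+" that the <DeltaCRLAllowed> naming token adds.

```powershell
# Added example (not from the original post): check CRL NextUpdate against the
# migration window.
$migrationDays = 7                                          # assumed window
$crlFolder     = Join-Path $env:windir 'System32\CertSrv\CertEnroll'

function Get-CrlValidity {
    param([string]$Path)
    $dump = certutil -dump $Path 2>&1 | Out-String
    $this = [regex]::Match($dump, 'ThisUpdate:\s*(.+)').Groups[1].Value.Trim()
    $next = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
    if (-not $next) { throw "Could not parse $Path (is it a CRL?)" }
    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        # Delta CRLs are named with a trailing "+" by the <DeltaCRLAllowed> token
        IsDelta    = [bool]($Path -like '*+.crl')
        ThisUpdate = [datetime]::Parse($this)
        NextUpdate = [datetime]::Parse($next)
    }
}

function Test-CrlCoversMigration {
    param([string]$Folder, [int]$Days)
    $deadline = (Get-Date).AddDays($Days)
    foreach ($f in Get-ChildItem -Path $Folder -Filter *.crl) {
        $v = Get-CrlValidity $f.FullName
        $v | Add-Member -MemberType NoteProperty -Name CoversMigration `
                        -Value ($v.NextUpdate -gt $deadline) -PassThru
    }
}

Test-CrlCoversMigration -Folder $crlFolder -Days $migrationDays |
    Format-Table File, IsDelta, ThisUpdate, NextUpdate, CoversMigration -AutoSize
```

When CoversMigration is False, raise CA\CRLPeriodUnits with certutil -setreg, restart the service and run certutil -crl, then re-run the check against the CRL as clients see it (the copy in AD or on the HTTP server, not just the local file). Two things to keep in mind: the NextUpdate the CA writes is the CRL period plus the overlap period, so it will be slightly longer than the configured value; and a delta CRL, if enabled, has its own much shorter NextUpdate and will expire first, so either publish a base CRL that is long enough and disable deltas for the migration (CRLDeltaPeriodUnits 0), or plan to keep publishing deltas throughout.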

ldap over ssl in windows 2008 r2


hi

I wanted to configure LDAP over SSL and I have created a security template along with appropriate permissions; however, when I want to add it to my domain 2008 R2 computer it gives me an error:

"The permissions on the certificate template do not allow the current user to enroll for this type of certificate"
"You do not have permission to view this type of certificate"

kindly advise me.

greenman

stand alone AD-LDS instance : when adding a newly defined USER to the CN=Administrators ROLE, error code 0x20B5


I'm working at a large healthcare client. They have an Active Directory controller, with a naming convention of DC=SJMC,DC=LOCAL (their server names are SERVER.sjmc.local).

The software I'm installing requires a stand-alone instance of AD LDS on Windows Server 2008 R2 Enterprise.

We've defined the instance name and ports, with a DN of O=software,DC=sjmc,DC=local.

I was able to then add a user of CN=ldapadmin,O=software,DC=sjmc,DC=local, set the password, make the password not disabled, encrypted, etc. All this worked fine.

However, when I attempt to add the newly defined user to the CN=Administrators role, I receive the following error message:

Operation failed. Error code 0x20B5. The name reference is invalid. 000020B5: AtrErr: DSID-03152804, #1 0:000020B5: DSID-03152084, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 1f (member)

The name is a valid name. Any ideas from the MS community?

BTW, I looked for a forum governing AD or AD LDS; I couldn't find any specific naming convention ...

tom/denver


Unable to bind SSL certificate from Network Solutions


I'm not sure if this is the correct forum or not but I didn't see one that looked more suitable.

I have a server running 2012 with the RDS role. I'm trying to install an SSL certificate on it in IIS8 and I'm not getting anywhere.

The SSL certificate is from Network Solutions. Normally I deal with GoDaddy but this client uses NS so that's where I had to go for the cert.

I got the cert and in the zip file were 3 files. One is named AddTrustExternalCARoot.crt, the second NetworkSolutionsDVServerCA.crt and the third is remote.domain.com.crt. No, it's not really domain but I didn't want to put in the actual domain name.

I spoke with Network Solutions tech support who were very little help. They only know what their documentation says, which is for IIS6 and IIS7. Following that didn't work and the tech said I'd have to call Microsoft. Some tech support!

Anyway I've tried to follow the generic directions for IIS8. Via the certificate MMC I installed the first .crt file in Trusted Root Certification Authorities and the second .crt file in Intermediate Certification Authorities (NS tech said that .crt file is the intermediate file). I then opened IIS Manager and did the Complete Certificate Request process which completed without error.

I then selected the web site in IIS Manager, selected bindings and added an https binding. But in the SSL certificate dropdown, there is NO certificate.

So I am stumped at this point at getting this cert installed. I checked each of the stores in the Certificates MMC and I can see all 3 certificates in their respective stores of Trusted Root, Intermediate, and Personal. But the remote certificate does not show in the dropdown when trying to assign a certificate to the https binding.

Also, when I look in IIS Manager, click on the server in the Connections pane, then double-click on Server Certificates, there are no certificates to be seen. So somehow the remote certificate is not getting properly installed but I dunno why. I've done this multiple times with GoDaddy certs and didn't have this problem.

Anyone have any idea how to proceed for getting this cert installed?


Jonathan
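IIS only offers a certificate in the https-binding dropdown (and in Server Certificates) when the Local Machine Personal store holds it together with its private key. The key pair is created on the machine that generates the CSR, so a .crt imported on its own, or a request completed on a different server than the one that produced it, lands in the store without a key and stays invisible. The script below is an added example, not part of the original post: it finds the certificate by host name, reports whether a key is attached and whether the Server Authentication EKU is present, and, when the key is missing, asks certutil to re-attach the key generated with the CSR on this server. The host name is an assumption.

```powershell
# Added example (not from the original post): diagnose a server certificate that
# does not appear in the IIS binding list.
$hostName = 'remote.domain.com'   # assumed; use the real host name

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $true }      # no EKU extension = unrestricted
    [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
}

function Get-ServerCertState {
    param([string]$DnsName)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$DnsName*" } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey     # must be True for IIS to list it
                ServerAuthEku = Test-ServerAuthEku $_
            }
        }
}

function Repair-ServerCertKey {
    param([string]$DnsName)
    foreach ($c in Get-ServerCertState -DnsName $DnsName) {
        if ($c.HasPrivateKey) { continue }
        # The key pair exists only on the machine that generated the CSR; if the
        # request was made elsewhere, export a PFX there instead of repairing here.
        Write-Warning "No private key for $($c.Thumbprint); attempting certutil -repairstore"
        certutil -repairstore my $c.Thumbprint | Out-Null
    }
    Get-ServerCertState -DnsName $DnsName
}

Repair-ServerCertKey -DnsName $hostName | Format-List
```

If HasPrivateKey is still False after the repair, the CSR was not generated on this server (or the pending request was deleted before completion); the fix is to export the certificate with its key as a PFX from the machine that made the request and import that, or to generate a new CSR here and have it reissued. If the key is present but the cert is still not offered, check that it has not expired and that the EKU column shows True.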


Changing Provider name in OCSP Template


Hi ALL,

While installing my Issuing CA in the CAPolicy.inf I made a entry as below

[certsrv_server]
ProviderName="nCipher Security World Key Storage Provider"

Which allows my OCSP certificate template to get the 3 options in the Cryptography tab, which are below:

Microsoft smart card key storage provider

Microsoft software key Storage provider

nCipher Security World Key Storage Provider

Now my problem is that for some reason I need to have a CSP-based template, so I want the other 2 options under the Cryptography tab, which are:

nCipher Enhanced Cryptographic Provider
nCipher Enhanced RSA and AES Cryptographic Provider

So is there a way to add them without uninstalling the Issuing CA and reinstalling the Issuing with those value present in CAPolicy.inf ?

 

Firewall ports needed for remote management?


Hey guys,

Does anyone know the ports needed so that I can remotely connect to other Win7 computers through compmgmt.msc, regedit, msinfo32, remote rsop.msc, etc.? I think those are just RPC connections, but not sure. Is it TCP 135?

Thanks,

Dan


Dan Heim




How to force password policy requirements on password resets for user accounts reset by the Administrator?


OS: Windows Server 2008 R2 Enterprise

Domain Level: 2008

Forest Level: 2000

We have Domain Administrators in our domain that reset passwords for user accounts, and the passwords the Administrators set them to are not being forced to follow our default domain password policy. For example, I log on to the domain controller as an administrator and can reset a password for a user account to be blank.

Is there a reason Domain Administrator password resets for user accounts are not enforced by our default domain password policy? Is there a way to enforce this on password resets by Domain Admins? 

MSS settings in GPO


hi Guys,

How do I show the MSS settings in Windows 2012 R2? SCM doesn't seem to be able to install on the OS.

Regards

Seng Leng

Email encryption and signing steps for internal Microsoft PKI


Hello All.

Our company has an internal PKI system we use for many things. We want to extend it so that we can use it for email encryption and signing, as well as document signing, internally in the company. So can anyone please point me to an article which gives me the steps to achieve it, starting from defining the certificate template to issuing a certificate to a user which he can use for email encryption and signing, as well as the same for document signing.

Revocation Server Offline Error (0x80092013)


Here is our infrastructure:

Offline root - Server 2012 Standard
Intermediate CA that issues certificates - Server 2012 Standard
PKI server (CDP and AIA over http url) - Server 2012 Standard

Here is the URL configuration for CDP and AIA:

CDP: http://pki.domain.org/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
AIA: http://pki.domain.org/<ServerDNSName>_<CaName><CertificateName>.crt

CRL has 180 day validity period and is generally renewed every 5 months from the offline root CA

I am trying to set up Hyper-V replication over HTTPS so I published a certificate and everything seems fine up to the point where I hit the apply button in the Hyper-V console and it comes up with the error in the following image (thumbprint removed just cuz).

Not sure if this is relevant but I am running Hyper-V Server 2012 but also recreated this issue on Server 2012 R2 Datacenter. I have run the tests described in the following paragraph on both servers and both had the same results.

I might add that If I choose a cert from a previously set up 2008 R2 Standard CA Root/issuing server (remnants from previous admin) that is used for Client and Server Authentication, I do not receive this error although I am not familiar with how that previous setup was accomplished except that it is a standalone.

I have gone back and forth with different certutil commands (such as urlfetch, user urlfetch, and url retrieval tool) and the results are always successful and always says that leaf certificate revocation check passed. I have even run this as SYSTEM and NETWORKSERVICE accounts and always seem to have successful results. I do not want to use the workaround of bypassing the CRL check for fear that there is a greater underlying problem. I have recently created a new CRL from the offline root and copied to the CDP and AIA directory so the CRL should not be expired (nor were expiration errors reported). I will admit that I'm novice at certificate authority management so please excuse my ignorance. Please let me know if there is any more information needed or correct me if I misspoke in any part. Thank you in advance for your time!
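0x80092013 is CRYPT_E_REVOCATION_OFFLINE: the chain engine could not obtain a usable CRL for some element of the chain. Because the CRL cache and proxy settings are per account, a check that succeeds for the logged-on admin can still fail for a service validating under its own account, which is the first thing to rule out when certutil -verify -urlfetch passes but the application does not. The script below is an added example, not part of the original post: it builds the chain for the Hyper-V certificate with online revocation checking on the entire chain and prints the status and CDP URLs of every element, so a failure can be tied to one certificate and one URL. The thumbprint is a placeholder; run it once as the admin and once as SYSTEM (for example under psexec -s) and compare.

```powershell
# Added example (not from the original post): per-element revocation status
# of a certificate chain.
$thumbprint = 'REPLACE_WITH_THUMBPRINT'   # placeholder; the Hyper-V cert's thumbprint

function Get-CdpUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 = CRL Distribution Points; Format() yields "...URL=http://..." text
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($false), 'URL=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CertRevocation {
    param([string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $valid = $chain.Build($cert)

    $elements = foreach ($el in $chain.ChainElements) {
        $status = if ($el.ChainElementStatus) {
            ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ' } else { 'OK' }
        [pscustomobject]@{
            Subject = $el.Certificate.Subject
            Status  = $status
            CdpUrls = (Get-CdpUrls $el.Certificate) -join ' '
        }
    }
    [pscustomobject]@{
        Valid    = $valid
        Elements = $elements
        Summary  = $chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())" }
    }
}

$r = Test-CertRevocation -Thumbprint $thumbprint
$r.Elements | Format-Table -Wrap -AutoSize
$r.Summary
```

RevocationStatusUnknown or OfflineRevocation on an element means that element's CDP URLs, as printed, could not be fetched or returned an expired CRL in the account the script ran under; certutil -urlcache crl delete clears that account's cached copies before a retry. The root is the element to watch in a two-tier setup with an offline root: its CRL is the one that is copied to the CDP by hand, and a stale copy there surfaces exactly as this error while every other check on the intermediate passes.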



Certificate enrollment and expired certificates


We are setting up a wireless network to use certificates. I plan to set up auto-enrollment with our CA server so each machine gets its own unique certificate; however, the server sets the certificates to expire 1 year after you get a cert from the CA server.

How can you set it up so these certificates go to the CRL and they can request a new one automatically before the other one expires, as this will cause a major issue as everything will stop working?

Auditing File Deletion


On a SBS 2011 Server, I've enabled the Object Access Audit File System Success.

When checking the logs I see mostly read attributes activity.

Reading attributes seems to cloud the logs.  

How can this be configured to capture only deletions, creations and updates?
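The noise comes from the SACL, not from the audit policy: an audit entry for Success on "Full control" or "Read" logs every ReadAttributes that Explorer performs. The script below is an added example, not part of the original post: it replaces the audit entries for one principal on a folder with a rule that covers only delete, create and write rights (no read rights at all), and enables only the File System subcategory rather than the whole Object Access category. The folder path and principal are assumptions; it must run elevated because writing a SACL needs the SeSecurityPrivilege.

```powershell
# Added example (not from the original post): audit changes and deletions only.
$folder    = 'D:\Shares\Finance'   # assumed path
$principal = 'Everyone'            # assumed principal

function Set-ChangeOnlyAudit {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path -Audit

    # Remove the existing audit entries for this identity (typically the broad
    # "Full control / Success" rule that produces the ReadAttributes flood).
    foreach ($old in @($acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount]))) {
        if ($old.IdentityReference.Value -eq $Identity) { [void]$acl.RemoveAuditRule($old) }
    }

    # Only rights that change the file system. CreateFiles is also WriteData,
    # CreateDirectories is also AppendData; ReadAttributes/ReadData are absent.
    $rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Show what is now audited
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
        Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
}

# Enable only the File System subcategory instead of all of Object Access
auditpol /set /subcategory:"File System" /success:enable /failure:disable

Set-ChangeOnlyAudit -Path $folder -Identity $principal
```

With that SACL, deletions show up as 4663 events whose Accesses field contains DELETE (together with a 4660 "object was deleted" event carrying the same handle ID), creations and writes as 4663 with WriteData/AppendData, and the attribute reads stop appearing. If a subset of the old entries should stay, drop the removal loop and add the new rule alongside them.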

Software Restriction Policy batch vs vbs


Hi there,

I have recently implemented a Software Restriction Policy on a Computer level with Disallowed level as default.

I whitelisted the \\mydomain\SysVol so that my Group Policies could run.

I have a few batch files that run upon user logon. The batch files run but the commands within them do not; they are being "access denied".

example of one of the batch files:

sc start servicexyz, taskkill processxyz

if I were to convert my batch script into a vb script, would vb script be treated as a single file? unlike batch file which makes calls to other executables.

Thanks,


Blocking a SERVICE from logging ONLY SECURITY events


Hi,

Is there a way to block a particular service from logging security events on Windows Server 2008? I want that service to have access to all other event logs like Application, System, etc., but only restrict access to the Security log when logged in as an administrator.

Thanks! 

Bitlocker issues in business enviroment


We're piloting Windows 7 for 50 users and I applied BitLocker during machine installation. Password recovery keys are written to AD fine. BitLocker advanced tools are not installed. The problem is that some users have been reporting that BitLocker sometimes requires the recovery password during startup. I know theoretically why this usually happens, but is there any way to track down the real reason for BitLocker requiring the recovery password?

Another question - is there any way to give users rights to suspend and decrypt the system drive?

