Channel: Security forum

The value in the "CSP" field appears as "Loading" when you use the Advanced Certificate Request page to submit a certificate request


To whom it may concern,

We are getting this message 'The value in the "CSP" field appears as "Loading"' when we are trying to get an Ubuntu Linux machine to enroll for a certificate, and it will not let us submit the request.  Is the problem on the client or the certificate enrollment site?  The problem does not occur on Windows IE-based machines.

Also, will Microsoft PKI web enrollment support third-party devices (BlackBerrys, iPhones/iPads/iPod touches, Macs)?  If so, what's the best way to get these devices certificates?

Thanks.


Add 2008 R2 Certificate Authority to 2008 Environment?


Hi,

Apparently Microsoft Direct Access One Time Password (OTP) issuance requires the use of a Certificate Authority that runs 2008 R2 or above. The problem is that our Certificate Services environment is all 2008 (One offline Root CA, one offline Policy CA and four online issuing CAs). Would it be at all possible to add an additional 2008 R2 CA to the environment without harm?

Thanks!

Patrick

External Site Certificates Issued By Internal Root CA?


So I've been noticing a kind of weird issue of late, not sure how long it's been going on. We currently have an Enterprise PKI environment with an offline Root and Policy CA and an online Issuing CA, running on Server 2008 R2 currently. Anyways, the weird thing is best explained by a screenshot.

As you can see, the cert for Twitter shows as being issued by our internal PKI. If I look at the chain, it shows our CAs in the chain validating it. Is this normal? Or is something wonky going on here? Are these certs being validated correctly?

CertSvc is not starting due to database restore operation


Hi,

Whenever I try to start the certificate service I get the following error:
Active Directory Certificate Services did not start: Unable to initialize the database connection for SubCA01.  Certificate service has been suspended for a database restore operation. 0x80094006 (-2146877434).

I did the following to fix the issue:
1. Repair using ESENTUTL /p "SubCA01.edb" -> Successful
2. Recovery using ESENTUTL /r edb -> Successful
3. Integrity check using ESENTUTL /g "SubCA01.edb" -> Successful

But still, when I try to start the service I get the above error.

I am not sure which process initiated a restore operation as mentioned in the alert. Any ideas how I can fix this? (I tried restarting the server, still the same.)

Thank you


Securing Windows Server 2012 using RETINA recommendations breaks SYSPREP


When locking down Windows Server 2012, some vulnerability scanners recommend disabling the Task Scheduler service.  This should be done with GPO after the image is created.  Applying the setting prior to running SYSPREP on the OS will cause SYSPREP to fail with a fatal error.

Sysprep produces the following message:

System Preparation Tool 3.14
A fatal error occurred while trying to sysprep the machine.

The sysprep setuperr.log contains entries similar to:

2014-05-06 14:20:27, Error                 SYSPRP SPPNP: Failed to find task '\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers'. hr = 0x80070003[gle=0x00000003]
2014-05-06 14:20:27, Error                 SYSPRP WSLicenseCleanUpState failed with hr=80070003
2014-05-06 14:20:27, Error      [0x0f0082] SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'WSLicenseCleanUpState' from C:\Windows\System32\wsclient.dll; dwRet = 0x80070003
2014-05-06 14:20:27, Error                 SYSPRP ActionPlatform::ExecuteAction: Error in executing action; dwRet = 0x80070003
2014-05-06 14:20:27, Error                 SYSPRP ActionPlatform::ExecuteActionList: Error in execute actions; dwRet = 0x80070003
2014-05-06 14:20:27, Error                 SYSPRP SysprepSession::Execute: Error in executing actions from C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml; dwRet = 0x80070003
2014-05-06 14:20:27, Error                 SYSPRP RunPlatformActions:Failed while executing SysprepSession actions; dwRet = 0x80070003
2014-05-06 14:20:27, Error      [0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x80070003
2014-05-06 14:20:27, Error      [0x0f00a8] SYSPRP WinMain:Hit failure while processing sysprep generalize internal providers; hr = 0x80070003

As a solution, Task Scheduler settings are not deployed to the local GPO on the machine but are controlled at the GPO level within the domain.  Should you require the machine not to be joined to a domain, then apply the settings for Task Scheduler after sysprep and prior to production deployment.

Hopefully this helps someone, as I didn't see it anywhere else online with the same errors.


Mac MacAnanny - Engineer - DoD - Office of the Secretary of Defense - DoD
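A pre-imaging check that applies the point above, added here as an example and not part of the original post. It assumes PowerShell 3 or later with the ScheduledTasks module (present on Server 2012); the service name `Schedule` is the Task Scheduler service, and the task path is the one named in the setuperr.log excerpt.

```powershell
# Pre-sysprep sanity check (added example, not the original poster's code).
# Confirms the Task Scheduler service has not been disabled and that the task
# the generalize pass looks for is still registered, so the image is not sealed
# in a state that makes sysprep fail with hr = 0x80070003.
$taskPath = '\Microsoft\Windows\Plug and Play\'
$taskName = 'Sysprep Generalize Drivers'

# Win32_Service exposes the start mode on PS 3 (Get-Service.StartType needs PS 5).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Schedule'"
Write-Host ("Task Scheduler service: state={0}, start mode={1}" -f $svc.State, $svc.StartMode)

if ($svc.StartMode -eq 'Disabled') {
    Write-Warning 'Task Scheduler is disabled; sysprep generalize will fail. Re-enable it before imaging and push the hardening through domain GPO after deployment.'
    # Local remediation (requires elevation); left commented so the check stays read-only:
    # Set-Service -Name Schedule -StartupType Automatic
    # Start-Service -Name Schedule
    return
}

# Only query the task store when the service is running; the cmdlet depends on it.
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if ($null -eq $task) {
    Write-Warning ("Task '{0}{1}' not found; this matches the SPPNP error in setuperr.log." -f $taskPath, $taskName)
} else {
    Write-Host ("Found task '{0}{1}' (state: {2}); safe to run sysprep /generalize." -f $taskPath, $taskName, $task.State)
}
```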



Domain Admin doesn't have local Administrator privileges


This was all done using Azure VMs.

machine: server-dc
Set up Windows 2012 R2 as a domain controller with user 'testadmin'
Domain: DEV
Added a user 'domainadmin' and made it a member of all the same groups as testadmin (including Domain Admins)

machine: server-a
Set up Windows 2012 R2 with user 'localadmin'
Joined server-a to the domain
"DEV\Domain Admins" was automatically added to the local Administrators group

Log in to server-a as "DEV\testadmin"
 - full local admin rights (because it is a member of "DEV\Domain Admins" - correct?)

Log in to server-a as "DEV\domainadmin"
 - does NOT have local admin rights, yet it is a member of "DEV\Domain Admins"

Why does "DEV\domainadmin" not have the exact same local admin rights on server-a that "DEV\testadmin" does?

Thanks,
Mike

CRL not publishing to web server in DMZ. The directory name is invalid. 0x8007010b (WIN32/HTTP: 267).


We have a Windows 2008 Root CA and a Windows 2008 Subordinate CA. We have the CRLs published to a DMZ server using a script. This has been working fine for many months. Now suddenly the CRL publishing is not working; when the script runs to publish the CRL, it gives the following message for the Subordinate CA:

CertUtil: -CRL command FAILED: 0x8007010b (WIN32/HTTP: 267)
CertUtil: The directory name is invalid.

In the event log it shows the following message:

Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: file://\\example.domain.com\updates\Adatum Issuing CA.crl.  The directory name is invalid. 0x8007010b (WIN32/HTTP: 267).

To my knowledge nothing has changed. I have already followed the article below; however, the issue still persists.

http://social.technet.microsoft.com/wiki/contents/articles/3081.ad-cs-error-the-directory-name-is-invalid-0x8007010b-win32http-267.aspx

Any suggestions would be greatly appreciated.

Account with admin privileges still prompted by UAC for admin credentials


I've just added two member servers running Windows Server 2012 R2 to my domain.  I don't wish to use the domain administrator account itself to log into these two servers, but they should have administrative privileges.  So I created an account in Active Directory and added it to the Builtin Administrators group as well as the Domain Admins group.  I can log into the new servers with that account, but I still receive prompts for admin credentials each time I attempt to access anything that requires elevation.  The weird thing is that I can simply retype the same credentials at the UAC prompt (the ones with which I just logged into the server) and they will be accepted.  So, if I'm an administrator, why is it still prompting for admin credentials?  I tried logging in as the domain admin account and those prompts do not appear.  I even went as far as to individually add this new domain account to the server's local admin group, but it has no effect.  Ultimately, I can do my job with this account, but it's a huge pain to have to type my user name and password any time I want to do something.  Does anyone have any thoughts as to what might be causing this?

Data loss prevention solution in windows server


I want to implement a DLP solution on our network. I am looking for starting points for software.

View the CRL version


Hi all,

How can I find out the version/date of the CRL downloaded on the application servers?

I would like to know whether the servers download the latest CRL.

Thanks in advance


CA - no certificate templates could be found.


Dear All,

I have a 2008 Domain Controller with the CA Server role installed, with the issue that the Web Enrollment procedure is not working properly. I can't request any certs using the web browser. Cert requests via PowerShell work fine though.

I get the following error:

"No Certificate templates could be found. You do not have the permissions to request a certificate from this CA, or an error occured while accessing the Active Directory"

I already compared the sServerConfig value in the Certdat.inc file with the dNSHostName attribute at the pkiEnrollmentService object. The values are the same (case sensitive).

I also checked the permissions on the certificate templates - they are OK, since I do the request with a domain admin account.

I appreciate any help, and thanks in advance,

Chris


No Certificate Templates could be found


This seems to be a common problem, but without a common solution. I have stood up a Server 2008 R2 SP1 member server in my domain and installed the certificate services and web enrollment components. Auto enrollment works fine, but the web enrollment portion is giving me the error that no certificate templates could be found. This is an Enterprise CA and we have created custom templates for about half of our active templates, but none of the templates appear to be visible to the web enrollment process. I need to issue certificates to systems that are in a different domain, and I cannot find a way to do that without the web enrollment service. Does the web enrollment process require special configuration to get it to work?

I have tried changing application pools so I could change to the Network service, and I have tried adding security settings to give the CA computer account read / enroll permissions on a template or two. It does not seem to matter how the template subject matter tab is configured either.

Any help would be appreciated.

From time to time, I can't verify the expiration of my client certificate on IIS.


I have an IIS web server and a CA (AD CS) server built on a 2008 R2 virtual machine.
I require a client certificate in order to access the web server.

It works very well, but FROM TIME TO TIME a 403 error code is returned.
According to the trace log (FailedReqLogFiles), a 0x80092013 error occurs.
Once this 403 error occurs, it lasts for about an hour and then everything goes back to normal.

In order to find out what the problem is, I have done this setup:

- CRL has a publication time of 1 hour
- Delta CRL has a publication time of 30 minutes.

also:
- Both web server and CA server are not on a domain but a workgroup
- The CA certificate is registered on the web server & client on the root & intermediate certificate registrar.
- Both setups are patched to the latest windows update

As far as I've checked the log:
- in the web server log (source: CAPI2), there is an event ID 53 at almost every hour for both the CRL and delta CRL,
but before the problem occurs the event ID 53 is only reported for the delta CRL and nothing for the CRL.
- By the way, in System32\config\systemprofile\AppData\LocalLow\Microsoft\X509Objects, the .crl file for the problematic update is only present for the delta CRL.
- In the CA server's IIS access log, only the delta CRL access is registered.
- Below is the log from the CA server's IIS access log (XXX-CA is for anonymity's sake):
2014-04-16 10:51:34 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
2014-04-16 10:51:39 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
2014-04-16 11:52:05 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 265
2014-04-16 12:52:22 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
2014-04-16 12:52:28 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
- I think that the 403 error is due to the fact that this CRL is not being reached, but why would this happen?
- Is there another way than restarting the OS to clear this problem in a shorter time than 1 hour?
Side note:
- this problem happens on the client setup too.
- the log is shortened, but if there is any filter to apply to get better information, please tell me.

I would appreciate any help on this matter!

nb:
this is a translation from a Japanese text.

Advice on tidying up a PKI inf on domain


Background: Root CA set up (not by me) 5 years ago on a 2003 server, and a subordinate CA on a 2008 R2 server a year ago (on a DC). I am required to retire the 2003 server (and conveniently its CA cert is about to expire).

Between the 2 servers there are some Domain Controller, Domain Controller Authentication, Directory Email Replication, Basic EFS and some manually requested certificates.

I know I can migrate the Root CA to another server, but I don't really want to carry the old Root CA name, as it refers to 2003!

Can I set up another independent Root CA to run in parallel with the old one and let the old CA cert expire?
I am fine with re-requesting the manually requested certs from the new Root CA, but will the Domain Controller, Basic EFS certs and all the others I listed above automatically get a new cert from the new CA?

Once I was happy with the new Root CA functioning, I would carry out the cleanup routine on both the old Root CA and subordinate as in:
http://support.microsoft.com/kb/889250

Anything else I should be wary of?

Windows 2003 R2 certificate authority


Hello all,

I am not sure whether this post has to be here or somewhere else. So, if the moderators consider that it should be moved to another forum, that is OK. So, here is my problem:

-- we have an old Windows 2003 R2 certificate authority, which was installed before I joined the organization.

-- we use the certificates for internal applications.

The questions are:

-- how do I identify whether the CA is standalone or enterprise?

-- if it's standalone, is there any way to transform it into an enterprise CA?

-- currently we are investigating deploying a subordinate CA (not clear if it's Enterprise or Standalone, because we don't know the type of the current one). Is it possible to use Windows 2012 as a subordinate?

Any idea/suggestion will be highly appreciated

Many thanks,



Request SAN Certificate from 2003 server to 2008 Internal CA


I'm trying to request a SAN certificate from a 2003 Server running Exchange 2007 to an internal CA running on Server 2008.

Using the MMC, Certificates (Local Computer), I can see the existing self-signed certificate, and if I right-click on the Certificates store I get the option to "Request New Certificate", but there's no Advanced Request option as I've seen when doing the same thing from a 2008 machine.

I've tried using the Request option that's available, but never get the option to even see the Web Server template (even though I've given the "Domain Computers" group access to Request Certificates).

I can create the required request from a 2008 server in the same domain, so I assume it's an issue with 2003 Server?

Any ideas?

Cheers for now

Russell

What caused the Windows 2008 R2 security events to be discarded?


Dear Support team,

I have a Windows 2008 R2 server. The security events haven't been recorded since last year.

1. The maximum log size was set to 100 MB, but the log file is 300 MB.  The retention was set to "archive the log when full, do not overwrite events".

2. The last security log entry below shows the registry key that I modified at that time. After I modified the registry value, all of the security events were discarded.

A registry value was modified.
Subject:
                Security ID:                              domain\userid
                Account Name:                        userid
                Account Domain:                     domain
                Logon ID:                                0x2c202074
Object:
                Object Name:                           \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eventlog\Security
                Object Value Name: Retention
                Handle ID:                               0x100
                Operation Type:                       Existing registry value modified
Process Information:
                Process ID:                               0x129c
                Process Name:                          C:\Windows\regedit.exe
Change Information:
                Old Value Type:                       REG_DWORD
                Old Value:                                0
                New Value Type:                      REG_DWORD
                New Value:                              4294967295

3. As far as I know, the Windows Event Log supersedes the Event Logging API beginning with the Windows Vista operating system. Here is the KB link:  http://msdn.microsoft.com/en-us/library/windows/desktop/aa385780(v=vs.85).aspx?ppud=4

And the registry key which I modified before ( \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eventlog\Security\retention ) seems to apply only to Event Logging for Windows 2003 and prior systems.

Here is the KB link:  http://msdn.microsoft.com/en-us/library/windows/desktop/aa363648(v=vs.85).aspx

May I know what caused the security events to be discarded?

Does the retention setting in the registry still work on Windows 2008?

Thanks very much.

Liu
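An audit script for the situation described in the post above, added here as an example and not the original poster's code. It reads the same Retention value the post's audit event shows (4294967295, i.e. 0xFFFFFFFF) from the registry and compares it with what the Windows Event Log service reports for the Security log; it assumes PowerShell 3 or later and an elevated session.

```powershell
# Security-log retention audit (added example, not the original poster's code).
# The legacy Retention value under the Security eventlog key: 0 = overwrite as needed,
# 0xFFFFFFFF = never overwrite, any other value = seconds to retain events.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

# REG_DWORD values come back as signed Int32 (0xFFFFFFFF reads as -1); mask to unsigned.
$retention = if ($null -ne $reg.Retention) { [uint32]([int64]$reg.Retention -band 0xFFFFFFFF) } else { $null }
$maxSize   = if ($null -ne $reg.MaxSize)   { [uint32]([int64]$reg.MaxSize   -band 0xFFFFFFFF) } else { $null }
Write-Host ("Registry: Retention = {0} (0x{1:X8}), MaxSize = {2} bytes" -f $retention, $retention, $maxSize)

if ($retention -eq 0xFFFFFFFF) {
    Write-Warning 'Retention is set to never overwrite: once the log reaches its maximum size, new security events are dropped until the log is archived or cleared.'
}

# What the Event Log service (Vista+) actually enforces for this log.
$log = Get-WinEvent -ListLog Security
Write-Host ("Event Log service: LogMode={0}, MaximumSizeInBytes={1}, FileSize={2}, IsLogFull={3}, RecordCount={4}" -f `
    $log.LogMode, $log.MaximumSizeInBytes, $log.FileSize, $log.IsLogFull, $log.RecordCount)

if ($log.FileSize -gt $log.MaximumSizeInBytes) {
    Write-Warning 'The on-disk log file is larger than the configured maximum; the size limit was changed after the file grew, as in the post (300 MB file vs. 100 MB limit).'
}
if ($log.IsLogFull) {
    Write-Warning 'The Security log reports full. Back it up and clear it (wevtutil cl Security /bu:<archive path>), or switch LogMode to AutoBackup/Circular, to resume event recording.'
}
```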

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.


I have a lot of background on this question so bear with me please. :)

I am tasked with getting our domain from 2003 to 2008 level. In order to do that, I brought up a 2008 R2 server into the domain and did dcpromo to get it to "play" with the two other 2003 DCs. All is working pretty well, except that I'm getting the auto-enrollment error above, not because of a configuration error but because, before I even came to work here, the Root CA machine was taken out of service and disposed of! So the "unable to contact" is a true error. The machine no longer exists! I'm sure I'll have to re-setup a Root CA, but I wanted some guidance on the path to take on getting from where I am (broke!) back to healthy!

thanks in advance,

Leo

MS10-049 fails to install


Hi,

The server fails to apply the patch on a Windows Server 2008 R2 64-bit machine that has been running for quite a while.  I have checked to see if it was previously installed, but it has not been.

The error message below says this update is not applicable to your computer?

Any ideas appreciated

Kerberos Ticket - Can an expired ticket cause an account to be locked out?


Hi All,
Would someone be able to say if the inability to fetch a Kerberos ticket can cause an account to be locked out?

I'm getting the following messages in my logs:

May  2 18:39:03 208.86.142.142 Juniper: 2014-05-02 18:40:26 - ive - [XX.XX.XX.XX] myUser(myOU)[Group1, Group2] - Fetch Kerberos TGT for user myUser, realm myDomain.lab failed: Credential validation failed against mydc_IP
May  2 18:39:03 208.86.142.142 Juniper: 2014-05-02 18:40:26 - ive - [XX.XX.XX.XX] myUser(myOU)[Group1, Group2] - Web SSO: Authentication successful. Credential Used: Username: myUser, Error: (3) Invalid password, Realm: myDomain.lab, Auth Type: (32) Kerberos, Cred Type: (0) System Credential, Target: server1.myDomain.lab, Password: XXXXXX, Server Realm: myDomain.lab, 

Any thoughts would be greatly appreciated.
Thanks, Nik
