Channel: Security forum

Unable to select "Use TLS 1.1" and "Use TLS 1.2"


Hi,

In order to connect via VPN to one of our clients' networks, it is required to have the IE browser configured to use TLS 1.1 and TLS 1.2.  If I try to check the boxes next to them under IE Tools/Internet Options/Advanced while running IE 11, the boxes are greyed out and I cannot select them.  I get the same behavior if I right click on the IE icon to run it as an administrator.  My computer is a personal laptop running Windows 7 Home Edition that is not controlled by any group policy.  Is there a way I can change these settings in IE 11?

By the way, I have a desktop computer at home, also running IE 11 on Windows 7 Home Edition like my laptop and I was able to check the boxes to use TLS 1.1 and 1.2 without any issues.

I log in with an account with administrator rights on both computers.  Why am I allowed to change one and not the other?

Regards,

Willie Torres
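The "Use TLS 1.x" checkboxes are backed by the SecureProtocols registry value, and a copy of that value in a policy key takes precedence over the user's own setting and leaves the boxes disabled. The script below is an added example, not code from the post: it decodes SecureProtocols from the user hive and from the two policy keys so you can see which one is pinning the setting. It assumes PowerShell 3.0 or later; the bit values are the SecureProtocols flags used by WinINet.

```powershell
# Added example, not from the original post: decode the SecureProtocols DWORD that backs
# the "Use TLS 1.x" checkboxes and show whether a policy hive is overriding the user value.
# Bit values are the SecureProtocols flags used by WinINet/Internet Explorer.
$protocolBits = [ordered]@{
    'SSL 2.0' = 0x08
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

# The per-user value (what the Advanced tab writes) and the two policy keys that, when
# present, take precedence and leave the checkboxes greyed out.
$locations = [ordered]@{
    'HKCU user setting' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    'HKCU policy'       = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    'HKLM policy'       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
}

function Get-SecureProtocolsReport {
    foreach ($entry in $locations.GetEnumerator()) {
        $value = $null
        if (Test-Path $entry.Value) {
            $value = (Get-ItemProperty -Path $entry.Value -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
        }
        if ($null -eq $value) {
            [pscustomobject]@{ Location = $entry.Key; Raw = '(not set)'; Enabled = '' }
            continue
        }
        # Collect the names of every protocol whose bit is set in the DWORD
        $enabled = foreach ($p in $protocolBits.GetEnumerator()) {
            if (($value -band $p.Value) -ne 0) { $p.Key }
        }
        [pscustomobject]@{
            Location = $entry.Key
            Raw      = '0x{0:X}' -f $value
            Enabled  = $enabled -join ', '
        }
    }
}

Get-SecureProtocolsReport | Format-Table -AutoSize
```

If either policy row shows a value, that is what the Advanced tab is displaying and why the boxes cannot be changed there; the user-setting row is what a machine without such a key (like the desktop in the post) is using.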


Problem with CertEnroll library and request with Subject Alternative Names created with certreq


I have generated a certificate request with SANs using an inf file like this:

[Version] 
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=someone,DC=acme,DC=com"
KeyLength = 2048
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dn=CN=someoneelse,DC=acme,DC=com"

If I submit the request, the certificate includes the SAN correctly.

My problem is that I need to read the request file programmatically:

using CERTENROLLLib;
using System;

class Program {

    const string RequestString = @"-----BEGIN NEW CERTIFICATE REQUEST-----...";

    static void Main(string[] args) {
        CX509CertificateRequestPkcs10 request = new CX509CertificateRequestPkcs10();
        request.InitializeDecode(RequestString, EncodingType.XCN_CRYPT_STRING_BASE64_ANY);
        Console.WriteLine("Subject: {0}", request.Subject.Name);
        foreach (IX509Extension ext in request.X509Extensions) {
            if (ext.ObjectId.Name == CERTENROLL_OBJECTID.XCN_OID_SUBJECT_ALT_NAME2) {
                CX509ExtensionAlternativeNames extensionAlternativeNames = new CX509ExtensionAlternativeNames();
                // Following line fails with this COMException:
                // The requested property value is empty. (Exception from HRESULT: 0x80094004)
                string rawData = ext.RawData[EncodingType.XCN_CRYPT_STRING_BASE64];
                extensionAlternativeNames.InitializeDecode(EncodingType.XCN_CRYPT_STRING_BASE64, rawData);
                foreach (CAlternativeName alternativeName in extensionAlternativeNames.AlternativeNames) {
                    Console.WriteLine("SAN: {0}", alternativeName.strValue);
                }
            }
        }
    }

}

The same code works perfectly if I generate a request with SANs using openssl, for example.

Any hints?

Thanks,
Paolo 


Paolo Tedesco - http://cern.ch/idm


Windows Server 2008 firewall. Inbound connection is blocked as outbound?


I connect using "Computer Management" from computer A to computer B. Both computers are Windows Server 2008 x64 with all current hotfixes. The connection succeeds, and I don't even try to open any of the sub-snapins.

But computer A (the connection source) logs the following event in its System Log:

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          9/13/2008 8:59:58 PM
Event ID:      10006
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      <Computer A name's here>
Description:
DCOM got error "2147944122" from the computer <Computer B FQDN's here> when attempting to activate the server:
{03837521-098B-11D8-9414-505054503030}


And computer B (the connection destination) logs the following two events (three times each) in its Security Log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/13/2008 9:00:11 PM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      <Computer B name here>
Description:
The Windows Filtering Platform blocked a packet.

Application Information:
 Process ID:  568
 Application Name: \device\harddiskvolume1\windows\system32\services.exe

Network Information:
 Direction:  Inbound
 Source Address:  <Computer B IP's here>
 Source Port:  57144
 Destination Address: <Computer A IP's here>
 Destination Port:  63485
 Protocol:  6

Filter Information:
 Filter Run-Time ID: 0
 Layer Name:  Receive/Accept
 Layer Run-Time ID: 44

and

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/13/2008 9:00:11 PM
Event ID:      5157
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      <Computer B name here>
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
 Process ID:  568
 Application Name: \device\harddiskvolume1\windows\system32\services.exe

Network Information:
 Direction:  Inbound
 Source Address:  <Computer B IP's here>
 Source Port:  57144
 Destination Address: <Computer A IP's here>
 Destination Port:  63485
 Protocol:  6

Filter Information:
 Filter Run-Time ID: 0
 Layer Name:  Receive/Accept
 Layer Run-Time ID: 44

Well, I already know that events 5152 and 5157 are nearly the same, so we need to look only into one of them in each case. But what's next?

It seems to me that the firewall here treats the initial connection and a response as two different connections. So it allows the initial connection (from A to B) because I have some rules in place that are supposed to allow remote management. But then it blocks the response (from B to A). In this case, looking at the separate connection from B to A, I guess it should treat it as outbound and not filter it at all. But it still calls it "Inbound" for some reason, applies some firewall rules and blocks it.

Are my assumptions wrong? What is the explanation for this behaviour? How do I prevent the packets from being blocked?
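Working through events like the two above by hand gets tedious once they repeat. The script below is an added example, not code from the post: it reads 5152/5157 events from the Security log, flattens the EventData fields shown in the post (application, direction, addresses, ports, layer and filter IDs) into objects, and groups them so the repeated flow stands out. It assumes PowerShell 3.0 or later and that Filtering Platform failure auditing is enabled, as it evidently is on computer B.

```powershell
# Added example, not from the original post: read WFP block events (5152 packet drop,
# 5157 connection blocked) from the Security log and flatten their EventData so they can
# be grouped. Assumes PowerShell 3.0+ and that Filtering Platform failure auditing is on.
$directionNames = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }

function Get-WfpBlockEvent {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 500
    )
    $filter = @{ LogName = 'Security'; Id = 5152, 5157; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of <Data Name="..."> nodes; turn it into a lookup table
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                Application = $data['Application']
                ProcessId   = $data['ProcessId']
                Direction   = $directionNames[$data['Direction']]
                Source      = '{0}:{1}' -f $data['SourceAddress'], $data['SourcePort']
                Destination = '{0}:{1}' -f $data['DestAddress'], $data['DestPort']
                Protocol    = $data['Protocol']     # 6 = TCP, 17 = UDP
                LayerId     = $data['LayerRTID']    # 44 = Receive/Accept in the post
                FilterId    = $data['FilterRTID']   # 0 = no explicit filter matched
            }
        }
}

# The same application, direction and destination repeating is the pattern in the post:
# group on those three fields to see which flows are being dropped and how often.
Get-WfpBlockEvent |
    Group-Object Application, Direction, Destination |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A non-zero FilterId can be matched to the responsible filter in the output of `netsh wfp show filters` (it writes filters.xml in the current directory), which is the quickest way to tell a rule you created from a built-in one.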

Windows server 2008 loses time constantly


I have a server 2008 Enterprise server that constantly loses exactly one hour. I reset it, reboot, it does it again. I checked all the obvious things. Time zone, DST, EST. I once found a command to run the time sync in cmd and ran it. It seemed to stick for a day or so, then started again. This is a virtual machine running on ESXi5 vCenter.

There is another VM in the network that does NOT have the problem. That other VM is set on the local host to sync time with the virtual machine. Maybe I should try making that same setting on the problem server and see what happens? The host time is always correct. The VM was not copied. What could be the issue?


Publish an internal simple HTTP site to the Internet and force external clients to preauthenticate


Hi

I have an HTTP site in my internal LAN domain. Recently my manager asked me to publish the web site to the internet for our external employees.

--the web site is HTTP and it is a simple site without any preauthentication.

I want to publish it in a way that forces external users to preauthenticate, and after that they can access the web site; I would prefer to use SSL.

My external users just want to use a web browser (no VPN connection or others...).

thanks



"Error Parsing Request The request subject name is invalid or too long" when trying to create a certificate from a CSR


Hi,

I am using a Windows 2008 server, SP2 with the latest updates on.  I am trying to use a .csr file that I have created on a 3rd party (Nextplane) system to create a certificate; however, when I try I get the error

Your Request Id is 0. The disposition message is "Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439)"


I have tried both the "Submit new request" against the server in the CA snap-in in MMC and also the method of using a "Router offline request" template as suggested in this thread:

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/1ba23ee0-3e69-45f2-a875-2f6206b13c9d/

I have checked the csr file using an online CSR decoder and it looks OK as far as I can tell (this is a test setup on a private network so I'm not worried about the risk of using an online decoder).  The decoder shows the 'Subject' line as having 78 characters, including spaces etc.  As the server and domain names aren't excessive I don't think that this is unusually long.

Is this likely to be the length of the subject line causing the problem or is the problem something else and the subject length just a red herring?

 

Thanks in advance for any suggestions

Neil

Is there an Active Directory audit reporting product from Microsoft?


Is there an Active Directory change control product from Microsoft? For example, an alert generated when someone adds themselves to the Domain Admins group or modifies a Group Policy object?

More specifically, is there a Microsoft product that does what "Quest Change Auditor for Active Directory" does?

http://www.quest.com/changeauditor-for-active-directory/
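Whatever product is chosen, the two examples in the question are visible in the domain controllers' Security log once the right audit subcategories are on, and a reporting tool is essentially reading those events. The script below is an added example, not code from the post or from any product: it pulls membership additions to privileged groups (events 4728, 4732 and 4756) and attribute changes on GPO containers (event 5136) and prints who did what. It assumes PowerShell 3.0 or later on a DC with Audit Security Group Management and Audit Directory Service Changes enabled; the list of groups to watch is an assumption for the example.

```powershell
# Added example, not from the original post: a detection pass over a domain controller's
# Security log for the two cases named in the question. Group membership changes are
# events 4728/4732/4756 (member added to a global/local/universal security group); GPO
# edits surface as 5136 (directory service object modified) on groupPolicyContainer
# objects. Assumes PowerShell 3.0+ with the relevant audit subcategories enabled on the DC
# (5136 also needs a SACL on the objects). The group list is an assumption for this example.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function ConvertTo-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Get-PrivilegedGroupChange {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventDataMap $_
            if ($privilegedGroups -contains $d['TargetUserName']) {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Id     = $_.Id
                    Group  = $d['TargetUserName']
                    Member = $d['MemberName']          # DN of the account that was added
                    Actor  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                    DC     = $_.MachineName
                }
            }
        }
}

function Get-GpoObjectChange {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventDataMap $_
            if ($d['ObjectClass'] -eq 'groupPolicyContainer') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    ObjectDN  = $d['ObjectDN']
                    Attribute = $d['AttributeLDAPDisplayName']   # versionNumber changes on every GPO edit
                    Value     = $d['AttributeValue']
                    Actor     = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                }
            }
        }
}

Get-PrivilegedGroupChange | Format-Table -AutoSize
Get-GpoObjectChange       | Format-Table -AutoSize
```

Run per DC (or against forwarded events), since each DC logs only the changes it processed; a membership change to Domain Admins is the row you would turn into an alert, and the Actor column is what an auditor asks for first.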

CertSvc is not starting due to database restore operation


Hi, 

Whenever I tried to start the certificate service I get the following error, 
Active Directory Certificate Services did not start: Unable to initialize the database connection for SubCA01.  Certificate service has been suspended for a database restore operation. 0x80094006 (-2146877434).

I did the following to fix the issue:
1. Repair using ESENTUTL /p "SubCA01.edb" -> Successful
2. Recovery using ESENTUTL /r edb -> Successful
3. Integrity check using ESENTUTL /g "SubCA01.edb" -> Successful

But still, when I try to start the service, I get the above error.

I am not sure which process has initiated a restore operation as mentioned in the alert. Any ideas how I can fix this? (I tried restarting the server, still the same.)

Thank you



ERROR: The process "XXXX.exe" with PID 2732 could not be terminated. Reason: Access is denied.


Hello,

I set up a new Server 2010 and I am an administrator on the local machine and on the domain.

I am trying to stop a process with the taskkill /F /IM xxx.exe command and got the error: ERROR: The process "XXXX.exe" with PID 2732 could not be terminated. Reason: Access is denied.

What should I do?

Grant access to modify membership of local administrator group


Hello,

I am an Active Directory administrator and I would like to grant a certain user access to modify the membership of the local Administrators group for computers in a specific OU only. I tried to do that via Delegation of Control to modify membership of the group; however, when he tries to modify the Administrators group of one computer in that OU, he gets an access denied message. Is there a way to do that other than Delegation of Control?



.net patches not listed in wmic qfe list


Hello,

Trying to find a way to see whether the following patch, KB2604092, and others are installed from a DOS prompt...

wmic qfe list and a query against Win32_QuickFixEngineering seem to list all but the .NET patches... is there a way to list out what .NET patches have been installed? (It'd be nice to have the KB number in the list, but if there is another way to see it that would likely work.)

Thank you
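Win32_QuickFixEngineering (the class behind wmic qfe) only reports component-based updates; updates that install as MSI patches, which is how the .NET Framework 4 updates ship, are recorded in the Windows Update history and in the Uninstall registry keys instead. The script below is an added example, not code from the post: it looks for one KB number in all three places and reports where it was found. It assumes PowerShell 3.0 or later; KB2604092 is simply the value from the question.

```powershell
# Added example, not from the original post: look for one KB in the three places a
# Windows 7 / Server 2008 R2 host records installed updates. Win32_QuickFixEngineering
# (what 'wmic qfe list' reads) lists only component-based updates; MSI-based updates such
# as the .NET Framework 4 patches are recorded in Windows Update history and in the
# Uninstall registry keys instead. Assumes PowerShell 3.0+; KB2604092 is the post's value.
function Find-InstalledKb {
    param([Parameter(Mandatory = $true)][string]$Kb)   # e.g. 'KB2604092'
    $found = New-Object System.Collections.Generic.List[object]

    # 1. Component-based servicing (same data as 'wmic qfe list')
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -eq $Kb } |
        ForEach-Object {
            $found.Add([pscustomobject]@{ Source = 'Win32_QuickFixEngineering'; Name = $_.HotFixID; Installed = $_.InstalledOn })
        }

    # 2. Windows Update Agent history (covers updates delivered by WU/WSUS, .NET included)
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        $searcher.QueryHistory(0, $count) |
            Where-Object { $_.Title -match $Kb -and $_.ResultCode -eq 2 } |   # 2 = orcSucceeded
            ForEach-Object {
                $found.Add([pscustomobject]@{ Source = 'WU history'; Name = $_.Title; Installed = $_.Date })
            }
    }

    # 3. MSI patch registrations in the Uninstall keys (native and 32-bit views)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { ($_.DisplayName -match $Kb) -or ($_.PSChildName -match $Kb) } |
            ForEach-Object {
                $found.Add([pscustomobject]@{ Source = 'Uninstall registry'; Name = $_.DisplayName; Installed = $_.InstallDate })
            }
    }
    return ,$found
}

Find-InstalledKb -Kb 'KB2604092' | Format-Table -AutoSize
```

An empty result from all three sources is a stronger "not installed" than an empty wmic qfe list alone; a hit only in the WU history or the Uninstall keys is the .NET case the question describes.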

Cert based auth act as second factor authentication in Office 365?


Team,

Looking for a second level of auth. besides SSO by ADFS 2.0 or 3.0 as primary auth.

Bing gave me the option of MFA by Office 365, but we don't want to go with it.

Looking at the TechNet article: http://technet.microsoft.com/en-us/library/dn554247.aspx

Primary Auth can be achieved using:

  • Windows Integrated Authentication using Negotiate for Kerberos & NTLM
    OR
  • Forms Authentication using username/passwords

Secondary Auth: can that be achieved using Certificate Authentication?

  • The certificate must map to the user account in AD DS by either of the following methods:

    • The certificate subject name corresponds to the LDAP distinguished name of a user account in AD DS.
    • The certificate subject altname extension has the user principal name (UPN) of a user account in AD DS.

I guess the article doesn't clearly state that cert authentication can act as a second level of auth.

Team, if it can, then the question is what is the procedure to configure it, and is there any architecture-level overview that clarifies the ports and connectivity mechanism?

Three tier PKI - support both SHA-1 and SHA-2


Hey guys,

We're about to implement a new three-tier PKI - root, intermediate and issuing CAs... is it possible to have the root and intermediate configured as SHA-1, and have multiple issuing CAs - some SHA-1 and some SHA-2, or do the SHA-2 issuing CAs need to be signed by a SHA-2 certificate chain?

Thanks in advance


Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable


I'm getting the auto-enrollment error above not because of a configuration error but for the reason that the Root CA machine was taken out of service and disposed of! So the unable to contact is a true error. The machine no longer exists!

I have checked the expiration date of the certificate using certmgr in the AD servers (Three Windows 2008 server cluster) and I have found different expiring dates for the same certificate as described below. 

Trusted Root Certification Authorities > CONTOSO-CA (exp 17/05/2018)

Intermediate Certification Authorities > CONTOSO-CA (exp 17/05/2018)

Active directory User Object > CONTOSO-CA (exp 17/05/2014)

We currently have an AD cluster made up of three Windows Server 2008 servers, and no Certificate Authority role is currently installed on any of them.

I also have seen using certmgr that all machines in the company have the certificate CONTOSO-CA in the following way:

Trusted Root Certification Authorities > CONTOSO-CA (exp 17/05/2018)

Intermediate Certification Authorities > CONTOSO-CA (exp 17/05/2018)

Active directory User Object > Not present

My question is, can I safely decommission the certificate? What will be the impact of this certificate (Active directory user object) expiring?

Thanks in advance
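Both this question and the three-tier SHA-1/SHA-2 one above come down to reading what is actually in the stores and in the chain: which copies of a CA certificate exist, when each expires, and which hash each certificate in a chain was signed with. The script below is an added example, not code from either post: the first function lists every certificate in the machine Root, CA and My stores whose subject matches a name (CONTOSO-CA, the name from the post), with store, thumbprint, expiry and signature algorithm; the second builds the chain for a leaf certificate and reports the signature hash tier by tier. It assumes PowerShell 3.0 or later.

```powershell
# Added example, not from either post: (1) list every certificate in the machine stores
# whose subject matches a name (CONTOSO-CA, the name from the post), with store, expiry
# and the hash used in its signature, and (2) build the chain of a leaf and report the
# signature hash at each tier. Assumes PowerShell 3.0+.
function Get-CaCertificateReport {
    param([string]$SubjectPattern = 'CONTOSO-CA')
    foreach ($store in 'Root', 'CA', 'My') {
        Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -match $SubjectPattern } |
            ForEach-Object {
                $cert = $_
                $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint     # tells two copies with the same name apart
                    NotAfter   = $cert.NotAfter
                    SigAlg     = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
                    IsCA       = [bool]($bc -and $bc.CertificateAuthority)
                }
            }
    }
}

function Get-ChainHashReport {
    param([Parameter(Mandatory = $true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # structure and hashes only; revocation is a separate check
    $null = $chain.Build($Certificate)
    $tier = 0
    foreach ($el in $chain.ChainElements) {
        [pscustomobject]@{
            Tier    = $tier                       # 0 = leaf, highest = root
            Subject = $el.Certificate.Subject
            SigAlg  = $el.Certificate.SignatureAlgorithm.FriendlyName
            Status  = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
        $tier++
    }
}

Get-CaCertificateReport | Format-Table -AutoSize
$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if ($leaf) { Get-ChainHashReport -Certificate $leaf | Format-Table -AutoSize }
```

The SigAlg on each certificate is the hash its issuer used when signing it, which is why the per-tier view matters for the SHA-1/SHA-2 question: an issuing CA's own certificate carries the hash chosen by the intermediate that signed it, while the end-entity certificates it issues carry the hash that issuing CA is configured with, so the two can differ within one chain. For the decommissioned-CA question, the thumbprint column distinguishes the two CONTOSO-CA copies with different expiry dates before anything is removed.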

How could I know whether Microsoft patch need reboot or not ?


We use Windows 2003 R2, Windows 2008 R2 and so on in the domain environment.

When we apply a Microsoft-provided patch, is there any way to know in advance whether it needs an OS reboot?
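Each update that the Windows Update Agent offers carries a declared reboot behaviour (never, always, or may request one), which can be read before anything is installed; separately, the OS keeps markers that say a reboot from an earlier install is still outstanding. The script below is an added example, not code from the post: it lists applicable updates with their declared RebootBehavior via the Microsoft.Update.Session COM API and checks the pending-reboot markers. It assumes PowerShell 3.0 or later; the COM API exists on both 2003 R2 and 2008 R2.

```powershell
# Added example, not from the original post: before installing, ask the Windows Update
# Agent what each applicable update declares about rebooting
# (IUpdate.InstallationBehavior.RebootBehavior), and check the markers that show a
# reboot is already pending from an earlier install. Assumes PowerShell 3.0+.
$rebootBehaviorNames = @{ 0 = 'NeverReboots'; 1 = 'AlwaysRequiresReboot'; 2 = 'CanRequestReboot' }

function Get-UpdateRebootBehavior {
    # Default criteria: software updates not yet installed; the search can take a few minutes
    param([string]$Criteria = "IsInstalled=0 and Type='Software'")
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $result = $searcher.Search($Criteria)
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB     = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Title  = $u.Title
            Reboot = $rebootBehaviorNames[[int]($u.InstallationBehavior.RebootBehavior)]
        }
    }
}

function Test-PendingReboot {
    # Component Based Servicing exists from Vista/2008 on; the other two markers apply to 2003 R2 too
    $cbs  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfro = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    [pscustomobject]@{
        CbsRebootPending  = $cbs
        WuaRebootRequired = $wua
        PendingFileRename = [bool]$pfro
        RebootNeededNow   = ($cbs -or $wua -or [bool]$pfro)
    }
}

Test-PendingReboot
Get-UpdateRebootBehavior | Format-Table -AutoSize
```

CanRequestReboot is the common case for OS updates and means the answer is only known after installation (the installer reports it at that point), so for change planning treat it like AlwaysRequiresReboot; NeverReboots is the only value that guarantees no reboot.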


mrtstub.exe malware or not?

So, I've been having a malware problem, and I found the file mrtstub.exe, and of course I search for it on the internet and a site says that it is malware and to remove it.  So, I did.  When I first tried to run the MS Removal Tool, it said that it could not run and something about mrtstub.exe.  A few minutes later, I tried to run it again, and it ran.  Matter of fact, it is still scanning.  Now, I've got this file on my system again (I don't know how).  What gives?  Is it legit and a valid MS file, or not?

Thanks in advance for your help!

--JSS
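A file name by itself proves nothing either way; what can be checked is whether each copy on the disk carries a valid Authenticode signature, who signed it, what its version resource says, and its hash for cross-referencing. The script below is an added example, not code from the post: it finds every copy of the named file on the system drive and reports those properties. It assumes PowerShell 3.0 or later; the file name is the one from the post.

```powershell
# Added example, not from the original post: rather than trusting a web page's verdict on
# a file name, check the Authenticode signature, the signer and the version resource of
# every copy of the file on the system drive, and record a SHA-256 for cross-checking.
# Assumes PowerShell 3.0+; the file name is the one from the post.
function Get-FileTrustReport {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $sha    = New-Object System.Security.Cryptography.SHA256Managed
    $digest = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($Path))) -replace '-', ''
    $ver    = (Get-Item $Path).VersionInfo
    [pscustomobject]@{
        Path      = $Path
        SigStatus = $sig.Status                          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Company   = $ver.CompanyName
        Product   = $ver.ProductName
        Version   = $ver.FileVersion
        SHA256    = $digest
    }
}

function Find-NamedExecutable {
    param([string]$Name = 'mrtstub.exe', [string]$Root = "$env:SystemDrive\")
    # -Force includes hidden/system folders; access-denied folders are skipped silently
    Get-ChildItem -Path $Root -Filter $Name -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-FileTrustReport -Path $_.FullName }
}

Find-NamedExecutable | Format-List
```

A copy whose SigStatus is Valid and whose signer subject is Microsoft's is consistent with a component of the Malicious Software Removal Tool; an unsigned or HashMismatch copy with the same name is the one that warrants removal and a look at how it arrived. The SHA-256 lets you compare copies across machines or against a vendor's published hashes without uploading the file anywhere.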

because of security error we can not connect to remote computer


remote desktop disconnected

because of security error, the client could not connect to the remote computer. Verify that you have logged on to the network, and then try connecting again

Cannot export private key: "key not valid for use in specified state"


Hi,

This is a bit of a long story but I hope someone can give us some guidance.

We use authentication certificates issued from our own Enterprise CA to control user and machine authentication via RADIUS/NPS for our wireless network.  Certificates are deployed via group policy/autoenrollment. In general this works well but we have an intermittent problem where user authentication stops working for a user who was fine before. The user certificate looks OK via Certmgr (shows as valid, shows that there is a private key associated with the certificate).  The NPS server logs show that the machine has been authenticated and granted access, but the user in this situation doesn't show up in the server logs at all. 

The only solution in this case is to connect to the wired network and request a new certificate for the user (either via certmgr or just by deleting the duff cert and logging off/on again to get the cert via autoenrollment).

The interesting thing is that while a "working" certificate can be exported with no problem, a duff certificate cannot be exported with its private key, giving the error "key not valid for use in specified state". (Obviously the certificates come from the same template, and the key is not marked unexportable).  The key files are present in %userprofile%\Appdata\Roaming\Microsoft\Crypto\RSA and the user permissions on these files look correct.

After much searching of the forums I tried running certutil -repairstore on the duff certificate and that also returned the same error.  I also tried an undocumented switch, Certutil -user -key -v, and again got a very similar error: "Loadkeys returned key not valid for use in specified state. 0x8009000b (-2146893813)".

I'm assuming that the fact that the key is unexportable/corrupt is also the reason why the certificate can no longer be used for authentication.

Does anyone have any clues as to what might be causing this, and/or if a certificate with a key in this state can be repaired?

Thanks!
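The symptom in the post (certificate looks valid, private key present, but the key cannot be opened) can be tested for directly instead of waiting for the user to lose wireless access. The script below is an added example, not code from the post: it walks the user's personal store and, for each certificate that claims a private key, tries to open the CAPI key container and reports the container's file name (which is the file under %userprofile%\AppData\Roaming\Microsoft\Crypto\RSA) or the error. It assumes PowerShell 3.0 or later and runs as the affected user.

```powershell
# Added example, not from the original post: flag certificates in the user's personal
# store whose private key cannot be opened, the state the post describes, so they can be
# repaired or re-enrolled before the user loses wireless access. Assumes PowerShell 3.0+.
function Test-UserCertificateKeys {
    param([string]$Store = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem $Store) {
        $state  = 'NoPrivateKey'
        $detail = ''
        if ($cert.HasPrivateKey) {
            try {
                # Opens the CAPI key container; a broken container throws here, which is the
                # same failure certmgr shows as "key not valid for use in specified state".
                $key = $cert.PrivateKey
                if ($null -eq $key) {
                    $state  = 'KEY ERROR'
                    $detail = 'PrivateKey returned null (CNG key or inaccessible container)'
                } else {
                    $info   = $key.CspKeyContainerInfo
                    $state  = if ($info.Exportable) { 'OK (exportable)' } else { 'OK (not exportable)' }
                    $detail = 'Container file: ' + $info.UniqueKeyContainerName
                }
            } catch {
                $state  = 'KEY ERROR'
                $detail = $_.Exception.Message
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            KeyState   = $state
            Detail     = $detail
        }
    }
}

$report = Test-UserCertificateKeys
$report | Format-Table -AutoSize

# Certificates to hand to 'certutil -user -repairstore my <thumbprint>' or to re-enroll:
$report | Where-Object { $_.KeyState -eq 'KEY ERROR' } | Select-Object Subject, Thumbprint, Detail
```

Run periodically as a logon script that writes the KEY ERROR rows to a central share, this gives you the list of users who will fail 802.1X authentication next, together with the thumbprints the repair or re-enrollment step needs.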

Remote desktop connecting to another machine


We have a web server which is located outside our Windows domain, and we have been accessing the machine using Remote Desktop by entering the IP address and password until this morning. When I enter the computer's IP address it brings up the Remote Desktop login window, which clearly indicates the IP address on top, but it rejects the access credentials we have been using for some time now. Since I am the administrator of our domain network I tried to enter my domain password, but it instead logged me into another machine which is within our domain. I have tried to restart the machine from the remote site but nothing is changing.

Thanks

copy CRLs after certutil -CRL


hi!

I am trying to copy CRLs automatically to another server (running under Linux). So what I do is:

certutil -crl, and then scp the files to somewhere.

When I do this as a Domain Admin, it works; when I do this as a user with local admin rights, I get at the certutil -CRL step:

0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Since I want to let this run as a scheduled Task I would prefer a local admin account.

What am I missing?

Yours, Ralf


Ralf Wigand, MVP Windows Server:Directory Services
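Publishing a CRL with certutil -crl is a CA operation, not a local-machine one: the account needs the CA's "Manage CA" permission (granted on the CA's Security tab in the Certification Authority console), which is why a local administrator without it gets ERROR_ACCESS_DENIED while a Domain Admin, who normally has it, does not. The script below is an added example, not the poster's script: it is a scheduled-task body that publishes the CRL, checks certutil's exit code rather than assuming success, and only then copies the .crl files to the Linux host, logging each step. The scp target, log path and scp client are placeholders; it assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: a script for the scheduled task that
# publishes a new CRL, checks certutil's exit code instead of assuming success, and only
# then copies the CRL files to the Linux host. Publishing with 'certutil -crl' needs the
# CA's "Manage CA" permission; a local administrator without it gets the
# ERROR_ACCESS_DENIED from the post. The scp target and log path are placeholders.
# Assumes PowerShell 3.0+ and an scp client named scp.exe on the PATH.
$crlDir    = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'   # default CRL publish folder
$scpTarget = 'crl-host.example.com:/var/www/crl/'                      # placeholder
$logFile   = Join-Path $env:ProgramData 'crl-publish.log'              # placeholder

function Write-CrlLog {
    param([string]$Message)
    Add-Content -Path $logFile -Value ('{0} {1}' -f (Get-Date -Format s), $Message)
}

function Publish-CrlAndCopy {
    $output = & certutil.exe -crl 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Access denied here means the task account lacks "Manage CA" on the CA
        Write-CrlLog ('certutil -crl failed with exit code {0}: {1}' -f $LASTEXITCODE, ($output -join ' '))
        return $false
    }
    $files = @(Get-ChildItem -Path $crlDir -Filter *.crl -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) {
        Write-CrlLog "no .crl files found in $crlDir"
        return $false
    }
    foreach ($f in $files) {
        & scp.exe -q $f.FullName $scpTarget 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-CrlLog ('scp of {0} failed with exit code {1}' -f $f.Name, $LASTEXITCODE)
            return $false
        }
        Write-CrlLog ('published {0} ({1} bytes, modified {2})' -f $f.Name, $f.Length, $f.LastWriteTime)
    }
    return $true
}

if (-not (Publish-CrlAndCopy)) { exit 1 }   # non-zero exit makes Task Scheduler record the failure
```

Giving the task account only "Manage CA" keeps it out of Domain Admins while still letting it publish; the log file plus the task's last-run result are what you check when relying parties start reporting a stale CRL.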
