Channel: Security forum
Viewing all 12072 articles
Browse latest View live

Very slow login smart card

I have a problem with a user who logs in through the smart card: it takes a few minutes to log on. Another user on the same station logs in in a few seconds. The user who takes several minutes to log on, when trying to log on to another station, is logged out immediately. What could be the problem? How can I diagnose it? Can I set up monitoring that shows what the problem is?

Unable to Download CDP from ldap path


My certificates expired and I needed to renew my issuing CA certificate from the offline root. Using certutil -dspublish I published the new root certificate and the new root CRL file. 

Now within the Enterprise PKI MMC the ldap path to the AIA certificate is fine and able to download the cert. But the ldap path to the CDP is listed as "unable to download". I checked the path with ADSI Edit and ldp. The path is correct.

Not sure how to fix this issue. Any help or insight is much appreciated.

Joel


Win2008R2 IIS7.5 multiple SSL certificates


We have one IIS website that has multiple bindings. Is it possible to have multiple SSL certificates on the one IIS website bound to 443?

e.g. an https binding with the SSL certificate for www.companya.com, another https binding with the www.companyb.com certificate, and a third https binding with the *.company3.com wildcard certificate.

Thank you


JK

"Everyone" can view the Event Viewer of the DCs


Hi TechNet Members

I'm here to ask a big and risky question.

Everyone in my org can view, scroll down and up anytime, and check the whole Event Viewer of the DCs.

It's so risky, and for security reasons I just wanted to know if there is a way to control the permissions.

Thanks, 

Interop with *nix systems in corporate enterprise


Hello experts,

Does anyone know of a working (maintained) solution to enable SSH between *nix and Windows servers? I've seen examples of OpenSSH and/or Cygwin (stand-alone) implementations, but not one that has any enterprise management framework. I realize that certificates could be a future solution here, but the first step, integrating with the existing SSH key management solution, would help foster that initiative. Any info that you can pass along would be greatly appreciated.

Smart card logon not working until I disable revocation check


Hello-

I have Server 2008 R2 (not running in native 2008 mode yet), have Certificate Services installed on a DC, and have imported all the proper certificates into the store. The server uses the Axway (Tumbleweed) validator, and the validator is pointed to a working web server that can serve up the CRLs. The CRLs show up fine in IE and can be opened. The test in Axway works fine.

I try to log on with Windows 7 and get "The revocation status of the smart card certificate used for authentication could not be determined."

First, do I need Axway on my Windows 7 machine? I am not a pro with PKI, so any insight would really be helpful. What could be wrong?

...Alan

Configure Cisco ASA - Microsoft CA Certificates


Hi All,

We have a Cisco ASA and a Windows 2008 R2 certificate authority. We require our Cisco VPN client users to have a user certificate installed on their remote PCs to authenticate with the Cisco ASA.

How do we set up High Availability for my CA? Our CA is running on our DC; will that cause any issues?

We currently use this CA for Exchange.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100413-asavpnclient-ca.html

AS

The parameter is incorrect. 0x80070057 (WIN32: 87)


Hi,

I built a two-tier PKI based on this guide: http://social.technet.microsoft.com/wiki/contents/articles/15037.step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

I set "AlternateSignatureAlgorithm" to 0 on both the root and intermediate CA, as I have XP and 2003 clients.

After the Intermediate CA installation, I have a lot of failed requests:

My current user is a member of the Enterprise Admins group, and it seems like it's failing on getting the CA Exchange certificate. The command 'certutil -cainfo xchg' gives the following:

CertUtil: -CAInfo command FAILED: 0x80070057 (WIN32: 87)
CertUtil: The parameter is incorrect.

If I try to issue the failed request, I get 'The requested property value is empty 0x80094004'.

The command 'certutil -dump' gives the right information, the 'Flags' property is set to 13.

Is there anyone who can help me troubleshoot this?

ADCS Certification Authority Web Enrollment - HTTP Error 403.14 - Forbidden


Hi,

I have set up the role service 'Certification Authority Web Enrollment' on the same server hosting the 'Certification Authority' role service. When I try to access the page through the URL http://localhost/certsrv, I get the error: HTTP Error 403.14 - Forbidden

I noticed the web application is mapped to "C:\Windows\System32\certsrv" in IIS but the real site, with the 'default.asp' file, is located in "C:\Windows\System32\certsrv\en-US".

If I try to access the website with the URL "http://localhost/certsrv/en-US" or "http://localhost/certsrv/en-US/default.asp", it works, but I have to bind an SSL certificate on port 443 myself to be able to request a certificate (as it requires HTTPS).

Actually, all my issues are described on this page:

http://www.cosonok.com/2014/05/2008r2-adcscawe-fixing-error-default.html

I would like to know if anyone around here has encountered the same issue(s) and if there is any Microsoft KB on this (I can't find anything on this).

Server 2008 and MS Access 2007 Scheduled Task


I have a Server 2008 with MS Access 2007 installed.

I created a task that is designed to launch Access, open a designated database, and run a macro. The macro calls a function within the database that generates a series of reports in PDF format for use in a web app. The task was created to run as a local user, with credentials stored. This whole process has been running fine for many months. A recent group policy change has caused this to now stop.

The GP now states that user credentials can no longer be stored. I changed the task so that it runs as SYSTEM, but this is not working either. It seems Access is launching as SYSTEM (I can see this in the Task Manager), but it does not seem to open my database, since no .ldb is being created. I also added logging code to my function and nothing ever gets in there. I think the issue is that there is no profile for SYSTEM, so when Access starts running it's looking to build a profile for that user.

Does anyone know how I can make this work?

Can Exchange distribution lists be used for folder security


Hello,

Is it possible to use Exchange distribution lists as folder security on a Windows file server?

The advantage would be that only the distribution list would need to be updated in order to change folder security.

Regards

Erwin

Server 2012 Three Tier PKI Deployment


Hi

I've been test building this on the bench prior to deployment.

I have;

1x Offline Root CA
1x Online Intermediate Subordinate Enterprise CA
2x Issuing Enterprise Subordinate Enterprise CAs
1x Issuing Enterprise Subordinate Enterprise CA (will be in a trusted domain in the DMZ, seeded from the Intermediate)
1x Web server providing CRL/AIA/OCSP

I've got it all up and working, but if I look in the Enterprise PKI console I've got an error on my Offline Root.

Fair enough, I've checked in ADSI Edit and that path does not exist (probably because it's an offline root CA and not a domain member!).

I'm pretty certain that it's there because, post setup, I ran the following commands on the root CA:

Certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.group.homeg.com/pki/%1_%3%4.crt"

Certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.group.homeg.com/pki/%3%8%9.crl"

I'm assuming the second command above is the cause of the problem? (please confirm).

So my question is, should I NOT have done that (had the ldap path in the CDP locations)? Or should it be there, and the error is normal and safe to ignore? If it should NOT have been there, what is the correct syntax that I should have used?

Regards,

Pete

www.petenetlive.com 


Regards Pete Long http://www.petenetlive.com

Applying security to folder according to its username


Hello dear gurus. I have a question. I couldn't find anything on the web.

So I have about 600+ folders. Each folder corresponds to a username in the domain to whom I must grant access to it.

For example: within "Share" folder I have below listed folders

  • John Smith
  • Will Smith
  • Sundra Bullock
  • Mark Whalberg

So, John Smith must be able to see only what is within the "John Smith" folder, and when he double-clicks any other folder an "Access denied" error message must appear. The same for Will Smith, the same for Sundra Bullock, and the same for all 600+ folders.

Is it possible to do?


Decommissioning of CA server and Recommission of ADCS


Hi All,

Recently I had to upgrade my old Windows 2003 server with FSMO roles to Windows 2008 R2 while retaining the hostname and IP address of the old server. I have transferred the FSMO roles to another Win2k8 R2 server. The old Windows 2003 server had the CA service installed. I reviewed the certificate stores and found out that all the certificates had expired and there hadn't been any new pending request for a month, so I decided to remove Certificate Services from the old Windows 2003 server and not install any CS on the Win2k8 R2 server.

I used a combination of the following guides

1. http://technet.microsoft.com/en-us/library/ee126170%28v=ws.10%29.aspx

2. http://support.microsoft.com/kb/555151

This morning, my boss informed me that he wants to use LDAP over SSL and wants me to set up ADCS in the forest.

Questions:

1. Can I install a new ADCS in my current forest on the same server, using the same hostname and IP? What are the steps to do this?

2. Before I removed Certificate Services from the old DC, I did a backup of the database and config. Is that of any use to me? Can I restore the data back?

3. Is there any other way to enable LDAP over SSL?

4. Assuming in the future I have to upgrade all the DCs from Win2k8 R2 to Win12, for the DCs with Certificate Services, do I have to go through the migration process again (the steps to remove the CS are lengthy and troublesome)?

5. Can ADCS be installed on a member server running Win2k8 R2, as DC demotion cannot happen until the ADCS service is removed or migrated from that server?

Hope someone can advise me on this.

Thanks & Regards.

ADCS: Export public certificates from CA database using certutil


I need to export a large quantity of users' public certificates from the CA database. I don't want private keys, just the certs. Either Base64 or DER is fine. Is it possible to do this with certutil? If not, what other options do I have? These certs are published to the users' AD profiles. I am not a domain admin, but I can reach out to that group if need be.

My CA is running on WS2008 SP2.

Thanks in advance.


Failure reasons eg: 2313 in ID 4625


Hello

Do you have the list with descriptions of failure reasons, e.g. %%2313, %%2307...? I've searched the Net and found nothing. :(

Mainly I see them in event ID 4625.

Thank you in advance for your help!

Damiano

Windows Server 2012 R2 "The password is incorrect. Try again."


Hi,

I tried to log in to my Windows Server 2012 R2 and I got this message: "The password is incorrect. Try again." Although the username and password are absolutely correct.

Any thoughts? Thanks.


Error code: Windows Firewall can't change some of your settings, error code 0x80070437

Does Event 4662 replicate to other DCs?


We have an application that uses LDAP to authenticate against AD. The application talks to a single hostname in DNS that contains all of our domain controllers. Each DC is then accessed via round robin.

A few times a day (and slowly increasing in occurrence) we see errors in the app that suggest the LDAP client is unable to "bind".

As far as we can tell, the only thing the end user sees is "unknown username or bad password"; when they type their password again they get in just fine. We are worried, however, that this is indicative of a larger problem, and we want to fully understand what is happening should this problem ever grow to the point where users actually notice. Our big question is that we don't know if the root of the problem is with our AD environment or with our application. Who's at fault for failing to complete the LDAP bind? Where do I need to focus my efforts?

We can correlate the LDAP bind errors with Event 4662 Failure events in AD (yes, event 4662 can be useful!). The Subject is the LDAP service account and the Object is the ID attempting to log on. The Access is Control Access. What has us baffled is that for each bind failure we see on our application, we see the 4662 event on ALL of our domain controllers! These 4662 events continue for about 30 seconds.

In trying to understand this problem better, I would like to know if the application is actually contacting each DC over and over for 30 seconds, OR is the app only talking to one DC, getting a bind error, and the 4662 events associated with this issue are simply being replicated to all of the other DCs?

Thank you for your help!

Matt

OK icacls command that should work but doesn't.


icacls "c:\windows\system32\spool\PRINTERS" /grant administrators:(IO)(CI)(OI)F /t 

When some of my systems go to print a PDF, the spooler just locks up. I can't control what type of PDF files are coming in, as they are made by all kinds of software, and so the problems begin. I have been working on a batch file that will stop the spooler service if it hasn't already stopped, then run the above command to grant rights to the indicated directory so that the offending files can be deleted from the spooler, and restart the spooler service after that has happened. The reason for this is that by default a user can't go in and delete the files. I believe that I have the command correct, and it used to work fine in Windows XP and Windows 7, but I can't see why it doesn't work in Windows 8.

Here is the batch file.  Please tell me what I have wrong in it.

rem Stop the print spooler so the queued spool files are no longer locked
net stop spooler
timeout /t 3 /nobreak
rem Grant Administrators full control over the spool folder tree
icacls "c:\windows\system32\spool\PRINTERS" /grant administrators:(IO)(CI)(OI)F /t
rem Delete the stuck spool files (.spl / .shd)
c:
cd \windows\system32\spool\PRINTERS
del *.s*
timeout /t 3
rem Bring the spooler back up
net start spooler
exit
