
Certificate Authority is not being seen by windows server 2003 machines


Good Afternoon,

We recently installed a certificate authority using Windows Server 2008 R2. There was an old certificate authority that had gone bad, and the role could not be uninstalled on the bad server. The new certificate authority works with Windows 2008 machines but does not work with Server 2003 machines. Mainly I am trying to get the domain controller certificate. At first it was stating that the RPC was unavailable for the CA. I tried to delete the remnants under the Sites and Services role of the old server. The error now states that it cannot find a certificate authority. As stated above, the newer machines (Server 2008) can see the certificate authority and request certificates, but older machines can't. Any assistance on what to do next will be greatly appreciated. Attached is the error I receive when trying to request a certificate through the CA MMC.


dmg


Windows Server 2012 R2 robocopy not copying inherited directory permission from source file server to destination ?


Can anyone here please help me with Robocopy on Windows Server 2012 R2 to copy the file server content from the \\OldFileServer\Data share into the local S:\Data drive?

Here's the script that I use to copy 11 TB of file server contents:

robocopy.exe "\\OLDFILESERVER\Data" S:\Data *.* /E /SECFIX /SEC /XO /ZB /COPYALL /MIR /DCOPY:DAT /R:0 /W:0 /NP /NFL /NDL /TEE /LOG:"G:\robocopy.log"

Any kind of help and assistance would be greatly appreciated.

Thanks


/* Server Support Specialist */
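A way to see where the copied tree's permissions diverge from the source, as an added example (PowerShell, not from the post above): it walks the source folders, compares each one's DACL, owner and "inheritance disabled" flag with the matching destination folder, and prints the ACEs missing or extra on the destination. The source share and destination drive are the ones named in the post; the script assumes PowerShell 3.0 or later and read access to both trees.

```powershell
# Added example (not from the original post): walk the folder tree of a robocopy
# source and destination and report every folder whose DACL differs, including
# the "inheritance disabled" flag. Paths are the post's share and drive.
param(
    [string]$Source      = '\\OLDFILESERVER\Data',
    [string]$Destination = 'S:\Data'
)

# One sortable string per ACE, plus owner and the protected-DACL flag.
function Get-AclSummary {
    param([string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $aces = @($acl.Access | ForEach-Object {
        '{0}|{1}|{2}|inherited={3}|{4}' -f $_.IdentityReference, $_.FileSystemRights,
            $_.AccessControlType, $_.IsInherited, $_.InheritanceFlags
    } | Sort-Object)
    [pscustomobject]@{
        Path      = $Path
        Owner     = $acl.Owner
        Protected = $acl.AreAccessRulesProtected   # $true = "disable inheritance" is set
        Aces      = $aces
    }
}

function Compare-FolderAcl {
    param([string]$SourcePath, [string]$DestinationPath, [string]$Label)
    $src = Get-AclSummary $SourcePath
    $dst = Get-AclSummary $DestinationPath
    $missing = @($src.Aces | Where-Object { $dst.Aces -notcontains $_ })
    $extra   = @($dst.Aces | Where-Object { $src.Aces -notcontains $_ })
    if ($src.Protected -ne $dst.Protected -or $src.Owner -ne $dst.Owner -or $missing -or $extra) {
        [pscustomobject]@{
            Folder          = $Label
            SourceProtected = $src.Protected
            DestProtected   = $dst.Protected
            SourceOwner     = $src.Owner
            DestOwner       = $dst.Owner
            MissingOnDest   = $missing
            ExtraOnDest     = $extra
        }
    }
}

# The root first: ACEs the source root inherits from its own parent have no
# counterpart above the destination root, so that is where mismatches start.
Compare-FolderAcl $Source $Destination '<root>'
Get-ChildItem -LiteralPath $Source -Directory -Recurse | ForEach-Object {
    $relative = $_.FullName.Substring($Source.Length).TrimStart('\')
    $destPath = Join-Path $Destination $relative
    if (Test-Path -LiteralPath $destPath) {
        Compare-FolderAcl $_.FullName $destPath $relative
    } else {
        [pscustomobject]@{ Folder = $relative; MissingOnDest = 'folder not copied' }
    }
}
```

Run it after the robocopy pass; an ACE that shows up as "inherited=True" on the source but is listed under MissingOnDest is one the destination parent does not grant, which is the symptom the post describes.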

IKEv2 VPN Certificate Problem


We have deployed a strongSwan based IPsec VPN on our premises that uses certificate authentication. It works great with all OSs except Windows. When trying to connect to the VPN we get Error 798: A certificate..... The user certificate contains the Client Authentication EKU and under SAN it has a UPN field.

The VPN is IKEv2 with MOBIKE and we want User authentication, not machine authentication (we use EAP-TLS).

The CA runs Hardened Gentoo with OpenSSL 1.0.0e

I have included a link to my certificate (public part only)

it's at rghost(dot)net(slash)56905698



This security ID may not be assigned as the owner of this object


I want to set owner for the file and I get the following error.

This security ID may not be assigned as the owner of this object

account locked out from RD server when no session is open?


Windows 2008R2 DCs, two in one site, one in another

Windows 2008 functional level

I've had two instances in the past week where users, several hours after changing their passwords, had their accounts locked out.  I used LockoutStatus to track down the DC where the event 4740/lockout happened, and then read the calling workstation from there.  In both cases, the user didn't have any active or idle session on the remote desktop server where the lock was being generated.  I checked further with Process Explorer and I couldn't even find any processes running in their user context.

I would unlock the account, and in under a minute, there would be six bad password attempts (our GP setting) and the account would be locked out.  I could repeat this process indefinitely.

In both instances, when I rebooted the RD VM, the issue went away and didn't return.  In one case that was somewhat disruptive as it was an application server.  In the second case it was a domain controller and had no user impact.

I've seen this before when a user has an orphaned RD session idle for months, or with badly behaved applications, but this seeming dissociation from any active user process is really odd.

LockoutStatus always shows the lastPasswordSet timestamp in sync, replication occurs within fifteen minutes, and repadmin shows me both the expected topology and no errors.

I'm at a total loss.  What more can I check for?
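One way to take the investigation above one step further, as an added example (PowerShell, not from the post): it reads the 4740 lockout events from the DC that LockoutStatus pointed at, takes the caller computer name each one carries, and then pulls the 4625 logon failures for the same account from that caller, so the logon type and the process that submitted the stale password are visible. The DC name and look-back window are placeholders; the script assumes PowerShell 3.0 or later and remote event log access to both hosts.

```powershell
# Added example (not from the original post): correlate a 4740 lockout recorded
# on a DC with the 4625 logon failures on the caller computer it names, so the
# logon type and process behind the bad-password stream can be seen.
param(
    [string]$LockoutDC = 'DC1',   # assumed placeholder: the DC LockoutStatus pointed at
    [int]$Hours = 24
)

# Turn the <EventData> of a Security event into a name -> value hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $data
}

$since = (Get-Date).AddHours(-$Hours)

# 4740 "A user account was locked out": TargetUserName is the account and
# TargetDomainName carries the caller computer name.
$lockouts = Get-WinEvent -ComputerName $LockoutDC -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertFrom-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; Caller = $d['TargetDomainName'] }
}

foreach ($l in $lockouts) {
    "{0}  {1} locked out, caller computer {2}" -f $l.Time, $l.User, $l.Caller

    # 4625 on the caller: LogonType 2/10 = interactive or RDP, 3 = network,
    # 4 = batch (scheduled task), 5 = service, 7 = unlock. SubStatus 0xC000006A
    # is "bad password"; ProcessName shows what submitted the credentials.
    Get-WinEvent -ComputerName $l.Caller -FilterHashtable @{
        LogName = 'Security'; Id = 4625
        StartTime = $l.Time.AddMinutes(-10); EndTime = $l.Time.AddMinutes(1)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d['TargetUserName'] -eq $l.User) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $d['LogonType']
                SubStatus   = $d['SubStatus']
                Process     = $d['ProcessName']
                Workstation = $d['WorkstationName']
                SourceIp    = $d['IpAddress']
            }
        }
    } | Format-Table -AutoSize
}
```

A run of failures with LogonType 4 or 5 and no interactive session points at a scheduled task or service holding the old credential; if the caller authenticates the account against the DC over Kerberos instead, the failures appear on the DC as 4771 rather than as 4625 on the caller, and the Id filter in the second query changes accordingly.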

Lost all permissions in Windows Server 2012


I installed a new server for a client 3 months ago. The new server runs Windows Server 2012 Standard. Everything was fine until randomly I could not open the Chrome icon on the taskbar. The error said the following: "windows cannot access the specified device path or file. you may not have the appropriate permission"

I tried to use the control panel but got the same error. I can, however, using the Classic Shell start menu, right-click on Control Panel and click Open to get to it. If using the start menu I click on Control Panel, the little window extends and says "empty". Of note, I uninstalled Classic Shell to no avail.

Trying to run sfc /scannow generates the following error "Windows Resource Protection could not perform the requested operation"

I also cannot open the hosts file, access denied.  I changed ownership and granted all access, still nothing.

In the notification area, the network icon has a red x and says "Connection Status: Unknown" yet internet and network access is uninhibited.

Using the "subinacl /subdirectories c:\*.* /grant=administrator" changed nothing.

I decided to disable UAC via registry key after which I rebooted and could no longer login.  I received the following error: "The sign-in method you're trying to use isn't allowed.  For more info, contact your network administrator."

In response I attempted to run gpedit and I went to Computer Configuration > Security Settings > Local Policies > User Rights Assignment and checked the Deny log on locally settings. Only SBS Remote Operators, SBS STS Worker, and Support_38945a0 were listed, none of which are groups that the administrator is a member of. Also, this led to the discovery that all settings within gpedit are grayed out and cannot be changed.

To fix it, I logged in as another user and removed the administrator from the Domain Power Users group, which fixed the login issue. I am unable to perform Windows updates. There is no virus or malware detected by Trend Micro, RogueKiller, TDSSKiller, MalwareBytes, or RKill.

CCleaner did not fix it.

PLEASE HELP!!!


Active Directory Certificate Services setup failed with the following error: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)


Hi,

I am trying to install certificate services on a Windows 2008 server (R2 ENT SP1) with a PCIe nCipher HSM module installed on it. The version of the nCipher SW is 11.30. It is a RootCA, and I am trying to use a key that is already stored in the HSM (I have done this before with a PCI HSM (older HW version)). I select “Use existing private key” and “Select an existing private key on this computer” in the wizard, then I change the CSP to nCipher and click on "search"; the key I am looking for appears and I select that one. I repeat, I have done this before and it works with a PCI HSM module.

The installation is finished before being prompted to insert the operator cards, and it ends with two errors:

<Error>: Active Directory Certificate Services setup failed with the following error: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)

And:

<Error>: Active Directory Certificate Services setup failed with the following error: The group or resource is not in the correct state to perform the requested operation. 0x8007139f (WIN32: 5023)

The servermanager.log says:

1856: 2014-07-23 18:27:48.195 [CAManager]                 Sync: Validity period units: Years
1856: 2014-07-23 18:27:48.928 [Provider] Error (Id=0) System.Runtime.InteropServices.COMException (0x800703E5): CCertSrvSetup::Install: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)
   at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.Install()
   at Microsoft.Windows.ServerManager.CertificateServer.CertificateServerRoleProvider.Configure(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
1856: 2014-07-23 18:27:48.928 [Provider]                  CAErrorID: 0, CAErrorString: 'Active Directory Certificate Services setup failed with the following error:  Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)'
1856: 2014-07-23 18:27:48.928 [Provider]                  Adding error message.
1856: 2014-07-23 18:27:48.928 [Provider]                  [STAT] For 'Certification Authority':

And:

1856: 2014-07-23 18:27:49.053 [CAWebProxyManager]         Sync: Initializing defaults
1856: 2014-07-23 18:27:49.162 [Provider] Error (Id=0) System.Runtime.InteropServices.COMException (0x8007139F): CCertSrvSetup::Install: The group or resource is not in the correct state to perform the requested operation. 0x8007139f (WIN32: 5023)
   at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.Install()
   at Microsoft.Windows.ServerManager.CertificateServer.CertificateServerRoleProvider.Configure(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
1856: 2014-07-23 18:27:49.162 [Provider]                  CAErrorID: 0, CAErrorString: 'Active Directory Certificate Services setup failed with the following error:  The group or resource is not in the correct state to perform the requested operation. 0x8007139f (WIN32: 5023)'
1856: 2014-07-23 18:27:49.162 [Provider]                  Adding error message.

Has anyone experienced this before? Am I missing something here?

Any help will be very much appreciated

Thanks in advance

Best regards


Alejandro Lozano Villanueva


Error after SSL Certificate update


I updated the SSL certificate on a Win2003 SP2 server with IIS6.0

The initial certificate was a single-URL certificate and is replaced by a wildcard one.

After installing the certificate (and its CA chain) using the MMC, I changed the certificate in IIS and configured the SSL binding using "cscript.exe adsutil.vbs".

The result is an SSL ERROR.

The CA chain and the certificate are two CRT files.

Here is the result of the "certutil.exe -store my" command:

C:\Documents and Settings\Administrateur.W2K79>certutil -store my
================ Certificat 0 ================
Numéro de série : 4899717f3b1ba89dedb7c472d575cb01
Émetteur: CN=Thawte SSL CA, O=Thawte, Inc., C=US
Objet: CN=*.bourgenbresse.fr, OU=Collectivite, O=COMMUNE DE BOURG EN BRESSE, L=B
OURG EN BRESSE, S=Ain, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1): eb 03 df 43 a8 03 e5 5f b1 52 fc e7 5b a9 0b 0c 19 2a 15 8a
Aucune information sur le fournisseur de clé
Pas de propriétés pour le jeu de clé dans le magasin

================ Certificat 1 ================
Numéro de série : 023fcc
Émetteur: CN=GeoTrust DV SSL CA, OU=Domain Validated SSL, O=GeoTrust Inc., C=US
Objet: CN=www.portailenfance.bourgenbresse.fr, OU=Domain Control Validated - Qui
ckSSL(R) Premium, OU=See www.geotrust.com/resources/cps (c)11, OU=GT68088061, O=
www.portailenfance.bourgenbresse.fr, C=FR, SERIALNUMBER=R2RJ3sRPOrW0Q3XZYvvpcP05
TqodNAru
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1): 12 49 a6 95 9a 67 05 86 d9 a3 64 cb a7 a7 78 ee 6c eb 94 52
  Conteneur de clé = cecd6bee4621365b6e763b9bfcd773cf_b3f7eefb-5c14-4333-a5bb-29
d40b271698
  Fournisseur = Microsoft RSA SChannel Cryptographic Provider
Succès du test de cryptage
CertUtil: -store La commande s'est terminée correctement.


Please help !
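A check that reads the same store the certutil output above comes from, as an added example (PowerShell, not from the post): it lists every certificate in the machine's personal store with its EKUs and whether a private key is attached, which is the property that decides whether IIS can bind the certificate. It is written against .NET 2.0 and PowerShell 2.0 so it also runs on a Server 2003 host; the function name is the example's own.

```powershell
# Added example (not from the original post): list the certificates in the
# machine's personal store and flag those with no private key attached.
# Written for PowerShell 2.0 / .NET 2.0 so it runs on a Server 2003 host too.
function Get-ServerCertState {
    param([string]$StoreLocation = 'LocalMachine')
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', $StoreLocation
    $store.Open('ReadOnly')
    try {
        foreach ($c in $store.Certificates) {
            # Collect the Enhanced Key Usage names (OID 2.5.29.37), if present.
            $eku = @()
            foreach ($ext in $c.Extensions) {
                if ($ext.Oid.Value -eq '2.5.29.37') {
                    foreach ($oid in $ext.EnhancedKeyUsages) { $eku += $oid.FriendlyName }
                }
            }
            New-Object PSObject -Property @{
                Subject       = $c.Subject
                Issuer        = $c.Issuer
                NotAfter      = $c.NotAfter
                Thumbprint    = $c.Thumbprint
                HasPrivateKey = $c.HasPrivateKey   # $false: no key, so no SSL binding possible
                EKU           = ($eku -join ', ')
            }
        }
    } finally {
        $store.Close()
    }
}

Get-ServerCertState | Sort-Object HasPrivateKey |
    Format-Table Subject, HasPrivateKey, EKU, NotAfter -AutoSize
```

A certificate imported from a bare .crt file shows HasPrivateKey = False, which matches a certutil entry that reports no key provider information. When the key pair was generated on the same machine, "certutil -repairstore my <serial number>" relinks the certificate to its key container; otherwise the certificate has to be imported from a PFX that carries the key.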



Using TLS 1.1 and AES-256-CBC in IIS 7.5 results in error


We're using IIS 7.5 with Windows Server 2008 and there appears to be a known bug in IIS 7.5 where, when using TLS 1.1 with AES-256-CBC, the server accepts connections and seems to accept uploaded files; however, after a file is uploaded, it responds with the error "550 The supplied message is incomplete. The signature was not verified" and deletes the file. The problem seems to be:

"At the end of a TLS session, the party wishing to close the connection must send a closure alert over the encrypted channel.  This is needed to distinguish between an orderly end of the session and an attacker dropping connections...Upon seeing the closure alert, it fails the transfer with "550 The supplied message is incomplete.  The signature was not verified." and deletes the complete file."

ref ( https://forum.filezilla-project.org/viewtopic.php?f=2&t=27898&start=120 ).  Apparently there is a hotfix for Windows 8.1 and Server 2012 to address this: ( http://support.microsoft.com/kb/2888853 ).

Apparently there is a workaround to put an RC4 algorithm at the top of the list so it will be chosen, but we have a strict requirement to use AES-256-CBC.

Everything works fine with TLS 1.0 and AES-256, but we also have the requirement to use TLS 1.1.

Does anyone know if Microsoft has a fix for Windows 2008 or some "workaround" to enable us to use the IIS 7.5 FTPS server with TLS 1.1 and AES-256-CBC algorithm?

Thanks.
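The workaround mentioned above works by changing which cipher suite SChannel prefers, so the useful check is to see what the server is actually configured to offer. The following is an added example (PowerShell, not from the post): it reads the per-protocol Enabled/DisabledByDefault switches and the configured cipher suite order from the documented SChannel registry locations. It assumes PowerShell 3.0 or later; where a value is absent, the OS default applies and the script says so.

```powershell
# Added example (not from the original post): show the SChannel protocol
# switches and the configured cipher suite order for this server.
function Get-SchannelProtocolState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key   = Join-Path $base "$proto\$side"
            $props = if (Test-Path $key) { Get-ItemProperty $key } else { $null }
            $enabled  = 'default'
            $disabled = 'default'
            if ($props -and $props.PSObject.Properties['Enabled'])           { $enabled  = $props.Enabled }
            if ($props -and $props.PSObject.Properties['DisabledByDefault']) { $disabled = $props.DisabledByDefault }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabled
            }
        }
    }
}

function Get-CipherSuiteOrder {
    # Group Policy "SSL Cipher Suite Order" writes a comma-separated REG_SZ here;
    # the local (non-policy) key keeps a REG_MULTI_SZ. Neither present = OS default order.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002',
            'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    foreach ($key in $keys) {
        if (Test-Path $key) {
            $v = (Get-ItemProperty $key).Functions
            if ($v) {
                $list = if ($v -is [array]) { $v } else { $v -split ',' }
                return [pscustomobject]@{ Source = $key; Order = $list }
            }
        }
    }
    [pscustomobject]@{ Source = 'OS default'; Order = @() }
}

Get-SchannelProtocolState | Format-Table -AutoSize
$order = Get-CipherSuiteOrder
"Cipher suite order from: {0}" -f $order.Source
$order.Order | ForEach-Object { "  $_" }
```

Suite names in the order list that start with TLS_RSA_WITH_AES_256_CBC_SHA are the AES-256-CBC suites the post requires; if an RC4 suite sits above them, that is the workaround the post refers to, and it weakens the connection for every client, which is why the post's requirement to keep AES-256-CBC matters.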

Proper Steps to Build CA with new CN


Hey all,

I have been pretty busy latly, but I'm ready to take on this CA rebuild plan.

Here's the scenario we currently have a Root (Enterprise) CA that hosts most of your certificates internally, on our Edge server we use verifisign certs, so I'm not to worried there.

I want to sort of follow this, but I want to have a new Common Name, and as shown in the comments this has to be done via building a CA from scratch.

So I built a test enviro and sure enough I removed the CA role from the initial CA, and built it  anew on a fresh built Server 2008 R2 server. After rebuilding I can see the New Root CA Cert being installed on workstations machines, I was even able to request new certs on Lync 2013 server and reassign without issue, on a new sha1RSA based certs. This is good. I also noted that when viewing a workstations users personal cert store that a cert was there signed by the CA with the user SIP address.. I believe this is what was causing the events to populate on my Lync Server. (see below)

I'm concerned about other services while now I think of it I don't see what else this would disrupt since most third party appliances/services run usually do so with self signed certs (I plan to change this to get them hopefully to run of certs signed by this new CA).

The main reason for this is cause I get Events on my Lync Server "GetnPublish Web Service" events which research led me to one technet fourm where it was determined to be due by a bad CA setup, Lync requires sha1RSA, and we were using sha1DSA.

Now in my production enviro I have not removed the CA role from the current CA that is signing Certs using sha1DSA, and I'm runnign the CA role installment on the new server to see what the options are, I get up to type and I can select the option of a Root CA... how does this work when theres already a Root CA configured?

element not found when duplicating "Basic EFS" template


I've been trying to duplicate the Basic EFS template as either a Windows 2003 or 2008 template, and every time I use the new template via GPO to encrypt (EFS) any files/folders, I keep getting the "Element Not Found" error. I've looked all over the event logs and cannot find any errors that will point me in the right direction to troubleshoot this issue. I noticed it will only work if I use the Basic EFS template. I've Googled and have found several forum posts that state to duplicate the Basic EFS template as a Windows 2003 template to fix this problem, but I'm still getting the same error. Any help is appreciated.

Thank you.


CA autoenroll not working


Hi,

I'm having a hard time finding a solution to my problem. First of all, a bit of background to get the bigger picture about what I'm doing.

I have 3 domain controllers: 2x Windows Server 2003 R2 SP2 (AD1, AD2) and 1x Windows Server 2012 (AD3). The PDC and all FSMO roles are on Windows Server 2003 R2. The migration process to Server 2012 is my next mission after getting PKI to work.

I have 3 CA servers (Offline Root CA, non-domain; Issuing CA, domain; Revocation CA/OCSP, domain). All Server 2012.

The problem is that autoenrollment for computer and user is turned on and from rsop I can see that the GPO is working. But what is happening is that when I use gpupdate /force (or restart), no certificate is requested. At the same time, when I'm using mmc and request a certificate manually, everything is working and the certificate is requested. I have tried to turn off all the firewalls on all the computers. I can't see any denial from the Cisco firewall, so all the traffic is allowed. From the client computer I have tried certutil -pulse but to no use. Event Viewer is showing me:

Certificate enrollment for DOMAIN\user is successfully authenticated by policy server EVENT ID 65
Certificate enrollment for DOMAIN\user successfully load policy from policy server EVENT ID 64

I have done the same thing and policy in many organisations and everything is working like a charm. Now I don't understand what is wrong or what I am missing. Is there anything I can do to monitor what is wrong?

Any help would be appreciated,

Taavi

Allow a windows non-administrator user to run cmd.exe as administrator without sharing administrator password with the user

I have standalone Windows 2003 and 2008 Oracle database servers (they are not in a Windows domain environment). The Oracle DBAs can perform all their routine activities from the command line with administrator privileges. For this I've to either share the administrator user password with the Oracle DBAs or add their Windows login user to the Administrators group. If I can give the DBA user permission to run the Windows command prompt without sharing the administrator password, I can give them non-administrator login access to the Windows 2003/2008 server. Normally when a non-administrator user tries to run a program as administrator on Windows 2008, the user is prompted to input an administrator username/password. Is it possible to give a non-admin user access to run a program/application (cmd.exe in this case) on Windows 2003/2008 without sharing administrator credentials with them?

Microsoft Navision issue


Hi Navision Expert,

We are running Navision 2013 R2. We would like to export data from the Navision database into Hyperion. However, no matter how we export into a certain folder in Windows, we always have an access denied issue. It looks like a permission issue; however, after we checked, we have logged in as a domain admin. Our server is using Windows Server 2008 R2.

Please advise.

Thanks so much.

Regards,

H

Error message while launching certsrv.msc (certificate services)


Hi All,

I am getting the below error message frequently whenever launching the Windows 2008 certificate services. I had closed and logged off from all the available user profiles and tried to launch after some time, still no joy. I am restarting the CA services currently to resolve it. Is there any patch available to fix this? Kindly help, thanks.

Illegal operation attempted on a registry key that has been marked for deletion. 0x800703fa(WIN32:1018)


ECC algorithm support with brainpoolP256r1 curve in ADCS 2012 R2?


Is there support for the ECC curve brainpoolP256r1 in ADCS 2012 R2 or in any other version of Microsoft Certificate Services?

If it's not supported by the default CNG algorithms (Suite B) in Windows, then: is it possible to use a 3rd-party HSM with support for the required algorithms and curves (i.e. Thales netHSM) together with ADCS for issuing Root (Standalone) CA, Enterprise CA or end-user certificates? Actually, this is our final goal.

Another possibly related issue: if we manage to generate keys and to issue certificates using the ECC brainpoolP256r1 curve, then what about the client side: will end-users be able to use such certificates? According to this article (http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations), the brainpoolP256r1 curve is not supported by Windows clients.

These curves are defined by ETSI TS 102 176-1 (http://www.etsi.org/deliver/etsi_ts/102100_102199/10217601/02.00.00_60/ts_10217601v020000p.pdf) and described in: OID {1(iso) 3(identified organization) 36(teletrust) 3(algorithm) 3(signature algorithm) 2(ecSign) 8(ecStdCurvesAndGeneration)} (https://www.teletrust.de/fileadmin/files/oid/oid_ECC-Brainpool-Standard-curves-V1.pdf).

There is growing demand in the European Union for Qualified CAs to be compatible not with US standards (approved by the NSA), but with EU standards. It may be related to the latest security issues (especially using ECC algorithms approved by the NSA).

So, the main questions are:

  1. Is it possible to use the brainpoolP256r1 ECC curve in ADCS?
  2. Will such certificates be supported on Windows client devices?

CRL and delta CRL generation schedule not fixed (CS 2008 R2 and CS 2003 R2)


CRL and delta CRL is generated daily at the same time in test environment (sometimes offset may be about 1 minute).

Delta CRL generation statistics (effective date) in production environment :
2014.07.12 23:01
2014.07.14 00:00
2014.07.15 00:43
2014.07.16 01:22
2014.07.17 01:59
2014.07.18 03:10
2014.07.19 03:48

One can see that the delta CRL generation time is constantly shifting, and it's not the same as the time period when the delta CRL is being generated. Delta CRL validity is 1 day, so it should be generated each day at the same time. CRL size is about 10MB, delta CRL size is about 0,5 MB. Delta CRL generation time is about 1,5 H.

Question: is it possible to fix the CRL and delta CRL generation time (make it constant), using standard ADCS tools/settings? Role separation is used in the solution, therefore it's not safe to run a daily task (with CA administrator's permissions) to force the publishing time in the CA registry (if that's possible at all?), or a similar "workaround".

SID lookup for S-1-18-1 (AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY) fails on Windows 2008 R2


I understand Windows 2008 R2 does not support the new SID S-1-18-1, but I have an issue where the Symantec Mail Security 7.0 console searches all group memberships for the logged-on user when launching, and fails due to this new SID not resolving.

My environment:
Windows Server 2012 native AD
Windows Server 2008 R2, Exchange Server 2010 SP2, with Symantec Mail Security 7.0
Windows 8 client

The Mail Security console on the Exchange Server cannot launch, due to Windows 2008 R2 not being able to convert the SID S-1-18-1.

My workaround is to use the Mail Security console on Windows 8, which launches fine, as Windows 8 can convert the SID. But I have no access to Quarantine, as it's local to the Exchange Server, so it's not good as a workaround.

Any ideas on getting the console to launch on Windows 2008 R2, or viewing the remote Quarantine?

NOTE: I cannot migrate Exchange or move it onto Windows 2012, due to the requirement of Exchange Server 2010 SP3 (not out yet).

Any ideas on how I can get Windows 2008 R2 to resolve this SID?
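To see exactly which SIDs a given host fails to translate, the following added example (PowerShell, not from the post) resolves a list of SIDs through the same LookupAccountSid path an application uses, and then does the same for every group SID in the current logon token, which is the set a console that "searches all group memberships" walks. S-1-18-1 is the SID from the post; the function names are the example's own, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post): translate SIDs to account names
# and report the ones this host cannot map, first for an explicit list and then
# for every group SID in the current token.
function Test-SidResolution {
    param([string[]]$Sid)
    foreach ($s in $Sid) {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier $s
        try {
            $name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            $status = 'Resolved'
        } catch {
            # Translate() throws IdentityNotMappedException when the SID is unknown
            # to the local LSA, which is the failure the post describes for S-1-18-1.
            $name   = $null
            $status = 'NotMapped'
        }
        [pscustomobject]@{ Sid = $s; Name = $name; Status = $status }
    }
}

function Test-TokenSidResolution {
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Groups holds every group and well-known SID in the logon token.
    Test-SidResolution -Sid ($token.Groups | ForEach-Object { $_.Value })
}

# The post's SID next to one every Windows version resolves (BUILTIN\Administrators).
Test-SidResolution -Sid 'S-1-18-1', 'S-1-5-32-544' | Format-Table -AutoSize

# Only the unresolvable entries of the current token.
Test-TokenSidResolution | Where-Object Status -eq 'NotMapped' | Format-Table -AutoSize
```

Run as the user who launches the console, on the 2008 R2 server and on the Windows 8 client, the two outputs show the difference the post describes: the same token SID resolves on one host and not on the other.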

AD CS Web Enrollment Error - "public key does not meet the minimum size required"


I've installed a standalone root CA and an enterprise subordinate CA in our environment; both are Windows 2008 R2. Everything is working except for Web Enrollment using a custom User template. I duplicated the default User template and chose 2003 Compatible for the new one. I changed the minimum key length to 2048 and set the validity period to 2 years.

We'd like to avoid using the Advanced Certificate Request page, so I modified certrqtp.inc to point to the new template:

	Else'' Request types for enterprise'
		rgAvailReqTypes(0,FIELD_TEMPLATE)="User-custom"
		rgAvailReqTypes(0,FIELD_FRIENDLYNAME)=L_UserTemplateCert_Text
		rgAvailReqTypes(0,FIELD_CSPLIST)="Microsoft Enhanced Cryptographic Provider v1.0?Microsoft Base Cryptographic Provider v1.0"
		rgAvailReqTypes(0,FIELD_CSPLIST2)="Microsoft Base Cryptographic Provider v1.0?Microsoft Enhanced Cryptographic Provider v1.0"
		rgAvailReqTypes(0,FIELD_EXPORTABLE)="True"
		nAvailReqTypes=1

	End If

I also ran into this issue where Web Enrollment jumps straight to the Advanced page if the original User template isn't present on the CA:
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/9ab514bc-1f9f-424e-b70d-705874d9c623

So I have both User templates loaded on the CA, and I get this error back when attempting a certificate request using IE 8 or 9:

Your certificate request was denied.

Your Request Id is 25. The disposition message is "Denied by Policy Module".

Contact your administrator for further information.

Looking at the CA's Failed Requests section, I see this error:

The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375)

I double-checked our custom template and it does specify 2048 as the minimum key size.

Also, when trying with Chrome 11.0, I get an extra option during enrollment asking for a key size (1024 or 2048). When I choose 2048, the certificate request succeeds. I don't get the key size option when using IE, though.

We'd like to get this working with IE if possible. Any ideas?
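Two checks a practitioner would run on the scenario above, as an added example (PowerShell, not from the post): first, read the template as AD CS stores it in the configuration partition (minimum key size, schema version and the default CSP list the web page's FIELD_CSPLIST should agree with); second, on the CA, show the key length the failed request actually carried next to its disposition message. The template name and request ID are the post's; the script assumes a domain-joined host for the ADSI query, and the certutil column names are assumed from the request view.

```powershell
# Added example (not from the original post): read the template's stored key
# size and CSP list from AD, then show the key length of the failed request.
param(
    [string]$TemplateName = 'User-custom',   # template name from the post
    [int]$RequestId = 25                     # failed request ID from the post
)

# Certificate templates live under the configuration naming context.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$t  = [ADSI]"LDAP://$dn"

[pscustomobject]@{
    Template       = $t.cn.Value
    SchemaVersion  = $t.'msPKI-Template-Schema-Version'.Value   # 2 = "2003 Compatible" duplicate
    MinimumKeySize = $t.'msPKI-Minimal-Key-Size'.Value          # the value the CA enforces
    # Each entry is "<order>,<provider name>"; every provider the web page offers
    # has to be able to generate a key of MinimumKeySize bits.
    DefaultCSPs    = @($t.pKIDefaultCSPs | ForEach-Object { $_ })
}

# On the CA: the request row keeps the submitted public key length next to the
# disposition message (column names assumed from certutil's request view).
& certutil -view -restrict "RequestID=$RequestId" -out "RequestID,Request.DispositionMessage,PublicKeyLength"
```

If PublicKeyLength for the request shows 1024 while MinimumKeySize is 2048, the browser's chosen CSP generated a smaller key than the template allows, which is the error the Failed Requests view reports.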

Cannot get NDES working on Server 2012 R2 at all.


I absolutely cannot get this to work. I simply cannot figure out what I am either doing wrong or missing.

Neither site works and in the event log I get the following:
The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057).
The Network Device Enrollment Service cannot be started (0x80070057).

It seems like I've read every site on this and tried everything but simply can't make it work. I have not tried on 2008 R2. Below is what I have done; if someone can help me I would be grateful.

-I tried adding more permissions than needed on local machine certs, templates, and at domain level as well
-Tried http://support.microsoft.com/kb/2800975, where you move the ExtensionlessUrlHandler-ISAPI-4.0_64bit below the static file
-I tried using and not using "load user profile" in IIS for the SCEP pool
-Both the ndesservice account and admin account have full control on everything
-I also tried leaving the default settings in the registry for the templates


This is the NDES log output when turned on:

========================================================================
402.534.948: Begin: 7/23/2014 4:01 PM 32.507s
402.539.0: taskhost.exe
402.543.0: GMT - 5.00
2005.220.0: certca.dll: 6.3:9600.16384 retail
2005.220.0: certenroll.dll: 6.3:9600.16384 retail
2004.621.0:<2014/7/23, 16:01:32>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
2004.642.0:<2014/7/23, 16:01:32>: 0x80070006 (WIN32: 6 ERROR_INVALID_HANDLE)
402.379.949: End: 7/23/2014 4:01 PM 32.585s

402.534.948: Begin: 7/24/2014 2:31 PM 03.904s
402.539.0: taskhost.exe
402.543.0: GMT - 5.00
2005.220.0: certca.dll: 6.3:9600.16384 retail
2005.220.0: certenroll.dll: 6.3:9600.16384 retail
2004.621.0:<2014/7/24, 14:31:3>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
2004.642.0:<2014/7/24, 14:31:6>: 0x80070006 (WIN32: 6 ERROR_INVALID_HANDLE)
402.379.949: End: 7/24/2014 2:31 PM 06.122s


EVENT LOG

HTTP Error 500.0 - Internal Server Error
Detailed Error Information:
Module   IsapiModule
Notification   ExecuteRequestHandler

Handler   ISAPI-dll     Error Code   0x80070057
Requested URL
   http://localhost:80/certsrv/mscep_admin/mscep.dll

Physical Path
   C:\Windows\system32\CertSrv\mscep\mscep.dll

Logon Method   Negotiate
Logon User   FARAWAY\NdesService

 

INSTALL STEPS
SETUP DOMAIN ACCTS:
Created Domain acct ndesservice (added to ndes server admin group and IIS group)
Created Domain acct ndesadmin (added to Enterprise Admins and ndes server admin group)


Ndes Server Profile Added
-Logged on as ndesservice account so profile is created on ndes server


DOMAIN CA (Server 2008 r2)
-Applied kb2483564 to 2008 r2 domain CA
-Duplicated (Exchange Enrollment Agent (Offline request),Cep Encryption,IPSec (Offline request) templates)
 Added ndesservice, ndesadmin, and ndes server with read and enroll on all three
-All three cer copies prefixed with ndes
-Issued Certs
-CA properties (added ndesservice account and ndes machine acct read and request)
-Added ndesservice account to local admin group


Set SPN for ndesservice domain account
-setspn -s http/gimli.faraway.com faraway\NdesService


NDES SERVER (Server 2012 R2)
Installed NDES under the CA role using the ndesadmin account (member of Enterprise Admins group)
-Added Request Filtering in IIS (tried with adding and without)
-Added .NET Extensibility options (tried with adding and without)


Post Deployment on NDES Server
-set creds to configure role services to faraway\ndesadmin
-Set service account to faraway\ndesservice
-Set ca to pippin.faraway.com\farway (it picked this up automatically)
-Entered cert info, left keys at default of 2048


NDES Server Registry changes
-HKLM\Software\Microsoft\Cryptography\MSCEP (changed templates from default of IPSECIntermediateOffline to NDESIPSECIntermediateOffline;
 also tried the template name NDESIPSec(Offlinerequest) from the copy)
-Added faraway\ndesservice account full control of MSCEP and below
-HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword  (change from 1 to 0)


NDES Server IIS application pool identity
-IIS SCEP App pool set Load User profile from false to true

NDES Server Certificates
There were two certs created when the role was installed in the machine's personal store. I don't think I am supposed to do anything here other than add permissions?
-Added ndesservice account and machine account with full control

Both the CA and NDES server have been restarted multiple times. Am I doing this right and missing something in IIS 8.5? I hope I provided enough info.
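The two NDES certificates named above are the ones "cannot retrieve one of its required certificates" refers to, and the service account must be able to read their private keys. As an added example (PowerShell, not from the post), the following lists each certificate in the machine store with the template it was issued from, its EKUs, and the ACE the NDES service account holds on the key file, which the 0x80070005 ERROR_ACCESS_DENIED line in the NDES log points at. The account name is the post's; the script assumes PowerShell 3.0 or later and that the keys are legacy-CSP RSA keys (the NDES default), which live as files under MachineKeys.

```powershell
# Added example (not from the original post): for each certificate in the
# machine store, show its template, EKUs, and whether the NDES service account
# has an ACE on the private key file.
param([string]$ServiceAccount = 'FARAWAY\NdesService')   # service account from the post

$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $c = $_
    # Template name (v1, OID 1.3.6.1.4.1.311.20.2) or template information (v2+, 1.3.6.1.4.1.311.21.7).
    $template = ($c.Extensions | Where-Object {
        $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
    } | ForEach-Object { $_.Format($false) }) -join '; '
    $eku = ($c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.Format($false) }) -join '; '

    $keyFile = $null
    $svcRights = 'n/a'
    if ($c.HasPrivateKey) {
        try {
            # Legacy CSP keys are stored under MachineKeys with the unique container name as file name.
            $container = $c.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $keyFile   = Join-Path $keyDir $container
            $rule = (Get-Acl -LiteralPath $keyFile).Access |
                    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }
            $svcRights = if ($rule) { ($rule.FileSystemRights -join ', ') } else { 'NO ACE for service account' }
        } catch {
            $svcRights = "key not CSP-backed or unreadable: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Subject       = $c.Subject
        Template      = $template
        EKU           = $eku
        HasPrivateKey = $c.HasPrivateKey
        KeyFile       = $keyFile
        ServiceRights = $svcRights
    }
} | Format-List
```

The two rows whose Template shows the enrollment agent and CEP encryption templates should both have HasPrivateKey = True and a Read ACE for the service account; a row reporting "NO ACE for service account" or "unreadable" is the one to fix, and the ACE needed is Read on the key file, not Full Control on the certificate.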
