Channel: Security forum

Issue with using Kerberos authentication when establishing cross-domain IPSec


Our environment has two forests with a two-way forest-trust established. Now we want to use IPSec to enable domain isolation between the two forests.

Since there is a trust already established, we configured our environment to use Kerberos authentication with IPSec. We added TCP and UDP port 88 to the exceptions and everything worked fine. After a day or two we started to see random problems with IPSec authentication, as if the trust was not working properly.

We managed to overcome the problem by reverting the group policies from require to request until the machine from one domain successfully communicated with the DC from the other domain, and then returned to the initial configuration. However, this was just a workaround since the issue was detected again after a few days.

Can the problem be with Kerberos ticket expiring?


SELFSSL.exe - can you create a Domain Controller certificate?

As the title asks really. Rather than setting up CAs, can you use selfssl.exe to create domain controller certificates?

Drives not enumerated in BitLocker Control Panel for encryption


I have two W2k8 R2 servers built together with similar configurations. BitLocker has been enabled on both servers. One server displays the OS drive as a hard disk drive and the data LUNs under the BitLocker To Go section of the BitLocker control panel app. The other displays only the OS drive and no data LUNs. I run manage-bde -status on the first server and I get a list of the data LUNs. On the second, I get the following:

C:\Windows\system32>manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

ERROR: There are no disk volumes that can be protected with BitLocker Drive
Encryption.

NOTE: In pre-installation or recovery environments, decrypted volumes are not
displayed.

I've restarted the server, uninstalled and reinstalled BitLocker with associated restarts. The status doesn't change.

There are a couple of similar posts but they have not provided any conclusive resolution:
Using Bitlocker-to-go on Server 2008R2 not working on external drives.
http://social.technet.microsoft.com/Forums/en-US/139bc19e-a0d3-4eb6-850b-b4de737f54be/using-bitlockertogo-on-server-2008r2-not-working-on-external-drives?forum=winserversecurity
Bitlocker Can't enumerate, associated data is missing
http://social.technet.microsoft.com/Forums/en-US/7f0ca018-55de-486e-b5d7-b01bd49fa12b/bitlocker-cant-enumerate-associated-data-is-missing?forum=winserversecurity

How can I get the LUNs to enumerate?


The Computer Shogun

Certificate Authority is not being seen by windows server 2003 machines


Good Afternoon,

We recently installed a certificate authority using Windows Server 2008 R2. There was an old certificate authority that had gone bad and the role could not be uninstalled on the bad server. The new certificate authority works with Windows 2008 machines but does not work with Server 2003 machines. Mainly I am trying to get the domain controller certificate. At first it was stating that the RPC was unavailable for the CA. I tried to delete the remnants under the Sites and Services role of the old server. The error now states that it cannot find a certificate authority. As stated above, the newer machines (Server 2008) can see the certificate authority and request certificates but older machines can't. Any assistance on what to do next will be greatly appreciated. Attached is the error I receive when trying to request a certificate through the CA MMC.


dmg

Proper Steps to Build CA with new CN


Hey all,

I have been pretty busy lately, but I'm ready to take on this CA rebuild plan.

Here's the scenario: we currently have a Root (Enterprise) CA that hosts most of our certificates internally; on our Edge server we use VeriSign certs, so I'm not too worried there.

I want to sort of follow this, but I want to have a new Common Name, and as shown in the comments this has to be done by building a CA from scratch.

So I built a test environment and sure enough I removed the CA role from the initial CA, and built it anew on a freshly built Server 2008 R2 server. After rebuilding I can see the new Root CA cert being installed on workstation machines; I was even able to request new certs on the Lync 2013 server and reassign without issue, on new sha1RSA based certs. This is good. I also noted that when viewing a workstation user's personal cert store a cert was there signed by the CA with the user's SIP address. I believe this is what was causing the events to populate on my Lync Server (see below).

I'm concerned about other services, although now that I think of it I don't see what else this would disrupt, since most third party appliances/services usually run with self-signed certs (I plan to change this to hopefully get them to run off certs signed by this new CA).

The main reason for this is that I get events on my Lync Server ("GetnPublish Web Service" events) which research led me to one TechNet forum thread where it was determined to be due to a bad CA setup: Lync requires sha1RSA, and we were using sha1DSA.

Now in my production environment I have not removed the CA role from the current CA that is signing certs using sha1DSA, and I'm running the CA role installation on the new server to see what the options are. I get up to the type and I can select the option of a Root CA... how does this work when there's already a Root CA configured?

shared folders server 2012


Hello all, I am trying to organize my file server to make it look neater. I have one hard drive I've shared that stores all my stuff and my family's stuff, and I want to hide any unnecessary sub folders from individual users. For example, two users "Jim" and "Jan" (A* for creativity), and two folders, say music and videos. Jan can access music and Jim videos, but when they go to the shared drive both users can see the folders they do not have access to. Is there a way I can make it so that if Jim went to the shared drive he can only see what he has access to? Sorry if this is a noob question but I'm a student learning Server 2012 with self study.

James

Windows Server 2012 R2 "The password is incorrect. Try again."


Hi,

I tried to login to my Windows Server 2012 R2 and I got this message "The password is incorrect. Try again." Although the username and password are absolutely correct.

Any thoughts. Thanks.


IE 11 compatibility list


We are upgrading our windows 7 IE browsers all to IE 11. We do not have a windows server 2012 domain controller to set the IE 11 compatibility list. We are stuck editing the registry. When I add a site to the compatibility list, it shows up in the registry with binary code.

For each site that you add, does it add the binary code to the reg key? Also, what is the best method to push this out without using group policy?


Default Domain Controller Policy - SceCli 1202 event


My domain controller is getting endless SceCli 1202 events. I believe this is tied to a certificate expiring but I am not certain. When I check what is causing the "Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done." it appears to be my <DC name>.<domain name>.co.uk within "Access this computer from the network". Does the DC itself need to be in this setting?

My DC and Domain User`s Password Was Hacked


Hi,


Recently I found out that when I run a query on my Active Directory and open dsa.msc on the primary DC it takes a long time to run. One person claimed my DC was hacked by him. He tells me that each time a user changes their password he can see the changed password online in his application. I think he got online replication of NTDS.DIT (Active Directory replication), or uses periodic queries to the DC with a high-privilege user.

I don't know the name of his application or the way he can see a user's password as soon as I change it in Active Directory.

I changed the domain administrator password and he told me the new password.

I used Microsoft TCPView and Microsoft Process Explorer and I did not see any suspicious process, and it seems it is OK. TCPView shows lots of TCP connections from client machines and the server.

I really don't know how I could solve this problem and find out how he hacked in and sees the domain users' passwords.

I want to stop him and solve this problem.

Would you be kind enough to help me?

Regards

issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0


I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with the Certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.

When I log into my site using Windows Auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds it returns me to the logon page with the error message "Authentication failed".

I based my setup on the TechNet article

http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx

I validated that all my certificates are valid and able to retrieve the CRL.

I get event ID 300 in the event log:

The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

Additional Data
Exception details:
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
'
  at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  --- End of inner exception stack trace ---
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
  at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)

System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
'
  at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)

thx

Stef71

Revoked Certificate Removal

Hello!

I have a certificate revocation issue that I'm hoping to find some information on.

The backstory: I had a machine signing certificate template that issued certificates to 500+ computers in my environment. This template was only intended for a much smaller subset of computers, and we have since revoked all of the incorrectly issued certificates. So far as I can tell, we have our default domain GPO set to automatically delete revoked certificates, but this does not seem to be happening.

On the client machine, I can check the validity of the certificate via certutil, which confirms that the issued certificate is revoked.

My guess as to why the revoked certificates aren't deleted is that the template on the CA was originally set to have a purpose of "Signature and Encryption", which does not allow the "Delete revoked or expired certificates" option to be selected. I have since changed the purpose to "Signature" only and selected the "Delete revoked..." box, but it has not made a difference.

Any thoughts on how I can get rid of the revoked certificates from my 500+ clients? If there's a way for certutil to search a machine's certificate store and delete any certificates issued from a specific template, I can deploy that via GPO. Even better would be a way to force revoked certificates to be deleted.

Thanks for any help!

Tim
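The clean-up the post asks about, as an added example that is not part of the original post: enumerate the machine's personal store, keep only certificates issued from one template (matched on the certificate template extension text as it appears on domain-joined hosts), confirm each one is revoked with an online chain build, and remove only those. `MachineSigning` is an assumed template name.

```powershell
# Added example, not from the original post. Assumes: the over-issued template is named
# 'MachineSigning'; v2 template extensions format as "Template=Name(oid), ..." and v1 ones
# as the bare template name. Run elevated, or as a GPO startup script, with -DryRun first.
param(
    [string]$TemplateName = 'MachineSigning',   # assumed: name of the over-issued template
    [switch]$DryRun                             # report what would be removed, change nothing
)

function Get-CertTemplateName {
    param($Cert)
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '1.3.6.1.4.1.311.20.2' { return $ext.Format($false).Trim() }      # v1 template: bare name
            '1.3.6.1.4.1.311.21.7' {                                            # v2 template information
                if ($ext.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
            }
        }
    }
    return $null
}

function Test-CertRevoked {
    param($Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'              # consult CRL/OCSP, not only the local cache
    $chain.ChainPolicy.RevocationFlag = 'EndCertificateOnly'  # only the leaf's revocation matters here
    $null = $chain.Build($Cert)
    $revoked = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    foreach ($status in $chain.ChainStatus) {
        if (($status.Status -band $revoked) -ne 0) { return $true }
    }
    # Unreachable CRL yields RevocationStatusUnknown, not Revoked, so nothing is deleted in that case
    return $false
}

$mode  = if ($DryRun) { 'ReadOnly' } else { 'ReadWrite' }
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
             'My', [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open($mode)
try {
    # Snapshot the collection so removing entries does not disturb the enumeration
    foreach ($cert in @($store.Certificates)) {
        if ((Get-CertTemplateName $cert) -ne $TemplateName) { continue }
        if (-not (Test-CertRevoked $cert)) { Write-Output "keep (not revoked): $($cert.Thumbprint)"; continue }
        if ($DryRun) { Write-Output "would remove: $($cert.Subject) $($cert.Thumbprint)" }
        else { $store.Remove($cert); Write-Output "removed: $($cert.Subject) $($cert.Thumbprint)" }
    }
} finally { $store.Close() }
```

Because the decision is driven by the chain builder's Revoked flag, a client that cannot reach the CRL distribution point leaves its certificates in place rather than deleting on a guess.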

Certificate Authority - Custom Temp not showing up. W2k8R2ent


Hi Guys,

Couldn't see a forum for CA so I had to post it here. Hopefully it's the right place.

(Server is a test domain, 1 single AD, no replication. Running Win 2k8 R2 Enterprise)

So here's the issue: I am trying to create and export a certificate for other users (EOBO).

It works fine. But I want to do this through certreq, and in order to do that I have to create a custom cert template, which I did by duplicating the User template.

In the new template CopyOfUser I changed (or confirmed) the following settings:

General Tab = Publish Cert in Active Directory

Request Handling = Allow private key to be exported & Enroll subject without requiring any input

Security: I am logging in as domain administrator and it has Read/Write/Enroll

Issuance Req: This number of authorized signatures = 1

& Application Policy & Client Authentication.

Subject Name : Build from AD (Fully Distinguished name)

Selected boxes : Include email name / Email name / UPN

Now the problem is I cannot see the custom template under Enable Certificate Templates.

I am very new to CA so I am sure I am missing something or doing something wrong.

Would love some help.


Server 2012 wds capturing after sysprep

Please help. I have sysprep'd a machine ready for capture. I then get into PXE boot and gain access to my two created boot images for WDS; these are "install an image" and "capture an image". My install image is working, but my capture image starts to load and then gives you the normal "Windows is corrupt, please insert your installation media and run a repair". Is this the sysprep gone wrong or my actual capture image? Any ideas would be great. Thanks, and the error code I receive is 0xc000000f.

Domain Controller setup Server 2012 R2


Hi All

I've currently been through the process of setting up my own DC on my Server 2012 R2. I've installed the AD domain roles along with the DNS role. I do not wish to use Server 2012 R2 as my DHCP as my fiber optic router is my DHCP provider. It's all configured, but when I type in my domain name under the system properties to add my client PC it can't find the server? A static IP is configured in Server 2012 and via my router. Any suggestions as to what I've done wrong?

kind regards

James


Monitoring AD CS issued certs ?


Has anyone come across any good tools for monitoring certificates, in particular their lifetime? I know it's possible through SCOM, but the issue is when you need to monitor many different certificates from many different environments it becomes difficult to apply different metrics.

Is there a ready built tool or script which is easy to manage and use which can either query the CA database periodically for particular certs and their expiry and alert when they are 50%, 60%, 70%... through their lifetime, or a tool which can look in a folder for CERs and check the expiry?

Thanks in advance!
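A script of the kind the post asks for, as an added example that is not part of the original post: it computes how much of each certificate's lifetime has elapsed and reports those past the 50/60/70% marks, reading either `.cer` files from a folder (`C:\CertMonitor\cers` is an assumed path) or, when run on the CA with `-QueryCA`, the issued certificates in the CA database via `certutil -view`. Parsing certutil's dates with the current culture is an assumption about its output format.

```powershell
# Added example, not from the original post. Assumes exported .cer files live in $CertFolder,
# and that certutil's CSV output has a header row first and locale-formatted dates.
param(
    [string]$CertFolder = 'C:\CertMonitor\cers',   # assumed folder of exported .cer files
    [int[]]$Thresholds  = @(50, 60, 70),           # percent of lifetime consumed to alert on
    [switch]$QueryCA                               # also read issued certs from the CA database
)

function Get-LifetimeStatus {
    param([string]$Subject, [datetime]$NotBefore, [datetime]$NotAfter, [int[]]$Thresholds,
          [datetime]$Now = (Get-Date))
    $total   = ($NotAfter - $NotBefore).TotalSeconds
    $elapsed = ($Now - $NotBefore).TotalSeconds
    $pct     = [math]::Round(100 * $elapsed / $total, 1)
    # Highest threshold already crossed; $null while the certificate is still young
    $crossed = $Thresholds | Where-Object { $pct -ge $_ } | Sort-Object -Descending | Select-Object -First 1
    New-Object PSObject -Property @{
        Subject   = $Subject
        NotAfter  = $NotAfter
        PctUsed   = $pct
        Threshold = $crossed
        Expired   = ($Now -gt $NotAfter)
    }
}

# Source 1: .cer files dropped into a folder (no CA access needed)
$report = @(Get-ChildItem -Path $CertFolder -Filter *.cer -ErrorAction SilentlyContinue | ForEach-Object {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
    Get-LifetimeStatus -Subject $cert.Subject -NotBefore $cert.NotBefore `
                       -NotAfter $cert.NotAfter -Thresholds $Thresholds
})

# Source 2: issued certificates in the CA database (run on the CA; Disposition=20 = issued).
# certutil's first CSV line is its header row, so it is skipped and the columns re-labelled.
if ($QueryCA) {
    $csv = certutil -view -restrict "Disposition=20" -out "RequestID,CommonName,NotBefore,NotAfter,CertificateTemplate" csv
    $report += @($csv | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header ReqId,CN,NotBefore,NotAfter,Template |
        Where-Object { $_.NotAfter } |                      # drop any trailing non-data line
        ForEach-Object {
            Get-LifetimeStatus -Subject "$($_.CN) [$($_.Template)]" -NotBefore ([datetime]::Parse($_.NotBefore)) `
                               -NotAfter ([datetime]::Parse($_.NotAfter)) -Thresholds $Thresholds
        })
}

# Only rows that need attention: past a threshold or already expired
$report | Where-Object { $_.Threshold -or $_.Expired } |
    Sort-Object PctUsed -Descending |
    Select-Object Subject, NotAfter, PctUsed, Threshold, Expired | Format-Table -AutoSize
```

Scheduling this as a task and piping the final table to a mail or ticket step gives the periodic alerting the post describes; the thresholds are the percent-of-lifetime values, so a 2-year cert and a 90-day cert are judged by the same rule.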

OpenSSL Change Cipher Spec Vulnerability

How can I physically find which version of OpenSSL is installed in the server? I tried OpenSSL /? but it is not recognized, and openSSL Version is not recognized either. Should I assume it is not installed? Is there a way through Programs installed to detect the software?

michael john ocasio

Remove unwanted issues Root certificates


Due to some typos in my AIA and CDP LDAP paths I had to re-issue a new certificate from my offline root three times. So within the Trusted Root Certification Authorities store on all my clients there are three root certificates which have been downloaded from the domain. Two of the certificates have been superseded by the newest issued root certificate and are not needed.

Is there any way to clean up these old root certificates? I want it so that newly joined domain machines only download the newest root certificate into the machine's root certificate authority store.

Thanks for everyone's help.

Joel

AUDITPOL.EXE - User rights assignments needed.


OS: Server 2008R2 Std.

What user rights assignments are required in order to use the following command:

C:\windows\system32>auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

Error 0x00000522 occurred:

A required privilege is not held by the client.


DOS Vader

Problem with GPO, creating Local Users


Hi, I'm trying to create new local users via GPO GPP in a domain environment. The "Password" and "Confirm Password" fields are grayed out:

I know about article MS14-025; however, I'm not comfortable with PowerShell scripting and I need a solution fast, so I'm not in a position to learn fast.

Is there any other solution or work around?


Aleksandar B. MCITP/MCSA

