
Set up a smart card for user logon to windows server 2012 R2


Good Evening,

I have Windows Server 2012 R2 Datacenter edition (dreamspark license)

Is it possible to successfully set up smart card logon to a server? I already have the smart card reader, the smart card and the certificate (which is also my digital signature). I know how to set up a DC role (as far as I know, the server has to be in a domain to use smart card logon). I would like to log on to my PC using a smart card and set the certificate I already have as the certificate used for logon.

Kind Regards,

Tomasz


Is it possible to reset SubCA private key permissions?


I have a new CA running on Windows 2008 R2 which is failing to start after reboot, the SubCA certificate's private key permissions were "updated" in an ill-conceived attempt to provide read access for a softcert recovery process via network service.

The CA fails to restart and in the event viewer application logs we see:

--------------------

 Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Date:          9/22/2014 3:59:44 PM
Event ID:      100
Task Category: None
Level:         Error
Keywords:      Classic
User:          SYSTEM
Computer:      SERVERNAME
Description:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  CA-NAME An internal error occurred. 0x80090020 (-2146893792).

-----------------

When trying to view the private key permissions through the MMC snap-in, a pop-up reports that an internal error occurred.

We are also seeing warnings in the application logs:

----------------

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID related to certsrv.exe but its configuration matches a working CA when checked with the Component Services snap-in.

-----------------

Is there a way to use certutil -repairstore or other means to reset the default permissions on the private key and allow the CA to start? The CA is HSM attached for CSP and the security world is online and available.

Thanks for any information or tips, search did not have any leads for this that I could find.

PKI Client Certificate Template not viewable by Windows 7 and Server 2008 workgroup machines.

Hello everyone,

I'm having issues with workgroup computers, not domain systems, when I request a certificate.

It's extremely weird. It has something to do with Windows 7 and Windows 2008 machines. On a 2003 server I can request a certificate manually with certutil and it sees the certificate template. I copy over the exact command on Windows 7 and it can't see the certificate template.

I have the following configuration:

1. CA Enterprise
   1. I have created the SCCM Client Certificate
   2. I have created the SCCM Web Server Certificate
   3. I have created the SCCM Distribution Point Certificate
2. GPO is configured
3. SCCM 2012 R2 CU2 configured to do HTTP and HTTPS
   1. Installed SCCM Client Certificate
   2. Installed SCCM Web Server Certificate
   3. Installed Distribution Point Certificate
4. Deployed to a domain computer: good on PKI

Workgroup Computers:

I'm having issues with deploying certificates:

1. Windows 7 - (ERROR) not successful
2. Windows Server 2008 R2 - (ERROR) not successful
3. Windows Server 2003 - successful
4. Windows XP - successful

How I'm getting the certs for the clients is by utilizing the following scripts from this URL:

http://www.ithierarchy.com/ITH/node/48

I did find a couple of errors in the code, but if it's working on my Server 2003, then it should work on the others. Windows 7 and Windows 2008 R2 seem to have the same issue. The error I'm getting is the following:

Command line requesting the cert: CertReq -new -f testcomputer.home.pvt.inf c:\client\testcomputer.home.pvt.req

Error: Template not found.

SCCMClientCertificate (this is my template)

Kerberos authentication failure 0x1b


Dear All

I have been researching the below-mentioned error message for a while now.

I have increased the audit report level and noticed these kinds of errors.

My searching revealed that failure code 0x1b indicates that the ticket is good for user-to-user authentication only and not for server-client authentication.

There are a few things that I do not really get in the error message:

1. It says that AccountName (SQLSERVER01$@DOM...) tries to access ServiceName (SomeUsername).
This one is clearly stated in the footer of the error message.

I am not sure why the computer account wants to "access" a domain user.

Sometimes I also see that the computer name is replaced with the username again. So user X wants to access itself?
Should I create an SPN for the user? I am a bit confused here ...

2.
With common sense, this is the other way round, so the user wishes to access the machine itself.
The machine runs 2 instances of SQL Server.
The SQL instances have SPNs set already.
Should I create an SPN for the computer account as well?



Any explanation is appreciated, 
Thank you
A

EVENT #: 8851845
EVENT LOG: Security
EVENT TYPE: Audit Failure
OPCODE: Info
SOURCE: Microsoft-Windows-Security-Auditing
CATEGORY: Kerberos Service Ticket Operations
EVENT ID: 4769
COMPUTERNAME: DC01
DATE / TIME: 03/04/2013 09:15:14
MESSAGE: A Kerberos service ticket was requested.

Account Information:
Account Name: SQLSERVER01$@DOMAIN01.LOCAL
Account Domain: DOMAIN01.LOCAL
Logon GUID: {00000000-0000-0000-0000-000000000000}

Service Information:
Service Name: SomeUsername
Service ID: NULL SID

Network Information:
Client Address: ::ffff:10.103.22.154
Client Port: 65346

Additional Information:
Ticket Options: 0x40810000
Ticket Encryption Type: 0xffffffff
Failure Code: 0x1b
Transited Services: -

This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.	
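The failure code and ticket options in an event like the one above can be decoded offline against RFC 4120, which the event text itself points to. The following is an added example, not code from the post or from Microsoft: it parses the "Field: Value" body of an exported 4769 event, names the Kerberos error code and the KDCOptions bits, and records whether a ticket was actually issued. The sample event is constructed, modelled on the one in the post; the error-code table is a subset of RFC 4120 section 7.5.9, the option bit numbers are from RFC 4120 section 5.4.1 (bit 15, name-canonicalize, is the RFC 6806 assignment), and the 0xffffffff encryption type is the value Windows writes in failure audits.

```python
"""Decode a Windows Security event 4769 (Kerberos service ticket request).

Added example, not from the post or from Microsoft. The sample event text is
constructed, modelled on the one in the post.
"""
import re

# RFC 4120 section 7.5.9 error codes (subset commonly seen in 4769 failures).
KRB_ERROR_CODES = {
    0x00: "KDC_ERR_NONE",
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in database)",
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN (server principal / SPN not found)",
    0x0C: "KDC_ERR_POLICY",
    0x0D: "KDC_ERR_BADOPTION",
    0x0E: "KDC_ERR_ETYPE_NOSUPP",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x1B: "KDC_ERR_MUST_USE_USER2USER (server principal valid for "
          "user-to-user only)",
    0x1F: "KRB_AP_ERR_BAD_INTEGRITY",
    0x20: "KRB_AP_ERR_TKT_EXPIRED",
    0x25: "KRB_AP_ERR_SKEW",
}

# RFC 4120 section 5.4.1 KDCOptions; bit numbers count from the MSB as bit 0.
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    15: "name-canonicalize", 26: "disable-transited-check",
    27: "renewable-ok", 28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}


def parse_event_text(text):
    """Turn the 'Field: Value' lines of an exported event into a dict.
    Section headers such as 'Account Information:' have no value and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]+?):\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def decode_kdc_options(value):
    """Expand a Ticket Options hex string into the RFC 4120 option names."""
    opts = int(value, 16)
    return [name for bit, name in sorted(KDC_OPTION_BITS.items())
            if opts & (1 << (31 - bit))]


def decode_failure_code(value):
    code = int(value, 16)
    return KRB_ERROR_CODES.get(code, f"unknown Kerberos error code {code}")


def analyse_4769(text):
    """Summarise one 4769 event for triage: who asked for what, and why it failed."""
    f = parse_event_text(text)
    return {
        "client": f.get("Account Name"),
        "service": f.get("Service Name"),
        "client_address": f.get("Client Address"),
        "failure_code": int(f.get("Failure Code", "0x0"), 16),
        "failure_name": decode_failure_code(f.get("Failure Code", "0x0")),
        "options": decode_kdc_options(f.get("Ticket Options", "0x0")),
        # Windows writes 0xffffffff as the encryption type when no ticket was issued.
        "ticket_issued": f.get("Ticket Encryption Type", "").lower() != "0xffffffff",
    }


# Constructed sample, modelled on the event in the post.
SAMPLE_4769 = """A Kerberos service ticket was requested.

Account Information:
Account Name: SQLSERVER01$@DOMAIN01.LOCAL
Account Domain: DOMAIN01.LOCAL
Logon GUID: {00000000-0000-0000-0000-000000000000}

Service Information:
Service Name: SomeUsername
Service ID: NULL SID

Network Information:
Client Address: ::ffff:10.103.22.154
Client Port: 65346

Additional Information:
Ticket Options: 0x40810000
Ticket Encryption Type: 0xffffffff
Failure Code: 0x1b
Transited Services: -
"""

if __name__ == "__main__":
    for k, v in analyse_4769(SAMPLE_4769).items():
        print(f"{k}: {v}")
```

Run against the post's values it reports failure code 27, KDC_ERR_MUST_USE_USER2USER, options forwardable, renewable and name-canonicalize, and no ticket issued. When many of these appear, grouping them by (Account Name, Service Name, Client Address) shows quickly whether a single host or a single requested service name accounts for them.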

can't give iis users special permissions to folder in iis 8

I installed an SSL certificate on a 2012 server (it had been working on a 2008 server for years). I can't duplicate the IIS users' rights that existed on the previous server. It's not available (grayed out), and not available in the Advanced tab either. I am logged in as administrator. There is no way to add that attribute, even though that's the only way I got the SSL site to work in 08 server installs. I checked with the certificate issuer and there is nothing wrong with it. It displays in the SSL settings under IIS.

I also have a problem with the folder where the file needs to be written. The folder has the read-only box checked, and when I uncheck it and click Apply, it doesn't save after exiting. I have tried using attrib -r at the command prompt, with no success either.

It is evident that these IIS users coming to the website can't write to the SSL file unless they have special permission, as well as read, execute (they run an ASP script) and write. Since I can't give them these rights, the website doesn't function on this server. I did turn off the firewall. The message you get when you go to the URL is a 404 and "you don't have rights to this directory etc."

patricia hartman

Configuring AD LDS Password Hash Algorithm


Hello,

I have a client which has a requirement that the passwords in Active Directory should be stored using the Secure Hash Standard (SHS) standard. This could be SHA-1 or SHA-2.

Could you please tell me where I can check the current hashing algorithm and configure the new one?

Windows Server 2008 R2 Enterprise
Forest & Domain functional level: Windows Server 2008 R2

Thanks!

401 - Unauthorized: Access is denied due to invalid credentials

After installing MSCEP, I enter http://Server2008/certsrv/mscep_admin in the browser.
I enter the correct user name and password in the pop-up box. Windows 2008 keeps rejecting the correct user name and password. The browser displays the error when Cancel is clicked.

OID in Certificate Information - General Tab


Where it should likely say "All issuance policies", it lists the OID of the root CA. In the general tab of the Certificate:

Certificate Information

This certificate is intended for the following purpose(s):

-(stand alone root CA OID)

-All application policies

Something is very off here; uninstalling and reinstalling the CA role on the root doesn't seem to resolve it.


CACert revocation server offline


I'm using CACert for certificate verification and in Outlook none of the client certificates can be verified as the server is offline. The root is in Trusted for both HCCE_LOCAL_MACHINE and HCCE_CURRENT_USER.

The most bizarre thing is: all servers are online and I can download the CRLs. They appear to be correct and I can't understand why there's an error (because verification is OK!). I thought maybe because the root CRL against the class 1 root is so large, there could be timeouts, but using the "-t 30" doesn't change behaviour. You can see that everything is verified! But it still shows up with an error status (Class 3 intermediate) with 1000040.

If I use "certutil -f -verify -urlfetch <mycer>", then there is no error, but "failed" is present in the output. I don't know what the difference is as -f is not documented on MSDN (references http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspx and http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_verify).

Note, this problem occurs on Windows 7 as well as Windows 8.1.

I have the support of the CA authority to also further investigate.

X:\>certutil -t 30 -verify -urlfetch "20130103 011232 jason@onmicrosoft.cer"
Issuer:
    CN=CAcert Class 3 Root
    OU=http://www.CAcert.org
    O=CAcert Inc.
Subject:
    E=jason@thecurls.onmicrosoft.com
    CN=Jason Curl
Cert Serial Number: 011232

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=104 dwErrorStatus=0
  Issuer: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
  NotBefore: 03/01/2013 14:17
  NotAfter: 03/01/2015 14:17
  Subject: E=jason@thecurls.onmicrosoft.com, CN=Jason Curl
  Serial: 011232
  SubjectAltName: RFC822 Name=jason@thecurls.onmicrosoft.com
  f9 3c a2 39 9b 27 0d 84 26 29 7f 9b 23 83 2c 68 56 93 d5 1e
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL" Time: 0
    [0.0] http://crl.cacert.org/class3-revoke.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] http://ocsp.cacert.org

  --------------------------------
    CRL (null):
    Issuer: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
    aa ce 2f e9 20 5f 91 1d ce 91 47 51 8f ce b6 55 aa 9b 0b 98
  Application[0] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
  Application[3] = 1.3.6.1.4.1.311.10.3.3
  Application[4] = 2.16.840.1.113730.4.1

CertContext[0][1]: dwInfoStatus=101 dwErrorStatus=1000040
  Issuer: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
  NotBefore: 23/05/2011 19:48
  NotAfter: 20/05/2021 19:48
  Subject: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
  Serial: 0a418a
  ad 7c 3f 64 fc 44 39 fe f4 e9 0b e8 f4 7c 6c fa 8a ad fd ce
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://www.CAcert.org/ca.crt

  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] http://ocsp.CAcert.org/

  --------------------------------
  Issuance[0] = 1.3.6.1.4.1.18506

CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
  Issuer: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
  NotBefore: 30/03/2003 14:29
  NotAfter: 29/03/2033 14:29
  Subject: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
  Serial: 00
  13 5c ec 36 f4 9c b8 e9 3b 1a b2 70 cd 80 88 46 76 ce 8f 33
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL" Time: 12
    [0.0] https://www.cacert.org/revoke.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  b3 cf c2 7a ca 14 01 93 ea dc 46 c0 c0 6e b6 d1 b3 7f 39 b3
Full chain:
  f3 71 fa 99 64 60 c4 01 75 62 d9 f8 94 15 bc 11 2f 1b c2 bd
  Issuer: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
  NotBefore: 03/01/2013 14:17
  NotAfter: 03/01/2015 14:17
  Subject: E=jason@thecurls.onmicrosoft.com, CN=Jason Curl
  Serial: 011232
  SubjectAltName: RFC822 Name=jason@thecurls.onmicrosoft.com
  f9 3c a2 39 9b 27 0d 84 26 29 7f 9b 23 83 2c 68 56 93 d5 1e
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
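The dwErrorStatus=1000040 the poster is puzzled by is a bit mask, and certutil prints it as bare hex. The following is an added example, not code from the post or from Microsoft: it decodes the CERT_TRUST_* error bits from the CertContext lines of certutil -verify -urlfetch output and, for each chain element, records which CRL distribution point and OCSP URLs certutil tried. The flag values are the CERT_TRUST_* constants from wincrypt.h; the sample lines are a constructed, shortened copy of the output in the post.

```python
"""Decode CERT_TRUST_* error status from certutil -verify -urlfetch output.

Added example, not from the post or from Microsoft. Flag values are the
CERT_TRUST_* constants from wincrypt.h; the sample output is a constructed,
shortened copy of the chain dump in the post.
"""
import re

# dwErrorStatus bits (wincrypt.h). dwInfoStatus uses a different set of bits.
CERT_TRUST_ERROR_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000002: "CERT_TRUST_IS_NOT_TIME_NESTED",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00000080: "CERT_TRUST_IS_CYCLIC",
    0x00000100: "CERT_TRUST_INVALID_EXTENSION",
    0x00000200: "CERT_TRUST_INVALID_POLICY_CONSTRAINTS",
    0x00000400: "CERT_TRUST_INVALID_BASIC_CONSTRAINTS",
    0x00000800: "CERT_TRUST_INVALID_NAME_CONSTRAINTS",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}

CONTEXT_RE = re.compile(
    r"^CertContext\[(\d+)\]\[(\d+)\]: dwInfoStatus=([0-9a-fA-F]+) dwErrorStatus=([0-9a-fA-F]+)")
SUBJECT_RE = re.compile(r"^\s+Subject: (.+)$")
URL_RE = re.compile(r"^\s+\[\d+\.\d+\]\s+(\S+)")


def decode_error_status(value):
    """Split a dwErrorStatus value (certutil prints it as hex without 0x) into flag names."""
    status = int(value, 16)
    names = [name for bit, name in sorted(CERT_TRUST_ERROR_FLAGS.items()) if status & bit]
    leftover = status & ~sum(CERT_TRUST_ERROR_FLAGS)
    if leftover:
        names.append(f"unknown bits 0x{leftover:x}")
    return names


def chain_elements(output):
    """Return one dict per CertContext[chain][element] block with its decoded flags,
    subject, and the CDP / OCSP URLs listed under it."""
    elements, current, section = [], None, None
    for line in output.splitlines():
        m = CONTEXT_RE.match(line)
        if m:
            current = {"chain": int(m.group(1)), "element": int(m.group(2)),
                       "subject": None, "cdp_urls": [], "ocsp_urls": [],
                       "error_flags": decode_error_status(m.group(4))}
            elements.append(current)
            section = None
            continue
        if current is None:
            continue
        # Section dividers tell us which URL list the following [n.m] lines belong to.
        if "Certificate CDP" in line:
            section = "cdp_urls"
        elif "Certificate OCSP" in line:
            section = "ocsp_urls"
        elif "----------------" in line:
            section = None
        s = SUBJECT_RE.match(line)
        if s and current["subject"] is None:
            current["subject"] = s.group(1).strip()
        u = URL_RE.match(line)
        if u and section:
            current[section].append(u.group(1))
    return elements


def elements_with_errors(elements):
    """The chain is only as good as its worst element; list the ones carrying error bits."""
    return [(e["element"], e["subject"], e["error_flags"]) for e in elements if e["error_flags"]]


# Constructed, shortened copy of the certutil output in the post.
SAMPLE_OUTPUT = """\
CertContext[0][0]: dwInfoStatus=104 dwErrorStatus=0
  Issuer: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
  Subject: E=jason@thecurls.onmicrosoft.com, CN=Jason Curl
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL" Time: 0
    [0.0] http://crl.cacert.org/class3-revoke.crl
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] http://ocsp.cacert.org

CertContext[0][1]: dwInfoStatus=101 dwErrorStatus=1000040
  Issuer: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
  Subject: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc.
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] http://ocsp.CAcert.org/

CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
  Subject: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL" Time: 12
    [0.0] https://www.cacert.org/revoke.crl
"""

if __name__ == "__main__":
    for element, subject, flags in elements_with_errors(chain_elements(SAMPLE_OUTPUT)):
        print(f"[0][{element}] {subject}: {', '.join(flags)}")
```

For element [0][1], the Class 3 intermediate, the value splits into exactly the two names certutil prints beneath it, CERT_TRUST_REVOCATION_STATUS_UNKNOWN and CERT_TRUST_IS_OFFLINE_REVOCATION, and the same element is the one whose Certificate CDP section reports no URLs. That pairing is what to check first when every CRL downloads fine yet one element's revocation status stays unknown.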

Windows 2008 R2 event id 4625 status 0xc000006d


Hi

I have been getting these a lot in my event log.

Basically I had a person change their password, and then not be able to log into Exchange 2010.

I was able to log into OWA (same box), but using NTLM or basic auth via outlook failed.

When I went looking in the event log I saw lots of these.

Not sure what the problem is.

XML output

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-09-23T06:55:12.012580500Z" />
    <EventRecordID>190196564</EventRecordID>
    <Correlation />
    <Execution ProcessID="688" ThreadID="852" />
    <Channel>Security</Channel>
    <Computer>DC1.ybr.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">lb@ybr.com</Data>
    <Data Name="TargetDomainName" />
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">L-MBA</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">10.172.210.18</Data>
    <Data Name="IpPort">57201</Data>
  </EventData>
</Event>

MMC and Service account (MSSQLSERVER)


Hi,

I am not sure where to post this question. After seeing a couple of questions asked in this forum, I thought of doing the same. Currently we are storing certificates on Windows 2008 servers which also act as database servers (SQL Server). Our admin logs into this server using an account (say devact) and installed the certificates. So, if I log into the server as devact and go to mmc, I see the certificate under the CurrentUser\Personal folder. Everything is fine. We are a small company and maintained by a parent company. Parent company admins put our company admins on this server. My admin can log into this server but he won't be able to do anything to the certificates if he wants to change or update anything. He needs to request the parent admin to remove him from the admin group and put him in as devact. Then he can see the certificates in mmc. It is becoming a hassle.

We have ETL SSIS package that uses vb script to access this certificate. Our admins set up to run the package under devact credentials. That way, package can access certificate and encrypt data that goes to webservice.

using System.Configuration;
using System.Security.Cryptography.X509Certificates;
// Open the calling user's personal store (CurrentUser\Personal in MMC) read-only.
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
X509Certificate2 cert = null;
string signatureValue = null;
// Get Cert: Find() returns a collection; indexing [0] on an empty one throws, so check first.
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection found = store.Certificates.Find(
    X509FindType.FindBySubjectName, ConfigurationSettings.AppSettings["CertName"], false);
if (found.Count == 0)
    throw new System.InvalidOperationException("Certificate not found in CurrentUser\\My");
cert = found[0];

Now our admins are thinking about putting the certificate under service account and see if devact can access this. For this admin logged into windows 2008 database server and did this:

mmc -> File\Add/Remove Snap-in -> double-clicked on 'Certificates'. This opened another pop-up -> selected Service Account -> clicked Next and in the next window -> selected Local Computer and clicked the Next button -> selected SQL Server (MSSQLSERVER) and clicked Finish.

This created a snap-in under Console Root as: Certificates - Service (SQL Server(MSSQLSERVER)) on Local Computer. Under this there is a sub-folder called MSSQLSERVER\Personal and the rest of the folders. We imported the certificate into this MSSQLSERVER\Personal store.

How can I access this store in the code in the SSIS package? I tried ROOT, CA, My etc. to get to this store, but was not able to. What is this service account for? I didn't find much help either.

Thanks,

Spunny

Security Log Event 4625 - After TLS Client Key Exchange - 2012 R2 Essentials


Hi all

First time posting here, so hopefully someone can help me. I have installed the Windows 2012 R2 Essentials server operating system on a new HP server. The server, OS, domain and Windows 8.1 PCs on the network were all installed from scratch recently (as it is a new company). The server has event ID 4625 (audit failure - account failed to log on) in the security log on multiple occasions. After hours of researching I have finally found (via a Network Monitor trace) what I think is the network packet that is related to the event. It is a TLS packet from the Windows 8.1 machines onsite to the server.

The description of the packet is TLS:TLS Rec Layer -1 Handshake: Certificate. Client Key Exchange. Certificate Verify

The packet makes reference to X509Cert: Issuer: <domain name>-<server name>-<CA>

When we set up the domain, we configured the 2012 Essentials server to be a domain controller and just connected the machines to the domain using the server connection wizard (website). We don't have Exchange onsite as they use Office 365. We didn't do any configuration with regard to certificates when the server was installed. Everything was left as out of the box.

It is not impacting day to day operations but can anyone explain why this might happen and how to resolve it?

Note: We are now experiencing the same thing at another client site where we just installed a new Windows 2012 R2 Essentials server.

Here is the event log information (note the event log does not make any reference to the Windows 8 machine - only the server. The account name in the event properties is the server name with a dollar symbol at the end.)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          25/06/2014 00:00:02
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Servername.domainname.local
Description:
An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: SERVERNAME$
Account Domain:DomainName
Logon ID: 0x3E7

Logon Type:3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:

Failure Information:
Failure Reason:Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID:0x258
Caller Process Name:C:\Windows\System32\lsass.exe

Network Information:
Workstation Name:SERVERNAME
Source Network Address:-
Source Port: -

Detailed Authentication Information:
Logon Process:Schannel
Authentication Package:Kerberos
Transited Services:-
Package Name (NTLM only):-
Key Length: 0

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-06-24T23:00:02.024083500Z" />
    <EventRecordID>6723875</EventRecordID>
    <Correlation />
    <Execution ProcessID="600" ThreadID="8336" />
    <Channel>Security</Channel>
    <Computer>Servername.DomainName.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">ServerName$</Data>
    <Data Name="SubjectDomainName">DomainName</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">
    </Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Schannel</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">SERVERNAME</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x258</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
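Both 4625 posts above (the Exchange/NTLM one and this 2012 R2 Essentials/Schannel one) carry the same Status, 0xC000006D, but different SubStatus values, and the SubStatus is the field that separates the two cases. The following is an added example, not code from either post or from Microsoft: it parses 4625 event XML and maps Status and SubStatus to their documented NTSTATUS names. The two sample events are constructed, trimmed copies of the XML in the posts; the %%2313 mapping is the FailureReason text shown in the post above.

```python
"""Parse Windows Security event 4625 XML and decode Status / SubStatus.

Added example, not from either post or from Microsoft. The two sample events
are constructed, trimmed copies of the XML in the posts.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Status / SubStatus values documented for event 4625.
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000064: "STATUS_NO_SUCH_USER (user name does not exist)",
    0xC000006A: "STATUS_WRONG_PASSWORD (user name correct, bad password)",
    0xC000006D: "STATUS_LOGON_FAILURE (generic bad user name or password)",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# %%NNNN placeholders resolve through the provider's message table; %%2313 is the
# one both posts show, and the rendered text comes from the Essentials post.
FAILURE_REASONS = {"%%2313": "Unknown user name or bad password."}


def describe_status(value):
    """Map a Status/SubStatus hex string such as '0xc000006a' to its NTSTATUS name."""
    code = int(value, 16)
    return NTSTATUS.get(code, f"unknown NTSTATUS 0x{code:08X}")


def parse_4625(xml_text):
    """Pull the triage-relevant fields out of one 4625 event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id != 4625:
        raise ValueError(f"expected event 4625, got {event_id}")
    # Empty <Data> elements (or ones holding only whitespace) become "".
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    logon_type = int(data.get("LogonType", "0"))
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "target_user": data.get("TargetUserName", ""),
        "target_domain": data.get("TargetDomainName", ""),
        "logon_type": LOGON_TYPES.get(logon_type, str(logon_type)),
        "logon_process": data.get("LogonProcessName"),
        "auth_package": data.get("AuthenticationPackageName"),
        "workstation": data.get("WorkstationName"),
        "ip": data.get("IpAddress"),
        "failure_reason": FAILURE_REASONS.get(data.get("FailureReason"), data.get("FailureReason")),
        "status": describe_status(data["Status"]),
        "substatus": describe_status(data["SubStatus"]),
    }


# Constructed, trimmed copy of the Exchange 2010 / NTLM event.
EXCHANGE_NTLM_EVENT = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2014-09-23T06:55:12.012580500Z" />
    <Computer>DC1.ybr.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">lb@ybr.com</Data>
    <Data Name="TargetDomainName" />
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">L-MBA</Data>
    <Data Name="IpAddress">10.172.210.18</Data>
  </EventData>
</Event>
"""

# Constructed, trimmed copy of the 2012 R2 Essentials / Schannel event.
ESSENTIALS_SCHANNEL_EVENT = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2014-06-24T23:00:02.024083500Z" />
    <Computer>Servername.DomainName.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">ServerName$</Data>
    <Data Name="TargetUserName">
    </Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Schannel</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">SERVERNAME</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\lsass.exe</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
"""

if __name__ == "__main__":
    for sample in (EXCHANGE_NTLM_EVENT, ESSENTIALS_SCHANNEL_EVENT):
        e = parse_4625(sample)
        print(f"{e['time']} {e['computer']}: {e['logon_process']}/{e['auth_package']} "
              f"target={e['target_user']!r} from {e['workstation']} -> {e['substatus']}")
```

The Exchange event decodes to STATUS_WRONG_PASSWORD for lb@ybr.com over NTLM from workstation L-MBA; the Essentials event decodes to STATUS_NO_SUCH_USER with an empty target user name, logon process Schannel and lsass.exe as the caller. When hunting through many of these, group on (WorkstationName, IpAddress, SubStatus): one client repeating STATUS_WRONG_PASSWORD is a different investigation from many clients producing STATUS_NO_SUCH_USER.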


SSTP problem on Windows Server 2008 r2, clients getting error 0x8007274C


PROBLEM: Clients keep getting error 0x8007274C when attempting to connect to the VPN server using SSTP.

SYMPTOMS:
- L2TP connections work great
--- L2TP connections generate RemoteAccess events in Event Viewer, but none whatsoever for the failed SSTP attempts
- Client CANNOT ACCESS https://vpn.mycompany.net/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}
- After several attempts to check and recheck the RRAS setup, I added the IIS role (much later) just to prove that the cert is valid.
--- If the server's RRAS service is disabled and IIS enabled, the client is able to browse to that VPN server and the certificate checks out: http://vpn.mycompany.net and https://vpn.mycompany.net.
--- However, if the RRAS service is running, IIS does not respond to either HTTP or HTTPS traffic.
--- SSTP won't work whether or not the WWW service is running.

- Port scanner tests against the VPN server reveal that ports 80 & 443 are not open when the RRAS service is running and the IIS service is stopped.
--- But when the RRAS service is stopped and IIS is running, ports 80 & 443 respond.
--- Not sure whether 443 is supposed to be open when only RRAS is running.

============================================================================
CLIENT:
============================================================================
- Vista SP1 (32-bit), Windows 7 (32-bit), Windows 7 x64 SP1
- CRL entry is resolvable
- vpn.mycompany.net certificate installed in Local Computer > Trusted Root CA
- SSTP Client connecting to FQDN vpn.mycompany.net
- Windows Firewall is DISABLED  (for testing purposes)
- No Anti Virus nor Anti Malware protection running  (for testing purposes)
- Can access other HTTPS sites

============================================================================
SERVER (Windows 2008 Svr r2; Roles: DNS, AD, RRAS):
============================================================================
- 2 NICS (1 bound to an internal IP, 1 bound to an external IP addr)
-- External NIC bound to a valid ISP IP Address, with a FQDN vpn.mycompany.net
- Windows Firewall Service on Server DISABLED
- No other device in front of the external IP addr NIC
- IPV6 on RRAS DISABLED
- NO RRAS Inbound/Outbound filter at all
- Windows Firewall Service disabled
- Using external Certificate Authority
- Certs bound to port 443 seem to match in registry key HKLM\...\SstpSvc\Parameters


It seems that the VPN server is simply not accepting the SSTP traffic.  I don't think we've even gotten to certificate negotiation.
Been trying for a few days now, have consulted many SSTP online resources (MS and others) before posting.

Am stumped.  Any help would be greatly appreciated.


============================================================================
SERVER CONFIGURATION CHECKLIST:
============================================================================
SERVICE_NAME: remoteaccess
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

============================================================================

SERVICE_NAME: sstpsvc
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

============================================================================

  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    192.168.2.109:3268     192.168.2.116:45443    ESTABLISHED     500
  TCP    [::]:443               [::]:0                 LISTENING       4
  UDP    0.0.0.0:59443          *:*                                    1616
  UDP    0.0.0.0:60443          *:*                                    1616
  UDP    0.0.0.0:61443          *:*                                    1616

============================================================================

SSL Certificate bindings:
-------------------------

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 4cbfd1fc43d4fea1cd9dce519a0c0901330a343d
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : 
    Ctl Store Name          : 
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

    IP:port                 : [::]:443
    Certificate Hash        : 4cbfd1fc43d4fea1cd9dce519a0c0901330a343d
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : 
    Ctl Store Name          : 
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

============================================================================

Selected (some, not all) Info about Certificate bound to SSTP viewed through RRAS MMC:
--------------------------------------------------------------------------------------
Version: V3
Valid To: Thursday, August 30, 2012 6:59:59 PM
Subject:
 CN = vpn.mycompany.net
 OU = nsProtect Secure Xpress
 OU = Domain Control Validated
Enhanced Key Usage:
 Server Authentication (1.3.6.1.5.5.7.3.1)
 Client Authentication (1.3.6.1.5.5.7.3.2)
CRL Distribution Points:
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://crl.netsolssl.com/NetworkSolutionsDVServerCA.crl

Thumbprint Algorithm: sha1
Thumbprint: 4c bf d1 fc 43 d4 fe a1 cd 9d ce 51 9a 0c 09 01 33 0a 34 3d

============================================================================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SstpSvc\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  73,00,73,00,74,00,70,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"ServerURI"="/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"
"ListenerPort"=dword:00000000
"UseHttps"=dword:00000001
"SHA1CertificateHash"=hex:4c,bf,d1,fc,43,d4,fe,a1,cd,9d,ce,51,9a,0c,09,01,33,\
  0a,34,3d
"isHashConfiguredByAdmin"=dword:00000001
"SHA256CertificateHash"=hex:ee,06,d8,78,2a,8c,95,d6,a1,40,d1,80,77,2c,e5,4c,f9,\
  83,a1,e4,94,60,82,28,3d,56,49,82,44,bc,1e,a9

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SstpSvc\Parameters\ConfigStore]
"ListenerPort"=dword:000001bb
"UseHttps"=dword:00000001
"V4CertPlumbedBySstp"=dword:00000000
"V6CertPlumbedBySstp"=dword:00000000

============================================================================

SELECTED EVENT VIEWER ENTRIES AFTER RESTART OF RRAS + SUCCESSFUL ATTEMPT OF L2TP (BUT NO ENTRIES AT ALL FOR SSTP CONN ATTEMPTS):
--------------------------------------------------------------------------------------------------------------------------------

Level Date and Time Source Event ID Task Category
Information 8/31/2011 11:36:42 AM Microsoft-Windows-Time-Service 37 None The time provider NtpClient is currently receiving valid time data from zeus.olympia.local (ntp.d|0.0.0.0:123->192.168.2.114:123).
Information 8/31/2011 11:35:22 AM RemoteAccess 20275 None CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user with ip address 192.168.2.145 has disconnected
Information 8/31/2011 11:35:22 AM RemoteAccess 20272 None CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user OLYMPIA\inul connected on port VPN2-15 on 8/31/2011 at 11:34 AM and disconnected on 8/31/2011 at 11:35 AM.  The user was active for 0 minutes 32 seconds.  17264 bytes were sent and 21956 bytes were received. The reason for disconnecting was user request. The tunnel used was WAN Miniport (L2TP). The quarantine state was 'not nap-capable'.
Information 8/31/2011 11:34:57 AM Microsoft-Windows-Iphlpsvc 4200 None Isatap interface isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD} with address fe80::5efe:192.168.2.144 has been brought up.
Information 8/31/2011 11:34:51 AM Microsoft-Windows-UserPnp 20003 (7005) Driver Management has concluded the process to add Service tunnel for Device Instance ID ROOT\*ISATAP\0002 with the following status: 0.
Information 8/31/2011 11:34:50 AM RemoteAccess 20274 None CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user OLYMPIA\inul connected on port VPN2-15 has been assigned address 192.168.2.145
Information 8/31/2011 11:34:50 AM RemoteAccess 20250 None CoID={075CE235-832C-45FE-BE27-8B41BC765125}: The user OLYMPIA\inul has connected and has been successfully authenticated on port VPN2-15.
Information 8/31/2011 11:34:49 AM RemoteAccess 20088 None The Remote Access Server acquired IP Address 192.168.2.144 to be used on the Server Adapter.
Information 8/31/2011 11:30:26 AM Microsoft-Windows-HttpEvent 15007 None Reservation for namespace identified by URL prefixhttps://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ was successfully added.
Information 8/31/2011 11:30:26 AM Microsoft-Windows-HttpEvent 15008 None Reservation for namespace identified by URL prefixhttps://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ was successfully deleted.
Information 8/31/2011 11:30:26 AM Service Control Manager 7036 None The Application Layer Gateway Service service entered the running state.
Information 8/31/2011 11:30:26 AM Service Control Manager 7036 None The Routing and Remote Access service entered the running state.
Error 8/31/2011 11:30:26 AM RemoteAccess 20106 None "Unable to add the interface {BBF2BA88-DCC5-4D36-9256-E1C8AF602467} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.
"
Error 8/31/2011 11:30:26 AM RemoteAccess 20106 None "Unable to add the interface {DF914ECC-AC6A-441E-A47C-57CE90C7F8B0} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.
"
Information 8/31/2011 11:30:21 AM Service Control Manager 7036 None The Routing and Remote Access service entered the stopped state.
Information 8/31/2011 11:30:20 AM Service Control Manager 7036 None The Application Layer Gateway Service service entered the stopped state.
Information 8/31/2011 11:30:01 AM Microsoft-Windows-Eventlog 104 Log clear The System log file was cleared.

============================================================================
============================================================================
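Correlating the RemoteAccess rows above by their CoID makes the L2TP session, and the absence of any SSTP session, visible at a glance. The following Python script is an added example for this thread, not the poster's code and not anything shipped with RRAS: it parses rows in the text form Event Viewer copies (Level, Date and Time, Source, Event ID, Task Category, Message), groups the RemoteAccess events of one connection by CoID into a session record, and also checks for the HTTP.sys /sra_ URL reservation (event 15007) and for Error-level RemoteAccess rows such as 20106. The sample rows, the user name and the GUIDs in it are constructed for the example.

```python
"""Correlate Windows RemoteAccess (RRAS) events by connection id (CoID).

Added example for the forum thread above; the rows in SAMPLE_ROWS are
constructed to mirror the Event Viewer text format, they are not the
poster's log.
"""
import re
from datetime import datetime

# One Event Viewer row as copied to the clipboard in text form:
#   Level  Date and Time  Source  Event ID  Task Category  Message
ROW_RE = re.compile(
    r"^(?P<level>Information|Warning|Error|Critical)\s+"
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<source>\S+)\s+(?P<event_id>\d+)\s+"
    r"(?P<task>None|Log clear|\(\d+\)|\S+)\s+(?P<message>.*)$"
)
# RemoteAccess prefixes every event of one VPN session with its CoID.
COID_RE = re.compile(r"CoID=\{(?P<coid>[0-9A-Fa-f-]+)\}:\s*(?P<text>.*)")
USER_RE = re.compile(r"The user (?P<user>\S+) (?:connected on|has connected)")
PORT_RE = re.compile(r"on port (?P<port>\S+?)[ .]")
ADDR_RE = re.compile(r"assigned address (?P<addr>[\d.]+)")
TUNNEL_RE = re.compile(r"The tunnel used was (?P<tunnel>[^.]+)\.")

# Constructed sample rows, newest first as Event Viewer copies them.
SAMPLE_ROWS = [
    "Information 8/31/2011 11:35:22 AM RemoteAccess 20275 None CoID={AAAA1111-0000-4000-8000-000000000001}: The user with ip address 192.168.2.145 has disconnected",
    "Information 8/31/2011 11:35:22 AM RemoteAccess 20272 None CoID={AAAA1111-0000-4000-8000-000000000001}: The user EXAMPLE\\alice connected on port VPN2-15 on 8/31/2011 at 11:34 AM and disconnected on 8/31/2011 at 11:35 AM.  The user was active for 0 minutes 32 seconds.  17264 bytes were sent and 21956 bytes were received. The reason for disconnecting was user request. The tunnel used was WAN Miniport (L2TP). The quarantine state was 'not nap-capable'.",
    "Information 8/31/2011 11:34:50 AM RemoteAccess 20274 None CoID={AAAA1111-0000-4000-8000-000000000001}: The user EXAMPLE\\alice connected on port VPN2-15 has been assigned address 192.168.2.145",
    "Information 8/31/2011 11:34:50 AM RemoteAccess 20250 None CoID={AAAA1111-0000-4000-8000-000000000001}: The user EXAMPLE\\alice has connected and has been successfully authenticated on port VPN2-15.",
    "Information 8/31/2011 11:30:26 AM Microsoft-Windows-HttpEvent 15007 None Reservation for namespace identified by URL prefix https://+:443/sra_{00000000-0000-0000-0000-000000000000}/ was successfully added.",
    "Error 8/31/2011 11:30:26 AM RemoteAccess 20106 None Unable to add the interface {BBBB2222-0000-4000-8000-000000000002} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.",
    "Information 8/31/2011 11:30:01 AM Microsoft-Windows-Eventlog 104 Log clear The System log file was cleared.",
]


def parse_row(line):
    """Split one copied row into fields; return None for lines that are not rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["event_id"] = int(row["event_id"])
    row["time"] = datetime.strptime(row["stamp"], "%m/%d/%Y %I:%M:%S %p")
    return row


def correlate_sessions(lines):
    """Group RemoteAccess events by CoID into one record per VPN session."""
    sessions = {}
    for line in lines:
        row = parse_row(line)
        if row is None or row["source"] != "RemoteAccess":
            continue
        cm = COID_RE.match(row["message"])
        if not cm:
            continue  # e.g. 20106 interface errors carry no CoID
        s = sessions.setdefault(cm["coid"], {"events": set()})
        s["events"].add(row["event_id"])
        text = cm["text"]
        for key, rx in (("user", USER_RE), ("port", PORT_RE),
                        ("address", ADDR_RE), ("tunnel", TUNNEL_RE)):
            m = rx.search(text)
            if m:
                s[key] = m.group(1)
        if row["event_id"] == 20250:      # authenticated: session start
            s["connected_at"] = row["time"]
        elif row["event_id"] == 20275:    # link dropped: session end
            s["disconnected_at"] = row["time"]
        if "connected_at" in s and "disconnected_at" in s:
            delta = s["disconnected_at"] - s["connected_at"]
            s["duration_s"] = int(delta.total_seconds())
    return sessions


def tunnels_seen(sessions):
    """Tunnel types that completed a session; SSTP missing here means it never reached RRAS."""
    return sorted({s["tunnel"] for s in sessions.values() if "tunnel" in s})


def sstp_listener_reserved(lines):
    """True if HTTP.sys reported the SSTP /sra_ URL reservation (event 15007)."""
    for row in map(parse_row, lines):
        if row and row["source"] == "Microsoft-Windows-HttpEvent" \
                and row["event_id"] == 15007 and "/sra_{" in row["message"]:
            return True
    return False


def rras_errors(lines):
    """Event IDs of Error-level RemoteAccess rows, which often explain a missing listener."""
    return [row["event_id"] for row in map(parse_row, lines)
            if row and row["level"] == "Error" and row["source"] == "RemoteAccess"]


if __name__ == "__main__":
    for coid, s in correlate_sessions(SAMPLE_ROWS).items():
        print(coid, s.get("user"), s.get("tunnel"), s.get("address"), s.get("duration_s"))
    print("SSTP listener reserved:", sstp_listener_reserved(SAMPLE_ROWS))
    print("RemoteAccess errors:", rras_errors(SAMPLE_ROWS))
```

Feed it the rows copied from Event Viewer (one row per line) in place of SAMPLE_ROWS; a session list that contains only "WAN Miniport (L2TP)" while the /sra_ reservation was added is the same picture the poster describes: the HTTPS listener is registered, but no SSTP client ever completed authentication.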

Certsrv not showing up in IIS


On my Subordinate CA, Certsrv is not showing up as an available site in the virtual list in IIS; however, on my Root CA it is there. This is a brand new server and I had no issues in my test environment. All roles of the ADCS except for Devices are enabled on the Subordinate server. Any idea why the CERTSRV site is not appearing?

Thanks

should CA server always be on


hi,

I need a certificate for intranet-only RDS server/s.

There is really no big problem with purchasing a cert. But after reading some discussion that there is really no gain security-wise between paid and unpaid, I am looking at other alternatives. I don't have any intention to bring up this topic.

As mentioned, I need a certificate for INTERNAL users only.

Let's say I enable Certificate Services on one of the 2012 servers and issue a certificate. I would like then to wipe out this CA VM.

Would my certificate fail? Is there any connection/sync between a certificate and the CA?

Sorry if somebody finds my question, simply put, stupid...


"When you hit a wrong note it's the next note that makes it good or bad". Miles Davis



Is it okay/safe to remove the Administrator account from Domain Users group??


We have a new Windows Server 2012 R2 set of servers.

The administrator account is in the Domain Admins group; it's called site-admin, and it's also in the Administrators group.

The site-admin user is also a member of the Domain Users group. Is it safe to remove site-admin from the Domain Users group?

We don't need this particular user to be affected by Domain Users policies and the like...

Does the site-admin user, being an Administrator, have the ability to remove itself from the Domain Users group?

Thank you, Tom

Why are some CA's now issuing SHA2 root certs?


If the signatures in root certs are not used for anything and have no security value, since they require no verification because the root already lives in the trust store, then why are some CAs now giving the option to sign a root with SHA2?

Best practices: location of the HTTP CDP URL and location of the web site hosting this CDP URL?


Hello Everyone! First, sorry for my bad English (I am French).

I will be very happy to have your "best practices" on the location of the web site that stores the HTTP CDP URL.

Of course my requirement here is that I want this HTTP CDP to be reachable/accessible by both my intranet clients and my computers when they are on the Internet.

So ... where do you put this web server? In the intranet? On the Internet? In the DMZ?

Another question (but one that is somewhat linked to the first one...)

What kind of URL to use, and how can it be resolved?

For example, if I use a URL like "myentreprise.com", it seems to be an Internet/public URL ... so ... does it mean that my computers on the intranet depend on a public URL? Very risky if the connection to the Internet fails ...

Or if I use something like "myentreprise.lan", it seems to be an intranet/private URL ... so ... how can my computers ... when they are on the Internet (my requirement!!) have a way to resolve and access it?

Thanks for your answers on that, to open this debate!
It's a very important point when designing the PKI and I found no clear best practices or explanations on that ...

Help !!!

PsExec shows Access denied when I execute a .exe file on a remote machine


Hi All,

I am using the PsExec application to run an exe on multiple remote machines in the domain. When I run the .EXE I get the error message saying access is denied.

I am running this script against agents in a list.

Below is the script I am running in the batch:

"C:\Windows\system32\PsExec.exe" @C:\Test.txt cmd

1. I am first connecting to the cmd of the remote computer and it connects successfully.
2. When I enter the .exe file location at the command prompt (which is also on a shared drive, but in the same domain).
3. I ran the batch file as Run as administrator.
4. I am myself a member of the Domain Admins and Administrators groups of the domain.
5. Turned off the firewall on both sides.
6. Turned off UAC fully as per the below MS article - http://technet.microsoft.com/en-us/library/cc709691(v=ws.10).aspx
7. Pressed Shift and right-clicked so I get the Run as option, and entered a different domain admin user account and password.

Below is the screenshot for your reference: 

Restarted both the machines after doing these changes. But still the same issue.

But I still get access is denied. Can anyone please help?


Gautam.75801

Installation of Windows Server uninformed at retail.


I purchased an Asus G75VX i7 64-bit notebook computer last year that had Windows 8 64-bit installed, but it had server software also installed. There was no notification of Windows Server being installed, and it was a masked installation. You would have to know about computer configuration to recognize the installation. No company would admit that I had a weird installation purchased at retail, even though I furnished Asus the computer two times to the service center, with it being returned two times with the same configuration. I furnished the registry to Asus and Microsoft; the computer registry in Win8 64-bit is 270MB and I stopped counting pages in text at over 5000 pages. I purchased Windows 7 Home Premium and on install it was configured the same way, except the registry was a little over 130MB and about 1400 pages. Who do I speak with at Microsoft or Asus about my situation?
