
Active Directory Cert Services Will Not Start

I am unable to renew certs in my domain. My CA's AD CS service will not start; the errors from the event log are "Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. CA-Mercury Keyset does not exist 0x80090016 (-2146893802)." and "The Active Directory Certificate Services service terminated with service-specific error %%-2146893802."

I am thinking of following http://phreek.org/blog/2011/10/windows-2008-ca---keyset-does-not-exist-0x80090016--2146893802 for a fix.


Jason
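
Added example (editor's, not from the post): 0x80090016 is NTE_BAD_KEYSET, which means the CA found its certificate but could not open the private key container the certificate points at. The script below compares the CA certificate thumbprints the service is configured with against what is actually in the machine store with a usable private key, then lets certutil pair keys and certificates itself. The registry location and value name are the ones AD CS uses; "CA-Mercury" is the CA name quoted in the event text and is assumed. Run in an elevated PowerShell on the CA.

```powershell
# Added example (editor's, not from the post). Read-only apart from certutil's own checks.
$caName  = 'CA-Mercury'     # assumed: CA name from the event text
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"

# CACertHash is a REG_MULTI_SZ with one SHA-1 thumbprint per CA certificate
# (renewals append an entry); bytes are stored separated by spaces.
$configured = (Get-ItemProperty -Path $regPath -Name CACertHash).CACertHash |
    ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }

foreach ($hash in $configured) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $hash }

    if (-not $cert) {
        Write-Warning "Configured CA certificate $hash is not in LocalMachine\My at all"
        continue
    }
    # HasPrivateKey is true only when CryptoAPI/CNG can open the key container
    # named in the certificate's key-provider property. Certificate present but
    # HasPrivateKey false is exactly the NTE_BAD_KEYSET ("Keyset does not exist")
    # situation from the event log.
    if ($cert.HasPrivateKey) {
        "OK   $hash  $($cert.Subject)  expires $($cert.NotAfter.ToShortDateString())"
    } else {
        Write-Warning "$hash  $($cert.Subject): NO private key (NTE_BAD_KEYSET)"
    }
}

# certutil verifies each signing CA certificate against its private key;
# with no arguments it checks every CA certificate in the configuration.
certutil -verifykeys
```

If the key container still exists under the same provider, `certutil -repairstore my "<thumbprint>"` rewrites the certificate's key-provider property so the two are linked again. If the key is really gone, the service cannot start until the CA key is restored from backup (`certutil -restorekey <backupdir>` or `certutil -importpfx` of the CA's exported PFX); no registry edit substitutes for the key.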


Is there a way to see expiring computer certificate using event viewer?

Hi Experts,

Not sure if this is possible, but is there a way we can get a warning from the event viewer whenever a computer certificate on the server is about to expire, so we could renew it before it expires? Or is there any way to manually put it in the events?

Appreciate your help on this.

Thanks!

Reynald
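
Added example (editor's, not from the post): there is no built-in expiry event for arbitrary machine certificates on 2008 R2, but a scheduled script can write one. The script below looks at every LocalMachine\My certificate that has a private key, writes a Warning event listing those expiring within a configurable window, and an Information event otherwise, so a normal event-triggered task or monitoring rule can pick it up. The event source, log and IDs (9000/9001) are assumptions.

```powershell
# Added example (editor's, not from the post). Save as Check-CertExpiry.ps1 and run as SYSTEM.
param(
    [int]    $DaysAhead = 30,
    [string] $Source    = 'CertExpiryCheck',   # assumed source name
    [string] $LogName   = 'Application'
)

function Get-ExpiringMachineCert {
    param([int]$Days)
    $cutoff = (Get-Date).AddDays($Days)
    # Certificates without a private key are chain/CA copies, not ours to
    # renew, so they are skipped.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -le $cutoff } |
        Sort-Object NotAfter
}

# One-time registration of the event source (needs admin rights)
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

$expiring = @(Get-ExpiringMachineCert -Days $DaysAhead)
if ($expiring.Count -gt 0) {
    $lines = foreach ($c in $expiring) {
        $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED ' } else { 'expires ' }
        '{0}{1:yyyy-MM-dd}  thumbprint={2}  subject={3}' -f $state, $c.NotAfter, $c.Thumbprint, $c.Subject
    }
    Write-EventLog -LogName $LogName -Source $Source -EventId 9001 -EntryType Warning `
        -Message ("Machine certificates expiring within $DaysAhead days:`n" + ($lines -join "`n"))
} else {
    Write-EventLog -LogName $LogName -Source $Source -EventId 9000 -EntryType Information `
        -Message "No machine certificates expire within $DaysAhead days."
}
```

Schedule it daily, for example `schtasks /Create /SC DAILY /ST 06:00 /RU SYSTEM /TN CertExpiryCheck /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Check-CertExpiry.ps1"`, then attach an "On an event" task (Application log, source CertExpiryCheck, event ID 9001) that sends the mail or opens the ticket. On Windows 8/2012 and later the auto-enrollment client additionally logs its own lifecycle events under Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational, but those only cover certificates the auto-enrollment client manages.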



Error Starting Certificate Authority after upgrading in place from Server 2003 Enterprise (32 bit) to Server 2008 Enterprise (32 bit).

Hope this is the place to seek help with Active Directory Certificate Services. We recently upgraded an issuing CA in our lab in place from 2003 to 2008. The upgrade of the OS was successful, but the CA service now will not start.

The error is:

Error 0xc8000222 (ESE: -546)

More info: we did stop the CA service prior to doing the upgrade.

RADIUS on 2K8 R2 DC, but NPS is already on a terminal server

I have read the question about installing a RADIUS server on a DC; this is what I want to do. However, there is a terminal server on the network that uses NPS for a dedicated set of users using business management software.

What I want to do is set up a RADIUS server for all employees to access our network via a VPN firewall appliance. My concern is that there may be a conflict between the terminal server NPS and the RADIUS NPS installed on the AD-DC. 

What this really boils down to is: should I pursue the installation of RADIUS on the AD DC, or should I configure the current NPS server/terminal server to provide RADIUS services for the entire network (it already provides a RADIUS proxy service for the terminal server)?

Any advice or pointers appreciated.

Certificate Services - Do you still need a CAPOLICY.INF file?

We are building a two tier 2012 R2 PKI with an offline stand alone Root CA and an online issuing CA. 

Do we need to create a CAPolicy.inf file on the Root CA?

It is my understanding that one of the reasons for that file is to prevent the creation of CDP and AIA distribution points on that local machine, i.e., the offline Root CA.

I know back in the day when we built our 2003 servers we had one, but has nothing changed in the last decade? Is there a wizard we can use instead to tell the configuration not to configure those local distribution points?

So please advise whether the CAPolicy.inf file is still relevant.
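
Added example (editor's, not from the post): CAPolicy.inf is still read by the 2012 R2 setup and is still the only place to control the root's own certificate (renewal key length, validity, and, via the two empty sections, that the root certificate itself carries no CDP/AIA extension). What the file does not do is set the CDP/AIA URLs written into certificates the root issues; those default to the local machine and are replaced after setup with certutil -setreg, which the second half shows. The HTTP base URL, periods and key length are assumptions.

```powershell
# Added example (editor's, not from the post). Part 1 runs BEFORE
# Install-AdcsCertificationAuthority / the role configuration wizard.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
AlternateSignatureAlgorithm=0

; Empty sections: the root CA certificate gets no CDP and no AIA extension.
[CRLDistributionPoint]

[AuthorityInformationAccess]
'@
# Setup only looks for the file at %windir%\CAPolicy.inf
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# ---- Part 2: after the role is configured ----
# Replace the default (local-machine) publication locations. Each entry is
# "<flags>:<url>"; 1 = publish here, 2 = include in issued certificates.
# %1 = server DNS name, %3 = CA name, %4 = CA cert index, %8/%9 = CRL suffixes.
$enroll   = "$env:windir\system32\CertSrv\CertEnroll"
$httpBase = 'http://pki.example.com/pki'     # assumed: web server the issuing CA and clients can reach

certutil -setreg CA\CRLPublicationURLs    "1:$enroll\%3%8%9.crl\n2:$httpBase/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$enroll\%1_%3%4.crt\n2:$httpBase/%3%4.crt"

# Offline root: long CRL life, no delta CRL, long validity for issuing CA certs
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

Restart-Service certsvc
certutil -crl     # publish a CRL now; copy it and the .crt from $enroll to the HTTP server
```

There is no wizard page for the URLs; the Extensions tab of the CA properties in certsrv.msc edits the same two registry values as the certutil lines above. The file must be in place before the wizard runs, because the root certificate is generated at that moment and cannot be given different extensions afterwards.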

Allow users to select new root certification authorities (CAs) to trust - Unable to delete this GPO setting

This setting and two others that are impossible to remove live under:

Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies/Trusted Root Certification Authorities

Policy: Allow users to select new root certification authorities (CAs) to trust
Setting: Enabled

Policy: Client computers can trust the following certificate stores
Setting: Third-Party Root Certification Authorities and Enterprise Root Certification Authorities

Policy: To perform certificate-based authentication of users and computers, CAs must meet the following criteria
Setting: Registered in Active Directory only

We are on Windows Server 2008 R2

syntax for certificate additional attribute Basic Constraints

How to request a certificate from https://<servername>/certsrv (http://technet.microsoft.com/library/hh831649.aspx) with:

  X509v3 Basic Constraints:
                CA:TRUE

Is it through Additional Attributes, and if so, what's the syntax?
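
Added example (editor's, not from the post): the Additional Attributes box on certsrv takes request attributes the CA's policy module understands (CertificateTemplate:..., and SAN:... when the CA allows it), not X.509 extensions, so Basic Constraints cannot be injected there. It has to be in the request itself, and the example below builds such a request with certreq and then submits it. On an enterprise CA the Subordinate Certification Authority template (named SubCA) is what really produces CA:TRUE in the issued certificate, because template extensions override those in the request; on a standalone CA the extension from the request is used once an administrator approves it. Subject, key size and CA config string are assumptions.

```powershell
# Added example (editor's, not from the post).
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=Example Issuing CA 1, O=Example Corp, C=US"   ; assumed
KeyLength = 4096
KeyUsage = 0x86             ; Digital Signature (0x80) + Certificate Signing (0x04) + CRL Signing (0x02)
MachineKeySet = TRUE
Exportable = FALSE
HashAlgorithm = sha256
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10

[Extensions]
; 2.5.29.19 is Basic Constraints; {text} lets certreq encode it from this form
2.5.29.19 = "{text}ca=TRUE&pathlength=0"
Critical = 2.5.29.19
'@

$reqInf  = "$env:TEMP\subca.inf"
$reqFile = "$env:TEMP\subca.req"
$cerFile = "$env:TEMP\subca.cer"
Set-Content -Path $reqInf -Value $inf -Encoding ASCII

# Generate key pair and PKCS#10 request
certreq -new $reqInf $reqFile

# Submit. -attrib is the command-line twin of the certsrv "Additional
# Attributes" box: the same "CertificateTemplate:SubCA" text goes in either.
certreq -submit -config "ca01.example.com\Example Issuing CA" -attrib "CertificateTemplate:SubCA" $reqFile $cerFile

# Confirm the issued certificate actually carries the extension
certutil -dump $cerFile | Select-String -Pattern 'Basic Constraints', 'Subject Type', 'Path Length'
```

If you prefer the web page, upload the contents of subca.req on the "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file" page and type `CertificateTemplate:SubCA` in Additional Attributes; the Basic Constraints extension travels inside the pasted request.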

Re: Windows Server 2003 Enterprise vs Windows Server 2008 Enterprise option for Custom Certificate Templates

Overview: All our PCs are Windows 7 and all our servers are Windows Server 2008 R2 and we have Windows Server 2003 Domains.

I would like to use X.509 v3 templates (since our environment can handle it) but applications like ADFS and Lync Server don't seem to like the default CNG API that comes with the v3 templates. However, on Windows Server 2012 R2 in the Certification Authority application, there seems to be an option to choose a "Legacy Cryptographic Service Provider" for v3 templates under the "Cryptography" tab for 'Provider Category' in some of the screenshots I've seen online, but this option hasn't been available to me in the Certification Authority application on Windows Server 2008 R2.

Should I just carry on as I am doing with v2 templates, until I can change the default CNG API to the Legacy API for v3 templates?

Thank you,

Steve
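
Added example (editor's, not from the post): whether a template hands an application a CNG key is visible in Active Directory before any certificate is issued. Each template object carries msPKI-Template-Schema-Version (1 = v1, 2 = v2, which only offers legacy CSPs, 3 = v3, which only offers key storage providers, 4 = v4, the Windows Server 2012 compatibility level that exposes the "Provider Category" choice the post mentions) and pKIDefaultCSPs, the provider list the template advertises. The script lists both for every published template; it needs the ActiveDirectory module and only reads.

```powershell
# Added example (editor's, not from the post). Read-only; run with RSAT installed.
Import-Module ActiveDirectory

$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

Get-ADObject -SearchBase $container -SearchScope OneLevel `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties displayName, 'msPKI-Template-Schema-Version', pKIDefaultCSPs |
  ForEach-Object {
    $version = [int]$_.'msPKI-Template-Schema-Version'
    [pscustomobject]@{
        Template  = $_.displayName
        Version   = $version
        # v3 can only produce CNG keys; v2 only legacy CSP keys; v4 follows the
        # Provider Category setting, which shows up in the provider list below.
        KeyType   = switch ($version) { 2 { 'Legacy CSP' } 3 { 'CNG (KSP)' } 4 { 'Per template (v4)' } default { 'v1 legacy' } }
        Providers = ($_.pKIDefaultCSPs -join '; ')
    }
  } | Sort-Object Version, Template | Format-Table -AutoSize
```

The "Legacy Cryptographic Service Provider" choice only appears on a template whose Compatibility tab is set to Windows Server 2012 or later, which is why it is absent on a 2008 R2 CA console; until the CA is at that level, a v2 template is the supported way to give ADFS or Lync a legacy-CSP key.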



Certutil returns 0x8007007e (WIN32/HTTP: 126 ERROR_MOD_NOT_FOUND)

Having a weird problem on one issuing CA: when I run certutil on that server, it returns 0x8007007e (WIN32/HTTP: 126 ERROR_MOD_NOT_FOUND): certadm.dll every time, and the same for certenroll.dll.

Any ideas what's causing this?

No Templates Found in Web Enrollment

Hi All,

I have installed an offline standalone Root CA with an enterprise SubCA. I succeeded in publishing the CDP and AIA files manually, but when I try to issue certificates through Web Enrollment I get the error "No Template Found". I added a new app pool and it still gives me the same error (http://msunleashed.wordpress.com/2011/11/21/no-certificate-templates-could-be-found-on-certsrv/). I did check the path in the DNS hostname for the Certification Authority and it is the same as in the certdat.inc file in the "%systemroot%\system32\certsrv" folder on the Certification Authority (http://support.microsoft.com/kb/811418). I do see an error in the CDP location when I open the PKI view, and I did change the user authentication and restarted IIS, but to no avail.

Another thing is that each time I request certificates I see Error 66 in the AD Server Manager.

Kindly do assist.

Thanks

Aj

Some logon events are not registered in the Domain Controller under event ID 4768 while others are registered.

Logon events for some users can't be seen, while logons for a few users can be seen, using event ID 4768. Just wondering where these events are going, given that account logon success and failure auditing has been enabled on the AD controller.
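
Added example (editor's, not from the post): 4768 (a Kerberos TGT was requested) is written only to the Security log of the domain controller that answered that particular AS-REQ, and a user who authenticated with NTLM never produces a 4768 at all; the DC validating the NTLM credentials logs 4776 instead. So a single DC's log will always be missing some users. The script asks every DC in the domain for both event IDs for one account over a time window and shows which DC and which protocol handled each logon. The account name is an assumption; it needs the ActiveDirectory module and rights to read remote Security logs.

```powershell
# Added example (editor's, not from the post).
param(
    [string]$User  = 'jdoe',     # assumed sAMAccountName
    [int]   $Hours = 24
)
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4768, 4776; StartTime = $since
        }
    } catch {
        # Get-WinEvent throws when nothing matches; that is a valid "zero" answer
        if ($_.Exception.Message -match 'No events were found') { $events = @() }
        else { Write-Warning "$dc`: $($_.Exception.Message)"; continue }
    }

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Both 4768 and 4776 carry the account in TargetUserName
        if ($data.TargetUserName -ne $User) { continue }

        [pscustomobject]@{
            DC       = $dc
            Time     = $e.TimeCreated
            EventId  = $e.Id
            Protocol = if ($e.Id -eq 4768) { 'Kerberos (TGT)' } else { 'NTLM' }
            Client   = if ($e.Id -eq 4768) { $data.IpAddress } else { $data.Workstation }
            Status   = $data.Status          # 0x0 = success; 4768 and 4776 use their own failure codes
        }
    }
}
```

Two checks worth doing alongside this: `auditpol /get /category:"Account Logon"` on each DC confirms that the "Kerberos Authentication Service" subcategory (4768) and "Credential Validation" subcategory (4776) are both enabled, since the legacy "Audit account logon events" setting is overridden when any advanced audit policy is defined; and a user who only ever shows up as 4776 is a machine or application that still authenticates with NTLM, which is worth knowing for its own sake.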

Change distinguished name on standalone root CA.

Hi!
During installation of a standalone root CA I made a mistake in the distinguished name of the root CA. How can I correct the distinguished name and recreate the Root CA certificate? I don't want to reinstall everything from "0". Thank you.
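
Added example (editor's, not from the post): the common name and DN suffix chosen at setup become the subject of the self-signed root certificate and the name of the CA's registry configuration and database, so there is no supported in-place edit and a renewal keeps the old name. The clean route is to remove the role configuration and run it again with the right name, which does not require reinstalling Windows or the role binaries. This uses the ADCSDeployment cmdlets (Windows Server 2012 or later, assumed); names, key size and validity are assumptions. It is only safe while nothing issued by the mis-named root is in production use.

```powershell
# Added example (editor's, not from the post). Run elevated on the root CA.
Import-Module ADCSDeployment

$wrongName = 'CA-Wrong'              # assumed: CN as typed during setup
$newName   = 'Example Root CA'       # assumed
$dnSuffix  = 'O=Example Corp,C=US'   # assumed

# 1. Remove the CA configuration; role binaries stay installed
Uninstall-AdcsCertificationAuthority -Force

# 2. Drop the mis-named root certificate from every local store it was put in
#    so neither the new setup nor clients pick it up later
$pattern = "^CN=$([regex]::Escape($wrongName))(,|$)"
foreach ($store in 'My', 'Root', 'CA') {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object { certutil -delstore $store $_.Thumbprint }
}

# 3. Configure the root again with the corrected name. A CAPolicy.inf in
#    %windir% is honoured here if you use one. Overwrite switches clear the
#    old database and key container left behind by step 1.
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName $newName -CADistinguishedNameSuffix $dnSuffix `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -OverwriteExistingDatabase -OverwriteExistingKey -Force

# 4. Confirm the new subject on the CA's own certificate
certutil -ca.cert "$env:TEMP\root.cer" | Out-Null
certutil -dump "$env:TEMP\root.cer" | Select-String -Pattern '^Subject:|^Issuer:' -Context 0, 1
```

Anything that already trusts the old root (a subordinate CA, a GPO-distributed root, a device with the certificate pinned) must be re-pointed at the new certificate; that is the part that cannot be avoided, and why the name is worth getting right before the first subordinate is issued.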

net user and random passwords

When using net user <username> /random with default settings, everything works fine.

The moment /minpwlen is set to anything higher than 8 (with or without complexity requirements enabled, and minpwage set to 0) I get the following error:

The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.

More help is available by typing NET HELPMSG 2245.

Incidentally, why can't /minpwlen be set to anything higher than 14? Is that not a bit dated?
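
Added example (editor's, not from the post): `net user /random` always generates an 8-character password, so it can never satisfy a minimum length above 8; the 14 cap on `net accounts /minpwlen` is a limit of that command, not of the password policy, which GPO can set higher. The function below draws a password of any length from the CSPRNG, guarantees a character from each of the four classes the complexity rule looks for, shuffles so those characters do not sit in fixed positions, and sets it through ADSI, which does not pause on the "longer than 14 characters" prompt that `net user` shows interactively. The account name is an assumption.

```powershell
# Added example (editor's, not from the post).
function New-RandomPassword {
    param([ValidateRange(8, 64)][int]$Length = 16)

    $sets = @(
        [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        [char[]]'abcdefghijklmnopqrstuvwxyz',
        [char[]]'0123456789',
        [char[]]'!@#$%^&*()-_=+[]{};:,.?'
    )
    $all = @()
    foreach ($s in $sets) { $all += $s }
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

    # Uniform index in [0, Max): rejection sampling over the 32-bit range
    function Get-Index([int]$Max) {
        $buf   = New-Object byte[] 4
        $range = [uint64]4294967296
        $limit = $range - ($range % [uint64]$Max)
        do {
            $rng.GetBytes($buf)
            $n = [uint64][BitConverter]::ToUInt32($buf, 0)
        } while ($n -ge $limit)
        return [int]($n % [uint64]$Max)
    }

    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($s in $sets) { $chars.Add($s[(Get-Index $s.Length)]) }      # one per class
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-Index $all.Length)]) }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {                          # Fisher-Yates shuffle
        $j = Get-Index ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    return -join $chars
}

$user     = 'svc-backup'                   # assumed local account name
$password = New-RandomPassword -Length 20

# WinNT provider: same policy enforcement as net user, no interactive prompt
$account = [ADSI]"WinNT://$env:COMPUTERNAME/$user,user"
try {
    $account.SetPassword($password)
    $account.SetInfo()
    "Password for $user set (length $($password.Length))"
} catch {
    Write-Warning "Policy rejected the password: $($_.Exception.Message)"
}
```

For a domain account use `Set-ADAccountPassword -Identity $user -NewPassword (ConvertTo-SecureString $password -AsPlainText -Force) -Reset` instead of the WinNT provider. Write the generated password somewhere sensible (a vault, not the console history) before the variable goes out of scope.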

Self-Signed Certificate Generation

I want to create a self-signed certificate for ADFS 2012 R2 with the name adfs.domain.com. I know the procedure through IIS, but it creates a certificate with a Friendly Name of adfs.domain.com, while Issued To, Issued By and Subject are all host.domain.com.

1.  Is there a way to modify the Issued To, Issued By or Subject of a certificate that is generated through IIS?

2.  Is there any other way to generate a self-signed certificate where we can provide fields such as Subject?
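
Added example (editor's, not from the post): Subject and Issuer are inside the signed part of a certificate, so neither IIS nor anything else can edit them on an existing certificate; IIS's "Create Self-Signed Certificate" simply always uses the machine name. Generating the certificate with `New-SelfSignedCertificate`, which ships with Windows Server 2012 R2, gives you the subject you want: the first DNS name becomes the subject CN and all of them go into the Subject Alternative Name extension. The host names and PFX path are assumptions.

```powershell
# Added example (editor's, not from the post). Run elevated on the ADFS server.
$names = 'adfs.domain.com', 'enterpriseregistration.domain.com'   # second name assumed (device registration)

$cert = New-SelfSignedCertificate -DnsName $names -CertStoreLocation Cert:\LocalMachine\My

# The three fields the post asks about: Issued To = Subject, Issued By = Issuer
$cert | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Show the SAN the clients will match against
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san.Format($true)

# Export with the private key so every node of the farm can use the same certificate
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath 'C:\temp\adfs-selfsigned.pfx' -Password $pfxPassword

"Use this thumbprint in the ADFS configuration wizard: $($cert.Thumbprint)"
```

A self-signed certificate is fine for a lab, but every federation partner and every client will have to trust it explicitly; for anything beyond a lab, submit a request with the same DNS names to the enterprise CA and let it sign.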

A couple of questions about Microsoft OCSP

Hello

I have been doing a little reading on the above and have a couple of questions please :)

I see Microsoft OCSP has one revocation provider, e.g. CRL, whereby it retrieves information about the currently revoked certificates from the CA by way of the CRL.

Therefore I assume that if you set up an MS OCSP server you also have to have CRL/delta CRL distribution enabled on the CA?

If the above is correct, can you remove the CRL URL from the CDP extension and just leave the OCSP in the AIA extension, but then configure the OCSP server to tell it where the CRL is being published (so it can get the list it needs)?

Or do you still leave the CRL in the CDP and add the OCSP to the AIA, and a client like Vista or above will try the OCSP over the CRL if it sees both extensions in the certificate it is checking?

Thanks All

AAnotherUser__
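
Added example (editor's, not from the post): the usual layout is the last option in the post, CRL in the CDP and OCSP in the AIA. The Online Responder's CRL-based revocation provider is configured with its own CRL URL, so it does not strictly need the CDP, but clients do: Windows Vista and later try the OCSP URL first when a certificate carries one and fall back to the CRL when the responder does not answer (and, by default, switch to the CRL on their own after a run of OCSP responses for the same CA). Removing the CDP therefore removes the fallback and breaks every client that has no OCSP support. The script configures an issuing CA that way and then shows, with certutil, both sources being fetched for a certificate issued afterwards. The URLs and file path are assumptions.

```powershell
# Added example (editor's, not from the post). Run elevated on the issuing CA.
$enroll   = "$env:windir\system32\CertSrv\CertEnroll"
$httpBase = 'http://pki.example.com/pki'        # assumed CRL/AIA web location
$ocspUrl  = 'http://ocsp.example.com/ocsp'      # assumed Online Responder URL

# CDP keeps the CRL. Flags: 1 = publish the CRL to this path,
# 2 = include this URL in the CDP extension of issued certificates.
certutil -setreg CA\CRLPublicationURLs "1:$enroll\%3%8%9.crl\n2:$httpBase/%3%8%9.crl"

# AIA: CA certificate URL (flag 2) plus the OCSP URL with flag 32, which
# means "include in the OCSP (id-ad-ocsp) entry of the AIA extension".
certutil -setreg CA\CACertPublicationURLs "1:$enroll\%1_%3%4.crt\n2:$httpBase/%3%4.crt\n32:$ocspUrl"

Restart-Service certsvc
certutil -crl   # fresh CRL; the responder and the web server both consume it

# Build the chain for a certificate issued after the change and fetch every
# URL in it. certutil prints separate "Certificate CDP" and "Certificate OCSP"
# sections, each marked Verified or Failed, so you see both sources tried.
certutil -verify -urlfetch 'C:\temp\issued.cer' |
    Select-String -Pattern 'CDP|AIA|OCSP|Verified|Failed|Expired|http'
```

Certificates issued before the change keep their old extensions, so test with one issued after the restart. On the Online Responder side, the revocation configuration's "Base CRL" URL is where the responder itself reads the list; it can point at the same HTTP location as the CDP or at a separate one.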


AAnotherUser__


Cross Domain Authentication - via Trust, What DC do I authenticate to.

Hello All:

I am trying to get some clarification on what domain controller I authenticate to via a two-way transitive trust. Our setup is pretty basic.

2 domains in one forest, two-way transitive trust, 2003 domain and forest functional level.

In the one domain I am attempting to retire a domain controller that was the PDC and the original domain controller in that domain (a 2003 domain controller). I have moved all the FSMO roles and any dependencies. I then firewalled off the domain controller completely to see if I would break anything. All looks well; however, in the other domain, when you attempt to authenticate via the trust it complains, "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you". I clearly understand it is probably attempting to authenticate to the original DC I mentioned that is firewalled off. What methodology does the trust use to choose what DC it authenticates to? I looked at the trust properties and nothing is static.

I basically want to try to keep the firewall on and fix this issue, before I flat out demote it.  Any help would be greatly appreciated.
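
Added example (editor's, not from the post): nothing in the trust object names a DC. A DC in the trusting domain holds a secure channel to one DC of the trusted domain, chosen by the DC locator (DNS SRV records for the trusted domain, preferring the caller's site) when the channel is built, and it keeps using that DC until the channel is reset or fails. A DC that still has a channel to the now-firewalled machine is exactly what produces the "possible attempt to compromise security" message. The commands below show, for each of your DCs, which partner DC its channel points at, which one the locator would pick now, and how to reset the channel onto a reachable DC without demoting anything. Domain and host names are assumptions.

```powershell
# Added example (editor's, not from the post). Run as a domain admin.
$trustedDomain = 'CHILD'                                       # assumed NetBIOS name of the other domain
$localDCs      = 'dc1.corp.example.com', 'dc2.corp.example.com' # assumed DCs on this side of the trust
$goodPartner   = 'dc5.child.corp.example.com'                  # assumed reachable DC in the trusted domain

foreach ($dc in $localDCs) {
    "=== $dc ==="

    # Which DC of the trusted domain this DC's secure channel currently uses
    nltest "/server:$dc" "/sc_query:$trustedDomain"

    # Which DC the locator would choose right now for this DC (bypasses the cache)
    nltest "/server:$dc" "/dsgetdc:$trustedDomain" /force

    # Tear down the stale channel and rebuild it, pinned to a DC that is not
    # behind the firewall; omit the \name part to let the locator choose
    nltest "/server:$dc" "/sc_reset:$trustedDomain\$goodPartner"

    # Re-check: the channel should now be with $goodPartner
    nltest "/server:$dc" "/sc_verify:$trustedDomain"
}
```

Repeat the same three commands from the other domain's DCs with your domain as the target, because each side keeps its own channel. If `/dsgetdc` still returns the firewalled DC, its SRV records are still in DNS; once it is demoted they are removed, and until then the `/sc_reset` pin keeps the trust working.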

Add Custom Attributes or OID in Subject Field

Good Morning


I need to generate a certificate with a PKI infrastructure that has additional attributes in its subject field, like the image below.

 


I notice that this certificate has OID attributes in its subject field.

1. How can I do this?
2. Where can I find all the OID codes?
3. Can I create custom attributes in this field?

I appreciate your help
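
Added example (editor's, not from the post): the Subject line of a certreq .inf accepts any relative distinguished name in the form `OID.<dotted number>=<value>`, which is how attributes with no friendly name (or your own, under a private enterprise arc) get into the subject. The request below mixes friendly names with raw OIDs: 2.5.4.5 (serialNumber), 2.5.4.97 (organizationIdentifier) and 1.2.840.113549.1.9.1 (emailAddress) are standard X.520/PKCS#9 attribute types; the last one is a placeholder under a private arc and must be replaced by an OID you actually own. All values are constructed.

```powershell
# Added example (editor's, not from the post).
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
; Friendly RDN types and raw OIDs can be mixed; every value here is a placeholder.
; OID.1.3.6.1.4.1.99999.1 stands for "your own private enterprise number" and is NOT assigned to you.
Subject = "CN=Jane Doe, OID.2.5.4.5=ID-1234567, OID.2.5.4.97=VATES-A12345678, OID.1.2.840.113549.1.9.1=jane.doe@example.com, OID.1.3.6.1.4.1.99999.1=Cost-Centre-42, O=Example Corp, C=ES"
KeyLength = 2048
KeyUsage = 0xA0             ; Digital Signature + Key Encipherment
MachineKeySet = FALSE
Exportable = TRUE
HashAlgorithm = sha256
RequestType = PKCS10
'@

$reqInf  = "$env:TEMP\subject-oid.inf"
$reqFile = "$env:TEMP\subject-oid.req"
Set-Content -Path $reqInf -Value $inf -Encoding ASCII

certreq -new $reqInf $reqFile

# Decode the request: known OIDs print with their friendly name, unknown ones in dotted form
certutil -dump $reqFile | Select-String -Pattern 'Subject:' -Context 0, 10

# Where to look an OID up: certutil knows the registered ones
certutil -oid 2.5.4.5
certutil -oid 2.5.4.97
```

Two caveats for the submission step: on an enterprise CA the template must have "Supply in the request" selected for the subject name, otherwise the CA replaces the whole subject with what it builds from Active Directory; and on a standalone CA the request is used as-is once approved. For the list of standard attribute OIDs, the X.520 arc (2.5.4.x) and PKCS#9 (1.2.840.113549.1.9.x) are the ones certificates normally use; a custom attribute must live under an OID you were assigned (an IANA private enterprise number arc), never under someone else's.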

Validate Server Certificate - Connect to These Servers

Configuring WiFi settings on Windows 7 clients with WPA2 and certificate authentication, under "Smart Card or other Certificate Properties":

I have selected "Validate server certificate", but this only works if I manually select "Connect to these servers" and input the NPS server name. I understand that the above settings are more secure, but what I want to understand is:

1. Why isn't "Validate server certificate" by itself letting me connect?

2. Why does adding the NPS server info fix this?

thanks


editing inf security template file

Hi friends,

I need to import a security template to change only the options that exist in the Password Policy node of Local Group Policy on a standalone workstation. I don't want other security settings to be imported into my local group policy.

I want to know whether I can edit the "%windir%\inf\Defltbase.inf" file and remove all lines except the password policy settings lines, and then import it via secedit. Will such an edited file work?

Thanks in advance
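
Added example (editor's, not from the post): secedit applies only the keys that appear in the template, so a file that carries nothing but the password keys changes nothing else. That makes a trimmed copy of Defltbase.inf workable, but it is simpler and safer to write a minimal template from scratch than to edit the file in %windir%\inf, which Windows uses for its own defaults. The template below holds only the [System Access] password keys, is applied to the SECURITYPOLICY area alone, and the live policy is exported afterwards to confirm. The values are assumptions; run elevated.

```powershell
# Added example (editor's, not from the post).
$template = @'
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Only these keys are present, so lockout settings, RenameAdministratorAccount
; and every other [System Access] key are left exactly as they are.
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
'@

$dir = Join-Path $env:TEMP 'pwpolicy'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$inf = Join-Path $dir 'pwonly.inf'
Set-Content -Path $inf -Value $template -Encoding Unicode   # [Unicode] section expects a Unicode file

# Apply only the security-policy area from this template into a throwaway database
secedit /configure /db (Join-Path $dir 'pwonly.sdb') /cfg $inf /areas SECURITYPOLICY /log (Join-Path $dir 'pwonly.log') /quiet

# Verify: export the effective local policy and read back the password keys
$export = Join-Path $dir 'current.inf'
secedit /export /cfg $export /areas SECURITYPOLICY /quiet
Get-Content $export | Select-String -Pattern '^(Minimum|Maximum)Password|^PasswordComplexity|^PasswordHistorySize|^ClearTextPassword'
```

`net accounts` shows the same values from the account database and is a quick second check. On a domain-joined machine the domain's Default Domain Policy overrides these local values for domain accounts; the template only governs local accounts on that workstation.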

necessary help please

Dear whoever reads my message,

I am a server administrator with Windows Server 2012 Standard Edition. I have four servers (a primary domain controller, an additional domain controller, and two failover cluster nodes, node 1 and node 2).

You know that there are two admin accounts, the domain admin and the local admin.

I want to log on locally to my two domain controllers but I cannot!!??

But I can log on locally to both my nodes.

So how can I log on to my domain servers locally with the administrator account?

thank you again for help
