Channel: Security forum

Can't request certificate on 2008 R2 domain controller through MMC


I just added 2 domain controllers to the new child domain.  Both are 2008r2 and are built using the same automated build.   One DC is able to access the certificate enrollment policy through the certificate MMC, successfully pick the domain controller template, and then install the domain controller cert.

When I attempt the same procedure on the other server, I see the same enrollment policy listed, but when I choose Next to view the available templates I get "Enrollment Error". "The specified network password is not correct".

I also get a couple of stored events in the application log

_____________________________________________________________________________________

Certificate enrollment for Local system failed to load policy from policy servers with ID  {2194C258-E9FD-4265-80C3-415E2BA41553} (The specified network password is not correct. 0x80070056 (WIN32: 86))

Certificate enrollment for Local system failed because no valid policy can be obtained from policy servers with ID{2194C258-E9FD-4265-80C3-415E2BA41553}

______________________________________________________________________________________

When I enter certutil -pulse I get

______________________________________________________________________________________

Certificate enrollment for Local system is successfully authenticated by policy server {2194C258-E9FD-4265-80C3-415E2BA41553}

Certificate enrollment for Local system successfully load policy from policy server {2194C258-E9FD-4265-80C3-415E2BA41553}

______________________________________________________________________________________

I have verified the DC can ping the CA. 

I have downloaded and run DTCPing to validate that the DCOM connection is good

I have verified the DC has the root CA in trusted root, and the subordinate in Intermediate CAs

When I visually compare the certs in Trusted Root and Intermediate CA between the 2 DCs, they are identical. But when I compare using certutil -enterprise -viewstore ROOT, I don't see the enterprise CA that is hosting the template.

Does anyone have any idea why I'm getting different results trying certutil -enterprise -viewstore ROOT?

thanks


Microsoft Windows Unquoted Service Path Enumeration.


I seek your advice on a security issue and how to mitigate this high-risk vulnerability.

Microsoft Windows Unquoted Service Path Enumeration

Synopsis

The remote Windows host has at least one service installed that uses an unquoted service path.

Description

The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker could gain elevated privileges by inserting an executable file in the path of the affected service.
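
As an added illustration (not part of the original post or of the scanner's output), the following PowerShell flags services whose executable path is unquoted and contains whitespace, and shows the quoted value to set instead. The function name and the sample service entries are constructed for this example.

```powershell
# Added example. Service names and paths in $sample are constructed, not taken from a real host.
function Get-UnquotedServicePathFinding {
    [CmdletBinding()]
    param(
        # Any object with .Name and .PathName, which is what Win32_Service provides.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Service
    )
    process {
        $raw  = [string]$Service.PathName
        $path = $raw.Trim()

        # Nothing to check, or the path is already quoted.
        if (-not $path -or $path.StartsWith('"')) { return }

        # Executable portion = shortest prefix ending in ".exe" that is followed by
        # whitespace or the end of the string; everything after it is arguments.
        $m = [regex]::Match($path, '(?i)^(?<exe>.*?\.exe)(?<args>\s.*)?$')
        if (-not $m.Success) { return }        # e.g. kernel drivers (.sys): out of scope here

        $exe = $m.Groups['exe'].Value
        if ($exe -notmatch '\s') { return }    # no whitespace in the executable path: not ambiguous

        [pscustomobject]@{
            Name      = $Service.Name
            Current   = $raw
            Suggested = '"' + $exe + '"' + $m.Groups['args'].Value
        }
    }
}

# Constructed sample input covering the cases that matter.
$sample = @(
    # Unquoted, whitespace in the executable path: reported.
    [pscustomobject]@{ Name = 'ExampleAgent';   PathName = 'C:\Program Files\Example Vendor\agent.exe -service' }
    # Already quoted: not reported.
    [pscustomobject]@{ Name = 'ExampleQuoted';  PathName = '"C:\Program Files\Example Vendor\agent.exe" -service' }
    # Unquoted but no whitespace before the arguments: not reported.
    [pscustomobject]@{ Name = 'ExampleSvchost'; PathName = 'C:\Windows\system32\svchost.exe -k netsvcs' }
    # Whitespace only inside an argument: not reported.
    [pscustomobject]@{ Name = 'ExampleArgs';    PathName = 'C:\Tools\svc.exe --config "C:\My Data\svc.ini"' }
)

$sample | Get-UnquotedServicePathFinding | Format-List

# Read-only audit of a live host (use Get-WmiObject instead on PowerShell 2.0):
# Get-CimInstance Win32_Service | Get-UnquotedServicePathFinding | Format-List
```

The Suggested value is what the service's ImagePath under HKLM\SYSTEM\CurrentControlSet\Services\<service name> should be changed to; re-run the scan afterwards to confirm the finding clears.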

Credential Manager

How can I prevent users from accessing the Credential Manager? I don't want to prevent it from saving passwords, just prevent users from deleting credentials that are saved there.

In need of assistance


I know very little about computers and from what I can tell, someone has turned my new laptop into a server(?). HP told me to junk the laptop and I thought I would reach out and see if there is anyone who can help me gain control of my computer.  I have had this one for 2 months and have only been able to use it a handful of times.  This has been going on for the past year and I am fed up.  I would appreciate any help/advice.  Thank you so much.

Amy

Windows 2012 Standard - Firewall rules - Allowing specific IPs blocking also allowed IPs


I'm using a standalone Windows Server 2012 Standard edition (no Active Directory), and trying to open port 4500 to all local IP addresses but allow certain public IPs.

Under the Scope tab, I set 'Any IP address' for Local IP address, and under Remote IP address I specify the ones I wish to allow. When trying to telnet to port 4500 from a local machine, the connection fails.

Trying to look into the issue I tried the following:

Specifying the local network IP range

Specifying the computer's local IP address

Neither helped allow the local computer to telnet to port 4500.

I also tried out of curiosity removing public IPs and specifying local computer's IPs and still no connection from local computer.

The only condition allowing the connection was allowing any IP address for both local and remote IP addresses.

Is there a fix for this issue that anyone knows of, or a workaround for it?

Thanks!

approx 700 Files being deleted from file server (server 2003) without permission


Hello,

We had a problem with files being deleted from our file server.

We lost approx. 700 files across approx. 40 directories from the file date codes between Nov. 30 2014 and Dec 3, 2014. All files before this date were not touched.

Our Dec. 1 backup had all of the files. Our Dec. 5 backup only has files before Sept. 1 2014 and after Dec. 3, 2014.

My question is how can this happen without going to each directory, sorting by date code and deleting files from this date range.

Does anyone have any other ideas on how this could have happened?

Thank You

Bert

When exactly does CAPI2 delete automatically an internal root CA (Event ID 4108 - Source CAPI2)


Hi everybody,

We use certificate-based authentication of clients to allow access to the core parts of our IIS web app.

This means we create our own CA certificate and store it along with the private key in the Personal Certificates of "Local Machine". In "Trusted Root Certification Authorities" we store the same CA, just without a private key.

To known clients we issue certificates that match our CA, so IIS allows them to access our app.

But sometimes - and only sometimes - CAPI2 deletes our root CAs and thus breaks access to the IIS. CAPI2 adds entries to event log like "Successful auto delete of third-party root certificate:...".

This we saw on Server 2008 R2s and Server 2012. But not every time and not on every machine.

We know that we could turn off the "Automatic Root Certificates Update Configuration" completely but this cannot be the solution.

So when does CAPI2 regard a CA as untrustworthy? Is there something we have to change in the certificate maybe?

Best regards,

Lars Wittenburg

How do I stop workstation users from saving their network password or credentials for logging into a 2008 R2 Server workgroup?


I have a small workgroup of about 30 users that are a mix of XP Pro, 7 Pro and 8.1 desktop / laptop users that connect to a Windows 2008 R2 Server to use Quickbooks Enterprise, share files and printers. I don't want the users to be able to save their password on their workstations; I want them to have to log in every time they connect to the server. How do I turn that off? Is there something on the server in Group Policy or a security setting that will not allow a saved credential for logging onto the server?


subinacl changedomain with only the new domain online.


All, we currently have a very damaged domain controller, the last one in the old domain.  I'm not sure if I can keep it up much longer.  I was hoping to use subinacl to just change all the SIDs on the existing fileserver to use the new domain instead of the old one.  We will recreate the groups to be like named on the old server.  However, if I'm reading the docs correctly we need both domains up still.  If we do have to keep both up I'm not sure I can set up a trust relationship as access to sysvol is being blocked for everyone except admins.  Also I'd have to change the IP on the old box and I don't think that will work either...

So can we use changedomain with only the new DC active, or do we need to look at alt methods?

Thanks,

Dan

Server log having multiple Kerberos Authentication failed events

In my Windows server log I can see so many Kerberos authentication failure events. Could you please explain why this is happening and how to resolve this?

RasClient:dialed a connection named "VPN Connection Name " which has failed. The error code returned on failure is 789 on windows 8.1


Hello,

I am trying to connect to my corporation's VPN server "ISA 2006" using the Windows 8.1 client's built-in VPN, but it returned the following error:

 Event ID 20227: dialed a connection named "VPN connection Name" which has failed. The error code returned on failure is 789.

The VPN connection is working fine with Windows XP and Windows 7 with no issues; this error only appears when trying to connect using a Windows 8 client machine.

This error shows only on the Windows 8.1 client; the same procedure used to enroll the certificate from the internal CA ("IPsec" type) is followed.

Below are the ISA server specifications:

VPN Server: ISA 2006.

Windows Server version 2003.

I would like to add another point for this case: when we try to enroll a certificate from the internal CA web enrollment directly using Windows 8 ("Internet Explorer 11"), it installs a certificate without Digital Signature and Non-Repudiation in the key usage property; then, when we try to connect, it gives the above error 789.

When we enroll a certificate on Windows 7 ("Internet Explorer 10") and then export and import this certificate ("with the name of the Windows 8.1 machine") into the Windows 8.1 machine, the VPN works normally and without issue.

The difference in the certificate properties between the Windows 7 machine and the Windows 8 machine is that the key usage is missing the Digital Signature and Non-Repudiation properties when enrolled from Windows 8.1 ("Internet Explorer 11"). This is in fact because we don't have an option for key usage "both" when submitting a certificate on the web enrollment page from the Windows 8 machine; the only option available is exchange ("no signature and both option available").

I believe that there is something wrong when using Windows 8.1 Internet Explorer 11, so it gives a certificate with the wrong key usage property.

Appreciate your quick help in this.

Please refer to the following link in order to get more info about this issue:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/73503363-d3b6-4a32-9a1c-37e71ef4c62f/rasclientdialed-a-connection-named-vpn-connection-name-which-has-failed-the-error-code-returned?forum=winserverPN&prof=required

Appreciate your quick help and reply.

Thanks

DNSSEC private key storage on windows 2012


Hello,

Where exactly are the PRIVATE keys for DNSSEC stored on Windows 2012? This apparently changed since 2008 R2, so would you please add this info at least here?

a) If the DNS server is running on an AD DC and the keys are configured to be stored and replicated in AD, which object actually holds the private keys?

b) If the DNS server is just a standalone non-DC server, where does it store the private keys locally?

ondrej.

AD CS - Smart Card unable to login


Hi,

I've reviewed an awful lot of posts but nothing seems to be helping on the issue I have.  I'll explain the background - there was/is a two-tier PKI with Standalone Offline Root and Enterprise Issuing CA. Issuing CA running 2008 R2. Smart cards were working fine.  This was set up many years ago and since then the Root CA has been lost (before my time here - possibly deleted, lost during Datacentre migration - it doesn't matter how, but it's gone so I'm unable to update the CRL).

The CRL certificate expired and smartcards failed to login. Other certs have a warning, but continue to function atm.

I have stood up a new two-tier PKI with 2012 R2, offline root and enterprise issuing CA.  I've removed the templates from the old issuing CA and enabled them on the new Issuing CA. All certs except Smart Cards are working.

PKIView is all good, CDP & AIA are all available with no errors on the new PKI.

Certutil -enterprise -verifystore NTAuth displays the certificate (and the previous Root, and the one before that!)

================ Certificate 2 ================
Serial Number: 41000000027aa36b1fa6fe556c000000000002
Issuer: CN=Root-CA
 NotBefore: 28/11/2014 17:37
 NotAfter: 28/11/2024 16:53
Subject: CN=Issuing-CA1, dc=domain, dc=local
CA Version: V0.0
Certificate Template Name (Certificate Type): SubCA
Non-root Certificate
Template: SubCA, Subordinate Certification Authority
Cert Hash(sha1): 69 dc 5b 2d ce 03 60 9a c8 c7 65 e4 17 66 59 19 f4 f3 9b 23
No key provider information
Cannot find the certificate and private key for decryption.
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 4 Days, 17 Minutes, 57 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 4 Days, 17 Minutes, 57 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Root-CA
  NotBefore: 28/11/2014 17:37
  NotAfter: 28/11/2024 16:53
  Subject: CN=Issuing-CA1, dc=domain, dc=local
  Serial: 41000000027aa36b1fa6fe556c000000000002
  Template: SubCA
  69 dc 5b 2d ce 03 60 9a c8 c7 65 e4 17 66 59 19 f4 f3 9b 23
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 02:
    Issuer: CN=Root-CA
    e2 4f 10 52 dc 51 ce 69 f3 34 84 20 8d ee 7d cb 35 6c e0 d6

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=Root-CA
  NotBefore: 28/11/2014 16:43
  NotAfter: 28/11/2024 16:53
  Subject: CN=Root-CA
  Serial: 7a06617d72011bbd4eca9c7045377537
  a6 d0 cc ad 60 75 12 6f 93 ce 36 50 56 01 ff 7e c1 de 0e 65
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  78 51 c3 a3 43 70 48 34 4f 77 a6 86 aa 72 b7 cc 85 2c e6 ef
Full chain:
  12 e1 0e 77 c2 7f 9e f8 dc 62 5e 15 70 1d 82 7c b9 a0 ff 5e
  Issuer: CN=Root-CA
  NotBefore: 28/11/2014 17:37
  NotAfter: 28/11/2024 16:53
  Subject: CN=Issuing-CA1, dc=domain, dc=local
  Serial: 41000000027aa36b1fa6fe556c000000000002
  Template: SubCA
  69 dc 5b 2d ce 03 60 9a c8 c7 65 e4 17 66 59 19 f4 f3 9b 23
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800
------------------------------------
Certificate is NOT valid: A certification chain processed correctly, but one of the CA certificates is not trusted by
x800b0112 (-2146762478)

Certutil -verify %cert.crt% looks OK

certutil -verify c:\newdomainauthcert.cer
Issuer:
    CN=Issuing-CA1
    dc=domain
    dc=local
Subject:
    EMPTY (DNS Name=DC1.domain.local)
Cert Serial Number: 67000000407709f626c5a6a2a1000000000040

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 3 Days, 22 Hours, 23 Minutes, 12 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 3 Days, 22 Hours, 23 Minutes, 12 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Issuing-CA1, dc=domain, dc=local
  NotBefore: 02/12/2014 14:21
  NotAfter: 02/12/2015 14:21
  Subject:
  Serial: 67000000407709f626c5a6a2a1000000000040
  SubjectAltName: DNS Name=DC1.domain.local
  Template: Domain Controller Authentication
  c4 eb fe ac 5c a6 5b b5 37 c2 0d 59 5e 1e 7d c1 ff ac d3 85
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 12:
    Issuer: CN=Issuing-CA1, dc=domain, dc=local
    4c b8 cb c3 ca 25 ad 13 d2 f8 82 6d c0 ab 04 aa 8b 65 e3 c5
    Delta CRL 13:
    Issuer: CN=Issuing-CA1, dc=domain, dc=local
    a7 cd 33 aa b2 ed 8e a7 5c 22 cf 60 98 45 d8 3b 4e 34 45 d4
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Root-CA
  NotBefore: 28/11/2014 17:37
  NotAfter: 28/11/2024 16:53
  Subject: CN=Issuing-CA1, dc=domain, dc=local
  Serial: 41000000027aa36b1fa6fe556c000000000002
  Template: SubCA
  69 dc 5b 2d ce 03 60 9a c8 c7 65 e4 17 66 59 19 f4 f3 9b 23
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 02:
    Issuer: CN=Root-CA
    e2 4f 10 52 dc 51 ce 69 f3 34 84 20 8d ee 7d cb 35 6c e0 d6

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=Root-CA
  NotBefore: 28/11/2014 16:43
  NotAfter: 28/11/2024 16:53
  Subject: CN=Root-CA
  Serial: 7a06617d72011bbd4eca9c7045377537
  a6 d0 cc ad 60 75 12 6f 93 ce 36 50 56 01 ff 7e c1 de 0e 65
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  66 ef a4 ea bc e8 2e 48 d1 80 81 ef 94 81 63 88 9a 6c d0 ef
Full chain:
  17 08 b2 74 ee 70 70 96 68 0e 8c 9d ac 1a b0 59 a0 12 d7 69
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

On the DCs I am receiving the Kerberos-Key-Distribution-Center Event ID 19 & 29.  I have requested new Domain Controller Authentication & Kerberos Authentication certificates for all DCs, and on the site where we are testing the logon I have removed the old certs from the Computer\Personal store for Domain Controller Authentication/Kerberos Authentication - tried again and still it failed with the message "The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account...."

When I restart the Kerberos Key Distribution Center service I see the Event ID 29.

I've reviewed the following KB's and all have not helped:

  • http://technet.microsoft.com/en-us/library/cc733944%28v=ws.10%29.aspx
  • http://technet.microsoft.com/en-us/library/cc734096.aspx

Does anyone have any thoughts why this may be happening?

Thanks

IPSec tunnel from third party router


Hello,

I have the following scenario. I have a VPN router from TP Link which I want to connect to Windows Server 2008 R2. So far the router manages to connect via phase 1 (as far as I understand it's the main mode configuration), but it fails. The server is behind NAT; I made changes in the registry and opened port 4500 (UDP). TP Link support was nice and just sent me to Microsoft.

I checked all possible encryption settings, but I still get errors and can't initiate phase 2 (quick mode). I was looking for the log in Windows but I can't find logs for those connections. Under Network Policy and Access Services, there is simply nothing....

This is log from that router:

VPNERROR packet shorter than isakmp header size (5, 0, 28)
VPNERROR packet shorter than isakmp header size (5, 0, 28)
VPNERROR packet shorter than isakmp header size (5, 0, 28)
VPNERROR packet shorter than isakmp header size (5, 5153876, 28)
VPNINFO IPsec-SA expired: ESP/Tunnel 81.82.198.107[0]->192.168.1.126[0] spi=147523320(0x8cb06f8)
VPNERROR packet shorter than isakmp header size (5, 0, 28)
VPNERROR 81.82.198.107 give up to get IPsec-SA due to time up to wait.
VPNERROR unknown notify message, no phase2 handle found.
VPNERROR unknown notify message, no phase2 handle found.
VPNERROR unknown notify message, no phase2 handle found.
VPNERROR unknown notify message, no phase2 handle found.
VPNERROR unknown notify message, no phase2 handle found.
VPNINFO NAT detected -> UDP encapsulation (ENC_MODE 1->3).
VPNINFO initiate new phase 2 negotiation: 192.168.1.126[4500]<=>81.82.198.107[4500]
VPNINFO ISAKMP-SA established 192.168.1.126[4500]-81.82.198.107[4500] spi:73c027411aeb7d32:a149dba467797faa
VPNINFO NAT detected: ME PEER
VPNINFO Selected NAT-T version: RFC 3947
VPNINFO initiate new phase 1 negotiation: 192.168.1.126[500]<=>81.82.198.107[500]

Can anyone help with that?

Kind Regards,

Vladimir


check certificate issued from template


Hi,

I have multiple templates created for an MDM solution which caters to requests from mobiles using NDES. Can I check which template is actually in use and the last certificate issued out of them?

I tried to pull the issued certificate list but it's a long one and hence hanging all the time; I am not able to export it.

Thanks


Neha Garg


Unable to access HTTPS websites....unable to download windows updates

Hi Community, I need help with two problems I'm having on a Windows 2008 R2 server.  I believe they are connected.  This server is not able to download windows updates and further checking I found out that I cannot access any external https sites.  I did check both ports 80 and 443 on checkmyport.net and they are both open.  I can browse to any other website and have no problems.  We are not using proxy server or WSUS.  The only https site I'm able to open is if I access outlook OWA in the network.  This server was up and working fine without any problem until short time ago.

Thanks in advance!

Getting the following error - The active directory certificate services service terminated with the following service-specific error. Unknown cryptographic algorithm.

Getting the following error - The active directory certificate services service terminated with the following service-specific error. Unknown cryptographic algorithm. Not able to start my CA and not able to locate information on the error.

2 Nic Server 2008 r2 Vlan Security

I have a server that runs our video security system and it has a web access and mobile access portion that I need to open ports for. How secure is it to have one NIC on internal VLAN "2" and the other NIC on VLAN "3" on the perimeter network with ports open to it? We have some credit card information on our internal network so we have to be PCI compliant.

Are Microsoft products at risk from NTP Security vulnerability published last week?

A question about CRL retrieval over HTTP


Hello All

Can someone please help me with the following question

At the moment I have a couple of Windows 2003 R2 Servers with Microsoft Certificate Services installed (e.g. domain joined enterprise CA infrastructure).

The CDP extension of issued certs contains both an LDAP path and an HTTP path to retrieve the CRL, the HTTP path being the standard

URL=http://<CAServer FQDN>/CertEnroll/ENTRootCA.crl

and LDAP being the usual location in AD

Now I need to turn off the 2003 R2 CA in the near future and want to be sure the clients requesting a CRL can still obtain the CRL.

The CARoot Cert is already distributed to all the workstations (as is the SubCA cert) to the usual containers.

The LDAP Path comes first in the list of CRL locations in the CDP extension followed by the URL location.

I know (believe) in general a UA (user agent i.e. WEB Browser) will check the list of CRL locations in turn and as long as it can reach one of them will be OK.

I am OK on the Windows side of things but we also have a UNIX/Linux environment (like most companies) that also utilize certificates issued by the MS CA's therefore their respective UG will (or should that be might) check the CRL via the CDP.

If I turn off the CA then the HTTP path in the CDP will no longer be available (LDAP will still be available).

I just want to check if there are any UG out on the network using HTTP to retrieve the CRL, so I was thinking about checking one or more logs on the CA for HTTP traffic regarding CRL retrieve.

Questions

Is CRL retrieval from the CA (via the default HTTP path) logged in any of the CA logs?
If so which logs?

If not logged by default can I turn up logging (i.e. I see there is a Debug option) and if so will this then log HTTP CRL retrieval requests (e.g. clients IP address making the http request)?

I just want to check this in case some UNIX/Linux UG are not trying LDAP first or cannot retrieve via LDAP and therefore have to rely on HTTP before I turn on the CA

Thanks all in advance

AAnotherUser__
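
An added example, not part of the original post: assuming the CertEnroll virtual directory is served by IIS on the CA with W3C extended logging enabled, the web server's own logs record each HTTP CRL download, and the PowerShell below summarises them by client address and user agent. The function name and the sample log lines are constructed; only the CRL file name comes from the post.

```powershell
# Added example. $sampleLog is constructed; addresses and user agents are illustrative.
function Get-CrlHttpClient {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$LogLine
    )

    $fields = @()
    $hits = foreach ($line in $LogLine) {
        # The "#Fields:" directive names the columns for the lines that follow it.
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $line.Trim()) { continue }   # other directives, blanks

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }               # malformed or truncated line

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # Keep only CRL downloads from the CertEnroll virtual directory.
        if ($row['cs-method'] -eq 'GET' -and $row['cs-uri-stem'] -like '/CertEnroll/*.crl') {
            [pscustomobject]@{
                ClientIP  = $row['c-ip']
                UserAgent = $row['cs(User-Agent)']
                Crl       = $row['cs-uri-stem']
            }
        }
    }

    # One row per client / user agent / CRL, with a request count.
    $hits | Group-Object ClientIP, UserAgent, Crl | ForEach-Object {
        [pscustomobject]@{
            ClientIP  = $_.Group[0].ClientIP
            UserAgent = $_.Group[0].UserAgent
            Crl       = $_.Group[0].Crl
            Requests  = $_.Count
        }
    }
}

$sampleLog = @(
    '#Software: Microsoft Internet Information Services 6.0'
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status'
    '2014-12-20 09:15:02 10.0.0.5 GET /CertEnroll/ENTRootCA.crl - 80 - 10.0.0.41 Microsoft-CryptoAPI/6.1 200'
    '2014-12-20 09:17:40 10.0.0.5 GET /CertEnroll/ENTRootCA.crl - 80 - 10.0.0.77 curl/7.29.0 200'
    '2014-12-20 09:18:11 10.0.0.5 GET /iisstart.htm - 80 - 10.0.0.41 Mozilla/4.0 200'
    '2014-12-20 10:17:41 10.0.0.5 GET /CertEnroll/ENTRootCA.crl - 80 - 10.0.0.77 curl/7.29.0 304'
)

Get-CrlHttpClient -LogLine $sampleLog | Format-Table -AutoSize

# Against real logs (default location for the default web site; adjust to your site ID):
# Get-CrlHttpClient -LogLine (Get-Content "$env:SystemRoot\System32\LogFiles\W3SVC1\*.log")
```

Clients that show up with a non-Windows user agent are the ones to check before the HTTP location goes away.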
