Channel: Security forum

LDAP authentication - Only domain admins are allowed.


Hi Guys,

I am testing out my LDAP binding with LDP.exe.

Apparently only users within domain admin group are allowed to bind successfully, normal users cannot bind.

Any idea?

OS is Windows Server 2003

Error when trying LDAP binding with LDP.exe:

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='cclim'; Pwd= <unavailable>; domain = 'STARWARS2'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece


PKI install issue


Hi 

I am currently setting up a two tier Microsoft PKI using Windows 2012 R2 in a lab. After installing the Standalone RootCA via Server Manager everything seems to be functioning correctly, but the CertConfig share hasn’t been created.

Now when I install the Standalone RootCA via PowerShell with the commands below everything still seems to function correctly, but the CertConfig share has been created.

Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName "TESTROOTCA" -KeyLength 4096 -HashAlgorithm SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -ValidityPeriod Years -ValidityPeriodUnits 10

So my questions are: is the CertConfig share required on a Standalone RootCA? Or is my PowerShell command wrong?

Thanks

Alex

all template certificates are duplicated


Hello,

I have installed an offline ROOT CA and a SUB CA Enterprise Windows 2012 R2. When I list my certificate templates on the SUB CA from the console, I see each template duplicated, e.g. two user certificate templates, two web certificate templates, two ipsec certificate templates, two ocsp certificate templates, two basic efs certificate templates, etc.

Is it a bug?

Thank you in advance

NDES - 401 - Unauthorized: Access is denied due to invalid credentials


Hello,

I'm having a problem accessing the mscep_admin page to retrieve a password for enrollment.

My current setup:

Server 2012 - CA offline root

Server 2012 - CA Subordinate

NDES user account - Member of local IIS_IUSRS account, domain user

We are trying to set up SCEP to leverage NDES to retrieve certificates for iDevices and everything seems to be configured correctly, except I get this error when trying to access http://servername.domain/CertSrv/mscep_admin.

I have created a template from the standard IPSEC offline template and have given read/enroll permissions to the NDES user account.

I have also edited the associated registry keys to allow the user account access.

In IIS, the SCEP service is configured to use the Identity: NetworkService. Both Network Service (local) and NDES user have been given full control of managing both RA private keys.

Interesting note:  In the event logs, I'm getting:

Error ID 8

The Network Device Enrollment Service cannot retrieve information about the certification authority (0x80004005). Unspecified

Any questions about my setup and/or any suggestions on what else I can check?


How to do masking for the following Microsoft services on Windows 2012


Dear All,

Is it possible to mask off the following services on Windows Server 2012?

IP Address (tcp/80)
The remote web server type is :
Microsoft-IIS/8.0
IP Address (tcp/80)
The remote web server type is :
Microsoft-IIS/8.0
IP Address (tcp/443)
The remote web server type is :
Microsoft-IIS/8.0

IP Address (tcp/0)
Remote operating system : Microsoft Windows Server 2012
Confidence Level : 75
Method : HTTP

The remote host is running Microsoft Windows Server 2012
IP Address (tcp/0)
Remote operating system : Microsoft Windows Server 2012



Thanks and best regards, Kim Seng

This posting is provided with no warranties or guarantees, and confers no rights.

SID S-1-5-18 trying to copy a file - JAVA Service trying to copy files


I have a JAVA.EXE Service, an IBM/MAXIMO application server.

The Service is running on ServerA and the shared folder is on ServerB.

The service is trying to copy a file from the remote system (SERVERB) using a UNC path (it could use a drive letter too) and the file has to be stored on ServerA.

But the result is: "Access Denied"

I've tried to configure SYSTEM, NETWORK, NETWORK SERVICE in the NTFS permissions, but nothing works. Everyone does not work either.

PROCMON states that the local attempt is using the well-known SID S-1-5-18 (SYSTEM, see https://support.microsoft.com/KB/243330?wa=wsignin1.0)

"FAST IO DISALLOWED",""

"OBJECT PATH INVALID","Desired Access: Read Attributes, Dis, Options: Open For Backup, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"

The NetMon shows Access Denied too

2293  11:08:16 23/12/2014  1118.8269458  System  SRV-DTC-137  BRDC1-SRV0024  SMB2  SMB2:R  - NT Status: System - Error, Code = (34) STATUS_ACCESS_DENIED  CREATE (0x5) , File=NULL@#2292  {SMB2:1648, SMBOverTCP:1645, TCP:1644, IPv4:71}

2454  11:08:59 23/12/2014  1161.8779369  BRDC1-SRV0024  SRV-DTC-137  SMB2  SMB2:R  - NT Status: System - Error, Code = (34) STATUS_ACCESS_DENIED  TREE CONNECT (0x3)  {SMBOverTCP:1708, TCP:1707, IPv4:71}


Event ID 675 Failure Code: 0x19 and 0x18


I know why I'm getting event ID 675 failure code 0x19 on my 2003 domain controllers.

The problem we're experiencing is certain users have had their accounts locked out when using Activesync to retrieve their e-mail (Exchange 2010) on mobile devices. The passwords are correct and they can get and send e-mail, initially. After a day or two, their accounts get locked out. This happens on both Android and iOS platforms. It is not the device that's causing the problem.

Our account lockout policy is 10 attempts within 30 minutes.  The security log shows event ID 675 failure code 0x18 ten times within a 30 minute interval when this happens.

One particular user has been using Activesync successfully for the last couple of years, then this started happening to their account.  If I disable Activesync on their Exchange mailbox or remove the Exchange account from their mobile device, account lockouts no longer occur.

Any ideas?
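
The lockout pattern described in the post above (ten event ID 675 failures with code 0x18, which is KDC_ERR_PREAUTH_FAILED, inside 30 minutes), as an added example that is not part of the original post: a sliding-window pass over exported events that reports which client address produced the failures that reached the threshold. The CSV layout, user names and addresses are constructed assumptions, not real log data.

```python
import csv
import io
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                    # lockout policy from the post: 10 attempts
WINDOW = timedelta(minutes=30)    # ... within 30 minutes
PREAUTH_FAILED = "0x18"           # failure code the post sees before each lockout

def build_sample():
    """Constructed export (assumed layout): time,user,client_address,failure_code."""
    base = datetime(2014, 12, 1, 9, 0)
    lines = ["time,user,client_address,failure_code"]
    # One stale credential retried every 2 minutes from a single constructed
    # address (192.0.2.0/24 is a documentation range).
    for i in range(10):
        stamp = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{stamp},jdoe,192.0.2.10,0x18")
    # Noise: a different failure code, and failures too sparse to lock out.
    lines.append(f"{base.isoformat()},jdoe,192.0.2.55,0x19")
    for i in range(4):
        stamp = (base + timedelta(hours=i)).isoformat()
        lines.append(f"{stamp},asmith,192.0.2.77,0x18")
    return "\n".join(lines)

def find_lockout_sources(csv_text, threshold=THRESHOLD, window=WINDOW):
    """Per user: the first moment the threshold is reached and the client
    addresses behind the failures inside that window."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["time"])
    recent = defaultdict(deque)   # user -> (time, client) pairs still in the window
    hits = {}
    for row in rows:
        if row["failure_code"].lower() != PREAUTH_FAILED or row["user"] in hits:
            continue
        when = datetime.fromisoformat(row["time"])
        queue = recent[row["user"]]
        queue.append((when, row["client_address"]))
        while when - queue[0][0] > window:      # drop failures older than the window
            queue.popleft()
        if len(queue) >= threshold:
            hits[row["user"]] = {
                "reached_at": when,
                "first_failure": queue[0][0],
                "sources": Counter(client for _, client in queue),
            }
    return hits

if __name__ == "__main__":
    for user, hit in find_lockout_sources(build_sample()).items():
        print(user, hit["reached_at"], dict(hit["sources"]))
```
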


Authentication with PEAP-MSCHAPv2 against IAS Radius in W2003 Server not working after Windows update


We are using MSCHAPv2 under PEAP against an IAS Radius Server with Windows 2003 Server as the authentication method for Wifi and VPN clients. After last Tuesday's (11/11/2014) update on Windows 2003 server, the server does not allow Windows clients to connect. Clients show error 87 ("wrong parameter") and the server log shows the EAP type as "unknown", as it seems it does not recognize PEAP. Linux, MacOS, iOS and Android clients are not affected by the problem.

After removing the KB2992611 patch, everything seems to work OK again. But of course, we are not comfortable with this bypass (in fact, patch removal was not recommended as it was associated to some more).

It is really strange since Microsoft Security Bulletin MS14-066 does not indicate any functional change, but a vulnerability fix and new cipher suites.

Has anybody experienced the same situation? Any news about a problem with this patch? Does Microsoft know anything about this situation?

Many thanks in advance, Jose.

change windows security password


I need to change my password on the screen that displays occasionally before letting me onto Windows Mail. The title of the screen is "Windows Security" and it asks for my user ID and password. I need to change the password but don't remember the old one, or the program doesn't, as I have put in every combination I have ever used. Tried making a new account, did not work. I would like to change all Windows passwords for that matter and write them down.

thanks

bb'

Certificate not enrolling on Windows XP SP3 clients.


We set up a computer certificate needed for our SCCM environment for https, we created the template, set it for auto enroll, and created a GPO.  The certificate deployed fine on all of our clients, and working as expected, except for the ones running Windows XP.  Despite them getting the group policy, they are not auto enrolling.  When I try to enroll them manually I get the following error:

The Certificate request failed.  The Permissions on this certification authority do not allow the current user to enroll for certificates.

We are using SHA1, though I tried to install the kb968730 hotfix anyway. In the security tab, all Domain Computers and Domain Users have read, enroll, and autoenroll rights. Under the compatibility tab of the template the Certification Authority is Windows Server 2003, and Certificate recipient is Windows XP / Server 2003. I am unable to figure out why, and until I do I can't deploy the SCCM client to these computers.


 

approx 700 Files being deleted from file server (server 2003) without permission


Hello,

We had a problem with files being deleted from our file server.

We lost approx. 700 files across approx. 40 directories, with file date codes between Nov. 30 2014 and Dec 3, 2014. All files before this date were not touched.

Our Dec. 1 backup had all of the files. Our Dec. 5 backup only has files before Sept. 1 2014 and after Dec. 3, 2014.

My question is how can this happen without going to each directory, sorting by date code and deleting files from this date range?

Does anyone have any other ideas on how this could have happened?

Thank You

Bert

Password reset for non domain joined machines


Hi

I have a customer who we are moving to Exchange Online and who will be using ADFS/DirSync for SSO.

One of the groups in the company is running in a different domain; however, they will be provided with credentials in the main domain until they are moved over sometime in the future.

As an interim solution I need a mechanism for password resets, so I was looking at the features in ADFS from Server 2012 R2 and the workplace join.

The workstations are a mix of Windows 7 and Windows 8. Is it possible to have a machine domain joined to one domain and then workplace join it to another?

Administrator Password Changed by itself - please help


I have Windows Server 2008 R2, on a Dell PowerEdge T110 II. About 3 months ago, my Administrator Password mysteriously changed without me changing it. At the time I suspected one of the employees in our company may have changed it by accident as a few people knew the password. In order to get a new password I was forced to re-install Windows on the Server, and this was very disruptive to our business operations.

After that I kept the new Administrator password a secret, nobody else knew it. Then, 2 weeks ago, the Administrator Password automatically changed again by itself. Since I know now that it was not a human who did this, I am concerned I may have a virus. There is no anti-virus on the Server.

Based on the above, can you suggest any other explanations and some advice so it does not happen again? Is there any other way to re-establish the Administrator password without having to re-install Windows all over again?

Many thanks,

Matt Homfray

An Extended Error has occurred. Failed to save local policy database


I am trying to add a user to the Log on as a service property in the Local Security Policy of my DC. When I do this I get this error: "An Extended Error has occurred. Failed to save local policy database".

If I click OK to the error everything looks OK, but when I go back into the property, the IIS AppPool\Classic .NET AppPool user and any other AppPool users are gone and I am unable to add them back in. I have tested this on two test networks with the same result.

I tried to do this with a GPO, but have now lost the NT Service\All Services user too.

I have checked the database and it is not corrupted.

Any ideas on how to get the AppPool users and the NT Service\All Services user back in would be appreciated.

Thanks

Simon


Error renewing standalone root CA certificate


I have created a clone of our offline root CA in order to play around with.  I successfully migrated the clone from CSP to KSP.  Now I am testing renewing the CA certificate and following the guidance in the following links:

http://technet.microsoft.com/en-us/library/cc780374%28v=ws.10%29.aspx

https://www.youtube.com/watch?v=Q-1Y1ZI9R6k

I'm experiencing an issue when renewing the CA certificate (both with and without generating a new key pair).  After the Certification Authority services stop, I get the following error:

"Cannot create file \\<Root_CA_hostname>\CertConfig\<Root_CA_hostname>_<Root_CA_name>.crt: The network name cannot be found. 0x80070043 (WIN32: 67 ERROR_BAD_NET_NAME)"

Even though I receive this error, it appears the certificate is, in fact, renewed.  I see a new CRT file in C:\Windows\System32\CertSvc\CertEnroll\ and the CRL file has a new timestamp.  The new certificate also appears in the Certificates MMC snap-in as well as the properties of the CA itself.

I noticed that the folder C:\Windows\System32\CertSvc\CertConfig\ does not exist on the system.  I created it and shared it and tried renewing the certificate again and this time I did not get the error.  A CRT file was created in the CertConfig folder.

Both the offline root CA and online, domain-joined issuing CA are running Windows Server 2012 R2. They were both previously migrated from servers running Windows Server 2003 R2. I do not know what procedures were followed for the migration as someone else performed it who is not here at this time. According to the following link, the CertConfig folder is deprecated and is no longer created when you set up Active Directory Certificate Services on newer operating systems (unless you do it via PowerShell):

https://social.technet.microsoft.com/Forums/en-US/18f3822f-6a8c-404a-ac4f-ff084b715909/pki-install-issue?forum=winserversecurity

I did look in the registry on the root CA and I see, under the key containing the root CA settings, a string "CACertFileName" that has a value of "\\<Root_CA_hostname>\CertConfig\%1_%3%4.crt".  I imagine that has something to do with the error I am receiving.

I also looked at the registry on the online, domain-joined issuing CA and it does not have a "CACertFileName" string in the registry under the key containing the issuing CA settings.

Can the error I am receiving when renewing the root CA certificate on the test machine be safely ignored?  Should the value for "CACertFileName" on the root CA be set to something else?  Should it be deleted entirely?

Thank you in advance.

How to modify Local Security policy for member server?


Hello all,

We have a member server which has a domain policy applied, but we need to modify the local Security policy to have more restrictive settings as well as to control the local accounts settings (I believe that Domain policy doesn't control the local accounts, it controls domain accounts only, right?).

When we open the local Security policy (secpol.msc) on the server, we find that the settings are greyed out and we are unable to modify them.

Please advise.

Thanks a lot in advance

Best Regards

Unable to enroll Computer certificates on Server 2008 R2 and older


I've found a strange issue with our CA setup, and it didn't used to be a problem.  While renewing some internal certificates a couple of months ago I discovered that systems of the Windows 7/Server 2008 R2 and older families cannot enroll for a Computer certificate or for a custom template I built for web servers.  Systems of the Windows 8/Server 2012 and newer families can enroll using the exact same user and process without any trouble.  Direct IIS "domain certificate" enrollment still works.

I'm enrolling with the Certificates MMC snap-in to allow use of the enhanced security template I built. I open MMC, add the local computer certificates snap-in, and then attempt to request a certificate with Personal > Certificates > All Tasks > Request New Certificate. I choose the Active Directory Enrollment Policy but then get the "Certificate types are not available" error message and a blank selection screen. If I check the box to show all templates the certificates I want are listed with:

"The permissions on this certification authority do not allow the current user to enroll for certificates. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA doesn't support this operation, or the CA is not trusted."

I've checked Event Viewer on both the CA and the clients, along with the CA request logs, but there's nothing visibly wrong.  The error message seems to say it all but since Windows 8/2012 clients and newer work I know the CA is functional and that the Administrator account can request certificates.  I've searched the web but can't find anything like this specific issue.

Any ideas?

Thank you!

Remove SSL Certificate from IIS version 6.1


Hi Windows Server Expert,

I have one web server with Server 2008 R2 installed and IIS version 6.1. Since the SSL certificate is expiring soon and the website itself doesn't require an SSL certificate anymore, how should I remove the SSL certificate from the server?

Thanks.

Regards,

H
