Channel: Security forum

Remove SSL Certificate from IIS version 6.1

Hi Windows Server Expert,

I have one web server with Server 2008 R2 installed and IIS version 6.1. Since the SSL certificate is expiring soon and the website itself doesn't require an SSL certificate anymore, how should I remove the SSL certificate from the server?

Thanks.

Regards,

H


What permissions are required to see scheduled tasks on a remote server using SCHTASKS /S {server}?

When I attempt to run SCHTASKS /S {server} some servers return:

ERROR: Access is denied.

On servers where I am a member of the local Administrators group I can run this command successfully. There are many servers where it is not appropriate for me to be a local Administrator but where it would be fine for me to monitor the status of scheduled tasks on the server.

What permissions need to be granted to me to see the scheduled tasks and not be a local administrator? Is this even possible?

Thanks,

Matthew

Event ID 6038 LsaSrv NTLM authentication warning

Searching the internets we haven't found any other references to this particular Event ID Warning message. It's likely new in Windows Server 2012; we are part of an Active Directory that is at Forest Functional Level: Windows Server 2008, but our Child Domain is at Domain Functional Level: Windows Server 2012 (3 Domain Controllers in our Child Domain). Clicking on the URL in the Description of the Event ID just links to a ‘Windows Server Future Resources’ placeholder page. The full Event ID is pasted in below.

We would like to know how to complete these checks, and if possible, raise our NTLM Authentication to Kerberos. How are these tasks accomplished on Windows Server 2012 Domain Controllers? Thanks in advance for any help! 

Log Name:      System
Source:        LsaSrv
Date:         12/27/2012 6:00:01 PM
Event ID:      6038
Task Category: None
Level:         Warning
Keywords:      Classic
User:         N/A
Computer:      <server FQDN>

Description:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

NTLM is a weaker authentication mechanism. Please check: 

      Which applications are using NTLM authentication?
      Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
      If NTLM must be supported, is Extended Protection configured? 

Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

Phase 1- Private key used for DH

It is my understanding that DH is an asymmetric method which has the purpose of establishing a shared secret key, later to be used for symmetric encryption.

First question: is this process of DH negotiations being done in a secure way, using the previous at IKE phase 1 of PSK/X.509 certificates?

Second question: DH is using 2 numbers, shared publicly between the initiator and receiver, and then, using an additional private key, further calculation is being done towards the aim of agreeing on a shared secret key. The question is, where does this private key come from? Does DH invent it, or is it the private key of the certificate?

Last question: PSK is symmetric and X.509 is asymmetric, correct?

Thank you kindly

change windows security password

I need to change my password on the screen that displays occasionally before letting me onto Windows Mail. The title of the screen is "Windows Security" and it asks for my user ID and password. I need to change the password but don't remember the old one, or the program doesn't, as I have put in every combination I have ever used. Tried making a new acct, did not work. Would like to change all Windows passwords for that matter and write them down.

thanks

bb'

subinacl changedomain with only the new domain online.

All, we currently have a very damaged domain controller, the last one in the old domain. I'm not sure if I can keep it up much longer. I was hoping to use subinacl to just change all the SIDs on the existing fileserver to use the new domain instead of the old one. We will recreate the groups to be like named on the old server. However, if I'm reading the docs correctly we need both domains up still. If we do have to keep both up I'm not sure I can set up a trust relationship, as access to sysvol is being blocked for everyone except admins. Also I'd have to change the IP on the old box and I don't think that will work either...

So can we use changedomain with only the new DC active, or do we need to look at alt methods?

Thanks,

Dan

When exactly does CAPI2 delete automatically an internal root CA (Event ID 4108 - Source CAPI2)

Hi everybody,

We use certificate based authentication of clients to allow access to the core parts of our IIS web app.

This means we create our own CA certificate and store it along with the private key in the Personal Certificates of "Local Machine". In "Trusted Root Certification Authorities" we store the same CA just without a private key.

To known clients we issue certificates that match our CA, so IIS allows them to access our app.

But sometimes - and only sometimes - CAPI2 deletes our root CAs and thus breaks access to the IIS. CAPI2 adds entries to event log like "Successful auto delete of third-party root certificate:...".

This we saw on Server 2008 R2s and Server 2012. But not every time and not on every machine.

We know that we could turn off the "Automatic Root Certificates Update Configuration" completely but this cannot be the solution.

So when does CAPI2 regard a CA as untrustworthy? Is there something we have to change in the certificate maybe?

Best regards,

Lars Wittenburg

Windows 2012 Standard - Firewall rules - Allowing specific IPs blocking also allowed IPs

I'm using a stand alone Windows Server 2012 Standard edition (no Active Directory), and trying to open port 4500 to all local IP addresses but allow certain public IPs.

Under the Scope tab, I set 'Any IP address' for Local IP address and I specify under Remote IP address the IPs I wish to allow. When trying to telnet to port 4500 from a local machine, connection fails.

Trying to look into the issue I tried the following:

Specifying the local network IP range

Specifying the computer's local IP address

Both didn't help allowing local computer to telnet port 4500.

I also tried out of curiosity removing public IPs and specifying local computer's IPs and still no connection from local computer.

The only condition allowing the connection was allowing any IP address for both local and remote IP addresses.

Is there a fix for this issue that anyone knows of or a workaround for it?

Thanks!


LDAP authentication - Only domain admins are allowed.

Hi Guys,

I am testing out my LDAP binding with LDP.exe.

Apparently only users within domain admin group are allowed to bind successfully, normal users cannot bind.

Any idea?

OS is Windows Server 2003

Error when try LDAP binding with LDP.exe

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='cclim'; Pwd= <unavailable>; domain = 'STARWARS2'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece

Vulnerability in windows server 2008 R2

Hi,

We are from a secured project, a disconnected environment with no internet access. During this quarter's vulnerability scan we found 2 vulnerabilities.

1. Vulnerability in SSL 3.0 could allow information disclosure (POODLE)

Workaround done: SSL 2.0 and SSL 3.0 are disabled and TLS 1.0, 1.1, 1.2 have been enabled through group policy

In registry - created Dword (Enabled) and set 0 for SSL 2.0 and SSL 3.0 (both client and server)

Created Dword (Enabled) and set value to 1 for TLS 1.0, 1.1, 1.2 (both client and server)

2. Improperly issued digital certificates could allow spoofing

Installed KB2813430, tried to install KB2677070 (error not applicable)

Tried installing rvkroots - shows no sign of installation

Scan report says "The remote host has KB2677070 or KB2813430, but the disallowed CTL has not been updated."

Kindly help us in fixing the issue at the earliest

Regards,

Shan Madhuran


Account Lockout Policy

We recently upgraded our Active Directory 2000 to 2003. We also have a few child domain controllers running Server 2008 and 2012 but the primary is 2003. Before the upgrade, our applications worked very well. Since we upgraded, the account used to run one of the application's services often gets locked. I have spent hours on Google looking into numerous cases about account lockout events and I know it's not a special topic. I also read many articles on how AD Account Lockout policy and Kerberos work.

However, I still haven't figured it out yet, so my question is quite different: Are there other reasons than a bad password that make the account get locked? Hopefully we find something wrong with Kerberos.

Regards,
-T.s


Thuan Soldier
A 23-year-old man loving Microsoft technologies and making crazy ideas on business journey.
SharePoint Vietnam | Blog | Twitter

NDES - 401 - Unauthorized: Access is denied due to invalid credentials

Hello,

I'm having a problem accessing the mscep_admin page to retrieve a password for enrollment.

My current setup:

Server 2012 - CA offline root

Server 2012 - CA Subordinate

NDES user account - Member of local IIS_Iusers account, domain user

We are trying to set up SCEP to leverage NDES to retrieve certificates for iDevices and everything seems to be configured correctly except I get this error when trying to access http://servername.domain/CertSrv/mscep_admin.

I have created a template from the standard IPSEC offline template and have given read/enroll permissions to the NDES user account.

I have also edited the associated registry keys to allow the user account access.

In IIS, the SCEP service is configured to use the Identity: NetworkService. Both Network Service (local) and NDES user have been given full control of managing both RA private keys.

Interesting note:  In the event logs, I'm getting:

Error ID 8

The Network Device Enrollment Service cannot retrieve information about the certification authority (0x80004005). Unspecified

Any questions about my setup and/or any suggestions on what else I can check?

Server 2008 R2, event ID 4625 error with logon type 10 -- Local Workgroup identified

I'm getting thousands of Event ID 4625, logon type 10 errors on the security events log of my server running Server 2008-R2.  The SubjectDomainName is our local Windows Workgroup, so I'm thinking this is from computers on our LAN trying to connect with the server which is on the same LAN subnet.  The server is running RDS for users in other company locations. 

Is there an easy way to stop this?

Thanks!

Ron


Joe_Camel

Parse Security Logs for User Account logon Computer Name

Greetings,

I was recently tasked with creating a list of user accounts and the computer which they logged onto. Unfortunately, we do not have time to use the logon script method. I believe we can achieve this goal using software similar to LANSweeper; however, not all computers will be turned on at a given time and I believe this application gathers its information from the client PC. One possible solution I see is parsing the data from our domain controllers' Security Logs / Successful Logons; however, this is proving to be a challenge. Any suggestions?

Thanks,

Chris

Psexec shows Access denied when i execute a .exe file on a remote machine

Hi All,

I am using the Psexec application to run an exe on multiple remote machines in the domain. When I run the .EXE I get the error message saying access is denied.

I am running this script against agents in a list.

Below is the script I am running in the batch:

"C:\Windows\system32\PsExec.exe" @C:\Test.txt cmd

1. I am first connecting to the cmd of the remote computer and it connects successfully.
2. Then I enter the .exe file location on the command prompt (which is also in a shared drive but in the same domain).
3. I ran the batch file as Run as administrator.
4. I am myself a member of the Domain admins and Administrators group of the domain.
5. Turned off firewall on both sides.
6. Turned off UAC fully as per the below MS article - http://technet.microsoft.com/en-us/library/cc709691(v=ws.10).aspx
7. Pressed shift and right click so I will get the Run as option and mentioned a different domain admin user account and password.

Below is the screenshot for your reference:

Restarted both the machines after doing these changes. But still the same issue.

But still I get access is denied. Can anyone please help?


Gautam.75801


AntiVirus for Windows Server 2003

I have 3 servers on a network all running Windows Server 2003, Standard Edition, SP2.

Currently I have a commercial 5 machine license for Kaspersky antivirus.  That license is expiring in 6 days but I don't think I'll keep these servers but a few months. The renewal is $290.

Is there another option for Win 2003 Server I could use that would be decent security and not cost as much or better yet  be free?

Thanks very much!!

Tommy

Windows server 2008 patch issue

Recently, we applied Windows patches to our machines which are hosting an asp.net application and a WCF service.
After the Windows patches, the WCF service runs successfully. Both server 1 or server 2 can call the WCF service but they cannot receive or consume the WCF service.
Can I check with you which Windows patches will affect the WCF service?

Our system setup is as follows:

    • Server 1 (Windows Server 2008)
      • WCF service hosted on the server 1 machine
    • Server 2 (Windows Server 2008)
    • Server 2 will call the web service on server 1 through the asp.net application

Can someone help me please with an office 365 question

I am unable to receive encrypted emails from my work: when I log into my gmail account, once I have clicked onto the email message I keep getting an error that says I must log out of my hotmail and into my gmail to receive this message. I do this and still get the same message. I have actually gone onto Hotmail and signed out, then gone back to the link to sign into my gmail link for the encrypted message to log in with my gmail and password, which I have also changed, and still the same: I am logged into Hotmail and I must log out and sign in with my gmail address to access the encrypted message.

My company apparently has a contract with Microsoft for some encrypted package deal for 3 years. Some in our office are able to access their encrypted messages and others not. Please see my answers below.

It is not Outlook for this, it is the browser, and we access the emails via browser as well.

There is nothing to screen shot. The information just doesn't open after I download the message and try to open the package.

Certificate authority does not start on migrated 2012R2 server

I have migrated the root CA from Windows 2003 to 2012R2 according to TechNet instructions
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx

The service does not start.

The error shown is:
The dependency service does not exist or has been marked for deletion. 0x433 (WIN32: 1075 ERROR_SERVICE_DEPENDENCY_DELETED)

In the event log:
The Certificate Services service depends on the following service ProtectedStorage. This service might not be installed.

Thanks,
James.


James.

SHA-1 Hash of an Entire Folder Structure

Can anyone recommend a program / utility that I can point to a folder and it generates a SHA-1 hash of all contents?

I'm familiar with using Hashcalc which works very well with single files... a fallback option I have is to take a zip archive of the aforementioned folder and then hash the archive... but I'm hoping to not have to do that.

Kind regards, Dave
