Channel: Security forum

Coexisting certificate PKI


hello,

I inherited a two-tier PKI: one standalone root CA server and one AD CA server. Both servers are running W2K3.

Unfortunately the root CA was created with CRL settings, so it is not possible to keep the root CA offline for security reasons. And there are many web server certificates in use, which were created directly from the root CA, and some from the AD CA.

Now I want to upgrade the CA environment to W2K8R2 servers. When I export/import the certificate settings I still have the problem with the CRL of the root CA, and both servers have to stay online.

My idea is to set up a new two-tier PKI (offline root CA without CRL and a new AD CA), let both PKIs run in parallel for some months, and replace all certificates created from the old root CA with certificates from the new AD CA.

Is this possible? Which problems may arise? Can Active Directory handle both AD certificates at the same time?

Thanks in advance and kind regards, Boris


Struggling with Certs


I have been in a rabbit hole for a few days now confused and frustrated. Here is the breakdown.

I have a Windows Server 2008 R2 Enterprise machine running AD CS and IIS.

I have a Windows Server 2008 R2 Enterprise machine running NPS.

I have a Windows Server 2008 R2 Standard machine running AD and DNS.

My CA is an Enterprise Sub. CA that got its cert from my corporate Root CA.

So here are some questions:

I want to run EAP-TLS or PEAP-TLS for secure wireless on machines or for users. Does my Ent. Sub CA need to run on a domain controller?

If my NPS server requests a cert from my CA the only option is a computer cert not a user cert.

Do I also need to request a cert on my DC from my CA?

What are the procedures for deploying certs through GP? Do they get deployed via the default group policy?

Giving permission to a user to a certificate located in the local machine root storage

Hello,

I want to give the user "Network Service" access to a certificate installed in LOCAL_MACHINE\Root, but I am having trouble with this.

When I do:

winhttpcertcfg -i C:\cert.pfx -c LOCAL_MACHINE\Root -p password

It does not install the certificate in LOCAL_MACHINE\Root, or it can't be seen through mmc.

When I do:

winhttpcertcfg -i C:\cert.pfx -c LOCAL_MACHINE\Root -a "Network Service" -p password

It installs the certificate but doesn't give the user "Network Service" access to the installed certificate. Or at least, the user "Network Service" is neither the user which installed the certificate (because I installed it with another user, "FULLSTEP\auv", and that one is allowed) nor listed in "Additional accounts and groups with access to the private key include:".

After I do:

winhttpcertcfg -g -c LOCAL_MACHINE\Root -s "SecureBlackBox Demo Certificate" -a "Network Service"

winhttpcertcfg -l -c LOCAL_MACHINE\Root -s "SecureBlackBox Demo Certificate"

Then the user "NT AUTHORITY\NETWORK SERVICE" is listed in "Additional accounts and groups with access to the private key include:", so the access-granting instruction apparently worked well. But when I try to access the certificate with the "Network Service" user (with a program I made), I am getting an error ("Failed to acquire key context") from a component I use, and I think that is a user permission error. I think this because of the kind of error and also because I tried the following:

As I said, after executing:

winhttpcertcfg -i C:\cert.pfx -c LOCAL_MACHINE\Root -a "Network Service" -p password

The certificate was installed and I can access it with the user which installed it, so that user is listed when I do:

winhttpcertcfg -l -c LOCAL_MACHINE\Root -s "SecureBlackBox Demo Certificate"

Ok, then I do:

winhttpcertcfg -r -c LOCAL_MACHINE\Root -s "SecureBlackBox Demo Certificate" -a "FULLSTEP\auv"

And it tells me that the user "FULLSTEP\auv" has been removed from the private key access. Then I try to access the certificate with that user and I get the same error I got when I tried to access it with the user "Network Service". So that is why I think that is a user permission problem, and more accurately I think that is that the user "Network Service" can't access the private key, although it was listed in "Additional accounts and groups with access to the private key include:". Afterwards, I tried:

winhttpcertcfg -g -c LOCAL_MACHINE\Root -s "SecureBlackBox Demo Certificate" -a "FULLSTEP\auv"

And it tells me "Error: Access was not successfully obtained for the private key. This can only be done by the user who installed the certificate".

So my questions are the following:

Is it possible to accomplish what I am trying to do? (Access with the "Network Service" user to the certificate with its private key, located in LOCAL_MACHINE\Root)

Is "winhttpcertcfg -g" granting access to the certificate, but not to its private key, as I suppose?

Can I somehow give access to the private key of the certificate?


Any idea given will be really helpful.

Thanks,
Ari.
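An added check, not part of Ari's post: for a certificate whose key sits in a legacy CSP container, the key material is a file under MachineKeys, and that file's NTFS ACL is what actually decides who can open the private key. The script below locates the file for the certificate, prints its ACL, and grants NETWORK SERVICE read access; the subject string, store and account are assumptions taken from the post, and it must run elevated.

```powershell
# Added example, not from the post. Assumed values from the post; adjust for your certificate.
$subjectMatch = 'SecureBlackBox Demo Certificate'
$account      = 'NT AUTHORITY\NETWORK SERVICE'
$store        = 'Cert:\LocalMachine\Root'

$cert = Get-ChildItem $store |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$subjectMatch*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matching '$subjectMatch' in $store" }

# A PFX imported with a legacy provider lands in a CSP container; the key material is a
# file under MachineKeys named after the container. CNG keys live elsewhere and need CNG APIs.
$rsa = $cert.PrivateKey
if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
    throw 'Not a CSP key (CNG keys are stored under ProgramData\Microsoft\Crypto\Keys); inspect with: certutil -v -store Root'
}
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

# Who can currently use the key? A principal that is missing here cannot open the key,
# whatever the certificate-level listing says.
Write-Host "Key container: $keyFile"
(Get-Acl $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Grant Read only: that is all a service needs to sign or decrypt with the key.
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Confirm the entry took effect.
(Get-Acl $keyFile).Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```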

How to issue a Domain Controller Cert with a W2K8 Standard CA


Hello,

I have Windows 2008 64 Bit Standard Domain Controllers

Our CA is a member server running Windows 2008 64 Bit Standard

I understand that I cannot use Certificate templates with this non Enterprise CA. 

How can I issue my DCs a domain controller certificate manually?

CL

SSL Certificate Issues in Windows Server 2003

I have a 2003 R2 SP2 Standard server. I have a certificate issued by a trusted CA. The certificate opens and displays the "The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered" error on the General tab and the "This certificate has an nonvalid digital signature." error on the Certification Path tab. I have installed the KB938397, 948963, and 968730 hotfixes with no change in behavior and am at the end here. The certificate lists sha256RSA as the signature algorithm and V3 as the version. I am then connecting to a service that uses this certificate to sign SSL and it is not working. Any ideas or suggestions?

Using certificate OID's to authenticate WiFi users.


Hello All,

I am trying to sort out some issues with certificate OIDs in our PKI environment. The background is we are in production with our wifi using EAP-TLS. Everything is working great and has been for months. Some of our architects suggested that we could assign unique OIDs to the certificates that would represent different parts of the organization. For instance, Human Resources would have one OID, Claims would have its own OID, and so forth. It was then suggested that we could use NPS to check for these individual OIDs using the "Allowed-Certificate-OID" setting and then act upon them as we wanted, like putting them onto different VLANs. So my first question is, is this even possible?

Our CA is provided by our ISP. I spoke to the CA admin there and he created a new TEST template and published it. I can validate the users are getting this new certificate and I see the OID he assigned on the "Details" tab of the certificate's properties page. On the "General" tab it shows server authentication, client authentication and then simply shows the OID number. Just the number... it doesn't state what it's for. On the "Details" tab, the "EKU" field shows the same purposes listed on the General tab, and so does the "Application Policy" field.

So, armed with the new certificate, I opened the NPS console and edited the "Network Policy". In the "Settings" tab, under the "RADIUS Attributes" heading, I added a new "Vendor Specific" attribute, selected "Allowed-Certificate-OID" and entered the new OID.

This did not work. Clients cannot connect. Logs show:

"The Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. Rejected."

Which brings my second question... Does anyone see where this went wrong?

Thanks so much for any assistance!

Mike

Is there any way to issue a certificate to a UNIX machine for trust? Or how to set up a trust between a Unix machine and a Windows machine?

Is there any way to issue a certificate to a UNIX machine for trust? Or how to set up a trust between a Unix machine and a Windows machine?

PKI Certificate Overwritten?


Hi there.

I am a PKI admin at my organization. A server engineer recently alerted me to an odd situation with a few web server certificates that he had requested last November. The certs were issued (for two years) from one of our internal Certificate Authorities and applied successfully to his ESX servers, enabling secured access to the servers' web links. The website now presents the error "There is a problem with this website's security certificate", as well as "The security certificate presented by this website was not issued by a trusted certificate authority." Looking at the cert, the "Issued by:" field has been modified from our CA name to an IP address which belongs to one of our internal Bluecoat Proxy servers. Also, the cert's serial number has been changed, as well as a few other cert details.

Has anyone seen an internal PKI certificate overwritten before, or know how this could have happened?

Thank you!

Patrick

How do you renew certificates issued by Standalone CA


CA Server is Windows Server 2008 in Standalone mode, clients are both Windows XP and Windows Vista.

How do you renew expiring certificates when your CA is a standalone CA? Any attempts in the MMC snap-ins come back with "request contains No Certificate Template info", which makes sense because standalone CAs do not use templates. So how do you renew a certificate? Or specifically, how do you create a certificate request for renewal using command-line tools, which I'm guessing is the only option? Any help appreciated.

Renewing a Root CA and generating new keys


Hi,

According to http://technet.microsoft.com/en-us/library/cc740209%28v=ws.10%29.aspx

"When you generate a new key pair for a CA that is being renewed, a new certificate revocation list (CRL) distribution point is also created. This is to ensure that the key used to sign a certificate issued by the CA also matches the key used to sign the CRL. For more information about how renewing a CA with a new key affects certificate revocation and the name of CRLs, see Revoking certificates and publishing CRLs."

However, this link contains nothing about CA renewal. It has a section "Publishing a CRL before the next scheduled publish period", i.e. the procedure here:

http://technet.microsoft.com/en-us/library/cc778151%28v=ws.10%29.aspx

Is this all you have to do after renewing a root CA and choosing yes to generate a new public and private key pair for the certification authority's certificate?

Many thanks


Brendan

Windows Server 2012 --- Bitlocker --- Network Unlock


Hi,

This network unlock sounds like a good idea. I have heard this is for Windows 8 and was asking if there are any plans to roll this out on Windows 7?

Regards

Ryan

You have not chosen to trust the issuer of the server's security certificate


Hi, I have an issue whereby any certificates that I issue report "You have not chosen to trust the issuer of the server's security certificate". The certificate chain is shown as OK, and if I validate the certificate using certutil -v -verify -urlfetch certificate.cer there are no errors. I have tried the issued certificates on a normal IIS web site and there are no errors. The errors only occur when they are used with applications such as Citrix SSL Relay. I have tried an external certificate as a test and the Citrix application works fine. I have also created a standalone CA, just as a test, and issued certificates, both SHA1 and SHA256, and these work fine. It only seems to be certificates that I issue from my issuing CA, which has an offline Policy CA as its parent. The offline Policy CA has an offline Root CA as its parent. I have never had this issue before and we have installed Citrix SSL Relay on other projects. The only difference seems to be that we have a three-tier hierarchy and we are using SafeNet HSMs to store the private key material for all of the CAs. Is this an issue with installing certificates in the chain into the client's web browser? I have checked the client's certificate store and the Root CA certificate is in the Trusted Root store and the Issuing and Policy certificates are in the Intermediate store.

Any help in troubleshooting this issue or a resolution would be greatly appreciated.

Here is a screenshot of my error:

Windows 8 VPN Error 798: A certificate could not be found


We've been using certificate based VPN authentication with Windows 7 for a while without any problems.

Now, as a part of testing for Windows 8 upgrade we've discovered that Windows 8 fails to establish VPN connection with error 798: A certificate could not be found that can be used with this Extensible Authentication Protocol.

Builds 8400 and 9200 have been tested.

Token: eToken Java Pro 72K, Software: SafeNet Client 8.1 SP2 (8.1.425.0)

Certificate is issued using Windows Server 2003 Enterprise option.

The event log provides no details.

Any ideas ?

Certificate mismatch. How to avoid using the certificate from the domain registration company?


Problem Overview:

When I attempted to connect to a virtual desktop (VD) using the Windows Remote Desktop (RD) Connection application from an external network, I encountered a certificate subject mismatch error.

“Your computer can’t connect to the remote computer because the Remote Desktop Gateway server address requested and the certificate subject name do not match. Contact your network administrator for assistance.”

Is there a way to get RD Gateway to just avoid certificate authentication in general? (for Windows Server 2012)? If not, below is a more detailed description of the problem (I think it said somewhere “RDS requires certificates for server authentication”).


Network Setup:

Below is a simplified version of my setup.

  • Domain Info:
      • Internal Domain Name: misoit.edu
      • External Domain Name (from JustHost): outside.net
      • “outside.net” (from JustHost) is configured to redirect itself to http://10.10.10.2
  • Router Info:
      • Gateway Router External IP Address (from ISP): 10.10.10.2 [fake]
      • Router forwards ports 3389, 443, and 80 to the internal server.
  • Server and Client Info:
      • Same server has the RD services installed (RD Web Access, RD Gateway, RD Virtualization Host).
      • Same server hosts the VDs.
      • Server hostname: vd-host
      • Virtual Desktop (VD) name: Win8VD-0 (I picked one out of a couple).

Background:

I’m currently setting up a VDI environment and have forgone the option of accessing the VDs using a web browser, for I believe the web service did not configure the .rdp files correctly.

Error Re-creation Steps:

Step 1: When I first installed RD Gateway, I made a self-signed certificate using “outside.net” and applied it to all RD services.

Step2: I imported the created certificate, via USB flash drive, to the external client and made sure it got inserted into the “Trusted Root Certification Authorities”.

Step 3: I attempted to use RD Connection in two ways. The first way inserts “outside.net” as the “Server name:” and the second way inserts “10.10.10.2” as the “Server name:” so I essentially tried connecting twice, but changing just one field each time. Both attempts ended up with the error. So visually, when I load RD Connection app, the fields would be

Under General tab

  • Computer: Win8VD-0 (Virtual Desktop Name)
  • User name: misoitedu\mis.student (Domain\Domain User Name)

Under Advanced tab in Settings

  • Server name: outside.net [I used 10.10.10.2 for the second attempt]
  • “Bypass RD Gateway server for local addresses” is checked.
  • “Use my RD Gateway credentials for the remote computer” is checked.

Step 4: When I clicked connect, a window asks me for the password so I entered it. I also noticed some details on the same window.

“These credentials will be used to connect to the following computers:

1.)   Outside.net (RD Gateway server) [10.10.10.2 was shown for the second attempt]

2.)   Win8VD-0 (remote computer)”

I continued and it tries to connect “Initiating remote connection…” but the error I mentioned at the beginning of this post pops up each time I connected with the different field. When I clicked on the “View certificate…” which was on the error window, I noticed each attempt has different certificate information. If I use “outside.net” then I see the certificate info

  • Issued to: *.JustHost.com
  • Issued by: PositiveSSL CA

If I use “10.10.10.2” then I believe I see the certificate I imported.

  • Issued to: outside.net
  • Issued by: outside.net

Deduction:

I could be wrong, but I’m thinking when I used “outside.net” the external client was using the wrong certificate (not the one I imported). When I used “10.10.10.2” it used the right certificate, but maybe putting an actual IP address in the “Server name:” section threw it off? I was also thinking about using a different FQDN like vd-host.outside.net or Win8VD-0.outside.net but I think I'm getting a bit wild here.

Question:

So, how would I make the external client use the certificate I imported when I use “outside.net” to connect? If I’m way off in my deduction then where should I begin to troubleshoot?
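An added diagnostic, not part of the post above: from the external client, resolve the name and fetch the certificate that the endpoint actually presents on 443, so the “Server name” given to the RD client can be compared with the subject and SAN of whatever answers there. “outside.net” and 10.10.10.2 are the post's placeholder names and are assumptions here.

```powershell
# Added example, not from the post. Shows what a name resolves to and which certificate
# the endpoint really presents, so a subject-name mismatch can be traced to its cause.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$TargetHost,
        [int]$Port = 443
    )
    $addresses = ([System.Net.Dns]::GetHostAddresses($TargetHost) |
                  ForEach-Object { $_.IPAddressToString }) -join ', '

    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        # Validation is switched off only so the certificate can be fetched for inspection;
        # nothing is trusted or transmitted on the basis of this handshake.
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($TargetHost)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Subject Alternative Name (OID 2.5.29.17) is what modern clients match the server name against.
        $san = $cert.Extensions |
               Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { $_.Format($false) }

        [pscustomobject]@{
            Target          = "$TargetHost`:$Port"
            ResolvesTo      = $addresses
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            SubjectAltNames = $san
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
        }
    }
    finally {
        $client.Close()
    }
}

# The RD client compares the 'Server name' it was given with the subject/SAN of whatever
# answers on 443 for that name. Querying both forms from outside makes the difference visible:
# a name that resolves to the hosting provider returns the provider's certificate, not yours.
'outside.net', '10.10.10.2' | ForEach-Object { Get-PresentedCertificate -TargetHost $_ } | Format-List
```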



Win2012 NDES Service SPN breaks PS Remoting.


I've encountered an issue while setting up an Enterprise CA w/NDES on a Windows 2012 DC (all roles deployed on a single system).

  • Before configuring NDES, I've run "Enable-PSRemoting" on an Admin PS (logged as DC Admin), and I've answered Y to all the questions.

Then I've followed the instructions published at the following address to configure the NDES service account: http://technet.microsoft.com/en-us/library/hh831498.asp

More specifically, after executing the following step:

setspn -s http/CA1.cpandl.com cpandl\NdesService

I noticed that launching the following (firewall OFF & NLA Domain Profile):

enter-pssession localhost

I received the following error:

Enter-PSSession : Connecting to remote server localhost failed with the following message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred.

BUT, if I remove the NdesService SPN...

setspn -D http/CA1.cpandl.com cpandl\NdesService

PS Remoting works again.

Further testing reveals that when I manually run:

setspn -s http/CA1.cpandl.com cpandl\NdesService

setspn -s WSMAN/CA1.cpandl.com CA1

setspn -s WSMAN/CA1 CA1

then

enter-pssession localhost

successfully logs me in.

  • Unfortunately, after a CA1 Reboot (even if the WSMAN SPNs are present - confirmed by launching "setspn -l CA1"), PS Remoting doesn't work.

Anyone able to shed some light re the following (unwanted) behaviour?
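An added diagnostic, not part of the post: list which accounts hold the HTTP and WSMAN SPNs for the host. WinRM authenticates as the computer account, so an HTTP/host SPN registered to another account (here NdesService) makes the KDC issue service tickets that the WinRM service cannot decrypt, which is one explanation for the 0x80090322 reported above; `New-PSSessionOption -IncludePortInSPN` is the documented client-side workaround. Host and account names are the post's placeholders and are assumptions here.

```powershell
# Added example, not from the post. Assumed names from the post; adjust for your forest.
$hostFqdn        = 'CA1.cpandl.com'
$hostName        = ($hostFqdn -split '\.')[0]
$computerAccount = "$hostName`$"        # CA1$ : the account the WinRM service authenticates as

# Every SPN a WinRM client may request for this host (HTTP/<host> is the default form).
$candidates = @("HTTP/$hostFqdn", "HTTP/$hostName", "WSMAN/$hostFqdn", "WSMAN/$hostName")

function Get-SpnOwner {
    param([string[]]$Spn)
    # One LDAP query for all candidate SPNs; servicePrincipalName matching is case-insensitive.
    $filter = '(|' + (($Spn | ForEach-Object { "(servicePrincipalName=$_)" }) -join '') + ')'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $filter
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName'))
    foreach ($result in $searcher.FindAll()) {
        $account = [string]$result.Properties['samaccountname'][0]
        foreach ($registered in $result.Properties['serviceprincipalname']) {
            if ($Spn -contains $registered) {
                [pscustomobject]@{ Spn = $registered; Account = $account }
            }
        }
    }
}

$owners = @(Get-SpnOwner -Spn $candidates)
$owners | Format-Table -AutoSize

# Any of these SPNs held by an account other than the computer account yields Kerberos
# tickets encrypted with that account's key, which the WinRM service cannot decrypt.
$foreign = @($owners | Where-Object { $_.Account -ne $computerAccount })
if ($foreign.Count -eq 0) {
    Write-Host "All HTTP/WSMAN SPNs for $hostFqdn belong to $computerAccount"
}
else {
    foreach ($f in $foreign) {
        Write-Warning "$($f.Spn) is registered to $($f.Account), not $computerAccount"
    }
    # Client-side workaround that leaves the NDES SPN in place: request HTTP/<host>:5985,
    # which does not collide with the service account's HTTP/<host> registration.
    # Enter-PSSession -ComputerName $hostFqdn -SessionOption (New-PSSessionOption -IncludePortInSPN)
}
```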


No internet locally, but when connected to AD it will be granted internet. PLEASE HELP!


Hello Everyone,

I want a solution to my problem.

I'm a newbie with Microsoft Server, currently running Windows Server 2008 Enterprise Edition. I want to deploy a server which would contain AD, DNS, and DHCP server. RRAS is also enabled for internet sharing; all are running well now. I have two NICs: a private one, which my clients are connected to, and a public IP for my ISP.

My problem is that every time I connect my client PC to my private IP it automatically gains access to the internet. It acquires the default gateway and DNS which I created on my server.

What I want is that every time I connect my client to my server it would only be connected locally, not to the internet, and only when I join my client to the domain (AD) would my client be granted access to the internet.

Please help me out. I'm just a newbie.

thank you so much.

Audit file opening in share the easy way or 3rd party app


Hello,

A client with an SBS 2008 asked us to audit a shared area of the server for file openings (read attribute). He needs to have reports of when the files are opened and by whom, and since he is not an IT person, we cannot tell him to check event logs. So he needs to get either e-mail alerts or check some web environment.

Is there any application for this? I have searched but I only found an application from Quest which has a minimum purchase of 300 accounts, and it is very expensive.

Best regards

Kostas


Kostas Backas-Systemgraph Technologies

How can I enumerate possible CategoryIDs, SubCategoryIDs, and Changes in AuditPolicyChange/4719 Event?


When we look at the XML representation of an AuditPolicyChange event, we see values like %%8278, %%13827 or %%8448 in the Category, SubCategory, and Changes fields respectively (see screenshot #1). However, looking at the same event in the General tab of the Event Viewer gives me "Account Management", "Distribution Group Management", and "Success removed" for the respective fields (see screenshot #2).

I've been trying to find the possible values (Platform SDK, Bing, Google, ...) for those fields with no success. Can anyone from the team shed some light regarding how to decode these values? (Note: I've found the SubCategory GUIDs to SubCategory names mapping, but I am not sure if these values are subject to change.)

[Screenshot #1]

[Screenshot #2]
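An added example, not part of the post: build the %%NNNN-to-text mapping from the local machine's own 4719 events by pairing each event's raw EventData with the message the OS renders for it, and list the events where auditing was reduced. It needs read access to the Security log and learns only codes that actually appear there; the EventData field names (CategoryId, SubCategoryId, AuditPolicyChanges) are those of event 4719.

```powershell
# Added example, not from the post. Derives the placeholder-to-text mapping from events
# already in the Security log, so it needs no external table. Run elevated.
function Get-AuditPolicyChangeCodes {
    param([int]$MaxEvents = 1000)
    $map = @{}
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        if (-not $e.Message) { continue }        # provider message file unavailable; nothing to pair with

        # Raw values: the %%NNNN codes exactly as the XML view shows them.
        $raw = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $raw[$d.Name] = $d.'#text' }

        # Rendered values: the same fields as the General tab shows them.
        $text = @{}
        foreach ($line in ($e.Message -split "`r?`n")) {
            if ($line -match '^\s*(Category|Subcategory|Changes):\s+(.+?)\s*$') {
                $text[$Matches[1]] = $Matches[2]
            }
        }

        $pairs = @{ Category = 'CategoryId'; Subcategory = 'SubCategoryId'; Changes = 'AuditPolicyChanges' }
        foreach ($field in $pairs.Keys) {
            # 'Changes' may carry several codes ("%%8449, %%8451"); pair them positionally.
            $codes = @(($raw[$pairs[$field]] -split ',\s*') | Where-Object { $_ })
            $words = @(($text[$field]         -split ',\s*') | Where-Object { $_ })
            for ($i = 0; $i -lt [Math]::Min($codes.Count, $words.Count); $i++) {
                $map[$codes[$i]] = $words[$i]
            }
        }
    }
    $map
}

# Defender's view: a 4719 whose change is a 'removed' entry means auditing was turned down,
# which is the variant worth alerting on.
function Get-AuditPolicyRemovals {
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } -MaxEvents $MaxEvents |
        Where-Object { $_.Message -match 'Changes:\s+.*removed' } |
        Select-Object TimeCreated,
            @{ n = 'Account';  e = { if ($_.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } } },
            @{ n = 'Category'; e = { if ($_.Message -match 'Category:\s+(.+?)\s*$') { $Matches[1] } } },
            @{ n = 'Changes';  e = { if ($_.Message -match 'Changes:\s+(.+?)\s*$')  { $Matches[1] } } }
}

Get-AuditPolicyChangeCodes | Format-Table -AutoSize
Get-AuditPolicyRemovals    | Format-Table -AutoSize
```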

Domain administrator password changes from time to time


Recently, my domain administrator password changes from time to time.

I'm using a Windows 2008 R2 Standard Edition 64-bit server. I checked my Event Viewer but there is no special event. I'm using Symantec Endpoint Protection, and it's also up-to-date.

Please help me to resolve the problem.

Certificate Services - Automatic Enrollment and Pooled/Stateless Desktops


I've recently implemented a PKI in a new domain where some of the desktops are stateless. Part of the PKI configuration is to enable auto-enrollment for all computers in the domain. This is working well, but I've noticed every time a stateless desktop reboots and reverts back to its base image it requests a new certificate and one is supplied by the CA.

The problem with this is that these desktops could reboot daily and thus obtain a certificate daily. As you can imagine, this is growing the number of certificates that have been issued at an alarming rate, and in Issued Certificates there are multiples for a single computer account.

On the template the options 'Publish certificate in Active Directory' and 'Do not automatically reenroll if a duplicate certificate exists in Active Directory' are checked, and the Domain Computers group has Read, Enroll and Autoenroll rights. My understanding is that this will store the certificate for the computer in AD and, if a new certificate request is made for the computer, this will negate the need for a new certificate.

The validity period is 1 year and the renewal period is 6 weeks. I know I could reduce the validity period, but then I impact dedicated desktops and servers.

The PKI is 2008 R2.

When a stateless desktop reverts to its base image the SID of the computer account does not change.
