Channel: Security forum

Certificates generated using NDES + AirWatch publish to the service account and not the actual user


Hi,

We're trying to use AirWatch (an MDM) to request certificates via SCEP (NDES) and push them down to the devices for authentication to Wi-Fi and VPN, etc. We also want to use them for S/MIME. The certificate request is working great and the certificate is issued to the correct user. However, when we try to use the certificate for S/MIME, it can't look up the public key. After looking in AD, I'm realizing that the certificate is not published for the user even though the option is checked on the certificate template. Instead it's being published to the service account, scepsvc.

Is there something I'm missing here? Is there a way for the request to associate with the correct user account in AD and publish it for that user? I've checked the attributes in AD as well, and userCertificate and userSMIMECertificate are both blank.

See the screenshot below of the service account having all the certificates published to it and the blank attributes on the actual user account.




Non-transitive domain security question


I think I have this mouthful right, and excuse me as I'm still quite a novice to multi-domain and advanced configuration regarding this...

We have an incoming, external and non-transitive domain that I'm running a robocopy script against, and I am getting a security error. We created a file server role and, when looking at the share's properties, our domain admins have full access, yet effective access fails for my user and also for the aforementioned script. Any ideas?

Using a CA cert across forests


We use a cert from our Windows Enterprise CA to sign updates we deploy in WSUS for our production domain1. We are in the process of setting up domain2 and want to use the same cert in that new forest. We currently deploy this cert with Group Policy to our clients. We'd like to do the same, but are unsure of the best way to use the cert from domain1 in domain2. We have a new Enterprise CA just set up in domain2 as well, if that makes any difference.

Orange County District Attorney

BitLocker Already Configured Issue


System Configuration: Windows Server 2008 R2 Standard
Disk Configuration: RAID1

We have a newly built system that is joined to a domain and has the proper GPOs for BitLocker already set up. We install BitLocker, rebooting the machine as instructed. Next, we need to set up BitLocker, so we run the following command:

bdehdcfg -target c: shrink -newdriveletter s: -size 1500

We receive the message: This computers hard drive is properly configured for BitLocker. It is not necessary to run BitLocker Setup.

The problem is, BitLocker is NOT ready to be installed at all... there is no additional partition for it to use, and creating it manually and running a merge produces the same message about it already being configured.

The problem is, it's not truly configured: when looking at Disk Management, the disks do not resemble the other machines in our environment where BitLocker properly works. It will begin encrypting and then fail halfway through. At that point, a window pops up and asks us to run chkdsk /r, which runs without issue, and we then get stuck in a seemingly infinite loop of chkdsks and reboots.

Any Ideas?


Schannel 36887 Error : The following fatal alert was received: 40.


Hello,

Our ASP.NET MVC 4.0 application is hosted on Windows Server 2008 R2 Standard.

Whenever the application tries to access external services, like the email service used to send email, the following error is logged in the server's Event Viewer:

Schannel 36887 Error : The following fatal alert was received: 40.

Application also logs an exception as given below:

System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The message received was unexpected or badly formatted

It is a random issue, and it gets resolved if the application is restarted.

This might be because of some patch or Windows update we have applied on the server, but we are unable to identify the exact root cause and solution.

Uninstall of AD RMS server and reinstall failed on Windows Server 2012 R2


Dear Expert,

When I remove the AD RMS role and reinstall it again, I face this problem. Please suggest.

Applying recommended settings from "Microsoft Security Compliance Manager 3.0.60.0" to a standalone server using LocalGPO.wsf on Server 2012 R2


Hello

Can someone please help me with the following question.

I have a standalone server and need to apply settings from SCM. I can see how to do this following the instructions in the following article:

http://windowsitpro.com/security/q-how-can-i-apply-security-baseline-i-defined-through-microsoft-security-compliance-manager

The problem is the LocalGPO.wsf that ships with the above version of SCM does not run on Server 2012 R2 (only Server 2012).

My question is: is there a later version of LocalGPO.wsf I can use that works on Server 2012 R2?

Thanks

AAnotherUser__


How Does A Root CA Certificate Get Distributed To Domain Clients?


Just set up a 2012 R2 Root CA in a lab. I have a few Windows 2012 R2 member servers in the lab forest and noticed that they do not have the CA root cert in their Trusted Root Certification Authorities store. I thought this happened automagically in Active Directory. Do I need to create a Group Policy to deploy it?

Orange County District Attorney


Subordinate certification authority can't start ADCS service: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).


Hi

I have 1 root CA and 1 subordinate CA. I removed one of the locations to publish the CRL to, and after that the ADCS service can't start. I get the warning first:

Revocation status for a certificate in the chain for CA certificate 2 for siu-SRVDC01-CA could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

And then the error:

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  siu-SRVDC01-CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

I've read many threads with similar problems but I can't find the solution. The CDP is online. I've run "certutil -url cert.cer" to verify the CDP and AIA and everything is fine. But the service is still not starting.

See the output of this command too:

C:\>certutil -verify -urlfetch subCADC01.cer
Issuer:
    CN=siu-SRVDC02-CA
    DC=siu
    DC=domain
  Name Hash(sha1): 152a7c43f186d9179c1c3256d3a1a0af4a9df892
  Name Hash(md5): b409e417a38bbe04b5800512bd94efac
Subject:
    CN=siu-SRVDC01-CA
    DC=siu
    DC=domain
  Name Hash(sha1): 5ee421b84c3b18ff134cf2e42226853d78d3409b
  Name Hash(md5): e1a454692361733e45dad374dc14cae3
Cert Serial Number: 1e0000022c707c76c0a27b315700000000022c

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Hours, 2 Minutes, 16 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Hours, 2 Minutes, 16 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=siu-SRVDC02-CA, DC=siu, DC=domain
  NotBefore: 19.03.2015 11:18
  NotAfter: 19.03.2017 11:28
  Subject: CN=siu-SRVDC01-CA, DC=siu, DC=domain
  Serial: 1e0000022c707c76c0a27b315700000000022c
  Template: SubCA
  a1a8a95464c5b586da6e9b304142d59fc5a22ae0
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://wwwca/CertEnroll/srvdc02.siu.domain_siu-SRVDC02-CA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (26)" Time: 0
    [0.0] http://sharepoint.siu.no:8088/siu-SRVDC02-CA.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 26:
    Issuer: CN=siu-SRVDC02-CA, DC=siu, DC=domain
    ThisUpdate: 19.03.2015 11:10
    NextUpdate: 15.09.2015 23:30
    e2ee543a68214f9b99dda2e9f58b1ddfc34429d1

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=siu-SRVDC02-CA, DC=siu, DC=domain
  NotBefore: 23.09.2011 13:00
  NotAfter: 23.09.2021 13:10
  Subject: CN=siu-SRVDC02-CA, DC=siu, DC=domain
  Serial: 60fc459ebdefa5b646a081b0c21c259d
  4ea8bb95b0038c69a83c939e8a54f892cd0b5056
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  691f7e42f5c4a86d03b7225bf7303369ef6dcc7e
Full chain:
  17e5b9477a1736c33dc0ff245e7b06de5b958c4c
------------------------------------
Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Any clue?

A second SubCA in AD Forest


We have two AD forests: one is a single-domain forest with a CA and the second one is a multi-domain forest where we deploy certificates via cross-forest enrollment from our single-domain forest.

1. Domain A > Root and Enterprise CA

2. Domain B > Certificates issued from Domain A Enterprise CA

   Domain B.A > Certificates issued from Domain A Enterprise CA

   Domain B.B > Certificates issued from Domain A Enterprise CA

Could I install a second Enterprise CA in my subdomain Domain B.B without messing up the enrollment from my first Enterprise CA?

I would have to publish the Enterprise CA from my root Domain B so all other subdomains will also trust this second CA.

Is it possible for templates to coexist when I copy them from Domain A to Domain B? The templates are then deployed from Domain B to the subdomains. So if I install an Enterprise CA in Domain B.B, will templates also be published to my root Domain B?

Do I need to be a permanent member of the Enterprise Admins group to operate the CA, or just for installation?

Audit Failure - Advapi. Help Please!!



- System
  Provider Name: Microsoft-Windows-Security-Auditing
  Provider Guid: {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID: 4625
  Version: 0
  Level: 0
  Task: 12544
  Opcode: 0
  Keywords: 0x8010000000000000
  TimeCreated SystemTime: 2015-03-19T17:34:10.574987400Z
  EventRecordID: 445434289
  Correlation:
  Execution ProcessID: 500, ThreadID: 1168
  Channel: Security
  Computer: Security
- EventData
  SubjectUserSid: S-1-5-18
  SubjectUserName:
  SubjectDomainName:
  SubjectLogonId: 0x3e7
  TargetUserSid: S-1-0-0
  TargetUserName:
  TargetDomainName:
  Status: 0xc000006d
  FailureReason: %%2313
  SubStatus: 0xc000006a
  LogonType: 3
  LogonProcessName: Advapi
  AuthenticationPackageName: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  WorkstationName:
  TransmittedServices: -
  LmPackageName: -
  KeyLength: 0
  ProcessId: 0x1f4
  ProcessName: C:\Windows\System32\lsass.exe
  IpAddress:
  IpPort: 1216

Hi Everyone,

I know this could be the result of many different things, but I was hoping that someone has had the same issue with this before and could shed some light on how to fix it, or at least a few suggestions on what it could be.

Any help is much appreciated!
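As an added example, not part of the post above, here is a small Python helper a responder can use to read a 4625 event like the one pasted in this thread: it splits the flattened EventData text into fields, decodes the Status/SubStatus NTSTATUS codes and the logon type, and notes what the Advapi logon process, the LocalSystem subject and the blank target name tell you. The sample string is constructed from the event in the post, and the field order assumed is the standard 4625 EventData order.

```python
import re
from typing import Dict

# NTSTATUS values commonly seen in the Status / SubStatus fields of event 4625.
STATUS_CODES = {
    0xC000006D: "STATUS_LOGON_FAILURE: unknown user name or bad password",
    0xC000006A: "STATUS_WRONG_PASSWORD: user name is correct but the password is wrong",
    0xC0000064: "STATUS_NO_SUCH_USER: user name does not exist",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# EventData field names of a 4625 event, in the order Event Viewer prints them.
FIELDS = ["SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId",
          "TargetUserSid", "TargetUserName", "TargetDomainName", "Status", "FailureReason",
          "SubStatus", "LogonType", "LogonProcessName", "AuthenticationPackageName",
          "WorkstationName", "TransmittedServices", "LmPackageName", "KeyLength",
          "ProcessId", "ProcessName", "IpAddress", "IpPort"]

# Constructed sample: the EventData portion of the event quoted in the post.
SAMPLE_EVENTDATA = (r"SubjectUserSid S-1-5-18 SubjectUserName SubjectDomainName SubjectLogonId 0x3e7 "
                    r"TargetUserSid S-1-0-0 TargetUserName TargetDomainName Status 0xc000006d "
                    r"FailureReason %%2313 SubStatus 0xc000006a LogonType 3 LogonProcessName Advapi "
                    r"AuthenticationPackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 WorkstationName "
                    r"TransmittedServices - LmPackageName - KeyLength 0 ProcessId 0x1f4 "
                    r"ProcessName C:\Windows\System32\lsass.exe IpAddress IpPort 1216")


def parse_flat_eventdata(text: str) -> Dict[str, str]:
    """Split the flattened 'Name value Name value' text into a field dict.

    A field name immediately followed by the next field name has an empty value,
    which is the case for TargetUserName, WorkstationName and IpAddress here.
    """
    names = "|".join(re.escape(f) for f in FIELDS)
    rx = re.compile(rf"\b({names})\b\s*(.*?)\s*(?=\b(?:{names})\b|$)", re.S)
    return {m.group(1): m.group(2) for m in rx.finditer(text)}


def triage_4625(ev: Dict[str, str]) -> Dict[str, str]:
    """Decode the status codes and note what the caller fields tell a responder."""
    status, sub = int(ev["Status"], 16), int(ev["SubStatus"], 16)
    notes = []
    if ev["LogonProcessName"] == "Advapi":
        notes.append("Advapi: a local process passed credentials to LogonUser, not an interactive logon")
    if ev["SubjectUserSid"] == "S-1-5-18":
        notes.append("caller runs as LocalSystem (S-1-5-18)")
    if not ev["TargetUserName"]:
        notes.append("TargetUserName is blank, so the account cannot be identified from this event alone")
    if not ev["IpAddress"] and not ev["WorkstationName"]:
        notes.append("no source IP or workstation: the attempt originated on this host")
    return {
        "status": STATUS_CODES.get(status, f"unknown 0x{status:08X}"),
        "substatus": STATUS_CODES.get(sub, f"unknown 0x{sub:08X}"),
        "logon_type": LOGON_TYPES.get(int(ev["LogonType"]), "other"),
        "caller": ev["ProcessName"],
        "notes": "; ".join(notes),
    }
```

For the sample event the SubStatus decodes to STATUS_WRONG_PASSWORD, so the next step is to find which local service or scheduled task on the host holds a stale credential, using the ProcessId and the time of the event.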

Certificate issues


Modification of the registry keys as below caused certificates to stop working on a web server. The cert is issued by a local domain CA. How do I build a cert with the latest security?

Is there a way to download TLS 1.2?

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000


Event ID 4768 (0x6)


Hi,

First off, I don't know if this is exactly the right forum, but here goes.

I ran into numerous event ID 4768 audit failures. I figured out the root cause but don't know how to solve it.

Situation is this:

The company has AD which is, for example, company.local. They have external Exchange services from their ISP, and the mail domain is, for example, fullcompany.com. Now let's presume John Smith is an employee of the company.

So his AD account would be john.smith@company.local (or company\john.smith) and his email account would be john.smith@fullcompany.com.

The problem is, event ID 4768 is generated for john.smith@fullcompany.com, as in, for some reason the mail account asks for Kerberos auth from AD. The return is an audit failure with 0x6, since naturally in this scenario there is no such account in AD.

Now, I have no clue what to do with this. I really don't want to disable the events from showing. Is this Outlook (2013) doing this, or what's causing it? And how could this be fixed?


Microsoft Windows Security Auditing


Dear Support,

I'm getting the error below in Event Viewer; this is related to my web server, which is integrated with Active Directory.

The Windows Filtering Platform has blocked a connection.

Application Information:
  Process ID: 496
  Application Name: \device\harddiskvolume2\windows\system32\lsass.exe

Network Information:
  Direction: Outbound
  Source Address: Webserver
  Source Port: 58298
  Destination Address: Domain Controller
  Destination Port: 49159
  Protocol: 6

Regards,

Hakim. B



account unknown in user profiles


On all our domain controllers (Server 2003 R2 and 2008) we have found an "Account Unknown" listed under My Computer > Properties > Advanced > User Profiles > Settings. My concern is that the Account Unknown profile shows under all our domain controllers in the aforementioned place and it shows that that particular profile is still being accessed. By being accessed I mean that the "Modified" date shows that it was modified just a few days ago, and it changes every couple of days. Also, the option to delete the account is grayed out and I cannot find any orphaned profiles under Documents and Settings.

What I need to know is if that profile is being used by some system account, or whether the servers have been compromised.

Any assistance or clarification of this issue will be greatly appreciated. Thank you.


CRL does not seem to invalidate revoked subordinate CA certificate


In a test network, I have two CAs:

- PKI-Root-CA (offline)

- PKI-Sub-CA-1 (subordinate issuing CA)

After deciding to change the HTTP URL for AIA and CRL, I consequently had to issue a new certificate for the subordinate CA.

Obviously, I could not change the HTTP URL and expect certificates with the old HTTP URL to find the AIA and CDP locations with the outdated information.

So I revoked the existing subordinate CA certificate, published a new CRL, and both requested and installed a new certificate for the subordinate CA.

PKI View shows that everything is OK (none of those red error icons).

This is what I do not understand.

If I look in the certificate store of PKI-Sub-CA-1, I see this:

Please note the serial number.


If I look at the CRL folder, I see two CRLs. The first (shown below) is difficult to explain. What happened, I believe, is that I copied it from the root CA before running the post-install script that sets the CRL validity to 52 weeks (a possible setting for an offline root CA's CRL). Apparently, the default was one week, and after setting this project aside for a week or so, I was surprised to see that PKI View was showing the root CA's CRL as already expired! Of course, this CRL will not show the revoked certificate of the subordinate CA, since that took place later.

So I issued a new CRL from the root CA and installed it into the subordinate CA's certificate store.

Here it is, with the serial number of the original subordinate CA certificate that I revoked after adjusting the HTTP URL:

(See next post - I'm limited to two images per message. Don't worry, I'm only posting three!)




Replace ISA 2006


Hi,

We want something better to replace ISA 2006 (TMG optional), but its support will be over soon.
I would like to ask for good tips on something that will be good for at least five years.

Network environment: Windows Server 2012 domain controller, Exchange 2013, IBM Maximo, 15 users and ~30 PCs and devices, Windows 7 OS and some Windows XP.

Thanks.

by, Mishpatim



CPS


How can I add "Issuer Statement" to user certificates?

No Certificates Found by Certificate Server - Though they exist in ADSI


I've been racking my head on and off for over a month trying to stand up a PKI in my lab environment.

I used this guide to set up my PKI, and after a few modifications it worked perfectly!

http://www.derekseaman.com/2014/01/windows-server-2012-r2-two-tier-pki-ca-pt-1.html

When I go to PKI View everything is OK. I have my offline root installed properly, as it has the CDP and AIA with an OK status, and my sub CA has OK for AIA and CDP.

Now the problem happens on the actual CA, as it logs event ID 44 in the Application log every time Certificate Services starts.

Specifically, the entire message is:

The "Windows default" Policy Module "Initialize" method returned an error. Cannot find object or property. The returned status code is 0x80092004 (-2146885628).  The Active Directory Certificate Services Policy contains no valid Certificate Templates.

After the event is logged I get event ID 26 stating that it started and is running on DC=domain controller FQDN. I also get a DCOM object error in the System log:

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {D99E6E73-FC88-11D0-B498-00A0C90312F3} and APPID {D99E6E74-FC88-11D0-B498-00A0C90312F3} to the user DOMAIN\Username SID (S-1-5-21-2276686680-1213147667-977454713-1105) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

I tried adding my account to the CertSrv object, though it did not seem to fix anything, and I am not familiar with DCOM object access.

I've followed the event ID 44 guide from https://technet.microsoft.com/en-us/library/cc774512%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 and I used the MSG_NO_CERT_TYPES section and followed the guide for verifying permissions, and everything checks out just fine.

I should also mention I have tried 2 different root CAs and 4 sub CAs, thinking maybe they installed wrong. I previously had a very broken PKI installed, and that was fully removed and replaced by my second iteration, which worked fine except I could never get PKI View happy, and that's when I tried iterations 3 and 4. I used this guide to decommission the previous CA environments.

Overall I really would like to get a PKI stood back up in my lab so that I can issue web certificates and learn more about it.

I should also note that I have deleted the existing certificate templates and recreated them several times, and when I load Certificate Templates from the sub CA it sees them all just fine and I can edit them and create new ones.


~Wesley K.


Users automatically enroll multiple certificates from template with "Do not automatically reenroll..." checkbox


I have 6 AD forests, one of which is a resource forest with centralized services like Exchange and the certification authority. All user forests have a two-way trust with the resource forest and users can enroll certificates from the central CA. On the CA a certificate template was published with the "Do not automatically reenroll..." checkbox. This template was copied to all user forests via PKISync.ps1. The central CA publishes all certificates to the users' AD.

I have a problem with multiple certificate issuance in one of the user forests. Users in the problem forest automatically enroll a new certificate even if a certificate from the same template is already published to AD.

I need help in diagnosing the cause of this behavior of the certificate autoenrollment client.

