Channel: Security forum
Viewing all 12072 articles

Incorrect AIA and CDP locations displayed in PKIVIEW cant be removed


Hi,

Whenever I run PKIVIEW against my WS2012 R2 PKI environment, I have an AIA and a CDP location that show up even though they have been removed from the CA's extensions. I checked the registry and they do not appear to be there; they only appear in PKIVIEW. I have rebooted the CA listed with the bogus entries and revoked and reissued its CA exchange cert, but neither of those actions seems to clear it up.

thanks,

Mike



0x8002801c error when trying to unregister scrrun.dll Win2008 R2 64bit


For the DoD STIGs, they want you to unregister the File System Component, and their steps are to unregister scrrun.dll.

I'm on Win2008 R2 SP1, 64-bit. I open a command prompt with 'Run as administrator' and try

regsvr32.exe scrrun.dll /u

or

regsvr32.exe c:\windows\system32\scrrun.dll

And I've tried with the regsvr32.exe that is in c:\windows\syswow64.

Every time I get the same error: 'The module 'c:\windows\system32\scrrun.dll' was loaded, but the call to DllUnregisterServer failed with error code 0x8002801c.'

Hits with Google infer not running as administrator (but I am) or registry permissions (I didn't see anything glaring with Procmon). This is a vanilla box except for a few minor adds like IIS and SQL Server 2008 R2.

What can I do to be able to conform to this STIG on Win2008 R2 64bit?
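Added diagnostic for the post above (not from the poster): 0x8002801C is TYPE_E_REGISTRYACCESS ("Error accessing the OLE registry"), which is what DllUnregisterServer returns when it cannot delete the COM keys it registered. Before going further it is worth seeing who owns those keys and whether BUILTIN\Administrators can actually write them. The script resolves the CLSID from the ProgID `Scripting.FileSystemObject` instead of hard-coding GUIDs, includes the Wow6432Node view that the 32-bit regsvr32 on an x64 box operates on, and changes nothing. Run it from an elevated 64-bit PowerShell on the server.

```powershell
# Added example, not from the original post: report owner and Administrators write
# access for the registry keys behind the Scripting.FileSystemObject COM registration.

function Get-ComRegistrationKeys {
    param([string]$ProgId = 'Scripting.FileSystemObject')
    # The CLSID is read from the ProgID key rather than hard-coded.
    $clsid = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID").'(default)'
    $keys = @(
        "HKLM:\SOFTWARE\Classes\$ProgId",
        "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
        "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid"    # what the 32-bit regsvr32 sees on x64
    )
    $tlbKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\TypeLib"
    if (Test-Path $tlbKey) {
        # The type library GUID comes from the CLSID key, if one is registered there.
        $keys += "HKLM:\SOFTWARE\Classes\TypeLib\$((Get-ItemProperty -Path $tlbKey).'(default)')"
    }
    $keys | Where-Object { Test-Path $_ }
}

function Test-RegistryKeyWritable {
    param([Parameter(Mandatory=$true)][string]$Path)
    $acl = Get-Acl -Path $Path
    $admins = (New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')).Translate([System.Security.Principal.NTAccount]).Value
    # Unregistering deletes values and keys, so SetValue or Delete is the access that matters
    # (FullControl includes both bits).
    $writeBits = [System.Security.AccessControl.RegistryRights]::SetValue -bor [System.Security.AccessControl.RegistryRights]::Delete
    $canWrite = $false
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq $admins -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $writeBits) -ne 0)) {
            $canWrite = $true
        }
    }
    New-Object PSObject -Property @{ Key = $Path; Owner = $acl.Owner; AdminsCanWrite = $canWrite }
}

Get-ComRegistrationKeys | ForEach-Object { Test-RegistryKeyWritable -Path $_ } |
    Format-Table Key, Owner, AdminsCanWrite -AutoSize
```

If the output shows the keys owned by NT SERVICE\TrustedInstaller with AdminsCanWrite False, the failure is an ACL problem rather than an elevation problem, which is consistent with the HRESULT and with Procmon showing nothing "glaring" (the denied operation is a key deletion, not a read). Note that the 64-bit and 32-bit copies of scrrun.dll register under different keys (CLSID versus Wow6432Node\CLSID), so each copy has to be unregistered with the regsvr32.exe of the same bitness.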

Add-KDSRootKey fails with "Request not supported" error


I'm trying to create a group Managed Service Account (gMSA) on a newly installed Win2012 DC (the first computer in the domain). Creating the gMSA requires you to first create a KDS root key. I launch the Active Directory Module for Windows PowerShell using Run as Administrator and issue the following:

Add-KDSRootKey -EffectiveTime ((get-date).addhours(-11))

I get an error "The request is not supported". If I change it to -EffectiveImmediately, I get the same error.

Add-KDSRootKey : The request is not supported. (Exception from HRESULT: 0x80070032)... Exception from HRESULT: Microsoft.KeyDistributionService.Cmdlets.AddKDSRootKeyCommand

The KDS cmdlets are installed (I can query/use them with get-help KDS) and I can use them to list keys (empty) and view the configuration; I just can't seem to add a KDS root key. When I look in AD Sites and Services at Services\Root Key, it's empty. I've struggled with this for two days now; any suggestions?
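Added checks for the post above (not the poster's own code): 0x80070032 is ERROR_NOT_SUPPORTED. The cmdlet relies on the Microsoft Key Distribution Service (service name KdsSvc) on the domain controller and on the `Master Root Keys` container under `Group Key Distribution Service` in the configuration partition, so the script reports the state of both before retrying `Add-KdsRootKey` with `-ErrorAction Stop` so that a failure is caught and the checked state is shown next to it. The 10-hour back-dating is the documented lab shortcut: a root key is only usable 10 hours after its effective time so that every DC has replicated it. Run elevated on the DC.

```powershell
# Added example, not from the original post: verify what Add-KdsRootKey depends on,
# then create a lab root key whose effective time is already in the past.

function Get-KdsPrerequisiteState {
    $svc = Get-Service -Name KdsSvc -ErrorAction SilentlyContinue
    $status = 'NotInstalled'
    if ($svc) { $status = $svc.Status.ToString() }

    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNc"
    $exists    = [ADSI]::Exists("LDAP://$container")
    $keyCount  = 0
    if ($exists) { $keyCount = @(([ADSI]"LDAP://$container").psbase.Children).Count }

    New-Object PSObject -Property @{
        IsDomainController = ((Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4)   # 4 = backup DC, 5 = primary DC
        ServiceStatus      = $status
        ContainerDn        = $container
        ContainerExists    = $exists
        ExistingRootKeys   = $keyCount
    }
}

function New-LabKdsRootKey {
    param([int]$HoursBack = 10)
    $state = Get-KdsPrerequisiteState
    if ($state.ServiceStatus -ne 'Running' -and $state.ServiceStatus -ne 'NotInstalled') {
        Start-Service -Name KdsSvc
    }
    try {
        # Back-dating the effective time skips the replication wait; lab use only.
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-$HoursBack)) -ErrorAction Stop
    } catch {
        # 0x80070032 = ERROR_NOT_SUPPORTED: show what was checked before giving up.
        Write-Warning ("Add-KdsRootKey failed: {0}" -f $_.Exception.Message)
        Write-Warning (Get-KdsPrerequisiteState | Format-List | Out-String)
        throw
    }
    Get-KdsRootKey | Select-Object KeyId, EffectiveTime, CreationTime
}

Get-KdsPrerequisiteState | Format-List
# New-LabKdsRootKey
```

`Get-KdsRootKey` reading back at least one key with an EffectiveTime in the past is the state `New-ADServiceAccount` needs; `-EffectiveImmediately` does not remove the 10-hour wait, it only sets the effective time to now.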

slow RADIUS authentications - error with wired auto config?


Hi everyone, we have a scenario where some supplicants take anywhere from 3 to 30 seconds to authenticate from when the login screen is presented to users.

The supplicants are all Windows 7 SP1, the authentication server is Microsoft NPS on Server 2012, and we are running EAP-TLS 802.1X. We have a GPO that configures the WiredAutoConfig service to Automatic, applies a Wired IEEE 802.3 network policy and configures certificate auto-enrolment.

When it all works well (which is most of the time) the PC boots up and authenticates before the user has a chance to attempt to log in; however, when this issue occurs the PC does not authenticate, and as such the user receives "No logon servers available" messages until the PC authenticates 3 to 30 seconds later. We see the following sequence of events in the Wired-AutoConfig operational log:

ID 15515
The wired autoconfig service is starting

ID 15511
The wired autoconfig service entered the running state

ID 14001
A previously existing Wired Group Policy was applied to your computer
Wired Group Policy Name: Network Policy
Applied Settings:
AutoConfig Enabled: Yes
Wired Group Policy Summary
Profile applied: Yes
Reason Code: 0

ID 15502
The profile was applied on the network adapter.
Network Adapter: Intel......
Interface GUID: {........}
Profile Type: Interface
Profile Content:
AutoConfig Version: 1
802.1x: Enabled
802.1x: Not Enforced
EAP Type: Microsoft: Protected EAP (PEAP)
802.1x auth credential: Not specified
Cache user information: yes

ID 15508
There has been an NDIS Port State change on this network adapter.
.........
NDIS Control State: UnControlled
NDIS Auth State: UnAuthorized

ID 15502
The profile was applied on the network adapter.
Network Adapter: Intel......
Interface GUID: {........}
Profile Type: Group Policy
Profile Content:
AutoConfig Version: 1
802.1x: Enabled
802.1x: Not Enforced
EAP Type: Microsoft: Smart Card or other certificate
802.1x auth credential: Machine Credential
Cache user information: yes

then Wired 802.1x authentication was started, another NDIS Port state change to Authorized and then a successful Wired 802.1x Authentication is logged.

My concern is that it seems to apply the (default?) PEAP settings first, and sometimes the time gap between that log entry and the correct "Smart Card or other certificate" entry can be up to 30 seconds. When it works well there is only a 1-second gap between those two entries. Is there any way to force the PC to always utilise the correct wired policy, or to ensure the time delay is minimal? Is it normal behaviour, and can anyone replicate the PEAP profile being applied to the interface even though a certificate-based policy is the only one that exists in Group Policy?

Please let me know if you need any other information to assist

Thank You
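Added example for the post above (not the poster's code): rather than eyeballing the operational log, measure the thing the post is worried about, the delay between the first 15502 event (the interface profile with PEAP) and the later 15502 event that applies the Group Policy profile with certificate EAP, per boot (each 15515 "service is starting" resets the counters). The function takes any objects with TimeCreated, Id and Message, so it is exercised here on a constructed sample shaped like the post's sequence; the commented line at the end feeds it the live `Microsoft-Windows-Wired-AutoConfig/Operational` log on a supplicant.

```powershell
# Added example, not from the original post: per-boot gap between the interface
# (PEAP) profile and the Group Policy (certificate) profile in the Wired-AutoConfig log.

$LogName = 'Microsoft-Windows-Wired-AutoConfig/Operational'

function Get-ProfileApplyGaps {
    # $Events: objects with TimeCreated, Id and Message (from Get-WinEvent, or constructed).
    param([Parameter(Mandatory=$true)]$Events)
    $bootStart  = $null
    $firstApply = $null
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($e.Id -eq 15515) {                        # service starting: a new boot, reset
            $bootStart = $e.TimeCreated; $firstApply = $null
        }
        elseif ($e.Id -eq 15502) {
            if ($e.Message -match 'Profile Type:\s*Interface') {
                if (-not $firstApply) { $firstApply = $e.TimeCreated }
            }
            elseif ($e.Message -match 'Profile Type:\s*Group Policy') {
                $eap = '?'
                if ($e.Message -match 'EAP Type:\s*(.+)') { $eap = $matches[1].Trim() }
                $gap = $null; $sinceStart = $null
                if ($firstApply) { $gap        = [math]::Round(($e.TimeCreated - $firstApply).TotalSeconds, 1) }
                if ($bootStart)  { $sinceStart = [math]::Round(($e.TimeCreated - $bootStart).TotalSeconds, 1) }
                New-Object PSObject -Property @{
                    BootStart            = $bootStart
                    InterfaceProfileAt   = $firstApply
                    GroupPolicyProfileAt = $e.TimeCreated
                    EapType              = $eap
                    GapSeconds           = $gap
                    SinceStartSeconds    = $sinceStart
                }
            }
        }
    }
}

# Constructed sample mirroring the sequence in the post, with a deliberately long gap.
$t0 = [datetime]'2015-05-07T08:00:00'
$sample = @(
    (New-Object PSObject -Property @{ TimeCreated = $t0;                Id = 15515; Message = 'The wired autoconfig service is starting' }),
    (New-Object PSObject -Property @{ TimeCreated = $t0.AddSeconds(2);  Id = 15502; Message = "The profile was applied on the network adapter.`nProfile Type: Interface`nEAP Type: Microsoft: Protected EAP (PEAP)" }),
    (New-Object PSObject -Property @{ TimeCreated = $t0.AddSeconds(29); Id = 15502; Message = "The profile was applied on the network adapter.`nProfile Type: Group Policy`nEAP Type: Microsoft: Smart Card or other certificate" })
)
Get-ProfileApplyGaps -Events $sample |
    Format-Table GroupPolicyProfileAt, EapType, GapSeconds, SinceStartSeconds -AutoSize

# On an affected supplicant, the last two days from the live log:
# Get-ProfileApplyGaps -Events (Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 15515, 15502; StartTime = (Get-Date).AddDays(-2) })
```

Collecting GapSeconds across a fleet (for instance with `Invoke-Command` against the affected machines) gives a distribution to compare before and after any change to the Group Policy processing order or the WiredAutoConfig service start type, instead of a single anecdotal 30-second case.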




unquote path with spaces in services in auto type


We encountered the following vulnerability while scanning machines at work. I have raised the issue in other forums to ask for a course of action for the time being, until the vendor provides an update to their software package. We have identified three software packages, such as the NVIDIA driver software, where, when it gets installed on the machine, the bin path is written to the registry unquoted with an embedded space in the directory path, and the tools flag this as a vulnerability. What would be a short-term fix until the vendor provides an update to their software?

I had in mind:

create a script that updates the service components and modifies the environment variable which points to the bin path.

This is an article that addresses the problem:

https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464


michael john ocasio
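Added example for the post above (not the poster's script): the short-term fix for an unquoted service path is to quote the executable in the service's ImagePath, which is what this does. The detection rule is deliberately narrow: only an absolute path (drive letter or `%VAR%`) ending in `.exe` that contains whitespace and is not already quoted is touched, so `system32\DRIVERS\foo.sys` style driver entries are never rewritten. Values are read unexpanded and written back with their original registry type so that `REG_EXPAND_SZ` stays `REG_EXPAND_SZ`. Run elevated; `Repair-UnquotedServicePath -WhatIf` shows the proposed rewrites without making them.

```powershell
# Added example, not from the original post: find and quote unquoted service paths.

function Get-QuotedImagePath {
    # Returns the corrected ImagePath, or $null when no change is needed.
    param([AllowEmptyString()][string]$ImagePath)
    if ($ImagePath -match '^\s*"') { return $null }                       # already quoted
    # Absolute path (drive letter or %VAR%) up to the first .exe, then any arguments.
    if ($ImagePath -notmatch '^(?<exe>(?:[A-Za-z]:|%[^%]+%)\\[^"]*?\.exe)(?<rest>.*)$') { return $null }
    $exe = $matches['exe']; $rest = $matches['rest']
    if ($exe -notmatch '\s') { return $null }                             # no space: nothing to hijack
    return '"{0}"{1}' -f $exe, $rest
}

function Find-UnquotedServicePath {
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Services')
    foreach ($name in $root.GetSubKeyNames()) {
        $key = $root.OpenSubKey($name)
        if (-not $key) { continue }
        # Read the raw value so %SystemRoot% etc. are seen as written, not expanded.
        $raw = $key.GetValue('ImagePath', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $key.Close()
        if (-not $raw) { continue }
        $fixed = Get-QuotedImagePath -ImagePath ([string]$raw)
        if ($fixed) {
            New-Object PSObject -Property @{ Service = $name; ImagePath = $raw; Proposed = $fixed }
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    foreach ($entry in Find-UnquotedServicePath) {
        if ($PSCmdlet.ShouldProcess($entry.Service, "Set ImagePath to $($entry.Proposed)")) {
            $key  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Services\$($entry.Service)", $true)
            $kind = $key.GetValueKind('ImagePath')        # preserve REG_SZ / REG_EXPAND_SZ
            $key.SetValue('ImagePath', $entry.Proposed, $kind)
            $key.Close()
        }
    }
}

# Constructed inputs exercising the rule: an unquoted path with spaces, a path without
# spaces, and an already-quoted path with arguments.
'C:\Program Files\NVIDIA Corporation\Display\nvvsvc.exe',
'%SystemRoot%\system32\svchost.exe -k netsvcs',
'"C:\Program Files\Vendor\svc.exe" -service' |
    ForEach-Object { '{0}  =>  {1}' -f $_, (Get-QuotedImagePath $_) }

Find-UnquotedServicePath | Format-Table Service, ImagePath, Proposed -AutoSize
# Repair-UnquotedServicePath -WhatIf    # review, then run without -WhatIf
```

Only the first of the three constructed inputs produces a rewrite; the other two come back as `$null`. The scanner checks the service's ImagePath, not the PATH environment variable, so quoting the ImagePath is what clears the finding; a vendor reinstall or upgrade can write the unquoted value back, so keep the scan in the scheduled checks rather than treating it as one-off.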

certutil -deleterow isn't fully working


On a Windows 2008 R2 SP1 Standard virtual machine; it's a DC and is our CA. In a command prompt I type the following: "certutil -deleterow 5/7/2015 cert".

The first time it ran it deleted 145 records. The database is 6 GB in size. There are almost 3000 issued certificate records.

Problem is, there are tons of records that have expired left in the "Issued Certificates" view after running the above command.

Why doesn't this delete all expired records?

Thanks in advance,

George
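Added example for the post above (not the poster's command): `certutil -deleterow` works through the database in batches and stops after each batch, so one invocation deleting 145 rows and leaving the rest is the normal behaviour; the command is simply rerun until it reports that nothing was deleted. The loop below does that with a pass cap, and stops on the first pass that deletes zero rows rather than on certutil's exit code, because certutil may exit non-zero when it stops a batch. Parsing the `Rows deleted:` line is an assumption about certutil's output format; if your build prints it differently, adjust the regex. Run elevated on the CA.

```powershell
# Added example, not from the original post: repeat certutil -deleterow until no rows remain.

function Remove-ExpiredCaRows {
    param(
        [Parameter(Mandatory=$true)][datetime]$Before,
        [ValidateSet('Cert','Request','CRL')][string]$Table = 'Cert',   # Cert = expired certificates
        [int]$MaxPasses = 500
    )
    # certutil wants a US-style date regardless of the machine locale.
    $dateArg = $Before.ToString('M/d/yyyy', [System.Globalization.CultureInfo]::InvariantCulture)
    $total = 0
    for ($pass = 1; $pass -le $MaxPasses; $pass++) {
        $out = (& certutil.exe -deleterow $dateArg $Table 2>&1) | Out-String
        # Assumption about the output format: certutil reports "Rows deleted: N".
        $n = 0
        if ($out -match 'Rows deleted:\s*(\d+)') { $n = [int]$matches[1] }
        Write-Verbose ("Pass {0}: {1} rows deleted (exit code {2})" -f $pass, $n, $LASTEXITCODE)
        $total += $n
        if ($n -eq 0) { break }        # nothing left before this date, or output not recognised
    }
    $total
}

# Expired certificates (NotAfter before the date used in the post):
Remove-ExpiredCaRows -Before ([datetime]'2015-05-07') -Table Cert -Verbose
```

Deleting rows does not shrink the 6 GB file: the CA database is an ESE database, and space is only reclaimed by an offline defragmentation (`esentutl /d` against the .edb with the CertSvc service stopped, and a backup taken first).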

Windows Server 2008R2 Security Patch List


Hi,

Is there any security patch list for Windows Server 2008 R2? My company deploys Group Policy to use WSUS without server patch delivery, and blocks the Microsoft Update site in the proxy.

The server guys said to download patches manually; is there anything like this?

Thanks


Server Change?

This morning my Outlook is asking for a user name and password for bay404-m.hotmail.com. What's going on?

Two Tier PKI - Error


Hello everyone,

I am trying to set up a two-tier PKI environment after setting up single-tier PKI five times.
It is just a lab environment because I am trying to get familiar with PKI.

The setup is:
1 root CA, Win2012 R2
1 subordinate CA, Win2012 R2

The subordinate has IIS installed, and I created a virtual directory so its CRLs and AIA are available there.
I also created a subfolder called rootca in the virtual directory (e.g. http://servername/certenroll/rootca) to drop the AIA and CRLs of the root CA in.

On the root CA server I pointed my AIA and CRL to that location and copied my CRL and CRT over to that location.

After requesting a new subordinate CA certificate from my standalone root CA and accepting and importing it, I get the following error in PKIView on my subordinate CA.



Which certificate has this error (sub CA or root), and how do I resolve it?

As an additional question, I would like to know if my setup is ok for a beginner, and if you have some tips, please tell me :)


Andre
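Added example serving both this post and the earlier one about AIA/CDP locations that PKIView keeps showing after they were removed from the CA's extension settings (it is not code from either poster). The point it makes concrete: a CA certificate's CDP and AIA extensions are fixed when that certificate is issued, so a URL removed from the CA's configuration afterwards still lives in every CA certificate issued before the change, and the registry alone does not tell you what PKIView has to check. The script prints the URLs the CA is configured to publish (via `certutil -getreg`) next to the URLs embedded in each CA certificate in the local machine's Personal store whose subject matches `$CaName` (a placeholder you replace), and does an HTTP HEAD against each HTTP location. The `certutil -getreg` line format assumed by the regex is `<index>: <flags>:<url>`. Run it on the CA.

```powershell
# Added example, not from the original posts: configured publication URLs versus the
# URLs baked into the CA's own certificate(s), with a reachability probe for HTTP ones.

function Get-ConfiguredPublicationUrls {
    # Assumed "certutil -getreg" line format: "<index>: <flags>:<url>".
    foreach ($value in 'CA\CRLPublicationURLs', 'CA\CACertPublicationURLs') {
        foreach ($line in (& certutil.exe -getreg $value 2>&1)) {
            if ("$line" -match '^\s*\d+:\s*(\d+):(\S.*?)\s*$') {
                New-Object PSObject -Property @{ Setting = $value; Flags = [int]$matches[1]; Url = $matches[2] }
            }
        }
    }
}

function Get-CertificateUrls {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
    foreach ($ext in $Certificate.Extensions) {
        if (-not $names.ContainsKey($ext.Oid.Value)) { continue }
        # Format($true) renders the extension as text with one "URL=..." per location.
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            New-Object PSObject -Property @{
                Subject   = $Certificate.Subject
                NotBefore = $Certificate.NotBefore
                Extension = $names[$ext.Oid.Value]
                Url       = $m.Groups[1].Value
            }
        }
    }
}

function Test-HttpUrl {
    param([Parameter(Mandatory=$true)][string]$Url)
    if ($Url -notmatch '^https?://') { return 'not HTTP' }      # ldap:/// and file paths are skipped
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Method = 'HEAD'; $req.Timeout = 5000
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch { return $_.Exception.GetBaseException().Message }
}

$CaName = 'Contoso Issuing CA'   # assumption: the CA's common name as it appears in its certificate subject

Get-ConfiguredPublicationUrls | Format-Table Setting, Flags, Url -AutoSize
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$CaName*" } |
    ForEach-Object { Get-CertificateUrls -Certificate $_ } |
    Select-Object NotBefore, Extension, Url, @{ n = 'Http'; e = { Test-HttpUrl -Url $_.Url } } |
    Format-Table -AutoSize
```

For the two-tier lab, run the second half against the subordinate CA's certificate (the one the root issued) and against the root certificate copied into the rootca folder: a URL that returns anything other than 200, or that is absent from the configured list but present in a certificate, is the location PKIView is complaining about. For the stale-location case, a CA certificate that predates the configuration change will still carry the old URL, and PKIView will keep reporting it for as long as that certificate is one of the CA's certificates.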

PKI - root ca already in domain user trusted root certs


Hello everyone,

I got a question.
I just set up a PKI (single tier) and installed it on my DC (I know, not best practice, but hey, it is a lab).

I just put a certificate on a smart card so the user is able to log on.
So far everything is okay.

What I don't get is why the trusted root CA is already in the user's Trusted Root CA certificate store.

I thought this had to be done via a GPO, but instead it is already there.

How is it possible that the root CA's cert is already in the Trusted Root CA cert store of the user?


Andre
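Added example for the post above (not the poster's code). Installing an Enterprise CA publishes its certificate into the forest's configuration partition: into the `Certification Authorities` container under `Public Key Services`, which domain members pull into their Trusted Root store without any GPO, and into the `NTAuthCertificates` object, which is what makes smart-card logon accept certificates from that CA. The script reads those objects with plain ADSI (no AD module needed), decodes each `cACertificate` value, and marks whether the same thumbprint is in the local machine's Trusted Root store, which the user's Trusted Root view includes. Run it from any domain-joined machine.

```powershell
# Added example, not from the original post: what the Enterprise CA published into AD,
# compared with the local machine's Trusted Root store.

function Get-PublishedCaCertificates {
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$configNc"
    $targets = @(
        @{ Name = 'Certification Authorities (pulled into Trusted Root)'; Path = "LDAP://CN=Certification Authorities,$pks"; Children = $true },
        @{ Name = 'NTAuthCertificates (smart-card / enterprise CA trust)'; Path = "LDAP://CN=NTAuthCertificates,$pks";       Children = $false },
        @{ Name = 'AIA (pulled into Intermediate)';                       Path = "LDAP://CN=AIA,$pks";                       Children = $true }
    )
    foreach ($t in $targets) {
        if (-not [ADSI]::Exists($t.Path)) { continue }
        $entries = @([ADSI]$t.Path)
        if ($t.Children) { $entries = @(([ADSI]$t.Path).psbase.Children) }
        foreach ($entry in $entries) {
            foreach ($blob in @($entry.psbase.Properties['cACertificate'])) {
                if (-not $blob) { continue }
                # The comma keeps the byte[] from being unrolled into separate constructor arguments.
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$blob)
                New-Object PSObject -Property @{
                    Container  = $t.Name
                    Object     = $entry.psbase.Properties['cn'][0]
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
}

function Compare-WithLocalTrustedRoot {
    $local = @(Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint)
    Get-PublishedCaCertificates |
        Select-Object Container, Object, Subject, NotAfter, @{ n = 'InLocalRoot'; e = { $local -contains $_.Thumbprint } }
}

Compare-WithLocalTrustedRoot | Format-Table -AutoSize
```

Seeing the lab root CA listed under `Certification Authorities` with InLocalRoot True on a freshly joined client, with no GPO carrying the certificate, is the answer to the question: AD, not Group Policy, is distributing it. A GPO (Computer Configuration, Public Key Policies, Trusted Root Certification Authorities) is the mechanism for CAs that are not Enterprise CAs in the forest.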

Windows Server 2008 Std MS15-034 Patch

I'm trying to get clarification that Windows Server 2008 Standard isn't affected by MS15-034. I didn't see a patch available for this through Windows Update and couldn't find anything relating to this specific version via search. https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
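Added example for the post above (not the poster's): rather than inferring patch state from the bulletin's product list, ask the server. The check published alongside MS15-034 sends a `Range` header whose upper bound is 18446744073709551615 against a static file: unpatched HTTP.sys answers `416 Requested Range Not Satisfiable`, while a patched one rejects the header with `400`. A host whose web stack is not HTTP.sys at all gives neither, so the function returns the raw status line next to its verdict instead of a bare yes/no. It only reads the status line and uses the 0-based lower bound; it does not attempt the crash variant. The host name and file path are placeholders you replace (the file must exist on the target, otherwise a 404 tells you nothing).

```powershell
# Added example, not from the original post: MS15-034 response check using the
# published Range-header probe. Read-only, one request, no exploitation.

function Test-Ms15034Response {
    param(
        [Parameter(Mandatory=$true)][string]$TargetHost,
        [int]$Port = 80,
        [string]$Path = '/iisstart.htm',   # assumption: a static file that exists on the target
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    try {
        $client.Connect($TargetHost, $Port)
        $stream  = $client.GetStream()
        $request = "GET $Path HTTP/1.1`r`nHost: $TargetHost`r`nRange: bytes=0-18446744073709551615`r`nConnection: close`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader     = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $statusLine = $reader.ReadLine()
        $verdict = 'not the HTTP.sys pattern; inspect manually'
        if     ($statusLine -match '^HTTP/1\.[01] 416') { $verdict = 'answers like unpatched HTTP.sys' }
        elseif ($statusLine -match '^HTTP/1\.[01] 400') { $verdict = 'answers like patched HTTP.sys' }
        New-Object PSObject -Property @{ Target = "${TargetHost}:$Port"; StatusLine = $statusLine; Verdict = $verdict }
    } finally {
        $client.Close()
    }
}

Test-Ms15034Response -TargetHost 'server2008.example.internal' -Port 80 | Format-List
```

Run it from a machine that can reach the server on the web port; a "not the HTTP.sys pattern" result on a Server 2008 box is what you would expect to see if that HTTP.sys version does not contain the affected range-handling code at all, and a 416 is what you would want to escalate.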

IRM For Office


Hi,

I would like to install IRM for Office. I have Windows Server 2008 R2 and Office 2007, 2010 and 2013.

I would like to prevent a few users from printing and saving.

I am looking for a step-by-step guide on how to configure it.

Thanks.

Move a certificate from current user to local computer store in 2012


Hi, 

How can I move a certificate from the current user store to the local computer store in Windows Server 2012 when the certificate's private key is marked as not exportable?

Drag and drop is possible in Windows Server 2008 R2 when I open both the current user and local computer stores in the same MMC, but in Windows Server 2012 it is not possible.

Thanks...

Schannel Errors on ADFS Proxy 36874 and 36888 Server 2012R2


Hi All,

I am seeing the above errors on our ADFS proxy server; not constantly, and one is always accompanied by the other.

I am running network capture at the moment but thought I would ask in case anyone has any suggestions.

36874 is:

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

And 36888 is:

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

I cannot see any coinciding other event errors.

They started on 23rd April, which coincided with a load of Windows updates (the server is fully patched).

Can anyone help shed any light on this?

Thanks

Andy

Completely turn off the Windows Filtering Platform - Windows Server 2012


Is there a way to completely turn off the Windows Filtering Platform? I don't just want to disable the auditing of events (I believe this only stops the event log entries from being written); I want to turn off the process completely. It's blocking legitimate packets and we have not found a way to stop that.

Thanks 
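Added example for the post above (not the poster's): the Windows Filtering Platform is the layer the firewall, IPsec and third-party filter drivers all plug into, so the practical route is to find the filter that drops the traffic rather than remove the platform. With the "Filtering Platform Packet Drop" and "Filtering Platform Connection" audit subcategories enabled, WFP logs Security events 5152 and 5157 that carry the Filter Run-Time ID of the blocking filter; `netsh wfp show filters` then names the provider (firewall rule, IPsec policy, vendor driver) that owns that ID. The parser is exercised on a constructed 5152 event so it runs offline; the live path is commented at the end.

```powershell
# Added example, not from the original post: turn WFP drop events into "which filter
# blocked what", as the first step before touching any filtering provider.

# auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
# auditpol /set /subcategory:"Filtering Platform Connection"  /failure:enable

function ConvertFrom-WfpDropEvent {
    # $Event: a record from Get-WinEvent, or anything with TimeCreated, Id and a ToXml() method.
    param([Parameter(Mandatory=$true)]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    New-Object PSObject -Property @{
        Time        = $Event.TimeCreated
        Id          = $Event.Id
        Application = $d['Application']
        Direction   = $d['Direction']
        Source      = "$($d['SourceAddress']):$($d['SourcePort'])"
        Dest        = "$($d['DestAddress']):$($d['DestPort'])"
        Protocol    = $d['Protocol']
        FilterId    = $d['FilterRTID']
        LayerName   = $d['LayerName']
    }
}

function Get-WfpDropSummary {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157; StartTime = $Since } |
        ForEach-Object { ConvertFrom-WfpDropEvent -Event $_ } |
        Group-Object FilterId, Dest, Application | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed 5152 event in the shape Get-WinEvent returns, for offline testing.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5152</EventID></System>
<EventData><Data Name="ProcessId">4</Data><Data Name="Application">System</Data><Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.5</Data><Data Name="SourcePort">52144</Data><Data Name="DestAddress">10.0.0.10</Data>
<Data Name="DestPort">445</Data><Data Name="Protocol">6</Data><Data Name="FilterRTID">68591</Data>
<Data Name="LayerName">%%14610</Data><Data Name="LayerRTID">44</Data></EventData></Event>
'@
$sampleEvent = New-Object PSObject -Property @{ TimeCreated = Get-Date; Id = 5152 }
$sampleEvent | Add-Member -MemberType ScriptMethod -Name ToXml -Value ({ $sampleXml }.GetNewClosure())
ConvertFrom-WfpDropEvent -Event $sampleEvent | Format-List

# On the affected server:
# Get-WfpDropSummary | Format-Table -AutoSize
# netsh wfp show filters file=filters.xml     # then search filters.xml for the FilterRTID value
```

The filter's provider entry in filters.xml tells you whether the drop is a Windows Firewall rule (fix the rule), an IPsec connection security rule, or a third-party driver (the "process" the post wants to stop is usually one of those, not WFP itself).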




LDAPS Cannot Open Connection Server 2012 and Server 2012R2


I'm trying to make an LDAPS connection from the LDP tool to a couple of particular domain controllers in our environment, but I keep getting the error "Cannot Open Connection" with the following info:

0x0 = ldap_unbind(ld);
ld = ldap_sslinit("dc1.domain.org", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to dc1.domain.org.

I have verified that there is only one certificate for server verification in the personal computer cert store and have tried granting permissions to the Network Service account to the key. SAN checks out with the correct FQDN as well. I have run

certutil -v verifystore my 0

and

certutil -verify -urlfetch

and both commands reported that it is valid and all checks passed.

I also noticed that I am able to make successful LDAPS connections to our 2008 R2 domain controllers, and they are using certs from the same template. This issue only occurs on our DCs on 2012 and 2012 R2, so I am wondering if there's an extra step for those OSes that I've neglected to perform. I have confirmed that they are both listening on ports 389 and 636. Let me know if you need any further information. Thanks!
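Added example serving both this LDAPS post and the earlier Schannel 36874/36888 post on the ADFS proxy (it is from neither poster). Both questions come down to "what actually happened in the handshake", which LDP and the event log do not show. The function opens a TLS session with .NET `SslStream`, and either reports the failure (a cipher-suite or protocol mismatch fails at this point, before any certificate is exchanged, which is the 36874 case) or reports the protocol and cipher negotiated plus the certificate the server presented: subject, SANs, thumbprint and whether a chain builds locally. The validation callback accepts any certificate so the handshake completes for inspection; chain problems are reported, not enforced. Host names are placeholders; `Tls11`/`Tls12` in `SslProtocols` need .NET 4.5 or later.

```powershell
# Added example, not from the original posts: probe a TLS endpoint and report what
# was negotiated and which certificate the server served.

function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int]$Port = 636,
        [System.Security.Authentication.SslProtocols]$Protocols = 'Tls12'
    )
    # Accept any server certificate: this is a probe, chain status is reported below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($ComputerName, $null, $Protocols, $false)
        } catch {
            # Fails here when client and server share no cipher suite / protocol version.
            return New-Object PSObject -Property @{
                Target = "${ComputerName}:$Port"; Result = 'handshake failed'
                Detail = $_.Exception.GetBaseException().Message
            }
        }
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) })
        New-Object PSObject -Property @{
            Target      = "${ComputerName}:$Port"
            Result      = 'ok'
            Protocol    = $ssl.SslProtocol.ToString()
            Cipher      = '{0} {1}-bit, key exchange {2}, hash {3}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength, $ssl.KeyExchangeAlgorithm, $ssl.HashAlgorithm
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            SAN         = "$san"
            ChainBuilds = $chainOk
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    } finally {
        $client.Close()
    }
}

Test-TlsEndpoint -ComputerName 'dc1.domain.org' -Port 636 | Format-List
Test-TlsEndpoint -ComputerName 'adfsproxy.example.com' -Port 443 -Protocols Tls12 | Format-List
```

For the 2012 DCs, compare the Thumbprint the DC serves with the one in its Personal store; on Windows Server 2008 and later a certificate placed in the NTDS service's own store (Certificates snap-in, Service account, Active Directory Domain Services) takes precedence over the computer's Personal store, so a stray certificate there is a common reason a DC serves something other than the expected template-issued one. For the ADFS proxy, a `handshake failed` with `-Protocols Tls12` against the server's own hostname, while `Tls` succeeds, localises the 36874 pairs to the TLS 1.2 cipher-suite list rather than to the certificate.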


SCCM 2012 R2 CU6 Internet Client Certificates


http://www.systemcenterdudes.com/internet-based-client-management/

I used the above web site to attempt to configure a DP and MP server in our DMZ for internet-based clients. I'm getting the following:

I tried certificate enrollment to install the certificate directly on a client. I got "You cannot request a certificate at this time because no certificate types are available". I checked the "Show all templates" box and my "ConfigMgr 2012 Client Certificate" status is unavailable: "The permissions on the certificate template do not allow the current user to enroll for this type of certificate." "You do not have permission to request this type of certificate."

Thoughts on why my clients are not able to get certificates???
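Added example for the post above (not the poster's): the message quoted is what a client sees when the security descriptor on the template grants neither Enroll nor Autoenroll to the identity making the request. The script reads that descriptor straight from the template object under `Certificate Templates` in the configuration partition and lists the principals holding the Enroll and Autoenroll extended rights (well-known GUIDs 0e10c968-78fb-11d1-a9c7-0000f80367c1 and a05b8cc2-17bc-4802-a710-e7c15ab866a2), plus any ACE granting GenericAll or all extended rights, which imply them. The template is looked up by `cn` or `displayName`, so the display name from the post works. Run from a domain-joined machine with read access to the configuration partition (any domain user by default).

```powershell
# Added example, not from the original post: who can enroll for a given certificate template.

function Get-TemplateEnrollRights {
    param([Parameter(Mandatory=$true)][string]$TemplateName)   # cn or display name
    $rights = @{
        '0e10c968-78fb-11d1-a9c7-0000f80367c1' = 'Enroll'
        'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
    }
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $root     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(|(cn=$TemplateName)(displayName=$TemplateName)))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "No template named '$TemplateName' under Certificate Templates" }
    $entry = $result.GetDirectoryEntry()
    $sd    = $entry.psbase.ObjectSecurity      # ActiveDirectorySecurity
    foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        $guid  = $ace.ObjectType.ToString()
        $isAll = (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        $isAnyExtended = ((($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and ($ace.ObjectType -eq [guid]::Empty))
        $label = $null
        if     ($rights.ContainsKey($guid)) { $label = $rights[$guid] }
        elseif ($isAll)                     { $label = 'GenericAll (includes Enroll)' }
        elseif ($isAnyExtended)             { $label = 'All extended rights (includes Enroll)' }
        if ($label) {
            New-Object PSObject -Property @{
                Template  = $entry.psbase.Properties['cn'][0]
                Principal = $ace.IdentityReference.Value
                Right     = $label
                Type      = $ace.AccessControlType.ToString()
            }
        }
    }
}

Get-TemplateEnrollRights -TemplateName 'ConfigMgr 2012 Client Certificate' |
    Format-Table Template, Principal, Right, Type -AutoSize
```

Read the output against the identity that is actually requesting: the web enrollment pages submit the request as the logged-on user, whereas the ConfigMgr client certificate is a computer certificate, normally enrolled under the machine's own identity (autoenrollment, or `certreq` run as SYSTEM), so the ACE that matters is the one for the computer account or a group it belongs to. A Deny ACE on a broad group also shows up here and overrides an Allow lower down the list.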

Outlook & OWA Certificate


My original request pertained to CERTIFICATES. I have, with Microsoft's help, recreated our domain's CA certificate, Key Recovery Agent cert and Archive User cert. They were going to expire soon.

I have tried to get the certs recreated on the Exchange server (Windows 2008 R2 and Exchange 2010 Enterprise). Now pop-ups for autodiscover.domainname.net and exchangeservername.domainname.net keep appearing. OWA users get the cert warning. If they don't delete the previous certs, installing the current cert does not allow them to continue.

Please point me in the right direction.

Thanks,

George

Can't establish IKEv2 VPN connection - "Error 13819: Invalid certificate type"


I'm trying to make a VPN connection to a Windows Server 2012 Essentials server. I can successfully connect using SSTP, but I want to use IKEv2 to improve performance. However, when I try to connect, I receive the following error message: "Error 13819: Invalid certificate type".

The message suggests to me that the certificate being used does not have the correct EKU attributes for an IKEv2 connection. However, I have issued a certificate for the server, placed in the server's Personal store, which includes the EKUs for Server Authentication and IP security IKE intermediate, as specified in this tutorial (albeit for Server 2008). The certificate is self-signed, with the root authority trusted by the client computers.

What I would like to do is find out exactly which certificate is actually being selected by the server for the IKEv2 connection. I can't see any way of verifying which is being used; I suspect the server may be selecting a different certificate without the correct EKUs. Once I am sure of the certificate being used, I could verify it on the client computers with certutil.

Could anyone suggest how I could do that?

Thanks.
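Added example for the post above (not the poster's): the way to answer "which certificate could the server be picking" is to enumerate the candidates the server has and score each one against what IKEv2 needs. For every certificate in the computer's Personal store the script reports whether it has a private key, carries both the Server Authentication (1.3.6.1.5.5.7.3.1) and IP security IKE intermediate (1.3.6.1.5.5.8.2.2) EKUs, names the host clients connect to in its subject or SAN, and builds a chain locally. If more than one row qualifies, the server has a choice and the spare ones should be removed or re-keyed elsewhere; if none does, 13819 on the client is what you would expect. The host name is a placeholder; the SAN check relies on the English `DNS Name=` rendering of the extension.

```powershell
# Added example, not from the original post: score LocalMachine\My certificates as IKEv2 candidates.

function Get-IkeCandidateCertificates {
    param([Parameter(Mandatory=$true)][string]$VpnHostName)
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -eq '2.5.29.37') {
                $ekuExt = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ext, $false)
                $ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        $sanText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) })
        $escaped = [regex]::Escape($VpnHostName)
        $nameOk  = ($cert.Subject -match "CN=$escaped(,|$)") -or ("$sanText" -match "DNS Name=$escaped(,|$)")
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $hasServerAuth = ($ekus -contains '1.3.6.1.5.5.7.3.1')
        $hasIke        = ($ekus -contains '1.3.6.1.5.5.8.2.2')
        New-Object PSObject -Property @{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            HasPrivateKey   = $cert.HasPrivateKey
            ServerAuth      = $hasServerAuth
            IkeIntermediate = $hasIke
            NameMatches     = $nameOk
            ChainBuilds     = $chainOk
            Qualifies       = ($cert.HasPrivateKey -and $hasServerAuth -and $hasIke -and $nameOk -and $chainOk)
        }
    }
}

Get-IkeCandidateCertificates -VpnHostName 'vpn.example.com' |
    Sort-Object Qualifies -Descending |
    Format-Table Subject, NotAfter, HasPrivateKey, ServerAuth, IkeIntermediate, NameMatches, ChainBuilds, Qualifies -AutoSize
```

Once a single row qualifies, its thumbprint is the one to verify on a client with `certutil -verify` against the exported certificate, as the post intends; the Remote Access service needs a restart after the store changes for the selection to be re-evaluated.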

Alternate Signature Algorithm - Subordinate CA cert was issued with 1 - effect on applications?


There was some discussion whether we should set this parameter to a value of 0 or 1.

All our operating systems are Windows 2008 / Windows 7 or above and should be compatible.

Thinking we might gain from the higher level of security apparently provided by setting the value to 1, we did set the value to 1 and issued some test certificates.

This does not seem to cause a problem with the OS itself (IIS web server for example).

On the other hand, it looks like some third-party applications are not compatible.

So we reset the value to 0 in the registry manually (and adjusted the value in our post-install scripts in case we ever run them again).

We re-issued the certificates.

Now the applications work.

So what's the problem?

We realize that the certificate issued by our root CA to our subordinate CA was issued with the Alternate Signature Algorithm set to 1. Moreover, this value was also set to 1 for the certificate used to validate the web interface of the subordinate CA.

As far as we can see, the certificates issued to the third-party applications do not care what this value is for the subordinate CA cert (as long as the certificates issued to them were issued with the value set to 0).

Is this correct?

We want to be sure before issuing certificates on a broader scale.

The only reason we think this *might* be a problem is because we are still not able to request certificates from the CA web interface using the Firefox browser (various versions of IE work just fine).

Thank you in advance!
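Added example for the post above (not the poster's): `AlternateSignatureAlgorithm=1` makes the CA sign with RSASSA-PSS (OID 1.2.840.113549.1.1.10) instead of PKCS#1 v1.5. A relying party verifies the signature on every certificate in the chain, not only on the end-entity certificate, so whether an application that cannot handle PSS is affected depends on the signature algorithm of the subordinate CA's own certificate as much as on the setting used for the leaf. The function walks the chain of a given certificate and reports the signature algorithm at each level; `Test-ChainHasPss` wraps it for bulk checks. The file path is a placeholder.

```powershell
# Added example, not from the original post: report the signature algorithm at every
# level of a certificate's chain and flag RSASSA-PSS.

function Get-ChainSignatureAlgorithms {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $pssOid = '1.2.840.113549.1.1.10'
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Certificate)          # elements are populated even if the chain does not fully validate
    $level = 0
    foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        New-Object PSObject -Property @{
            Level      = $level
            Subject    = $c.Subject
            SigAlgOid  = $c.SignatureAlgorithm.Value
            SigAlgName = $c.SignatureAlgorithm.FriendlyName
            IsPss      = ($c.SignatureAlgorithm.Value -eq $pssOid)
            SelfSigned = ($c.Subject -eq $c.Issuer)
        }
        $level++
    }
}

function Test-ChainHasPss {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    (@(Get-ChainSignatureAlgorithms -Certificate $Certificate | Where-Object { $_.IsPss }).Count -gt 0)
}

# One of the test certificates from the post, exported to a file (path is a placeholder):
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\temp\test.cer')
Get-ChainSignatureAlgorithms -Certificate $cert | Format-Table Level, Subject, SigAlgName, SigAlgOid, IsPss -AutoSize

# Every certificate in the local store whose chain contains a PSS signature anywhere:
# Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-ChainHasPss -Certificate $_ } | Select-Object Subject, Thumbprint
```

Level 0 is the certificate you passed in and the last level is the root (SelfSigned True); a row with IsPss True at level 1 is the subordinate CA certificate signed by the root with the setting at 1. The CA-side setting itself can be read with `certutil -getreg CA\CSP\AlternateSignatureAlgorithm` on each CA, which is the quickest way to confirm what the root was configured with when it issued the subordinate's certificate.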


