Channel: Security forum

Kinit raises krb_error


Hi,

I am trying to obtain a Kerberos ticket for OAM SSO. I keep getting this error after executing kinit -k -t keytab.service.

My current server environment is

WINDOWS SERVER 2012 R2

JDK8

This is my error:

Looking for keys for: HTTP/ssoserver@doman.int
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.build(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

thanks!
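The exception says the keytab holds no key whose encryption type is in default_tkt_enctypes (the log prints that list as 17 16 23), and then lists nothing after "following type:". As an added example, not from the post or from the JDK, here is a Python script that parses a keytab in the MIT/Heimdal 0x0502 format, lists the encryption types it holds for a principal, and intersects them with that default list. The keytab, the realm EXAMPLE.TEST and the key bytes are constructed inline; build_keytab exists only to produce that sample (ktpass or ktutil write real ones), and the etype name table covers the common types only.

```python
import struct
from typing import Dict, List, Tuple

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).  The kinit
# log above reports default_tkt_enctypes as "17 16 23".
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
DEFAULT_TKT_ENCTYPES = [17, 16, 23]      # taken from the log in the post


def _cos(b: bytes) -> bytes:
    """Encode a keytab counted_octet_string: 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cos(data: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Write a version 0x0502 keytab from (principal, kvno, etype, key) tuples.
    Used here only to construct sample input; ktpass/ktutil do this for real."""
    out = b"\x05\x02"
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        for c in comps:
            body += _cos(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes) -> List[Dict]:
    """Parse an MIT/Heimdal keytab into [{"principal", "kvno", "etype"}, ...].
    Deleted slots (negative entry length) are skipped, as the libraries do."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                     # free slot left by a deleted entry
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", blob, p)
        realm, p = _read_cos(blob, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cos(blob, p)
            comps.append(c.decode())
        p += 8                           # name_type (4) + timestamp (4)
        kvno = blob[p]                   # 8-bit vno
        etype, keylen = struct.unpack_from(">HH", blob, p + 1)
        p += 5 + keylen                  # skip the key material itself
        if end - p >= 4:                 # optional 32-bit kvno overrides vno8
            (kvno32,) = struct.unpack_from(">I", blob, p)
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "etype": etype})
        off = end
    return entries


def usable_etypes(entries, principal, wanted=DEFAULT_TKT_ENCTYPES):
    """Return (etypes present for principal, those also in default_tkt_enctypes).
    An empty second list is the condition behind the KrbException in the post."""
    have = sorted({e["etype"] for e in entries if e["principal"] == principal})
    return have, [t for t in wanted if t in have]


# Constructed samples (not the poster's keytab): realm and key bytes are made up.
PRINCIPAL = "HTTP/ssoserver@EXAMPLE.TEST"
AES256_ONLY_KEYTAB = build_keytab([(PRINCIPAL, 3, 18, b"\x11" * 32)])
MATCHING_KEYTAB = build_keytab([(PRINCIPAL, 3, 17, b"\x22" * 16),
                                (PRINCIPAL, 3, 23, b"\x33" * 16)])


def report(blob: bytes, principal: str) -> str:
    have, usable = usable_etypes(parse_keytab(blob), principal)
    names = lambda ts: ", ".join(f"{t} ({ETYPE_NAMES.get(t, '?')})" for t in ts)
    if not usable:
        return (f"{principal}: keytab has only [{names(have)}]; none of "
                f"default_tkt_enctypes [{names(DEFAULT_TKT_ENCTYPES)}] is usable")
    return f"{principal}: usable etypes [{names(usable)}]"


if __name__ == "__main__":
    print(report(AES256_ONLY_KEYTAB, PRINCIPAL))
    print(report(MATCHING_KEYTAB, PRINCIPAL))
```

When the second list is empty the keytab cannot satisfy any enctype the client is willing to put in its AS-REQ, which is what the exception reports; the remedy is either a keytab exported with a matching type (ktpass /crypto on Windows) or a krb5.conf default_tkt_enctypes that includes the keytab's type. Since the Java message printed nothing at all after "following type:", confirming that kinit opened the intended keytab file and found the principal in it is the first check to make.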


CA 'Cryptographic settings' information in command line


Hi,

If I install a Certificate Authority, then select Server Manager >> Tools >> Certificate Authority and click on the CA properties, the 'General' tab has a section called "Cryptographic Settings" which lists the provider and hash algorithm. Is there any way I can see this information from a command line tool, rather than using the GUI steps outlined?

Many thanks,

James

Client domain-joining issue after upgrading domain controller from Windows Server 2008 R2 to Windows Server 2012


We have successfully migrated from Windows Server 2008 R2 to Windows Server 2012 R2. Everything is working fine except for a new client domain-joining issue on Windows 7, 8 and 8.1.

The computer object is not created after joining a client PC to the domain. If we rejoin again, then the client PC name appears in AD.

How to find out the token size of a user


I am looking for how to find out the actual size of a user's token. Is there any tool that can help?

I already have a formula, but it gives an estimate, not the actual value.

Windows 2008 servers massive amounts of event ID logging for 5152, 5156 and 5157

Why would I see massive numbers of entries in the security logging for event ids 5152, 5156 and 5157?  The logs are filling up.

Event logs filling up with event IDs 5157, 5152, 5156

What needs to be adjusted so that event IDs 5157, 5152 and 5156 do not continue to flood my logs? 
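Event IDs 5152, 5156 and 5157 are Windows Filtering Platform audits: 5152 (packet dropped) comes from the Object Access subcategory "Filtering Platform Packet Drop", and 5156 (connection permitted) and 5157 (connection blocked) from "Filtering Platform Connection", as its success and failure halves respectively. As an added example for this question and the previous one, not something from either post, here is a Python triage script over a constructed CSV export of such events (addresses, ports and paths are made up). It counts events per ID, shows which application and destination port dominate the volume, and emits the auditpol line that disables only the half of the subcategory responsible for the flood.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

# Each of the three event IDs is produced by one half (success or failure) of
# one Advanced Audit Policy subcategory under Object Access.
AUDIT_SOURCE: Dict[int, Tuple[str, str]] = {
    5152: ("Filtering Platform Packet Drop", "failure"),   # packet dropped
    5156: ("Filtering Platform Connection", "success"),    # connection permitted
    5157: ("Filtering Platform Connection", "failure"),    # connection blocked
}

# Constructed sample export (not from the poster's servers): the columns are the
# fields these events carry; addresses, ports and paths are made up.
SAMPLE_EXPORT = "\n".join([
    "TimeCreated,EventID,Direction,SourceAddress,DestAddress,DestPort,Application",
    r"2015-08-12 09:00:01,5156,Outbound,10.0.0.5,10.0.0.10,445,\device\harddiskvolume2\windows\system32\svchost.exe",
    r"2015-08-12 09:00:01,5156,Outbound,10.0.0.5,10.0.0.53,53,\device\harddiskvolume2\windows\system32\svchost.exe",
    r"2015-08-12 09:00:02,5156,Outbound,10.0.0.5,10.0.0.53,53,\device\harddiskvolume2\windows\system32\svchost.exe",
    r"2015-08-12 09:00:02,5156,Inbound,10.0.0.7,10.0.0.5,3389,\device\harddiskvolume2\windows\system32\svchost.exe",
    r"2015-08-12 09:00:03,5156,Outbound,10.0.0.5,10.0.0.53,53,\device\harddiskvolume2\windows\system32\svchost.exe",
    r"2015-08-12 09:00:03,5157,Inbound,10.0.0.99,10.0.0.5,135,System",
    r"2015-08-12 09:00:04,5157,Inbound,10.0.0.99,10.0.0.5,445,System",
    r"2015-08-12 09:00:04,5152,Inbound,10.0.0.99,10.0.0.5,137,System",
])


def parse_export(text: str) -> List[dict]:
    """Read the CSV export into dicts, with numeric EventID and DestPort."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["EventID"] = int(r["EventID"])
        r["DestPort"] = int(r["DestPort"])
    return rows


def count_by_id(events) -> Dict[int, int]:
    return dict(Counter(e["EventID"] for e in events))


def top_sources(events, n: int = 3):
    """Which (event ID, application, destination port) tuples make up the flood."""
    keyed = Counter((e["EventID"], e["Application"], e["DestPort"]) for e in events)
    return keyed.most_common(n)


def auditpol_commands(events, threshold: int) -> List[str]:
    """One auditpol line per event ID at or above threshold, disabling only the
    success or failure half of the subcategory that produces that ID."""
    counts = count_by_id(events)
    return [f'auditpol /set /subcategory:"{sub}" /{half}:disable'
            for eid, (sub, half) in AUDIT_SOURCE.items()
            if counts.get(eid, 0) >= threshold]


if __name__ == "__main__":
    ev = parse_export(SAMPLE_EXPORT)
    print(count_by_id(ev))
    for (eid, app, port), n in top_sources(ev):
        print(f"{n:4d}  {eid}  port {port:<5} {app}")
    for cmd in auditpol_commands(ev, threshold=3):
        print(cmd)
```

Run auditpol /get /category:"Object Access" first to see which halves are currently enabled; if a GPO sets them, the change has to go into the GPO, since a local auditpol change is overwritten at the next policy refresh. Disabling the success half removes the 5156 permitted-connection audits, which are rarely useful on a busy server; disabling the failure halves also removes the record of blocked and dropped traffic (5157, 5152), so where that visibility is wanted the alternative is a larger Security log or forwarding to a collector and filtering there.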

Move certificate authority to new server with new name


Hi,

We want to move our certificate authority in our active directory to a new server with a new name.

Currently as far as I can tell the only thing that the certificate authority is even being used for is to maintain a certificate for Lync.

All of the documentation I have read indicates that the new server has to have the same computer name as the old server, but why can't we just create a new certificate for Lync using the new server once it's setup?

thank you,

-Drew

Radius Authentication Issues


Hello,

I am new to Certificate Authorities and building Radius servers.  However, my company assigned me the task of building them a Radius server. I believe that I have the server set up properly for the most part because users that authenticate themselves on mobile devices are allowed access to the network. However, I have run into a wall when trying to get our domain computers to access the network.  I set up a Network Access Protection for 802.1x Wireless Security which requires authentication with the Radius server before connecting to the company's WiFi.  As mentioned before, this works flawlessly with mobile devices, but when users try to connect to the wireless network from their laptops they are prompted to authenticate themselves yet they receive an error stating they were not able to connect to the network.  I have dug around in the Radius server for any type of logs that would give me an idea of where the issue lies but the server does not show any instances of failed authentication attempts.  If anyone could point me in the right direction as to why mobile devices can connect but domain computers cannot I would greatly appreciate it. 

(Below is the error users receive after authentication)



Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.


We HAD a Windows 2003 domain, DC01 and DC02. The CA was running on DC01.

For some reason one of the Admins thought it was a good idea to upgrade both DCs to Windows 2012.

It's been about a month now and I'm just noticing this error: "Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable."

I'm not seeing much on recovering CA, what are the ramifications of installing new? 

Wireless Certificate Issues


Hello, I am troubleshooting a certificate issue on our wireless laptops. Upon switching from wireless/wired, dock/undocked, the following certificate warning message appears (Sorry TechNet won't let me upload a screen shot)

"The identity of this web site or the integrity of the connection cannot be verified."

[Green Check Mark] "The security certificate is from a trusted certifying authority"

[Yellow Caution Exclamation Point] "The security certificate has expired or is not yet valid"

[Green Check Mark] "The security certificate has a valid name matching the name of the page you are trying to view"

Do you want to proceed? [Yes/No/View Certificate]

An engineer from our security team took a look and he expressed that it isn't a cert tied to his machine, but rather a web service cert: when the user switches from wired to wireless, the name changes from company.corp to company.software.com, and that is when the cert error pops up. Please let me know if this needs to be moved to another forum, as I wasn't sure if this was the correct one.


PKI set up issue


Hello Everybody,

I am following the guide "Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy" (https://technet.microsoft.com/en-us/library/hh831348.aspx) to set up the test PKI environment for my own practice.

On the part "To configure the root CA settings":

When I try to run the command below in Windows PowerShell, I get the error "certutil:too many arguments".

certutil -setreg CA\DSConfigDN CN=Configuration,DC=corp,DC=contoso,DC=com

Kindly somebody advise on this.

Thanks,

Amit


Smart card login - The function requested is not supported


Howdy everyone,

So...I've grabbed up some Gemalto .NET 2.0 smart cards to hopefully use for A.D. authentication and various other requirements. So, what I've done on my PKI is:

Requested an Enrollment Agent cert

Duplicated the template Smartcard Logon and set accordingly:
* Purpose: Signature and smartcard login
* Cryptography: Must use one of the following: Microsoft Base Smart Card Crypto Provider
* Issuance: Requires 1 signature, Application Policy/Certificate Request Agent

I'm able to successfully get a cert and confirmed with the certutil scinfo command.

When I try to RDP to a server or workstation I get the following message

Remote Desktop Connection
An authentication error has occurred
The function requested is not supported

Remote computer: *computer name*

When logging in directly onto a machine (after PIN verification):

Signing in with a smart card isn't supported for your account

I have Domain Controller certs on my DCs (a combination of 2008 R2 and 2012) that include the purposes Client/Server/Smart Card Logon.

I'm obviously forgetting something?

Thanks


The security certificate presented by this website was issued for a different website's address


Hello,

Windows Server 2012

Exchange Server 2013 Server name: ExServer

From Server:

Running "Get-ExchangeCertificate | fl" looks OK.

https://localhost/ecp/?ExchClientVer=15 or https://ExServer/ecp/?ExchClientVer=15 -> I can use the administrator login and set up the Exchange server.

Except that IE10 will show "The security certificate presented by this website was issued for a different website's address. ..."

From Workstation:

https://ExServer/ecp/?ExchClientVer=15 -> I got "This organization's certificate has been revoked"

(IE11, with "Check for server certificate revocation" unchecked.)

How can I fix this problem?

Thanks

PKI Question


I have done a lot of research and planning and now know the directions I want to go.  Since this is not something I normally do I was hoping there may be some outside counsel I could use to clarify a few points before solidifying the design.

CURRENT STATE:

We are currently running our CA on Windows 2012 R2.  This was moved from Windows 2003.

Since this was migrated from a 2003 CA, we are still running a Cryptographic Service Provider (CSP). Only web and domain controller certificates have been issued from this environment.

DESIRED STATE:

We need to move from a CSP and SHA-1 to a Key Storage Provider (KSP) and SHA-2.

I am in the process of architecting a new 2-Tier PKI environment on Windows 2012 R2 servers. This will be replacing the role as the issuing certificate server for all new requests. The root and issuing CA are both Windows 2012 R2 servers. There will also be another Intermediate CA for our Web Filter solution.

  • I cannot see any compelling reason to take the Root CA offline.  It seems like much more of a pain than it is worth.  Am I missing something?
  • Since I will be keeping the root online, do I install the Root CA as an Enterprise or Standalone CA?
  • For the Root CA I plan to select SHA1 with a key length of 4096 for the cryptography.  Would you suggest I select SHA256?
  • For the Issuing CA I plan to select SHA256 with a key length of 2048.  Is this what you would recommend?
  • I plan to set the validity periods as 20-years for the Root CA, 10-years for the Issuing CA, and 5-years for issued certificates.  Do you foresee any issues with this?
  • In order to remove the dependency on a server name I plan to publish the Root and Issuing AIA and CRL to the following locations, which will be hosted from the Issuing CA (4 files total):
    http://certificate.DOMAIN.com/CertData/<CAName><DeltaCRLAllowed>.crl
    http://certificate.DOMAIN.com/CertData/<ServerDNSName>_<CAName><CertificateName>.crt
    This will only be resolvable internally.  Any issues with the root and issuing CA publishing to the same location (different file names)?

  • When I have the new Root/Issuing servers online and configured I plan to disable all templates from the old certificate environment.  I will leave these 2 servers online until all issued certificates have expired.  Do you see any issues with this?
  • We still have some XP and 2003 servers online.  They are in the process of being removed.  Is there any issue with specifying the “AlternateSignatureAlgorithm=1” parameter in the new environment?


brian smith

AppLocker on Server 2012 R2 causing memory spike in dependent processes


Hello,

I am running AppLocker on my Windows Server 2012 R2 machines, and after several hours of run time, two of the Application Identity service's dependent services using SVCHOST will spike their memory utilization, in some cases to over 2-3 GB each.  The process "families", as they are grouped in the task manager, are the "Service Host: Remote Procedure Call" and "Service Host: DCOM Server Process Launcher" - as I said, these are the dependencies of the Application Identity service that AppLocker uses to enforce the defined application control policies.

Has anyone seen this before or have any ideas what could be causing this?  I have used AppLocker in the same manner with the same number of rules in Server 2008 R2 with no issues like this.  The problem also doesn't occur on the Windows 7 workstations which also run AppLocker.

Is there a memory leak in the Application Identity service somewhere?

Many thanks in advance.


Excel saving files to shared drive with no ownership established


I set up DFS to replicate data between two folders.  After I noticed that some users were unable to access the original folder, I cancelled the replication and removed the replications relationship from DFS, and users can now see and access the original source folder again.  

A few hours later I get a call from a user who is using Excel to open files residing in the Accounting folder on that shared drive (F: on the local workstation).

The user opens an Excel file in the Accounting directory of the F drive, makes a few changes, then saves it in the same directory with a new name.  

This new Excel file is not visible to her.  When looking at it from the server, you can see that the new file is there, but there is no established ownership of the file.  I have to take ownership as the Domain Admin, then re-apply permissions and everything is fine.  

It only seems to do this when saving a file out of Excel, not from Word or any other Office product.  It also doesn't happen if I just create a new document directly in the directory using right click --> New --> Text Document.  

Any ideas?




DC Lowest Shutdown Permission Available To Grant


https://technet.microsoft.com/en-us/library/Cc756898(v=WS.10).aspx

I've reviewed the above article but it's not quite clear, or I have not found what I'm looking for. I need to grant a Domain User a permission that is sufficient to access the Domain Controller and shut the server down. Is this possible without granting them complete access?

August 2015 Security Release ISO Image


Hi

I'm looking for the latest monthly ISO containing the security updates issued on each month's Patch Tuesday (August 2015 Security Release ISO Image).  They used to be available in the MS Download Centre on each Patch Tuesday, though of late they've been coming later.  Can you advise when the August 2015 ISO will be available?

Regards

Jennifer Llewellyn


User with SIDHistory not able to request certain certificate templates


Hello, 

I need some light while troubleshooting a certificate request for one particular user who has a SIDHistory attribute due to a recent migration (with ADMT) from one child domain to another.

My scenario is composed of:

- 1 Issuing CA in the parent forest located at HUB.

- Each child domain has a DR Domain Controller also located at HUB. Then each region has its DCs remotely, where end users authenticate.

- 2 certificate templates that are accessible to users of a particular group, let's call it GroupA.

This one particular user is a member of GroupA and AD replication is in place on all DCs from this child domain; I've confirmed via repadmin /showattr CHUILD-DC* "distinguishedName", and group membership is OK.

The user in the previous child domain no longer exists and never had any cert issued before at the issuing CA, therefore there is only one user.

When the user requests the cert templates manually, we click on "Show all templates" and we can see that the CA is not allowing the request because the user has no rights.

I've checked via ADSI Edit, Global Catalog option, that at the user object the global catalog doesn't contain details of group membership.

Questions:

How can I confirm from the Issuing CA which attributes of the user object it is seeing?

Does the CA check group membership from the closest DC for the child domain or does it check from the closest DC in the parent domain from Global Catalog info?


-- cesaru77--

You don't have administrator privileges on the server


While creating a failover cluster on a Windows 2012 R2 server I am getting the error "you don't have administrator privileges on the server". I have tried:

1) Rejoining the machine to the domain

2) Installing all Windows updates on the machine and domain

The issue is still there.

Please help as early as possible.

Thanks in advance


Nilesh Savant
