Channel: Security forum

Offline Root CA won't start, throwing RPC error (hunch: long hostname)

This is a brand new build. We thought it was related to a long host name, as we had 18 characters. To troubleshoot we uninstalled the CA, rebooted, changed the name to 14 characters, rebooted, and reinstalled the CA. It still didn't work. We are rebuilding the server now to verify whether this was in fact the issue. I'm curious if someone else has run into this problem and what their final resolution was. I'll respond in a few hours after we confirm the rebuild worked.

AD Certificate Authority (URI Priority)


Not sure where to ask this question...

When I request a certificate using MMC, Local Machine and choose the Active Directory Enrollment Policy and then next, there are no Certificates to choose from. If I request again as a User then I see all Certs (view all templates).

The issue seems to stem from the fact that (while we have two CAs and they are both published in Active Directory) we added a URI to support our new MDM (Mobile Device Management) solution and NDES/SCEP implementation.

It seems that the Certificate request process only uses the first priority URI (currently 5 for the LDAP URI for SCEP/NDES vs ffffffff for the AD 'empty' LDAP URI).

If I modify the Registry on one computer such that the priority is switched, then the MMC request process works fine for computers and I see all the certificates again.

So I am looking to amend this priority at the source (in AD?). I am not yet sure if this will affect the NDES/SCEP solution so I might have to roll it back after I make the change. Anyone know where I can do this and what I should consider before I do?

Background:
Windows 2003 Enterprise 32bit, Enterprise Root CA, upgraded to Windows 2008 (as couldn't go 64bit).
Implemented new/additional CA 2012R2 Offline Root with an online Enterprise Subordinate CA issuing new certificates. NDES/SCEP pointed at new Subordinate CA for autoenrollment of devices. Added URI to point devices specifically at the new subordinate CA.

How to find the OCSP logs


Dear All,

I have configured a Windows Server 2012 R2 Standard server to run a Certificate Authority and an Online Responder that uses OCSP to check the validity of the issued certificates (a ClearPass appliance is being used to check the certificates). From what I can see, the Online Responder is working and giving OCSP responses that the appliance interprets correctly when the certificate is valid, but if I revoke a certificate, OCSP persists in giving it the OK. To troubleshoot this I would like to see event logs of the operation of the Online Responder, including each of the responses it gives and why.

My questions are:

1) How do I enable the Online Responder logs?

2) Once enabled, where can I find these logs in Event Viewer? And if they are in an existing Event Log, which IDs do I use to filter them?

3) Is there a cache, time-out, or similar process which is delaying the Online Responder noticing the revoked certificates?

Hoping to hear from you soon.

Yours,

FD

Install .NET 4.0 on Windows 10


Hello,

I am sorry if I am posting in the wrong place; I tried to post on the .NET forum but didn't know where to start.

I want to use .NET 4.0 on my Windows 10 x64, but I can't install it. It says it is already part of Windows. I need to have both 4.0 and 4.5 if possible; if not, I would like to install 4.0 only.

Please help.

Thank You

vlmem10

Windows 2008 R2 - Signed PowerShell script not trusted


Hi,

I published certificates for code signing to my users' domain.

It works, every user can run a signed PowerShell script, but I receive a warning:

Security warning Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer...

My CA certificate is in "Trusted Root Certification Authorities".

If I import my signing certificate into "Trusted Publishers", that works, but why are certificates published via a Certification Authority and Active Directory not automatically trusted?

Fa-br-ice


CA - Key Archival Recovery

I just recently migrated my 2003 CA to 2012R2 and I am looking for some advice on some certificate templates. We mainly use Basic, User, EFS Recovery & Web Server certificates, and going forward I would like to implement Key Archival Recovery in my certificates so I have a way to recover the users' keys if needed. Would you recommend implementing new certificates with Key Archival and removing the old ones? Or should I implement new ones to supersede the old ones?

----E----

Domain Administrator Account getting locked when running a local batch file


Hey there... this looks to be the best place to share my issue.  I am hoping to get some troubleshooting guidance.

I have a Windows Server 2012 running SharePoint Server 2013.  I have a batch file that scans sub-folders matching a wildcard pattern, then looks for a specific .bat file in those sub-folders.  If it finds it, it runs it using the 'start' command (not call).  The second batch file creates a sub-directory based on the current date, then moves some files.

Everything happens locally on the server.  The batch files run successfully, but the domain administrator account gets locked out.  The batch file is being run under the local server administrator account.

I ran a script to dump all of the services and account info to a text file and there are no services configured to run under the domain admin account.  I'm scratching my head trying to figure out how to determine what's going on.  Why would a batch file running under SERVER/ADMINISTRATOR that is only working with local resources cause a lockout on the DOMAIN/ADMINISTRATOR account?

Anyone have a suggestion?  I haven't found much guidance on the Web.  Thanks in advance!

Trusted Root Authority Certification Expiring - Renewed - Now cannot renew any certificates


Help

Our Trusted Root Authority Certificate is expiring on 12/7/2015 and wouldn't renew certificates past 12/7/2015 due to this. I renewed the certificate using the same key and am now getting the following error when renewing any certificates:



Can someone help a non-expert on certificates solve this problem? Perhaps there is just more to it than renewing the certificate?

Thanks.



Providing a Certificate to a Newly Acquired Company


Our company has a 2-tier certificate infrastructure (one offline CA and one issuing CA). We have recently acquired a company and I would like to push out a computer certificate to their computers once we establish connectivity.

Could you provide me guidance on how to handle this task?

Thanks

Kerberos event ID 4


Windows Server 2008 R2 sp1

Last week my PDC crashed and I had to seize the FSMO roles on another DC. I was able to do so successfully.

Now on this new PDC I'm getting these error messages that keep referring to the old PDC:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc01$. The target name used was ACME\DC01$. This indicates that the target server failed to decrypt the ticket provided by the client.

I did the metadata cleanup and also removed any reference to the old PDC from the DNS servers.

Additionally, users who are changing their passwords are not getting registered (event IDs 627, 628).

Using AD CA to sign code


Dears,

I have an application that uses ActiveX controls with no code-signing certificate, so these components are blocked by IE.

I want to know how to use the AD CA server to request and generate a certificate for code signing.

Thanks

RODC replication in DMZ


Greetings from a 'newbie',

I am involved in network security and am concerned about the number of ports (and destinations) that need to be opened up to allow AD integration from a server in the DMZ to our internal network.

As background we are running a 2008 AD, and the RODC is a 2012 server.

Firstly, I'm not a fan of placing Windows servers in the DMZ; however, we have a business requirement to do so. The logical assumption then was to use an RODC in the DMZ so multiple DMZ servers could use it as the authentication server and thus reduce the number of incoming firewall ports.

We have done that; however, we seem unable to restrict the RODC to using just a small number of DCs located in our Data Centre. When we force replication from a DC I see a significant number of requests being 'sprayed' from the RODC to any DC within the organisation (typically RPC requests using 135/tcp).

Q: Is there a way to limit the number of servers involved in replication to an RODC? I understand there are a number of ports involved, and they are bi-directional, but if I could restrict the source/destination to 2 nodes (as opposed to 10.0.0.0/8) that would help my security posture greatly.

We have tried several suggestions through various articles but can't seem to get it to work.

Assistance is appreciated.

Reece...

Need to set folder permission to allow create files, no read after creating and allow deleting files.


Hi,

We have a request from customer. Requirement is as below.

Users access the path \\servername\share\folder1\folder2. There are subfolders and files in folder2. The customer wants to let users write to these locations but not be able to modify these files after they have been created.

In addition, what is also required is to prevent read access to these files for the users, but allow only delete and write access.

I tried various combination under special permissions on NTFS security, but could not achieve it. Is there a possibility to do this?

-Umesh.S.K

Smart card logon with third party CA combined with ADFS to Office 365


Greetings,

I've been trying to figure out how to implement ADFS to Office 365 in the MS cloud in our environment, with little luck. I have a working 2012 domain and we are already using smart card logon on Windows 7/8 workstations. Certificates on smart cards are issued by a 3rd party CA. So far everything is fine and working: the necessary root certificates are added to Trusted Root Certification Authorities, UPN suffixes and users' UPNs are set according to the UPN on the certificates, and users successfully log on to workstations with smart cards.

Now I face the requirement to enable SSO to Office 365 with accounts from our AD. I've been told by our MS partner and Dr. Google that in order to do that the user account name (UPN) in AD and in O365 need to match. The fact is that the account UPN in our AD is not usable in O365 (because it is set to match the 3rd party certificate UPN), and I have not found a way to enable smart card logon without changing the UPN in AD.

Does anyone have experience of such a configuration? Is it possible to use AD federation to O365 at all in our case?

Best regards, and thanks in advance

Timo

Allow vs deny logon locally - want a service account group to be denied by default but allowed on specified servers


We're preparing for Windows 10 and later Windows Server 2016. This has given me possibly the last chance to create a better security policy, as we have no production devices on these operating systems yet.

One of the things that I want to do is to create a group for service accounts, say, "ServiceAccounts".  On 95% of servers, I'd like to deny the following in local security policy:

*Log on locally

*Log on through remote desktop

*Access to this computer from the network.

But there are SOME servers that I'd like to grant the right to. So if my enterprise software runs across multiple servers and some of those service accounts traverse those servers, I'd like to grant the "Access this computer from the network" right. However, I cannot think of any simple way to do this. Having a different group policy per group of service accounts is insane. The deny rules seem to overwrite the "allow" rules, so I can't really use a general "deny" rule with exceptions. The "Allow" rules are a little more liberal, especially for workstations: "Users" is the default for allow.

What I'm really after is a more streamlined approach to least privilege - a whitelist of some kind.  Any tips?  Many thanks!


How can I limit connection to my server from remote?


Hello.

I have a Windows Server 2008 R2 and I don't like that anyone can connect to it remotely. How can I specify which IPs are allowed to connect?

Thank you.

CAPolicy.inf making no effect on KeyUsage, on Windows 2008 SP1 DC with Enterprise CA


Hi,

I'm setting up a special CA on which I need the Root CA's certificate's Key Usage not to be critical and set to c6 (including non-repudiation).

I've created a CAPolicy.inf file with:

[Version]
Signature= "$Windows NT$"

[Extensions]
2.5.29.15=AwIBxg==

However, I could not see any difference in the CA's certificate: it does not show "non repudiation" (bit 0x40 on 0xc6), and while I didn't include a line specifying it is critical, like many examples on the web, it is marked critical by default.

So the CAPolicy.inf file in %SystemRoot% does not seem to be making any change.



Is there anything I am missing here?

Thanks for any help!
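The base64 value in the CAPolicy.inf line above is a DER-encoded KeyUsage BIT STRING. The script below is an added example (not code from the thread) that decodes such a value into its named bits and re-encodes a chosen set of bits, so the line can be checked against what actually lands in the issued certificate; the function names are mine.

```python
import base64

# RFC 5280 KeyUsage named bits; bit 0 is the most significant bit of the first content byte
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def decode_key_usage(b64):
    """Decode a base64 DER BIT STRING (as used in CAPolicy.inf [Extensions]) into KeyUsage names."""
    der = base64.b64decode(b64)
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length > 0x7F or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused = der[2]                     # number of padding bits in the last content byte
    content = der[3:]
    total_bits = len(content) * 8 - unused
    names = []
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if content[byte] & (0x80 >> bit):
            names.append(KEY_USAGE_BITS[i])
    return names


def encode_key_usage(names):
    """Build the DER BIT STRING for the given KeyUsage names and return it base64-encoded."""
    value = 0
    for n in names:
        value |= 1 << (15 - KEY_USAGE_BITS.index(n))   # 16-bit field, bit 0 at the MSB
    # DER requires trailing zero bits of a named bit list to be dropped
    nbits = 16
    while nbits > 0 and not (value >> (16 - nbits)) & 1:
        nbits -= 1
    nbytes = (nbits + 7) // 8
    content = (value >> (8 * (2 - nbytes))).to_bytes(nbytes, "big") if nbytes else b""
    unused = nbytes * 8 - nbits
    der = bytes([0x03, 1 + nbytes, unused]) + content
    return base64.b64encode(der).decode()


if __name__ == "__main__":
    print(decode_key_usage("AwIBxg=="))   # value from the post: 0xC6 with 1 unused bit
    print(encode_key_usage(["digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"]))
```

The encoded value carries only the bits; the critical flag lives in the enclosing Extension structure, so it is not something this base64 string can turn on or off.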

Which Local Group allows users to run VBS script via task scheduler ?


I would like to create a user that would run the Task Scheduler task. The task action is to run a .vbs script to check a few folder sizes.

Which Local Group should I put the user in?

Of course it will work if I put the user in the Administrators group, but I would like that user to have minimum rights.

Thanks

Windows 2008 R2 Server Credential Manager clears entries after a couple of days or weeks.


I have been having issues with a W2008 R2 server deleting credentials in Credential Manager after a few days or a couple of weeks. I have to keep restoring the credential vault with the backup file I created. I tried rebooting the server to see if that was the issue. It is not.

This is not an issue of sending credentials. This is about Credential Manager LOSING stored entries.

I am mapping drives to other shares in our domain. Different processes use these shares to either put or get files. Credential Manager was working fine for a couple of years. This problem started in the last 6 months or so. All updates and service packs were applied to this server after the problem surfaced. No known SECPOL or GPEDIT changes were made to the server.


Thanks, Tom Bates
WS 2012 R2 - CES/CEP setup for domain joined computers


We are planning to use a CES/CEP server setup for deploying certificate templates. I have installed the Root CA / Issuing CA / CES / CEP as per the Microsoft technote.

But now, when I try to enroll for a certificate based on the enrollment policy (user/computer - duplicate template of the original template), I am getting the error "Certificate Types are not available. You cannot request a certificate at this time because no certificate types are available".

Although the certificate template is available in the Issuing CA, as I can enroll using the Active Directory Enrollment Policy.

The SPN is set up for the CES/CEP service account and I can see an event on the CEP server (the account is impersonating on behalf of the user/computer). The CEP server also shows an event that "The Active Directory certificate enrollment policy provider has been initialized to target the default domain controller for the current domain".

Please advise what further troubleshooting I should do to see why CEP is not able to retrieve the templates.

Thanks in advance.


Sanjeev Sharda
