Channel: Security forum

Attempting to use certreq -enroll to enroll for a client authentication certificate works with Windows 8, but not with Windows 7...


This has been an issue for a while now. Trying to use certreq -enroll -machine [Template Name] on Windows 7 machines fails with "not implemented". When I run this command with the -q flag I see that the certificate I want is unavailable, and it displays:

A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.

When I go into the properties of this certificate, go to the Certification Authority tab and check "Show all enrollment servers", it shows my server greyed out with this message:

The system could not determine if you can access this certificate.  Not implemented.

The template sits on an enterprise 2003 server CA and this process works with Windows 8.1 machines, which means that the template has the correct permissions and is issued correctly.

Is this a known issue with Windows 7 or am I missing something in the config?  Help is greatly appreciated.

Thanks,



Does Windows 2012 R2 Legacy mode OS support TPM 2.0?


The OS used is Windows 2012 R2 in "Legacy mode". My TPM 2.0 chip is displayed as "The TPM is ready for use with reduced functionality" in the Windows TPM management console (tpm.msc). I have tried to clear the TPM and boot back into the OS again, but this issue still exists.

And moreover, when I tried to prepare the TPM, it displayed "The TPM security hardware on this computer is ready for use, with reduced functionality (consistent with previous OS versions)".

After that, I tried to install Windows 2012 R2 in "UEFI mode", and it seems to work without problem ("The TPM is ready for use" is displayed in the Windows TPM management console).

Is TPM 2.0 supported by the Windows 2012 R2 "Legacy mode" OS?


Albert Tseng

Unable to use CERTREQ to enroll (request) a certificate from a template


I am looking for a way to script requesting a certificate to use on servers for PowerShell remoting (HTTPS listener). I can use the GUI (MMC/Certificates) without any problem to enroll from the template I created. But when I try this with certreq.exe, it gives me a (GUI-based) error:

Status: Unavailable

A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.

Here is the command I am running:

certreq.exe -enroll -machine "MyTemplateName"

Also, assuming I do get this working at some point, does anyone know how to include the subject name in the command? The template requires "CN=SERVERNAME" for the subject name when I use MMC to do this. I was hoping I could add this in as part of the command to completely automate it with a PowerShell script.

Thanks

NK

Code Signing Template Bug When Duplicating Template


So I have been working on a project with a Java support admin where he needs a Code Signing certificate. So I do what I always do: make a copy of a default template, then rename it and modify it as we see fit (increase validity period, set permissions, etc.), and then I publish it. Well, when we did that with the Code Signing certificate he would get an error:

The signer certificate's KeyUsage extension doesn't allow code signing.

OK, so we stare at and compare the default Code Signing template with the copy and found that the original has Enhanced Key Usage extensions whereas the copy does not. And in the Description of the Enhanced Key Usage it says Code Signing.

So is this a bug?  Do I have to publish the actual default Code Signing template to get this cert to work?

The signer certificate's KeyUsage extension doesn't allow code signing.


This is just another way of me asking the same question, but I wanted the actual error to be searchable in the title.

Basically, when you make a copy of the default Code Signing template you lose the Code Signing usage which is under the Enhanced Key Usage extensions.

So how do you fix that? Do you have to publish the default Code Signing template instead of making a copy of it like we've been taught to do?

Name constraints in qualified subordination


I have a lab with two domains each having separate PKI: A.LOCAL and E.A.LOCAL. A.LOCAL has a qualified subordinate CA certificate (Issuer: A.LOCAL -> Subject: E.A.LOCAL).

I have the following error when opening a test page of E.A.LOCAL at the A.LOCAL domain PC:

The web server certificate's Subject:

CN = LabE3.e.a.local

The web server certificate's SAN:

Other Name:
     Principal Name=LABE3$@e.a.local
DNS Name=LabE3.e.a.local

Policy.inf file used while creating the cross-certificate:

[Version]
Signature = $WindowsNT$
[RequestAttributes]
CertificateTemplate = CrossCA
[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = True
[NameConstraintsPermitted]
DNS = .e.a.local
UPN = @e.a.local
UPN = .e.a.local
DIRECTORYNAME = "DC=e,DC=a,DC=local"
[NameConstraintsExcluded]
DNS = ""
UPN = ""

I am not getting the error message above if I don't specify Name Constraints in the INF file above while creating qualified subordination. It suggests the problem is somewhere in the Name Constraints section. Can someone help?
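To make the matching behind those INF sections concrete, here is an added Python check, not from the post and not Windows code, that applies RFC 5280 subtree matching to the server's DNS and UPN names against the permitted and excluded sections above, and also shows what a literal empty excluded entry does under the same suffix rule (whether Windows encodes `DNS = ""` that way is not something the post establishes). It assumes UPN constraints behave like rfc822Name constraints and that a leading dot means strict subdomains; DIRECTORYNAME is not modelled.

```python
"""Added example: RFC 5280 name-constraint matching for the SAN and policy.inf above."""


def _labels(name):
    """Lower-case DNS labels of a name, ignoring a leading or trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def dns_matches(name, constraint):
    """dNSName subtree match: the name must end with the constraint on a label
    boundary. A leading dot (the form used in the policy.inf above) is taken to
    mean strict subdomains only; that reading is an assumption of this example."""
    strict = constraint.startswith(".")
    c_labels, n_labels = _labels(constraint), _labels(name)
    if not c_labels:
        return True  # an empty constraint is a suffix of every name
    if len(n_labels) < len(c_labels) or n_labels[-len(c_labels):] != c_labels:
        return False
    return len(n_labels) > len(c_labels) if strict else True


def upn_matches(upn, constraint):
    """UPN (otherName) constraint, modelled here like an rfc822Name constraint
    (an assumption): "@domain" matches UPNs at exactly that domain; any other
    form is matched against the UPN's domain part as a DNS subtree."""
    if "@" not in upn:
        return False
    domain = upn.rsplit("@", 1)[1]
    if constraint.startswith("@"):
        return domain.lower() == constraint[1:].lower()
    return dns_matches(domain, constraint)


MATCHERS = {"DNS": dns_matches, "UPN": upn_matches}


def check_name_constraints(san, permitted, excluded):
    """Return the list of violations; an empty list means the SAN is acceptable.
    Excluded subtrees take precedence over permitted ones, and a name type with
    no permitted entry is unconstrained, as in RFC 5280."""
    problems = []
    for kind, names in san.items():
        match = MATCHERS.get(kind)
        if match is None:
            continue  # DIRECTORYNAME and other types are not modelled here
        for name in names:
            if any(match(name, c) for c in excluded.get(kind, [])):
                problems.append(f"{kind} {name}: inside an excluded subtree")
            elif permitted.get(kind) and not any(match(name, c) for c in permitted[kind]):
                problems.append(f"{kind} {name}: outside every permitted subtree")
    return problems


# Values taken from the post: the web server's SAN and the INF sections.
POST_SAN = {"DNS": ["LabE3.e.a.local"], "UPN": ["LABE3$@e.a.local"]}
POST_PERMITTED = {"DNS": [".e.a.local"], "UPN": ["@e.a.local", ".e.a.local"]}
POST_EXCLUDED_LITERAL = {"DNS": [""], "UPN": [""]}  # the INF's DNS = "" / UPN = "" read literally

if __name__ == "__main__":
    print("permitted only:", check_name_constraints(POST_SAN, POST_PERMITTED, {}) or "OK")
    print("with literal empty excluded entries:",
          check_name_constraints(POST_SAN, POST_PERMITTED, POST_EXCLUDED_LITERAL) or "OK")
```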


Extended Validation - Browser shows Green Bar but "Unkown"


Dear Community,

I've created a new certificate template with EV enabled on our internal Server 2012 R2 PKI and added the OID to the Root Certificate which is pushed by GPO.

After a test, IE 11 shows a green address bar but it displays "Unknown [?]" in the right corner of the address bar. The info is "Root CA has identified this site as: unknown".

Does anybody know what's wrong? Did I miss something within the template, or is there a wrong EV configuration?

CertUtil: The instruction at 0x%08lx referenced memory at 0x%08lx.


Hi fellows,

I am currently trying to re-sign a certificate on a Windows Server 2008 R2 (fully patched) system (ADCS CA):


certutil -sign <oldfile> <newfile>

Signing keys are in software (Microsoft Software Key Storage Provider); the cert was issued by this CA, is a CA itself (sub) and is not revoked.

Command output:

301.3561.0:<2015/11/26, 10:0:3>: 0xc0000005 (-1073741819): 0x0 @ 0x00000000FFF33864
CertUtil: -sign command FAILED: 0xc0000005 (-1073741819)
CertUtil: The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
301.3792.0:<2015/11/26, 10:0:3>: 0xc0000005 (-1073741819)

certutil.log

========================================================================
402.511.948: Begin: 11/26/2015 10:09 AM 53.224s
402.516.0: certutil
402.520.0: GMT + 1.00
301.3888.0: certcli.dll: 6.1:7601.18833 retail
301.3888.0: certutil.exe: 6.1:7601.18151 retail
301.3788.465:<2015/11/26, 10:9:53>: Command Line: CertUtil -sign \temp\sub\sub.cer \temp\sub\new.cer
301.3561.0:<2015/11/26, 10:9:53>: 0xc0000005 (-1073741819): 0x0 @ 0x00000000FFFC3864
301.3792.0:<2015/11/26, 10:9:53>: 0xc0000005 (-1073741819)
301.3807.509:<2015/11/26, 10:9:53>: Command Status: The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. 0xc0000005 (-1073741819)
402.377.949: End: 11/26/2015 10:09 AM 53.255s

certutil verify

Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Nothing interesting in the CAPI2 log, certsrv.log, etc. I can sign with the key, as I can publish a new CRL.

Installed KB2615174. (Actually the sub CA is v1.1 and I want to resign it to v2.1 manually).

Does anyone have an idea? :)



Certificate Enrollment Policy Web Service & Certificate Enrollment WEB services can this be use for Linux Clients?


Hello

I very briefly skimmed over an article on the CEP/CES (Server 2012 R2 enterprise CAs). From what I read, the client requesting a cert via this method needs to be a Windows client. The article did not mention Linux/Unix clients.

Just in case this was missed out of the article, can CEP/CES be used by Linux/Unix clients to obtain a cert?

If not, what other options do I have?

The Linux/Unix clients are not part of AD and there is no trust between the Linux and Windows worlds (although there is talk about setting up an inter-Kerberos-realm trust, e.g. the UNIX guys set up a Kerberos realm and, once done, we set up a trust between our Kerberos realm (AD) and their realm).

In the ideal world we would like the Linux/Unix clients to be able to auto-enrol for computer certificates as the Windows computers do at the moment. Is this possible? Is there a client that can be installed on the Linux/Unix machines to enable this functionality, or is there a Linux/Unix client to enable enrolment via SCEP/NDES?

We could also allow the Unix/Linux guys to set up an issuing CA (signed by our AD CA) in their world to issue certs to their clients, but would prefer it if the Linux/Unix clients could automatically enrol for certs directly from the Windows CA.

Any advice most welcome


Thanks all

Ernie


EFS on remote FileShare using token error


Hello,

I'm implementing an integrated solution using EFS and SafeNet eTokens based on Windows 2012 R2; the goal was to generate a certificate for each user and load it on the token so that encryption and visibility are only possible with the token connected to the machine.

Everything worked fine until we tested encrypting a file remotely on the file share server using the token certificate, and the following error appeared:

"An error occurred applying attributes to the file:

This operation requires an interactive window station"

Do you guys have any idea?

Best Regards

login event clarify


Hi Team,

Event 528 (Successful Logon) and Event 4624 (An account was successfully logged on) with logon type 10 have the same meaning, that is an RDP or TS login, but 528 shows in Windows 2000 and 2003 and 4624 in 2008 and above.

=====================================================================

Source                          Microsoft Windows security auditing.
Event Log                       Security
Type                            Success Audit
Event ID                        4624
Category                        Logon
Computer                        HOSTNAME
Description                     An account was successfully logged on.

                                Subject:
Security ID: XXXXXXXXXX
Account Name: HOSTNAME$
Account Domain:DOMAIN
Logon ID: 0x3e7

                              Logon Type:10

                                New Logon:
Security ID: DOMAIN/USER
Account Name: USER
Account Domain:DOMAIN
Logon ID: 0x4d24e9e
Logon GUID: {1C457794-B22F-A3F3-E47C-F097B12940D1}

                                Process Information:
Process ID: 0x91c4
Process Name: C:\Windows\System32\winlogon.exe

                                Network Information:
Workstation Name:HOSTNAME
Source Network Address:x.x.x.x
Source Port: 57869

                                Detailed Authentication Information:
Logon Process:User32 
Authentication Package:Negotiate
Transited Services:-
Package Name (NTLM only):-
Key Length: 0

=====================================================================

DETAILS

Source                          Security
Event Log                       Security
Type                            Success Audit
Event ID                        528
Category                        Logon/Logoff

Computer                        HOSTNAME
Description                     Successful Logon:
User Name: USERNAME
Domain: DOMAIN
Logon ID: (0x0,0x3CFE5E4A)
Logon Type:10
Logon Process:User32  
Authentication Package:Negotiate
Workstation Name:HOSTNAME
Logon GUID: {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
Caller User Name:HOSTNAME$
Caller Domain:DOMAIN
Caller Logon ID:(0x0,0xxx)
Caller Process ID: 10952
Transited Services: -
Source Network Address:x.x.x.x
Source Port: 62286
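To put the two layouts quoted above side by side, here is an added Python example (not from the post) that parses a legacy 528 record and a 4624 record into one normalized shape and keeps only logon type 10, the RDP / Terminal Services case the post describes. The samples are constructed from the layouts above with RFC 5737 documentation addresses in place of the masked IPs, and a type-3 network logon is included to show it being filtered out.

```python
"""Added example: normalize the 528 and 4624 logon records quoted above and keep type 10."""
import re

# Logon type values as documented for events 528 and 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
# Section headers of the 4624 layout; "Account Name" occurs under two of them.
SECTIONS = {"Subject", "New Logon", "Process Information", "Network Information",
            "Detailed Authentication Information"}
EVENT_ID_RE = re.compile(r"^Event ID\s+(\d+)$")

# Constructed samples following the two layouts above (192.0.2.x are documentation IPs).
SAMPLE_4624 = """
Event ID                        4624
Description                     An account was successfully logged on.
                                Subject:
Account Name: HOSTNAME$
Account Domain:DOMAIN
                              Logon Type:10
                                New Logon:
Account Name: USER
Account Domain:DOMAIN
                                Network Information:
Workstation Name:HOSTNAME
Source Network Address:192.0.2.10
                                Detailed Authentication Information:
Logon Process:User32
"""
SAMPLE_528 = """
Event ID                        528
User Name: USERNAME
Domain: DOMAIN
Logon ID: (0x0,0x3CFE5E4A)
Logon Type:10
Logon Process:User32
Workstation Name:HOSTNAME
Caller User Name:HOSTNAME$
Source Network Address:192.0.2.11
"""
SAMPLE_4624_NETWORK = """
Event ID                        4624
                              Logon Type:3
                                New Logon:
Account Name: SVC_BACKUP
Account Domain:DOMAIN
                                Network Information:
Source Network Address:192.0.2.12
"""


def parse_event(text):
    """Split a pasted record into its event id and an ordered (section, key, value) list."""
    event_id, section, fields = None, "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_ID_RE.match(line)
        if m:
            event_id = int(m.group(1))
        elif line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
        elif ":" in line:
            key, _, value = line.partition(":")
            fields.append((section, key.strip(), value.strip()))
    return {"event_id": event_id, "fields": fields}


def field(event, key, section=None):
    """First value for key, optionally restricted to one 4624 section."""
    for sec, k, v in event["fields"]:
        if k == key and (section is None or sec == section):
            return v
    return None


def normalize(event):
    """Map either layout onto one record: who logged on, from where, and how."""
    eid = event["event_id"]
    if eid == 4624:
        user = field(event, "Account Name", "New Logon")
        domain = field(event, "Account Domain", "New Logon")
        caller = field(event, "Account Name", "Subject")
    elif eid == 528:
        user, domain = field(event, "User Name"), field(event, "Domain")
        caller = field(event, "Caller User Name")
    else:
        raise ValueError(f"unsupported event id {eid}")
    logon_type = int(field(event, "Logon Type") or 0)
    return {"event_id": eid, "user": user, "domain": domain, "caller": caller,
            "logon_type": logon_type,
            "logon_type_name": LOGON_TYPES.get(logon_type, "Unknown"),
            "source_ip": field(event, "Source Network Address")}


def find_rdp_logons(texts):
    """Normalized records with logon type 10 (RemoteInteractive: RDP / Terminal Services)."""
    return [r for r in (normalize(parse_event(t)) for t in texts) if r["logon_type"] == 10]


if __name__ == "__main__":
    for rec in find_rdp_logons([SAMPLE_4624, SAMPLE_528, SAMPLE_4624_NETWORK]):
        print(f"{rec['event_id']}: {rec['domain']}\\{rec['user']} from {rec['source_ip']}")
```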


2-Tier PKI (offline Root, online Sub) smart card logon: revocation Check failed


Hi everyone

I've followed this setup guide to create a 2-tier PKI environment in my lab: https://technet.microsoft.com/en-us/library/hh831348.aspx

For the overview (Computername, Role):

Domain: pki.local
S01: AD/DC/DNS (2012x64R2)
S02: offline RootCA (2012x64R2)
|_  S03: online Enterprise SubCA (2012x64R2)

WS01: Windows 7x64

Except for the creation of an IIS (for the CRL), I did all the steps as precisely as possible (only changed the server name).

I've duplicated the default smartcard-login-template, and changed the following settings:

  • Compatibility Settings:
    Certification Authority -> "Windows Server 2012R2"
    Certificate Recipient -> "Windows 7 / Server 2008R2"
  • Request Handling -> "Prompt the user during enrollment"

  • Cryptography:
    Provider Category -> "Key Storage Provider"
    CSP -> "Microsoft Smart Card key Storage Provider"
    Request hash -> "SHA512"

Other necessary templates which are active: "Domain Controller Authentication" and "Workstation Authentication"; both have autoenrollment for the specific group (Domain Computers and Domain Controllers).

Well, so far so good, every node has its certificate (S01, S02, S03, WS01 and the [DomainUser]) and they seem "happy" so far (no event spotted so far).

But unfortunately I wasn't able to log in via smartcard on WS01.

The Error Message is:
"The system could not log you on. The revocation status of the domain controller certificate used for smart card authentication could not be determined."

This is what 'certutil -verify C:\CertName.cer' on my smartcard certificate gave me:

Issuer:
    CN=pkiLocalSubCA
    DC=pki
    DC=local
Subject:
    CN=vilu
Cert Serial Number: 1d00000004ce3d86ea41641832000000000004

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  NotBefore: 03.12.2015 10:49
  NotAfter: 02.12.2016 10:49
  Subject: CN=vilu
  Serial: 1d00000004ce3d86ea41641832000000000004
  SubjectAltName: Other Name:Principal Name=vilu@pki.local
  Template: pkiLocalSmartCardLogonSHA512
  a2 a7 cc 52 c4 39 d3 65 db 0f b8 28 5c 7c fa 3d 3f 20 fb 42
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Revocation Check Failed "Certificate (0)" Time: 0
    [0.0] ldap:///CN=pkiLocalSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pki,DC=local?cACertificate?base?objectClass=certificationAuthority

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (03)" Time: 0
    [0.0] ldap:///CN=pkiLocalSubCA,CN=s03,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pki,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 03:
    Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
    b8 5e 02 f4 31 f6 18 36 80 54 84 19 6e 30 5b 8b da 62 0b c5
  Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  NotBefore: 02.12.2015 15:04
  NotAfter: 02.12.2030 15:14
  Subject: CN=pkiLocalSubCA, DC=pki, DC=local
  Serial: 2800000002843fad26b2b5e72b000000000002
  Template: SubCA
  6b 31 94 de 6a 4d 65 cc d1 80 f6 b8 90 d1 b8 81 e2 ed 6f d8
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file:////s02/CertEnroll/s02_pkiLocalRootCA.crt

  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: More data is available. 0x800700ea (WIN32/HTTP: 234)
    ldap:///CN=pkiLocalRootCA,CN=s02,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Failed "CDP" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file:////s02/CertEnroll/pkiLocalRootCA.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  NotBefore: 02.12.2015 13:39
  NotAfter: 02.12.2045 13:49
  Subject: CN=pkiLocalRootCA, DC=pki, DC=local
  Serial: 1bb801f4dbdda5b54d6e99c06c399e7f
  e0 a6 f6 a2 d9 ae a8 a9 0b 68 48 d2 51 fa 9d 1f e3 90 c8 99
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  30 e2 9d 8d f9 97 7d 14 6b 98 83 2a 4c 6e cd cf 73 a7 82 8e
Full chain:
  55 dd 43 51 46 1e 4c 34 73 9f 8d 53 fc 6d dd ec 32 ec da 72
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  NotBefore: 03.12.2015 10:49
  NotAfter: 02.12.2016 10:49
  Subject: CN=vilu
  Serial: 1d00000004ce3d86ea41641832000000000004
  SubjectAltName: Other Name:Principal Name=vilu@pki.local
  Template: pkiLocalSmartCardLogonSHA512
  a2 a7 cc 52 c4 39 d3 65 db 0f b8 28 5c 7c fa 3d 3f 20 fb 42
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

And this is what 'certutil -scinfo' gave:

The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
--- Reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
---   Card: CardOS V4.4
---    ATR:
3b d2 18 02 c1 0a 31 fe  58 c8 0d 51               ;.....1.X..Q


=======================================================
Analyzing card in reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
---   Card: CardOS V4.4
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = le-pkiLocalSmartCardLogonSHA512-5-18734 [Default Container]

No AT_SIGNATURE key for reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0

Performing AT_KEYEXCHANGE public key matching test...
Public key matching test succeeded
  Key Container = le-pkiLocalSmartCardLogonSHA512-5-18734
  Provider = Microsoft Base Smart Card Crypto Provider
  ProviderType = 1
  Flags = 1
  KeySpec = 1 -- AT_KEYEXCHANGE
Private key verifies

Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x1000040
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  NotBefore: 03.12.2015 11:35
  NotAfter: 02.12.2016 11:35
  Subject: CN=vilu
  Serial: 1d000000076cb29753c5f48fb9000000000007
  SubjectAltName: Other Name:Principal Name=vilu@pki.local
  Template: pkiLocalSmartCardLogonSHA512
  65 a1 30 66 13 21 8d 2e 92 03 9c b7 db c9 e4 69 59 bd 7a 2a
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 03:
    Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
    b8 5e 02 f4 31 f6 18 36 80 54 84 19 6e 30 5b 8b da 62 0b c5
  Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  NotBefore: 02.12.2015 15:04
  NotAfter: 02.12.2030 15:14
  Subject: CN=pkiLocalSubCA, DC=pki, DC=local
  Serial: 2800000002843fad26b2b5e72b000000000002
  Template: SubCA
  6b 31 94 de 6a 4d 65 cc d1 80 f6 b8 90 d1 b8 81 e2 ed 6f d8
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  NotBefore: 02.12.2015 13:39
  NotAfter: 02.12.2045 13:49
  Subject: CN=pkiLocalRootCA, DC=pki, DC=local
  Serial: 1bb801f4dbdda5b54d6e99c06c399e7f
  e0 a6 f6 a2 d9 ae a8 a9 0b 68 48 d2 51 fa 9d 1f e3 90 c8 99
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  b2 77 c9 09 2c 45 32 00 57 67 e9 b5 b9 2d f0 77 0d b0 2a 7b
Full chain:
  8b 58 8f 0b e7 50 fc ae 01 07 95 5e 2a 63 4d 46 30 96 a0 34
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  NotBefore: 03.12.2015 11:35
  NotAfter: 02.12.2016 11:35
  Subject: CN=vilu
  Serial: 1d000000076cb29753c5f48fb9000000000007
  SubjectAltName: Other Name:Principal Name=vilu@pki.local
  Template: pkiLocalSmartCardLogonSHA512
  65 a1 30 66 13 21 8d 2e 92 03 9c b7 db c9 e4 69 59 bd 7a 2a
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Displayed AT_KEYEXCHANGE cert for reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
---   Card: CardOS V4.4
Provider = Microsoft Smart Card Key Storage Provider
Key Container = le-pkiLocalSmartCardLogonSHA512-5-18734


Performing  public key matching test...
Public key matching test succeeded
  Key Container = le-pkiLocalSmartCardLogonSHA512-5-18734
  Provider = Microsoft Smart Card Key Storage Provider
  ProviderType = 0
  Flags = 1
  KeySpec = 0
Private key verifies

Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x1000040
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  NotBefore: 03.12.2015 11:35
  NotAfter: 02.12.2016 11:35
  Subject: CN=vilu
  Serial: 1d000000076cb29753c5f48fb9000000000007
  SubjectAltName: Other Name:Principal Name=vilu@pki.local
  Template: pkiLocalSmartCardLogonSHA512
  65 a1 30 66 13 21 8d 2e 92 03 9c b7 db c9 e4 69 59 bd 7a 2a
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 03:
    Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
    b8 5e 02 f4 31 f6 18 36 80 54 84 19 6e 30 5b 8b da 62 0b c5
  Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  NotBefore: 02.12.2015 15:04
  NotAfter: 02.12.2030 15:14
  Subject: CN=pkiLocalSubCA, DC=pki, DC=local
  Serial: 2800000002843fad26b2b5e72b000000000002
  Template: SubCA
  6b 31 94 de 6a 4d 65 cc d1 80 f6 b8 90 d1 b8 81 e2 ed 6f d8
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  NotBefore: 02.12.2015 13:39
  NotAfter: 02.12.2045 13:49
  Subject: CN=pkiLocalRootCA, DC=pki, DC=local
  Serial: 1bb801f4dbdda5b54d6e99c06c399e7f
  e0 a6 f6 a2 d9 ae a8 a9 0b 68 48 d2 51 fa 9d 1f e3 90 c8 99
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  b2 77 c9 09 2c 45 32 00 57 67 e9 b5 b9 2d f0 77 0d b0 2a 7b
Full chain:
  8b 58 8f 0b e7 50 fc ae 01 07 95 5e 2a 63 4d 46 30 96 a0 34
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  NotBefore: 03.12.2015 11:35
  NotAfter: 02.12.2016 11:35
  Subject: CN=vilu
  Serial: 1d000000076cb29753c5f48fb9000000000007
  SubjectAltName: Other Name:Principal Name=vilu@pki.local
  Template: pkiLocalSmartCardLogonSHA512
  65 a1 30 66 13 21 8d 2e 92 03 9c b7 db c9 e4 69 59 bd 7a 2a
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Displayed  cert for reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0

--------------===========================--------------

Done.
CertUtil: -SCInfo command completed successfully.

But when I do a URL check, it seems fine... well, at least it's there:

[pretend to have an image, I'm not allowed to publish an image on TechNet yet, but the URL retrieval tool status says: verified]

I'm pretty sure I did something wrong, but it's disturbing being unable to find any solutions for this.

Help, please? Anyone?
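The dump above is long enough that it helps to let a script say which chain element failed and why; the Python below is an added example, not part of the post or of certutil, that parses the CertContext[i][j] blocks of a 'certutil -verify' trace (a shortened copy of the post's output is embedded as the sample), decodes dwErrorStatus into CERT_TRUST_* names using the wincrypt.h bit values, and lists the AIA/CDP URLs that could not be retrieved. On the post's output that isolates element 1, the issuing CA's own certificate, whose revocation data the client tried to fetch from file:// paths and from an LDAP URL carrying DC=UnavailableConfigDN.

```python
"""Added example: pull the failing chain element and its dead URLs out of a certutil -verify dump."""
import re

# CERT_TRUST_* error-status bits from wincrypt.h that matter for revocation triage.
ERROR_BITS = {0x1: "IS_NOT_TIME_VALID", 0x4: "IS_REVOKED", 0x8: "IS_NOT_SIGNATURE_VALID",
              0x10: "IS_NOT_VALID_FOR_USAGE", 0x20: "IS_UNTRUSTED_ROOT",
              0x40: "REVOCATION_STATUS_UNKNOWN", 0x800: "INVALID_NAME_CONSTRAINTS",
              0x10000: "IS_PARTIAL_CHAIN", 0x1000000: "IS_OFFLINE_REVOCATION"}
ELEMENT_RE = re.compile(
    r"^CertContext\[(\d+)\]\[(\d+)\]: dwInfoStatus=([0-9a-fA-F]+) dwErrorStatus=([0-9a-fA-F]+)")
URL_ERROR_RE = re.compile(r"^\s*Error retrieving URL: (.+)$")

# Shortened copy of the post's 'certutil -verify' output, used as the sample input.
SAMPLE_DUMP = """
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  Subject: CN=vilu
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (03)" Time: 0
    [0.0] ldap:///CN=pkiLocalSubCA,CN=s03,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pki,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  Subject: CN=pkiLocalSubCA, DC=pki, DC=local
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file:////s02/CertEnroll/s02_pkiLocalRootCA.crt
  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: More data is available. 0x800700ea (WIN32/HTTP: 234)
    ldap:///CN=pkiLocalRootCA,CN=s02,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Failed "CDP" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file:////s02/CertEnroll/pkiLocalRootCA.crl

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  Subject: CN=pkiLocalRootCA, DC=pki, DC=local

Full chain:
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  Subject: CN=vilu
"""


def decode_flags(value, table=ERROR_BITS):
    """Expand a dwErrorStatus value into the CERT_TRUST_* names it is made of."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def parse_chain_dump(text):
    """Collect subject, error status and unreachable URLs for every CertContext[i][j]."""
    elements, current, pending = [], None, None
    for line in text.splitlines():
        m = ELEMENT_RE.match(line)
        if m:
            current = {"index": int(m.group(2)), "subject": "",
                       "error_status": int(m.group(4), 16), "failed_urls": []}
            elements.append(current)
            pending = None
            continue
        if line.startswith(("Exclude leaf cert:", "Full chain:")):
            current = None  # the trailing summary repeats the leaf; stop collecting
        if current is None:
            continue
        stripped = line.strip()
        err = URL_ERROR_RE.match(line)
        if stripped.startswith("Subject:"):
            current["subject"] = stripped[len("Subject:"):].strip()
        elif err:
            pending = err.group(1).strip()  # the URL itself is on the next line
        elif pending is not None and stripped:
            current["failed_urls"].append((stripped, pending))
            pending = None
    return elements


def triage(text):
    """One line per element with a non-zero error status, then the URLs it could not load."""
    report = []
    for el in parse_chain_dump(text):
        flags = decode_flags(el["error_status"])
        if not flags:
            continue
        report.append(f"element {el['index']} ({el['subject']}): {' | '.join(flags)}")
        report.extend(f"    could not retrieve {url}: {why}" for url, why in el["failed_urls"])
    return report


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_DUMP)))
```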

Installing 3rd Party Certificates on Domain Controllers


Hi,

We have migrated from Microsoft PKI to an Entrust PKI solution. My environment has about 50+ DCs and now I have been asked to install certificates from Entrust to support LDAP/S.

Entrust gives a document to create and install certificates on a single DC using GUID and FQDN.

Is there any possibility to request and install certificates on all 50 domain controllers using automated methods like GPOs?


Regards,
Rafic


CA templates full control and autoenrollment


Hi,

I have several CA templates published in my domain. I want the PKI managers to have full control of the templates to manage access rights for other groups. My problem is that as soon as I tick "full control", the "autoenrollment" checkbox gets ticked too. Now all the CA managers get autoenrolled for certificates and popups appear on their clients to add a subject name (subject name --> supply in request is configured in some templates). Is there a way to avoid that behaviour?

Cheers

Arno

Windows Server - User Profile History


Hi guys, 

I have a question about user profile history. We have Windows Server 2008, and more than a year ago one of the domain users logged in, and the next day this profile was deleted. The user was logged in via an RDP connection. As we know, user profiles are stored in the registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

There is no trace of this user here.

My question is, where can we find the complete history of users who have logged in to Windows since the installation of Windows Server 2008?

Thanks for help and best regards. 


Ninja 4 IT




The Network Device Enrollment Service cannot submit the certificate request


Hello,

I'm using a 2008 R2 Enterprise CA (CA1). I also have a 2008 R2 SP1 Enterprise NDES server (NDES1). After a reboot, NDES1 cannot successfully submit a certificate request; the following message is shown in the logs:

The Network Device Enrollment Service cannot submit the certificate request (0x800706ba).The RPC server is unavailable

I've tried applying the hotfix https://support.microsoft.com/en-us/kb/2633200, but the installer's progress bar and CPU hits 100% without ever finishing. Rebooting NDES2 doesn't help - I still can't install the patch.

Please advise.

Thanks



A question about SHA1 deprecation and a code signing cert signed with SHA1


I believe that Microsoft are dropping (potentially blocking) support for SHA1-signed certs from 1 July 2016.

I believe this is mainly related to browsers (e.g. data in transit), but what about data at rest?

For example, I have a code signing cert which expires mid 2017 (signed by a 2003 R2 CA and therefore signed with SHA1).

I have the PowerShell execution policy set to RemoteSigned and therefore sign scripts where relevant to allow them to run.

Does MS have any plans to release an OS patch or similar to block PowerShell (e.g. AuthenticationCode) from executing scripts signed via a SHA1 cert?

Any advice most welcome.

Thanks

Ernie

Nessus Scan says disallowed CTL has not been updated.


I'd like to start out by saying I'm not primarily a server guy, but have been placed in a position to fix an issue. I do have some knowledge, but I apologize in advance for anything I say incorrectly, as I'm unfamiliar with some of the appropriate lingo.

I'm trying to fix a vulnerability in my Windows Server 2008 R2 server identified by my IA folks: despite the fact that I have installed the correct patches and manually installed the disallowedcert.ctl, the scan is still saying that my disallowed CTL has not been updated. I have KB 2813430 installed and have right-clicked on the disallowedcert.ctl that I downloaded from the Microsoft page and clicked install. Using MMC with the Certificates snap-in, under the certificates for the computer, in the Enterprise Trust folder, I see the CTL that I believe I installed.

When I view the CTL it says the certificate trust list is not valid because the certificate that signed the list is not valid. I'm not sure if this is the reason why the scan is showing this as a vulnerability or not, but it's the only thing that seems out of the ordinary to me. When I view the CTL and view the signature, it brings up the digital signature details; I then view that certificate and look at its certification path, and it shows the MS root CA as valid, then the intermediate MS cert trust list PCA as valid, but under that it shows the MS cert trust list Publisher as invalid. When I click on it, it says "This certificate does not appear to be valid for the selected purpose." It never says what the selected purpose is.

Does anyone have any idea why this CTL I got from Microsoft would appear to have an invalid digital signature? The disallowedcertstl.cab was downloaded from ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab and then extracted to produce the disallowedcert.ctl.

Any help would be greatly appreciated. Thanks in advance for any help.

Migrate SHA-1 Hash Algorithm SSL certificates to SHA-2


Hi All,

I am hearing the news that SHA-1 certificates will soon be phased out on Chrome and Microsoft platforms. I am OK with replacing public certificates with SHA-2 certificates.

But I see that our internal certificates are also issued with the SHA-1 algorithm, and these SSL certificates are used in the LAN to access internal sites. So do I need to get the internal certificates reissued with SHA-2 (256)? If so, what do I need to change on the CA server to use the SHA-2 algorithm?

Thanks in advance.


Mahi

Retrieve a Recovery Key certificate from the Issuing CA


The certificate for my Key Recovery agent is expiring so I:

  1. Logged in as the KRA agent and requested a new certificate from the MMC console Personal store and selected the Key Recovery Agent template.
  2. Logged in as Admin and approved the certificate from the 'Pending Requests' folder

Now what am I to do to retrieve the approved certificate?  The 'Personal' store is empty.

I also used the web interface (http://server/certsrv/Default.asp) but only see three options:

  • Request a certificate
  • View the status of a pending certificate request
  • Download a CA certificate, certificate chain, or CRL.

Your thoughts? I would like to install the certificate on a special desktop and archive a copy of the certificate for safe keeping.

Thanks



