Channel: Security forum

Event ID 2887, ActiveDirectory_DomainService - How to prevent the warning from happening?


Hi, new to the forums here :)

I have a problem during a server check-up: when I took a look at the event viewer on my server (Windows 2012 R2), apparently every day at 17:49 (server time) a warning occurred with event ID 2887 - LDAP Interface.

I've already set a trap to get the IP address that is doing this LDAP signing, and it turns out that the IP belongs to the firewall that I own.

The IP X.X.0.1 belongs to my firewall and unfortunately I cannot determine what client triggers this warning, as the firewall does not have any pre-scheduled task for LDAP binding requests and every device that connects to the firewall does not have any schedule that occurs at this exact time either. Correct me if I'm wrong, but I don't think a firewall can initiate an LDAP binding request, so I believe that a client connecting to the firewall must be triggering the firewall to do this.

My question: are there any other methods besides entrapment to find the real source of the LDAP binding request? Thanks.
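Added example (not from the original post): event 2887 is only a daily summary, but raising the "16 LDAP Interface Events" diagnostics level on the domain controller makes NTDS log one event 2889 per unsigned bind, with the client address and the account that bound. The script below turns that on, then summarises the 2889 events per source address. The account name is often the quickest way to tell whether an address such as the firewall's is binding on its own behalf or on behalf of something behind it. The regular expressions assume the 2889 message wording as shown on Windows Server 2012 R2.

```powershell
# Added example: find the clients behind event 2887 by collecting per-bind event 2889.
# Run as an administrator on the DC that raises 2887. Level 2 is verbose: set it back
# to 0 (the default) once the source has been identified.
# Assumption: the regexes follow the 2889 message text as shown on Windows Server 2012 R2.

$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '16 LDAP Interface Events'

function Enable-LdapBindLogging  { Set-ItemProperty -Path $diagKey -Name $valueName -Value 2 -Type DWord }
function Disable-LdapBindLogging { Set-ItemProperty -Path $diagKey -Name $valueName -Value 0 -Type DWord }

function Get-UnsignedLdapBindClients {
    param([int]$Hours = 24)   # long enough to cover the daily 17:49 window from the post
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $msg = $e.Message
        $client   = if ($msg -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        $identity = if ($msg -match 'Identity the client attempted to authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
        $bindType = if ($msg -match 'Binding Type:\s*(\d)') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            ClientIP = $client -replace ':\d+$', ''   # strip the ephemeral source port
            Identity = $identity
            # Per the event's own legend: 0 = SASL bind without signing, 1 = simple bind in clear text
            Bind     = if ($bindType -eq '1') { 'simple bind (clear text)' } else { 'SASL bind without signing' }
        }
    }

    # One line per source address, most frequent first, with every account seen from it.
    # A NAT device or proxy (such as the firewall in the post) appears as one address
    # with the accounts behind it, which usually names the real client.
    $rows | Group-Object ClientIP | Sort-Object Count -Descending | ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            ClientIP  = $_.Name
            Binds     = $_.Count
            Accounts  = ($_.Group.Identity | Sort-Object -Unique) -join '; '
            BindTypes = ($_.Group.Bind | Sort-Object -Unique) -join '; '
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    }
}

# Usage: enable logging, wait past the next 17:49 occurrence, then summarise and disable.
# Enable-LdapBindLogging
Get-UnsignedLdapBindClients -Hours 24 | Format-Table -AutoSize
# Disable-LdapBindLogging
```

The grouped output is also the input for the eventual fix: once the clients are known, they can be configured to sign (or use LDAPS) before LDAP signing is enforced on the DC.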

CertUtil: The instruction at 0x%08lx referenced memory at 0x%08lx.


Hi fellows,

I am currently trying to re-sign a certificate on a Windows Server 2008 R2 (fully patched) system (ADCS CA):


certutil -sign <oldfile> <newfile>

Signing keys are in software (Microsoft Software Key Storage Provider), the cert was issued by this CA, is a CA itself (sub) and is not revoked

Command output

301.3561.0:<2015/11/26, 10:0:3>: 0xc0000005 (-1073741819): 0x0 @ 0x00000000FFF33864
CertUtil: -sign command FAILED: 0xc0000005 (-1073741819)
CertUtil: The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
301.3792.0:<2015/11/26, 10:0:3>: 0xc0000005 (-1073741819)

certutil.log

========================================================================
402.511.948: Begin: 11/26/2015 10:09 AM 53.224s
402.516.0: certutil
402.520.0: GMT + 1.00
301.3888.0: certcli.dll: 6.1:7601.18833 retail
301.3888.0: certutil.exe: 6.1:7601.18151 retail
301.3788.465:<2015/11/26, 10:9:53>: Command Line: CertUtil -sign \temp\sub\sub.cer \temp\sub\new.cer
301.3561.0:<2015/11/26, 10:9:53>: 0xc0000005 (-1073741819): 0x0 @ 0x00000000FFFC3864
301.3792.0:<2015/11/26, 10:9:53>: 0xc0000005 (-1073741819)
301.3807.509:<2015/11/26, 10:9:53>: Command Status: The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. 0xc0000005 (-1073741819)
402.377.949: End: 11/26/2015 10:09 AM 53.255s

certutil verify

Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Nothing interesting in the CAPI2 log, certsrv.log, etc. I can sign with the key, as I can publish a new CRL.

Installed KB2615174. (Actually the sub CA is v1.1 and I want to resign it to v2.1 manually).

Does anyone have an idea? :)


WS 2012 R2 - CES/CEP setup for domain joined computers


We are planning to use a CES/CEP server setup for deploying certificate templates. I have installed the Root CA/Issuing CA/CES/CEP as per the Microsoft technote.

But now, when I try to enroll for a certificate based on the enrollment policy (user/computer - duplicate template of the original template), I am getting an error that "Certificate Types are not available. You cannot request a certificate at this time because no certificate types are available".

Although the certificate template is available in the Issuing CA, as I can enroll via the Active Directory Enrollment Policy.

The SPN is set up for the CES/CEP service account and I can see an event on the CEP server (the account is impersonating on behalf of the user/computer). The CEP server also shows an event that "The Active Directory certificate enrollment policy provider has been initialized to target the default domain controller for the current domain".

Please advise what further troubleshooting I should do to see why CEP is not able to retrieve the templates.

Thanks in advance.


Sanjeev Sharda

cannot log onto the credentials verification site at Microsoft


I have a document in Office 2010 on a Windows 10 application that is protected by IRM. Until recently (November) I could display my credentials and open it. I can't even apply for credentials now: it says that the credentials verification site is untrustworthy, and will not continue. How do I open my document? IT IS VERY VERY IMPORTANT I GAIN ACCESS IMMEDIATELY!

SIGNED

extremely frustrated

certutil.exe -addstore Disallowed sst


Hi

During the security scan, the tool found that

HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\e1f3591e769865c4e447acc37eafc9e2bfe4c576 is missing

because the servers don't have access to the internet and don't download the CTL. I followed the link:

https://technet.microsoft.com/en-us/library/dn265983.aspx#BKMK_PrepServer

but it describes how to create a subset of trusted certs and I need to create a subset of untrusted certs.

I also tried using certutil but got the following:

C:\Users\xxx>certutil -addstore Disallowed \\xxx\source\ctl\disallowedcert.sst
Disallowed
CertUtil: -addstore command FAILED: 0x8009310b (ASN: 267)
CertUtil: ASN1 bad tag value met.

Does anyone have an automatic way to do this?
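Added example (not from the original post): a PowerShell version of the check the scanner performs, followed by an import into the machine's Disallowed store when the certificate is absent. The Cert: drive's LocalMachine\Disallowed store is backed by the HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed registry key that the scanner inspects. The thumbprint is the one reported in the post; the share path is a placeholder, and Import-Certificate is assumed to accept a serialized store (.sst) file as input.

```powershell
# Added example: ensure a specific untrusted certificate is in the Disallowed store,
# importing a serialized store (.sst) of disallowed certificates if it is missing.
# Assumptions: the thumbprint is the one the scanner reported; the share path is a
# placeholder; Import-Certificate is assumed to accept .sst input.

function Add-DisallowedCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$SstPath
    )
    # Backed by HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\<thumbprint>
    $store = 'Cert:\LocalMachine\Disallowed'
    $Thumbprint = $Thumbprint.ToUpperInvariant()

    $existing = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($existing) {
        return [pscustomobject]@{ Thumbprint = $Thumbprint; Action = 'already present'; Subject = $existing.Subject; Imported = 0 }
    }

    if (-not (Test-Path -Path $SstPath)) { throw "SST file not found: $SstPath" }

    # Every certificate in the serialized store is written into the Disallowed store.
    $imported = @(Import-Certificate -FilePath $SstPath -CertStoreLocation $store)
    $hit = $imported | Where-Object { $_.Thumbprint -eq $Thumbprint }

    [pscustomobject]@{
        Thumbprint = $Thumbprint
        Action     = if ($hit) { 'imported' } else { 'file imported, but thumbprint still absent' }
        Subject    = if ($hit) { $hit.Subject } else { $null }
        Imported   = $imported.Count
    }
}

# Run elevated on each offline server; the .sst is staged on an internal share.
Add-DisallowedCertificate -Thumbprint 'e1f3591e769865c4e447acc37eafc9e2bfe4c576' `
                          -SstPath '\\fileserver\ctl\disallowedcert.sst'   # placeholder path
```

The "file imported, but thumbprint still absent" outcome is worth keeping as a distinct result: it means the .sst on the share is older than the scanner's expectation and needs refreshing, rather than that the import failed.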

Request.inf ProviderName after upgrading CA to SHA256. Does it change?


I just completed an upgrade to my new Windows 2012 R2 CA two-tier infrastructure. For many usages I manually request certificates using an INF file to start the process. Currently my INF template has the following value:

ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

Should it change to:

ProviderName = "Microsoft Key Storage Provider"

Thanks, Stu

;----------------- request.inf -----------------

[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=LABCT-HFIB1DC.HFIB1.com" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
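Added example (not the poster's file): the same request rewritten for the CNG software key storage provider, wrapped in a PowerShell script that writes the INF and generates the request with certreq. Three things differ from the legacy-CSP version above: ProviderName names the KSP ("Microsoft Software Key Storage Provider"), ProviderType is dropped because it is a CSP-only setting, and HashAlgorithm sets the hash used to sign the PKCS#10 request itself. The hash the CA uses when signing the issued certificate is configured on the CA, not in the request. The FQDN and file paths are placeholders, and Exportable is set to FALSE here as the safer choice for a DC key, which differs from the poster's file.

```powershell
# Added example: request.inf variant for the CNG software KSP, written and submitted
# to certreq. Assumptions: the FQDN and paths are placeholders; Exportable = FALSE is a
# deliberate choice that differs from the poster's TRUE.

$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=LABCT-HFIB1DC.HFIB1.com"   ; placeholder: FQDN of the DC
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256                    ; signature hash on the PKCS#10 request
Exportable = FALSE                        ; private key cannot be exported from the KSP
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"   ; CNG KSP: no ProviderType line
RequestType = PKCS10
KeyUsage = 0xa0                           ; Digital Signature + Key Encipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1                   ; Server Authentication
'@

$infPath = Join-Path $env:TEMP 'request-ksp.inf'
$reqPath = Join-Path $env:TEMP 'request-ksp.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair in the KSP and write the CSR (MachineKeySet needs an elevated prompt).
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Confirm the request is signed with SHA-256 before submitting it to the CA.
& certutil.exe -dump $reqPath | Select-String -Pattern 'Algorithm'
```

The single-quoted here-string matters: `$Windows NT$` must reach the file literally, and a double-quoted here-string would try to expand `$Windows` as a variable.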

Offline Root CA - OCSP URL configuration under extension


Hi,

Recently, in my lab, I have installed and configured Offline Root CA. Under AIA extension, I have added "http://mylab.com/ocsp" URL.

When I run PKIView.msc, I could see the status as 'Error' for Root CA OCSP Location. But for Subordinate CA OCSP Location, the status is OK.

My query is, should we configure OCSP URL in Offline Root CA extension or not?

Note: OCSP Responder is configured for subordinate CA only.

Thanks in advance.

Anil Kumar.


2-Tier PKI (offline Root, online Sub) smart card logon: revocation Check failed


Hi everyone

I've followed this setup guide to create a 2-tier PKI environment in my lab: https://technet.microsoft.com/en-us/library/hh831348.aspx

For the overview (Computername, Role):

Domain: pki.local
S01: AD/DC/DNS (2012x64R2)
S02: offline RootCA (2012x64R2)
|_  S03: online Enterprise SubCA (2012x64R2)

WS01: Windows 7x64

Except for the creation of an IIS (for CRL), I did all the steps as precisely as possible (only changed the server name).

I've duplicated the default smartcard-login-template, and changed the following settings:

  • Compatibility Settings:
    Certification Authority -> "Windows Server 2012R2"
    Certificate Recipient -> "Windows 7 / Server 2008R2"
  • Request Handling -> "Prompt the user during enrollment"

  • Cryptography:
    Provider Category -> "Key Storage Provider"
    CSP -> "Microsoft Smart Card key Storage Provider"
    Request hash -> "SHA512"

Other necessary templates which are active: "Domain Controller Authentication" and "Workstation Authentication"; both have autoenrollment for the specific group (Domain Computers and Domain Controllers).

Well, so far so good, every node has its certificate (S01, S02, S03, WS01 and the [DomainUser]) and they seem "happy" so far (no event spotted so far).

But unfortunately I wasn't able to log in via smart card on WS01.

The Error Message is:
"The system could not log you on. The revocation status of the domain controller certificate used for smart card authentication could not be determined."

This is what 'certutil -verify C:\CertName.cer' from my smart card certificate gave me:

Issuer:
    CN=pkiLocalSubCA
    DC=pki
    DC=local
Subject:
    CN=vilu
Cert Serial Number: 1d00000004ce3d86ea41641832000000000004

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  NotBefore: 03.12.2015 10:49
  NotAfter: 02.12.2016 10:49
  Subject: CN=vilu
  Serial: 1d00000004ce3d86ea41641832000000000004
  SubjectAltName: Other Name:Principal Name=vilu@pki.local
  Template: pkiLocalSmartCardLogonSHA512
  a2 a7 cc 52 c4 39 d3 65 db 0f b8 28 5c 7c fa 3d 3f 20 fb 42
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Revocation Check Failed "Certificate (0)" Time: 0
    [0.0] ldap:///CN=pkiLocalSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pki,DC=local?cACertificate?base?objectClass=certificationAuthority

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (03)" Time: 0
    [0.0] ldap:///CN=pkiLocalSubCA,CN=s03,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=pki,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 03:
    Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
    b8 5e 02 f4 31 f6 18 36 80 54 84 19 6e 30 5b 8b da 62 0b c5
  Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  NotBefore: 02.12.2015 15:04
  NotAfter: 02.12.2030 15:14
  Subject: CN=pkiLocalSubCA, DC=pki, DC=local
  Serial: 2800000002843fad26b2b5e72b000000000002
  Template: SubCA
  6b 31 94 de 6a 4d 65 cc d1 80 f6 b8 90 d1 b8 81 e2 ed 6f d8
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file:////s02/CertEnroll/s02_pkiLocalRootCA.crt

  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: More data is available. 0x800700ea (WIN32/HTTP: 234)
    ldap:///CN=pkiLocalRootCA,CN=s02,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Failed "CDP" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50)
    file:////s02/CertEnroll/pkiLocalRootCA.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  NotBefore: 02.12.2015 13:39
  NotAfter: 02.12.2045 13:49
  Subject: CN=pkiLocalRootCA, DC=pki, DC=local
  Serial: 1bb801f4dbdda5b54d6e99c06c399e7f
  e0 a6 f6 a2 d9 ae a8 a9 0b 68 48 d2 51 fa 9d 1f e3 90 c8 99
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  30 e2 9d 8d f9 97 7d 14 6b 98 83 2a 4c 6e cd cf 73 a7 82 8e
Full chain:
  55 dd 43 51 46 1e 4c 34 73 9f 8d 53 fc 6d dd ec 32 ec da 72
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  NotBefore: 03.12.2015 10:49
  NotAfter: 02.12.2016 10:49
  Subject: CN=vilu
  Serial: 1d00000004ce3d86ea41641832000000000004
  SubjectAltName: Other Name:Principal Name=vilu@pki.local
  Template: pkiLocalSmartCardLogonSHA512
  a2 a7 cc 52 c4 39 d3 65 db 0f b8 28 5c 7c fa 3d 3f 20 fb 42
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

And this is what 'certutil -scinfo' gave:

The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
--- Reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
---   Card: CardOS V4.4
---    ATR:
3b d2 18 02 c1 0a 31 fe  58 c8 0d 51               ;.....1.X..Q


=======================================================
Analyzing card in reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
---   Card: CardOS V4.4
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = le-pkiLocalSmartCardLogonSHA512-5-18734 [Default Container]

No AT_SIGNATURE key for reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0

Performing AT_KEYEXCHANGE public key matching test...
Public key matching test succeeded
  Key Container = le-pkiLocalSmartCardLogonSHA512-5-18734
  Provider = Microsoft Base Smart Card Crypto Provider
  ProviderType = 1
  Flags = 1
  KeySpec = 1 -- AT_KEYEXCHANGE
Private key verifies

Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x1000040
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  NotBefore: 03.12.2015 11:35
  NotAfter: 02.12.2016 11:35
  Subject: CN=vilu
  Serial: 1d000000076cb29753c5f48fb9000000000007
  SubjectAltName: Other Name:Principal Name=vilu@pki.local
  Template: pkiLocalSmartCardLogonSHA512
  65 a1 30 66 13 21 8d 2e 92 03 9c b7 db c9 e4 69 59 bd 7a 2a
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 03:
    Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
    b8 5e 02 f4 31 f6 18 36 80 54 84 19 6e 30 5b 8b da 62 0b c5
  Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  NotBefore: 02.12.2015 15:04
  NotAfter: 02.12.2030 15:14
  Subject: CN=pkiLocalSubCA, DC=pki, DC=local
  Serial: 2800000002843fad26b2b5e72b000000000002
  Template: SubCA
  6b 31 94 de 6a 4d 65 cc d1 80 f6 b8 90 d1 b8 81 e2 ed 6f d8
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  NotBefore: 02.12.2015 13:39
  NotAfter: 02.12.2045 13:49
  Subject: CN=pkiLocalRootCA, DC=pki, DC=local
  Serial: 1bb801f4dbdda5b54d6e99c06c399e7f
  e0 a6 f6 a2 d9 ae a8 a9 0b 68 48 d2 51 fa 9d 1f e3 90 c8 99
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  b2 77 c9 09 2c 45 32 00 57 67 e9 b5 b9 2d f0 77 0d b0 2a 7b
Full chain:
  8b 58 8f 0b e7 50 fc ae 01 07 95 5e 2a 63 4d 46 30 96 a0 34
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  NotBefore: 03.12.2015 11:35
  NotAfter: 02.12.2016 11:35
  Subject: CN=vilu
  Serial: 1d000000076cb29753c5f48fb9000000000007
  SubjectAltName: Other Name:Principal Name=vilu@pki.local
  Template: pkiLocalSmartCardLogonSHA512
  65 a1 30 66 13 21 8d 2e 92 03 9c b7 db c9 e4 69 59 bd 7a 2a
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Displayed AT_KEYEXCHANGE cert for reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0
---   Card: CardOS V4.4
Provider = Microsoft Smart Card Key Storage Provider
Key Container = le-pkiLocalSmartCardLogonSHA512-5-18734


Performing  public key matching test...
Public key matching test succeeded
  Key Container = le-pkiLocalSmartCardLogonSHA512-5-18734
  Provider = Microsoft Smart Card Key Storage Provider
  ProviderType = 0
  Flags = 1
  KeySpec = 0
Private key verifies

Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x1000040
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  NotBefore: 03.12.2015 11:35
  NotAfter: 02.12.2016 11:35
  Subject: CN=vilu
  Serial: 1d000000076cb29753c5f48fb9000000000007
  SubjectAltName: Other Name:Principal Name=vilu@pki.local
  Template: pkiLocalSmartCardLogonSHA512
  65 a1 30 66 13 21 8d 2e 92 03 9c b7 db c9 e4 69 59 bd 7a 2a
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 03:
    Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
    b8 5e 02 f4 31 f6 18 36 80 54 84 19 6e 30 5b 8b da 62 0b c5
  Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  NotBefore: 02.12.2015 15:04
  NotAfter: 02.12.2030 15:14
  Subject: CN=pkiLocalSubCA, DC=pki, DC=local
  Serial: 2800000002843fad26b2b5e72b000000000002
  Template: SubCA
  6b 31 94 de 6a 4d 65 cc d1 80 f6 b8 90 d1 b8 81 e2 ed 6f d8
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=pkiLocalRootCA, DC=pki, DC=local
  NotBefore: 02.12.2015 13:39
  NotAfter: 02.12.2045 13:49
  Subject: CN=pkiLocalRootCA, DC=pki, DC=local
  Serial: 1bb801f4dbdda5b54d6e99c06c399e7f
  e0 a6 f6 a2 d9 ae a8 a9 0b 68 48 d2 51 fa 9d 1f e3 90 c8 99
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  b2 77 c9 09 2c 45 32 00 57 67 e9 b5 b9 2d f0 77 0d b0 2a 7b
Full chain:
  8b 58 8f 0b e7 50 fc ae 01 07 95 5e 2a 63 4d 46 30 96 a0 34
  Issuer: CN=pkiLocalSubCA, DC=pki, DC=local
  NotBefore: 03.12.2015 11:35
  NotAfter: 02.12.2016 11:35
  Subject: CN=vilu
  Serial: 1d000000076cb29753c5f48fb9000000000007
  SubjectAltName: Other Name:Principal Name=vilu@pki.local
  Template: pkiLocalSmartCardLogonSHA512
  65 a1 30 66 13 21 8d 2e 92 03 9c b7 db c9 e4 69 59 bd 7a 2a
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Displayed  cert for reader: SCM Microsystems Inc. SCR3311 USB Smart Card Reader 0

--------------===========================--------------

Done.
CertUtil: -SCInfo command completed successfully.

But when I do a URL check, it seems fine... well, at least it's there:

[pretend to have an image, I'm not allowed to publish an image on TechNet yet, but the URL retrieval tool status says: verified]

I'm pretty sure I did something wrong, but it's disturbing being unable to find any solutions for this.

Help, please? Anyone?
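Added example (not from the original post): the chain build and online revocation check that certutil -verify performs above, done through the .NET X509Chain API from PowerShell so the status flags can be read per chain element. In the trace, the Sub CA element carries CERT_TRUST_REVOCATION_STATUS_UNKNOWN and CERT_TRUST_IS_OFFLINE_REVOCATION; the .NET names for the same flags are RevocationStatusUnknown and OfflineRevocation, and the script reports them next to the subject of the certificate they apply to. The certificate path is a placeholder.

```powershell
# Added example: per-element revocation status of a certificate chain via X509Chain.
# Assumption: the certificate path is a placeholder.

function Test-CertChainRevocation {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$ExcludeRoot    # mirrors CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT in the trace
    )
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$ns.X509Certificate2" -ArgumentList $Path
    $chain = New-Object "$ns.X509Chain"

    # Fetch CRLs/OCSP online rather than relying only on the local cache.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $flag = if ($ExcludeRoot) {
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    } else {
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    }
    $chain.ChainPolicy.RevocationFlag = $flag
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $valid = $chain.Build($cert)

    # One row per element, leaf first, naming the flags raised on that certificate.
    $elements = foreach ($el in $chain.ChainElements) {
        $flags = @($el.ChainElementStatus)
        [pscustomobject]@{
            Subject = $el.Certificate.Subject
            Status  = if ($flags.Count -eq 0) { 'OK' } else { ($flags | ForEach-Object { $_.Status }) -join ', ' }
            Detail  = ($flags | ForEach-Object { $_.StatusInformation.Trim() }) -join ' '
        }
    }
    $overall = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $chain.Reset()

    [pscustomobject]@{
        Valid       = $valid
        ChainStatus = if ($overall) { $overall } else { 'NoError' }
        Elements    = $elements
    }
}

$result = Test-CertChainRevocation -Path 'C:\CertName.cer' -ExcludeRoot   # placeholder path
$result | Select-Object Valid, ChainStatus
$result.Elements | Format-Table -AutoSize
```

One caveat when comparing with the logon failure: this runs in the calling user's context, whereas the domain controller certificate check during smart card logon runs under LSA on the workstation, so a CDP reachable from an interactive session (for example a file:// share that needs the user's credentials) can still be unreachable at logon.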


Retrieve a Recovery Key certificate from the Issuing CA


The certificate for my Key Recovery agent is expiring so I:

  1. Logged in as the KRA agent and requested a new certificate from the MMC console Personal store and selected the Key Recovery Agent template.
  2. Logged in as Admin and approved the certificate from the 'Pending Requests' folder

Now what am I to do to retrieve the approved certificate? The 'Personal' store is empty.

I also used the web interface (http://server/certsrv/Default.asp) but only see three options:

  • Request a certificate
  • View the status of a pending certificate request
  • Download a CA certificate, certificate chain, or CRL.

Your thoughts? I would like to install the certificate on a special desktop and archive a copy of the certificate for safe keeping.

Thanks
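Added example (not from the original post): the command-line route for collecting a certificate once the CA administrator has issued the pending request. certreq -retrieve pulls the issued certificate by its Request ID, and certreq -accept matches it to the private key generated at request time and places it in the requester's Personal store; it therefore has to run as the same user, on the same machine, that made the request. The CA config string and the request ID are placeholders.

```powershell
# Added example: retrieve an issued request by ID and install it for the requesting user.
# Assumptions: the CA config string and request ID are placeholders.

$caConfig  = 'ca01.example.com\Example Issuing CA'   # placeholder "host\CA common name"
$requestId = 123                                       # placeholder: Request ID from the CA's Issued Certificates view
$certFile  = Join-Path $env:TEMP "kra-$requestId.cer"

# Pull the issued certificate for that request from the CA database.
& certreq.exe -config $caConfig -retrieve $requestId $certFile
if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed with exit code $LASTEXITCODE" }

# Bind it to the pending private key and place it in the Personal store.
& certreq.exe -accept $certFile
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Confirm: Personal certificates with a private key and the Key Recovery Agent EKU
# (OID 1.3.6.1.4.1.311.21.6).
$kra = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.21.6') } |
    Sort-Object NotAfter -Descending
$kra | Select-Object Subject, NotAfter, Thumbprint

# Archive the public certificate: this is all the CA needs to configure the recovery
# agent, and the private key stays in the user's key store.
if ($kra) {
    $archive = Join-Path $env:TEMP 'kra-archive.cer'
    Export-Certificate -Cert $kra[0] -FilePath $archive | Out-Null
    "Public certificate archived to $archive"
}
```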




Is it possible to give an RA (non MS RA using DCOM) the right to only revoke certs it issued


Hello

We need to add a new RA into the mix of our environment (an AirWatch RA). The default documentation states to give the RA the 'Issue and Manage Certificates' role on the CA; however, this would also give the RA the revoke right too.

You can revoke based on Serial Number only (rather than Template Name and Serial Number); therefore the RA could revoke a cert it did not issue (e.g. we give the RA rights to a specific template only for issuing) from another template (as I believe the template name used to create the certificate in the first instance is not relevant when it comes to revoking a certificate).

If my statement above is correct, is there a workaround to stop the RA revoking certs it did not issue (via a given template, for example)? Or is this an option MS is thinking about adding to AD CS?

Thanks All 

Ernie

Windows Server 2012 registry keys don't exist


hello all,

While using the ESM application to check the security policy for Windows Server 2012 with the Registry module checks, it reports that these 3 keys do not exist. Is this normal?

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel

Thanks a lot in advance

Best Regards

netsh ipsec l2tp psk pap


Security Gurus,

I need a netsh command(s) to connect/establish IPSEC/L2TP. The VPN server is linux, with radius server configured. Need to use both psk and pap with userid and password submitted in the netsh command.

If forced to choose an option, pap is a must in my case;

Can someone point me in the right direction on how to accomplish this? [yes, looking at more recent versions vista, windows7/8 desktops, where netsh is bundled with ipsec, advfirewall, etc.]

PS: Don't worry about user IDs and passwords from a security perspective with PAP. We have a way to deal with them.

Thanks a bunch in anticipation.

ADCS templates compatibility question


Hello,

I have a general question that I hope can be answered before we start a transition to a new version of Windows. The domain controllers are Windows 2012 R2, and some of our client computers may be going to Windows 10 here shortly. In preparation for this the certificate templates are being updated, removing older templates. The question arose that in the compatibility settings of the certificate templates, under certificate recipient, there is nothing for Windows 10. Will the Windows 8.1 / 2012 R2 template work for Windows 10, or is there an update needed for the ADCS server?

Thanks 


Michael R. Mastro II

Certificate Authority in the DMZ


Hi,

I have some DMZ workgroup servers that require certificates installed on them. I am thinking of deploying a Windows certificate authority in the DMZ. 

However, I am not sure if this is a good idea?

Please advise

Thanks

security baseline file for windows 2003


I have a security baseline INF file created for Windows 2003 servers.

How can I re-use this file for newer servers like Windows 2008 and 2012?

The baseline file was done many years ago.

How can I convert it for use on new servers?

; Security Configuration Template for Security Configuration Editor
;
; Template Name:        SSLF-Member Server Baseline.inf
; Template Version:     2.0
;

Is there any way I can extract the configurations on the servers that are using this old baseline template?
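Added example (not from the original post): secedit, the command-line side of the Security Configuration Editor that produced the template above, can both compare a server against an old .inf and export the server's effective local security settings into a new .inf in the same format. The script below does both, then counts the differences from the analysis log. Template path and work directory are placeholders; the "Mismatch" / "Not Configured" wording is what secedit writes in its analysis log.

```powershell
# Added example: analyse a server against a legacy baseline .inf and export its current
# effective security configuration. Assumptions: paths are placeholders; the log
# wording ("Mismatch", "Not Configured") is secedit's own.

function Compare-SecurityBaseline {
    param(
        [Parameter(Mandatory)][string]$TemplateInf,
        [string]$WorkDir = (Join-Path $env:TEMP 'baseline-check')
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $db  = Join-Path $WorkDir 'baseline.sdb'
    $log = Join-Path $WorkDir 'analyze.log'
    $cur = Join-Path $WorkDir 'current-config.inf'
    Remove-Item -Path $db, $log -ErrorAction SilentlyContinue   # start from a clean database

    # Load the template into a local database and compare it with the live settings;
    # every differing setting is written to the log.
    & secedit.exe /analyze /db $db /cfg $TemplateInf /log $log /quiet
    if (-not (Test-Path $log)) { throw 'secedit /analyze produced no log; run from an elevated prompt' }

    # Export the machine's effective local security policy in .inf template format.
    & secedit.exe /export /cfg $cur /quiet
    if (-not (Test-Path $cur)) { throw 'secedit /export produced no file' }

    $mismatch = @(Select-String -Path $log -Pattern 'Mismatch')
    $notConf  = @(Select-String -Path $log -Pattern 'Not Configured')
    [pscustomobject]@{
        Mismatches      = $mismatch.Count
        NotInTemplate   = $notConf.Count
        MismatchLines   = $mismatch | ForEach-Object { $_.Line.Trim() }
        ExportedConfig  = $cur
        AnalysisLog     = $log
    }
}

$r = Compare-SecurityBaseline -TemplateInf 'C:\baselines\SSLF-Member Server Baseline.inf'   # placeholder
"$($r.Mismatches) settings differ from the baseline; $($r.NotInTemplate) are not covered by it. Log: $($r.AnalysisLog)"
$r.MismatchLines
```

The exported current-config.inf is the practical starting point for a 2008/2012 baseline: it already carries the settings and privilege names those versions understand, and the old template's intended values can be merged into it rather than the reverse.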


SSPI: 0x80090342 error in InitializeSecurityContext


Dear all,

OS platform Windows server 2012 r2 64 bit

While using dbca to create an 11.2.0.4 Oracle database I encounter the following error:

ORA-12638 credential retrieval failed

when I check the listener client log it has the following error:

[11-DEZ-2015 15:04:21:759] naun5authent: SSPI: 0x80090342 error in InitializeSecurityContext
[11-DEZ-2015 15:04:21:759] naun5authent: exit
[11-DEZ-2015 15:04:21:759] naunauthent: exit
[11-DEZ-2015 15:04:21:759] nau_ccn: get credentials function failed
[11-DEZ-2015 15:04:21:759] nau_ccn: failed with error 12638

from https://docs.oracle.com/cd/E11882_01/win.112/e10845/authen.htm#NTQRF327

If you use a domain account for database administration, then that domain account must be granted local administrative privileges and ORA_DBA membership explicitly

I've checked that the domain user does have local administrative rights. I'm using the following to check whether the user has local administrative rights. Please tell me if I'm using the wrong command.

net localgroup administrators

C:\Users\wojciech>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CAMTAB\wojciech
CAMTAB\Domain Admins
The command completed successfully.


C:\Users\wojciech>


C:\Users\wojciech\oracle_trace\third_time\event_log_20151209_1451_cet>net localgroup ora_dba
Alias name     ora_dba
Comment        Oracle DBA Group

Members

-------------------------------------------------------------------------------
Administrator
CAMTAB\wojciech
NT AUTHORITY\SYSTEM
The command completed successfully.

If the command is correct, then what patch should I need to apply in order to resolve SSPI: 0x80090342 error in InitializeSecurityContext issues?

many thanks in advance!

Smart Card Logon with NLA


Hello everyone!

On domain-member Windows Server 2012 R2 we configured group policy "Interactive logon: Require smart card"=Enabled. Certificates issued by our internal CA. Everything works fine. Domain users successfully connect to server via RDP with their smart cards. (client pc on windows 8.1)

Now we want to enable NLA on the server. But when we do this, users are unable to connect to the server, with the error "An authentication error has occurred. The function requested is not supported". In the Windows event logs on the server I don't see anything interesting. What do we need to configure for NLA to work?




How to reset Administrator password in WS 2016 TP3?


I forgot my administrator password in WS 2016 TP3, how can I reset that?

I am from PMC; planetminecraft.com/member/dr__steve You should join! I changed my username to _The_Doktor

Use RoboCopy to copy a folder structure template and retain permissions


We have a client that has a Shared Data area they are trying to configure that uses a very convoluted permission structure that requires certain subfolders to have different permissions from their parent folder. Parts of the folder structure they also want to be able to recreate multiple times (use a template). I know that using a simple 'copy/paste' operation kills all the permissions on the 'pasted' copy and causes all folders, subfolders and files to inherit the permissions of the parent folder they are pasted into.

I found an article online that seemed to allow me to do this using Robocopy. The command is: 

robocopy source destination /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE

The only problem with this is that it doesn't 'update' any files that are in the folders. So if a certain user/group had only 'Read' access to files in a certain folder and you use the above command to give them 'Read/Write' within that folder they still only have 'Read' access to existing files even though, when you check their properties, they say they are inheriting from their parent. The only way I found to 'update' the permissions is to 'Save As' the file under a different name (which then has the correct permissions) and then have someone that had 'Delete' permissions to delete the old file so you can then rename the new copy to the proper name.

I'm no Robocopy expert so I'm wondering if there is a switch or something that I can add that would 'refresh' the permissions on the files in the destination to match the new permissions on the folders?
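Added example (not from the original post): the robocopy command from the post, wrapped in a function with a second pass that resets the ACL of every file under the destination so it inherits from the folder it now sits in. /COPYALL writes each file's source ACL onto the destination file, which is why files that already existed keep their old explicit entries; icacls /reset replaces those entries with inherited ones only. Source and destination paths are placeholders, and /ZB with /COPYALL needs an elevated account holding the Backup and Restore privileges.

```powershell
# Added example: copy a folder template with ACLs, then force files to inherit again.
# Assumptions: paths are placeholders; run elevated (robocopy /ZB and /COPYALL need
# the Backup/Restore privileges).

function Copy-FolderTemplate {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [switch]$ResetFileAcls
    )
    # /E subdirs incl. empty, /ZB restartable then backup mode, /DCOPY:T directory timestamps,
    # /COPYALL = data, attributes, timestamps, security (ACL), owner, auditing info.
    & robocopy.exe $Source $Destination /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE
    $rc = $LASTEXITCODE
    # robocopy exit codes below 8 are success or informational; 8 and above report failures.
    if ($rc -ge 8) { throw "robocopy failed with exit code $rc" }

    $reset = 0
    if ($ResetFileAcls) {
        # Files only: the folder ACLs were just copied from the template and define the
        # intended permissions. Each file is reset to plain inheritance from its folder,
        # so a group promoted to Modify on the folder also gets Modify on existing files.
        Get-ChildItem -Path $Destination -Recurse -File | ForEach-Object {
            & icacls.exe $_.FullName /reset /C | Out-Null
            if ($LASTEXITCODE -eq 0) { $reset++ }
        }
    }
    [pscustomobject]@{ Destination = $Destination; RobocopyExit = $rc; FilesReset = $reset }
}

$r = Copy-FolderTemplate -Source 'D:\Templates\ProjectFolder' -Destination 'D:\Shared\Project-2016' -ResetFileAcls
$r

# Spot check: every ACE on a sample file should now be marked as inherited.
$sample = Get-ChildItem -Path $r.Destination -Recurse -File | Select-Object -First 1
if ($sample) { (Get-Acl $sample.FullName).Access | Select-Object IdentityReference, FileSystemRights, IsInherited }
```

Resetting files rather than folders is the deliberate choice here: the template's value is in its folder-level explicit ACEs, and a recursive /reset on the whole tree would wipe those as well.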

How to find the OCSP logs


Dear All,

I have configured a Windows Server 2012 R2 Standard server to run a Certificate Authority and a Online Responder to use OCSP to check on the validity of the issued certificates (a ClearPass appliance is being used to check the certificates). From what I can see, the Online Responder is working and giving OCSP responses that the appliance is interpreting correctly when the certificate is valid, but if I revoke a certificate, OCSP persists in giving them the OK. To troubleshoot this I would like to see event logs of the operation of the Online Responder including each of the responses it gives and why.

My questions are:

1) How do I enable the Online Responder logs?

2) Once enabled, where can I find these logs in Event Viewer? And if they are in an existing Event Log, which IDs do I use to filter them?

3) Is there a cache, time-out, or similar process which is delaying the Online Responder noticing the revoked certificates?

Hoping to hear from you soon.

Yours,

FD
