Hi all,

I'm trying to implement a BitLocker network unlock equipment based on this TechNet article:

https://technet.microsoft.com/en-us/library/jj574173.aspx

And at the moment I facing a problem, and I don't know how I can solve this. 

We have a quite big domain, various sides, and previous week I raised the domain and forest functional level to 2012R2 (was 2003). because this was needed for the BitLocker network unlock future. after this raise, I don't face any problem, I was pretty happy!

But the now after the domain and forest level raise I still don't see the network unlock policy. I'm pretty sure I look at the write directory:

\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption - and subdirectories 

basically, I don't have any additional BitLocker policies after the domain raise.

(yes I got some other policies after the domain raise, but not in the BitLocker section, and our DC are 100% up to date).

I'm also not sure if this is a BitLocker related problem or more a GPO / domain problem...

so did I forget something?

thanks for the help!

Scenario : Standalone root CA validity is set for 10 years, and subordinate enterprise CA validity set for 5 years. Due to a change in requirements, we need to change the enterprise CA validity to 10 years, and the root CA validity to 20 years.

Based on what I've read, I understand that this can be done with minimal impact to clients by renewing the root and subordinate enterprise CAs with the their existing public/private key pair, and specifying the new validity periods during the renewal process.

Questions:

1. When I initially setup the standalone root CA, I used certutil -dspublish to publish the root CA cert to AD, so that it would be pushed to the trusted cert store of all domain clients. If renewing root CA with same key pair, do I need to use certutil -dspublish to republish the new root CA cert to AD ?
2. If renewing subordinate enterprise CA with same key pair, will clients have 2 enterprise CA certs in their trusted root stores - one cert from before the renewal, and one cert from after renewal ?
3. I will need to overwrite the AIA crt locations for both root and subordinate enterprise CA with the newly renewed certs, correct ?
4. Renewing with same key pair should have no impact on existing or new CRLs, since the same private key is being used to sign the CRL before and after renewal, correct ?
5. I had distributed the root CA and subordinate enterprise CA certs for configuration within our MDM solution. Would I need to redistribute the new certs after renewal to the MDM solution, or would it automatically pick up the new certs from the new AIA location ?
6. Do you know of a good step-by-step guide for the process to renew a root and subordinate CA certificate with the same key pair and extend the validity period of the CAs ?

Thanks in advance for your help !

Regards,

Mario

Hi All,

we developed a third party CNG (Crypto next gen) provider and KSP. we want to configure IIS with the above provider DLL and KSP.  the provider DLL and KSP were developed using the CNG kit samples. we have the both configuration files for CNG and KSP. I registered the CNG provider DLL ( using config -register), I am getting them into the list when I use the command config -enum. but I am unable to get them using certutil -csplist. so my provider is not listing into the csplist. I can see the KSP is getting listed into the csp list. So I acnn't sign the server certificate with my cng. my questions are like

1)  How to configure IIS with third party cng?

2)  why my ksp is listing into the csp list, but cng ?

3) when I tried to sign the server certificate with KSP i am getting the error likr provider type not defined. Is this the right way to sign the certificate with the ksp ?

please share your views & thoughts.

Thanks in advance,

Mahesh

Hi guys,
I need some help with our Certificate Authority. It was set up by generations past of IT folks, so no one really knows why it is the way it is, and no one wants to touch it. We seem to have two independent Root CA servers, and seem to both have the default certificate templates, so I think certificates are issued randomly from the two CAs. They aren't in a hierarchy or subordinate role to each other (as far as I can tell, certainly open to validate that). Doesn't seem like a good set-up.

One of them went down today, and I was unable to start the ADCS service. Errors with "Object not Found" in the CA MMC. Further digging using certutil, I find that the CRL expired about the time the services stopped working. The hitch that I'm in, is I cannot generate a new CRL (certutil -crl) because the services are stopped (command errors with "RPC server is unavailable"), and I cannot start the service with the expired CRL. 

All threads I find on this topic, the resolution involved re-issuing the CRL from one of the other subordinate or Root CA servers, however in my case, I have a single server for the CA, so that's not an option. Can I force the ADCS services to start without CRL so I can then regenerate the CRL properly? Can I manually do something to extend the CRL time without the ADCS service running?

Hello folks,

in advance auditing there are 3 categories that contain the same events. I would like to know why we do have all these events and what is the reason.

You can find the same events in these categories:

Account Logon - Audit Other Account Logon Events

Audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.

• Remote Desktop Services session disconnections
• New Remote Desktop Services sessions
• Locking and unlocking a workstation
• Invoking a screen saver
• Dismissing a screen saver
• Detection of a Kerberos replay attack, in which a Kerberos request with identical information is received twice
• Access to a wireless network granted to a user or computer account
• Access to a wired 802.1x network granted to a user or computer account

4649 A replay attack was detected

4778 A session was reconnected to a Window Station

4779 A session was disconnected from a Window Station

4800 The workstation was locked

4801 The workstation was unlocked

4802 The screen saver was invoked

4803 The screen saver was dismissed

5378 The requested credentials delegation was disallowed by policy

5632 A request was made to authenticate to a wireless network

5633 A request was made to authenticate to a wired network

Account Management - Audit Other Account Management Events

Audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets:

• Remote Desktop session disconnections
• New Remote Desktop sessions
• Locking and unlocking a workstation
• Invoking a screen saver
• Dismissing a screen saver
• Detection of a Kerberos replay attack, in which a Kerberos request with identical information was received twice
• Access to a wireless network granted to a user or computer account
• Access to a wired 802.1x network granted to a user or computer account

4649 A replay attack was detected

4778 A session was reconnected to a Window Station

4779 A session was disconnected from a Window Station

4800 The workstation was locked

4801 The workstation was unlocked

4802 The screen saver was invoked

4803 The screen saver was dismissed

5378 The requested credentials delegation was disallowed by policy

5632 A request was made to authenticate to a wireless network

5633 A request was made to authenticate to a wired network

Logon/Logoff - Audit Other Logon/Logoff Events

Audit events for other logon or logoff events. These other logon or logoff events include:

• A Remote Desktop session connects or disconnects
• A workstation is locked or unlocked
• A screen saver is invoked or dismissed
• A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration.
• A user is granted access to a wireless network. It can either be a user account or the computer account.
• A user is granted access to a wired 802.1x network. It can either be a user account or the computer account.

4649 A replay attack was detected

4778 A session was reconnected to a Window Station

4779 A session was disconnected from a Window Station

4800 The workstation was locked

4801 The workstation was unlocked

4802 The screen saver was invoked

4803 The screen saver was dismissed

5378 The requested credentials delegation was disallowed by policy

5632 A request was made to authenticate to a wireless network

5633 A request was made to authenticate to a wired network

I've been trying to setup a Win 2008 CA Server in a lab to issue certificates which can be used for VPN authentication against a Cisco VPN server.  I started out by following this guide on Cisco:  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html

When going through the guide I reached the "Certificate Template Registry Configuration" which describes how to edit the registry to switch the default certificates used during SCEP requests.

As soon as I make this change and reboot, however, the NDES service refuses to start.  Even after switching the values back to what they were initially for IPSec Offline requests it refuses to start.  

The only way to resolve the issue is to uninstall NDES completely and reinstall it again.  This fixed it and set the registry entries back to the same values.  But as soon as I try to change them again I run into the same thing and NDES won't start.

Is there something else I need to do to make this work?  I've looked all over for guidance but don't see many people talking about this subject.

Hi!

Are there any way to add user rights to all files with or without inheritance, in folder tree ?.

I tried different ways, but always the files without inheritance, doesn't show new rights.

Is it possible  through the GUI?, I know it can be do through icacls.

Thanks!

Looking for some advice.  We recently upgraded our Domain Controllers to Windows Server 2008 R2 and are running in the Windows Server 2008 R2 functional levels.  However; we still have XP client machines. 

I started noticing a large number of the following audit failures:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/27/2010 10:29:28 AM
Event ID:      4769
Task Category: Kerberos Service Ticket Operations
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:     
Description:
A Kerberos service ticket was requested.

Account Information:
 Account Name:  
 Account Domain:  
 Logon GUID:  {00000000-0000-0000-0000-000000000000}

Service Information:
 Service Name:  
 Service ID:  NULL SID

Network Information:
 Client Address:  172.16.21.44
 Client Port:  1650

Additional Information:
 Ticket Options:  0x40800000
 Ticket Encryption Type: 0xffffffff
 Failure Code:  0xe
 Transited Services: -

Doing some research I found that this is the KDC granting tickets through Kerberos. It would seem that everyone is getting their tickets with no problems however it appears that the Failure Code: 0xe is related to KDC has no support for encryption type.

What can I do to fix this?  From what I understand encryption really changed for Kerberos in Windows Server 2008 R2.  Also if this is not a issue how can I suppress these events so they will no longer fill up the event log.

Any help would be greatly appreciated.

Thank you

Hi,

I got several CA templates published in my domain. I want the PKI managers to have full control on the templates to manage access rights for other groups. My problem is, that as soon I tick "full control" the "autoenrollment" checkbox gets ticked too. Now all the CA managers get autoenrolled for certificates and popups apper on their clients to add a subject name (subject name --> supply in request is configured in some templates) . Is there a way to avoid that behaviour?

Cheers

Arno

Hi, I am trying to perform a certificate request on a server I want to use as a MSSCOM gateway server. I have created an.inf file as follows

Create an .inf file:[NewRequest]
Subject= "CN=geki.scorpius.local.com"
Exportable=TRUEKeyLength=2048KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

When I run certreq –new –f GekiCert.inf GatewayRequest.req

I get an error "Expected INF fike selection name 0xe0000000 (INF: -536870912) GekiCert.inf"

Im not sure what I need to change

Please help

Running a SSTP and PPTP (I know its insecure!) VPN and I see in my logfiles lot of users who  is trying to connect to my VPN via invalid usernames.

The Event viewer gives not a very detailed log, with no source IP! Is it someway possible to record the IP address?

How do I best monitor VPN connections that are failing. I really want more information then the event viewing is giving me.

This is what I get:

Hi,

I wonder if it is possible to mount a VHDX for 1 user only. So goal is to have only one user which can see the mounted drive, f.e. F-drive (which has a vhdx on c:\drive.vhdx.
If other users logon to this server, they also will see this F-drive and they should not.

We enabled bitlocker already but once the drive is unlocked all other users who logon will see this F-drive.

Please advise.
J.

Jan Hoedt

Hi,

I have setup SSCEP on a linux box and requesting certificates from the NDES service of a Enterprise CA. The CA successfully issue the certificate but I am getting the following error from SSCEP, (error marked in bold)

[root@localhost sscep]# ./sscep enroll -f sscep.conf
./sscep: starting sscep, version 20081211
./sscep: hostname: 192.168.1.1
./sscep: directory: certsrv/mscep/mscep.dll
./sscep: port: 80
./sscep: new transaction
./sscep: transaction id: 367A8D271B4C548DB8F0D313AF8359D5
./sscep: generating selfsigned certificate
./sscep: SCEP_OPERATION_ENROLL
./sscep: sending certificate request
./sscep: creating inner PKCS#7
./sscep: data payload size: 415 bytes
./sscep: successfully encrypted payload
./sscep: envelope size: 840 bytes
./sscep: creating outer PKCS#7
./sscep: signature added successfully
./sscep: adding signed attributes
./sscep: adding string attribute transId
./sscep: adding string attribute messageType
./sscep: adding octet attribute senderNonce
./sscep: PKCS#7 data written successfully
./sscep: applying base64 encoding
./sscep: base64 encoded payload size: 2527 bytes
./sscep: server returned status code 200
./sscep: MIME header: x-pki-message
./sscep: valid response from server
./sscep: reading outer PKCS#7
./sscep: PKCS#7 payload size: 2216 bytes
./sscep: PKCS#7 contains 1561 bytes of enveloped data
./sscep: verifying signature
./sscep: error verifying signature
2453:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
2453:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:fips_rsa_eay.c:748:
2453:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:pk7_doit.c:981:

Have anybody came across this issue? What I am doing wrong here?

Any help highly appreciated.

Thank you.

Hi,

We have had some issues with our Windows 7 clients retrieving a certificate from our Windows 2003 CA for a while now and I don't seem to know what is causing it.  We have a custom certificate which is issued to computers for access to our corporate wireless network.  Autoenrollement is set on the certificate and there is a security group applied to it that contains the computers who we would like access.  When we want to grant users access to the wireless network we simply add their PC account to an AD group which then applies a group policy which enables autoenrollment!  This group has Read, Enroll and Autoenroll permissions for the certificate.  The system works well and Windows XP clients have no problems getting a certificate, however Windows 7 clients do not seem to be able to do it.

When I try to obtain a certificate manually via the Certificates MMC on the Windows 7 clients I get the following error;

Logon failure: the user has not been granted the requested logon type at this computer.

There are some Application logs on the client as well which dhow the following information;

Event ID: 67

Source: Microsoft-Windows-CertificateServicesClient-CertEnroll

Detail:

 I am aware there is a problem with using the web cert enroll process from Windows 7 to a Windows 2003 CA as detailed inhttp://support.microsoft.com/kb/922706 but was not sure if this would affect Autoenrollment or enrollment via the MMC?

Has anyone encountered this problem or know of a possible fix?  We are in the process of evaulating W7 for rollout and have this problem on all our test machines.

Thanks in advance

Brian.

Certificate enrollment for Local system failed to load policy from policy servers with ID  {44E84A61-3DA1-4C54-985C-8F7E6CACC65E} (Logon failure: the user has not been granted the requested logon type at this computer. 0x80070569 (WIN32: 1385))

Event ID: 70

Source: Microsoft-Windows-CertificateServicesClient-CertEnroll

Detail: Certificate enrollment for Local system failed because no valid policy can be obtained from policy servers with ID

I'm trying to build an issuing CA within our DMZ, with the root server being internal. This is not going to be a AD integrated setup. As the CA in the DMZ can't connect to the root CA, how do I go about configuring the location of the CRL? I've tried changing the CRL value to file://DMZServerName/CertEnroll/RootCA.crl within the extension tab on the root CA but that doesn't work.

Any ideas, Pointers ??

Thank you

Hi Team,

I need to implement Microsoft EFS with an Active Directory Certificate Services Infrastructure.

Is there a good article you all can recommend to set this up? I am looking to implement this on Windows Server 2008 R2 Domain controller and by setting up a new ADCS. I need to know how the integration of AD and ADCS works in the EFS Scenario.

Appreciate if someone can shed some light on this.

Thanks in Advance!

Dileepa

I am looking to make a test proxy server for a project using Windows Server 2012 R2? Does the software happen to come with a proxy server? If it does not, are there any free proxy server packages out there?

Hello,

I am hoping someone may be able to assiist me. As per the MS Security advisory: https://technet.microsoft.com/en-us/library/security/3046015.aspx the mitigating factor(s) is/are: A server needs to support RSA key exchange export ciphers for an attack to be successful.

How can we determine if this is the case? Is there a single registry entry that states the server supports RSA key exchange export ciphers? Or multiple? I would like to verify this to find out the scope of the servers affected.

Thank you

Hello,

I have been trying to publish the CRL from my fresh build offline root CA (LAB-ROOTCA) to my domain joined Sub/Issueing CA.

==============================

C:\Windows\System32\certsrv\CertEnroll>certutil -dspublish -f LAB-ROOTCA-CA.crl
ldap:///CN=LAB-ROOTCA-CA,CN=LAB-ROOTCA,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DN=lab,DN=co,DN=uk?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList

ldap: 0x1: 000020D6: SvcErr: DSID-0310081B, problem 5012 (DIR_ERROR), data 0

CertUtil: -dsPublish command FAILED: 0x800720d6 (WIN32: 8406 ERROR_DS_MISSING_SUPREF)
CertUtil: No superior reference has been configured for the directory service. The directory service is therefore unable to issue referrals to objects outside this forest.

C:\Windows\System32\certsrv\CertEnroll>

===========================

Any help with understading the error would be much appreceated.

Best regards!