Channel: Security forum
Viewing all 12072 articles

Certificate authority upgrading from 2003 SHA1 to 2012 R2 SHA256

I have tried to install the 2012 R2 CA with the SHA256 algorithm in our environment. After the installation, the issued templates with SHA256 algorithms are not reflected in the web enrollment list.

The 2012R2 is a subordinate CA for the existing 2003 CA.

Please suggest.


Regards, Dennis



Private key is NOT plain text exportable

Dear all,

Is there any documentation on what it means that a private key is not plain text exportable?

Please note that it is possible to export the private key using standard means into a PKCS12 (pfx) file, but using certutil I get the following information:

================ Certificate 1 ================
Serial Number: <Snipped>
Issuer: <Snipped>
 NotBefore: 10.11.2015 15:31
 NotAfter: 10.11.2017 15:41
Subject: <Snipped>
Template: <Snipped>
Cert Hash(sha1): a5 a0 d5 91 92 00 71 2b bd 0e 23 d8 26 c0 04 99 91 1f bf 4a
  Provider = Microsoft Software Key Storage Provider
Private key is NOT plain text exportable
Signature test passed
CertUtil: -store command completed successfully.

Kind regards

Martin Rublik

Unable to create point to site connectivity in windows 8.1

Hi,

I have tried to create a VPN connection on my Windows 8.1 machine. I have followed the steps mentioned. While connecting, it shows the error message "A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)". How do I resolve this? Thanks in advance.

Scriptable way to export PFX (user certificate and private key) from Windows 7 ?

Hi,

I'm trying to find out how to do this. I need to export a certificate, including its private key, from the user's Personal store on a Windows 7 machine.

Tried "certutil -store my" but that doesn't list anything.

I would like to use PowerShell's "Export-PFXCertificate" cmdlet, but that isn't recognized on Windows 7. (I tried "import-module PKIClient" but that didn't work.)

Any ideas please?

2012 R2 Offline Root CA / Online Issuing Subordinate CA

The subject describes our current configuration. We're running into an issue where apparently whoever implemented these servers went with SHA1 and we have a requirement for some SHA2 certificates. I can increase the key length to 4096, but I am unable to select SHA256.

What can we do to enable support for SHA2 and what is the impact on current certificates?

Disable creation of VPN "*Session" credential in Credential Manager without disabling all of Credential Manager?

Is there a way to disable creation of the VPN "*Session" credential in Credential Manager without disabling all of Credential Manager?

I know that you can disallow storing all domain creds in Credential Manager by setting the following registry entry to 1 (but this doesn't fix my issue):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Value Name: DisableDomainCreds
Value Type: REG_DWORD
Value: 1

On my Windows 8 Enterprise workstation, I use mapped drives with one domain account and Outlook with a different domain account. Using the fix above fixes my issue with mapped drives (after sleep mode, I reconnect to VPN and my mapped drives won't reconnect until I delete the '*Session' credential), but then I cannot use Outlook at all. Note: I do not log on to Windows 8 with either of the domain accounts mentioned above (I use a local admin account) and I do not 'save my password' in Outlook.

Missing event 4740 on Windows Server 2008 R2 Domain Controllers

Hi all,

I am struggling to understand why our DCs are not logging event 4740 (account lockout).

Domain functional level: Windows Server 2008 R2

Forest Functional Level: Windows Server 2008 R2

Basically one of our users is getting locked out randomly and event 4740 is not getting logged on our DCs.

I read this thread, but even after trying all permutations of the policy settings, it is still not generating 4740. I am using a test account and trying to lock it out via either the console or RDP. The only log I get is 4625 (failed attempt after the account was locked out).

I am wondering whether I can enable any sort of debugging on the DC(s) to try to find out why event 4740 is not getting logged.

Any comments and suggestions are much appreciated.

Users having issues printing PDFs with RDApp

Hi all,

A handful of our users here at the office (the three or so out-of-domain workstations) are having issues printing from a medical billing program we use. Actual printing is fine, but when a PDF writer is selected, it prints to a physical printer instead. The writers in question are Cute PDF and Adobe Acrobat.

This actually happened to me as well when I tried using the remote desktop app from my computer (in domain), but it has since stopped.

IPSEC tunnel Server-to-Server Windows 2008 R2 problems

Hi to all,

I'm trying to implement an IPSEC tunnel between two Windows 2008 R2 servers.

I have two different subnets and a firewall between them.

Subnet 1: 192.168.0.0/24

Subnet 2: 172.16.0.0/24

There is full routing between the subnets and I want access between the two servers.

Server1 is located in 192.168.0.0/24 with IP 192.168.0.200

Server2 is located in 172.16.0.0/24 with IP 172.16.0.150

UDP port 500 is opened between the firewalls.

I'm using Windows 2008 R2 and have configured the Windows firewall with a Server-to-Server connection and enabled the IPSEC tunnel in the Advanced firewall configuration.

The connection is configured with PreShared Key authentication and is working fine, but at some point it disconnects. I need to restart the firewall service or the Connection Security Rule to restart the tunnel. Also, sometimes a Ping command from one side re-establishes the tunnel.

I tried to create a scheduled task with a PING command, but the same problem appears.

Any ideas?

IPSec VPN configuration in Windows 2008 R2 Server.

Hello, I am in the process of setting up an IPSec tunnel on a Windows 2008 R2 server but am having a lot of difficulty making it happen. It looks like phase 1 is successful, reaching the VPN concentrator on the other end, but the connection ends there. Any help would be greatly appreciated. I can't see whether the tunnel is active on my server or not. I don't know where to look, and I also don't think any logs are being generated. Please help!

Best Regards,

IPSec VPN between Cisco ASA and Server 2008 R2

Hi,

I need a site-to-site VPN between an ASA and Server 2008 R2. I've done ASA-to-ASA and ASA-to-other-firewall VPNs many times before, but this is a bit confusing.

What I usually see for Server 2008 is RRAS. I don't think I need that; it's a site-to-site VPN, so please do not suggest that, as there are no remote clients to connect to the server.

The IPSec policy is configured on the ASA. I just need a guide that will explain the steps to configure the policy and enable the tunnel between the endpoints.

Thanks

Creating User Dynamically And Using DPAPI

Hello.

For some project I need to:

1. Dynamically create a local user account (for this I'm using the UserPrincipal class from the .NET framework)

2. Impersonate that user (I wrote some classes that call the native LogonUser (advapi32.dll))

3. Use DPAPI to encrypt some user data. I also have some classes that call the native CryptProtectData and CryptUnprotectData (crypt32.dll)

The problem here is that when dynamically creating the user, the user-specific folders are not created, even when I call LogonUser.

Since DPAPI will look for those folders, and the folders are not there, the call will fail.

Now, if I manually perform user login, those folders will be created, and after that all is good. But, I need a way to create those folders automatically, without performing manual login.

Is there a way to do that?

Unable to add second OCSP server to Array

Hi All

I have a bit of an issue with OCSP.

I've installed the OCSP service and successfully enrolled for an OCSP certificate on my Array controller. This is working fine.

I've installed the OCSP role on my second server

When I try to add the second server to the array I receive the following message:

"One or more errors occurred while adding the new Online Responder Array Member

The RPC server is unavailable"

A check of these forums seems to point at firewall configuration, but there are no firewalls between these servers or the CA itself.

Can anyone help?

Much appreciated

Andy

Regarding Microsoft Improperly Issued Digital Certificates Spoofing Vulnerability (KB3046310)

Hi Microsoft,

I have a question regarding the security vulnerability found by Microsoft, as titled above, which affects Windows Server 2008 and above. The issue I am having is that, according to Microsoft, this vulnerability can be remediated with Microsoft Windows Update; however, my company environment only allows third-party patching tools like Altiris and SCCM due to policy restrictions. The affected servers in my company are also restricted from internet connection, thus we are unable to download the patch manually to the servers. Can this vulnerability only be patched via Microsoft auto update? Or is there any other patch that can be downloaded?

LAPS x86 client-side extensions on 64bit computers?

We are a 98% Win7 x86 workstation environment and about to push out the LocalAdminPasswdSolution software from Microsoft. I am using Group Policy to push it out and was going to try to keep things simple and see if I could push x86 to the x64 computers because there are so few. It just saves me from creating multiple policies with WMI filters on each to match architecture type, etc. Does anyone know if the x86 will actually work on x64 computers? We do this all the time with Microsoft software just to keep things a lot simpler from a build/group policy mgmt. standpoint and it is usually fine.

Thanks,

Dave

One PKI platform for two AD forests

Hello There,

We have 2 AD domains (forests) connected by a bi-directional AD trust. These two domains have their own PKI platforms.

We are planning to build a single PKI platform which can service both domains.

Is it possible to service two domains with a single PKI platform? If so, could you please provide some design inputs?

Thanks

Mahesh


Mahi

SSL Cert

Hello guys, I am planning to purchase an SSL cert for a web server and an FTP server.

The question is, is there a limit in connections for the SSL cert? Or in this scenario are only 2 SSL certs needed, one for the web server and one for the FTP server?

Or can a single SSL cert be used for 2 servers?

Thanks.


Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
IT Stuff Quick Bytes

Does certificate work in cross domain environment?

Hello Guys,

I have two domains, abc.local and xyz.local. In abc.local I have the AD Certificate Server installed and I am using the certificates on many services in the same domain.

Can I use the certificates from the same certificate server for the servers and services in xyz.local?

Regards,

Maqsood


Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

How can I protect my Win7 from Pass the Hash for local admin support groups ?

Hi everybody,

I have a question regarding pass the hash vulnerability on Windows computers.

I understood that some utilities can retrieve hashes stored in the cache on Windows systems to "replay" them later. Another vulnerability consists of decrypting passwords that are stored in an unsecured way (like tspkg).

Like many other companies, we have a hotline and proximity support groups that are admins on many computers. They use a dedicated admin account, but they log on to many, many computers each week to assist users.

So the hash of their password is stored on many computers.

How can we protect these accounts from pass the hash attacks? (Please don't tell me to reduce the number of accounts stored (10 by default); we can't disable this setting, as we have many users that work from home, etc., and they would not be able to open a session when not connected to the LAN with this setting enabled.)

Thank you

ECC smartcard logon certificate / This smart card does not support the requested feature 0x80100022

Hello,

I am trying to get an ECC smartcard logon certificate on a SafeNet eToken 5100, but all my tests fail (This smart card does not support the requested feature 0x80100022, -2146435038 SCARD_E_UNSUPPORTED_FEATURE). I have installed the Gemalto SafeNet Minidriver 9. It works with RSA certificates. According to this documentation from Gemalto it should work:

http://data-protection-updates.safenet-inc.com/files/2015/05/007-012974-001_SafeNet_Authentication_Client_Minidriver-9-0_CRN_Revision-.pdf

New Features:

ECC support Algorithms and key sizes supported:

Elliptic Curve Diffie-Hellman (ECDH) P256, and P384

Secret agreement and key exchange

Elliptic Curve Digital Signature Algorithm (ECDSA) P256, and P384

Any ideas? Does anyone use an ECC smartcard (vendor?) for Windows logon?

Best regards

Oliver
