Channel: Security forum

Cipher RSA key length


In our environment, we have a requirement to create a certificate template for EFS purposes, with the below configuration:

- cipher RSA with 3072 key length

- digest: SHA2

- private key must not be exportable from end user device

- public key stored in AD

The current root CA and issuing CA have an RSA key length of 2048. Can I set the key length to 3072 for this certificate template (as the root CA and issuing CA key length is 2048, will it be supported)?

Due to some limitation, we currently do not have SHA2. Will the 3072 key length support the SHA1 algorithm?

The operating system in our environment is Windows 2008 R2. Please provide your suggestion to proceed further.


Comodo CA missing from Trusted Root Certification Authorities list

Server 2012 domain controller not logging logons/failures, but is configured to do so?


Both of our domain controllers are not logging user logons and failures. I checked the group policy and they are configured to do so, and according to gpresult they are getting those settings:

Audit account logon events: Failure
Audit account management: Success
Audit directory service access: Failure
Audit logon events: Failure
Audit object access: Success, Failure
Audit policy change: Success, Failure
Audit privilege use: No auditing
Audit process tracking: No auditing
Audit system events: Success, Failure

When checking the security log, all I see are events 4616 for time changes and a 1100 whenever the server is restarted, so 3 log entries a month. What am I doing wrong here? Thank you!

BSOD on Windows Server 2008 R2 Std: PAGE_FAULT_IN_NONPAGED_AREA, bug check code 0x50


Hi everyone, I have this problem:

My server gets a BSOD every time I try to log on; I can only open a session in safe mode.

I have already seen so many pages saying that this error is caused by a hardware fault, but I haven't installed anything new on it. I guess an update caused the problem. I already ran a memory test without any success, and also ran hard disk tools without finding anything to help solve the problem. I also updated the BIOS with no success, and I also uninstalled the latest updates, but the problem persists. Can someone help me?

  • Server: DELL PowerEdge 310
  • OS: Windows 2008 R2
  • bug check string: PAGE_FAULT_IN_NONPAGED_AREA
  • bug check code: 0x00000050
  • caused by address: ntoskrnl.exe+73c00

A problem has been detected and Windows has been shut down to prevent damage
to your computer.

The problem seems to be caused by the following file: ntoskrnl.exe

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you've seen this stop error screen,
restart your computer. If this screen appears again, follow
these steps:

Check to make sure any new hardware or software is properly installed.
If this is a new installation, ask your hardware or software manufacturer
for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware
or software. Disable BIOS memory options such as caching or shadowing.
If you need to use safe mode to remove or disable components, restart
your computer, press F8 to select Advanced Startup Options, and then
select Safe Mode.

Technical Information:

*** STOP: 0x00000050 (0xfffff8a0103af000, 0x0000000000000000, 0xfffff8000235fdff,
0x0000000000000000)

*** ntoskrnl.exe - Address 0xfffff800020c9c00 base at 0xfffff80002056000 DateStamp
0x5684191c

Thank you very much for your help!

Oscar

CAPI2 Error - Access Denied


I am seeing tons of errors regarding CAPI2 Access Denied. I have Windows Server 2008 R2 SP1.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
<EventID Qualifiers="0">4110</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2012-10-18T10:12:12.316910600Z" />
<EventRecordID>2516754</EventRecordID>
<Correlation />
<Execution ProcessID="992" ThreadID="15340" />
<Channel>Application</Channel>
<Computer>Server name removed</Computer>
<Security />
</System>
<EventData>
<Data />
<Data>Access is denied.</Data>
</EventData>
</Event>

Any suggestions?

Thanks

Event ID 515


Hello,

I found this event in a Windows XP SP3 after it was joined to a Windows 2000 domain. I don't know why this event happens.

Event ID: 515

A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

Logon process name: DCOMSCM

Could somebody explain why this event happens? I mean, what application, process, etc. is producing this event?

Best Regards.

Remote Desktop Port


Hello.

I want to change the Remote Desktop port to another port via the guide below:

http://tweaks.com/windows/50743/change-remote-desktop-rdp-port/

But I have some questions:

1- If I change the default RDP port to 22 but my server never uses port 22, can it cause any problem?

2- After changing the port, must I change the Remote Desktop configuration on the client to connect to the server?

Thank you.

Account Locked


Testing scenarios require going forward and backward in date without changing the DC date.

On trying to log on to the testing server with the date difference, the accounts lock.

We were able to access those testing servers from Windows 2003 servers but not from newer versions.

Is there any way to achieve the same from Windows 10 clients?

We need to access, for example, a server with date July 2018 from a Windows 10 client without getting the account locked. Is this possible?


AD Certificate Services - Autoenroll Cert With CA Manager Approval and Reenroll Without CA Manager Approval


Hello,

I am trying to figure out how to configure a Web Server certificate template to autoenroll but have the template require CA manager approval. Once the certificate attempts to reenroll, I'd like it to not require approval again.

On the "Subject Name" tab, I selected "Supply in the request" and checked "Use subject information from existing certificates for autoenrollment renewal requests".

On the "Issuance Requirements" tab, I checked "CA certificate manager approval" and selected "Valid existing certificate" under the "Require the following for reenrollment" section.

On the "Security" tab, I granted a web server the ability to read, enroll, and autoenroll.

Now after enrolling for a certificate using that template from a web server, it goes to a pending mode, waiting for CA manager approval as expected. Once the certificate nears expiration and tries to renew, it ends up going to a pending mode again, waiting for CA manager approval which is not desired.

What am I missing in my configuration to make this work?

Thank you for all of your help.

SHA2 migration issue


Hi,

A month ago I went through the steps to migrate our internal domain CA from SHA1 to SHA2, using:

http://www.cusoon.fr/update-microsoft-certificate-authorities-to-use-the-sha-2-hashing-algorithm-2/

We did the migration because many internal IIS sites were using SHA-1 and users' browsers started getting warnings/errors.

So the migration apparently went fine: the CA now enrolls SHA2 certs, and the root CA cert was also renewed. Also, the new SHA2 certs on internal web sites seem to be working, with no browser warnings.

Until 25/03, when I noticed that the system event logs of 2 of my DCs are spoofed with non-stop event ID 36887:

"The following fatal alert was received: 48."

This error event is logged every 5 seconds.

After digging a little into the cause, I found that these specific DCs had a domain controller certificate with SHA1; it reached its expiry date and auto-enrolled for a new domain controller cert, now with the SHA2 algorithm.

That is good renewal behavior, but I don't understand that error event. It seems like something is trying to authenticate to my DCs and doesn't work OK with the SHA2 cert.

I am out of odds.

Can anyone advise or suggest what to do/check next?

Thank you!

The L2TP connection attempt failed because security policy for the connection was not found.


This happens on all Windows L2TP connections. 3rd party VPNs work fine (Cisco, NCP, etc).

Creating new valid VPN connections also fails, and I get the error even when connecting to a dummy address, without any delay (I would expect a delay as it times out).

I have disabled all Hyper-V switches, and even reinstalled Windows (Reset keeping files and documents).

Sometimes I get this error first, but then it reverts to the message above:

"L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations..." but I think this is a red herring.

Any ideas?


Ax Consultant Developer

WPAD with Firefox


I'm having problems getting Firefox to use proxy settings that I defined in a wpad.dat file.

I have a web server that is pointing to a wpad.dat file. I created an A record in DNS that points to that file. My settings in Firefox are to automatically detect settings, but it won't go out through the proxy. It is working for IE8, so I know the file is good. Is there anything that I'm missing that would prevent Firefox from using the proxy?

Thanks,
Scott

Extending CRL validity


We have a certificate that all users have to access to log in with a smart card, and the OCSP and CRL are maintained outside of our location by a third party. This normally works fine, with one primary exception.

We recently went through an all-day internet outage. At that point, no user could log in to their workstation with a smart card because we could not access the CRL. Even though we had connectivity to our local resources, most users were unable to log in at all.

We are looking into setting up an OCSP responder, but in the meantime we may use the Group Policy setting "Allow CRL and OCSP responses to be valid longer than their lifetime". I have a couple of questions about using that setting.

Apart from the obvious problem that we might be using a revoked certificate for that period of time, what other issues might we encounter by using this setting?

Could we successfully invoke that setting only after we find that we need it? That is, if we found ourselves with no Internet connectivity and then invoked that setting, would we then be able to use the certificate again, or would this setting have needed to already be in place when the outage occurred?


Thank you very much for your help with this.

Can we use a KMS server to do activation for multiple operating systems like Windows 7 and Windows 2012?


Hi,

I have a KMS server to activate Windows 2012 Server using a Datacenter key. I want to use the same server to activate Windows 7 and Windows 8 clients. Is it possible to achieve this for all three OS flavors?

Inhibited permissions on folders (Server 2003)


Good day guys,

I'm having some issues with folders (on Server 2003).

The problem is in the home folder: the users are added to the folder correctly, but the permissions don't work; from my point of view it is something similar to inhibited permissions. To fix the issue, it is necessary to refresh the complete permissions, and then it works, but I don't know why this is happening.

Has someone had a similar problem, or does someone know the answer?

Thank you

Diego


Installing Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service


I am referencing this document: Setting Up Certificate Enrollment Web Services (sorry, it won't let me post the link). The infrastructure is Windows 2008 R2.

The installation options in this document state:

  • The Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service should be installed on different computers.

Is this mandatory, or can the CEWS and CEPWS be installed on the same computer? If not, does anyone know the reason for this?

Thanks,

Andrew



In Certificate Manager we have many different folders. What are they used for?


In Certificate Manager we have many different folders. What are they used for?

Like those shown below:

- Personal
- Trusted root certificate
- Enterprise Trusted
- Intermediate certificate
- etc

VPN revocation error?


I have managed to successfully configure an SSTP VPN connection on my internal client PC, but only through registry fixes. I keep getting this error relating to checking to see if the server certificate has been revoked:

"The revocation function was unable to check revocation because the revocation server was offline."

I've gone into Revoked Certificates in my CA, clicked on Publish and created a new CRL, but the clients are not getting it, or it's not working somehow. Any idea as to how I can fix this?

Update: I have noticed that on the certificates I'm using, only LDAP is being used as a method of retrieving the CRL. I don't mind this anyway, because I'm not interested in HTTP at the moment; I just don't know why the domain-joined users and computers cannot find the CDP through LDAP.


ldap:///CN=JEDI-CA,CN=Jedi,CN=CDP,CDP=Public Key Services,CN=Services,CN=Configuration,DC=starwars,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

^^^ That is the LDAP CDP location on the certificate.


Setting up LAPS Windows 2012 R2 Server


We have been trying to configure LAPS on a Windows 2012 R2 DC and have been getting the following error message:

PS C:\Users\Administrator.MCCU1> Update-AdmPwdADSchema
Update-AdmPwdADSchema : The distinguished name contains invalid syntax.
At line:1 char:1
+ Update-AdmPwdADSchema
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Update-AdmPwdADSchema], DirectoryOperationException
    + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.UpdateADSchema

First we ran Import-Module AdmPwd.PS with no error message. Then we ran the above command and received the above error message.

We run all commands in Windows PowerShell as administrator.

From the documentation, it appears we are running the correct commands. Microsoft .NET 3.51 and 4.5 are installed. What are we missing?

Thanks,

Kreig

Installing Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service on same computer


I am referencing this document: Setting Up Certificate Enrollment Web Services

The infrastructure is Windows 2008 R2.

The installation options in this document state:

  • The Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service should be installed on different computers.

Question: Is this mandatory, or can the CEWS and CEPWS be installed on the same computer? If not, does anyone know the reason for this?

Thanks,

Andrew
