Channel: Security forum

Elevated msiexec.exe uninstall from cmd failing


Running cmd with elevated privileges (i.e. right-click "Run As Administrator") and then running the following uninstall command:

C:>runas /user:domain\user "msiexec.exe /quiet /uninstall {936DDA62-6793-4713-9997-E249CD61D3CB} /l*v \"C:\msiClientInstallLog.log\""

fails to execute after supplying the credentials when requested.

Attempting to automate the process using C#, we can get the process to at least execute and provide logging details, which resulted in the following output (the failing part):
MSI (s) (80:3C) [11:01:00:674]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (80:3C) [11:01:00:674]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (80:3C) [11:01:00:674]: MSI_LUA: Elevation prompt disabled for silent installs
MSI (s) (80:3C) [11:01:00:674]: Note: 1: 1730 Action start 11:01:00: InstallInitialize.
MSI (s) (80:3C) [11:01:00:674]: Product: Client Software -- Error 1730. You must be an Administrator to remove this application. To remove this application, you can log on as an Administrator, or contact your technical support group for assistance.

Running with a domain user which is an administrator on the target PC results in nothing happening. Only if you use the main <domain>\administrator credentials does this go through successfully
(i.e. the resulting verbose log output looks something like this and continues to successfully uninstall the target software:)

MSI (s) (6C:18) [12:38:15:327]: MSI_LUA: Credential prompt not required, user is an admin

Another setting we attempted to change which results in successful uninstallations is the registry setting HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA set to 0. However, the point is not to disable UAC but rather to use the correct channels to bypass UAC. Specifying the main network admin password does not form part of that strategy; an administrator account with such privileges should suffice.

There must be a GPO setting which will allow silent installations for the specified admin account credentials.

Does anyone have any suggestions for alternative attempts or a solution to this issue?
Also see this post for more detail on: http://stackoverflow.com/questions/37458449/msiexec-uninstall-using-elevated-privileges-and-admin-user-credentials-from-c-sh

(I hope I have the correct category and Forum selected. Apologies if incorrect. Let me know which category to put this in and if possible after posting, I can edit the correct target forum category and forum.)
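The verbose log quoted above already contains the answer to "which token did msiexec get", and the check below is what I would run over such a log before touching UAC policy. It is an added example, not part of the original post: a small Python triage of msiexec /l*v lines that pulls out the AlwaysInstallElevated policy values, the MSI_LUA decisions and the product error code, and turns them into verdicts. Error 1730 together with "Elevation prompt disabled for silent installs" is consistent with msiexec running on a UAC-filtered (medium integrity) administrator token, where /quiet suppresses the prompt that would otherwise elevate; the built-in Administrator account (RID 500, local or domain) is exempt from that token filtering by default, which fits the observation that only domain\administrator succeeds. The weak-policy branch is the case a practitioner most wants flagged: AlwaysInstallElevated set to 1 for both machine and user lets any user's MSI run as SYSTEM. The sample lines are the ones quoted in the post plus a constructed pair from a hypothetical host with the weak policy.

```python
import re

# Constructed sample input: the lines quoted in the post above.
SAMPLE_LOG = """\
MSI (s) (80:3C) [11:01:00:674]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (80:3C) [11:01:00:674]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (80:3C) [11:01:00:674]: MSI_LUA: Elevation prompt disabled for silent installs
MSI (s) (80:3C) [11:01:00:674]: Note: 1: 1730 Action start 11:01:00: InstallInitialize.
MSI (s) (80:3C) [11:01:00:674]: Product: Client Software -- Error 1730. You must be an Administrator to remove this application.
"""

# Constructed (hypothetical) lines from a host with the weak policy, plus the
# "user is an admin" line quoted from the successful run in the post.
WEAK_LOG = """\
MSI (s) (A0:11) [09:15:02:001]: Machine policy value 'AlwaysInstallElevated' is 1
MSI (s) (A0:11) [09:15:02:001]: User policy value 'AlwaysInstallElevated' is 1
MSI (s) (6C:18) [12:38:15:327]: MSI_LUA: Credential prompt not required, user is an admin
"""

# msiexec /l*v line shape: "MSI (s|c) (pid:tid) [hh:mm:ss:ms]: message"
LINE_RE = re.compile(r"^MSI \((?P<ctx>[sc])\) \((?P<ids>[0-9A-Fa-f]+:[0-9A-Fa-f]+)\) "
                     r"\[(?P<ts>[\d:]+)\]: (?P<msg>.*)$")
POLICY_RE = re.compile(r"^(?P<scope>Machine|User) policy value '(?P<name>\w+)' is (?P<val>\d+)$")
PRODUCT_ERROR_RE = re.compile(r"^Product: .* -- Error (?P<code>\d+)\.")


def parse_msi_log(text):
    """Yield one dict per well-formed log line; anything else is ignored."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def triage_msi_log(text):
    """Extract policy values, MSI_LUA decisions and product errors, then derive verdicts."""
    policies, lua, errors = {}, [], []
    for ev in parse_msi_log(text):
        msg = ev["msg"]
        pm = POLICY_RE.match(msg)
        if pm:
            policies[(pm["scope"], pm["name"])] = int(pm["val"])
            continue
        if msg.startswith("MSI_LUA:"):
            lua.append(msg.split(":", 1)[1].strip())
            continue
        em = PRODUCT_ERROR_RE.match(msg)
        if em:
            errors.append(int(em["code"]))

    verdicts = []
    # Both values at 1 is a classic local privilege escalation: any user's MSI runs as SYSTEM.
    if (policies.get(("Machine", "AlwaysInstallElevated")) == 1
            and policies.get(("User", "AlwaysInstallElevated")) == 1):
        verdicts.append("WEAK: AlwaysInstallElevated=1 for machine and user; any user's MSI runs as SYSTEM")
    # 1730 right after a suppressed prompt: the process had a filtered token and /quiet blocked elevation.
    if 1730 in errors and any(d.startswith("Elevation prompt disabled") for d in lua):
        verdicts.append("Error 1730 after a suppressed UAC prompt: msiexec ran on a filtered token and /quiet blocked elevation")
    if any("user is an admin" in d for d in lua):
        verdicts.append("Full administrator token: no UAC prompt was needed")
    return {"policies": policies, "lua": lua, "errors": errors, "verdicts": verdicts}


if __name__ == "__main__":
    for name, log in (("post", SAMPLE_LOG), ("weak", WEAK_LOG)):
        for v in triage_msi_log(log)["verdicts"]:
            print(f"[{name}] {v}")
```

Point it at the /l*v log of a failed silent run; a "filtered token" verdict means the fix belongs in how the process is launched (an already elevated parent, or a scheduled task or service running as SYSTEM), not in the MSI or in EnableLUA.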









What's default client frequency contacting DC via Kerberos?


Hi All,

I am trying to understand what is happening in the router logs. It seems that a lot of Windows clients are contacting the DC via port 88 (Kerberos).

How often should these clients actually contact the DC? Could this be a sign of malware?

Thanks

Encryption with EFS


Hello,

When implementing a public key infrastructure (EFS encryption with ADCS) I met a problem that bothered me a lot. I configured a GPO for automatic registration of a personalized EFS certificate; the problem is that the cryptographic signature in a share (file server) of a member of this group is not the same as the certificate issued by the GPO.

When I look at the user certificates in "mmc", I find just the certificate issued by the GPO.

what is the problem?

Thank you.

2012 R2 CA not including Subject


I'm requesting certificates from an internal Windows 2012 R2 certificate authority, from the Certificates MMC snap-in for a machine account. The "Subject" is empty on the certificate produced, even if I add CN=something.domain.com, O=Some Company, etc. Is that expected?


MBSA failed to download security update databases


I'm running MBSA on an offline PC. I put wsusscn2.cab in the /system32 folder.

Running MBSA then gives me the error "failed to download security update databases". How may I correct this error? Thanks!

Michael

ADCS : CA cert removal



Using certutil or any other means, is it possible to 1) revoke all certificates issued by a CA and 2) remove the revoked certificates from the local computer store on all PCs?

Question about missing function when using ADCS certsrv webenrollment


Hi,

We recently set up a new ADCS. When I try certsrv web enrollment to request my first certificate, I can't seem to be able to do so.

Here is what I've seen: After I successfully authenticate with certsrv, the first welcome page asks to select a task:

Request a certificate/ View the status of a pending certificate request / Download a CA certificate, certificate chain, or CRL.

I choose "request a certificate", then the next page brings me:

Select the certificate type: User certificate, or, submit an advanced certificate request.

If I choose "submit an advanced certificate request", it brings me to the page: Submit a certificate request or renewal request. Here, I can only paste a saved request. But all I want to do is create a custom request including key size, template, etc.

I compared the newly set up ADCS with one of the old ADCS. I can't find any difference, but the old one allows me to create a custom request via certsrv.

Can someone shed some light on this? By the way, I am requesting an enrollment agent certificate and that template is enabled.

Thanks

Jin

One user is added automatically to group Security.


We are running Windows 2008 R2 as DC. Whenever we create a group or a user in Active Directory, one user named Mike is added to the Security tab automatically, as shown below.

1. It must have some default setting to add the user automatically. How can we remove him from the default settings?

2. Is there a way to remove him from the Security without going to each group one by one?


Bob Lin, MCSE & CNE Networking, Internet, Routing, VPN Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com


Personalized Certificate


Hello,

I need to create a new digital certificate from the Windows Server CA, to be installed on the desktop. The CN field of the certificate must contain the user's full name and Social Security number, for example: John Doe: 03354312309. I managed to generate new certificates in this format, even directly in Windows 7 from the certificate console in MMC, but the numbers are not in the field.

Does anyone have any tips on how I can do this?

Thank you !


Ivanildo Teixeira Galvão

Event 4674: "An operation was attempted on a privileged object" on Windows Server 2008 — what does it mean?

A while ago I enabled auditing on my WS2008 servers and started noticing the following event repeating in the Security log.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/14/2008 7:10:02 PM
Event ID:      4674
Task Category: Sensitive Privilege Use
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      <Computer FQDN Here>
Description:
An operation was attempted on a privileged object.

Subject:
 Security ID:  LOCAL SERVICE
 Account Name:  LOCAL SERVICE
 Account Domain:  NT AUTHORITY
 Logon ID:  0x3e5

Object:
 Object Server: Security
 Object Type: -
 Object Name: -
 Object Handle: 0x0

Process Information:
 Process ID: 0x294
 Process Name: C:\Windows\System32\lsass.exe

Requested Operation:
 Desired Access: 16777216
 Privileges:  SeSecurityPrivilege

I found no public description of what it means and what I am supposed to do. It seemed to me that something cannot execute because 'LOCAL SERVICE' needs the 'SeSecurityPrivilege' (aka 'Manage auditing and security log') right. Okay, I granted this right (double checked with RSoP and Local Policy Editor) but nothing changed. I even tried to grant this right to the 'System' account also (by default only 'Administrators' have it). But this didn't help either.

So my question is: what should I do to get rid of these events (other than disabling auditing)? Thanks in advance.


P.S. A few links I tried but that didn't add to my understanding.


And that's all at least slightly relevant information I could find.

Deploying Trust Chains on Non Windows/AD


Hi,

New to this area, and to the subject domain. Have been looking at various answers but not sure if

1) I  understand this subject enough and the answer is staring at me in the face

2) Its a common issue/question that individuals ask

I will try to put the question in the best way that I can;

How do you enable a Linux/Unix server to download the trust chain (Root and Intermediate CA certificate, based on a 3-tier PKI)? More specifically, can you define the location where this sits within a Linux/Unix server?

From my understanding, it will be the administrators that pull the trust chain (most likely over HTTPS) and then store this within a folder of their choice. There is no way to enforce a policy that states that it needs to be in a particular place for those that are not within Active Directory.

Hope that makes sense.


WEB server (certsrv) not working for non-domain PCs


Hi

I have a 2012 R2 offline CA and a subordinate enterprise CA integrated with Active Directory.

I am using a different 2012 R2 web server (certsrv) in order to request a certificate.

The issues:

When I try to request a certificate using the web page from a PC that is part of my domain, everything works and I get my certificates.

When I try to request a certificate using the web page from a PC that is NOT part of my domain, I get "RPC is unavailable" when I click "submit".

Both PCs (domain and non-domain) are on the same exact network.

Is there an issue with using the web (certsrv) to create certificate requests from non-domain PCs? If not, then what should I do to make it work?

EV Certificates and Multilayer Internal PKI


Hi,

We have a standalone offline root CA and a domain-joined issuing CA setup, both on Server 2012 R2. I have been asked to get EV certificates deployed internally and I saw the site below:

https://blogs.technet.microsoft.com/askds/2009/08/14/extended-validation-support-for-websites-using-internal-certificates/

At the end of the document it talks about adding the root CA to the trusted root CAs on the domain and adding the OID of the certificate template created into it. The thing is, we have not deployed our root CA this way, but using the command certutil -dspublish -f <certfilename> RootCA.

Would this create duplicate certificates in all the clients' Trusted Root container on each PC if I were to add it again? Also, I have not published the intermediate certificate at all; I assume because it is domain joined it automatically publishes itself to the Intermediate Certification Authorities container on each PC. What if I add this certificate as well to a global Group Policy and make the OID changes? How would this affect existing users?

Thanks a lot for reading.

MS16-035 security update for "Windows Server 2008 R2 " on .Net Framework 2.0


I am looking for the MS16-035 security update patch for .NET Framework base version v2.0.50727 on the operating system "Windows Server 2008 R2 Enterprise 64-bit Edition Service Pack 1".

I have a Windows Server 2008 R2 Enterprise 64-bit server. I got the vulnerability report to install MS16-035, so I kept the base version and uninstalled all other versions, as .NET Framework is not required for my applications. I am still getting the vulnerabilities reported.

I didn't find it on the Microsoft Security Bulletin MS16-035 page. How do I get the update for this?

Audit domain admin password change


Hi

I'm trying to audit domain admin password changes. I've edited the Default Domain Controllers GPO to log events under Audit Account Management (success and failure), but it's not working. No events are created in the Security log when I change the password. Any ideas why that might be?

Thanks



Revocation status for a certificate in the chain for CA certificate 0 for CA could not be verified because a server is currently unavailable. The revocation function was unable to check revocation because the revocation server was offline. 0x


Hi

We have a two-tier architecture:

Offline CA

Subordinate CA.

I am unable to start the subordinate CA and it's giving the error in the title. The revocation server is online and I can download the Root CA CRT and CRL via the web URL configured in the subordinate certificate.

I also issued a new CRL from the Root CA, published it to the domain using certutil -dspublish and then ran certutil -CRL.

I am able to start the subordinate CA, but I get a warning in the event log about the revocation server being offline and I cannot renew/issue any certs.

Following is what I get from certutil

The URL for revocation in the output below is accessible from the subordinate CA. (http://rootca.internal.TESTDC.com.au/CertData/Test-ROOTCA.crl)

Any thoughts.

Thanks in advance

Issuer:
    CN=Test-ROOTCA
    DC=internal
    DC=TESTDC
    DC=com
    DC=au
  Name Hash(sha1): 4d53cf7d64e09f4f7e9c74d0bb645d350b60ac00
  Name Hash(md5): 68f20bd7fb46532428f1303a7bebc430
Subject:
    CN=Test-IssuingCA
    DC=internal
    DC=TESTDC
    DC=com
    DC=au
  Name Hash(sha1): ad248fc23f8341cc1e23824e3420372ee8996b14
  Name Hash(md5): d8d6b0425955f4ebe7ce61ee2ec3f0b1
Cert Serial Number: 7d000000048283453355011e2d000000000004

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=Test-ROOTCA, DC=internal, DC=TESTDC, DC=com, DC=au
  NotBefore: 3/4/2016 2:20 PM
  NotAfter: 3/4/2017 2:30 PM
  Subject: CN=Test-IssuingCA, DC=internal, DC=TESTDC, DC=com, DC=au
  Serial: 7d000000048283453355011e2d000000000004
  Template: SubCA
  d0485dc22b8489e8edd9f6e4ed219300952af45f
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)
    file:////TESTECAWIN01/CertEnroll/TESTECAWIN01_Test-ROOTCA.crt

  Verified "Certificate (0)" Time: 0
    [1.0] http://rootca.internal.TESTDC.com.au/CertData/TESTECAWIN01_Test-ROOTCA.crt

  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)
    file:////TESTECAWIN01/CertEnroll/Test-ROOTCA.crl

  No IDP Intersection "Base CRL (18)" Time: 0
    [1.0] http://rootca.internal.TESTDC.com.au/CertData/Test-ROOTCA.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=Test-ROOTCA, DC=internal, DC=TESTDC, DC=com, DC=au
  NotBefore: 3/4/2016 8:37 AM
  NotAfter: 5/25/2018 1:04 PM
  Subject: CN=Test-ROOTCA, DC=internal, DC=TESTDC, DC=com, DC=au
  Serial: 71afec5719d43f984cf7142e6ca63c6f
  7930c20cb9dac2dd8756626ccc2f8c28412e5c90
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  d0485dc22b8489e8edd9f6e4ed219300952af45f
Full chain:
  a0b10c0d6b498d923b0e93f89e3c7ad2c8034c33
  Issuer: CN=Test-ROOTCA, DC=internal, DC=TESTDC, DC=com, DC=au
  NotBefore: 3/4/2016 2:20 PM
  NotAfter: 3/4/2017 2:30 PM
  Subject: CN=Test-IssuingCA, DC=internal, DC=TESTDC, DC=com, DC=au
  Serial: 7d000000048283453355011e2d000000000004
  Template: SubCA
  d0485dc22b8489e8edd9f6e4ed219300952af45f
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline
Cert is a CA certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.
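What a practitioner wants from a chain dump like the one above is, per chain element, which AIA/CDP URLs were actually reachable from the subordinate CA and which were not, kept separate from the final CRYPT_E_REVOCATION_OFFLINE verdict. The following is an added example and not part of the original post: a Python parser for the certutil -verify output format shown above. It records each AIA/CDP/OCSP fetch attempt with its status, URL and error and decodes the dwErrorStatus bits with the CryptoAPI CERT_TRUST_* names certutil itself prints. Run over the posted output it shows that the two file:// (UNC) URLs embedded in the root's AIA and CDP extensions fail with ERROR_NOT_SUPPORTED from this host, that the http:// AIA URL is retrieved, and that the http:// CRL fetch is recorded as "No IDP Intersection" rather than "Verified", which is why both CERT_TRUST_REVOCATION_STATUS_UNKNOWN and CERT_TRUST_IS_OFFLINE_REVOCATION remain set on the issuing CA certificate. The sample is the relevant part of the output quoted in the post. On the subordinate CA itself I would re-run the check as certutil -verify -urlfetch <subca.cer> so that each URL is fetched live rather than served from the local cache.

```python
import re

# Constructed sample: the CertContext[0][0] block and the final lines quoted in the post above.
SAMPLE_OUTPUT = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)
    file:////TESTECAWIN01/CertEnroll/TESTECAWIN01_Test-ROOTCA.crt

  Verified "Certificate (0)" Time: 0
    [1.0] http://rootca.internal.TESTDC.com.au/CertData/TESTECAWIN01_Test-ROOTCA.crt

  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)
    file:////TESTECAWIN01/CertEnroll/Test-ROOTCA.crl

  No IDP Intersection "Base CRL (18)" Time: 0
    [1.0] http://rootca.internal.TESTDC.com.au/CertData/Test-ROOTCA.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
"""

# CryptoAPI CERT_TRUST_* error bits as printed by certutil in dwErrorStatus
CERT_TRUST_ERROR_BITS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID", 0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID", 0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN", 0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}

ELEMENT_RE = re.compile(r"^CertContext\[(\d+)\]\[(\d+)\]: dwInfoStatus=([0-9a-f]+) dwErrorStatus=([0-9a-f]+)")
SECTION_RE = re.compile(r"^\s*-+\s+Certificate (AIA|CDP|OCSP)\s+-+")
STATUS_RE = re.compile(r'^  (?P<status>[A-Za-z][A-Za-z ]*?)\s+"(?P<what>[^"]*)"\s+Time: \d+')
URL_RE = re.compile(r"^    (?:\[[\d.]+\]\s+)?(?P<url>(?:https?|ldap|file):/+\S+)")
FETCH_ERR_RE = re.compile(r"^    Error retrieving URL: (?P<text>.*?)\s+(?P<hr>0x[0-9A-Fa-f]{8})")
FINAL_RE = re.compile(r"^ERROR: .*?(?P<hr>0x[0-9A-Fa-f]{8}) \(-?\d+ (?P<name>[A-Z_0-9]+)\)")


def decode_error_status(value):
    return [name for bit, name in CERT_TRUST_ERROR_BITS.items() if value & bit]


def parse_certutil_verify(text):
    """Walk the dump line by line, tracking the current chain element, section and fetch."""
    elements, final = {}, None
    cur_el = cur_section = cur_fetch = None
    for line in text.splitlines():
        m = ELEMENT_RE.match(line)
        if m:  # new chain element, e.g. CertContext[0][0]
            cur_el = (int(m[1]), int(m[2]))
            elements[cur_el] = {"error_status": int(m[4], 16), "fetches": []}
            cur_section = cur_fetch = None
            continue
        m = SECTION_RE.match(line)
        if m:  # "Certificate AIA/CDP/OCSP" banner
            cur_section, cur_fetch = m[1], None
            continue
        m = STATUS_RE.match(line)
        if m and cur_el is not None and cur_section is not None:  # Failed/Verified/No URLs/...
            cur_fetch = {"section": cur_section, "status": m["status"], "what": m["what"],
                         "url": None, "error": None}
            elements[cur_el]["fetches"].append(cur_fetch)
            continue
        m = URL_RE.match(line)
        if m and cur_fetch is not None:  # the URL the status line refers to
            cur_fetch["url"] = m["url"]
            continue
        m = FETCH_ERR_RE.match(line)
        if m and cur_fetch is not None:  # fetch error text and HRESULT
            cur_fetch["error"] = (m["text"], int(m["hr"], 16))
            continue
        m = FINAL_RE.match(line)
        if m:
            final = (int(m["hr"], 16), m["name"])
    return {"elements": elements, "final": final}


def summarize(parsed):
    fetches = [f for el in parsed["elements"].values() for f in el["fetches"]]
    return {
        "failed_urls": [f["url"] for f in fetches if f["status"] == "Failed"],
        "fetched_urls": [f["url"] for f in fetches if f["status"] == "Verified"],
        "other": {f["url"]: f["status"] for f in fetches
                  if f["url"] and f["status"] not in ("Failed", "Verified")},
        "element_errors": {k: decode_error_status(v["error_status"]) for k, v in parsed["elements"].items()},
        "final": parsed["final"],
    }
```

Feed it the full output of certutil -verify -urlfetch; a non-empty failed_urls list that is all file:// entries tells you the root's AIA/CDP extensions still carry a UNC path that the subordinate cannot use, and anything other than "Verified" against the http:// CRL is what to chase next.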


Client Certificate autoenrollment and supersede template issue


Hello everyone,

I have a problem when trying to deploy client certificates to W7 clients by autoenrollment group policy with CES/CEP configured. I'll explain my scenario for better understanding:

I have 2 Enterprise Issuing CAs in the same domain. One of them is WS2008R2 using SHA1 as the signature hash algorithm, and the other one is WS2012R2 using SHA256. I have configured two different CES/CEP URIs for both of them.

I have configured two different autoenrollment group policy objects, one for Issuing CA SHA1 and the other one for Issuing CA SHA256.

Template A is a copy of the "Computer" version 1 template, and it is published on Issuing CA SHA1. Template B is a copy of the "Computer" version 1 template, and it is published on Issuing CA SHA256. Template A has "Windows Server 2003" Certification Authority and "Windows XP/S2003" certificate recipient compatibility settings configured. Template B is configured as "Windows Server 2012 R2" Certification Authority and "W7/Server 2008R2" certificate recipient compatibility settings. Templates seem to be correctly replicated across Domain Controllers.

I need to migrate client certificates from Issuing CA SHA1 to Issuing CA SHA256, replacing the SHA1 certificate on the client side. Deploying SHA1 or SHA2 certificates (without the supersede setting enabled) through autoenrollment and CES/CEP is working perfectly, but the problem comes up when I try to configure the "Supersede" option in Template "B" in order to replace Template "A" at autoenrollment time with a new SHA256 client certificate.

I have a W7 client with a SHA1 certificate. I replace the security group that enables the client side to autoenroll the SHA1 certificate (by template A) with the security group that enables it to autoenroll for the SHA256 certificate (by template B). I run "gpupdate /force" and restart the computer for the changes to apply and a new pulse to take effect. After restarting, I query the machine certificate container and I see both certificates, SHA1 and SHA256, instead of only the new SHA256 one.

I went through hours of troubleshooting but I cannot see anything wrong. I enabled "AEEventLogLevel" on the client side, but no errors or warnings seem to appear in the Application event log after the autoenrollment process. I reviewed the CES/CEP cache on the client side, "C:\ProgramData\Microsoft\Windows\X509Enrollment", and I could confirm the new file enrolled by CES/CEP appears, and it contains the new Template information (B) with the supersededPolicy defined:

...<supersededPolicies><commonName>TemplateA</commonName></supersededPolicies>...

I tried to change the compatibility settings and configure Template B the same way as defined on Template A, republished Template B and cleared the CES/CEP web server and client side caches, but nothing changes. Still the older SHA1 and the new SHA256 are present.

I would really appreciate any help!

Thank you.

Alberto.




Security alert Event ID:4625 Logon type: 3


Our company is getting the same security alert 100-200 times a day in the morning; can anyone please help?

An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Computer name
Account Domain: Our domain

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: Computer name
Source Network Address: computer's IP
Source Port: 58573(different every time)

Detailed Authentication Information:
Logon Process: NtLmSsp 
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0


CA/Sub-CA Scenario & Questions


Current Environment:
Windows Server 2008 R2 Enterprise CA. This was built many years ago and is issuing SHA-1 certificates. We need to implement SHA-2 in our environment, which is what is bringing on this endeavor. After doing some research, it sounds like the initial CA should have been built as a standalone server and turned down after it was brought up. To me, it sounds as if it should never have been used to issue certs to users, computers, etc. Is this a correct statement? We currently have no subordinate CA.

What I am trying to do is spin up a Windows Server 2012 R2 Subordinate Certificate Authority that will issue SHA-2 certs, but I am not sure of its effect on the environment. If I build this out as an Enterprise Subordinate CA and copy root.cer from the Root Certificate Authority to the C:\ on the Subordinate CA, is it going to cause any issues with any already existing SHA-1 certificate that was issued from the root CA? By doing this, would I effectively be able to issue SHA-2 certificates moving forward?

As a phase two part of this project, if I wanted to best practicefy my environment, how might I go about doing that (assuming building a standalone root certificate authority and taking it offline is best practice).

Any help would be greatly appreciated as I am not very familiar with CAs.

--Scott

RDP failed attempt events


Hi All,

We want to monitor Remote Desktop failed logon attempts in our domain environment. The Domain Controllers are Windows Server 2008 R2, latest version. We enabled the advanced audit policies for the environment following the TechNet article https://technet.microsoft.com/en-us/library/dn487457.aspx. But anyway, we can't get RDP failed logon attempts for domain users.

For information, there is nothing in the Security logs about failed RDP logon events on the target servers locally. But we have pre-authentication failure events in the Domain Controller Security logs, which give us less information about the failed RDP attempt. We want to find the attempting user, the source machine or IP, and the target server or IP.

Please help with any suggestions.
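Three posts on this page (the 4674 "privileged object" event, the 4625 logon type 3 alert and the RDP failed-logon question) come down to the same task: reading the Key: Value body of a Windows Security event and decoding the numeric fields. The example below is added here and is not from any of the posts: a Python parser for that body plus decoders for the access mask, the NTSTATUS codes and the logon types those events carry. On the 4674 above it resolves Desired Access 16777216 to ACCESS_SYSTEM_SECURITY (0x01000000), the right needed to read or write an object's SACL, which is exactly what SeSecurityPrivilege gates, and names lsass.exe as the caller. On the 4625 it resolves 0xc0000064 to STATUS_NO_SUCH_USER and notes that the failing account name is the sending workstation's own name. For the RDP question it separates logon type 10 (RemoteInteractive, RDP without NLA) from type 3 with NtLmSsp/NTLM, which is how a failed NLA (CredSSP) RDP logon commonly appears on the target; either way a 4625 is only written on the target server if Logon/Logoff failure auditing is in that server's effective policy (check with auditpol /get /category:Logon/Logoff), and the DC-side 4771/4776 events never carry the target server. The sample bodies are the two quoted above, trimmed to the fields used, with the host name, domain and address replaced by placeholders.

```python
from collections import Counter, defaultdict

# Constructed sample bodies: the 4674 and the 4625 quoted in the posts above, trimmed to
# the fields used here; host name, domain and address are placeholders.
EVENT_4674 = """Subject:
 Account Name:  LOCAL SERVICE
Process Information:
 Process Name: C:\\Windows\\System32\\lsass.exe
Requested Operation:
 Desired Access: 16777216
 Privileges:  SeSecurityPrivilege
"""
EVENT_4625 = """Logon Type: 3
Account For Which Logon Failed:
 Security ID: NULL SID
 Account Name: WKS-01
 Account Domain: CORP
Failure Information:
 Status: 0xc000006d
 Sub Status: 0xc0000064
Network Information:
 Workstation Name: WKS-01
 Source Network Address: 10.0.0.23
Detailed Authentication Information:
 Logon Process: NtLmSsp
 Authentication Package: NTLM
"""

ACCESS_MASK_BITS = {  # standard and generic rights; the low 16 bits are object-specific
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE", 0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ"}
NTSTATUS = {  # Status / Sub Status values documented for event 4625
    0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED", 0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION", 0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000071: "STATUS_PASSWORD_EXPIRED", 0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}


def parse_event_body(body):
    """'Header:' lines open a section; 'Key: Value' lines belong to the current section."""
    fields, section = defaultdict(dict), "_"
    for raw in body.splitlines():
        if raw.strip():
            key, sep, value = raw.strip().partition(":")
            if sep and not value.strip():
                section = key.strip()
            else:
                fields[section][key.strip()] = value.strip()
    return fields


def find(fields, key, section=None):
    if section is not None:
        return fields.get(section, {}).get(key)
    return next((sec[key] for sec in fields.values() if key in sec), None)


def decode_access_mask(value):
    v = int(str(value), 0)  # decimal as logged ("16777216") or hex ("0x1000000")
    return [name for bit, name in ACCESS_MASK_BITS.items() if v & bit]


def triage_4674(fields):
    access = decode_access_mask(find(fields, "Desired Access"))
    priv = find(fields, "Privileges")
    notes = []
    if "ACCESS_SYSTEM_SECURITY" in access and priv == "SeSecurityPrivilege":
        notes.append("SACL access requested: the caller's token must hold SeSecurityPrivilege")
    return {"access": access, "privileges": priv, "process": find(fields, "Process Name"),
            "notes": notes}


def triage_4625(fields):
    ltype = int(find(fields, "Logon Type"))
    sub = int(find(fields, "Sub Status"), 16)
    acct = find(fields, "Account Name", "Account For Which Logon Failed")
    wks = find(fields, "Workstation Name")
    notes = []
    if sub == 0xC0000064:
        notes.append("account does not exist in the target domain")
    if acct and wks and acct.upper() == wks.upper():
        notes.append("account name is the sending workstation's own name (a machine account "
                     "would end in '$'): start the hunt on that host")
    if ltype == 10:
        notes.append("RemoteInteractive: RDP without NLA, recorded on the target server")
    elif ltype == 3 and find(fields, "Logon Process") == "NtLmSsp":
        notes.append("Network logon via NtLmSsp: how a failed NLA (CredSSP) RDP logon or an "
                     "SMB/NTLM probe appears on the target server")
    return {"logon_type": LOGON_TYPES.get(ltype, str(ltype)),
            "status": NTSTATUS.get(int(find(fields, "Status"), 16), "unknown"),
            "sub_status": NTSTATUS.get(sub, "unknown"), "account": acct,
            "source": find(fields, "Source Network Address"), "notes": notes}


def aggregate_4625(bodies):
    """Count failures by (source, account, sub-status): the shape of a 100-200-a-day alert."""
    counts = Counter()
    for t in (triage_4625(parse_event_body(b)) for b in bodies):
        counts[(t["source"], t["account"], t["sub_status"])] += 1
    return counts
```

Feed aggregate_4625 the message bodies exported from the Security log (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} gives them as .Message) and the repeating alert collapses to a handful of (source, account, reason) tuples, which is the list to work from.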


