Channel: Security forum

Exchange Authentication Failures


    I have an Enterprise Exchange 2010 server on a Server 2008R2 level domain.  Users have personally owned devices and have been logging into Exchange with their Domain credentials.  With Windows 10 computers, the users are failing authentication initially with user name = local computer login name and domain = local machine name; or user name = personal email account and domain name = microsoftaccount.  Both failures result in a log event 4625 failure.

    They are still getting their corporate email, so that account is set up properly.  I have removed all corporate domain cached credentials in credential manager and in web browsers on the personal devices.  I have also changed the Outlook account settings to "always prompt for login credentials" on the security tab for the email account settings.   I cannot determine why the local computer credentials are being sent to the Exchange server.

   Any ideas?


Fly Navy, Scott MCSE CEH CISSP


Custom Local Administrator Groups?


Is it possible to create a custom local group on a Windows server that has the same, or similar, access as the local Administrator group without actually nesting the group in the existing Administrator group?

I think the answer is no, but am curious if any of the experts out there think this is possible.  If it is possible, how would you do it, and more specifically, how could one audit their servers for this type of custom group?

Is it possible to make BitLocker password to sync with the domain user account password?


Hi all,

For the removable USB data drive in our production environment, we need to use the BitLocker To Go feature to encrypt it. As we know, we will have to assign a password to unlock the BitLocker encrypted drive when we enable it.

My question is:

Is it possible to make the BitLocker password the same as the domain user logon account password in our domain? If it is possible, how can we do that?

Thanks in advance for any help.

Scorprio


TechNet Software Assurance Managed Newsgroup MCTS: Windows Vista | Exchange Server 2007 MCITP: Enterprise Support Technician | Server & Enterprise Admin

"Access Denied " error occurs while users trying to change password with Ctrl+Alt+Del in Win 2k12 Domain


"Access Denied " error occurs while users trying to change password with Ctrl+Alt+Del in Win 2k12 Domain

Users have sufficient rights to change their password .

Under User properties - Security - Self - Change password selected

But did not work in domain users .....Need help

Online Certification Authority "Select" greyed out IIS with 2008 R2 PKI


I have built a two tier 2008 R2 PKI with an offline Root CA and an online issuing CA. The domain is at the 2008 functional level.

From a 2008 IIS server on the same domain, I have tried to create a "Domain Certificate" so I can implement an internally self signed web server. On the first screen, I am able to enter all the details under "Distinguished Name Properties", but when I go to the next screen, "Online Certificate Authority", the Select button is greyed out next to "Specify Online Certification Authority". The only online articles I have found say this indicates that something is wrong with the CA, but not what.

I have checked everything with PKIview and the CA looks healthy. I have also run the BPA for certificate services and the BPA for DNS and no problems are shown.

I have checked the certificate template for web servers that I created and it looks okay, and I have been able to manually send a web server request to it on the CA and install it on the web server.

I am also able to successfully autoenrol user and machine certificates within the domain and use this for 802.1x Wireless authentication.

Any pointers would be appreciated

Thanks

Iain

Elevation on executing cmd commands


Hi..

I have a very strange issue where i do have two service accounts meant for two windows servers 2008

On one server when i launch cmd without running it as an Administrator and try to execute one command which starts an application service using one utility it succeeds, whereas on other server it doesn't and ends with below error..

StartService

FAIL: openservice failed [EIO*: Input/Output error OR Access is denied.]

When i try to execute command as an administrator it works whereas on other server i dont have to launch cmd in Admin mode in order to successfully execute the command

Both service accounts are having Local Admin rights on their respective servers

applied GPO's on both servers and user accounts are the same

User account control (UAC) is set to highest on both servers, but in order to execute command successfully on one server without having to launch it in admin mode i have to put the UAC level to lowest which is not desirable

Would like to know the root cause or any suggestion for this strange behavior

Windows 2003 server Error


I have rebooted our Windows 2003 server having Eflow application but it did not come up automatically.

When checked server status locally I have found server was in ctrl+Alt+Del screen ...Tried locally login to server...

So locally login to server & manually rebooted this server. After manual reboot server came accessible...

Checked Event Viewer logs but did not find any suspicious event....So help how can I avoid such issue for this server during next reboot?

Domain Controller Certificate disappears after reboot


Our domain Controller certificates expired 2 days ago and when this happened we could no longer authenticate wirelessly.  We get EAP-auth failure notices on the device.  All was working fine prior to the expiration of these certs. I have requested a new cert, choose Domain Controller, hit Enroll, I get a green checkmark and it says succeeded.  I hit finish and it shows up in the Personal certificates folder.  Then When I reboot to set changes it is gone when I log back in.  Any help would be much appreciated. 

*There are not any auto enroll GPO settings to cause this removal.


Trouble implementing Network Unlock


The laptop always prompts to enter a PIN even if the laptop is wired to the network.

  • DHCP server logs show that the laptop is acquiring an ip address prior to the prompt to enter the PIN.  Confirmed the timestamp was after the reboot and the log entry showed up before entering the PIN.
  • WDS server logs show that request and response with correct thumbprint for the public unlock certificate and the clients ip shows up in the log messages.
  • Message from Verbose log First message - Processing Request Certificate thumbprint ...   Second message - Reply sent ... 
  • Messages from Debug log (Received NKP IPV4 request ...) and NKP request processing successed Remote Address...)

Use of File EFS (Encryption) with VMAX and Isilon Storage on Windows


Hello,

I have a customer who needs to encrypt sensitive HIPAA data on a Windows File system.  According to best practice EFS is the best practice to encrypt files at rest.  According to our engineers we are using VMAX and Isilon storage, which on sale-out will have major issues.  Has anyone used this type of storage with EFS or is there a replacement system we can use to achieve file encryption/decryption without writing it in the application code?

Any thoughts would be greatly appreciated.

Thanks,

George Elder

 

WordPress on Server 2k8R2 weird permissions on WP-Content Folder


I've installed WordPress on server 2k08R2.

The permissions on the WP- Content folder are
CREATOR OWNER - special permissions
SYSTEM - Full Control
Administrators - Full Control
Users - Read and Execute, List Folder Contents, Read
IIS_IUSRS - Full Control

From https://wordpress.org/support/topic/the-correct-permissions-for-wordpress-on-iis?replies=6

When I upload Media, picture for example, WP makes multiple sizes of the picture. All the files with different sizes which WordPress creates have good permission except the original size file. The original size picture receives weird permissions which make the file not accessible in WP until I manually add the IIS_IUSRS group, then all of the inherited permission get applied to the file, thus making the original size file accessible.

Thanks all


DNS server spoofed request amplification DDOS


Hi

I have a Windows 2012 server installed with Exchange 2013

I have disabled recursion in my DNS server, however when I do a vulnerability scan I still receive this:

DNS server spoofed request amplification DDOS

Description,

The remote dns server answer to any request. it is possible to query the name server of the root zone and get an answer that is bigger than original request.

it says, restrict access to your DNS server from public network or reconfigure it to reject such queries - how do i do this?

PKCS#10 Certificate Requests in Web Enrollment; Information on Additional Attributes field is lacking


Hello,

There is plenty of information on how to add SAN names via the "Additional Attributes" box to request unauthenticated SAN names. However, there is no information about how to format requests for any other attributes, like a country code in the SAN name. I get a lot of certificate requests where they request "UK" as the country code, when it should be "GB". I know this doesn't really matter in the grand scheme of things, but what I want to know is how to format subject information to submit in the additional attributes, and what other information can be requested there. 

I did a lot of searching but all I can see is how to add in SAN names. For example:  
san:dns=mywebserver.domain.local&rfcsomething=192.168.1.50&dns=stuffandthings.domain.local

Is there any information or documentation out there that has all the syntax for other attributes to request (like the subject field or EKU). 

Thanks all.  


Microsoft Certificate Authority 2012 R2 - Revocation Certificate


Good Afternoon,

I am in the process of setting up a new Microsoft 2012 R2 2-tier PKI environment [Root CA and 2 subordinate CA] to replace the current 1-tier CA.

I need to know whether subordinate CA revokes certificates or revocation process only take place on and by the Root CA?

Does subordinate CA publishes CRL or the CRL is only published by the Root CA?

How often do I need to publish CRL from the RootCA? I've read companies setup to publish CRL only after revoking a certificate, 3 months, 6 months, 1 year, and never. 

Thank You in advance. 

Raed

Microsoft Certificate Services (Directory Object Not Found 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)


I've recently ported an enterprise CA from Windows 2008 R2 to Windows 2012 R2 (same NETBIOS name).  This is a single tier, enterprise CA integrated into Active Directory.  Everything for the most part appears to be operating as per usual.  However, I'm getting errors Event Log ID (75, 74, 66), all of which points to the inability of the CA to publish CRL to Active Directory.

Whenever I try to manually publish the CRL through the CA GUI I get the following error:

There appears to be two CRLs, first one succeeds while the other fails.

I've granted the computer account explicit rights to the CN=CDP,CN=Public Key Services as well as CN=AAA,CN=Public Key Services in Active Directory, but it just doesn't seem to be able to publish the CRL.  Any help in resolving this issue would be much appreciated.


Microsoft 2-Tier PKI Disk Requirements


Good Morning,

I am in the process of planning a Microsoft Windows Server 2012 R2 2-Tier PKI environment.

Both root and subordinate servers will be running as VMs on Hyper-V 2012 R2.

I need to confirm the disk space requirements for the Root CA and subordinate CA Windows Server 2012 R2.

Also, I would like to know whether to keep the CA database on the C: drive or move it to a non-system drive [example E: drive]. My take on this is to keep it simple and keep the CA files on the default C:\Windows\System32\CertSrv folder.

We have about 800 - 900 users, 150 servers, and about 20 various application servers that require additional certificates.

Microsoft suggests 64 KB available disk per certificate.

My thoughts are:

Root CA standalone Windows Server 2012 R2 to have 60 GB for the C: drive.

Subordinate CA domain-joined Windows Server 2012 R2 to have 100 GB for the C: drive.

Please advise on this question.

Thank You

Raed


MSCEP Errors Messages


Hi All

I have a CA on Windows Server 2012 R2 and two front-end servers in load balancing that respond to CSRs.

The problem is that the mobile devices send the CSR but do not receive the certificate (Certificate Request Failed),
and at the same time in the mscep.log there are these error codes:

2906.1544.0:<2016/7/13, 8:17:45>: 0x80070585 (WIN32: 1413 ERROR_INVALID_INDEX)
2906.1397.0:<2016/7/13, 8:18:7>: 0x8007007a (WIN32/HTTP: 122 ERROR_INSUFFICIENT_BUFFER)
2905.5766.0:<2016/7/13, 8:18:7>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2905.2469.0:<2016/7/13, 8:18:7>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2905.1973.0:<2016/7/13, 8:18:7>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2906.1544.0:<2016/7/13, 8:18:7>: 0x80070585 (WIN32: 1413 ERROR_INVALID_INDEX)
2906.1397.0:<2016/7/13, 8:18:8>: 0x8007007a (WIN32/HTTP: 122 ERROR_INSUFFICIENT_BUFFER)
2905.5766.0:<2016/7/13, 8:18:8>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2905.2469.0:<2016/7/13, 8:18:8>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2905.1973.0:<2016/7/13, 8:18:8>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2906.1544.0:<2016/7/13, 8:34:45>: 0x80070585 (WIN32: 1413 ERROR_INVALID_INDEX)
2906.1397.0:<2016/7/13, 8:34:48>: 0x8007007a (WIN32/HTTP: 122 ERROR_INSUFFICIENT_BUFFER)
2905.5766.0:<2016/7/13, 8:34:48>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2905.2469.0:<2016/7/13, 8:34:48>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2905.1973.0:<2016/7/13, 8:34:48>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2906.1544.0:<2016/7/13, 8:35:45>: 0x80070585 (WIN32: 1413 ERROR_INVALID_INDEX)
2906.1397.0:<2016/7/13, 8:35:46>: 0x8007007a (WIN32/HTTP: 122 ERROR_INSUFFICIENT_BUFFER)
2905.5766.0:<2016/7/13, 8:35:46>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2905.2469.0:<2016/7/13, 8:35:46>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2905.1973.0:<2016/7/13, 8:35:46>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2906.1544.0:<2016/7/13, 8:54:48>: 0x80070585 (WIN32: 1413 ERROR_INVALID_INDEX)
2906.1397.0:<2016/7/13, 8:55:8>: 0x8007007a (WIN32/HTTP: 122 ERROR_INSUFFICIENT_BUFFER)
2905.5766.0:<2016/7/13, 8:55:8>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2905.2469.0:<2016/7/13, 8:55:8>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2905.1973.0:<2016/7/13, 8:55:8>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2906.1544.0:<2016/7/13, 8:55:22>: 0x80070585 (WIN32: 1413 ERROR_INVALID_INDEX)
2906.1397.0:<2016/7/13, 8:55:23>: 0x8007007a (WIN32/HTTP: 122 ERROR_INSUFFICIENT_BUFFER)
2905.5766.0:<2016/7/13, 8:55:23>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2905.2469.0:<2016/7/13, 8:55:23>: 0x80090005 (-2146893819 NTE_BAD_DATA)
2905.1973.0:<2016/7/13, 8:55:23>: 0x80090005 (-2146893819 NTE_BAD_DATA)

I haven't found anything about these errors

What is the possible cause of the problem?

Thanks in advance

Fabio

Permission File/folder Problems


Hello,

I have a user on my Windows Server that has Full Control permissions but isn't able to change permissions from another user.

Folder has inheritance disabled;

Some tests i did:

Added this user to Enterprise Admins/ Domain Admins and keeps the same error;

Took ownership from that folder to the user but nothing happens;

With another user with full permissions i'm able to change permissions to that folder;

I made a copy of that user with problems and with that user i created ( copy of the one with problems ) it works!!

What can i do to solve this problem?

Thanks in advance :) 

Asking for favour about ransomware cerber..

Hi all, my name is Arianto from Indonesia.
I have the same problem right now: my data was attacked by Cerber ransomware, which caused all data to be named #decrypt my files#. May I ask your favour to help with this so all my important data can be back as before? If you guys don't mind, I will attach my data which has been attacked.
Thank you

ADCS Web Enrollment support of up-level version Templates?


Hello-

We have deployed ADCS running on 2012 R2 and all is working great except that when deploying v3 or v4 templates, they fail to show as an enrollable template within Web Enrollment.  The only workaround seems to be to make it a v2, but it doesn't contain some of the newer cert options.  Is this something that is being worked on as a feature in future versions of Server, or is it not possible?

TIA 
