Channel: Security forum

The permissions on the certificate template do not allow the current user to enroll for this type of certificate.


Hello everyone,

I have set up a new CA, configured templates and their permissions, and created an auto-enrollment GPO.

Some machines (about 1000) successfully auto-enrolled their computer certificate, but some machines (about 1500) don't and repeatedly fail with the error: The permissions on the certificate do not allow the current user to enroll for this type of certificate. Denied by Policy Module. The request ID is xxxx.

There is a universal group assigned to the template with Read, Enroll and Autoenroll. Inside this group is the Domain Computers group, of which every computer in the domain is a member.

I always run into this error when permissions were not set correctly, but that doesn't seem to be the case here.

Any ideas where the problem is?


PKI - RootCA CRL Publishing Interval


Long-time reader, first-time poster. Not sure where the PKI / Certificate Services forum is. Sorry!

I have a new PKI designed to take us from a flat online Enterprise CA to a 2-tier CA with an Offline Root, CNG, and SHA-2.

The offline root will never be online and will be stored externally on secure media. There is one issuing CA that will sign requests for Clients and an OCSP HA web cluster which hosts AIA / CDP.

There is one design consideration still rattling around in my head. If anyone with knowledge is willing to be a sounding board, I would greatly appreciate it.

For my issuing CA, I'm going with a 6 day CRL publishing interval and a 3 day overlap. No delta.

RootCA is SHA-2 / 2048-bit / 20-years

SubCA is SHA-2 / 2048-bit / 10-years

I want to issue some templates that are valid for up to 5 years. Therefore I plan to renew the Sub-CA with a new key every 5 years. This will allow all clients to gracefully get a cert from the new chain over the next 5 years, before the current chain expires.

The Root-CA I'll renew with the same key at 5, 10, and 15 years prior to renewing the Sub-CA. At 15 years I'll generate a new Root Key, then renew the Sub-CA. Wash, rinse, repeat.

The conundrum: Is there a good reason to bring the Root-CA online to publish a new CRL? If I had to revoke that certificate, I'd have to re-issue all 40k+ end entities. To do so would require that I bring the Root up, sign a new CA and re-issue all certs before revoking the only issuing CA cert we have.

If a compromised CA incident requires re-issuance of all end entity certificates, how does a CRL interval on my Root CA make me more or less secure?

I could set it to 61 months and do it at key renewal intervals every 5 years, possibly increasing security by minimizing the number of key rituals that must be invoked. The Root-CA is issuing one and only one certificate: A single internal Sub-CA. If I need to revoke it, I have a lot more on my hands than how will my end entities know. They'll know. And I'll have to tell them.

That's it! I'm really on the fence with why I'd do this every 6 months. Am I talking crazy here?

Thanks!



Splitting multiple certificates stored in one file into separate files - URGENT


We are running a CA, where one of our consumers exported a valid certificate with a private key and also an invalid certificate into one pfx file. The user has now moved to another workstation, and when he tries to import the certificates, none of them goes into the personal store in IE. Also, the one that is supposed to have a private key does not show that it has a corresponding private key. To make matters worse, when the export was performed, the user ticked "Remove private key when export is complete".

I am now looking at options mentioned in forums, where they suggest that the 2 certificates stored in the single file be split using a Perl script at the following link: http://gagravarr.org/code/cert-split.pl

Is this the only way to successfully extract at least the valid certificate with the private key?

Many thanks for your feedback.
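Added example, not from this post or from the script it links to: a stdlib-only Python splitter for a PEM bundle that writes each object to its own file, skips blocks whose contents do not decode, and reports whether any private key is present at all. It assumes the .pfx has first been converted to PEM with openssl (for example `openssl pkcs12 -in file.pfx -out bundle.pem -nodes`); the sample bundle and its DER payloads are constructed stand-ins, not real certificates or keys. The check that matters for the situation described is the last one: if "Remove private key when export is complete" was ticked, the PFX no longer contains a key, no PRIVATE KEY block will appear after conversion, and no splitter can put one back.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# One PEM object: a label, a base64 body, and an END marker with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem_bundle(text):
    """Return [(label, der_bytes)] for every well-formed object in a PEM bundle.
    A block is skipped if its base64 does not decode or the decoded bytes do not
    begin with a DER SEQUENCE (0x30), which every X.509 certificate and
    PKCS#1/PKCS#8 key does."""
    found = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            continue
        if not der or der[0] != 0x30:
            continue
        found.append((m.group("label"), der))
    return found


def has_private_key(blocks):
    """True if any object in the bundle is a private key of some kind."""
    return any("PRIVATE KEY" in label for label, _ in blocks)


def write_blocks(blocks, out_dir, stem="item"):
    """Write each object to its own PEM file and return the file names written."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    names = []
    for i, (label, der) in enumerate(blocks, 1):
        kind = "key" if "PRIVATE KEY" in label else "cert"
        name = f"{stem}-{i}-{kind}.pem"
        b64 = base64.encodebytes(der).decode("ascii")  # wrapped lines, trailing newline
        (out_dir / name).write_text(f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n")
        names.append(name)
    return names


def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode('ascii')}-----END {label}-----\n"


# Constructed sample bundle: the DER payloads are minimal SEQUENCE stand-ins,
# not real certificates or keys; the third block is deliberately corrupt.
SAMPLE_BUNDLE = (
    _pem("CERTIFICATE", b"\x30\x05\x02\x03\x01\x00\x01")
    + _pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00")
    + "-----BEGIN CERTIFICATE-----\nnot*valid*base64\n-----END CERTIFICATE-----\n"
)


def split_sample_to_tempdir():
    """Split SAMPLE_BUNDLE into a temporary directory; returns (names, key_present)."""
    blocks = split_pem_bundle(SAMPLE_BUNDLE)
    with tempfile.TemporaryDirectory() as d:
        names = write_blocks(blocks, d)
        # Round-trip check: every file written parses back to the same object.
        for name, (label, der) in zip(names, blocks):
            assert split_pem_bundle((Path(d) / name).read_text()) == [(label, der)]
    return names, has_private_key(blocks)


if __name__ == "__main__":
    print(split_sample_to_tempdir())
```

Run against a real converted bundle, the file names tell you immediately whether a key came through; if only `-cert.pem` files are produced, the key was stripped at export time and a fresh enrollment is the only route.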

SSL Cipher Suite Policies Windows Server 2016


Hello everyone,

I'm currently preparing our "hardening" concept for Windows Server 2016 and have some questions about SSL Cipher Suite Order:

There are three different Registry Keys where you can set a Cipher Suite Order.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002!Functions]
[HKLM\Software\Policies\Microsoft\Windows\LanmanServer!CipherSuiteOrder]
[HKLM\Software\Policies\Microsoft\Windows\LanmanWorkstation!CipherSuiteOrder]

The first key is where the company I work for set it in the past on Windows Server 2012 R2.
They didn't set it in any of the LanmanServer or LanmanWorkstation keys.

Is it correct that the lanman... keys are only used in connection with SMB, and that the first key affects all SSL/TLS based technologies on the system?

So that would mean if you set it in the first key you don't have to specify it again in the lanman... keys?

Thanks in advance and best regards,
Ville

PKI NextUpdate question


Hello.

Could you please help me understand the NextUpdate and NextCRLPublish calculation?

Ok. I've got a 2-tier PKI.

The CRL on the Enterprise CA was configured as follows:

 CRLPeriod                REG_SZ = Minutes
 CRLPeriodUnits           REG_DWORD = f (15)
 CRLOverlapPeriod         REG_SZ = Minutes
 CRLOverlapUnits          REG_DWORD = 1
 CRLDeltaPeriod           REG_SZ = Minutes
 CRLDeltaPeriodUnits      REG_DWORD = 0
 CRLDeltaOverlapPeriod    REG_SZ = Minutes
 CRLDeltaOverlapUnits     REG_DWORD = 0
 CRLNextPublish           REG_BINARY = 04.09.2016 22:39
 CRLDeltaNextPublish      REG_BINARY = 05.09.2016 10:16

If I understood correctly:

OverlapPeriod should equal 1 min

NextPublish should equal EffectiveDate + CRLPeriodUnits (15 min in my case)

NextUpdate should equal EffectiveDate + CRLPeriodUnits (15 min) + CRLOverlapUnits (1 min in my case)

But

in the picture above we can see that the Effective Date is 22:29:36

Next CRL Publish is 22:54:36, and the time delta is 25 minutes, not the 15 minutes described in CRLPeriodUnits

Next Update equals 23:19, and the time delta is about 50 minutes instead of the 16 minutes the configuration gives.

So, one short question. Where am I wrong?

Thanks a lot in advance!
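Added example, not from this post or from the "RootCA CRL Publishing Interval" post above: a Python checker that reads the CA's CRL registry values in the certutil layout quoted in this post, works out the Next CRL Publish and NextUpdate a CRL should carry, and compares them with the times observed on an issued CRL. It assumes the relationship this post states (Next CRL Publish = ThisUpdate + CRLPeriod, NextUpdate = Next CRL Publish + CRLOverlapPeriod); the settings text is the post's own, the observed times are the post's (23:19 taken as 23:19:36), and the 6-day/3-day figures come from the issuing-CA design in the earlier post.

```python
import re
from datetime import datetime, timedelta

# The post's own certutil-style dump of the CA's CRL registry values.
SAMPLE_SETTINGS = """\
 CRLPeriod                REG_SZ = Minutes
 CRLPeriodUnits           REG_DWORD = f (15)
 CRLOverlapPeriod         REG_SZ = Minutes
 CRLOverlapUnits          REG_DWORD = 1
 CRLDeltaPeriod           REG_SZ = Minutes
 CRLDeltaPeriodUnits      REG_DWORD = 0
 CRLDeltaOverlapPeriod    REG_SZ = Minutes
 CRLDeltaOverlapUnits     REG_DWORD = 0
 CRLNextPublish           REG_BINARY = 04.09.2016 22:39
"""

SETTING_LINE = re.compile(r"^\s*(\w+)\s+(REG_SZ|REG_DWORD)\s*=\s*(.+?)\s*$")
DWORD = re.compile(r"^([0-9A-Fa-f]+)(?:\s*\((\d+)\))?$")  # "f (15)" or plain "1"
UNITS = {"Minutes": "minutes", "Hours": "hours", "Days": "days", "Weeks": "weeks"}


def parse_crl_settings(text):
    """Turn the dump into {name: value}. REG_DWORD values become ints (the decimal
    in parentheses when certutil prints one, else the hex). REG_BINARY lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_LINE.match(line)
        if not m:
            continue
        name, kind, raw = m.groups()
        if kind == "REG_DWORD":
            d = DWORD.match(raw)
            if not d:
                raise ValueError(f"unparsable DWORD for {name}: {raw!r}")
            settings[name] = int(d.group(2)) if d.group(2) else int(d.group(1), 16)
        else:
            settings[name] = raw
    return settings


def registry_period(settings, period_key, units_key):
    """timedelta for a (XxxPeriod, XxxUnits) pair. Months and Years need calendar
    arithmetic and are rejected here rather than approximated."""
    unit = settings[period_key]
    if unit not in UNITS:
        raise ValueError(f"{period_key}={unit!r} is not handled here")
    return timedelta(**{UNITS[unit]: settings[units_key]})


def crl_window(this_update, period, overlap):
    """Expected (Next CRL Publish, NextUpdate). Assumed model, as stated in the post:
    Next CRL Publish = ThisUpdate + CRLPeriod; NextUpdate = Next CRL Publish + CRLOverlapPeriod."""
    next_publish = this_update + period
    return next_publish, next_publish + overlap


def check_crl(this_update, next_publish, next_update, period, overlap,
              tolerance=timedelta(minutes=1)):
    """{field: (observed delta from ThisUpdate, expected delta)} for each mismatch;
    an empty dict means the CRL is consistent with the configuration."""
    exp_publish, exp_update = crl_window(this_update, period, overlap)
    findings = {}
    if abs(next_publish - exp_publish) > tolerance:
        findings["next_crl_publish"] = (next_publish - this_update, period)
    if abs(next_update - exp_update) > tolerance:
        findings["next_update"] = (next_update - this_update, period + overlap)
    return findings


def crl_status(now, next_publish, next_update):
    """'current' until the scheduled publish time, 'overdue' while the old CRL is
    still accepted (the overlap is the grace window), 'expired' once clients reject it."""
    if now < next_publish:
        return "current"
    if now < next_update:
        return "overdue"
    return "expired"


def check_post_values():
    """The configuration and the observed CRL times from this post."""
    s = parse_crl_settings(SAMPLE_SETTINGS)
    period = registry_period(s, "CRLPeriod", "CRLPeriodUnits")
    overlap = registry_period(s, "CRLOverlapPeriod", "CRLOverlapUnits")
    this_update = datetime(2016, 9, 4, 22, 29, 36)
    return check_crl(this_update,
                     datetime(2016, 9, 4, 22, 54, 36),  # observed Next CRL Publish
                     datetime(2016, 9, 4, 23, 19, 36),  # observed NextUpdate ("23:19")
                     period, overlap)


def issuing_ca_design(period_days=6, overlap_days=3, start=datetime(2016, 9, 5)):
    """Validity in days and the status at a few checkpoints for the 6-day/3-day design."""
    pub, upd = crl_window(start, timedelta(days=period_days), timedelta(days=overlap_days))
    return {
        "valid_days": (upd - start).days,
        "day_5": crl_status(start + timedelta(days=5), pub, upd),
        "day_7": crl_status(start + timedelta(days=7), pub, upd),
        "day_10": crl_status(start + timedelta(days=10), pub, upd),
    }


if __name__ == "__main__":
    print(check_post_values())
    print(issuing_ca_design())
```

Run over this post's numbers, both fields come back as mismatches (25 and 50 minutes observed against 15 and 16 expected), which says the CRL in hand was not produced under the settings shown; confirming that is the first step before reasoning about the arithmetic. For the 6-day/3-day issuing CA, the same functions show a 9-day validity window and a 3-day "overdue" span in which a missed publication still leaves clients with a CRL they accept.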

Invalid Issuance Policy for Extended Validation Certificate Template Windows Server 2012 R2


Hi Team,

I need assistance. I have created an extended validation CA using the link http://richardjgreen.net/extended-validation-ev-internal-certificate-authority/

Unfortunately, when I try to enroll the certificate template I get the error below on the CA:

Active Directory Certificate Services denied request 6 because The certificate has invalid policy. 0x800b0113 (-2146762477 CERT_E_INVALID_POLICY).  The request was for CN=pkitest.nlab.sec, OU=ICT, O=SEC, C=US.  Additional information: Error Constructing or Publishing Certificate  Invalid Issuance Policies:  1.3.6.1.4.1.311.21.8.14018552.7350061.16666553.16755177.581348.68.15095729.8851883

Regards

root CA and subordinate CA have the same OCSP?


I'm trying to set up a two-tier PKI.

I have 1 root Certificate Authority that is offline, and another subordinate CA issuing certificates. I know the root CA would need to have a revocation list (since it might revoke the subordinate CA certificate), and the subordinate one needs to have its own as well.

My question is, can I have both point to the same OCSP server?

DirectAccess Probe list error


Hello all

We have an error in the DirectAccess client log DcaDefaultLog saying:

"Red: Corporate connectivity is not working correctly.
The DirectAccess connectivity assistant is not configured properly."

We have already tried many tests (i.e. IPv6, networking, certificate, domain, port checks).

What sort of configuration should be made to enable the Probe List?

Thanks,
De Lucca


Cross Forest Certificates & External Companies PKI


Hi All,

I have a couple of questions that will hopefully help me understand "if I can" or "if I can't" with PKI.

Description of Environment: A company with many physical sites, multiple forests and multiple domains connected together with Forest Trusts and External Trusts. We also have physical sites that are non-connected forests and domains.

These forests and domains either have no PKI, a partially implemented PKI, or a fully implemented PKI solution using Windows.

What I would like if possible: Create a PKI solution from the "Primary Forest/Domain" to serve all other Forests and Domains.

Questions:

1. I know I can create Cross Forest PKI but do the Forests & Domains have to be connected via a Trust of some sorts? For example, how would I handle the non-connected forests and domains? Are we talking Federation?

2. If I had a domain with PKI implemented, what would be the high-level steps when transferring to the NEW Cross Forest solution without taking out the existing site?

3. If we needed to run an audit on PKI, what would be the best way to identify certificate servers without previously having knowledge about the site (assuming I now have access)?

Thanks

Simon


Root CA - location error OCSP - working on SUBCA


Hello,

I have an issue with the root CA and OCSP; it's working fine with the sub CA.

Steps tested:

Revoked the cert and then ran the command

certutil -cainfo xchg

Refreshed and got the same error.

Tested the cert with certutil -url .\cert.cer

Working fine.

Any ideas? Thank you.


How to offer Computer Cert via Web Enrollment on w2k8r2?


Hello,

--I hope I choose the right forum--

I'm trying to offer a computer certificate via Web Enrollment, but it is not visible. Via MMC it is possible to get this computer certificate for every Windows computer. But I want to offer this certificate to Linux clients -> they have no MMC...

With a Webserver certificate, web enrollment works fine.

What do I have to do to see a computer template in the web enrollment?

Thanks for any hint.


Regards, Jens Klein

In Internet Explorer 11, TLS 1.2 throws SChannel event error 36888


On our 2012 R2 servers, we see a lot of Schannel 36888 errors.

A fatal error was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 10.

Most of these servers have the RDS server role installed, but we can reproduce the errors on other Server 2012 R2 member servers as well.

We found out it's caused when a user visits certain websites.

We see the event log being flooded by this event, causing the website to be blocked. It becomes unavailable for some minutes.

When we turn off TLS 1.2 under the "Advanced settings" in Internet Explorer 11, the problem disappears.

The result of this action is that other websites, which need TLS 1.2, become unavailable.

Our root certificates are up to date.

I would really like to solve this problem at its root, but at this point a workaround would already make me happy.

Could someone have gotten into my computer manually?


Hi guys, I have a few questions. I left my computer in sleep mode (I have a password-protected account), and I live with crazy roommates. I left it like that on 1.9. during the night.

On 2.9 during the whole day I was away and left my computer in my room.

I began suspecting that they had invaded my laptop during that day due to one thing. So I checked the Event Viewer, Security log. I talked with a friend of mine; he told me to look for event ID 4648, which shows whether someone has logged into your computer using password credentials. I found out that nobody did during that time. I am still not calm though.

I checked other security logs from that day. Since the moment I put my computer in sleep mode, there have been processes running in the background: at night at 2:30 I had a mix of 4624+4672, and since then there were always four system integrity event IDs 5062 alternating with 1x logon 4624 and 1x special logon 4672, every couple of hours until the moment I came home in the evening and logged in.

So, the question is:

1. If I have a password-protected computer, does that mean that it will require the password each and every time, no exceptions, when someone opens the computer and wakes it from sleep mode?

2. Is it possible for the 4624 and 4672 event IDs in the Security log, at the moment they happen and perhaps a few seconds/minutes later, since they mean Logon and Special Logon, to "break" the login screen, so that if someone opened my laptop at that moment they would actually be logged in, without needing to put in the password?

3. At one suspicious time I also had Application log event ID 1005 - Customer Experience Improvement Program. What does it mean, and does this event happen only when the computer is really logged in, or is it some background process that happened during sleep mode?

Thanks a lot. Have a nice day.

IETF X.509 SSL Certificate Signature Collision Vulnerability


Need to fix the mentioned vulnerability in Windows Server 2008.

IETF X.509 SSL Certificate Signature Collision Vulnerability


Summary:

X.509 SSL Certificates using the SHA-1 or MD5 (or weaker MD2/MD4) algorithms may be affected by a vulnerability that can weaken security.

Details:
A vulnerability exists in X.509 certificates which, when signed via MD5, may allow for phishing attacks. Similar vulnerabilities now affect SHA-1 certificates as well.

MD5 certificates have long been deprecated. SHA-1 will be deprecated by most vendors by the end of 2015.

The flaw is specific to weaknesses in the SHA-1 or MD5 algorithm used to sign X.509 certificates. It is possible for a potential attacker to generate multiple pairs of certificates which share like SHA-1/MD5 signatures. Typical exploitation would allow the attacker to impersonate a legitimate website.

Internet Engineering Task Force (IETF) is the standards body for X.509 SSL certification.



Setting up BitLocker Network Unlock

I'm setting up BitLocker Network Unlock, and on the WDS server, when a client sends a request, I get two errors.

[WDSServer/WDSPXE/NKPPROV]NKP request processing failed while extracting key material. Remote address: ipaddress:68, Packet length: 573.

[WDSServer/WDSPXE/NKPPROV]Could not decrypt data with private key. HRESULT = 0x80090010.

Any ideas? I verified on the client that the certificate is installed and the thumbprint matches what is installed on the WDS server.

Certificate Renewal


1- We use MS certificate mapping to log in to multiple AD user accounts with the same smartcard. The Caroline Philie smartcard is allowed to log in to the Caroline Philie AD user account and the ARole AD user account.


2- When I select the following options in the smartcard logon certificate template:

    - In the subject name tab: Build from Active Directory information, Fully distinguished name, E-mail name

    - In the Issuance Requirement tab: This number of authorized signatures = 1, Application policy, Certificate Request Agent, Valid existing certificate

    • Caroline Philie smartcard can log in successfully to the Caroline Philie user account and she can renew her logon certificate successfully.
    • Caroline Philie smartcard can log in successfully to the ARole user account but she cannot renew her certificate. This error message is displayed: CERTSRV_E_SIGNATURE_REJECTED One or more signatures did not include the required application or issuance policies. The request is missing one or more required valid signature.

3- To support certificate renewal in the ARole AD user account for the Caroline smartcard, I select the following options in the smartcard logon certificate template:

    - In the subject name tab: Supply in the request, Use subject information from existing certificates for autoenrollment renewal requests

    - In the Issuance Requirement tab: This number of authorized signatures = 1, Application policy, Certificate Request Agent, Valid existing certificate

    • Caroline Philie smartcard can log in successfully to the Caroline Philie user account and she can renew her logon certificate successfully.
    • Caroline Philie smartcard can log in successfully to the ARole user account and she can renew her logon certificate successfully.

4- But with this template the Enrollment Agent has to supply the subject name manually when issuing certificates. He cannot select an AD user.

5- Does a configuration exist to build the subject name from Active Directory when issuing certificates and use the subject information from existing certificates for autoenrollment and renewal requests?

Cross-Sign New PKI Issuing CA by Current Root CA


I have been looking all over for an answer but just can't find a way to verify that a client can build a chain with our pre-existing Root CA, which cross-signed the issuing CA's cert. I have done what I believe is correct in cross-signing but can't absolutely verify it's correct before I begin deploying these new certificates in the new Root CA hierarchy, which I have decided to build in parallel to replace the existing one.

Here is what I have (with respect to the question):

Root CA OLD
Issuing CA1 OLD

Root CA1 NEW
Issuing CA1 NEW (Cross-Signed by Root CA OLD)

I need to verify that Issuing CA1 NEW and its issued certs can truly have a chain built if/when Root CA1 NEW and/or Issuing CA1 NEW is not available to certain devices/clients but Root CA OLD is.

2012r2 VM PDC can't log on from workstations in my LAN but can log on from a VM workstation on the same VM host


My setup is:

A D-Link router which is doing the DHCP for the LAN

A wired workstation running win 10 pro

A Wireless laptop running win 10 pro

A server running win 2012r2 server as a hyper-V host

A VM PDC that is also doing DNS duty for the LAN

A VM Workstation running win 10 pro

A VM running a clean install of server 2012r2

The VM workstation and the clean-install 2012r2 VM can both connect to the domain with no problems and can log on as domain users or domain administrator.

My laptop and desktop can't connect to the domain. I can add the computer to the domain, but then on reboot, when I enter the user's credentials, it always says the password is incorrect. These machines are using only the PDC VM for their DNS. All firewalls are turned off on all the machines. Everything on the PDC is set up as the default AD DS install with DNS set up correctly. I can't for the life of me figure out why only the VMs will connect to the PDC and the machines on the LAN always say the password is incorrect. Any ideas of what I can try?

Thanks



Windows: failed logon attempts


Hi All

I'm wondering why Windows generates so many failed logon attempts when a user types an incorrect password just one time.

For example, a user wants access to a file and print server via the NTLM protocol.

The user mistyped their password one time, and I can see in the logs that the Windows server generates a lot of failed logon attempts -> 4625: An account failed to log on.

The same situation takes place when a user has changed their password but the internet browser still has the old password stored somewhere.

One attempt to the proxy server also generates hundreds of failed logon attempts within one second.

I would be very grateful if someone could explain it all to me.
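Added example, not from this post or from the "Could someone have gotten into my computer manually?" post above: a Python pass over a constructed Security-log extract that applies the two checks those two questions call for. For the sleep-mode question it keeps only 4624 events whose Logon Type is one a person produces (2 Interactive, 7 Unlock, 10 RemoteInteractive, 11 CachedInteractive) and whose account is not SYSTEM or a machine account, so the logon/special-logon pairs the system generates on its own (service logons, type 5) drop out of the picture. For this post's question it groups 4625 events by account and source and splits them into bursts separated by more than a second, so a single mistyped password that a client retries shows up as one burst with a count rather than as a flood of separate lines. The pipe-delimited line format and every event in it are constructed for the example; a real export (wevtutil, Get-WinEvent) needs its own parsing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "time|event id|account|logon type|source". Not a real export.
SAMPLE_LOG = """\
2016-09-02 02:30:01|4624|SYSTEM|5|-
2016-09-02 02:30:01|4672|SYSTEM|-|-
2016-09-02 02:30:02|5062|-|-|-
2016-09-02 05:31:07|4624|SYSTEM|5|-
2016-09-02 05:31:07|4672|SYSTEM|-|-
2016-09-02 18:05:10|4624|alice|7|-
2016-09-02 18:05:10|4672|alice|-|-
2016-09-02 09:00:00.120|4625|bob|3|10.0.0.5
2016-09-02 09:00:00.131|4625|bob|3|10.0.0.5
2016-09-02 09:00:00.140|4625|bob|3|10.0.0.5
2016-09-02 09:00:00.152|4625|bob|3|10.0.0.5
2016-09-02 09:00:00.160|4625|bob|3|10.0.0.5
2016-09-02 09:00:00.171|4625|bob|3|10.0.0.5
2016-09-02 11:42:03|4625|carol|2|-
"""

# Windows logon types that mean a person signed in at the console (or over RDP),
# as opposed to service, batch or network logons performed by the system itself.
HUMAN_LOGON_TYPES = {2: "Interactive", 7: "Unlock", 10: "RemoteInteractive", 11: "CachedInteractive"}
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"}


def parse_events(text):
    """Parse the constructed line format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ltype, source = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "id": int(eid),
            "account": account,
            "logon_type": int(ltype) if ltype.isdigit() else None,
            "source": source,
        })
    return sorted(events, key=lambda e: e["time"])


def human_logons(events):
    """4624 events that indicate a person signed in or unlocked the session."""
    return [
        e for e in events
        if e["id"] == 4624
        and e["logon_type"] in HUMAN_LOGON_TYPES
        and e["account"] not in SYSTEM_ACCOUNTS
        and not e["account"].endswith("$")
    ]


def _burst(account, source, evs):
    return {"account": account, "source": source, "count": len(evs),
            "first": evs[0]["time"], "last": evs[-1]["time"]}


def failed_logon_bursts(events, window=timedelta(seconds=1)):
    """Group 4625 events per (account, source) into bursts whose consecutive events
    are no more than `window` apart. Returns dicts sorted by the burst's first event."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_key[(e["account"], e["source"])].append(e)
    bursts = []
    for (account, source), evs in by_key.items():
        current = [evs[0]]
        for e in evs[1:]:
            if e["time"] - current[-1]["time"] <= window:
                current.append(e)
            else:
                bursts.append(_burst(account, source, current))
                current = [e]
        bursts.append(_burst(account, source, current))
    return sorted(bursts, key=lambda b: b["first"])


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in human_logons(evs):
        print(f"{e['time']} {e['account']} {HUMAN_LOGON_TYPES[e['logon_type']]}")
    for b in failed_logon_bursts(evs):
        span = (b["last"] - b["first"]).total_seconds()
        print(f"{b['first']} {b['account']} from {b['source']}: {b['count']} x 4625 in {span:.3f}s")
```

On the sample, the only human logon is the 18:05 unlock by alice; the SYSTEM pairs at 02:30 and 05:31 are filtered out by logon type. The six 4625 events for bob collapse into one burst of six within 51 ms, while carol's single console failure stays a burst of one, which is the distinction a reviewer of this post's logs wants to make before counting "attempts".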


DNS Server Spoofed Request Amplification DDoS


One of my Windows Server 2008 R2 Standard Service Pack 1 servers is running Active Directory, and when I scan the server I get the vulnerability mentioned below.

DNS Server Spoofed Request Amplification DDoS

Synopsis

The remote DNS server could be used in a distributed denial of service attack.

Description

The remote DNS server answers to any request. It is possible to query the name servers (NS) of the root zone ('.') and get an answer that is bigger than the original request. By spoofing the source IP address, a remote attacker can leverage this 'amplification' to launch a denial of service attack against a third-party host using the remote DNS server.
