Channel: Security forum

Problem Generating Certificate for CSR


Hi,

I am trying to get a certificate generated for my Linux box. I don't own the CA, so I need to send the CSR I generate to the CA owner to create the certificate for me.

The CA is a Windows Server 2012 R2 Certificate Authority.

When they try to generate a Cert for my CSR they are getting the following error:

"Certificate Request Processor: Error Parsing Request. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146763495)"

I have uploaded the CSR to various online CSR validators and they report it to be fine.

Anybody have any idea what the issue is and where do I go from here?

Thanks


Generate certificate for mobile device


Hello,

We are trying to test out an 802.1x solution that will also apply to our Wifi. For some devices we would like to limit them using client certs. We are trying to generate a client cert for testing from our internal CA. We currently do not have a MDM or anything of that sort that can request the cert for us.

Is there any way to do this manually using some method with Certificate Services? Using a web request or otherwise? We tried, but the iOS device did not like the cert we tried to give it.

Thank you

Smart card logon - RDP NLA - User does not exist


I have issued a smart card certificate for my user and try to connect via RDP.

I get an error when I try to logon:

"The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support. "

But if I disable NLA on that server I can log in??

Found that information in this post:
https://social.technet.microsoft.com/Forums/en-US/bb739b02-44df-45da-8ae5-fdf9e4edf210/cant-use-smartcard-logon-through-rdgateway-server?forum=winserverTS

Anyone know why NLA does not seem to work?

Other info:
All Server 2012 (not R2). The certificate can be verified from the client and the server. And since logon works without NLA, I can't think that it is related to the certificate?

Upgrading from SHA1 to SHA2

We are running Windows 2008 R2 servers for our PKI CA with algorithm SHA1. What is the procedure for upgrading these servers to hand out SHA2?

Kerberos ktpass problem


Hi all,

I have a problem with generating a keytab file for a McAfee EWS appliance. I used this command on a DC Win2008 R2 server, but it always fails with the error "Password set failed! 0x00000032":

C:\Windows\System32>ktpass -princ HTTP/mcafeeews.my.domain.com@MY.DOMAIN.COM -mapUser ews@my.domain.com -pass * -ptype KRB5_NT_PRINCIPAL -out ews.keytab
Targeting domain controller: DC01.my.domain.com
Successfully mapped HTTP/mcafeeews.my.domain.com to ews.
Type the password for HTTP/mcafeeews.my.domain.com:
Type the password again to confirm:
Password set failed! 0x00000032
Aborted.

Do you have any ideas please?

Thanks

How to publish third party root CA with ADCS in the Windows AD domain


Hello,

I need to import a third party root CA certificate from our partner because we need to access applications, which are hosted on our partner's servers, with certificates.

There is a private network link between my company and our partner. We have our own ADCS PKI infrastructure which is integrated with our Windows AD domain - that is our root CA has been published to our Windows AD domain.

I want our users in the AD domain to be able to access our partner's applications without a certificate security warning.

I think that our partner's root CA will be imported into our ADCS PKI infrastructure such that our partner's root CA will be available on our domain PCs - the root CA should be available in either Trusted Root Certification Authorities or Third-party Root Certification Authorities in the Certificates plug-in console.

I have used the following command to publish our own root CA to our Windows AD domain:

certutil -f -dspublish "My Company Root Certificate.crt" CA

But this command adds entries to a lot of AD domain containers.

For the third party root CA, I just want it available on all domain PCs in either Trusted Root Certification Authorities or Third-party Root Certification Authorities in the Certificates plug-in console. For example, Thawte Server CA is available in both Trusted Root Certification Authorities and Third-party Root Certification Authorities in the Certificates plug-in console.

How can this be done?

Thanks in advance.

SJJ123
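A way to do this from the directory side, as an added example that is not part of SJJ123's post or of any Microsoft documentation: the `RootCA` keyword of `certutil -dspublish` writes only the Certification Authorities container under Public Key Services, which is the container domain members copy into their Trusted Root Certification Authorities store. The file path is a placeholder and the commands assume an Enterprise Admin session, because the container lives in the forest's Configuration naming context.

```powershell
# Added example (not from the original post). Assumes the partner's root
# certificate is saved as C:\PKI\partner-root.cer (placeholder path).
$certFile = 'C:\PKI\partner-root.cer'

# RootCA targets only CN=Certification Authorities,CN=Public Key Services;
# the autoenrollment engine copies its contents into every domain member's
# Trusted Root Certification Authorities store at the next policy refresh.
# The plain "CA" keyword used in the post also writes the AIA container,
# which is why it touched more objects than expected.
certutil -f -dspublish $certFile RootCA

# Verify on the directory side: the new object's name is derived from the
# certificate subject, so list the container and compare.
$configNC      = (Get-ADRootDSE).configurationNamingContext
$rootContainer = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"
Get-ADObject -SearchBase $rootContainer -SearchScope OneLevel `
             -Filter { objectClass -eq 'certificationAuthority' } |
    Select-Object Name

$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
"Published subject: $($x509.Subject)  thumbprint: $($x509.Thumbprint)"

# Verify on a domain member after gpupdate /force: the thumbprint should
# now appear in the machine's Trusted Root store.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $x509.Thumbprint } |
    Select-Object Subject, NotAfter, Thumbprint
```

Checking the thumbprint rather than the subject name on the client is deliberate: two roots can carry the same subject, and the thumbprint is what tells you the partner's actual certificate arrived rather than a look-alike.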

External OCSP Checking for Mobile Devices


Hi

I'm currently designing a Windows AD CS PKI solution for my company and I'm a little confused about whether I need to make the OCSP responder externally available.

We use AirWatch SaaS MDM to manage company-owned iPhones, and this is going to be leveraged with its on-prem cloud connector to issue certificates to the mobile devices for connecting to the corporate WiFi.

The goal is to be able to use device authentication to our Cisco Wireless APs to prevent BYOD from connecting.

What I'm not certain about is whether, during the authentication process of the phones to the AP, the devices will try to perform an OCSP check on the certificates issued to the NPS/RADIUS server, and if so, whether there is some kind of pre-auth that will allow the phones to connect to an internal OCSP responder; if not, do the phones revert to the mobile network and try to verify over the internet? Or does it just fail completely? Is it possible to disable the OCSP check?

Essentially I want to know whether I need to make OCSP externally accessible, because all other clients that will have certificates will be connected to the domain and on the corporate network, either directly or via VPN, so aside from this scenario with the phones, I don't believe I need an external OCSP.

Certificate Services, install on domain controller?


We have three domain controllers, all running Win Server 2008 R2. We have about 30 member servers running all types of services, including Exchange 2007, SQL 2005, etc. I want to install Microsoft Active Directory Certificate Services (AD CS) so I can generate self-signed certificates. I have a number of services on campus that need self-signed certificates so I can get rid of the annoying messages about services not being trusted.

What is best practice for where certificate services should be installed? On my primary domain controller? On one of the other domain controllers? On a separate member server dedicated to this service? I have found the following articles on installing this service, but they do not mention where it should be installed.

http://araihan.wordpress.com/2009/10/05/windows-server-2008-active-directory-certificate-services-ad-cs/

http://aaronwalrath.wordpress.com/2010/04/16/install-an-enterprise-certificate-authority-in-windows-2008-r2/

http://d3planet.com/rtfb/2009/11/10/install-certificate-services-on-windows-server-2008-r2/


Security Update for Windows Server 2012 R2 (KB3042553)


Hello,

Security Update for Windows Server 2012 R2 (KB3042553) has been advised to be a critical update to deal with a vulnerability in HTTP.sys which could allow remote code execution.

However, for some reason I am unable to apply the patch to any of the Windows 2012 R2 servers. It errors with "The update is not applicable to your computer" when I try to install it manually / locally.

I tried to push it via WSUS and the patch is not getting detected by the servers.

Regional language settings are set to match the Windows display language (which is English).

Is anyone else experiencing this issue too? If so, is there a way to get this deployed please?

Thank you.


Kumar G

Enrolling for computer certificates On Behalf of...

Greetings to the Wizards,

I hope someone can help me with my problem or point me in the right direction:

we have a security system (authenticator) enforcing 802.1X restriction on wireless access. The authenticator uses our domain controllers / Active Directory as authentication servers. For credentials a digital certificate is used and the authenticator compares the certificate shown by the supplicant (e.g. a notebook) with the certificate stored in AD for the entity in a field (SAN, ...whatever... - configurable) of the supplicant's certificate.

While duplicating and using the Workstation Authentication template and setting it up for auto enrollment succeeded for Windows based domain members, I stumbled over finding the right process for Linux based computers.

These Linux computers need to have a computer account in AD if we want to handle them the same way (same policies on the authenticator) as the Windows machines. OK, this could be achieved by using PowerShell's New-ADComputer.

But now those Linux clients need a certificate and need this stored in their own computer account object. Two requirements for this:

a) the Linux computer can't create the certificate request (and hence the private key) itself - just take it as it is, because it's a special thing for our deployed Linux System; of course one can import private key and certificate on the Linux computer for use in 802.1X authentication

b) the process should be streamlined to prevent as much work as possible on the CA admins / agents shoulders ;-))

First I thought of this as a perfect scenario for an Enrollment Agent, because we already have Enrollment agents in place for assigning code signature software certificates to IT staff, for we have an AD (Linux computer) account, the requestors data (Linux computer name) could be taken from AD and storing the certificate with the AD object is just a template setting. But then the headaches began:

I can't access a duplicated Workstation Authentication template from a user account with an Enrollment Agent (User) certificate. But I can't enroll for an Enrollment Agent (Computer) certificate as a user either. I could do it as a computer (e.g. the CA server itself), but I won't get "Enroll on behalf of..." if I open mmc with certificate snap-in for Local Computer on the CA.

Yes, it could be done with a CSR, where the Enrollment agent has to manually fill in the computer name, etc. But it seems so right to think of it as an Enrollment agent process - alas, how to set it up?

Kind regards
Carsten

RDP (NtLmSsp) logon timeout - LoginGraceTime


Hello.

Is it possible to set the value of the logon timeout for NtLmSsp, like LoginGraceTime in ssh?

The issue is simple: some host opens a connection to the server and waits. I want NtLmSsp to close the connection after a specific timeout.

Add-KDSRootKey fails with "Request not supported" error


I'm trying to create a group Managed Service Account (gMSA) on a newly installed Win2012 DC (first computer on the domain). Creating the gMSA requires you to first create a KDS Root Key. I launch the Active Directory Module for Windows PowerShell using Run as Administrator and issue the following:

Add-KDSRootKey -EffectiveTime ((get-date).addhours(-11))

I get an error "The request is not supported". If I change it to -EffectiveImmediately, I get the same error.

Add-KDSRootKey : The request is not supported. (Exception from HRESULT: 0x80070032)... Exception from HRESULT: Microsoft.KeyDistributionService.Cmdlets.AddKDSRootKeyCommand

The KDS cmdlets are installed (I can query/use with get-help KDS) and I can use them to list keys (empty) and view configuration - I just can't seem to add a KDS root key. When I look in my AD Sites and Services at the Services\Root Key, it's empty. I've struggled with this for two days now - any suggestions?

Event ID 36887, how to resolve


please help me....


Regards, Pradhap P

Deleting Built-in Administrator account

Now, I've done some heavy modifications on a little blackbox-ish laptop, and I would like to make it as secure as possible. Since I allow a command prompt to open on the login screen, whoami reports it running as the NT SYSTEM user; I understand that much. What I want to know is, if I delete the built-in Administrator account, will that cause underlying processes to fail, or will it cause other problems? What's your take on this?

Windows 10 Pro firewall rules changing every week with windows update


My Windows 10 Pro firewall rules are changing pretty much every week when there is a Windows update. Once Windows updates my PC, I have to manually set all the firewall rules back to how they were to begin with, which wastes my time, roughly 1 hour every week.

Why is this, what is the root cause, and how do I fix it?


certutil -key does not reveal the CA key when decommissioning a Windows 2012 R2 CA


I cannot seem to be able to fully decommission a Windows 2012 R2 CA by deleting the keys using certutil -delkey "name_of_ca".

Using certutil -key does not reveal the AD CS key in which to delete when I am decommissioning my server. Am I missing something? I have tried to reveal the keys on a fully functioning 2012 R2 CA as well as a server in which the CA Role was removed. I do see some keys but nothing that is related to the CA itself.

How can I show the keys for the CA role in order to securely delete them?

Brian

critical errors and warning in eventvwr


Just had a call from someone asking me to go into eventvwr, then told me I had hundreds of error messages and warnings coming up. She wanted me to renew my warranty, so I politely rang off.

How do I get rid of these warnings and errors by myself?

Case scenario 6-3: Assigning Permission

You are working the help desk for a corporate network and you receive a call from a user named Leo, who is requesting access to the files for a new classified project called Trinity. The Trinity files are stored in a shared folder on a file server, which is locked in a secured underground data storage facility in New Mexico. After verifying that the user has the appropriate security clearance for the project, you create a new group on the file server called TRINITY_USERS and add Leo's user account to that group. Then, you add the TRINITY_USERS group to the access control list for the Trinity folder on the file server, and assign the group the following NTFS permissions…

How to get both Server and Client Authentication in Enhanced Key Usage from a Windows CA


Hi, 

I'm trying to generate a certificate from a Windows Server 2012 CA. After providing the CSR to the CA, the CA is providing a certificate which has only Server Authentication in "Enhanced Key Usage", because of which my TLS handshake is failing.

I'm able to get both Server and Client Authentication if I get the certificate from a global certificate provider like GoDaddy.com.

I need to have both Server Authentication and Client Authentication in my certificate.

How can I get it from a Windows Server CA?

Thanks and Regards, 

Ankit
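One way to ask for both usages and then check what the CA really issued, as an added example that is not part of Ankit's post or of any Microsoft documentation. The host name, file paths, CA config string and template name are placeholders; the two OIDs are the standard extended key usage identifiers for Server Authentication and Client Authentication. Note that on an enterprise CA the certificate template's Application Policies normally decide the issued EKUs, so if the template only carries Server Authentication the request-side section is overridden and the template itself needs Client Authentication added (a duplicate of Web Server is the usual approach).

```powershell
# Added example (not from the original post). Builds a certreq request file
# that asks for both EKUs, submits it, and inspects the issued certificate.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=app01.corp.example"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

[RequestAttributes]
; placeholder: a copy of the Web Server template with Client Authentication added
CertificateTemplate = WebServerClientAuth
'@

Set-Content -Path 'C:\PKI\app01.inf' -Value $inf
certreq -new 'C:\PKI\app01.inf' 'C:\PKI\app01.req'

# Submit to the issuing CA and install the result into the machine store
# (CA config string is a placeholder of the form "host\CA common name").
certreq -submit -config 'CA01.corp.example\Corp Issuing CA' 'C:\PKI\app01.req' 'C:\PKI\app01.cer'
certreq -accept 'C:\PKI\app01.cer'

# What did the CA actually put in the certificate? 2.5.29.37 is the
# Extended Key Usage extension; if only Server Authentication is listed,
# the template overrode the request and needs Client Authentication added.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\PKI\app01.cer'
($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages |
    Select-Object FriendlyName, Value
```

The final inspection is the part worth keeping around: it reads the issued certificate rather than the request, which is the only reliable way to see which EKUs a template-driven CA granted.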


Multiple failed guest logins from exchange server on multiple servers


I have a mystery that I am unable to solve.

The exchange server at a customer is making multiple failed attempts to connect to other servers on the network using the guest account.

I only have the security logs; no application or system logs give any clue. I have no other accounts that seem to be attempted for login.

It is very annoying! I have 1140 login failures on each target a day due to this.

I also have the exact same error on the Exchange server with itself as source (but only 1140 a day, the same as the other servers).

Any good idea as how to troubleshoot this would be much appreciated!

Pasted below are the 2 entries I have in the security log (anonymized)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          03-10-2016 21:57:32
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      "Target"
Description:
An account failed to log on.

Subject:
 Security ID:  NULL SID
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Logon Type:   3

Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name:  guest
 Account Domain:  

Failure Information:
 Failure Reason:  Account currently disabled.
 Status:   0xc000006e
 Sub Status:  0xc0000072

Process Information:
 Caller Process ID: 0x0
 Caller Process Name: -

Network Information:
 Workstation Name: \\"Exchange"
 Source Network Address: "ExchangeIP"
 Source Port:  27129

Detailed Authentication Information:
 Logon Process:  NtLmSsp
 Authentication Package: NTLM
 Transited Services: -
 Package Name (NTLM only): -
 Key Length:  0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
 - Transited services indicate which intermediate services have participated in this logon request.
 - Package name indicates which sub-protocol was used among the NTLM protocols.
 - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-10-03T19:57:32.051164700Z" />
    <EventRecordID>239098</EventRecordID>
    <Correlation />
    <Execution ProcessID="592" ThreadID="3876" />
    <Channel>Security</Channel>
    <Computer>"Target"</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">guest</Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="Status">0xc000006e</Data>
    <Data Name="FailureReason">%%2310</Data>
    <Data Name="SubStatus">0xc0000072</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">\\"Exchange"</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">"ExchangeIP"</Data>
    <Data Name="IpPort">27129</Data>
  </EventData>
</Event>

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          03-10-2016 21:57:32
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      "Target"
Description:
The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: guest
Source Workstation: \\"Exchange"
Error Code: 0xc0000072
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-10-03T19:57:32.051164700Z" />
    <EventRecordID>239097</EventRecordID>
    <Correlation />
    <Execution ProcessID="592" ThreadID="3876" />
    <Channel>Security</Channel>
    <Computer>"Target"</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">guest</Data>
    <Data Name="Workstation">\\"Exchange"</Data>
    <Data Name="Status">0xc0000072</Data>
  </EventData>
</Event>


Best Regards Brian
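A triage helper for exactly this kind of log, as an added example that is not part of Brian's post or of any Microsoft tooling. It parses Security events in the Event XML form shown above, decodes the NTSTATUS code (4625 carries the reason in SubStatus, 4776 in Status) and tallies 4625 failures per source address, user and reason, so one source producing the post's 1140 failures a day stands out immediately. The two sample events are constructed; host names and the IP are placeholders.

```powershell
# Added example (not from the original post). Runs offline on the embedded
# sample events; see the note below for feeding it from a live Security log.
$SubStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
    '0xc0000193' = 'account expired'
    '0xc0000071' = 'password expired'
}

function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $e = [xml]$Xml
        $data = @{}
        foreach ($d in $e.Event.EventData.Data) {
            # GetAttribute avoids the clash with XmlElement's own .Name property
            $data[$d.GetAttribute('Name')] = $d.InnerText.Trim()
        }
        $id   = [int]$e.Event.System.EventID
        $code = if ($id -eq 4625) { $data['SubStatus'] } else { $data['Status'] }
        $code = ([string]$code).ToLower()
        $reason = if ($SubStatusText.ContainsKey($code)) { $SubStatusText[$code] } else { "unknown ($code)" }
        # 4776 has no IP field, only the workstation name that sent the NTLM request
        $source = if ($id -eq 4625) { $data['IpAddress'] } else { $data['Workstation'] }
        [pscustomobject]@{
            EventId  = $id
            Time     = [datetime]$e.Event.System.TimeCreated.SystemTime
            Computer = $e.Event.System.Computer
            User     = $data['TargetUserName']
            Source   = $source
            Reason   = $reason
        }
    }
}

# Constructed sample events (placeholder hosts FS01 / EXCH01, placeholder IP).
$ev4625 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><EventRecordID>239098</EventRecordID>
    <TimeCreated SystemTime="2016-10-03T19:57:32.051164700Z" /><Computer>FS01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">guest</Data><Data Name="TargetDomainName">
    </Data>
    <Data Name="Status">0xc000006e</Data><Data Name="SubStatus">0xc0000072</Data>
    <Data Name="LogonType">3</Data><Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="WorkstationName">\\EXCH01</Data><Data Name="IpAddress">10.0.0.5</Data>
  </EventData>
</Event>
'@
$ev4776 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4776</EventID><EventRecordID>239097</EventRecordID>
    <TimeCreated SystemTime="2016-10-03T19:57:32.051164700Z" /><Computer>FS01.corp.example</Computer></System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">guest</Data><Data Name="Workstation">\\EXCH01</Data>
    <Data Name="Status">0xc0000072</Data>
  </EventData>
</Event>
'@

$events = $ev4625, $ev4776 | ConvertFrom-SecurityEventXml
$events | Format-Table EventId, Time, User, Source, Reason -AutoSize

# Per-source tally of 4625 failures: a single address at the top of this
# list with "account disabled" is the pattern described in the post.
$events | Where-Object EventId -eq 4625 |
    Group-Object Source, User, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name
```

On a live host, replace the two sample strings with the real log, for example `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4776; StartTime=(Get-Date).AddDays(-1)} | ForEach-Object { $_.ToXml() } | ConvertFrom-SecurityEventXml`. The 4776 event on the same target is consistent with a local NTLM validation of the guest account; pairing the two records by time (and, in the post, adjacent EventRecordIDs) is what lets you confirm the two entries describe one attempt rather than two.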
