Channel: Security forum
Viewing all 12072 articles
Browse latest View live

Lightweight Directory Services binary data


Hi Everyone,

I am trying to import a certificateRevocationList into an LDS partition in binary format. I have been able to import the CRL, but when I use ldifde to output the LDS partition contents, the ;binary is not in the LDIF.

For example the input ldif reads:

dn: CN=CA,OU=PKI,O=Utopia,C=gb
changetype: modify
replace: certificateRevocationList
certificateRevocationList;binary::
 MIICKTCCARECAQEwDQYJKoZIhvcNAQEFBQAwQjELMAkGA1UEBhMCZ2IxEDAOBgNVBAoTB2VudHJ1c3
 QxDDAKBgNVBAsTA1BLSTEBHY==01UEAxMKRW50cnVzdCBDQRcNMTAwMzE4MjAzNzA5WhcNMTAwMzE5
 MDMzNzA5WqCBmjCBlzBoBgNVHRwBAf8EXjBcoFegVaRTMFExCzAJBgNVBAYTAmdiMRAwDgYDVQQKEw
 dlbnRydXN0MQwwCgYDVQQLEwNQS0kxEzARBgNVBAMTCkVudHJ1c3QgQ0ExDTALBgNVBAMTBENSTDGC
 Af8wCgYDVR0UBAMCAQYwHwYDVR0jBBgwFoAUhl9OBiplNjiRp/by0sEq4aYGP9YwDQYJKoZIhvcNAQ
 EFBQADggEBACTKHGU/5ASSDZ0uT29tsV+QR/LkSsUskNO9tzdfz+f/B3EGAnOdpbsZg5EbpArrEeef
 Qo3GqMWzIwtfRMykvI+ctS4Tkm+r2S6hhYKrerYYte/5ozxhBvJs6Ja8RWeympLyUFN3xrdL09MZ1i
 +UcVawqScFeBK9qJd5s6VxSLNGsyslkFb169ehUAO/QZIiKk0uHfSIauy/GDTpWeYPfax1OZSHL9TF
 RW8b99Lk7RZqC1uzhn95OQ3Nzs8WZl+yR2AUkbVkRv9DRqbXPrRbPp3E4jyZZd4ZtPkk80x5jQZ7oN
 YUl7HO+SUbBO2+zEARrsnwXAw5rJB8gzHekVvKwLI=
-

However, when I export I get the following; note the ;binary missing???

dn: CN=CA,OU=PKI,O=Utopia,C=gb
changetype: add
authorityRevocationList::
 MIICPzCCAScCAQEwDQYJKoZIhvcNAQEFBQAwTTELMAkGA1UEBhMCR0IxEDAOBgNVBAoTB0VudFG1c3
 QxGTAXBgNVBAsTEEVNRUEgRGV2ZWxvcG1lbnQxETAPBgNVBAMTCENvLU9wIENBFw0xMzA0MTUxMjA4
 NTRaFw0xMzA0MTUxOTA4NTRaoIGlMIGiMHMGA1UdHAEB/wRpMGegYqBgpF4wXDELMAkGA1UEBhMCR0
 IxEDAOBgNVBAoTB0VudHJ1c3QxGTAXBgNVBAsTEEVNRUEgRGV2ZWxvcG1lbnQxETAPBgNVBAMTCENv
 LU9wIENBMQ0wCwYDVQQDEwRDUkwxggH/MAoGA1UdFAQDAgEXMB8GA1UdIwQYMBaAFKzUItvDx7WYGW
 SBQ4PlnMgFJgeJMA0GCSqGSIb3DQEBBQUAA4IBAQBTB/LEuofNuQYzP+dDBqh2nuAlM3iXwcmzSW2g
 JMOiSOrbZ7a4LqCqJuXVxiiR7VswE9mWbhqDLkYRM9Ahd3nhWOOhk9FQTO/1OBWaXumVmj3eqeFzwf
 Gj1fyJmVcHAQFeRyc+OV5Dq1wbF06vh7mvn2CbsaljzwDwAtO+Z6kk6SS0JdKlESyPQZ8ve/FKsbLR
 Pw9q1IziFCsAPcA3nmEPTEwutmOXpwLC1hCpsee9LzJi+v+xXU5jOwJDnsCqGEGh123clxxGqW9owU
 o9dYhPtalWjhV15CaHHkigohHnCLKaN6w4oV47E63ef/WjE5Q3rpxf/emJ+MdKUKv9nuB6

Any thoughts or suggestions welcome.

Cheers

Mike
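The import and export records above differ only in whether the attribute description carries the ";binary" transfer option; the "::" that follows is what marks a base64 value in LDIF (RFC 2849), and the bytes that come out of the base64 are the same DER either way. The parser below is an added example, not code from the post or from ldifde: it unfolds LDIF continuation lines, splits records, strips attribute options, decodes base64 values, and checks that a value looks like a DER SEQUENCE (the outer tag of a CRL). The LDIF text is constructed in the shape of the two records in the post, with a tiny DER structure standing in for the real CRL.

```python
import base64
import re

# Constructed sample in the shape of the poster's import and export records.
# "MAMCAQE=" is the base64 of the DER bytes 30 03 02 01 01 (SEQUENCE { INTEGER 1 }),
# a stand-in for the real CRL, not the poster's data.
SAMPLE_LDIF = """\
dn: CN=CA,OU=PKI,O=Utopia,C=gb
changetype: modify
replace: certificateRevocationList
certificateRevocationList;binary::
 MAMCAQE=
-

dn: CN=CA,OU=PKI,O=Utopia,C=gb
changetype: add
authorityRevocationList::
 MAMCAQE=
"""

# attribute-type, optional ";option" list, ":" (plain) or "::" (base64), value
LINE_RE = re.compile(r"^([A-Za-z][\w.-]*)((?:;[\w-]+)*)(::?)\s*(.*)$")


def unfold(ldif_text):
    """Join continuation lines (a leading space continues the previous line,
    per RFC 2849) and split the text into records on blank lines."""
    records, current = [], []
    for raw in ldif_text.splitlines():
        if raw.startswith(" "):
            if current:
                current[-1] += raw[1:]
            continue
        if raw == "":
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith("#"):
            continue
        current.append(raw)
    if current:
        records.append(current)
    return records


def parse_record(lines):
    """Return (dn, [(attribute_type, options, value_bytes)]) for one record.
    A '::' separator means the value is base64 and is decoded to raw bytes."""
    dn, attrs = None, []
    for line in lines:
        if line == "-":  # separator between changes in a 'changetype: modify' record
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("not an LDIF attrval line: %r" % line)
        name, opts, sep, val = m.groups()
        options = [o for o in opts.split(";") if o]
        value = base64.b64decode(val) if sep == "::" else val.encode("utf-8")
        if name.lower() == "dn":
            dn = value.decode("utf-8")
        else:
            attrs.append((name, options, value))
    return dn, attrs


def extract_der_values(ldif_text, attr_name):
    """Collect every value of attr_name across all records, whether or not the
    ';binary' option was written, and record whether the bytes start with the
    DER SEQUENCE tag 0x30 that a CRL (or certificate) must begin with."""
    found = []
    for rec in unfold(ldif_text):
        dn, attrs = parse_record(rec)
        for name, options, value in attrs:
            if name.lower() != attr_name.lower():
                continue
            found.append({
                "dn": dn,
                "binary_option": "binary" in options,
                "looks_der": len(value) > 1 and value[0] == 0x30,
                "value": value,
            })
    return found


if __name__ == "__main__":
    crl = extract_der_values(SAMPLE_LDIF, "certificateRevocationList")[0]
    arl = extract_der_values(SAMPLE_LDIF, "authorityRevocationList")[0]
    print("import record wrote ;binary:", crl["binary_option"])
    print("export record wrote ;binary:", arl["binary_option"])
    print("decoded bytes identical:", crl["value"] == arl["value"])
```

Run against a real ldifde export, the "looks_der" flag is the quick sanity check that the value was stored and dumped as raw DER rather than, say, a PEM or UTF-8 string that happened to survive base64.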


Windows Server 2008 R2 BitLocker System Volume drive letter - can it be changed?

Can I use a different drive letter (other than S:) for the System Volume when using BitLocker? I have an application that already uses S: by default, but when I enable BitLocker it forces me to use S: as the System Volume.

Windows firewall: Allow inbound file and printer sharing doesn't allow ping


I have a 2008 R2 SP1 server that has a GPO applied to it with the following setting:

Computer config/Admin templates/Network/Network Connections/Windows Firewall/Domain Profile/Windows firewall: Allow inbound file and printer sharing exception - Enabled

I can access the shares on this server from a member of the domain, but can't ping the server. Reading the explanation of that setting though, enabling it should allow me to ping the server as well. I have verified the server is using the domain profile.

Any ideas?


Website Connection Software

I have my own web server and I was wondering what software I can install or implement into my website to record the IP addresses and devices that connect to it? I am running Windows Server 2012.

User is issued Multiple User Certificates


I've been responsible for setting up a PKI using Certificate Services to be used for Wireless Authentication.  I've created I guess what you'd call a "stock standard" two-tier hierarchy based on Windows Server 2008 R2.  I have a Standalone Root CA, which has issued a Root Certificate to an Enterprise Subordinate CA (the issuing CA) - this second server is Enterprise Edition.

I've duplicated both the Computer and User templates (using Server 2003 Enterprise Templates) and for the respective certificates I have enabled READ, ENROL and AUTOENROLL permissions for Domain Computers and Domain Users groups.  I've enabled these two templates for issuing and removed all others (not completely, just from issuing).  I've then created a GPO which is ONLY enabling the Autoenrollment of the certificate (one GPO for computer, one for user).  These are only linked to test OUs with one computer and two users.

The computer I am testing on is a Windows XP SP3 computer in the domain (same domain as the CAs).  The computer certificate I created has correctly issued a single certificate to this PC (and re-issued another certificate after testing revocation).  All happy with this.

BUT - the user account I have been using to test seems to be generating multiple certificates for a single user.  I believe some of this has happened because I've used this user to log into machines that the computer certificate GPO is not applied to (so another computer cert, but not another computer cert).  But 2 certificates were issued in the middle of the night when I was not around.  When NO ONE was around.

So, I'm wanting to ask two things:

1. Is it OK for the CA to show multiple user certificates for the same user based on it having actually logged into multiple machines (certificate template says to store in AD)?

2. Is there any way to tell where the request for these user certificates came from? i.e. maybe someone has used the account for some service or something like that.

I hope this is somewhat clear.  Certificate Services installation is not something that you do very often, so I've not really had a lot of experience with it (yet!!).  Hoping someone might have some ideas.

Thanks

Matthew

Certificate authority decommission

Two things. I need to decommission an enterprise root CA. I have the KB for this already, so I don't think I need help there.

However, looking at the issued certificates there are only 4 that still haven't expired: 2 domain controller ones for the DC the CA is installed on (I never installed it!), 1 Subordinate Certification Authority (was for another CA on a child domain which has since been decommissioned), and the final one is an EFS Recovery Agent whose requester name is an admin account on the child domain.  Apart from the type of certificate, can anyone tell me why this has been issued and where from?

Secondly, checking Group Policy for a Data Recovery Agent, the agents on both domains have expired (long ago!), issued to a user on domain controllers that no longer exist. Are these now useless?  Do I need to create new ones?

Thanks in advance

George

Autoenroll fails with: "DNS name does not exist"


"Active Directory Certificate Services denied request 7054 because DNS name does not exist. 0x800725f2 (WIN32: 9714).  The request was for DOMAIN\COMPUTER$.  Additional information: Denied by Policy Module"

I would appreciate some help here. I have already searched the forums but found no exact match. We have been issuing computer certificates for about a year with our 2K8 R2 Enterprise CA successfully. As far as I know, the only thing that matches this behaviour is that we have migrated our Win7 clients from a child domain into the primary domain. The child domain had full trust, and the DNS suffix on the clients is correct after the migration; they even got certificates renewed matching the correct domain when the migration occurred. This problem happened a couple of days ago, when a renew process started.

Template settings:

Further info:

Manual request does not work either.

I can request from templates with Common Name as subject. (Wireless TLS does not work for me this way..)

If I look at the computer object, dNSHostName is correct.

We have added a third DC running Server 2012.

Audit log:

"Certificate Services denied a certificate request.

Request ID:7118
Requester:<Domain\COMPUTER$>
Attributes:
cdc:<dc.domain.com>
rmd:<COMPUTER>
ccm:<COMPUTER>
Disposition: -2147015182
SKI:4f e5 d6 93 8c 1e 70 17 84 38 cb 52 1x e3 d6 2c e5 3x f0 0d
Subject:"

-- Domain Computers have enroll and autoenroll rights.

I haven't seen anything strange in our DNS servers.

I hope this confuses you a bit less. Looking forward to some answers.
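The post quotes the same failure in three forms: 0x800725f2 in the CA's message, "WIN32: 9714" next to it, and -2147015182 in the disposition field of the "Certificate Services denied a certificate request" audit event. These are one HRESULT: the event text prints it as a signed 32-bit decimal, the high bit marks failure, bits 16-26 hold the facility (7 is FACILITY_WIN32), and the low 16 bits are the Win32 error number. The code below is an added example, not from the post or from Windows: it parses an audit event in the shape quoted above (constructed sample, placeholder host names and SKI) and decodes the disposition so the three forms can be checked against each other.

```python
import re

# Constructed sample in the layout of the audit event quoted in the post.
# Host names and the SKI are placeholders; the disposition value is the one
# the poster reported.
SAMPLE_EVENT = """\
Certificate Services denied a certificate request.

Request ID:7118
Requester:<EXAMPLE\\HOST01$>
Attributes:
cdc:<dc.example.invalid>
rmd:<HOST01>
ccm:<HOST01>
Disposition:\t-2147015182
SKI:00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
Subject:
"""

FACILITY_WIN32 = 7
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


def hresult_from_signed(value):
    """Event logs print HRESULTs as signed 32-bit decimals; view the same
    bit pattern as an unsigned 32-bit number (the 0x8007xxxx form)."""
    return value & 0xFFFFFFFF


def decode_hresult(value):
    """Split an HRESULT into (failed, facility, code). When facility is
    FACILITY_WIN32 the code is a plain Win32 error number."""
    hr = hresult_from_signed(value)
    failed = bool(hr >> 31)
    facility = (hr >> 16) & 0x7FF
    code = hr & 0xFFFF
    return failed, facility, code


def parse_denied_event(text):
    """Parse the 'Certificate Services denied a certificate request' event
    text into a dict with the request attributes and the decoded disposition."""
    fields, attributes, in_attributes = {}, {}, False
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # the free-text first line has no key:value form
        key, val = m.group(1), m.group(2).strip()
        if key == "Attributes":
            in_attributes = True
            continue
        if in_attributes and key.islower():
            # request attributes (cdc, rmd, ccm, ...) are lower-case keys
            attributes[key] = val.strip("<>")
            continue
        in_attributes = False
        fields[key] = val
    disposition = int(fields["Disposition"])
    failed, facility, code = decode_hresult(disposition)
    return {
        "request_id": int(fields["Request ID"]),
        "requester": fields["Requester"].strip("<>"),
        "attributes": attributes,
        "hresult": hresult_from_signed(disposition),
        "failed": failed,
        "win32_code": code if facility == FACILITY_WIN32 else None,
    }


if __name__ == "__main__":
    ev = parse_denied_event(SAMPLE_EVENT)
    print("request %d from %s" % (ev["request_id"], ev["requester"]))
    print("disposition 0x%08X, Win32 error %s" % (ev["hresult"], ev["win32_code"]))
    print("enrollment DC:", ev["attributes"].get("cdc"))
```

The cdc attribute names the domain controller the client used for enrollment, which is the first place to compare against the dNSHostName the CA's policy module is trying to resolve when the denial is a DNS lookup failure.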

CA Certificate with new keys and CrossCA Signing


Hi

I am just looking for some guidance for renewing Issuing Certificate Authority keys... The conversation at work at the moment is that we need to "revoke" all existing issued certificates as soon as we renew the keys, and I just don't see how that would be practical.

I also saw in this wiki http://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx that you can do CrossCA certificate signing. I have got this working in the LAB but I wanted to check... I was wondering if this is an RFC standard or just something that Microsoft does in ADCS?

Also, can anyone point me to a more official use case for the certutil -CrossCA option in TechNet or elsewhere, other than just this wiki?

Thanks

Alan Burchill


Alan Burchill (MVP)
http://www.grouppolicy.biz

@alanburchill


Enterprise Subordinate Root CA Request

Hello everyone,

I'm attempting to create a CSR for an AD CS Subordinate Root.  The Root CA will be a Linux OpenSSL CA run by our security department.  I walked through all the steps outlined at (http://technet.microsoft.com/en-us/library/cc784465(v=WS.10).aspx).  The problem is that it only populates the CN and DC information in the request.  How do I populate E, OU, State, Location, Country, etc.?  Thanks in advance.


PJudt

Can certutil restrict the CommonName field?


: -view -restrict

Can certutil be used to '-restrict' the CommonName, or other fields, using wildcards?

The below command will only return the field headers:

certutil -config MyServer.mycompany.com\My-CA -restrict "Request.CommonName = *Hudson*"

The below command will return Hudson's certificate information:

certutil -config MyServer.mycompany.com\My-CA -restrict "Request.CommonName = KurtHudsonProduction"

Possible Kerberos bug in Server 2003 R2 x86 SP2 - client time (ctime) is random

Hello. I'm trying to get a stand-alone Windows 2003 R2 system to authenticate users against an MIT Kerberos V5 (v1.10) server. I've set up the host principal on the KDC, used ksetup on the Windows machine to set the realm, KDC location, machine password, and user mapping, and rebooted. When I try to authenticate using a Kerberos user principal, Windows replies that the username or password is bad, yet the KDC shows that it issued a ticket. (If I deliberately enter an incorrect password, the KDC instead shows PREAUTH_FAILED.) So I enabled Kerberos logging in the registry and discovered that the ctime being reported is random:

Testing with 'runas /user:username@REALM.COM cmd.exe' while logged in as a local administrative user, here is an example of what I see at the command prompt:

C:\>runas /user:username@REALM.COM cmd.exe
Enter the password for username@REALM.COM:
Attempting to start cmd.exe as user "username@REALM.COM" ...
RUNAS ERROR: Unable to run - cmd.exe
1326: Logon failure: unknown user name or bad password.

C:\>

I ran that command twice, two seconds apart, and the ctime on the first is 7:35:13 10/5/2019 Z, and on the second it's 8:42:26 2/14/2020 Z! (Both times the server time was correct, at 21:15:5 2/5/2013 Z and 21:15:6 2/5/2013 Z respectively.) According to Wireshark running on the Windows system in question, the bogus ctime is indeed what's in the packet, pointing to the Windows client as being the problem. (It looks like the client is reading an internal timestamp backwards, or an uninitialized variable, or something.) Since Kerberos depends on the server and client times being very close, I suspect this is the reason I can't authenticate. (Nothing is logged for the reception of Kerberos tickets, but Wireshark shows that it did arrive.)

I also tested with MIT's Kerberos for Windows v4.0.1 on the same machine and that works perfectly. I have also been successful in getting a Windows Server 2008 R2 machine to authenticate against the same KDC without issue.

I also tested with a second, freshly installed Windows 2003 R2 x86 SP2 system, with the exact same results.

So all of this points to a flaw in the integrated Kerberos client shipped with Windows Server 2003.

Please let me know what I should do next as I need this resolved.



Certificate Authority Issue

I'm trying to renew an Exchange 2010 certificate, but when I navigate to http://CAservername/certsrv and click "Request a certificate" then "Submit a certificate request......" to get to the renewal screen, I get a message window that says "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory". I verified that all of the information was correct via http://support.microsoft.com/kb/811418 and am logged in with an account that has rights to do this.

During my research I found one instance of someone mentioning that you can't renew certs via the webpage anymore as of 2008 R2, which is the server version of my CA.

I do see that if I right-click on the CA server name in the "Certification Authority" MMC and choose All Tasks, then Submit new request, I get a dialog box looking for a certificate request. I believe this is for the CA itself and not the Exchange certificate I'm trying to renew.

Group membership

Hi,

I have a user with access to a folder.

I wanted to remove the user's group-based access to the folder. I removed the user from all AD groups which had access to that folder, but the user still had RX permissions. I am unable to find through which AD group the user is getting rights to that folder.

Please help me to completely remove the user's access to that particular folder.

Thanks.
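The situation described here, a user who is in none of the groups that appear on the folder's ACL yet still has RX, usually comes from nested membership: the user is a member of a group that is itself a member of a group on the ACL. The code below is an added example, not from the post or from Active Directory: it walks a constructed snapshot of group memberships upward from the user and reports every chain that ends at a principal on the folder's ACL, so you can see exactly which membership to remove. The group names and the ACL are invented for the example.

```python
# Constructed snapshot: group -> direct members (users or other groups).
# Not a real directory; the names are placeholders.
GROUPS = {
    "Finance-Share-RX": ["Finance-Team", "alice"],
    "Finance-Team": ["Finance-Leads", "bob"],
    "Finance-Leads": ["carol"],
    "Legacy-All-Staff": ["Finance-Leads", "dave"],
}

# Constructed ACL on the folder: principal -> rights string.
FOLDER_ACL = {
    "Finance-Share-RX": "RX",
    "Legacy-All-Staff": "RX",
    "Administrators": "F",
}


def reverse_index(groups):
    """Map each member (user or group) to the groups it is directly in."""
    index = {}
    for group, members in groups.items():
        for member in members:
            index.setdefault(member, []).append(group)
    return index


def direct_groups(groups, principal):
    """The groups a principal is a direct member of, i.e. what the user's
    'Member Of' tab shows and what the post's author already checked."""
    return sorted(reverse_index(groups).get(principal, []))


def effective_grants(groups, acl, principal):
    """Return [(granting_principal, rights, path)] for every chain of nested
    membership from principal to a principal named on the ACL. A visited set
    guards against circular group nesting, which AD permits."""
    index = reverse_index(groups)
    grants = []

    def walk(node, path, seen):
        if node in acl:
            grants.append((node, acl[node], path))
        for parent in index.get(node, []):
            if parent in seen:
                continue
            walk(parent, path + [parent], seen | {parent})

    walk(principal, [principal], {principal})
    return grants


def memberships_to_remove(groups, acl, principal):
    """The first hop of each granting chain: the direct memberships that,
    once removed, cut every path from the user to the ACL."""
    return sorted({path[1] for _, _, path in effective_grants(groups, acl, principal)
                   if len(path) > 1})


if __name__ == "__main__":
    user = "carol"
    print("direct groups:", direct_groups(GROUPS, user))
    for holder, rights, path in effective_grants(GROUPS, FOLDER_ACL, user):
        print("%s via %s -> %s" % (rights, " -> ".join(path), holder))
    print("remove from:", memberships_to_remove(GROUPS, FOLDER_ACL, user))
```

In this snapshot carol is in no ACL group directly, but reaches two of them through Finance-Leads; removing that one membership cuts both chains. On a real domain the same walk is done with the group membership data pulled from AD, and a remaining RX after that points at something other than AD groups, such as a local group on the file server or an explicit ACE for the user.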

Windows 2008r2 CA

We are currently running the Enterprise CA on 2008 R2 and it is issuing certs as SHA256, but the CA itself is still SHA1.  Is there a way to make the CA SHA256?  Our root CA was upgraded from 2003 to 2008, but the issuing CA is a new build on 2008 R2. I was thinking that we only need to update the signature, but I'm not sure.  Any help would be appreciated.
Thanks,
Lori

Lori Gilleland

2008 R2 user certificate autoenrollment not triggered with gpupdate on XP


Hi

I'm trying to deploy user certificate autoenrollment with Win7 and XP computers.

I'm using a 2008 R2 intermediate enterprise CA, have created both templates and the autoenrollment GPO, and all is working almost fine:

On Win7, autoenrollment works fine after Windows logon. When I delete the user certificate from the store (MMC) and run a gpupdate, a new certificate is automatically delivered (I allow several certificates per user).

On WinXP, it seems that autoenrollment works when the user first logs in (I'm not sure of that; I was able to test on 2 computers only), but after certificate deletion and gpupdate /force (or a new session login), no request is made from the computer (no autoenrollment logs in Event Viewer and no request seen on the CA, even after 10 minutes).

I've read that gpupdate or a new login should trigger the autoenrollment process when no certificate is present in the user store, but it seems that's not true for XP users.

I've also read about an internal timer for autoenrollment to occur; maybe this timer is used prior to gpupdate?

I didn't try to delete the AEDirectoryCache registry entry; it seems to be related to third-party root CAs or cross certificates, not to auto-enrolled user certificates.

Thanks for your help


Adding EKU/Application Policy to IPSECIntermediateOffline on Standalone CA?

I have a Standalone CA installed with NDES (SCEP) to issue certs for firewalls, VPN, etc. It is installed on a member server that is connected to an AD domain.

I'd like to add some Extended Key Usage attributes to the certificate that is issued.   When I look at the cert in Certification Authority, it says that the template is: IPSECIntermediateOffline

The only way I can see those templates is to fire up MMC, go to Certificate Templates, and connect to a Domain Controller. I can see the template I want and can duplicate it, change its template name, and say that it superseded the previous template. Though when I request a new cert I get the old template name.

How can I add a template to a Stand-alone CA?  Or how can I add the EKU to the existing template?

Thanks!

Installing Certificate Server in a child domain

Hello all,

I need to install a Microsoft Certificate Server in a child domain. We have several users that will need to authenticate via PKI. I don't wish to involve the parent domain in any way, as we do not administer that domain. Is it possible to install the Certificate Server only in the child domain and have it only provide certificates for a select group of users?  If we decide later on to remove the Certificate Server, what would be the implications and impact?  Thanks

Cross Site CA redundancy for secure AD


Hi All

I have a scenario where a Windows 2008 R2 domain spans two disparate sites, over a WAN.  I need my domain controllers to talk securely, i.e. over port 636.  This involves me placing a certificate in the "Active Directory Domain Services" service > Personal certificates folder (NTDS/Personal) on each Domain Controller.

I have two Enterprise Certification Authorities in my domain, one at each site, for redundancy.  (I cannot cluster a single CA across sites, as per Microsoft's recommendation.)

My question is this:

I can install a certificate from each subordinate enterprise CA into the Domain Controllers' store (so there are two).  Should one CA fail, will my domain controllers continue to talk securely?

I am aware that the Revocation List is stored in AD, so the certificate will remain valid for a period of time.  What would happen if this period expires?  Will the Domain Controller automatically use the certificate from the other CA, or will it all go wrong?

This is a very hard thing to test, so any advice would be gratefully received.

Thanks

NDES service doesn't work when linked CA is restarted

We restart the Issuing CA for maintenance purposes regularly...

After the CA is restarted, the NDES service that is linked to it on another server loses the capacity to make requests to this CA...

So we need to manually restart the NDES service, and the computer also.

Does someone know about this behavior, and how to handle it, in order to provide a continuous service??

Many thanks


JOSELITO


How to renew the root CA and increase key length to 2048 for Windows 2003 Standard Edition?

How do I renew the root CA and increase the key length to 2048 for Windows 2003 Standard Edition?

I have checked the installation of the Windows 2003 CA server, and it is not using CApolicy.inf. So I am not sure whether the root CA renewal process is the same as normal practice. Also, if I create a CApolicy.inf to increase the key length, is it workable to do that?

