Channel: Security forum

Authentication Mechanism Assurance (AMA) + RBAC != true?


Hi!
We have a setup with Authentication Mechanism Assurance but we have hit a problem with RBAC and system center products.

Systems that use RBAC, e.g. Exchange and S4B, deny login via smartcard (S4B control panel and PowerShell modules); it looks like it does not pick up the universal dynamic group membership.

System Center (SCOM) consoles are not accessible either.

If we add the user to an ordinary security group the login works.

All other access via RDP, shares and IIS for a smartcard-logged-on user works.

Shouldn't AMA work for these systems?


Server 2012 R2 has been infected with tomas.anderson@india.com.xtbl (ransomware); how can I recover?


Hi,

Server 2012 R2 has been infected with tomas.anderson@india.com.xtbl (ransomware); how can I recover?

Any idea?

Can shadow copies work?

Regards

CRL Locations and new Enterprise SubCA filename


Hello All,

I needed to update my CDPs in order to allow devices on a different network to check the CRLs. I have updated my offline root CA with this new information. I select "renew ca certificate" on my enterprise SubCA in the Certificate Authority snap-in and use that request to generate a new certificate from my offline root. When I then select "install ca certificate" and use the newly generated certificate it gets added correctly. The CDPs are reflected accurately in the new certificate.

My problem is that now the Enterprise SubCA has a new .crt file in the system32\certsrv\certenroll folder with the same name as the old one with a (1) appended to it. Because my CRL files are based on the variable names, all of the CRL files now have a (1) appended to them as well.

Is it possible to change this? Can I just issue a new certificate to the enterprise SubCA and delete the references to the old one? (I have played around with this a bit and the result is that the service won't start and it wants me to re-run the wizard.)

Or am I going about this completely wrong? The only thing I am trying to do is update the certificate with the new CRL/AIA locations.


invalid algorithm specified when backing up CA

I have a Win 2008 root CA server running KSP/SHA256. It works fine, and now I wish to migrate to Server 2012. To do so I first need to back up the CA authority, but I keep getting "invalid algorithm specified" when trying to back up the root CA. Can anyone assist?

Cannot create a Shielded Virtual Machine template disk using PowerShell or the Template Disk Wizard


Operating System = Windows Server 2016 Datacenter

VM created with Windows Server 2016 DC and with STD as well

Generation 2 2 vCPUs 2048 Memory Disk Size 55GB Bitlocker tools installed on OS

Sysprepped using the following command: sysprep /generalize /shutdown /oobe

RSAT and Shielding tools installed on host being used to create shielded VM template

Using the following process in PowerShell, I try to create a Shielded Virtual Machine Template:

$Certificate = New-SelfSignedCertificate -Dnsname publisher.secvbsfabric.com -CertStoreLocation $certStoreLocation -KeyExportPolicy Exportable

Also tried just $Certificate = New-SelfSignedCertificate -DnsName publisher.secvbsfabric.com (made no difference)

$TemplatePath = 'C:\Temp\Shldtmpl01.vhdx'

$TemplateName = 'WS2K16'

$Version = '1.0.0.0'

Protect-TemplateDisk -Path $TemplatePath -TemplateName $TemplateName -Version $Version -Certificate $Certificate

This command fails with the error : The system cannot find file specified

I also tried using the Template Disk Wizard and I get the same error; the PowerShell error is:

PS C:\> Protect-TemplateDisk -Path $TemplatePath -TemplateName $TemplateName -Version $Version -Certificate $Certificate

Protect-TemplateDisk : The system cannot find the file specified
At line:1 char:1
+ Protect-TemplateDisk -Path $TemplatePath -TemplateName $TemplateName  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Microsoft.Windo...lateDiskCommand:ProtectTemplateDiskCommand) [Protect-TemplateDisk], NativeMethodException
    + FullyQualifiedErrorId : OutputGenerationError,Microsoft.Windows.HardenedFabric.Cmdlets.ProtectTemplateDiskCommand
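The same procedure with pre-flight checks in front of the failing call, as an added PowerShell example that is not part of the original post. It keeps the post's path, template name, version and DNS name, and assumes the signing certificate lives in the local machine personal store (Cert:\LocalMachine\My) and that the Shielded VM tools feature is named RSAT-Shielded-VM-Tools.

```powershell
# Added example: validate every input Protect-TemplateDisk touches before calling it,
# so "The system cannot find the file specified" can be traced to a specific input.
$TemplatePath = 'C:\Temp\Shldtmpl01.vhdx'
$TemplateName = 'WS2K16'
$Version      = '1.0.0.0'
$CertDnsName  = 'publisher.secvbsfabric.com'
$CertStore    = 'Cert:\LocalMachine\My'   # assumption: machine store, not the user store

# 1. The sysprepped template disk must exist and must not be mounted by anything else.
if (-not (Test-Path -LiteralPath $TemplatePath)) {
    throw "Template disk not found: $TemplatePath"
}
$image = Get-DiskImage -ImagePath $TemplatePath -ErrorAction SilentlyContinue
if ($image -and $image.Attached) {
    throw "Template disk is still mounted; run Dismount-DiskImage -ImagePath '$TemplatePath' first"
}

# 2. The signing certificate must be in the expected store and carry a private key.
#    Reuse an existing one; otherwise create it explicitly in that store.
$Certificate = Get-ChildItem -Path $CertStore |
    Where-Object { $_.Subject -eq "CN=$CertDnsName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Certificate) {
    $Certificate = New-SelfSignedCertificate -DnsName $CertDnsName `
        -CertStoreLocation $CertStore -KeyExportPolicy Exportable
}
Write-Host "Using certificate $($Certificate.Thumbprint) from $CertStore"

# 3. The cmdlet is only present when the Shielded VM tools are installed on this host.
if (-not (Get-Command Protect-TemplateDisk -ErrorAction SilentlyContinue)) {
    throw "Protect-TemplateDisk not found; install the Shielded VM Tools feature (RSAT-Shielded-VM-Tools)"
}

# 4. Sign the template disk and show the result on disk.
Protect-TemplateDisk -Path $TemplatePath -TemplateName $TemplateName `
    -Version $Version -Certificate $Certificate
Get-Item -LiteralPath $TemplatePath | Select-Object FullName, Length, LastWriteTime
```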

Root CA shorten lifetime


Hello

As part of a SHA256 update project I want to shorten the Root CA validity. I already configured a CAPolicy.inf file with the desired validity:

[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=15
CRLPeriodUnits = 2
CRLPeriod=Years
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=Days
AlternativeSignatureAlgorithm=0

When I renew the certificate with a new key, its validity is the same as the original, not the 15 years which I configured in CAPolicy.inf.

Any ideas?

Delete a pending Certificate Enrollment request

Hi

I'm working on a project where I have to simulate the SSL certificate request and installation for a website as done in IIS. I need this to work both on Windows 2003 Server with IIS6 and Windows 2008 Server with IIS7. I'm currently invoking certutil.exe and certreq.exe with command line options to perform most of the steps. I have been able to generate a CSR and install a certificate against a CSR using certreq.exe, but I've not been able to find any command line option that would allow me to delete a certificate enrollment request using either of these utilities. Since I can manually delete it using IIS Manager, I'm sure the option would be there in one of the utilities to delete it given the CN as an argument.

Regards

Usman

Server Vulnerability issue


One of our servers is disclosing the server host name and NetBIOS details to public users.

When they try to ping our public IP, it's disclosing some information.

Kindly provide your support on how to fix this.

Regards

Sundar S


SHA1 to SHA2 Migration


Hi Everyone,

I have a very limited understanding of the Microsoft CA and have been requested to prepare a plan to migrate the current CA from SHA1 to SHA2.

What we have:

  1. 1x Offline Root CA with SHA1
  2. 1x Issuing CA with SHA1

Templates:

  1. BYOD devices
  2. EFS
  3. WebServer

The plan is to introduce a new Issuing CA with SHA2 and gradually migrate clients/devices to the new CA. Is there a step-by-step guide which can be referred to?

Few questions:

  1. How to migrate gradually from SHA1 to SHA2, considering there are some devices/clients using SHA1?
  2. Post migration, can a device/client supporting SHA1 renew its certificate from the SHA2 Issuing CA?
  3. Post migration, can a new device/client supporting SHA1 generate a new certificate from the SHA2 Issuing CA (I guess not)? How to go about this?

Could you please help address the above queries?

In the cert MMC what are the Remote Desktop cert used for?

I know that certs are examined for RDP to take place, but when I remote into a PC, am I using that PC's RDP cert (as opposed to its personal cert) to verify its identity, and does it use my RDP cert to verify me? And why does it not just use the cert that is in my personal certs folder?

Does AD DNS set configuration still make sense if we use 3rd party DNS?


Does AD DNS set configuration still make sense if we use 3rd party DNS?

Thank you

Need help to delete a certificate from personal certificates with "Certutil"

Hi,

I want to delete a certificate from the personal certificate store in my local machine store. I used the following command.

certutil -delstore -enterprise -user My <certificate_name>

But I got the following error.
CertUtil: -delstore command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

Can anybody please give a solution? I am working on urgent work.

Thanks
Buddhika Priyadarshana
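The removal described above, as an added PowerShell example that is not part of the original post. It assumes the target is the local machine personal store (Cert:\LocalMachine\My, which is what certutil addresses as "My" when -user is not given), and the subject value used at the bottom is a constructed placeholder.

```powershell
# Added example: delete exactly one certificate from the machine personal store,
# refusing ambiguous matches so a subject that several certs share cannot wipe all of them.
function Remove-MachinePersonalCert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Subject,      # exact subject DN, e.g. 'CN=host.example'
        [string]$Thumbprint    # preferred: unambiguous
    )
    $store = 'Cert:\LocalMachine\My'   # machine store; Cert:\CurrentUser\My is the per-user store
    if (-not $Subject -and -not $Thumbprint) { throw 'Give -Subject or -Thumbprint' }

    $certs = @(Get-ChildItem -Path $store | Where-Object {
        ($Thumbprint -and $_.Thumbprint -eq $Thumbprint) -or
        ($Subject    -and $_.Subject    -eq $Subject)
    })
    if ($certs.Count -eq 0) {
        # This is the condition behind certutil's "cannot find the file specified" (0x80070002).
        throw "No certificate in $store matches"
    }
    if ($certs.Count -gt 1) {
        $certs | Format-Table Thumbprint, Subject, NotAfter | Out-String | Write-Host
        throw "Ambiguous match ($($certs.Count) certificates); rerun with -Thumbprint"
    }

    $cert = $certs[0]
    # -WhatIf on the function shows what would be removed without touching the store.
    if ($PSCmdlet.ShouldProcess("$($cert.Thumbprint) $($cert.Subject)", "Remove from $store")) {
        Remove-Item -Path $cert.PSPath
        Write-Host "Removed $($cert.Thumbprint) (expired/expires $($cert.NotAfter))"
    }
}

# Constructed placeholder subject; dry run first, then the real removal.
Remove-MachinePersonalCert -Subject 'CN=example-cert-to-remove' -WhatIf
# Remove-MachinePersonalCert -Subject 'CN=example-cert-to-remove'
# certutil equivalent for the machine store: certutil -delstore My "example-cert-to-remove"
```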



NPS server with wildcard certificate and PEAP MS-CHAP v2 authentication


I've read through many threads in the forums, and looked at various design guides and configuration instructions, including the TechNet article often referenced, PEAP-MS-CHAP v2-based Authentication, but I am still stuck...

I have an NPS set up on Windows Server 2008 R2. I have a policy set up and working, and clients can authenticate (Windows XP, Vista, 7) if the client configuration is changed to remove the setting for "Validate server certificate".

I have a wildcard certificate "*.southplainscollege.edu" installed on the RPS server, issued by Verisign. I created it with the server authentication role. The certificate is working for LDAPS and IIS/SSL connections without any problems from clients. But I can't get the Windows PEAP clients to work. I do not want to join the clients to the domain, as these are not college-owned computers but personal computers of students and employees.

The only thing that might be missing is that the certificate was not issued with the "SubjectAltName" tag. I just came across that option in an old TechNet article discussing IAS on Windows 2000/2003.

How can I do troubleshooting on the clients to find out where this is failing? As stated, authentication works when "Validate server certificate" is unchecked, but when it is checked, client authentication fails (the user is continuously prompted for their username and password).


Tim Winders | Associate Dean of Information Technology | South Plains College

Smart Card Login Fails After Certificate Update


We have recently experienced a couple of users that were unable to log in to their own personal Windows 7 machines after they got their certificates updated on their smart cards. These same users could log in to a different workstation successfully using their smart cards after the certificate update. We are using the native Windows middleware. The smart card certificates are issued by a third party (Entrust), and we have the proper root and intermediate certificates deployed to all workstations. We did not encounter this problem until users started to get their old certificates, which were not expired but pending expiration, updated to new certificates.

The error message presented to the end user is:

"This smart card could not be used. Additional details may be available in the system event log. Please report this error to your administrator."

And there's this corresponding error in the Application event log:

An error occurred while signing a message using the inserted smart card: Invalid Signature.

If we switch the user over to username/password authentication, he is able to log in to the machine. However, if he inserts his smart card, only the "old" certificates from the card show up in the personal store. What makes it more odd is that another smart card user can successfully log in to the machine, and if another user logs in, and the machine owner inserts his own smart card, he can now see the new certificates in the personal store and subsequent logins are successful for him again with the smart card. So it almost seems to us like something is caching the old certificates and the machine is not seeing the new ones until a new user logs in and he inserts his card. Has anybody ever experienced this issue before? It does not appear to happen to every user that has their smart card certificates updated.

Thanks, Josh.



A question about NDES and SCEP proxying


Hello

Can someone please help me with the following question.

Here is the background.

We have one Active Directory Domain with an AD CS Enterprise CA (domain joined), in this domain we have the usual Windows computers, users, groups etc.

We also have a 'separate' Linux/Unix environment which has its own 'Kerberos realm' (no trust between this realm and our AD Kerberos realm).

We want to issue certificates 'automatically' to our Linux/Unix clients from our AD CS. We realise there are a number of commercial solutions available, but we are not looking at this right now.

The UNIX guys can set up a SCEP Server (proxy); this SCEP Server uses Kerberos to authenticate the Linux client requesting a certificate via this SCEP proxy (to check whether they are allowed to request a certificate via SCEP or not).

The problem is interfacing this UNIX SCEP proxy to AD as a trusted RA (registration authority); moreover, the SCEP Server would need to issue DCOM requests to the CA (to request and retrieve certificates, for example; we are not looking at using certificate enrolment policy/web services).

Therefore we were thinking about trying the following configuration, and my question is: is the following a possible/plausible configuration (as I have not set up NDES before)?

Set up an NDES Server to service SCEP requests to/from the AD CS (in the usual way up to now).

However, rather than letting 'any' SCEP client request certificates from the NDES Server, lock it down so only the UNIX SCEP proxy can proxy SCEP requests via the NDES Server.

With the above configuration I was thinking of possibly using https or IPsec to secure the communication between the UNIX SCEP proxy and the NDES Server, in such a way that no other host can talk to/make SCEP requests for certs to the NDES Server.

But then I am thinking, what about the SCEP challenge the Linux client needs to present to the NDES Server (I have not set up NDES before and understand NDES by default issues and expects back a SCEP challenge)?

Can I turn this SCEP challenge off completely? The reason I want to turn off the SCEP challenge is to make the automation of issuing certificates to these Linux clients easier, and these Linux clients have already been 'authenticated' (via their own Kerberos realm). Although the AD domain does not have a trust set up with the Unix Kerberos realm, we trust it, and are therefore happy to set up an IPsec or https tunnel to it to proxy the requests through.

Any advice/help would be most welcome

Thanks all

Ernie


Password Must Meet Complexity Requirements when using Ctrl+Alt+Del


At least two of our computers have this issue. Whenever the users try to change the password by using Ctrl+Alt+Del, they receive this message: Password Must Meet Complexity Requirements.

We are sure the password meets the complexity requirements. Also, if we force the users to change the password and restart the computer, they can change the password without any issues. Any ideas?


Bob Lin, MCSE & CNE Networking, Internet, Routing, VPN Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com

Multiple certsrv pointed to different CA:s?


Hi!
Is it possible to set up an IIS and add multiple Cert Web enrollment sites (certsrv) and point them to two different CAs?

I want for example:

https:/getcert.com/servercertsrv

https:/getcert.com/clientcertsrv

Certificate Authority - Autoenrol

When you enable the autoenrol feature and certificates are renewed automatically 6 weeks before, how are they propagated to the client machine? Do they need to revisit the CA web URL, and will the certificate be available for download from there? I can't find documentation on how the automatic renewal process works.

Glenn Camilleri

NDES Best Design


Dear Team

We currently have one Issuing CA; we need to add NDES on a separate server. What is the best approach?

1. Install CA in a new server along with NDES

2. Install NDES only and use the existing CA

Regards,

CaPolicy.inf can't use


Hello together,

I try to install a two-tier PKI. I put the CAPolicy.inf under C:\windows, but after installing the roles I can't see my configuration from the CAPolicy.inf. Does someone have an idea where the problem is, and can somebody tell me where I can manually insert the OID? Thanks

This is the CAPolicy.inf I have created:

[Version]
Signature= "$Windows NT$"

[PolicyStatementExtension]
Policies = LegalPolicy
Critical = 0

[LegalPolicy]
OID = xxx
Notice = xxx
URL = xxx

[AuthorityInformationAccess]
;URL = %WinDir%\System32\CertSrv\CertEnroll\%1_%3%4.crt
;URL = http://xxxt/aia/%3%4.crt
Empty= true

[CRLDistributionPoint]
;URL = %WinDir%\System32\CertSrv\CertEnroll\%3%8%9.crl
;URL = http://xxx/crl/%3%8%9.crl
Empty= true

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=30

CRLPeriod = months
CRLPeriodUnits = 13
CRLOverlapPeriod = months
CRLOverlapUnits = 2
CRLDeltaPeriod = hours
CRLDeltaPeriodUnits = 0

LoadDefaultTemplates=0

DiscreteSignatureAlgorithm=1
EnableKeyCounting=1

[BasicConstraintsExtension]
PathLength = 2
Critical = true
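Both CAPolicy.inf posts above (the Root CA whose renewal ignored RenewalValidityPeriodUnits, and the two-tier install that never picked up its policy) come down to whether the file is where the CA reads it and whether every line parses. The checker below is an added PowerShell example, not code from either post; it assumes the file is meant to live at %windir%\CAPolicy.inf and only reports, it changes nothing.

```powershell
# Added example: sanity-check a CAPolicy.inf before installing or renewing a CA.
# Reports: wrong location or name (CAPolicy.inf.txt), 'REM' used as a comment (INF uses ';'),
# keys outside a section, non-numeric unit values, and the renewal validity it will apply.
function Test-CAPolicyInf {
    param([string]$Path = (Join-Path $env:windir 'CAPolicy.inf'))
    $problems = New-Object System.Collections.Generic.List[string]
    if (-not (Test-Path -LiteralPath $Path)) {
        $problems.Add("File not found: $Path (the CA only reads %windir%\CAPolicy.inf)")
        Get-ChildItem -Path $env:windir -Filter 'CAPolicy.inf*' -ErrorAction SilentlyContinue |
            ForEach-Object { $problems.Add("Found '$($_.Name)' instead; rename it to CAPolicy.inf") }
        return [pscustomobject]@{ Path = $Path; Sections = @{}; Problems = $problems }
    }
    $sections = @{}; $current = $null; $n = 0
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $n++; $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }      # ';' is the INF comment character
        if ($line -match '^REM\b') { $problems.Add("Line ${n}: 'REM' is not an INF comment; use ';'"); continue }
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($null -eq $current) { $problems.Add("Line ${n}: key outside any [section]"); continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') { $sections[$current][$Matches[1]] = $Matches[2]; continue }
        $problems.Add("Line ${n}: not a key=value pair: $line")
    }
    if (-not $sections.ContainsKey('Version') -or $sections['Version']['Signature'] -notmatch 'Windows NT') {
        $problems.Add('[Version] Signature="$Windows NT$" is required')
    }
    $srv = $sections['Certsrv_Server']
    if ($srv) {
        foreach ($k in 'RenewalValidityPeriodUnits', 'CRLPeriodUnits', 'CRLDeltaPeriodUnits') {
            if ($srv.ContainsKey($k) -and $srv[$k] -notmatch '^\d+$') {
                $problems.Add("$k must be a whole number, got '$($srv[$k])'")
            }
        }
        if ($srv['RenewalValidityPeriod'] -and $srv['RenewalValidityPeriodUnits']) {
            Write-Host ("Renewal validity the CA will use: {0} {1}" -f $srv['RenewalValidityPeriodUnits'], $srv['RenewalValidityPeriod'])
        }
    }
    foreach ($s in 'AuthorityInformationAccess', 'CRLDistributionPoint') {
        if ($sections[$s] -and $sections[$s].ContainsKey('Empty') -and ($sections[$s].Keys | Where-Object { $_ -like 'URL*' })) {
            $problems.Add("[$s] sets Empty=true but also lists URL entries")
        }
    }
    [pscustomobject]@{ Path = $Path; Sections = $sections; Problems = $problems }
}

$r = Test-CAPolicyInf
$r.Problems | ForEach-Object { Write-Warning $_ }
if ($r.Problems.Count -eq 0) { Write-Host "No problems found in $($r.Path)" }
```

Run it on the CA host before Install-AdcsCertificationAuthority or a certificate renewal; a renewal that still produces the old validity with a clean report points at the CA not re-reading the file rather than at the file's contents.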
