Channel: Security forum

How to add domainname\servername$ as user account


Hi,

How do I add a computer account (servername$) as a user account in the folder permissions of a shared folder, i.e. as a user object rather than as a computer object?

Thanks.


Smartcard PIN Policy


Hi guys,

Is there some kind of Windows, AD, GPO or other built-in method to enforce PIN complexity and/or length?

Servers unable to enroll for certificates


We recently implemented a new 2012 PKI environment (offline standalone root with an enterprise issuing CA). The problem we have is that on a couple of our domain controllers we cannot request a new certificate from the new CA. When working through the Active Directory Enrollment Policy request process (via the Certificates MMC > right-clicking the Personal store > Request New Certificate), we see only a certificate template from the old CA server that isn't even advertised anymore. Furthermore, looking in the Trusted Root Certificate and Intermediate Certificate stores, the new CAs are not there. If I run certutil from the cmd line, though, it all looks good. Likewise, if I open ADSIEdit from this domain controller, all the information in the PKI services is correct as well.

These two domain controllers are in a different site which replicates with our primary site (as do many other domain controllers that are working).

Any clues as to what might be going on here?


Karl

Certificate import issue


To whom it may concern,

We have an issue with a secure mail certificate import on a client workstation. Basically the user reported that one fine morning his secure mail certificate wasn't working, and we found that the personal certificate had disappeared from his personal store.

When trying to import the certificate into his personal store using the Current User option, the following errors appear both when choosing the automatic store and when specifically choosing the Personal store:

1. An error occurred during the addition of a certificate to the Personal store.

2. The import failed because the store was read-only, the store was full, or the store did not open correctly.

The certificate imports successfully into other stores but not into Current User - Personal. The user also has administrative rights and can access the subfolder in \Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\.

Can someone point out the cause of the issue please? I couldn't find anything in Event Viewer. Could the personal store be corrupted?

Thanks in advance.

Renewal of Auto-enrolled certificates made through web enrollment


I have a scenario where users request certificates through web enrollment. We have certificate templates with autoenrollment which are working fine. Users request a certificate and there is no need for an officer to issue the certificates, since this is done automatically. My question is, after 80% of the validity period of the certificate, technically how does the renewal occur? Is there any need for human intervention? Will auto renewal occur?

Thanks

Required Permissions


Hello All,

We have a two-tier PKI architecture and an OCSP responder running separately on an OCSP server. Our security group is not added to the Enterprise Admins and Domain Admins groups in AD. Hence could anyone please help me understand what permissions need to be delegated to our security group (without adding it to the Enterprise Admins and Domain Admins groups in AD) to manage and administer the PKI infrastructure completely.

Regards,

Mubasseer

Certificates on Smart cards


Hi,

I would like to know technically how the embedding of end-entity certificates on smart cards occurs when the requests and certificates are made through web services (a web portal to request and download CA certificates). Any help with guides and technical details is greatly appreciated.

Thanks in advance.

Watermark feature in ADRMS

Hi,

We are using MS Office 2013 in our organization and we need to deploy an automatic watermark solution for all client computers.

The user's PC will be logged into the domain with his badge ID (example: 123456); whenever the user prints a document, the printout should carry his badge ID and display name.

Our Setup:
Windows Server 2012 R2 ( Active Directory )
Windows 7 Desktop OS ( Client Computers )

Is there any solution to deploy this through Active Directory Rights Management please?

Thank You.

Regards, Ali


Frequent Schema Admin Account Lockout


Hello There,

We are facing a problem regarding the lockout of our schema admin account. According to the events it is locked by our DC; after further analysis we found out that it is being locked from a server in our domain which has the Terminal Server (Remote Desktop Services) role installed.

Unable to pinpoint the root cause, I want to know what steps we can perform next.

The steps we have already performed are given below:

- Pinpointed the server it locks out from

- The reason is a bad password attempt

- Checked whether any service or scheduled task uses this account, but nothing was found on that server.

Awaiting your kind response as to what to do next.

Netlogon logs checked and the following events found.

1/16 08:29:46 [LOGON] [20944] SamLogon: Network logon of (null)\Administrator from QMHSVR01 Entered

11/16 08:29:46 [CRITICAL] [20944] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)

11/16 08:29:46 [LOGON] [20944] SamLogon: Network logon of (null)\Administrator from QMHSVR01 Returns 0xC000006A


1/16 08:30:42 [LOGON] [20944] SamLogon: Network logon of (null)\ADMINISTRATOR from Entered

11/16 08:30:42 [CRITICAL] [20944] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)

11/16 08:30:42 [LOGON] [20944] SamLogon: Network logon of (null)\ADMINISTRATOR from Returns 0xC000006A

11/16 08:30:45 [LOGON] [20944] SamLogon: Network logon of (null)\ADMINISTRATOR from Entered

11/16 08:30:45 [CRITICAL] [20944] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000023
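As an added example (not code from the poster), the following PowerShell summarises netlogon.log "Returns" lines by source computer and NTSTATUS code so the host generating the bad-password attempts can be confirmed; the sample lines are constructed in the format shown above, and the status-name table and event IDs are standard Windows values.

```powershell
# Added example: group netlogon.log SamLogon results by source and status.
# In practice replace $sampleLog with: Get-Content C:\Windows\debug\netlogon.log
$sampleLog = @'
11/16 08:29:46 [LOGON] [20944] SamLogon: Network logon of (null)\Administrator from QMHSVR01 Entered
11/16 08:29:46 [LOGON] [20944] SamLogon: Network logon of (null)\Administrator from QMHSVR01 Returns 0xC000006A
11/16 08:30:42 [LOGON] [20944] SamLogon: Network logon of (null)\ADMINISTRATOR from Returns 0xC000006A
11/16 08:30:45 [LOGON] [20944] SamLogon: Network logon of (null)\ADMINISTRATOR from QMHSVR01 Returns 0xC0000234
'@ -split "`r?`n"   # constructed sample, modelled on the lines quoted in the post

# NTSTATUS values that matter when tracing a lockout
$statusNames = @{
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
}

function Get-NetlogonFailure {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin {
        # "Entered" lines carry no result and do not match; only "Returns" lines do.
        # The source group is optional because netlogon sometimes logs no workstation name.
        $rx = '^(?<ts>\S+ \S+) \[LOGON\] \[\d+\] SamLogon: (?<type>\w+) logon of ' +
              '(?<domain>[^\\]*)\\(?<user>\S+) from (?<src>\S*)\s*Returns (?<code>0x[0-9A-Fa-f]{8})'
    }
    process {
        if ($Line -match $rx) {
            $code = '0x' + $Matches.code.Substring(2).ToUpper()
            [pscustomobject]@{
                Time   = $Matches.ts
                User   = $Matches.user
                # Blank source: correlate with Security events 4776/4740 on the DC instead.
                Source = if ($Matches.src) { $Matches.src } else { '<no workstation name>' }
                Code   = $code
                Status = if ($statusNames.ContainsKey($code)) { $statusNames[$code] } else { 'other' }
            }
        }
    }
}

# Count failures per source and status; the top entry is the host to investigate.
$sampleLog | Get-NetlogonFailure |
    Group-Object Source, Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```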

CA Missing Templates in Enable Certificate Templates


One of the other admins recently reinstalled our only CA server, and since then a bunch of certificates that were formerly available are no longer issuable. After going to the Enable Certificate Templates dialog, some of the certificates are not listed. The server IS running Windows Server Enterprise 2008 R2 SP1 (I verified this before posting) and the certificates have replicated to all the DCs. Some of the certificate templates in question are default certificates (Workstation Authentication templates) and others are not (The ConfigMgr certificates).

Any suggestions on what we might be missing?

Kerberos-Key-Distribution-Center Error 26


We are upgrading our domain to Windows 2012 R2 and getting a lot of Kerberos-Key-Distribution-Center errors for Linux clients with error code 26 on the Windows 2012 R2 domain controllers. How can we resolve the KDC errors?

On the domain controller the key type shows:

Session Key Type: AES-256-CTS-HMAC-SHA1-96.

Below is the error message for Linux clients.


Tek-Nerd

Certificate Service Exit Module Email Troubleshooting


I have set up the SMTP exit module on my 2008 R2 PKI server as per http://social.technet.microsoft.com/wiki/contents/articles/2004.active-directory-certificate-services-smtp-exit-module-for-windows-server-2008-r2-example.aspx, however it does not seem to be sending emails. Can anyone send me details as to where I can look to troubleshoot why it is not sending? Are there any logs I can look at to see if this is an SMTP issue, or just to confirm the event is even triggered?

Alan Burchill (MVP)
http://www.grouppolicy.biz

@alanburchill

Definitive SHA1 to SHA2 migration guidance


Hi Everyone,

I would like a definitive answer from an MVP or technical expert in regard to the SHA1 to SHA2 migration of an Active Directory Root CA running on Server 2008 R2 (used for issuing certs to laptops/tablets connecting to Cisco WAPs, authenticating via NPS).

CA Type: Enterprise Root (for a small ADDS domain < 100 servers, 1,000 clients)
Usage: SCOM computers in DMZ, issuing CA certs for Cisco VPN clients
OS: Windows 2008 R2 Server running CA 
CSP: RSA #Microsoft Software Key Storage Provider (KSP) 
ADDS DCs: Mix of 2008 R2 and 2012 R2 
Hash Algorithm: SHA1
Key Length: 2048

I have read the following kbs:

Implementing SHA-2 in Active Directory Certificate Services
http://social.technet.microsoft.com/wiki/contents/articles/31296.implementing-sha-2-in-active-directory-certificate-services.aspx

Transitioning Your PKI to SHA2
https://blogs.technet.microsoft.com/xdot509/2015/12/27/transitioning-your-pki-to-sha2/

Update Microsoft certificate authorities to use the SHA-2 hashing algorithm
http://www.cusoon.fr/update-microsoft-certificate-authorities-to-use-the-sha-2-hashing-algorithm-2/

What makes a CA capable of issuing certificates that uses SHA-2?
https://ammarhasayen.com/2015/02/04/what-makes-a-ca-capable-of-issuing-certificates-that-uses-sha-2/

CNG Key Storage Providers
https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

Upgrade Certification Authority to SHA256
https://blogs.technet.microsoft.com/pki/2013/09/19/upgrade-certification-authority-to-sha256/

In summary here is my plan:

Backup ADCS db and ADCS host

Using https://blogs.technet.microsoft.com/pki/2013/09/19/upgrade-certification-authority-to-sha256/

Run:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc

Then using:
https://blogs.technet.microsoft.com/xdot509/2015/12/27/transitioning-your-pki-to-sha2/

Renewing the Root CA Certificate
(Renew and verify the certification authority’s SHA2 certificate)

Publish the Root CA Certificate and CRL (I'm not using AIA repo only CDPs)

Renewing the Issuing CA Certificate
(N/A Root CA is Issuing CA ???)

Publish CA Certificate
(N/A Root CA is Issuing CA ???)

Validating PKI Status
pkiview.msc

I would greatly appreciate validation of the above steps.

Thank you

Steve
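As an added example (not the poster's or Microsoft's code), the PowerShell below performs the checks a reviewer would want around the `certutil -setreg ca\csp\CNGHashAlgorithm SHA256` step in the plan above: confirming the CA key sits in a CNG Key Storage Provider before the change, and reading the CA certificate's signature algorithm after the renewal. It assumes the standard CertSvc registry layout and that the name in `Configuration\Active` matches the CN of the CA certificate in the machine store.

```powershell
# Added example: pre- and post-change checks for a SHA-1 -> SHA-2 CA migration.
# Run on the CA host as a CA administrator.
$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaSha2Readiness {
    # The active CA name lives in Configuration\Active; its CSP settings sit
    # under <CAName>\CSP. SHA-2 signing needs a CNG Key Storage Provider: a
    # legacy CryptoAPI CSP is not switched by setreg alone, so the key would
    # have to be migrated to a KSP first.
    $caName = (Get-ItemProperty -Path $cfgPath -Name Active).Active
    $csp    = Get-ItemProperty -Path (Join-Path $cfgPath "$caName\CSP")
    $isKsp  = $csp.Provider -like '*Key Storage Provider*'
    [pscustomobject]@{
        CA               = $caName
        Provider         = $csp.Provider
        IsKsp            = $isKsp
        CNGHashAlgorithm = $csp.CNGHashAlgorithm   # SHA1 before the change, SHA256 after
        ReadyForSetreg   = $isKsp
    }
}

function Get-CaCertSignature {
    # After renewing the root CA certificate, the newest CA cert in the machine
    # store should report sha256RSA; the older SHA-1 CA cert stays valid for the
    # certificates it already signed until they are reissued.
    param([string]$CaName = (Get-ItemProperty -Path $cfgPath -Name Active).Active)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$CaName*" } |   # assumes CN matches the CA name
        Sort-Object NotBefore -Descending |
        Select-Object Subject, NotBefore, NotAfter,
            @{ n = 'Signature'; e = { $_.SignatureAlgorithm.FriendlyName } }
}

$state = Get-CaSha2Readiness
$state
if (-not $state.ReadyForSetreg) {
    Write-Warning "CA key is held by '$($state.Provider)'; migrate it to a KSP before setting CNGHashAlgorithm."
}
Get-CaCertSignature
```

The same values can be cross-checked with `certutil -getreg ca\csp\Provider` and `certutil -getreg ca\csp\CNGHashAlgorithm` before and after the restart of certsvc.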

AD CS Behavior


I am planning for a two-tier PKI. I have a simple question about high availability.

Say I have one offline Root-CA and two Enterprise Subordinate CAs with Sub-CA1 in the US and Sub-CA2 in the UK.  Both Sub-CAs have the same templates.

If Sub-CA2 goes offline and it comes time for a client PC to renew their computer certificate that was issued by it, will the client wait for Sub-CA2 to come back online or will it go ahead and try to get a new certificate from Sub-CA1?


Applocker will not audit events


I have Windows Server 2012 R2 installed with the latest updates. I would like to use AppLocker in "audit only" mode to work through some "what if" scenarios. I have configured all AppLocker rules to "Audit only". I then start the Application Identity service and restart the server. Then when I log in and try to start an application, the rules are enforced, not audited.

For example, if I create a single rule to allow mspaint.exe, then configure the EXE rules for "audit only", then ensure that the Application Identity service is set to start automatically and restart the server: after I log in and try to run notepad.exe, the server actually enforces the rule and prevents me from running notepad.exe instead of just auditing it.


deny share permission command line powershell


Hi,

We want to deny access to a high number of shares for a particular global group. I don't want to do this manually of course :-)

On W2K12 (or higher) we can do this really quick via Block-SMBSharePermissions.
Block-SmbShareAccess -Name "sharename" -AccountName GlobalGroup -Force

Unfortunately the MSFT_SMBShare:ROOT/Microsoft/Windows/SMB/MSFT_SMBShare namespace does not exist on W2K8 server.
So I was thinking of falling back on the good old NET SHARE, but this command has no DENY option.

Any help is welcome.

Robby

AD account disable using mobile devices


Hi!

We manage a small network and rolled out a couple of MS Surface laptops within a local domain. The server is a Windows 2012 Server with the AD role. The Surface laptops are part of the local domain. To prevent users from installing software, the users have restricted user rights. In some cases we would like to provide the Surface and desktop users with a temporary user account with admin rights in case they have to install business-critical software (in consultation).

We have created a second administrator account (Temp Admin) that is disabled by default. In case a user needs to install software, we enable the temp admin account and provide a changed password (on every occasion we change the password). After the installation is completed we disable the temp admin account again.


The question is about the following scenario: the Surface laptop is within range of the local network and the local DC, and the laptop user logs on with the temp admin account and installs the desired software. Then the user logs off and resumes working under their own user account (with user rights).

The server administrator then disables the temp admin account on the server (DC).

What happens when the user has left the building with their Surface laptop, out of range of the local DC, and tries to log on with the temp admin account again? In this scenario the Surface laptop is unable to connect to the local DC (because it's out of range) and unable to notice (?) that the account has been disabled. Does the user in this scenario still have access to the temp admin account using the provided temp login credentials? Because it's also possible for a domain user to log in on their laptop even when it's out of range of the local DC, does this also apply to temp admin accounts? Then it would be a bad solution… or is it possible to force a user account to be usable only when a DC is in reach? (Disable cache mode?)



Migrate Symantec Certificates to Microsoft


My company currently uses internal and external certs from Symantec.

I would like to use a Microsoft platform for internal certs to save time and money.

There is an internal PKI infrastructure.

How would we go about migrating all Symantec-issued internal certs to internal MS CA-issued certs?

Are there tools to assist?

How would we find all the internally issued Symantec certs?

Has anyone done this recently?

Advice much appreciated.

Windows CA Cross Certification


Hello,

We need to set up cross certification between two separate Windows CA environments. I'm not having luck finding any good procedural guidance on how to do this. Can anyone please share any links or material that can be used for reference?

Thanks!

Use client certificates to authenticate with SSTP


We use SSTP in our environment to establish VPN connections to our company. For authentication we use PEAP, which uses a server certificate that we have created for this purpose. This one server certificate is used for all the VPN connections, but we wonder if it's also possible to enforce a client certificate on top of this certificate authentication. Then we can revoke client certificates to disallow clients from connecting to our network.