Channel: Security forum

domain controller certificates


Hi!

I was tasked with creating a root CA in a new domain. There's nothing in the environment except for four 2012r2 domain controllers, which were automatically issued certs when the CA was created. The CA is also 2012r2. Unfortunately, after I configured the CA, I was told that the encryption hash would need to be changed from SHA256 to SHA512. I'm still fairly new to certificates in general, so I was fumbling for a bit.

First, I used certutil to change the CNGHashAlgorithm key to SHA512, but when I went in to properties of the CA I saw that certificate #0 was still showing SHA256. I assume this was because the setting I changed meant that all FUTURE certs issued would be SHA512. That's when I right clicked on the CA and hit "Renew CA Certificate" hoping it would update cert #0 to SHA512, but instead it created a second cert. So now I have two certs with expiration days one day apart and #0 is SHA256 and #1 is SHA512. Then I went in to the personal certs store of one of the DCs and right clicked on the cert and hit renew certificate with new key. Now the hash is SHA512 on the DC, but there's an error that says "This certificate cannot be verified up to a trusted certification authority."

I probably did a million things wrong, but I'm wondering what I can do to clean up this mess. This is going to be a production environment eventually so I would like everything to be best practice if possible. I only renewed the cert on one dc and not the one with all the FSMOs because I didn't know what effect it would have. Any help would be greatly appreciated!
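An added diagnostic for the situation above (not code from the original post): it reports, for every certificate in a machine store, the signature hash algorithm, whether a private key is present and whether the chain builds to a trusted root, and it reads the CA's configured hash algorithm and the list of CA certificate hashes (#0, #1, ...) that a renewal leaves behind. The store path and the exported file name are assumptions; run it elevated on a DC or on the CA.

```powershell
# Added example, not part of the original post.
# Inventory certificates in a store with their signature hash and chain status.
function Get-CertChainReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed store; use Cert:\LocalMachine\Root for the root copies
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert  = $_
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Check revocation online, as a client validating the DC's certificate would
        $chain.ChainPolicy.RevocationMode = 'Online'
        $ok = $chain.Build($cert)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            SigAlgorithm  = $cert.SignatureAlgorithm.FriendlyName   # sha256RSA, sha512RSA, ...
            HasPrivateKey = $cert.HasPrivateKey
            ChainValid    = $ok
            ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
        $chain.Reset()
    }
}

# 1. Hash algorithm the CA will use for certificates it issues from now on
certutil -getreg ca\csp\CNGHashAlgorithm

# 2. CA certificate hashes: after "Renew CA Certificate" this list has more than one entry
certutil -getreg ca\CACertHash

# 3. Which CA certificate each DC certificate chains to, and whether that chain validates
Get-CertChainReport -StorePath 'Cert:\LocalMachine\My' | Format-Table -AutoSize

# 4. Same check for one exported certificate, with the CRL/AIA fetches shown (path assumed)
# certutil -verify -urlfetch C:\temp\dc01.cer
```

A row whose Issuer names the CA but whose ChainValid is False, with a ChainStatus such as UntrustedRoot or PartialChain, points at the root store of that machine rather than at the DC certificate itself: the CA certificate that signed it is not present or not trusted there yet.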


Active Directory Certificate Services Migration 2008r2 to 2012r2


Hello all,

Can someone provide some guidance on the best approach to migrate my 2008r2 ADCS to a 2012r2 server? Here's what I need to do:

-Move ADCS from 2008 server to 2012 server using a different destination server name

-If possible, rename the source root certificate name

I know I can back up the CA config and database, but I think that only works if the destination server name is going to be the same? Would it be easier to set up a parallel ADCS server on 2012 with a new root certificate? If so, how can I migrate the existing clients over to the new CA with minimal impact?

Any suggestions would be appreciated.

Thanks

DiscreteSignatureAlgorithm - Yes or No?


This setting in a PKI enables support for the PKCS #1 v2.1 signature format for certificate requests. It suggests that the property is ADDITIVE and in no way affects other signature algorithms. It is my understanding that this is to allow an increasing number of algorithms (hash and signature) in Cryptography Next Generation (CNG).

1.  What current or upcoming technologies is this used for?  I am about to implement a PKI and am wondering why I should or should not use it.

2.  Is it truly additive only?  In other words, all of my machines are either Windows or Linux; I want to make sure it does not limit the certificate or make it incompatible with any hosts or applications.

In essence, I am looking into why (or why not) I should enable this feature, in terms that go beyond acronyms like PKCS (or even CNG), which mean little to me.

How can you show advanced firewall settings that were applied by a GPO


I am applying advanced firewall settings through a GPO, but other than actually looking at the firewall settings on the target systems I cannot view the settings by using rsop.msc, gpedit.msc, etc. I even tried secpol and attempted to find the appropriate netsh advfirewall command to view settings, with no luck. Any tricks or workarounds?
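An added example for the question above (not from the original post): on Windows 8 / Server 2012 and later, the NetSecurity module can read the firewall's active store, which is the merged result of local policy and every GPO, and each rule carries the name of the policy store it came from. The function below lists only the rules delivered by Group Policy, then the effective profile settings, and finishes with the netsh commands that show the same enforced state on older builds.

```powershell
# Added example, not part of the original post.
# Rules the firewall is currently enforcing that were delivered by a GPO.
function Get-GpoFirewallRules {
    # ActiveStore = what the firewall is enforcing right now (local + GPO rules merged)
    Get-NetFirewallRule -PolicyStore ActiveStore |
        Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Enabled   = $_.Enabled
                Direction = $_.Direction
                Action    = $_.Action
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
                SourceGpo = $_.PolicyStoreSource   # GPO the rule was delivered by
            }
        }
}

Get-GpoFirewallRules | Sort-Object SourceGpo, Name | Format-Table -AutoSize

# Effective per-profile settings (state, default actions, log file), GPO and local merged
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogFileName

# netsh equivalents: the enforced rule set and the profile currently in use
netsh advfirewall monitor show firewall
netsh advfirewall monitor show currentprofile
```

Rules whose PolicyStoreSourceType is Local or Dynamic are deliberately left out; re-run without the Where-Object filter to compare what the GPO adds against what the machine already had.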

EFS disabled via GPO - now I can't access my file


Hi,

Another systems admin disabled EFS via GPO in my organisation, and I can't access my Windows 10 files now - I get access denied or an error. I have access to the original files, the Windows 10 laptop and the certificate being used by my user account for encryption - I found the certificate via the reg key

HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys

The certificate has a purpose of Encrypting File System (1.3.6.1.4.1.311.10.3.4)

But when I view the certificate in the MMC snap-in it doesn't show the private key icon.

I've had a look at creating a new GPO and enabling EFS, but when I look at the GPO below I'm prompted to create\add a Data Recovery agent as one doesn't exist at the moment. Can I use any account for the DRA? What's the best way to decrypt my files in a scenario where EFS has been enabled and then disabled via GPO, but the files remain encrypted?

Computer Configuration\Policies\Windows Settings\Public Key Policies\Encrypting File System 

Thanks
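An added check for the scenario above (not code from the original post): it compares the certificate hash the EFS driver currently points at under the CurrentKeys registry key with the EFS certificates in the user's personal store, reporting whether each still has a private key, and then asks the OS which certificates (user keys and any DRA) can decrypt one file. The registry value name CertificateHash and the file path are assumptions; run it as the affected user, not as an administrator.

```powershell
# Added example, not part of the original post.
# Does the EFS certificate the user encrypted with still have a usable private key?
function Get-EfsKeyStatus {
    $keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    $keys    = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    $current = $keys.CertificateHash   # assumed value name; REG_BINARY SHA-1 hash of the cert
    $currentHex = if ($current) { ($current | ForEach-Object { $_.ToString('X2') }) -join '' }

    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |  # EFS EKU
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint
                IsCurrentKey  = ($_.Thumbprint -eq $currentHex)
                HasPrivateKey = $_.HasPrivateKey   # False here matches the missing key icon in the MMC
                NotAfter      = $_.NotAfter
                Subject       = $_.Subject
            }
        }
}

Get-EfsKeyStatus | Format-Table -AutoSize

# Thumbprints of every certificate that can decrypt this file (user keys and DRA keys); path assumed
cipher /c "C:\Users\me\Documents\secret.docx"
```

If the thumbprint cipher lists for the file appears in the table with HasPrivateKey = False, the blocker is the lost private key rather than the GPO; if cipher lists a DRA thumbprint, that recovery agent's key can decrypt the file regardless of the user's key. A DRA added to a new GPO now only covers files encrypted after the policy applies.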



How else can I use my Enterprise PKI

I successfully set up a 2-tier PKI.  I installed SCCM.  Fortunately, all is working well.  Unfortunately, since I followed a collection of step-by-step guides, I do not have a full understanding of certs.  I have several devices/WebUI (Dell iDRAC, NetVault, etc...) that give me the annoying https warning.  I assume I can use my PKI to issue certificates for these servers (all of them are intranet only) but not sure how to proceed.  Any guidance is much appreciated.  Thanks

ldaps


Hi,

I have a standard CA, and I need to create a certificate for LDAPS for load-balancing purposes.

How can I do that?

Thanks

Requested Certificate template not supported - Denied by Policy Module 0x80094800


From a Windows 2012 R2 Server, I requested a domain certificate from IIS mgr and I rec'd this error under the CA's Failed Requests. I created a duplicate Web Server template and called it "Company Web Server 2012R2". On this template, Authenticated Users has read permissions and the account I am logged on to the requesting server has read & enroll perms. I issued the "Company Web Server 2012R2" template and deployed it so that it shows under certsrv, Issuing CA/Certificate Templates.

On my CA, I issued "Certutil -view -restrict "requested=6"" and the only OIDs I see are related to SMIME:

        [1]SMIME Capability
             Object ID=1.2.840.113549.3.2
             Parameters=02 02 00 80
        [2]SMIME Capability
             Object ID=1.2.840.113549.3.4
             Parameters=02 02 00 80
        [3]SMIME Capability
             Object ID=2.16.840.1.101.3.4.1.42
        [4]SMIME Capability
             Object ID=2.16.840.1.101.3.4.1.45
        [5]SMIME Capability
             Object ID=2.16.840.1.101.3.4.1.2
        [6]SMIME Capability
             Object ID=2.16.840.1.101.3.4.1.5
        [7]SMIME Capability
             Object ID=1.3.14.3.2.7
        [8]SMIME Capability
             Object ID=1.2.840.113549.3.7

and there was this also in the output,

 Request Disposition Message: "Denied by Policy Module  0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: WebServer. 

Needless to say, it does not match the OID of my "Company Web Server 2012R2". 

When I made the request, for Friendly name, I used "Company Web Server 2012R2" as well as "CompanyWebServer2012R2". 

Please advise why it is failing.  Do I also need to deploy the default Web Server template?
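An added set of CA-side queries for the post above (not from the original post): they list the templates the CA is actually publishing, then the denied requests together with the disposition message that names the template each request carried, which is what the 0x80094800 error is about. The disposition codes are the certsrv ones (31 = denied, 30 = failed); the request ID 6 comes from the post.

```powershell
# Added example, not part of the original post. Run on the issuing CA.

# Templates this CA will issue (template name and OID). A request naming any other
# template, including the built-in WebServer template if it is not in this list, is denied.
certutil -CATemplates

# Denied requests with the template name each one asked for
certutil -view -restrict "Disposition=31" -out "RequestID,RequesterName,CertificateTemplate,Request.DispositionMessage"

# One request in full (the post's request was ID 6)
certutil -view -restrict "RequestID=6" -out "RequestID,RequesterName,CertificateTemplate,Request.DispositionMessage"

# Same query as objects, via certutil's CSV output; column names are certutil's display names
function Get-DeniedRequests {
    certutil -view -restrict "Disposition=31" `
        -out "RequestID,RequesterName,CertificateTemplate,Request.DispositionMessage" csv |
        ConvertFrom-Csv
}
Get-DeniedRequests | Format-Table -AutoSize
```

The disposition message in the post says the request was for WebServer, not for the duplicated template: the IIS Manager "Create Domain Certificate" wizard does not take a template name (the friendly name field is only the certificate's display name), so the comparison to make is between the template in the denied request's row and the names that certutil -CATemplates prints.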


certificate authority enrollment policy issue


Hi:

I have a few servers that seem to default to their old domain cert enrollment policy. At some point they were on domainA. They were moved to domainB. Both domains are configured for autoenrollment policies. I know both CAs are working somewhat, as other clients are getting certs. When I attempt to request a new certificate in MMC - Computer Certs and view the AD Enrollment policy, the domainA policy appears. The server is a member of domainB. It gets group policy from domainB. Please help, and thanks,

Jason

How can a user view certificates issued to that user?

I can run MMC as an administrator and add both personal and computer to view the certificates, however, the MMC is run under the context of an administrator account, rather than the logged on user. How can I view the personal certificates issued to the user on a specific Windows 7 instance?

Windows Security Auditing too many logs, this week 14,584. Also lots of GBs taken up in main temp dir; Loc Sec Pol auditing disabled


Here is a sample of what I am deleting this week, from Security in Event Viewer on Windows 7.  Tried all kinds of msconfig variations prior to finding your website, which answered another user who asked about

Windows Security Auditing too many logs.

I also go into event viewer to track these huge numbers, under application and security.  Makes me afraid sometimes that the machine is being hacked, b/c I'm only using MS Defender and MalwareBytes.

This one happened after I went into some strange websites (Israeli news) and froze in Firefox, so I had to task-manage out of the program tonight b/c it was caught in a hung JS script:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/31/2017 9:12:14 PM
Event ID:      4672
Task Category: Special Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Menz-PC
Description:
Special privileges assigned to new logon.

Subject:
    Security ID:        SYSTEM
    Account Name:        SYSTEM
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3e7

Privileges:        SeAssignPrimaryTokenPrivilege
            SeTcbPrivilege
            SeSecurityPrivilege
            SeTakeOwnershipPrivilege
            SeLoadDriverPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege
            SeAuditPrivilege
            SeSystemEnvironmentPrivilege
            SeImpersonatePrivilege
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4672</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12548</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2017-02-01T02:12:14.911251800Z" />
    <EventRecordID>477183</EventRecordID>
    <Correlation />
    <Execution ProcessID="748" ThreadID="852" />
    <Channel>Security</Channel>
    <Computer>Menz-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
            SeTcbPrivilege
            SeSecurityPrivilege
            SeTakeOwnershipPrivilege
            SeLoadDriverPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege
            SeAuditPrivilege
            SeSystemEnvironmentPrivilege
            SeImpersonatePrivilege</Data>
  </EventData>
</Event>

This one below gave me over 14 thousand log events in one week:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/23/2017 1:55:31 PM
Event ID:      4904
Task Category: Audit Policy Change
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Menz-PC
Description:
An attempt was made to register a security event source.

Subject :
    Security ID:        SYSTEM
    Account Name:        MENZ-PC$
    Account Domain:        WORKGROUP
    Logon ID:        0x3e7

Process:
    Process ID:    0x1658
    Process Name:    C:\WINDOWS\System32\VSSVC.exe

Event Source:
    Source Name:    VSSAudit
    Event Source ID:    0xd8f686
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4904</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13568</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2017-01-23T18:55:31.807678800Z" />
    <EventRecordID>462733</EventRecordID>
    <Correlation />
    <Execution ProcessID="748" ThreadID="784" />
    <Channel>Security</Channel>
    <Computer>Menz-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">MENZ-PC$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="AuditSourceName">VSSAudit</Data>
    <Data Name="EventSourceId">0xd8f686</Data>
    <Data Name="ProcessId">0x1658</Data>
    <Data Name="ProcessName">C:\WINDOWS\System32\VSSVC.exe</Data>
  </EventData>
</Event>
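An added example for the two events above (not code from the original post): a small parser for the Event XML that Event Viewer shows, applied first to trimmed copies of the post's 4672 and 4904 records embedded here as sample data, then to the live Security log through Get-WinEvent, grouping by event ID and originating process so the source of a 14,000-event week is visible in one table. It finishes with the auditpol subcategories that generate these two IDs. The seven-day window is an assumption.

```powershell
# Added example, not part of the original post.
# Turn Security event XML into objects: ID, computer, subject, process, privileges.
function ConvertFrom-SecurityEventXml {
    param([Parameter(ValueFromPipeline = $true)][string]$Xml)
    process {
        $e = [xml]$Xml
        $data = @{}
        foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            EventId     = [int]$e.Event.System.EventID
            TimeCreated = $e.Event.System.TimeCreated.SystemTime
            Computer    = $e.Event.System.Computer
            Subject     = $data['SubjectUserName']
            Process     = $data['ProcessName']      # only 4904 carries a process name
            Privileges  = (($data['PrivilegeList'] -split '\s+' | Where-Object { $_ }) -join ',')
        }
    }
}

# Constructed sample input: trimmed copies of the two events in the post
$ev4672 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4672</EventID><TimeCreated SystemTime="2017-02-01T02:12:14.911251800Z" /><Computer>Menz-PC</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="PrivilegeList">SeTcbPrivilege
            SeDebugPrivilege</Data>
  </EventData>
</Event>
'@
$ev4904 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4904</EventID><TimeCreated SystemTime="2017-01-23T18:55:31.807678800Z" /><Computer>Menz-PC</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">MENZ-PC$</Data>
    <Data Name="AuditSourceName">VSSAudit</Data>
    <Data Name="ProcessName">C:\WINDOWS\System32\VSSVC.exe</Data>
  </EventData>
</Event>
'@

$ev4672, $ev4904 | ConvertFrom-SecurityEventXml |
    Group-Object EventId, Process | Sort-Object Count -Descending | Select-Object Count, Name

# Live equivalent over the last 7 days; ToXml() yields the same XML shape the post shows
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672, 4904; StartTime = $since } |
    ForEach-Object { $_.ToXml() } | ConvertFrom-SecurityEventXml |
    Group-Object EventId, Process | Sort-Object Count -Descending | Select-Object Count, Name

# 4904 comes from the "Audit Policy Change" subcategory, 4672 from "Special Logon"
auditpol /get /category:"Policy Change"
auditpol /get /category:"Logon/Logoff"
```

In the post both records are SYSTEM activity on the local machine (4672 is the privileges every SYSTEM logon receives; 4904 is the Volume Shadow Copy service registering its audit source), so the volume is a function of which subcategories auditpol reports as enabled, not of an intrusion; the table makes that attribution explicit before any audit setting is changed.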





Can't use Certificate Authority console on Subordinate CA to install Root CA certificate - Windows Server 2012 R2


Hi

I am using the following article to setup a 2 tier certificate services on Windows Server 2012 R2.

http://blogs.technet.com/b/yungchou/archive/2013/10/21/enterprise-pki-with-windows-server-2012-r2-active-directory-certificate-services-part-1-of-2.aspx

The Subordinate CA installed successfully with warnings: Installation is incomplete. To complete the installation use request file to obtain certificate from Parent CA.

I generated a certificate request file, successfully issued a cert for my Subordinate CA from the Root CA, and copied the .p7b certificate file issued by my Root CA to my Subordinate CA Server.

When I try to access the Certificate Authority on my Subordinate CA Server using mmc or the Certificate Authority admin tool I get the following error:

Cannot manage Active Directory Certificate Services.
The network path was not found. 0x80070035 (WIN32: 53 ERROR_BAD_NETPATH)

If I try to start the CertSvc windows service I get the following error:

Active Directory Certificate Services did not start: Hierarchical setup is incomplete.  Use the request file in C:\abc.req.req to obtain a certificate for this Certificate Server, and use the Certification Authority administration tool to install the new certificate and complete the installation.

Help!

Domain login Netlogon Failure issue


5719, 4231 AND 4227, and the system exhausts all its TCP/IP ports and we are forced to restart; this happens once every 3 to 6 hours.  We need a resolution for this.

Apart from this, we are facing the netlogon failure in application servers (VM instances hosted on an ESXi host). Below are the events which we observed from the Windows event log.

Event ID 4227 - TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed at a high rate, causing all available local ports to be used and forcing TCP/IP to reuse a local port for an outgoing connection. To minimize the risk of data corruption, the TCP/IP standard requires a minimum time period to elapse between successive connections from a given local endpoint to a given remote endpoint.

Event ID 4231 - A request to allocate an ephemeral port number from the global TCP port space has failed due to all such ports being in use.

After either of the logs appeared, we were subsequently disconnected from the network or domain.

Event ID 5719 - This computer was not able to set up a secure session with a domain controller in domain ESABEU due to the following: The RPC server is unavailable. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

Below are the troubleshooting steps we followed to fix the issue, but the issue still persists.

  • Increased the TCP/IP port limit from 1024 to 64511
  • Registry-level settings to allow the port level up to 65535
  • Made a host entry of the DB Server in all Application Servers.
  • Made host entries of the Application Servers in the DB Server
  • Migrated the Application Server to a different ESXi Host.
  • Changed the Network Card speed to Auto-Negotiation on the VM level.
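An added diagnostic for the sequence above (not from the original post): events 4227 and 4231 say the dynamic port range is exhausted, and 5719 is the consequence once Netlogon can no longer open an RPC connection to a DC, so the useful measurement is which process is holding the ephemeral ports and how many are sitting in TIME_WAIT at the moment the events fire. The snapshot below does that, prints the dynamic port range in effect, and pulls the three events from the System log for correlation. The start of the ephemeral range (49152) and the warning threshold are assumptions; adjust them to the range the post's registry change set.

```powershell
# Added example, not part of the original post.
# Snapshot TCP port pressure and the processes consuming ephemeral ports.
function Get-PortPressure {
    param(
        [int]$EphemeralStart = 49152,   # assumed; netsh below prints the real range
        [int]$WarnAt         = 10000    # assumed threshold; the default range holds 16384 ports
    )
    $conns     = Get-NetTCPConnection
    $ephemeral = @($conns | Where-Object { $_.LocalPort -ge $EphemeralStart })
    $top = $ephemeral | Group-Object OwningProcess | Sort-Object Count -Descending |
        Select-Object -First 10 -Property `
            @{ n = 'PID';      e = { $_.Name } },
            @{ n = 'Process';  e = { (Get-Process -Id $_.Name -ErrorAction SilentlyContinue).ProcessName } },
            Count,
            @{ n = 'TimeWait'; e = { @($_.Group | Where-Object State -eq 'TimeWait').Count } }
    [pscustomobject]@{
        EphemeralInUse = $ephemeral.Count
        TimeWaitTotal  = @($conns | Where-Object State -eq 'TimeWait').Count
        Exhausting     = ($ephemeral.Count -ge $WarnAt)
        TopConsumers   = $top
    }
}

$p = Get-PortPressure
$p | Select-Object EphemeralInUse, TimeWaitTotal, Exhausting
$p.TopConsumers | Format-Table -AutoSize

# Dynamic port range currently in effect (this is what the "1024 to 64511" change altered)
netsh int ipv4 show dynamicport tcp

# The three events from the post, all in the System log, most recent first
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4227, 4231, 5719 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
```

A single PID owning most of the ephemeral ports, with the bulk of them in TIME_WAIT, identifies the application opening and closing connections faster than the 4227 text describes; widening the port range, as the post's steps did, only delays the exhaustion until that connection pattern is fixed.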


New CA - Migrating wireless clients

Today we have a CA that we will migrate to a new one. Our wireless clients authenticate with 802.1X, using Windows Server NPS as RADIUS.

Is it possible to somehow migrate the clients to use the new CA without interruptions?

One option I can think of is to temporarily change the setup so that the clients authenticate through Active Directory while getting the new certificates, but if there is any better/simpler way, that would be nice.

Web enrollment Issue


Hi All,

We have a two-tier PKI infrastructure and the web enrollment service is installed on the online Issuing CA server. I am unable to issue a web server certificate using the template "SSLWeb". After submitting the request with the respective CSR and template, the same page comes back. Screenshot attached. I have given permission to my ID and to the computer where the web enrollment service is installed to read and enroll certificates from the template SSLWeb. Kindly provide your thoughts to resolve this issue.

Regards,

Mubasseer


Error with cmdlet: Add-ADComputerServiceAccount


Hello,

We are wanting to test MSA (Managed Service Account) configuration, but are running into some hurdles as we run through the steps. 

We have 2 separate forests (1 domain in each Forest). 
Trust relationship:  “Transitive 2-way Forest trust” enabled between both domains (with “Selective Authentication” set).

Domain A contains MSAs (for this particular example). 
Domain B contains computer accounts (for this particular example)

So, we run the following: 

From DomainA server: 
1) New-ADServiceAccount -SAMAccountName msa_Account1 -Name msa_Account1 -Path "OU=MSAs,OU=Svc Accounts,OU=Project,OU=Company,DC=DomainA,DC=Local" -RestrictToSingleComputer

Step 1 runs just fine. 

From DomainA server:
2) Add-ADComputerServiceAccount -Identity "CN=SRV1,OU=Servers,OU=ENV,OU=Project,DC=DomainB,DC=local" -ServiceAccount msa_Account1

Step 2 fails with:

Add-ADComputerServiceAccount : Cannot find an object with identity: 'CN=SRV1,OU=Servers,OU=ENV,OU=Project,DC=DomainB,DC=local' UNDER: 'DC=DomainA,DC=Local'.

It's trying to find the Computer account in DomainA, even though we explicitly specify the DN of the Computer object in DomainB.

Ideas?

Thanks in advance!

Restore old CA server


Hello,

I tried to migrate my AD CS from a 2008R2 x64 to 2012R2 x64.  Of course the migration failed for no apparent reason, and I could not find an answer.

The role was removed from the old server and added to the new one, thinking I could just start from new, but now all services using certificates are failing.

I still have a snapshot of the old server before I removed the AD CS role from it.  Is there a way to recover AD DS to this state and hope everything starts working again?

Simple Container Name and Unique container Name attribute in Certificate

What is the meaning of the Simple Container Name and Unique Container Name attributes in a certificate from ADCS 2012?

Problem trying to renew subordinate CA certificate


Hi,

http://support.risualblogs.com/blog/2014/05/13/renew-issuingsubordinate-ca-certificate/

I am following these steps to renew my subordinate CA with the same key pairs.

Steps to Renew if Root CA is offline

  • Log onto your Issuing CA and open the Certificate Authority MMC
  • Right click on your Issuing CA > All Tasks > Renew CA Certificate
  • Press Yes to Stop AD Certificate Services
  • Press No to Generate a new Public/Private Pair

I am experiencing a problem whereby the "CA Certificate Request" dialogue box does not appear.  When I click No to generating a new public/private pair, Certificate Services simply starts again; the "CA Certificate Request" dialogue box does not appear at all.

The request file location is c:\certs but no request file is generated.

I found another post that has an apparent identical issue, however the suggested fix is not available.

https://social.technet.microsoft.com/Forums/en-US/7d83f2b3-23fb-412e-9ea2-14d017c00535/subca-certificate-cannot-be-renewed?forum=winserversecurity

The account I am using has Enterprise/Domain and Schema admin permissions.

Any suggestions welcome.

Brian


ADCS CEP/CES servers certificate enrolment command line


Hello everyone,

I'm having a bit of a hassle with a command line to enroll a certificate for a computer without user interaction.

Basically, I have a PKI infrastructure with a CES/CEP server proxying certificate requests from non-domain PCs to the subordinate authority.

Those non-domain clients were configured to request certificates from the CEP server and, through the normal GUI, can enroll for any certificate they need.

Now I want to automate this process through a command line or PowerShell, and I ran this command:

certreq -submit -Username VEDOM1\USERNAME -p PASSWORD -PolicyServer "https://fr004-sca-002.dom1.xxxx.net/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" -attrib "SAN:CertificateTemplate:ConfigMgrWorkgroupClientCertificate-xxxx&DNS=L-CZC0514VVZ.dom1.xxxx.net" -attrib "SAN:CertificateTemplate:ConfigMgrWorkgroupClientCertificate-xxxx&DNS=L-CZC0514VVZ.dom1.xxxx.net" .\sccm_cer_wkg.req C:\Temp\SCCMcertwkg.cer

However, the command prompts me for the CEP server.

Any ideas on what I'm doing wrong? Because I provided this info in the command line ....

Thanks!


Hitch Bardawil
