Channel: Security forum
Viewing all 12072 articles

Can't start Certsrv

Hi Everyone,

I am running Win2k12 R2 Standard. Since I had to recover the server due to a datastore corruption, I am not able to start the Certsrv service. I am getting the following error: "Active Directory Certificate Services did not start: Unable to initialize the database connection for xxx-xxxxxxxxxx-xx. dbtime on page smaller than dbtimeBefore in record 0x0 (WIN32: 0)."

I did some digging and found out that the database might be corrupted. I used esentutl /g on the database and it is suggesting that "the database is not up-to-date. Integrity check may find that this database is corrupt because data from the log files has yet to be replaced in the database. It is strongly recommended the database is brought up-to-date before continuing!"

When using esentutl /r exxx to recover the log file to be inserted into the DB, it always fails due to a missing log file or an invalid parameter.

I also tried to repair the DB, even though it is not recommended, and I ended up with a warning that the start or end of the DB contains an extraordinary amount of information and the DB couldn't be initialized.

The thing here, I think, is that I am not using the recovery options as they should be used. Any suggestion on how to use them with Certsrv?

Most articles refer to the Exchange services, but Certsrv shouldn't be that hard to recover!

I also did a file-level recovery from before the datastore got corrupted, but I still ended up with the "dbtime on page smaller than dbtimeBefore in record 0x0 (WIN32: 0)" error.
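
Added example, not part of the post above: a soft recovery of the AD CS database with esentutl, driven by the paths the CA itself stores in the registry. The CA database is an ESE database like Exchange's, so the same tool applies; what differs is the directories and the log base name. Assumptions: the default base name "edb" (CertSvc writes edb.log, edbNNNNN.log and edb.chk), an elevated session on the CA, and $backupRoot as a location of your choosing.

```powershell
# Added example (not from the original post): soft-recover the AD CS ESE database.
# Assumes the default log base name "edb" and an elevated session on the CA.
$backupRoot = 'D:\CertLogBackup'     # placeholder

$cfg    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$dbDir  = $cfg.DBDirectory           # <CAName>.edb (default %systemroot%\System32\CertLog)
$logDir = $cfg.DBLogDirectory        # edb.log, edb00001.log, ...
$sysDir = $cfg.DBSystemDirectory     # checkpoint file edb.chk
$dbFile = Join-Path $dbDir ("{0}.edb" -f $cfg.Active)

Stop-Service CertSvc -ErrorAction SilentlyContinue

# 1. File copy before any esentutl run: /r writes into the database and /p is destructive.
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null
Copy-Item -Path (Join-Path $dbDir  '*') -Destination $backupRoot -Force
Copy-Item -Path (Join-Path $logDir '*') -Destination $backupRoot -Force
Copy-Item -Path (Join-Path $sysDir '*') -Destination $backupRoot -Force

# 2. Header dump. "State: Dirty Shutdown" means logs still have to be replayed, and
#    "Log Required" names the generation range that must exist in $logDir.
esentutl /mh $dbFile

# 3. Soft recovery = replay the logs. The first argument is the base name, not a file;
#    /l /s /d point esentutl at the log, checkpoint and database directories so it does
#    not search the current directory (the usual source of "missing log file").
esentutl /r edb /l $logDir /s $sysDir /d $dbDir
if ($LASTEXITCODE -ne 0) {
    throw "Recovery failed (exit $LASTEXITCODE); put the backup copy back and check the log generations before retrying."
}

# 4. Only after a successful replay is the integrity check meaningful.
esentutl /g $dbFile
if ($LASTEXITCODE -ne 0) {
    throw "Integrity check failed (exit $LASTEXITCODE); do not start the CA on this database."
}

Start-Service CertSvc
```

If a CA backup from before the corruption exists (certutil -backup, Backup-CARoleService, or a system-state backup), `certutil -restoredb` is the supported route and is preferable to `/p`: a repaired database discards the pages it cannot read, and for a CA those are request and issued-certificate rows, so renewal and revocation of the affected certificates stop working silently. A log generation that is missing cannot be regenerated; if the header lists a generation that is not on disk, recovery is not possible and restoring is the only option.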


Is Microsoft Internet Authority digital certificate (serial 07:27:62:02) legitimate?

I have found a digital certificate "Microsoft Internet Authority" installed on one of our servers, in the administrator's "Intermediate Certification Authorities" store. I don't see a similar certificate on other servers, so I want to find out if it is legitimate.

I have tried internet searches on various pieces of data from the cert (serial number, thumbprint, friendly name etc.) but cannot find much that would indicate that this is indeed a legitimate certificate.

Can someone please tell me either whether it is legitimate, or how I could determine this for myself? NB: the certificate does not contain any revocation information that gives me confidence that this is a legitimate cert.

Certificate details follow:

Version V3
Serial number 07 27 62 02
Issuer GTE CyberTrust Global Root
Valid From 15 April 2010 4:12:26am
Valid To 15 April 2018 4:12:14am
Subject Microsoft Internet Authority
Subject Key Identifier 33 21 f0 cb fe a2 a0 44 92 de f6 3b 33 d8 5f 01 4b 97 78 5d
Thumbprint  e5 95 8d 48 fe 10 d7 34 03 11 e8 c0 3b b2 29 40 da ba 2d a3
Key Usage  Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

Certificate (encoded) follows:

-----BEGIN CERTIFICATE-----
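
Added example, not part of the post above: locate the certificate by thumbprint in every store on the machine and let CryptoAPI build and validate a chain for it. The only value taken from the post is the thumbprint; everything else is generic. The point it demonstrates: only the Trusted Root store is a trust anchor, so a certificate sitting in the Intermediate store proves nothing by itself; what decides legitimacy is whether its signature verifies against a trusted root and whether the issuer still vouches for it (revocation).

```powershell
# Added example (not from the original post): where is this cert, and does it chain?
$thumb = 'E5958D48FE10D7340311E8C03BB22940DABA2DA3'     # thumbprint quoted in the post

$found = @(Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
           Where-Object { $_.Thumbprint -eq $thumb })
if ($found.Count -eq 0) { throw "No certificate with thumbprint $thumb in any store" }
foreach ($c in $found) { "{0}`n   store: {1}" -f $c.Subject, $c.PSParentPath }

$cert = $found[0]
"Issuer : {0}" -f $cert.Issuer
"Valid  : {0:u} to {1:u}" -f $cert.NotBefore, $cert.NotAfter
$aki = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }   # Authority Key Identifier
if ($aki) { "AKI    : {0}" -f $aki.Format($false) }                       # must equal the issuing root's SKI

# Chain build with revocation checking for every element. CryptoAPI verifies each
# signature against the next certificate up and stops at a cert in the Root store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'          # fetch CRL/OCSP from the issuer's URLs
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$ok = $chain.Build($cert)
"Chain valid: $ok"
foreach ($el in $chain.ChainElements) {
    "  {0}`n     thumbprint {1}" -f $el.Certificate.Subject, $el.Certificate.Thumbprint
}
foreach ($s in $chain.ChainStatus) {
    "  problem: {0} ({1})" -f $s.Status, $s.StatusInformation.Trim()
}
```

Two things worth knowing when reading the output. Windows writes intermediate certificates that arrive in TLS handshakes, or that it fetched through an AIA URL, into the Intermediate Certification Authorities store of the account that made the connection, so an intermediate present under one administrator profile and absent on other servers is consistent with that profile having visited a site that served it. And a CA certificate's revocation information is the issuer's CRL; if the certificate carries no CRL distribution point, the chain build above reports `RevocationStatusUnknown` for it, which is a finding in itself rather than a pass. `certutil -verify -urlfetch cert.cer` performs the same checks from the command line and shows every URL it tried.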

ldaps

Hi,

I have a standard CA and need to create a certificate for LDAPS for load-balancing purposes.

How can I do that?

Thanks
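
Added example, not part of the post above: request one Server Authentication certificate whose Subject Alternative Name covers the load-balanced LDAPS name and each DC behind it, with an exportable key so the same certificate can be installed on every DC (and on the load balancer, if it terminates TLS). The hostnames, the CA config string and the template name are placeholders; it is run elevated on one of the DCs and needs Windows Server 2012 or later for Export-PfxCertificate.

```powershell
# Added example (not from the original post): SAN certificate for load-balanced LDAPS via certreq.
$lbName   = 'ldap.corp.example.com'                          # placeholder: VIP name clients connect to
$dcs      = 'dc1.corp.example.com', 'dc2.corp.example.com'   # placeholder: DCs behind the VIP
$caConfig = 'pki01.corp.example.com\Corp Issuing CA'         # placeholder: "Config:" line of certutil -dump
$template = 'CorpLdapsServer'                                # placeholder: Server Authentication template

# Every name a client may validate must be in the SAN; the CN alone is ignored by modern clients.
$sanLines = (@($lbName) + $dcs | ForEach-Object { "_continue_ = `"dns=$($_)&`"" }) -join "`r`n"
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$lbName"
KeyLength = 2048
KeyAlgorithm = RSA
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines

[RequestAttributes]
CertificateTemplate = $template
"@
$inf | Set-Content -Path .\ldaps.inf -Encoding ASCII

certreq -new    .\ldaps.inf .\ldaps.req
certreq -submit -config $caConfig .\ldaps.req .\ldaps.cer
certreq -accept .\ldaps.cer        # binds the issued certificate to the key in LocalMachine\My

# Export certificate + key for the other DCs (and the LB if it terminates TLS).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$lbName" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$pw = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath .\ldaps.pfx -Password $pw | Out-Null
# On each other DC:
#   Import-PfxCertificate -FilePath .\ldaps.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pw
```

A DC picks up a certificate from LocalMachine\My on its own when exactly one qualifies (Server Authentication EKU, a private key, and its own FQDN in the Subject or SAN, which is why each DC name is in the SAN above even when a load balancer sits in front). If several qualify, the selection is not predictable; placing the intended certificate in the NTDS\Personal store (shown as "Active Directory Domain Services" in certlm.msc) makes that store take precedence. Test from a client with `openssl s_client -connect ldap.corp.example.com:636` or ldp.exe with SSL enabled; a load balancer that re-encrypts to the DCs needs each DC's own name to validate on the back-end connection as well.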

Windows 2008r2 automatic logoff no longer works

Our AD server no longer goes to the logon screen after 10 minutes of inactivity. In fact, the screen saver no longer works at all, nor does the power-saving monitor turn-off.

SHA-1 Deprecation

I have a Windows 2003 SP2 internal CA; clients are Windows 7. My query is regarding Microsoft deprecating SHA-1-based certs: will there be any impact on certificates that have been generated via the internal CA? Also, is there any impact on Windows 7 machines, will the internal certificate store of the browsers be auto-upgraded, and do any precautions need to be taken?

Certificates autorenewal not happening

We are less than 30 days away from the expiration of the machine certificates on our network, and they stubbornly refuse to renew themselves. We have a root CA and two subordinate CAs. What is new is that one of the subordinates is Windows 2012 R2 and the other 2008 R2. A year ago we moved to autoenrollment using a GPO.

Checked:

  • The certificate template security has Read, Enroll and Autoenroll for Domain Computers (Authenticated Users have just Read). The renewal period is set to 6 weeks. The cert template is published in AD.
  • The GPO for "Certificate Services Client - Auto-Enrollment" is enabled and set to renew.
  • I don't seem to get any error messages in the log. After a reboot, I get "Certificate enrollment for Local system successfully load policy from policy server" among other informational messages.
  • I can manually renew (certmgr - renew certificate with new key).

What am I missing?


James.

Enterprise PKI: Key Attestation fails with "Error Cannot Process TPM Attestation"

Hello Folks,

I'm currently trying to set up TPM protected computer-certificates with key attestation.

I've set up everything according to WesH's guides ("Setting up TPM protected certificates using a Microsoft Certificate Authority"), however, as soon as the "Key attestation" is enabled (be it "forced" or "force if supported by client"), issuing the certificate fails with the following error:

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 01.02.2017 11:00:41
Event ID: 22
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: IssCA.xxx
Description: Active Directory Certificate Services could not process request 25 due to an error:

The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER).

The request was for xxx\CLIENT1$. Additional information: Error Cannot Process TPM Attestation

"Client1" in the example above is a Win10 v1607 VM with a virtual TPM (the Hyper-V host is also Win10 v1607); however, I get the same error using a physical machine (tested with a Surface Pro 3).

I've tested the key attestation types "User credentials" as well as "Endorsement key"; both result in the same error.

When using "Endorsement key", I can successfully verify that the PKpubKey hash is correctly available on the issuing CA:

PS C:\> Confirm-CAEndorsementKeyInfo -PublicKeyHash d574ec599d6945c7bf7213f6820f9be4f42d0b8979dea8fa5e6005ac90666666
True

Disabling key attestation in the cert template results in successful requests for the same clients. The issuing CA is a fully patched (and freshly installed) Server 2012 R2; the whole environment (domain, PKI) is also freshly installed (using 2012 R2 servers).

During my investigation of this fault I found a suitable MSFT KB article; however, it's only available in the Google cache any longer (no links allowed, KB3154769), thus I assume it is not relevant (also because all my machines are fully patched).

I'd be thankful for any hints on this issue.

thanks in advance,

yours,

Juergen
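
Added example, not part of the post above: the checks on both ends of a TPM key attestation enrollment. On the client it confirms the TPM state, obtains the endorsement key (EK) public-key hash that "Endorsement key" mode compares against, reports whether any manufacturer EK certificate exists at all (without one, "EK certificate" mode cannot succeed), and shows which provider holds the keys behind the machine's existing certificates, since the CA can only attest a key generated by the Microsoft Platform Crypto Provider. On the CA it registers the hash and pulls the CA database's own record of the failed request. Windows 8.1 / Server 2012 R2 or later, elevated; request ID 25 is the one in the event above.

```powershell
# Added example (not from the original post): client-side and CA-side attestation checks.

# ---- on the client ----
Import-Module TrustedPlatformModule
$tpm = Get-Tpm
"TPM present={0} ready={1} owned={2}" -f $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmOwned

$ek = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256
"EK present={0}" -f $ek.IsPresent
"EKpub SHA-256 hash: {0}" -f $ek.PublicKeyHash        # value for Add-/Confirm-CAEndorsementKeyInfo
$ekCerts = @($ek.ManufacturerCertificates).Count
"Manufacturer EK certificates: {0}" -f $ekCerts
if ($ekCerts -eq 0) {
    'No EK certificate on this TPM: only "Endorsement key" (hash list) or "User credentials" mode can work.'
}

# Which provider generated the key behind each machine certificate. A key the CA can
# attest must show "Microsoft Platform Crypto Provider"; a software KSP key cannot be attested.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $prov = certutil -store my $_.Thumbprint | Select-String 'Provider ='
    "{0}`n   {1}" -f $_.Subject, ($prov -replace '^\s*', '')
}

# ---- on the CA ----
# Import-Module ADCSAdministration
# $hash = '<EKpub hash printed on the client>'
# Add-CAEndorsementKeyInfo     -PublicKeyHash $hash
# Confirm-CAEndorsementKeyInfo -PublicKeyHash $hash      # True once the CA trusts this EK
#
# The CA database keeps more detail on the failed request than event 22 shows:
# certutil -view -restrict "RequestID=25" -out "RequestID,Request.StatusCode,Request.DispositionMessage"
```

The CA-side lines are commented out so the block can be run as-is on a client; on the CA, run them with the hash pasted in. One consequence of the provider check is worth stating: a template that forces attestation must also restrict the request to the Platform Crypto Provider (the template's "Cryptography" tab), otherwise a client that happens to generate the key in the software KSP submits a request the CA cannot attest.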

Issuing CA's signature algorithm want to change from RSASSA-PSS to sha1RSA

Hi,

I have one root CA (offline) and one subordinate CA in my environment. All my systems get their certificates from my running sub CA with the signature algorithm RSASSA-PSS, and around 1000+ certificates have been issued from the server. Now there is a new requirement from one of my application vendors: they need the signature algorithm to be sha1RSA. So please confirm whether I can modify the signature algorithm on my running server without impacting existing issued-certificate users.

Please suggest any possible way.

Or do we need to build a new sub CA with the requested signature algorithm? If yes, then how do we do that?


Special Permissions

I have a file server for one of our departments. I have made a main user group containing all employees in that department and have set it with Read & Execute, List folder contents, and Read rights at the root directory, so that everyone can view the files and folders but not edit them. I have made departmental folders for each department, with individual department user groups (Accounting - Accounting Group, ...); each has Modify rights to its departmental folder. For some reason, users in each departmental folder can create a folder with special permissions. What ends up happening is that no one can do anything in these folders except the person that created it. I did not give them those rights. I've looked at everything I can think of and nothing popped out at me.

I cannot figure out a) how the users keep doing this and b) how to prevent it in the future.

Any ideas?
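
Added example, not part of the post above: an audit of a department share for folders whose inheritance has been cut or that carry explicit (non-inherited) ACEs, with the owner named for each, followed by a function that puts inheritance back. The mechanism that makes this possible is worth spelling out, because it is not a permission anyone grants: the user who creates a folder becomes its owner, and an owner always has the right to change the DACL (WRITE_DAC is implied by ownership), regardless of what Modify does or does not include. In addition, a CREATOR OWNER entry inherited from higher up turns into an explicit Full Control ACE for the creator on each new folder. The share path is a placeholder; run as an administrator.

```powershell
# Added example (not from the original post): find and undo per-folder ACL drift.
$root = 'D:\Shares\Dept\Accounting'      # placeholder

function Get-AclDrift([string]$path) {
    foreach ($dir in Get-ChildItem -Path $path -Directory -Recurse -Force) {
        $acl = Get-Acl -Path $dir.FullName
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Owner     = $acl.Owner                      # the creator, normally
                Protected = $acl.AreAccessRulesProtected    # True = "Disable inheritance" was used
                Explicit  = ($explicit | ForEach-Object {
                                "{0}:{1}:{2}" -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
                             }) -join '; '
            }
        }
    }
}

function Reset-Inheritance([string]$path) {
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $false)       # inherit again; do not keep copied entries
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)               # drop the explicit ACEs the creator added
    }
    # Ownership is what let the creator edit the DACL; hand it to Administrators.
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -Path $path -AclObject $acl
}

$drift = Get-AclDrift $root
$drift | Format-Table -AutoSize
foreach ($d in $drift) { Reset-Inheritance $d.Path }
```

To stop it recurring rather than cleaning up after it: remove the CREATOR OWNER entry from the department folder's ACL (it is usually inherited from the volume root) so new folders do not gain a creator-specific ACE, and accept that owners can still edit their own DACL, which only a scheduled run of the reset above or a change of default owner (for example making the users members of a group set as default owner through a file-screen or provisioning process) prevents. Auditing "Change permissions" on the share (Advanced Security Settings, Auditing) records event 4670 with the user who changed a DACL, which answers the "how they keep doing this" question with names.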

Renewal Period for certificates

My question is: by setting the renewal period on my certificate template to 2 weeks, how often does the certificate check for renewal? I don't want my certificate checking every two weeks whether a renewal is needed.
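
Added example, not part of either the "Certificates autorenewal not happening" post or the one above: for every machine certificate it shows which template issued it and whether it is already inside that template's renewal window, then triggers the autoenrollment task and reads its events. The timing behind both questions: the autoenrollment scheduled task (Task Scheduler, Microsoft\Windows\CertificateServicesClient) runs at startup/logon and every 8 hours after that, whatever the template says; the template's renewal period only determines when a certificate counts as due, so a 2-week renewal period changes nothing about how often the check runs. A certificate that carries no template extension, or whose template is no longer published, is never renewed by autoenrollment no matter how the GPO is set. Needs the ActiveDirectory module on the client and an account that can read the Configuration partition; run elevated.

```powershell
# Added example (not from the original posts): which machine certs are due, and what the
# autoenrollment task logged when it ran.
Import-Module ActiveDirectory
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

function Get-TemplateInfo([string]$oid) {
    $t = Get-ADObject -SearchBase $tmplBase -LDAPFilter "(msPKI-Cert-Template-OID=$oid)" `
                      -Properties pKIOverlapPeriod, pKIExpirationPeriod
    if (-not $t) { return $null }
    # Both periods are negative 64-bit counts of 100 ns, little-endian (FILETIME deltas).
    [pscustomobject]@{
        Name         = $t.Name
        ValidityDays = [BitConverter]::ToInt64($t.pKIExpirationPeriod, 0) / -864000000000
        RenewalDays  = [BitConverter]::ToInt64($t.pKIOverlapPeriod, 0)    / -864000000000
    }
}

$now = Get-Date
foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    # 1.3.6.1.4.1.311.21.7 = Certificate Template Information; it carries the template OID.
    $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if (-not $ext) { "{0}: no template extension; autoenrollment will never renew it" -f $c.Subject; continue }
    $oid = [regex]::Match($ext.Format($false), '1\.3\.6\.1\.4\.1\.311\.21\.8(\.\d+)+').Value
    $t = Get-TemplateInfo $oid
    if (-not $t) { "{0}: template {1} is not published in AD" -f $c.Subject, $oid; continue }
    $daysLeft = ($c.NotAfter - $now).TotalDays
    "{0,-40} template={1,-22} expires in {2,6:N1} d, renewal window {3,5:N1} d -> {4}" -f `
        $c.Subject, $t.Name, $daysLeft, $t.RenewalDays,
        $(if ($daysLeft -le $t.RenewalDays) { 'DUE' } else { 'not yet' })
}

# Run the task now instead of waiting up to 8 hours, then read what it logged.
certutil -pulse
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } -MaxEvents 15 |
    Select-Object TimeCreated, Id, @{ n='Message'; e={ ($_.Message -split "`n")[0] } }
```

A certificate listed as DUE that still does not renew after `certutil -pulse` narrows the problem to the enrollment itself, and the AutoEnrollment events then say why (a template the computer can read but not autoenroll, a CA that does not publish that template, or a policy server the client cannot reach). The user-context task writes the same events under the user's logon; `certutil -user -pulse` triggers that one.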

Identify LM hash password

Is there an easy way to identify whether user PCs are using NTLM and not LM in a domain environment?

Second question: I have looked at different articles, even MS KB299656

https://support.microsoft.com/en-au/kb/299656

If I apply Method 1 via Group Policy, what is the impact on user machines?


Muhammad Mehdi
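
Added example, not part of the post above: run on a domain controller, it classifies the last week of successful logons (event 4624) by the NTLM flavour that was actually negotiated, lists the clients still using LM or NTLMv1, and reads the two LSA values that matter. The distinction behind the second question: Method 1 of KB299656 is the policy behind NoLMHash ("Network security: Do not store LAN Manager hash value on next password change"). It stops the LM hash being stored from each user's next password change onwards; existing LM hashes stay in the directory until that change, and the setting does not stop LM or NTLMv1 being negotiated on the wire, which LmCompatibilityLevel controls.

```powershell
# Added example (not from the original post): who is still doing LM / NTLMv1, and what LSA is set to.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$since } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.AuthenticationPackageName -ne 'NTLM') { continue }   # Kerberos logons carry no LM/NTLM version
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = "{0}\{1}" -f $d.TargetDomainName, $d.TargetUserName
        Client  = $d.WorkstationName
        Package = $d.LmPackageName      # "LM", "NTLM V1" or "NTLM V2"
        KeyLen  = $d.KeyLength          # negotiated session key length; 0 = no session security
    }
}

'NTLM logons by package, last 7 days:'
$rows | Group-Object Package | Select-Object Name, Count
'Clients still using LM / NTLMv1:'
$rows | Where-Object { $_.Package -ne 'NTLM V2' } | Group-Object Client, Package | Select-Object Name, Count

$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"NoLMHash = {0}   (1 = LM hash not stored at next password change)" -f $lsa.NoLMHash
$lvl = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel }
       else { 'not set (OS default applies; 3 on Vista/2008 and later)' }
"LmCompatibilityLevel = {0}   (0-2 clients still send LM/NTLMv1; 3-5 send NTLMv2 only; 5 also refuses LM and NTLMv1 as a server)" -f $lvl
```

A DC only sees the network logons that reach it, so run this on each DC (or forward their Security logs) before concluding nothing uses LM. For a domain-wide picture without parsing 4624, the audit-only setting "Network security: Restrict NTLM: Audit NTLM authentication in this domain" logs every NTLM authentication to Microsoft-Windows-NTLM/Operational on the DCs without blocking anything, which is the safe first step before raising LmCompatibilityLevel.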


Strange 2008 R2 AD Login Lockout Issues

We are experiencing some very strange issues with a few AD users on our 2008 R2 server.

We only have 12 or so users, and a few months ago one of them started finding his login locked out when he first tried to log in in the morning. I think it might have been after an overnight forced Win 10 update when his WS-1 rebooted overnight. We would unlock it in AD, and the first few times it was fine; it happened 2-3 times in Nov and Dec. Then we couldn't unlock it, but a password reset seemed to get it unlocked. Then it was fine all of Jan. Then another workstation, WS-2, had a few random lockouts in Jan, but those were unlocked without issue. Last week our shipping WS-3 got locked out; we were able to unlock it, but this week both WS-2 and WS-3 got locked out and we can't get them unlocked.

We have talked to some of our MS tech friends, but no one has a clear solution.

I am confident one of the wise MS techs on this site has the solution...

Thanks!
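
Added example, not part of the post above: finding what keeps locking the accounts. Every lockout is recorded on the PDC emulator as event 4740 whichever DC rejected the password, and 4740 names the machine the bad credentials came from (Caller Computer Name). The bad-password events themselves (4771 Kerberos pre-authentication failure, where status 0x18 means wrong password; 4776 NTLM credential validation) stay on the DC that handled them, so they are read from every DC for the half hour before each lockout. Needs the ActiveDirectory module and rights to read the DCs' Security logs.

```powershell
# Added example (not from the original post): lockout source from 4740, then the failed attempts behind it.
Import-Module ActiveDirectory
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddDays(-7)

function Read-EventData($event) {
    $x = [xml]$event.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName='Security'; Id=4740; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Read-EventData $_
        # In 4740, TargetUserName is the locked account and TargetDomainName the caller computer.
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; CallerComputer = $d.TargetDomainName }
    }
$lockouts | Format-Table -AutoSize

$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($l in $lockouts) {
    "--- {0:u}  {1} locked out; caller {2}" -f $l.Time, $l.User, $l.CallerComputer
    foreach ($dc in $dcs) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName='Security'; Id=4771,4776; StartTime=$l.Time.AddMinutes(-30); EndTime=$l.Time } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $d = Read-EventData $_
                if ($d.TargetUserName -ne $l.User) { return }
                $src = if ($_.Id -eq 4771) { $d.IpAddress } else { $d.Workstation }
                [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated; Id = $_.Id; Source = $src; Status = $d.Status }
            }
    }
}

# Accounts locked right now
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
```

The Source column is the machine to look at; on it, `cmdkey /list` shows saved credentials, `schtasks /query /v` scheduled tasks running as the user, and mapped drives or a phone mail profile that kept an old password are the usual culprits after a reset or a reboot. An account that cannot be unlocked at all is being re-locked within seconds of the unlock, which the timestamps in the 4740 list show.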

Kerberos Constrained Delegation

I have 4 machines:

  • one machine with the Domain Controller,
  • one machine with Analysis Services,
  • one machine with IIS,
  • one machine with the application.

The goal is to open the application and have the user impersonated to the Analysis Services instance through the IIS server.

I have tried this schema in two different environments. In the first environment it is required to set SPNs for Analysis Services on an unattended service account in order to delegate user credentials; in the second environment the SPNs are not required in order to delegate the credentials.

The two environments have the same domain and forest functional level (Windows Server 2012 R2) and all machines are Windows Server 2012 R2. The first environment is from a provider and the second is virtual machines on a desktop computer. I also checked that the domain controller in the virtual machines does not have any SPN registered under the account which is set as the application pool identity on the IIS web server.

So is there any reason or some configuration that makes SPNs necessary or not?
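
Added example, not part of the post above: a dump of the SPNs and delegation attributes on every identity in the hop chain, which is what decides whether Kerberos, and therefore constrained delegation, can work. Two facts explain why SPNs appear necessary in one environment and not in another. A computer account's HOST/<name> SPN stands in for HTTP/<name>, so when IIS runs as a built-in identity (Network Service, ApplicationPoolIdentity) nothing has to be registered; when the app pool runs as a domain user, HTTP/<fqdn> must be on that user, and with IIS kernel-mode authentication enabled the site also needs useAppPoolCredentials="true", otherwise the ticket is decrypted with the computer account's key and authentication falls back to NTLM. Analysis Services has no such alias: its service account must hold MSOLAPSvc.3/<fqdn> explicitly, and the delegating account must list that SPN. Account and host names below are placeholders.

```powershell
# Added example (not from the original post): SPN and delegation audit along client -> IIS -> SSAS.
Import-Module ActiveDirectory
$iisHost      = 'web01'       # placeholder: IIS computer account
$iisAppPoolId = 'svc-web'     # placeholder: domain user running the app pool, or $null for a built-in identity
$ssasHost     = 'ssas01'      # placeholder
$ssasSvcAcct  = 'svc-ssas'    # placeholder: SSAS service account, or $null if it runs as a built-in identity

function Show-Delegation([string]$sam, [bool]$isComputer) {
    $props = 'servicePrincipalName', 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
    $o = if ($isComputer) { Get-ADComputer -Identity $sam -Properties $props }
         else             { Get-ADUser     -Identity $sam -Properties $props }
    "== {0}" -f $o.DistinguishedName
    "   SPNs           : {0}" -f ($o.servicePrincipalName -join ', ')
    "   Unconstrained  : {0}   Protocol transition: {1}" -f $o.TrustedForDelegation, $o.TrustedToAuthForDelegation
    "   Constrained to : {0}" -f ($o.'msDS-AllowedToDelegateTo' -join ', ')
}

# Hop 1, client -> IIS: the ticket is for the app-pool identity's SPN (HOST/ on the computer
# account covers HTTP/ when a built-in identity is used).
Show-Delegation $iisHost $true
if ($iisAppPoolId) { Show-Delegation $iisAppPoolId $false }

# Hop 2, IIS -> SSAS: the identity doing the delegating must list MSOLAPSvc.3/<ssas fqdn>
# in msDS-AllowedToDelegateTo, and that SPN must sit on the account SSAS runs as.
Show-Delegation $ssasHost $true
if ($ssasSvcAcct) { Show-Delegation $ssasSvcAcct $false }

# Duplicate SPNs break Kerberos quietly (the KDC encrypts the ticket for whichever account it finds first).
setspn -X -F

# On the IIS host, the kernel-mode setting that decides which key decrypts the ticket:
#   %windir%\system32\inetsrv\appcmd list config /section:windowsAuthentication
```

From a client, `klist` right after opening the application is the quickest confirmation: a ticket for HTTP/<iis fqdn> means hop 1 used Kerberos; if the list shows no such ticket, the site authenticated with NTLM and no delegation can occur regardless of how the accounts are configured.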


implementing new root CA

Hi All,

In our environment we have a root CA with the following configuration: RSASSA-PSS (4096-bit), SHA1, Windows 2008. This was configured in 2014 and the certificate expires in 2024. We have 2 issuing CAs with 5 years' validity; the issuing CAs expire in 2019.

Now we are planning to implement a new root CA with RSA (4096), SHA-256 and Windows 2012. We are planning to perform the steps below to achieve the implementation with impact to existing users:

1) Implement the new offline root CA.

2) Create a certificate request from the issuing CAs and generate the certificate from the new root CA.

3) Configure the certificates on the issuing CAs.

4) Re-enroll all the end-entity certificates.

5) Keep the existing root CA till 2019, because all the issuing CA certificates will expire in 2019.

6) Create a CRL every year from the old root CA and publish it till 2019.

Please let me know your feedback about this approach.

We have around 25,000 users using mail encryption; I would like to know whether any problem is foreseen for these users with this approach.

Thanks and Regards,

Hariharan
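
Added example, not part of the post above: steps 2 and 3 of the plan done so that everything the issuing CAs have already issued keeps chaining. Renewing with ReuseKeys keeps the issuing CA's key pair, so the new CA certificate carries the same public key and Subject Key Identifier that existing end-entity certificates reference in their Authority Key Identifier; the chain engine can then build from an old user certificate through either issuing CA certificate to either root. It runs elevated on an issuing CA; file paths are placeholders.

```powershell
# Added example (not from the original post): re-parent an issuing CA under the new root without a key change.

# 1. Renewal request with the existing key; the .req is written to CertEnroll.
certutil -renewCert ReuseKeys
$req = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.req" |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
"Take {0} to the new offline root and sign it there (certreq -submit <file>.req)." -f $req.FullName

# 2. Back on the issuing CA: install what the new root returned and restart.
certutil -installCert C:\Transfer\IssuingCA-G2.crt      # placeholder path
Restart-Service CertSvc

# 3. Proof on a certificate issued before the change (exported beforehand; placeholder path).
$old   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Transfer\existing-user.cer'
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$null = $chain.Build($old)
foreach ($el in $chain.ChainElements) {
    "{0}`n   thumbprint {1}   signed with {2}" -f $el.Certificate.Subject, $el.Certificate.Thumbprint,
                                                 $el.Certificate.SignatureAlgorithm.FriendlyName
}
foreach ($s in $chain.ChainStatus) { "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }
```

Two points on steps 5 and 6 of the plan. The old root's CRL has to remain reachable at the CDP URL written into the issuing CA certificates until the last of those expires in 2019; `certutil -crl` on the old root followed by `certutil -dspublish -f <root>.crl` on a domain member keeps the AD copy current, and the HTTP copy has to be refreshed the same way. And for the 25,000 S/MIME users, re-enrollment only has to preserve the old key pairs: mail encrypted to the old certificates stays readable as long as those keys remain in the users' stores (archive, never delete, the old certificates at re-enrollment), and the chain build above is the test to run on one old user certificate before the rollout.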

How can you show advanced firewall settings that were applied by a GPO

I am applying advanced firewall settings through a GPO, but other than actually looking at the firewall settings on the target systems, I cannot view the settings by using rsop.msc, gpedit.msc, etc. I even tried secpol and attempted to find the appropriate netsh advfirewall command to view the settings, with no luck. Any tricks or workarounds?
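
Added example, not part of the post above: it reads the firewall rules and profile settings in force on a machine straight from the firewall engine, marks which of them came from Group Policy, and diffs them against the rules stored in one GPO. The NetSecurity cmdlets need Windows 8 / Server 2012 or later; the GPO name and domain are placeholders, and "domain\GPO name" is the store path format the -PolicyStore parameter accepts for a GPO.

```powershell
# Added example (not from the original post): effective firewall policy, with Group Policy provenance.
$domain = 'corp.example.com'            # placeholder
$gpo    = 'Server Firewall Baseline'    # placeholder

# ActiveStore = what the engine is applying now, wherever each rule came from.
$active  = Get-NetFirewallRule -PolicyStore ActiveStore
$fromGpo = $active | Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' }
$fromGpo | Select-Object DisplayName, Direction, Action, Enabled, Profile, PolicyStoreSource |
    Sort-Object DisplayName | Format-Table -AutoSize

# Profile state as enforced: default actions and whether locally defined rules are still merged in.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, AllowLocalFirewallRules, AllowLocalIPsecRules

# Ports and addresses live on companion objects, not on the rule itself.
foreach ($r in $fromGpo) {
    $p = $r | Get-NetFirewallPortFilter
    $a = $r | Get-NetFirewallAddressFilter
    "{0}: {1} {2} {3}/{4} remote {5}" -f $r.DisplayName, $r.Action, $r.Direction, $p.Protocol,
                                          ($p.LocalPort -join ','), ($a.RemoteAddress -join ',')
}

# Intended vs applied: the GPO's own rule list against the rules that arrived tagged with it.
$intended = Get-NetFirewallRule -PolicyStore "$domain\$gpo"
$applied  = $fromGpo | Where-Object { $_.PolicyStoreSource -eq "$domain\$gpo" }
Compare-Object -ReferenceObject $intended -DifferenceObject $applied -Property DisplayName, Enabled, Action, Direction
```

An empty result from the final Compare-Object means every rule in the GPO landed as written. On Windows 7 / 2008 R2, where these cmdlets do not exist, `netsh advfirewall monitor show firewall` and `netsh advfirewall monitor show firewall rule name=all` show the effective state (the `monitor` context, not `firewall`, is the one that reflects policy), and `gpresult /h report.html` produces an HTML report with a Windows Firewall with Advanced Security section that rsop.msc does not render.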


New CA Cert Keeps Disappearing

Hello Everyone,

I'm updating our internal 3-tier Server 2008 PKI to support SHA-256.

I've already converted the Root and INT servers to SHA-256 without issues. However, every time I import my new CA/issuing server cert, it disappears after 'x' amount of time.

My process is as follows:

  1. Right-click the CA -> All Tasks -> Renew CA Cert
  2. Go to my INT server and issue a new cert with the REQ -> Export the CER -> Bring it to my CA
  3. I right-click the CA -> All Tasks -> Install Cert -> The cert successfully installs and I see "Certificate #2" under Properties/General
  4. I'm able to successfully issue new certs with the complete SHA-256 chain
  5. I generate new CRLs and import them into my CRL location from the INT and CA, which fixes the "Error" I get in Enterprise PKI

After an unknown amount of time, though, Certificate #2 just disappears! I thought it might be GP throwing something back at me, but I did a gpupdate and the cert was still present.

I've followed this guide: https://blogs.technet.microsoft.com/askds/2015/10/26/sha1-key-migration-to-sha256-for-a-two-tier-pki-hierarchy/

I confirmed with the author a year ago (in the comments) on a couple of things. Sadly this wasn't completed back then; it wasn't deemed a "high priority" even though I argued for it. Now I'm scrambling for the Jan. cutoff of SHA1.

My understanding of certs is kinda limited. It's something we rarely touch here since it normally just "works".

We're running an AD environment here.

Any help on this would be appreciated.

On a side note: as mentioned, I'm running a 3-tier PKI. I wasn't the original implementer, and the use of 3-tier simply isn't needed here. Probably a stupid question, but if I were to just create a new template on the Root for the CA and issue the CA's cert directly from the Root, would this "magically" turn it into a 2-tier so I can decom the INT?


Sha2 Sub CA with SHA1 root CA

Hi All,

background first

I've inherited a root CA which was 2003 SHA1, migrated to a new VM 2008, also SHA1 (backup/restore migration).

I needed to replace the 2003 sub CA (SHA1) with a new 2008 sub CA (SHA2).

So I decided to create a new sub and not migrate the data, leaving me with a 2008 root SHA1, a 2003 SHA1 sub and a new 2008 SHA2 sub. (I may be wrong, but I believe that's workable, although not a fully SHA2-secure environment.)

Long story short, I now have my 2008 SHA2 sub CA up and running and I can issue a SHA2 cert from it; however, when I issue a cert I still get a cert warning for SHA1, because my sub CA retrieves its cert from the root and gets a SHA1. I've renewed the cert 3 times to no avail.

I tried copying the subordinate template and manually requesting from the new template, but it fails with an error that relates to the expiration period; I guess it doesn't like the same name on the template "subca".

Is it possible to retrieve a SHA2 cert for my sub CA from the SHA1 root?

if so any links or advice would be greatly appreciated

Thanks Steve
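
Added example, not part of the post above nor of the earlier "Issuing CA's signature algorithm" post; it serves both. It inspects and changes what an AD CS CA signs with. The CA applies whatever hash and padding are configured at signing time, which settles both questions: the settings govern only certificates and CRLs signed after the restart, nothing already issued changes (so switching a sub CA away from RSASSA-PSS does not touch the 1000+ existing certificates), and a CA's own certificate keeps its current signature until its parent re-signs it (so a sub CA renewed three times under a root still configured for SHA-1 comes back SHA-1 three times; the change has to be made on the root before the renewal request is signed). One precondition: a CA whose key lives in a legacy CryptoAPI CSP, typical for one that started life on Windows 2003, cannot produce SHA-2 signatures until the key is migrated to a Key Storage Provider. Run elevated on the CA whose signatures you want to change.

```powershell
# Added example (not from the original posts): what this CA signs with, and how to change it.
$ca = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
"CA: $ca"

# Where the key lives decides what is possible: a KSP can sign SHA-2, a legacy CSP cannot.
certutil -store my $ca | Select-String 'Provider ='

certutil -getreg ca\csp\CNGHashAlgorithm              # KSP-backed CA: SHA1 / SHA256 / ...
certutil -getreg ca\csp\AlternateSignatureAlgorithm   # 1 = RSASSA-PSS, 0 = PKCS#1 v1.5 (shaXXXRSA)
certutil -getreg ca\csp\HashAlgorithm                 # CSP-backed CA: CAPI alg id, 0x8004 = SHA1

# Switch to SHA-256 with PKCS#1 v1.5 padding (that combination is what "sha256RSA" names),
# then restart so the service re-reads the registry.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
certutil -setreg ca\csp\AlternateSignatureAlgorithm 0
Restart-Service CertSvc

# Verify on the next signature this CA produces: publish a CRL and dump its algorithm.
certutil -crl
$crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crl.FullName | Select-String 'Signature Algorithm' -Context 0,2
```

For the SHA1-root case: run the block on the root, then on the sub CA `certutil -renewCert ReuseKeys` and have the root sign the resulting request; the sub CA's certificate now says sha256RSA and the warning on its issued certificates goes away, while the sub CA's own CNGHashAlgorithm controls what it issues. For the vendor case: vendors asking for "sha1RSA" usually mean PKCS#1 v1.5 padding rather than PSS, which AlternateSignatureAlgorithm 0 alone provides; confirm that sha256RSA is acceptable before also setting CNGHashAlgorithm back to SHA1, because going back to SHA-1 signatures is the part that later causes browser and client warnings.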

Allow DMZ servers to communicate to domain controller servers.

Hi, 

We have a mix of Windows 2012 and Windows 2008 servers, and Windows 2008 domain controllers in our environment.

We moved a few domain-joined servers from the LAN to the DMZ outside the firewall and configured our firewall to allow a list of ports, hoping the servers can still communicate with Active Directory. We followed the instructions in this link

https://technet.microsoft.com/en-us/library/ff432698.aspx and opened the following ports. I am able to RDP to the server from the LAN, but authentication is very, very slow. Please advise if there is something we have missed. Thanks.

  • UDP 53 – DNS queries
  • TCP 88 – Kerberos v5 over TCP
  • UDP 88 – Kerberos v5 over UDP
  • TCP 135 – Microsoft Remote Procedure Call Endpoint Mapper
  • UDP 389 – Unsecure LDAP over UDP
  • TCP 389 – Unsecure LDAP over TCP
  • TCP 443 – WSUS Windows Updates
  • TCP 445 – Server Message Block protocol
  • TCP 1688 – Key Management Server
  • TCP 3268 – Global Catalog requests
  • TCP 3389 – Remote Desktop for management purposes
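
Added example, not part of the post above: run from the DMZ member server against one DC, it probes the TCP ports a domain member uses, including a few the list above omits (464 for Kerberos password changes, 636 and 3269 for LDAPS and Global Catalog over TLS, 9389 for AD Web Services), and then exercises the two things a slow logon is normally waiting on: DC location and the Netlogon secure channel. The part of the list that is structurally missing is the RPC dynamic range. TCP 135 is only the Endpoint Mapper; Netlogon and LSA RPC calls then go to a port in the dynamic range (49152-65535 on Windows Server 2008 and later), and a blocked dynamic port shows exactly as a logon that works but is slow, because each call sits through a TCP timeout before the client gives up on it. The DC name is a placeholder; Test-NetConnection needs Windows 8.1 / 2012 R2 or later.

```powershell
# Added example (not from the original post): DMZ-to-DC reachability check.
$dc = 'dc1.corp.example.com'     # placeholder; use the address the firewall rule actually names

$tcp = [ordered]@{
    53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP'; 445='SMB'; 464='Kerberos password change'
    636='LDAPS'; 3268='Global Catalog'; 3269='Global Catalog over TLS'; 9389='AD Web Services'
}
foreach ($port in $tcp.Keys) {
    $ok = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    "{0,5}/tcp  {1,-8}  {2}" -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' }), $tcp[$port]
}

# DC locator (SRV lookup) and the secure channel: the two things logon waits on.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" -Type SRV -Server $dc |
    Select-Object NameTarget, Port
nltest "/dsgetdc:$env:USERDNSDOMAIN" /force
nltest "/sc_verify:$env:USERDNSDOMAIN"

# The dynamic range this DC hands out (run on the DC):   netsh int ipv4 show dynamicport tcp
# The endpoints it has registered, seen from the DMZ:    PortQry.exe -n $dc -e 135
# A single sampled port from the range; "False" here means blocked OR nothing listening, which is
# why PortQry against the mapper is the authoritative check.
Test-NetConnection -ComputerName $dc -Port 49152 -InformationLevel Quiet -WarningAction SilentlyContinue
```

Opening 445 and the RPC range from the DMZ to a domain controller also opens the path an attacker who lands on a DMZ host would use to reach the directory; if the DMZ servers must stay domain-joined, a read-only domain controller in the DMZ with only its replication ports allowed inbound to the LAN keeps the writable DCs out of reach of that segment.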

Apache TomCat fails to start with Certificate Issued from a Microsoft CA

Hi All,

I have an issue at the moment involving Apache and a certificate issued from a Microsoft internal CA. We have a new application that requires SSL and is Apache-based. I have successfully generated a key file from Apache, as well as a corresponding CSR, which I generated the certificate from.

However, when I attempt to use the certificate generated by the internal CA, the Apache service fails to start, giving the following message:

"Windows could not start Apache 2.2 on Local Computer... contact the vendor and refer to service-specific error code 1"

In the system event log the following is recorded:

"The Apache 2.2 service terminated with service-specific error Incorrect function."

If I revert to the self-generated certificate, the service starts with no issue at all.

Has anyone got any idea what the issue could be?
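
Added example, not part of the post above: getting a CA-issued certificate into the form mod_ssl reads and checking it against the key before touching httpd.conf. mod_ssl wants PEM (Base64 between "-----BEGIN CERTIFICATE-----" lines); a Microsoft CA hands out DER (.cer) by default, or a PKCS#7 bundle (.p7b) when "certificate chain" was chosen on the download page, and Apache refuses to start on either. A certificate that does not match SSLCertificateKeyFile, or a key with a passphrase (a Windows service cannot answer the prompt), fails the same way. The service error ("Incorrect function", code 1) is generic; the real reason is in Apache's logs\error.log. Paths, the bundled openssl.exe location and the server name are placeholders.

```powershell
# Added example (not from the original post): normalize the CA's output to PEM and prove it matches the key.
$openssl  = 'C:\Apache22\bin\openssl.exe'                 # placeholder: openssl shipped with Apache
$fromCa   = 'C:\Apache22\conf\server-from-ca.cer'         # placeholder: what the CA returned
$pem      = 'C:\Apache22\conf\server.crt'                 # SSLCertificateFile
$chainPem = 'C:\Apache22\conf\chain.crt'                  # SSLCertificateChainFile (issuing CA certs, PEM)
$key      = 'C:\Apache22\conf\server.key'                 # SSLCertificateKeyFile
$serverCn = 'app.corp.example.com'                        # placeholder: CN in the CSR

$first = Get-Content -Path $fromCa -TotalCount 1 -ErrorAction Stop
if ($first -like '-----BEGIN CERTIFICATE-----*') {
    Copy-Item $fromCa $pem -Force                                    # already PEM
} else {
    & $openssl x509 -inform DER -in $fromCa -out $pem 2>$null        # bare DER certificate
    if ($LASTEXITCODE -ne 0) {
        # PKCS#7 bundle: write every certificate out, then split the server cert from the CA certs
        & $openssl pkcs7 -inform DER -in $fromCa -print_certs -out "$pem.all"
        $blocks = [regex]::Matches((Get-Content "$pem.all" -Raw), '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----')
        $leaf = $blocks | Where-Object { ($_.Value | & $openssl x509 -noout -subject) -match [regex]::Escape($serverCn) }
        if (-not $leaf) { throw "no certificate for $serverCn in the bundle" }
        $leaf.Value | Set-Content -Path $pem -Encoding ASCII
        ($blocks | Where-Object { $_.Value -ne $leaf.Value } | ForEach-Object { $_.Value }) -join "`n" |
            Set-Content -Path $chainPem -Encoding ASCII
    }
}

# Key must be unencrypted and must belong to this certificate.
if ((Get-Content -Path $key -TotalCount 2) -match 'ENCRYPTED') {
    throw "$key is passphrase-protected; strip it first: openssl rsa -in server.key -out server.key"
}
$certMod = & $openssl x509 -noout -modulus -in $pem
$keyMod  = & $openssl rsa  -noout -modulus -in $key
if ($certMod -ne $keyMod) { throw 'certificate and key do not belong together (modulus mismatch)' }

& $openssl x509 -noout -subject -issuer -dates -in $pem
'OK: server.crt is PEM and matches server.key'
```

If the modulus check passes and the service still stops, the remaining usual suspect is the chain: an internal CA's certificate is not in Apache's trust, so SSLCertificateChainFile must point at the PEM issuing-CA certificate(s) written to chain.crt above, and error.log then names the exact line it objects to.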

you need not have administrator privileges on the server

I can access the shared disk on this node. Please help me add this node to the cluster.


