Channel: Security forum

Problem restoring CA to new server


We have a PKI environment consisting of an (offline) Root CA and two Issuing CAs running Windows Server 2008 R2. I want to migrate the PKI environment to Windows Server 2016. I backed up the Root CA and restored it without problems on the Windows Server 2016 OS. I also backed up the first issuing CA and restored it without problems on the Windows Server 2016 OS.

I backed up the second issuing CA, and when I want to configure AD CS and try to restore the backup, I get the error: The imported certificate does not match the chosen CA type and will not be used. However, the imported key can still be used.

I chose Enterprise CA as the setup type of CA. I chose Subordinate CA as the type of CA. Exactly as I did on the first issuing CA.

I tried it via the MMC CA console. I tried it via the command prompt using certutil (certutil.exe -f -restoredb <path>) but then I see CertUtil: No local Certification Authority; use -config option and CertUtil: No more data is available.

I already made a fresh new backup but that doesn't fix it. I also tried selecting Standalone CA and Subordinate CA (which is wrong, but looking at the error I tried it) but this does not work either. I'm in desperate need of some help.


MSCEP Requirement F5 Load Balancer


Hi All

Are there any docs which explain the requirements for sessions between a frontend PKI infrastructure with SCEP/NDES services and mobile device management services (an example is AirWatch)?

For example, which is the right algorithm to set on load balancing:

1. Round Robin

2. Least connection

3. Others?

Is session persistence necessary? If yes, for how many seconds?

Thanks

Fabio

Krbtgt reset failed. Check to ensure you have sufficient rights to reset the krbtgt account


Hi Everyone,

I am using the interactive krbtgt reset script (New-CtmADKrbtgtKeys.ps1) to reset the krbtgt account. I am a domain admin and enterprise admin. However, I got the error "Krbtgt reset failed. Check to ensure you have sufficient rights to reset the krbtgt account".

I'd appreciate it if you can give me suggestions.

The total duration of impact when running Mode 3 will be approximately: 00:00:00.0624976
Resetting krbtgt key and replicating krbtgt object to all reachable domain controllers...

   WARNING!!! The krbtgt key WILL BE reset AND krbtgt object replication WILL BE triggered if you proceed. Are you sure you wish to proceed?
   If you proceed, the impact duration of Mode 3 (described above) will begin and not end until all DCs obtained the new krbtgt key.
   (Enter 'Y' to proceed or any other key to exit): y

   Resetting krbtgt key.....FAILED
   Krbtgt reset failed. Check to ensure you have sufficient rights to reset the krbtgt account. Replication will be skipped


   Check if krbtgt key on all writable domain controllers was in sync with PDC emulator FAILED. One or more reachable DCs was out of sync with the PDC emulator.


Best regards,

Robert Li
Partner Online Technical Community

Error - The imported certificate does not match the chosen CA type and will not be used. However, the imported key can still be used


After completing installation of the ADCS role and features on node 1, I was trying to install the ADCS role and features on node 2 (node 1 and node 2 are in a cluster).

While configuring role on node 2, at step of selecting private key, I was using option "Use existing private key". 

There were 2 options under it and I was using "Select a certificate and use its associated private key". After importing the .pfx certificate which was generated on node 1, I get the error below.

"The imported certificate does not match the chosen CA type and will not be used. However, the imported key can still be used."
Why am I getting this error? I am selecting the same CA type which was selected on node 1.

Test questions


Hello!

Help me please clarify a couple of questions:

1) You have two Hyper-V servers:

    Server1: UEFI version = 2.3.1; TPM version = 2.0; Type = Physical
    Server2: UEFI version = 2.3.2; TPM version = 2.0; Type = Generation 2 VM

On which server(s) can you enable Credential Guard?

My answer (based on this documentation): on Server1 and Server2.

The right answer: only on Server2.  Why???

2) You need to allow inbound tcp (port 5055) connections to PC1 for Application1 only when computer is connected to the corporate network. You add the following rule:

 New-NetFirewallRule -DisplayName "Application1" -Direction Inbound -LocalPort 5055 -Protocol TCP -Action allow -Profile Domain

Does this meet the goal?

My answer - Yes. The right answer - No. Why???

Thank you in advance,
Michael


Event 4625 help - svchost.exe and encrypted user name


I am getting tons of these errors every day for the past weeks, all having the same account name. I tried decoding the name using base64 but it seems that it uses another encryption. I really do not know what is going on because the process name is System32\svchost.exe, which contains many other processes, and the logon type is using a batch file. I would really appreciate any help on what to look for next.

EventData
  SubjectUserSid: S-1-5-18
  SubjectUserName: ET01$
  SubjectDomainName: WORKGROUP
  SubjectLogonId: 0x3e7
  TargetUserSid: S-1-0-0
  TargetUserName: @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAcDA5AgNAADAzAgMAQDABBQLAkDA4AAOAIEAtAANAMDA4AgMA0CACBAOAkDAFBQLAcDAFBgRAkDAFBARAcDAGBQRAQEA1AQRA0HA
  TargetDomainName:
  Status: 0xc000006d
  FailureReason: %%2313
  SubStatus: 0xc0000064
  LogonType: 4
  LogonProcessName: Advapi
  AuthenticationPackageName: Negotiate
  WorkstationName: ET01
  TransmittedServices: -
  LmPackageName: -
  KeyLength: 0
  ProcessId: 0x120
  ProcessName: C:\Windows\System32\svchost.exe
  IpAddress: -
  IpPort: -
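The TargetUserName in the event above is not plain base64: the payload after the "@@" marker is base64 written backwards, and what it decodes to is reversed UTF-16 text. The following Python is an added example (not part of the post) that decodes exactly the value shown above and explains the other codes in the event. The decoded string has the form TaskScheduler:Task:{GUID}, which is the credential reference the Task Scheduler service uses for a task configured to run with a stored password. The sample event is a constructed "Name: value" rendering of the fields in the post (the post runs name and value together); the NTSTATUS names are from ntstatus.h, and the function names decode_at_at_name, parse_event and triage_4625 are my own.

```python
import base64
import re

# Constructed sample: the fields of the 4625 event shown in the post, written as
# "Name: value" lines (the post shows name and value run together).
SAMPLE_EVENT = """\
SubjectUserSid: S-1-5-18
SubjectUserName: ET01$
SubjectDomainName: WORKGROUP
TargetUserSid: S-1-0-0
TargetUserName: @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAcDA5AgNAADAzAgMAQDABBQLAkDA4AAOAIEAtAANAMDA4AgMA0CACBAOAkDAFBQLAcDAFBgRAkDAFBARAcDAGBQRAQEA1AQRA0HA
TargetDomainName:
Status: 0xc000006d
SubStatus: 0xc0000064
LogonType: 4
LogonProcessName: Advapi
ProcessName: C:\\Windows\\System32\\svchost.exe
"""

# A few NTSTATUS values that appear in 4625 Status/SubStatus (names from ntstatus.h).
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive", 11: "CachedInteractive"}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def decode_at_at_name(name: str) -> str:
    """Decode a 4625 TargetUserName of the form '@@<reversed base64>'.

    Reversing the payload and base64-decoding it yields UTF-16 text (big-endian
    byte order) that is itself reversed, followed by a NUL and two header bytes.
    """
    if not name.startswith("@@"):
        raise ValueError("not an @@-encoded name")
    payload = name[2:][::-1]
    payload += "=" * (-len(payload) % 4)      # restore base64 padding
    raw = base64.b64decode(payload)
    raw = raw[: len(raw) // 2 * 2]            # UTF-16 needs an even byte count
    text = raw.decode("utf-16-be")[::-1]
    return "".join(ch for ch in text if ch.isprintable())  # drop NUL/header


def parse_event(text: str) -> dict:
    """Parse 'Name: value' lines into a dict (the first ':' separates them)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def triage_4625(text: str) -> dict:
    """Explain the numeric codes and decode the target name if it is @@-encoded."""
    f = parse_event(text)
    target = f.get("TargetUserName", "")
    decoded = decode_at_at_name(target) if target.startswith("@@") else target
    guid = GUID_RE.search(decoded)
    return {
        "logon_type": LOGON_TYPES.get(int(f.get("LogonType", "0")), "unknown"),
        "status": NTSTATUS.get(int(f["Status"], 16), f["Status"]),
        "sub_status": NTSTATUS.get(int(f["SubStatus"], 16), f["SubStatus"]),
        "process": f.get("ProcessName", ""),
        "decoded_target": decoded,
        "task_guid": guid.group(0) if guid else None,
    }


if __name__ == "__main__":
    for key, value in triage_4625(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

Read together, the fields point at one cause: logon type 4 (Batch) from svchost.exe is the Task Scheduler service, SubStatus 0xC0000064 (STATUS_NO_SUCH_USER) means the account it tried to use does not exist, and the decoded target is a task's stored-credential reference. The GUID can be matched against the task cache under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks, where each task's Path value names it, so the task with the stale credential can be updated or removed and the events stop.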


what is the meaning of supportedLDAPVersion (2):3,2


Using ldp.exe, we got the printed information:

....

supportedLDAPVersion (2):3,2

What's the meaning?

Does it mean that the current LDAP server is LDAP v2?

Windows 2008 SCEP Network Device Enrollment Service

I was wondering if anyone knows what the prerequisites are for the Network Device Enrollment Service in W2k8?
I know it requires enterprise version of server, but that's all I can find.
I'm specifically wondering if the service can run on a W2k8 Enterprise server as a domain controller.

I have AD certificate service installed and working. I tried to install the role service for the network device enrollment and it requires a domain user account or network service to install.

Selecting Network Service gives an error: "Network service account cannot send authenticated certificate request to a local enterprise CA. Specify a user account."

Selecting a user account gives me this error: "The account is not a member of the local machine's IIS_IUSRS group."
Obviously, since this is a domain controller, you cannot access local users or groups.

I tried to dcpromo the server, add the user account and dcpromo again, and it didn't work.
I tried installing the service on the server as a member server and then dcpromo again, but running dcpromo required certificate services to be uninstalled. Catch 22!

I'm guessing I would have to provision another W2k8 server as a member server to use the SCEP service? But like I said, I couldn't find any prerequisite requirements.




remote desktop

Hello support,


I have a Windows Server 2016 Essentials server. I have set up remote access anywhere using an SSL certificate purchased from GoDaddy. For maintenance I have port 3389 open. My router is a SonicWall. That is how I access the server through RDP, and I know it is not a good idea. What other alternatives do you recommend? I do not want to put TeamViewer or LogMeIn on the server. Can I access the server via the dashboard? Also, if I have a backup of the server (Windows Server Essentials backup) and I have left the external backup drive attached to the server, could that backup be compromised if ransomware hits? For that matter, if I use Windows backup on the workstation and the external USB drive is attached, could that backup be encrypted by the ransomware? I appreciate your help.

Jamshid

Shared Local Account vs Shared Domain Account for Type-2 Interactive Logon?


Ideally, it is surely best to use individual accounts over shared generic accounts whenever possible for authentication. The environment I have inherited contains instrumentation, manufacturing, scales, and research equipment controlled by specialized software used by multiple users to export test results for specific quality control components.

If a shared account had to be used for operational purposes and the machine is attached to an Active Directory domain for patching, which would be the preferable option for authentication: a shared local account or a shared domain account? Which would be the lesser of two evils? What are some of the pros and cons of each, aside from the fact that individual accounts are the way to go in an enterprise environment?

Extra note: if a shared domain account is preferable, I am going to lock the machines down with group policies and AppLocker, so that only the domain account can log in to the restricted PCs, and only during business hours.

Does Microsoft Certificate Store (MCS) support SHA 2 (256)?


Hi there, I have a question. I have an older commercial application (IBM DOORS) that we use that we are trying to convert to use smart card authentication. DOORS can be configured to use MCS for authentication. But, the IBM support site indicates that MCS does not support SHA 2 (512). It does not say anything about SHA 2 (256). I've been searching online, but have been unable to find much information on MCS and what encryption it supports.

Does anyone know if MCS supports SHA 2 (256)?

Full disclosure: I am not an IT professional, so please bear with me.

Thanks in advance for your help!

Mike

Windows VPN

So I have been reading the study guide for 70-411 Administering Windows Server 2012. I have reached the chapter on configuring VPN and routing. My question is, how does this configuration of VPN differ from that of Cisco (where you configure VPN policies on the router)? Can they co-exist together?

HGS Requirements

PKI Monitoring events


Hi Everyone,

Recently I faced an issue: my PKI subordinate CA certificate service went into a stopped state.

I started facing the impact after the CRL expired. The events below were also triggered.

I want to recreate the issue and get the events below again.

Kindly advise what steps need to be taken.

Also advise how to achieve the following:

I want to delete the current CRL from the HTTP and LDAP locations, clear the CRL cache, and reissue the CRL (full and delta).

Certificate Services did not come up and I also received the events below.

Kindly advise what I can do.

==================================================

Event ID 22 — 

Log Name: Application

Source: Microsoft-Windows-CertificationAuthority

Description:  Active directory services could not process request xxxxx due to an error: The revocation function was unable to check revocation because the revocation server was offline: 0X80092013 (-2146885613). The request was for CN=XXXXX.xxx.com.

Event ID 17 -  

Log Name: Application

Source: Micorsoft-Windows-Onlineresponder-RevocationProvider

Description: for configuration issuingCA-OCSP(New) Online responder revocation either has no CRL confirmation or has stale information

Regards

Afsar

How to recover server 2012 R2 from GandCrab V4 ransomware?


Hi,

My Server 2012 R2 was attacked by GandCrab V4 ransomware. How can I recover/remove it from my server, how do I decrypt the important files, and how do I prevent it in future?

I even have a hardware firewall installed; how did it still get infected?

Thank you



Can I use same users if I recreate domain and create users with same name?


Hi,

My server was attacked by ransomware, so I decided to format the system. As I have a backup of the files, I want to confirm whether I can use the same accounts after reinstalling the server OS and domain.

Thank you

Bitlocker encryption on the D Drive with all the data


We want to encrypt our server as we have sensitive data on there. I have no problem setting up BitLocker as I have done this before, but on the server we have a D drive for all the data and I don't think this will be encrypted unless I do it separately, which then requires a password, making things more complicated regarding backups.

Has anyone run into this problem before and found a work around?

Password Expires - Office 365 / Exchange Online Outcome

I have Office 365 Business Premium where passwords are synced to the cloud. We also have Exchange online. We have a password policy that requires users to change their password after X amount of days. What happens when someone doesn't change their password on premises and are out and about using their mobile device with email after the password expires? In my mind email should still work till they log on to their domain joined computer, correct?

aspx web page working with server name but not with ip address


I have an IIS webpage on a windows 2012 server with a static startpage and dynamic aspx content later.

The URL to the static web page works fine in all cases.

The aspx webpage works fine in the following cases

a.) if accessed from the server itself with the ip address

b.) if accessed from other machines with the server name

The aspx webpage does not work (displaying an application specific error which basically tells that the dynamic aspx does not work) in the following cases

c.) if accessed from the server itself with the server name

d.) if accessed from other machines with the ip address

Can you please help me find out how to make it work consistently?

On the server the hosts file contains the server name pointing to the ip address. On the other machines there is no hosts file entry.

The binding of the IIS web page shows 80 and *

My question is similar to

https://social.technet.microsoft.com/Forums/windowsserver/en-US/d54b72dd-ea16-4265-83ed-b9b67febe964/url-work-with-ip-address-but-not-server-name?forum=winserversecurity

but the solution of that page did not solve my problem.

The application pool runs under application pool identity (but I tried changing it to no avail)

What is the Best Practice for publishing Offline Root CA Cert and CRL to Active Directory?


Hi,

I've read and seen in a few labs different approaches to what is published in Active Directory for an Offline Root CA. I've seen just the Root Cert published to AD, as well as the Root Cert and the Root CRL published to AD.

I can understand why the Root Cert is published to AD, but why would the Root CRL need to be published to AD, especially if my Offline Root CA just issues the Cert for my Subordinate Issuing CA?  So looking for Best Practices here.


Thanks for your help! SdeDot
