Channel: Security forum
Viewing all 12072 articles

What is it all about AD PKI certificates and Exchange/Outlook keys

Hello,
We run a Windows 2008 R2-based AD-integrated PKI and Exchange 2016 on-premises. Due to a user auto-enroll certificate policy, an email signing and encryption certificate is issued and published in AD. From what I understand, these certificates are also finally linked to the user in the GAL and OAB of Exchange/Outlook.
I have some questions regarding this:
- Why are expired certificates still kept in AD? Actually, I feel like only one expired and the valid one are kept, so I usually have 2 certificates for each user (unless the user is quite new). Am I right?
- Recently, about one week ago, I deleted some certificates from my AD user account in order to keep only one certificate, which is valid and the right one. I had some issues with mail encryption while I played around with requesting certificates to my own user account, and once I was done I deleted all published certificates from my AD account, hoping that in the GAL/OAB only my one and only valid certificate will apply. But if I now have a look at the Exchange Address Book and import my contact to Outlook, I still always have two certificates there, the correct one and the previous one, which is even set as default. This issue is discussed here: https://social.technet.microsoft.com/Forums/en-US/88dd81be-d077-41c0-a268-2d62239f3aa2/messed-up-email-security-certificate-information-with-adpkiexchange-for-an-user?forum=Exch2016MFSM
- All the other users who really have two certificates published in AD, but one is expired, also have this expired one set as default in the GAL/OAB (I can actually only figure this out if I start importing the Exchange Address Book user as a contact into Outlook). Why is the expired certificate always still there, and why is it always set as the default one?
- Shouldn't the GAL/OAB reflect 1:1 the AD-published user certificates for email signing and encryption? How can I tell which public key of a user I am using from the GAL/OAB in order to sign an email message?
- Can anyone tell me how user certificate auto-enrollment renewal works? Does the user only get a new certificate based on the existing private key? Or is a whole pair re-issued? I am asking because I wonder what will happen with messages one received 3 years ago if he now has a new private key (and has not backed up the old one)?

kind regards,
Dieter Tontsch

Problem restoring CA to new server


We have a PKI environment consisting of an (offline) Root CA and two Issuing CAs running Windows Server 2008 R2. I want to migrate the PKI environment to Windows Server 2016. I backed up the Root CA and restored it without problems on the Windows Server 2016 OS. I also backed up the first issuing CA and restored it without problems on the Windows Server 2016 OS.

I backed up the second issuing CA, and when I want to configure the AD CS and try to restore the backup, I get the error: The imported certificate does not match the chosen CA type and will not be used. However, the imported key can still be used.

I chose Enterprise CA as the setup type of CA. I chose Subordinate CA as the type of CA. Exactly as I did on the first issuing CA.

I tried it via the MMC CA console. I tried it via command prompt using certutil (certutil.exe -f -restoredb <path>), but then I see CertUtil: No local Certification Authority; use -config option and CertUtil: No more data is available.

I already made a fresh new backup but that doesn't fix it. I also tried selecting Standalone CA and Subordinate CA (which is wrong, but looking at the error I tried), but this does not work either. In need of some desperate help.

[Edit:]
I tried restoring the backup from the first issuing CA and this works without problems. There is something wrong with the backup from the second issuing CA. I already made a new backup (as I said) but the new backup from the second issuing CA is still not working. What can I do now?

Ports required to Connect to ADCS Server from workstations using MMC


I'm currently struggling to connect to the CA server from my workstation using MMC. My workstation is on a different network with a firewall in between.

Looking at the logs on my workstation, port 135 to the CA server was successful, but that is it. No other information.

I have checked online but can't find any information regarding firewall access from a workstation to CA servers using MMC.

I was wondering if anyone can help.

I am using ADCS on server 2016 which is hosted in Azure.

Revocation of certificates issued through NDES/SCCM/Intune


We have a Microsoft PKI implementation that uses NDES and a unified SCCM/Intune configuration to deploy SCEP profiles and device certificates to mobile devices. This article implies that certificate revocation should be automatic after events such as device wipes or users dropping out of the SCEP profile target group.

Would it be possible to confirm the expected behaviour and point me towards any supporting information, please?

Many thanks

CEP - CES non domain joined computers


Hey everyone,

I have followed https://vincenttechblog.com/install-configuring-cepces-online-responders-ndes-ca-security/ for issuing a computer certificate for non-domain joined machines (SCCM clients PKI).

The list for issuing certificates stays empty ...


Can anyone point me out ...

Renewal period for certificate


We have a root CA which is issuing the certificates. The root CA's validity period is about to expire and I renewed it today for another five years.

My problem is that all the computer certificates are showing an expiry date by the end of the month, since they were issued prior to today's date.

The certificate renewal period is about 6 weeks and the certificate is valid for 1 year on the template. The reason all will expire by the end of the month is the root CA's cert. Now that I have renewed it, any new cert will be valid for a year.

I have to find a way to renew the issued certificates.

Will it trigger the renewal if I change the renewal period from 6 weeks to 2 weeks?

Question: How to create a sub ca with issuance policies purposes/permissions?


Hi there,

I configured my two-tier PKI hierarchy with the guide in myitworld. (Sorry, can't post the link.)

Everything works fine until I want to add an Issuance Policy to a certificate.

It doesn't matter which issuance policy I choose (High Assurance, Medium Assurance or a newly created policy).

I'm getting this error when trying to enroll the certificate:

"The certificate has invalid policy.

Error Constructing or Publishing Certificate  Invalid issuance Policies: <OID>

The certificate has invalid policy. 0x800b0113 (-2146762477 CERT_E_INVALID-POLICY)."

My Root CA has a certificate with issuance and application purposes.

My Issuing CA has a certificate with only application purposes.

I am new to PKI and have read some guides and blogs, but can't find the answer to my problem.

Hope anybody here can help me.

Thanks

PKI CRL deletion


Hi Everyone,

Please let me know how to delete the CRL from LDAP and HTTP location

Just to clarify, I am not looking to delete the CDP and AIA configured links.

I want to know how to delete the CRL from the LDAP and HTTP locations.

Regards

Afsar


Enrolling Kerberos Authentication certificate from a new CA

Hello guys,

We have an old 1-tier Enterprise Root CA (running on Windows Server 2008 R2). It has several certificate templates published. One of them is a duplicate of the Kerberos Authentication certificate template. This CA is using the SHA1 hash algorithm on its own certificate, meaning it signs all certificates and CRLs it issues with a SHA1 hash.

We have a single-domain AD forest with two Domain Controllers (WS2012R2). Both DCs have enrolled a custom Kerberos Authentication certificate from our current CA.

Our end users use smartcards to log on their domain workstations. Certificates on the smartcards are issued from a 3rd party organization CA. This is something I've heard from our managers, but I haven't seen these cards personally.

Now I've setup a new 2-tier PKI with offline standalone root and two issuing CAs. CRL/AIAs are published to HTTP only. All CAs are using SHA256 hash algorithm. New PKI infrastructure is sound.

My concern is those Kerberos Authentication certificates issued from our current CA. I want to replace those certs on our DCs with new ones signed by our new SHA256 Issuing CA.

To accomplish this, should I create a new Kerberos Authentication template on the new Issuing CA from scratch, or should I instead delete the template first from the current CA and then publish the same template from the new Issuing CA?

Help would be appreciated!

Event ID 4625 not being logged in Security Logs


Hello

We recently had a Service account locked out, and when I went to check the security logs to check where the failed logons had come from, I couldn't see any "Audit Failure" events, specifically ID 4625.

When I checked the Domain Controllers GPO, I could see that Audit Logon Events was set to just Success, so I have added in Failure and given sufficient time for group policy to update - no change.

I've also looked at Advanced Audit Policy Configuration - Audit Policies - Logon/Logoff and enabled success and failure for Audit Logon there - no change.

Running this at a command prompt shows the right settings:

C:\Windows\system32>auditpol /get /category:Logon/Logoff
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  No Auditing
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   No Auditing
  User / Device Claims                    No Auditing
  Group Membership                        No Auditing

We have 4 DCs spread across three AD sites, all running Server 2016 and we get the same behaviour on all of them.

Any suggestions as this is quite odd.
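
An added example for tracing a lockout like the one above (this script is not from the thread; the DC names and the account name are placeholders). It collects the failure events a domain controller actually records: 4625 is written on the computer where the logon attempt was made, so on the DCs the events that usually trace a locked-out domain account are 4771 (Kerberos pre-authentication failed), 4776 (NTLM credential validation failed) and 4740 (account locked out). 4625 is still included for logons made directly on the DC.

```powershell
# Added example (not from the thread): gather logon-failure and lockout events from the DCs.
# 4625 is written on the computer where the logon was attempted; on a DC the useful events for a
# locked-out domain account are 4771 (Kerberos pre-auth failed), 4776 (NTLM validation failed)
# and 4740 (account locked out). Names below are placeholders.
$DomainControllers = @('DC01', 'DC02', 'DC03', 'DC04')   # placeholder DC names
$Account           = 'svc-example'                       # placeholder service account
$Since             = (Get-Date).AddHours(-24)

$filter = @{
    LogName   = 'Security'
    Id        = 4771, 4776, 4740, 4625
    StartTime = $Since
}

$events = foreach ($dc in $DomainControllers) {
    try {
        # Get-WinEvent throws when nothing matches, so "no events" surfaces as a warning below.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Read the named EventData fields from the event XML rather than parsing message text.
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

                # 4771 carries the client IP, 4776 a workstation name, 4625 both;
                # 4740 puts the caller computer name in TargetDomainName (a long-standing quirk).
                $source = @($data.IpAddress, $data.Workstation, $data.WorkstationName) |
                          Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1
                if ($_.Id -eq 4740) { $source = $data.TargetDomainName }

                [pscustomobject]@{
                    DC      = $dc
                    Time    = $_.TimeCreated
                    Id      = $_.Id
                    Account = $data.TargetUserName
                    Source  = $source
                    Status  = $data.Status        # e.g. 0x18 on 4771 = wrong password
                }
            } |
            Where-Object { $_.Account -like "*$Account*" }
    } catch {
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

$events | Sort-Object Time | Format-Table -AutoSize
```

Run it from a workstation with remote event log access to the DCs; the Source column is the host to look at next, since the failing credentials are being presented from there rather than on the DC.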

Cannot export private key: "key not valid for use in specified state"


Hi,

This is a bit of a long story but I hope someone can give us some guidance.

We use authentication certificates issued from our own Enterprise CA to control user and machine authentication via RADIUS/NPS for our wireless network. Certificates are deployed via group policy/autoenrollment. In general this works well, but we have an intermittent problem where user authentication stops working for a user who was fine before. The user certificate looks OK via Certmgr (shows as valid, shows that there is a private key associated with the certificate). The NPS server logs show that the machine has been authenticated and granted access, but the user in this situation doesn't show up in the server logs at all.

The only solution in this case is to connect to the wired network and request a new certificate for the user (either via certmgr or just by deleting the duff cert and logging off/on again to get the cert via autoenrollment).

The interesting thing is that while a "working" certificate can be exported with no problem, a duff certificate cannot be exported with its private key, giving the error "key not valid for use in specified state". (Obviously the certificates come from the same template, and the key is not marked unexportable).  The key files are present in %userprofile%\Appdata\Roaming\Microsoft\Crypto\RSA and the user permissions on these files look correct.

After much searching of the forums I tried running certutil -repairstore on the duff certificate and that also returned the same error. I also tried an undocumented switch, Certutil -user -key -v, and again got a very similar error: "Loadkeys returned key not valid for use in specified state. 0x8009000b (-2146893813)".

I'm assuming that the fact that the key is unexportable/corrupt is also the reason why the certificate can no longer be used for authentication.

Does anyone have any clues as to what might be causing this, and/or if a certificate with a key in this state can be repaired?

Thanks!

Certificate Enrollment - The RPC Server is unavailable


I recently took over responsibilities to finish the configuration of the Certificate Authority Web Enrollment. I have a standalone CA with subordinate CAs, and then I have a separate server that deals with the Web services and Web Enrollment. When I test requesting a certificate on the Web Enrollment server I have no issues, and I can get a certificate and install it. But when I try to access the Web Enrollment site from another computer, or even from the other Web Enrollment server to the first server, and put all my information in for the request and click submit, I get this error. I tried to telnet to 135 on the subordinate CA and that worked. So I am not sure where else to look for this issue.


When running CertUtil from either Web Server I get this:
C:\Windows\system32>certutil -ping -config "server.domain.com\domain-server-ca"
Connecting to server.domain.com\domain-server-ca ...
Server "domain-server-ca" ICertRequest2 interface is alive (172ms)
CertUtil: -ping command completed successfully.


Your request failed. An error occurred while the server was processing your request.

Contact your administrator for further assistance.


Request Mode:
newreq - New Request
Disposition message:
(none)
Result:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
COM Error Info:
CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
LastStatus:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
Suggested Cause:
This error can occur if the Certification Authority Service has not been started.

PKI - Root CA - CDP Location #1 Unable to Download


I'm running into an issue during the PKI setup. Running PKIView health checks, CDP Location #1 for LDAP is returning 'Unable To Download' for the offline root.

The same CDP Location #1 on the two Issuing CAs, however, is reporting as healthy. They are the exact same path, and I can browse to that fine and see the entry created within ADSI.

What are some troubleshooting steps I can take, and are there any more verbose logs located somewhere that I can review?

Cannot delete Connection Security Rule on Windows Server 2012

One of our developers created a Connection Security Rule to apply to the local firewall on a server. It cannot be modified through Windows Firewall with Advanced Security "This rule has been applied by the system administrator and cannot be modified." I have an admin account on this server. We also asked the person who created it to delete it, but he could not either. I managed to find it in Local Security Policy and removed it from there, but it is still showing up on the firewall. How can I remove this for good?

Is the TLS 1.0 being disabled or not?


I tried to disable TLS 1.0 on Windows Server 2012 R2 using the method recommended by Microsoft (link: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs).

However, when I scan the servers, some of the ports are still using TLS 1.0.

Does anyone know whether the TLS 1.0 is disabled or not?


Vulnerability Scan Found - DCE/RPC and MSRPC Services Enumeration Reporting


Dear Sir, Madam,

I am scanning some Windows Server 2012 R2 machines using OpenVAS in the same network. The following vulnerability was found in the result:

DCE/RPC and MSRPC Services Enumeration Reporting

Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) or MSRPC services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries.

I would like to ask if I can fix the vulnerability, or just ignore it because it is an internal scan and we cannot fix it?

Thank you for your help.

Regards,

Dennis


Disable 3DES in Windows 2016

I want to disable TLS 1.0 and weak ciphers like RC4, DES and 3DES. I want to make sure I will be able to RDP to the Windows 2016 server after I disable them. Please advise.
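
An added example that serves both the TLS 1.0 question above and this 3DES/RC4 one (this script is not from either thread; the file name Audit-Schannel.ps1 is hypothetical). It reads the Schannel registry keys that govern protocols and ciphers and reports whether each is explicitly enabled, explicitly disabled or left at the OS default; with -Apply it writes the values that turn off SSL 2.0/3.0, TLS 1.0 and the weak ciphers.

```powershell
# Added example (not from either thread): report, and with -Apply disable, the Schannel registry
# settings for TLS 1.0 and weak ciphers. Run from an elevated prompt; a reboot is required before
# Schannel reads the new values. Hypothetical usage: .\Audit-Schannel.ps1 [-Apply]
param([switch]$Apply)

$hklm      = [Microsoft.Win32.Registry]::LocalMachine
$baseKey   = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
$toDisable = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0')
$weak      = @('RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'DES 56/56', 'Triple DES 168', 'NULL')

function Get-SchannelValue([string]$SubKey, [string]$Name) {
    # $null means the key or value is absent, so the OS default applies
    # (on Windows Server 2012 R2 and 2016 that default leaves TLS 1.0 enabled).
    $k = $hklm.OpenSubKey("$baseKey\$SubKey")
    if ($null -eq $k) { return $null }
    try { $k.GetValue($Name, $null) } finally { $k.Close() }
}

function Set-SchannelValue([string]$SubKey, [string]$Name, [int]$Value) {
    # The .NET registry API is used instead of New-Item/New-ItemProperty because cipher key names
    # such as "RC4 128/128" contain a slash, which the PowerShell provider would treat as a path separator.
    $k = $hklm.CreateSubKey("$baseKey\$SubKey")
    try { $k.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) } finally { $k.Close() }
}

function Get-ProtocolState($Enabled, $DisabledByDefault) {
    if ($Enabled -eq 0)                                       { return 'disabled' }
    if ($DisabledByDefault -eq 1)                             { return 'not offered unless requested' }
    if ($null -eq $Enabled -and $null -eq $DisabledByDefault) { return 'OS default' }
    return 'enabled'
}

if ($Apply) {
    foreach ($p in $toDisable) {
        foreach ($side in 'Server', 'Client') {
            Set-SchannelValue "Protocols\$p\$side" 'Enabled'           0
            Set-SchannelValue "Protocols\$p\$side" 'DisabledByDefault' 1
        }
    }
    foreach ($c in $weak) { Set-SchannelValue "Ciphers\$c" 'Enabled' 0 }
    Write-Host 'Values written; reboot before re-scanning.'
}

$report = foreach ($p in $protocols) {
    foreach ($side in 'Server', 'Client') {
        $e = Get-SchannelValue "Protocols\$p\$side" 'Enabled'
        $d = Get-SchannelValue "Protocols\$p\$side" 'DisabledByDefault'
        [pscustomobject]@{ Item = "$p ($side)"; Enabled = $e; DisabledByDefault = $d; State = (Get-ProtocolState $e $d) }
    }
}
$report += foreach ($c in $weak) {
    $e = Get-SchannelValue "Ciphers\$c" 'Enabled'
    $state = if ($e -eq 0) { 'disabled' } elseif ($null -eq $e) { 'OS default' } else { 'enabled' }
    [pscustomobject]@{ Item = "Cipher $c"; Enabled = $e; DisabledByDefault = $null; State = $state }
}
$report | Format-Table -AutoSize
```

Two points worth keeping in mind when the scanner still reports TLS 1.0 afterwards: the registry values only take effect after a reboot, and they only govern services that use Schannel (RDP, IIS, LDAPS, WinRM and the like). A service that ships its own TLS stack, such as one built on OpenSSL or a Java runtime, ignores these keys and has to be configured separately. RDP on Server 2016 negotiates TLS 1.2 through Schannel, so disabling TLS 1.0 does not cut off RDP as long as the connecting clients support TLS 1.2.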

CES Enrollment Error (INET 500) - 0x8007054b (WIN32: 1355 ERROR_NO_SUCH_DOMAIN) Cross Forest


Hello Everyone,

I have a CEP/CES deployment running. CEP, CES and CA reside in the same forest (A). Clients I want to enroll certificates on reside in a different forest (B).

CEP and CES are configured on the same machine. The user of both IIS app pools is: "Application Pool Identity"

Appropriate SPNs for HOST and HTTP are set on the computer account hosting the CEP and CES. Constrained Kerberos delegation is configured for HOST and RPCSS to delegate Kerberos credentials to our CA.

A full two way external Forest-Trust exists between the Forests (A & B).

Certificate enrollment requests are working if I enroll certificates on clients in forest (A). If I try it on a client in forest (B), the enrollment fails with: WS_E_Endpoint_FAULT_RECEIVED (0x803d0013).

Requesting the policy from the CEP Server runs successfully and Templates are displayed which I granted the client enroll rights.

On the CES/CEP server I can see an INET 500 in the IIS log, and in the tracing of the CES there is an error message:

CCertRequest::Submit: The specified domain either does not exist or could not be contacted. 0x8007054b (WIN32: 1355 ERROR_NO_SUCH_DOMAIN)

Anyone who has an idea about what I am missing?

Thanks

IP Security IKE Intermediate (Intended Purposes) Certificate issued by Internal Certificate server is expiring. What to do?


Hi,

I discovered that under Personal Certificates of our Exchange Server 2010 there is an "IP Security IKE Intermediate" (Intended Purposes) certificate, issued by our internal certificate server, that is expiring. What to do?

Will this auto-renew by itself or does this need a manual renewal? What will happen if this lapses? Please help.

Thanks!

A question about 802.1x authentication and User certificates


Can someone please help me with the following question

if I have a network with EAP-TLS and a Microsoft CA with auto-enrolment for domain joined computers (both computer and user certificates)

Let's say I have two laptops, LAPTOP-01 and LAPTOP-02, and a user called Fred (AD user).

Fred normally uses LAPTOP-01 and has a user certificate in his HKCU hive

the 802.1x system has a wireless access point a Cisco ISE policy server (I believe the Cisco ISE is acting as the AAA/Radius server in this setup) and an AD domain and enterprise CA

The Cisco ISE policy is set up to validate both the computer (computer cert) and the user (user cert).

Now Fred goes and logs on to LAPTOP-02 for the first time (and therefore does not have a user certificate on the laptop at this time).

there seems to be a chicken and egg situation here, (unless I am missing something)

The supplicant (LAPTOP-02) cannot present a user certificate for Fred when requested by the Cisco ISE server (I am assuming it is the Cisco ISE server asking for the user certificate so it can look up the user, by checking the user principal details in the SAN on the user's cert against the certificate stored in AD on that user's object, or perhaps it just checks that it is signed by a trusted CA).

Well, if Fred does not have a cert to present (as he does not have one in HKCU), how can he be authenticated to then go through to the CA to request a user certificate for that laptop (not using credential roaming)?

Any advice most welcome

Thanks

