Hi,

we still operate an Exchange 2010 SP3 RU 18 with Outlook 2010. I've been tasked with S/MIME certificates to sign and encrypt emails, which works for user mailboxes. I've been in trouble with the shared mailboxes.

We have a CA in place and i've configured templates for:

- Exchange User
- Exchange Signature Only
- Exchange Enrollment Agent

For the shared Mailbox, I've duplicated "Exchange Signature only" to be enrolled on behalf and an "Exchange EA" template and enrolled for both. So far everything seems to be fine: When I enrollon behalf of the shared Mailbox, i can select my EA certificate and the enrollment succeeds. I'm exporting the new certificate from the issued certs and import it (by auto select storage) on my Client, but in my Outlook's Trust Center, the certificate i've enrolled on behalf is not presented, when trying to Setup a new security Setting.

Where did I make a mistake? Do i have to pay attention to special options in the template settings, that i may have missed? Or did i store the other mailbox certificate in the wrong storage area?

Kind regards

Sascha

I created a new GPO to manage the Windows Firewall on workstations.  It uses a connection security rule, which uses Computer (Kerberos v5), and Request Inbound and Outbound.  On inbound rules, SMB and remote management rules are all set to "Allow the connection if it is secure", which in turn is just using "Allow the connection to use null encapsulation".  The allowed computers are designated management systems.

This all worked great - I could access admin shares and remote management from nothing except the designated computers.  However, I've noticed that my domain controllers Security logs began getting a ton of event ID 5152.  The full event is here:

The Windows Filtering Platform has blocked a packet.

Application Information:
	Process ID:		0
	Application Name:	-

Network Information:
	Direction:		Inbound
	Source Address:		10.0.1.133
	Source Port:		500
	Destination Address:	10.0.1.20
	Destination Port:		500
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	67958
	Layer Name:		Transport
	Layer Run-Time ID:	13

The source is a workstation, the destination is the DC.  It appears they're trying to securely connect to the DC.

What's my best option here?

Hey Guys,

I have a Windows 2008R2 PKI with 1 root and 2 sub CAs. The root CA now give an error when issuing a user cert. The two Sub CAs CAN issue user certs with no problem. Below is the error I get from the CA when requesting a user cert.  I have contacted MSDN support and the could not provide me with any solution.

 Error

Your request failed. An error occurred while the server was processing your request.

Contact your administrator for further assistance.

    Request Mode:
        newreq NN - New Request (keygen) 
    Disposition:
        (never set) 
    Disposition message:
        Issued 
    Result:
        Error 0xc8000436 (ESE: -1078) 
    COM Error Info:
        CCertRequest::Submit: Error 0xc8000436 (ESE: -1078) 
    LastStatus:
        Error 0xc8000436 (ESE: -1078) 
    Suggested Cause:
        No suggestions. 

Hi all,

We've been having trouble getting one of our remote locations running Windows Server 2008R2 registered in SCCM by connecting to our management distribution point.

It seems the SSL handshake is failing, because even though the correct intermediate and root certificate are installed.
When browsing to the distribution point it results in the error that the certificate path is not found and so cannot be trusted.

When I trace the connection, I can see the ciphers required for the SSL connection, these are enabled in registery and so is TLS1.2, but still no SSL handshake. (I've used SSL Labs and Fidler for this.)

Server:
Version: 3.3 (TLS/1.2)
Ciphers:
    [003D]    TLS_RSA_WITH_AES_256_CBC_SHA256
    [0035]    TLS_RSA_AES_256_SHA

Client:
Version: 3.3 (TLS/1.2)
Cipher:        TLS_RSA_AES_256_SHA [0x0035]

I've also used a ps script to verify SSL connectivity.
That resulted in no shared (client/server) SSL protocols found.

What am I missing here?

Many thanks in advance.

Hi,

I am trying to get BitLocker Network Unlock feature to work, but with no luck. Client computer allways asks for PIN.

Symptoms on the client side are simple: Event with ID 24645 saying Bootmgr failed to obtain the BitLocker volume master key from the network key protector occures on every boot.

Symptoms on server side (WDS) are more specific:

When the server starts, it logs several events with ID 24577 covering NKPPROV initialization that is successful. There is only one warning with ID 32770

[WDSServer/WDSPXE/NKPPROV] Could not find the configuration file section corresponding to the specified certificate thumbprint. No subnet restrictions will apply to this certificate. Certificate thumbprint = 59FAB93B3986D7CBCB848CAFB720C608097F583C, HRESULT = 0x80070002.

Than WDS logs repeatedly event with ID 32769 [WDSServer/WDSPXE/NKPPROV] Change notification callback found no NKP configuration file changes. 

When client boots, WDS logs two events with ID 32769

[WDSServer/WDSPXE/NKPPROV] Received NKP IPv4 request. Remote address: 10.10.64.100:68, Packet length: 573.

followed by

[WDSServer/WDSPXE/NKPPROV] NKP request processing succeeded. Remote address: 10.10.64.100:68, Reply packet length: 316.

There is nothing more related to BitLocker Network Unlock in WDS logs.

I´ve set up the whole thing with help of this TechNet article: https://technet.microsoft.com/en-GB/library/jj574173.aspx

As mentioned in that article, or in other discussions, I´ve checked:

UEFI Network stack on client is enabled

Client can boot to UEFI PXE to the same WDS (pressing F12 during boot and enter into WDS menu)

SecureBoot is enabled and CSM is disabled - client can boot only by UEFI

Manage-bde -protectors -get C: on the client with result:

Volume C: []
All Key Protectors

    Numerical Password:
      ID: {5FD95464-29ED-4B04-9EB0-8B2C3D5758F4}
      Password:
        {PASSWORD}

    TPM And PIN:
      ID: {34405DBF-B49E-4836-9898-1FAFEF7B962F}
      PCR Validation Profile:
        0, 2, 4, 11

    External Key:
      ID: {C4B47A8F-FC53-485E-98D4-A3C9B0D216CD}
      External Key File Name:
        C4B47A8F-FC53-485E-98D4-A3C9B0D216CD.BEK

    Network (Certificate Based):
      ID: {69EC0722-A8F9-4185-9315-DAAC4D0386DF}
      PCR Validation Profile:
        0, 2, 4, 11
      Certificate Thumbprint:
        59fab93b3986d7cbcb848cafb720c608097f583c

BitLocker logs in API log on the client also warning with ID 813: BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'SecureBoot' is missing or invalid.and event with ID 834: BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.

Certutil -verifystore FVENKP on WDS server with result

FVENKP "BitLocker Drive Encryption Network Unlock"
================ Certificate 0 ================
Serial Number: 3e00000003db4cae7e034cbb0b000000000003
Issuer: CN=Internal CA
 NotBefore: 14.02.2017 15:50
 NotAfter: 14.02.2019 15:50
Subject: CN=BitLocker Network Unlock Certificate for domain
Non-root Certificate
Template: BitLockerNetworkUnlock, BitLocker Network Unlock
Cert Hash(sha1): 59 fa b9 3b 39 86 d7 cb cb 84 8c af b7 20 c6 08 09 7f 58 3c
No key provider information
  Provider = Microsoft Software Key Storage Provider
  Simple container name: te-BitLockerNetworkUnlock-c393e00f-96dc-46b8-8d7b-e4a13a8a7eba
  Unique container name: 7b916d8b5ba7dd1d829dda5fcd7f0e11_e7b28bda-a4b3-4265-bf49-b1de94b42c9d
  ERROR: missing key association property: CERT_KEY_IDENTIFIER_PROP_ID
Encryption test passed
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.4.1.311.67.1.1 BitLocker Network Unlock
Certificate is valid
CertUtil: -verifystore command completed successfully.

So I cannot figure out why network unlock fails. WDS logs says it successfuly processed the request, but I can´t find why client doesn´t use it. 

George

Hi

Servers:

Root      -Workgroup

SubCA -  Domain Join

OS : Window 2012 R2

Our SUB CA expired  , Please advise how to fix this issues

Thanks in Advance

Help.Me

Hi all,  we are seeing an error message during installation of NDES.  The role has been installed and we are running through the configuration wizard steps for NDES.  Logged on to he server as an Enterprise Admin, we reach the tab that allows us to select target CA.  We select the CA from a list and then click configure.  The following error is displayed:

CMSCEPSetup::SetMSCEPSetupProperty: Access is denied. 0x80070070005

We are not sure exactly what permissions are missing, or where from.  Could be local server or could be directory object.  Can anyone point me in the right direction to figure out whats missing, or towards a log file that might give me a clue?

Many thanks

Hey everyone,

Is it possible to generate a SCCM (Workstation Authentication) certificate for non-domain joined computers by powershell or batch ?

My SCCM setup - 

I've followed this tutorial

https://www.petervanderwoude.nl/post/how-to-install-a-configmgr-client-on-a-workgroup-computer-when-the-configmgr-site-is-in-native-mode/

The problem is that the CEP server is confgured in an other domain so certreq - new (based on INF file) gives error that he does not find the CertificateTemplate - which is logic because the current AD has no certificates.

Impossible to post printscreen - error is 0x80092004

Req file is not created !!

INF File

[NewRequest]
Subject="CN=test.users.xxx.be"
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[RequestAttributes]
CertificateTemplate=SCCMPKILanservice

Without Certificatetemplate the REQ file is created and I try to issue the certificate on the CEP server with the following command 

certreq -submit -username "<FQDN>\user" -p "Password123" -PolicyServer "https://pki.FQDN/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" -config "https://pki.FQDN/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" -attrib "CertificateTemplate:SCCMPKILanservice" c:\xxx.req c:\xxx.cer

but I get an error

Impossible to post printscreen - error is 0x803d0011 (-2143485935 WS_E_ENDPOINT_ACTION_NOT_SUPPORTED)

If I do it manually with MMC the enrollment works

I found following thread but I can't figured out the solution

https://social.technet.microsoft.com/Forums/en-US/da2ee8f2-96f5-4799-8533-4b4325ca0ceb/how-to-stop-certreq-from-prompting-a-dialog-box-to-press-ok-or-cancel?forum=winserversecurity

Hopefully somebody can help ...

Many thanks

System administrator

I am attempting to build out a couple new SubCAs on Windows Server 2012 R2. The Root CA that issued the certificate to the SubCAs has asserted the following OIDs in the SubCA certificate:

[1]Certificate Policy:
     Policy Identifier=2.16.840.1.101.3.2.1.13.5
[2]Certificate Policy:
     Policy Identifier=2.16.840.1.101.3.2.1.13.5.1.1
[3]Certificate Policy:
     Policy Identifier=2.16.840.1.101.3.2.1.13.5.1.2

I created a Web Server template and asserted the 2.16.840.1.101.3.2.1.13.5 OID.

When I attempt actually issue a certificate based on this template, I get this error:

Your certificate request was denied.

Your Request Id is 13. The disposition message is "Error Constructing or Publishing Certificate Invalid Issuance Policies: 2.16.840.1.101.3.2.1.13.5".

The Root CA does not have these same policies asserted. Is that why I am getting the error above or am I missing something else?

The root CA is managed by our parent organization and we have no control over it. On our old SubCA, the CRL flag to ignore invalid issuance policies was configured. Do I need to do the same thing since I do not control the root?

Unable to access administrative shares on Windows Server 2012, I found below two recommendation would like to confirm which one best to select.

Recommendation 1

To disable UAC remote restrictions, follow these steps:     

1. Click Start, click Run, type regedit, and then press ENTER.
2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:
   1. On the Edit menu, point to   New, and then clickDWORD Value.
   2. Type   LocalAccountTokenFilterPolicy, and then press ENTER.  
4. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
5. In the Value data box, type 1, and then click OK.
6. Exit Registry Editor.

Recommendation 2

You have the option to turn off UAC via registry by changing the DWORD "EnableLUA" from 1 to 0 in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system".

You will get a notification that a reboot is required. After the reboot, UAC is disabled.

Hi All,

I have enable these ports "137,138,445" on windows server 2012 r2 firewall in base server and in VM also but still this port showing blocked.

We have to open these ports for sharing purpose to mac 

but we failed again and again

server edition is datacenter  and i want to know that if we enable the port on vm so is it mandatory to enable the port on base and right now i have enable the port from base as well as VM.

please let me know if anyone knows 

Thanks and Regards

Vipin Jeswani

Hi all,

I've got a Windows 2012 r2 web dev server that I'm wanting to get up to TLS 1.2 before copying the configuration over to the production server.

I've followed the MS docs document about the TLS protocols in the registry to enable them via Schannel found here. However when I run SSLAudit on the site that is hosted on this box, it shows only TLS 1.1 is enabled, not 1.2 Other protocols have been successfully disabled (SSL3 etc) but for some reason the TLS 1.2 won't show as being supported.

Am I missing something, or is there some other reg key that needs to be applied?

Thanks,

Gareth

I have WCF service and a client accessing that service hosted on the same production machine(Windosw Server 2016 build)

) for testing purposes, but when the client pings the server, the call ends with an error: Could not establish secure channel for SSL/TLS with authority 'ServerName: Port'.

When I checked the event logs, I found the following error

An unknown connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed. (SChannel - 36874)

I tried enabling/disabling SSL, TLS security on the machine, but still not able to solve the issue.

Is there any registry key I need to set to add specific Cipher Suite to solve this issue? 

Thanks in advance

So got a weird one here that I've been beating my head against for about a day or so.

Have an internal Windows Certificate Authority infrastructure, with CRLs published to AD (LDAP), and two separate web servers (HTTP).

All CRLs are updating properly and are correct.

Running certutil.exe -URL "LDAP://address" on any server gives me a success.

Running certutil -URL "HTTP://address" on any 2012R2 server gives me a success.  Running certutil against either HTTP CRL on any 2008R2 server in the environment gives me a fail.  Pasting the HTTP address for the CRL into IE on any of the 2008R2 servers I can load the CRL no problem and look at it and everything shows green - so it's not a network/firewall problem.

I'm using the same AD account when logged into all of the servers.  I've verified the permissions on the two IIS servers at both the IIS level and the NTFS level are wide open with "everyone" having full control, anonymous access allowed, etc.  The HTTP servers are two different versions of Windows.  Everything is on the same IP subnet, all Windows firewalls are off.

Is there some 2008R2 patch or lack of patch that could do this?  I tried applying the latest 2008R2 security rollup patches, no change.  I've tried installing "fresh" 2008R2 servers and fresh 2012R2 servers, and get the same results on new servers as existing servers - 2012R2 says HTTP CRLs are fine, 2008R2 servers give a failure.

I have a client with a Windows Server 2012 r2 file server that I have been trying to update for the last few weeks. I have been seeing the following updates fail. I have tried the recommended fixes which have not worked. I uninstalled the .NET security rollup for June 2018, rebooted and tried to install the updates and have been unsuccessful. The newest version of the .NET didn't install either. I am not seeing any substantive responses from Microsoft regarding these errors and wanted to see if A) anyone else was experiencing this, and B) had anyone else developed or found a resolution.

Thanks,

Joseph

Joseph Rapoport

Hi all,

I have a corporate wifi nonbroadcated that I've setup for my company that utilizes RADIUS 802.1x "Certificate USER/Computer based" authentication.  I have also pushed out a GPO that adds this wireless network to all endpoints and sets it as the preferred network and to automatically connect when the network is available.

The endpoints are able to connect to the network just fine (and endpoints that are *not* part of our enterprise domain cannot, which is the correct behavior).  However, I have multiple endpoints, all Windows 10 machines, that are not connecting automatically.  When I open the list of wireless networks, it says "Action Needed" underneath the SSID for the enterprise network.  When I click on the network and hit "Connect" - a web browser opens and it connects just fine without any other prompts.

Any idea what might be going on here?

Thank you!

leo.gregorio@hotmail.com

On a few of our Windows Small Business Server 2011 or Windows Server 2012 R2 Essentials servers of relatively limited use (domain controller / Active Directory and DNS, Group Policy, DHCP, file server, print server, and third-party backup) ~30 to ~1,000 of the following events are logged daily:

An account failed to log on.
    Subject:
    	Security ID:		SYSTEM
    	Account Name:		SERVERNAME$
    	Account Domain:		DOMAINNAME
    	Logon ID:		0x3e7
    Logon Type:			3
    Account For Which Logon Failed:
    	Security ID:		NULL SID
    	Account Name:		
    	Account Domain:		
    Failure Information:
    	Failure Reason:		Unknown user name or bad password.
    	Status:			0xc000006d
    	Sub Status:		0xc0000064
    Process Information:
    	Caller Process ID:	0x1ec
    	Caller Process Name:	C:\Windows\System32\lsass.exe
    Network Information:
    	Workstation Name:	SERVERNAME
    	Source Network Address:	-
    	Source Port:		-
    Detailed Authentication Information:
    	Logon Process:		Schannel
    	Authentication Package:	Kerberos
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    	- Transited services indicate which intermediate services have participated in this logon request.
    	- Package name indicates which sub-protocol was used among the NTLM protocols.
    	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Based on the included information, it appears that the event is a result of a failed network ("Logon Type: 3") logon or password change ("Caller Process Name: C:\Windows\System32\lsass.exe") for a user account that does not exist ("Sub Status: 0xc0000064").

I don't understand why the server appears to be failing to logon to itself, though. There are no relevant cached credentials on the affected servers.

This event is slightly different to all of the others that I've come across but, based on those, I've ruled-out the following common causes:

1. "Date and time sync between domain controllers". There is only one domain controller in each affected environment.
2. "Outdated or incorrect SQL credentials". SQL is not installed on each affected server.
3. "Expired security certificates in IIS". IIS contains no expired security certificates on each affected server.
4. Each computer objects' "objectSid" and "SID" properties are unique.

In one of the affected environments, there is a Windows Server 2012 R2 Essentials domain controller server and a Windows Server 2012 R2 Standard terminal / remote desktop server. Interestingly, the RDS server is logging the following events which are almost the exact opposite but do not appear to be logged at the same time as each other:

An account failed to log on.

    Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

    Logon Type:			3

    Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		SERVERNAME
	Account Domain:		DOMAINNAME

    Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC0000064

    Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

    Network Information:
	Workstation Name:	SERVERNAME
	Source Network Address:	IPv6ADDRESS
	Source Port:		25228

    Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.