Channel: Security forum

Kerberos Error 52 (Response too big) on MacOS


Hello Everyone,

For one of the Mac machines, Kerberos authentication fails with the following error.

Client sends AS-REQ

DC responds with PreAuthRequired

Client sends AS-REQ again with encrypted time stamp.

This time the DC responds with the KRB error: KRB5KRB_ERR_RESPONSE_TOO_BIG

I have gone through some of the articles and found that this can be fixed by forcing the client to use TCP instead of UDP. However, I am not having much luck finding out how to do that. Most of the articles point to one conf file or another, which is not present on the machine.

Some details around the setup.

macOS: 10.13.6

Active Directory joined

Any help is appreciated.


Deepak Sidhpura



Event ID 10028 - DCOM Error while installing web enrollment


Hi,

I have encountered the following error while installing Certificate Authority Web enrollment:

Active Directory Certificate Services setup failed with the following error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

This error appeared when I'm trying to specify my Sub CA (which is on another server) during the installation.

I have tried to ping the actual server (Sub CA) and it can be pinged successfully from my web enrollment server. So I went to the system event log of my web enrollment server and found this (Event ID 10028):

DCOM was unable to communicate with the computer (Sub CA FQDN) using any of the configured protocols; requested by PID XXX (C:\Windows\System32\wsmprovhost.exe)

Suspecting that Windows Firewall might have blocked some services, I turned it off on both the Sub CA and Web enrollment servers, but the issue was not solved. There are no external firewalls between these 2 servers.

I went to Component Services, right-clicked My Computer > Properties, and confirmed that "Enable Distributed COM on this computer" was selected.

I have tried the command Certutil -ping on both my Sub CA and web enrollment servers respectively; the Sub CA server can ping my CA, but the web enrollment server shows the RPC error above.

May I know whether there are any services or options I should have enabled but have missed?

 

Upgrade of Windows Server 2008 Enterprise Root CA and Subordinate CA to Server 2016 PKI Infra


Is it possible to upgrade a Windows Server 2008 Enterprise Root CA and Subordinate CA directly to Server 2016, and is there anything special that needs to be taken care of before upgrading the PKI Infra to 2016?

Any best practices or any help with the upgrade of the PKI Infra from 2008 to 2016 would be really helpful.


Pallab Chakraborty

Multiple SmartCard Certificate Chaining

Hello,
I've observed a strange behavior of smart card certificates.
I use my SmartCard on different virtual machines. In the certificate store I can find my SmartCard certificate, which is identical on all systems.
But what I can't understand is that there are different certification chains for the certificate.

One is chained via the Internal Issuing CA 01 -> Internal Root CA.
The other is linked via an Internal Issuing CA 02 -> External Issuing CA -> External Root CA.
I thought the certificate chain was always fixed and couldn't have multiple paths? Could someone here please explain the possible setup for such behavior?

Thank you!

New-PAMRequest: Cannot validate argument on parameter 'Role'. The argument is null or empty


Hello, I am trying to configure PAW scenario from this link: https://docs.microsoft.com/pl-pl/microsoft-identity-manager/pam/step-7-elevate-user-access

I am stuck at the point where I have to run the following PowerShell commands:

Import-Module MIMPAM
# Find the role to request; -eq is PowerShell's case-insensitive equality test
$r = Get-PAMRoleForRequest | ? { $_.DisplayName -eq "CorpAdmins" }
# Submit the request for that role (fails with a null-argument error if $r is empty)
New-PAMRequest -Role $r
# Clear cached Kerberos tickets so the new group membership is picked up
klist purge

I get the following error:

PS C:\Users\Administrator.priv> $pr = New-PAMRole -DisplayName "CorpAdmins" -Privileges $pg -Candidates $sj
New-PAMRole : Role 'CorpAdmins' already exists in MIM.
At line:1 char:7
+ $pr = New-PAMRole -DisplayName "CorpAdmins" -Privileges $pg -Candidates $sj
+       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-PAMRole], InvalidOperationException
    + FullyQualifiedErrorId : GeneralServerError,Microsoft.IdentityManagement.AdminPamCmdlets.NewPAMRoleCommand


I have the following role in my system, which I've validated by running the following command:

PS C:\Users\Administrator.priv> $pr = New-PAMRole -DisplayName "CorpAdmins" -Privileges $pg -Candidates $sj
New-PAMRole : Role 'CorpAdmins' already exists in MIM.
At line:1 char:7
+ $pr = New-PAMRole -DisplayName "CorpAdmins" -Privileges $pg -Candidates $sj
+       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-PAMRole], InvalidOperationException
    + FullyQualifiedErrorId : GeneralServerError,Microsoft.IdentityManagement.AdminPamCmdlets.NewPAMRoleCommand

What could be the reason for this situation?
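The error in the post's title is what New-PAMRequest reports when the filter on Get-PAMRoleForRequest returns nothing, so $r is null. The script below is an added example (not code from the original post or from Microsoft) that checks for that case before calling New-PAMRequest and lists which roles the current account can actually request; it assumes the MIMPAM module and the "CorpAdmins" role name from the post, and that Get-PAMRoleForRequest returns only roles the current user is a candidate for.

```powershell
# Added example: diagnose a null -Role before New-PAMRequest fails on it.
# Assumes the MIMPAM module from the post is installed and the PAM service is reachable.
Import-Module MIMPAM

$roleName = "CorpAdmins"   # role name taken from the post

# Get-PAMRoleForRequest returns the roles the *current* account is a candidate for.
# An empty result therefore usually points at candidate membership, not a missing role.
$available = @(Get-PAMRoleForRequest)
Write-Host "Roles requestable by $env:USERDOMAIN\$env:USERNAME ($($available.Count)):"
$available | Select-Object -ExpandProperty DisplayName

# -eq on strings is case-insensitive in PowerShell but must match the whole name.
$r = $available | Where-Object { $_.DisplayName -eq $roleName }

if ($null -eq $r) {
    # Fail here with an actionable message instead of the generic
    # "Cannot validate argument on parameter 'Role'. The argument is null or empty".
    throw ("Role '$roleName' is not requestable by this account. " +
           "Check that the account (or a group it belongs to) is listed in the role's " +
           "Candidates, and that the DisplayName matches exactly.")
}

# Only reached with a real role object, so New-PAMRequest gets a valid argument.
New-PAMRequest -Role $r

# Refresh Kerberos tickets so the newly granted group membership takes effect.
klist purge
```

Run this in the same PRIV-domain session the post uses (Administrator.priv). If the role list printed is empty while New-PAMRole says the role already exists, the role is defined but the current account was not added as a candidate when it was created.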

S/MIME Email Encryption and Signing Using Internal Microsoft Enterprise Root CA


Is it possible to encrypt and digitally sign emails using a Microsoft Internal Enterprise Root CA, or does a third-party certificate service have to be implemented to do this job?

Also, could anyone let me know the method to implement this and what needs to be done at the client end apart from the certificate server configuration?

Our Exchange is on Server 2010 and the CA server is running Server 2008.


Pallab Chakraborty

How to enable support for Authenticated encryption (AEAD) cipher suites on Windows Server


Dear contributors,

Qualys SSL Labs is reporting that an HTTPS portal running on a Windows Server does not have Authenticated Encryption (AEAD) cipher suites enabled. I have not managed to find a Microsoft reference on how to do that, so could you please advise on how this could be enabled?


This posting is provided AS IS with no warranties or guarantees , and confers no rights.

Ahmed MALEK

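AEAD suites on Windows are the GCM (and, on recent builds, ChaCha20-Poly1305) suites, and Schannel only negotiates them over TLS 1.2 or later. The script below is an added example, not from the original post or from Microsoft, showing how to audit which of them are enabled with the built-in TLS module and enable the missing ones; it assumes Windows Server 2016 or later (where the ECDHE_RSA GCM suites exist) and an elevated session.

```powershell
# Added example: audit and enable AEAD (GCM) TLS cipher suites via the TLS module.
# Assumes Windows Server 2016+ and an elevated PowerShell session.

# Schannel spellings of common AEAD suites. The ECDSA ones are only usable with an
# ECDSA server certificate; the RSA ones with an RSA certificate. All need TLS 1.2.
$aeadSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Get-TlsCipherSuite lists the enabled suites in negotiation priority order.
$enabled = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
$missing = $aeadSuites | Where-Object { $enabled -notcontains $_ }

if (-not $missing) {
    Write-Host 'All listed AEAD suites are already enabled.'
} else {
    foreach ($suite in $missing) {
        # Position 0 puts the suite at the top of the list so it is preferred over
        # CBC suites whenever the client offers it.
        Enable-TlsCipherSuite -Name $suite -Position 0
        Write-Host "Enabled $suite"
    }
}

# Show the resulting order, flagging AEAD suites, so the result can be compared
# with what Qualys reports after a re-scan.
Get-TlsCipherSuite |
    Select-Object Name, @{ n = 'AEAD'; e = { $_.Name -match 'GCM|CHACHA20' } } |
    Format-Table -AutoSize
```

Reboot afterwards so Schannel is certain to reload the list, then re-run the SSL Labs test. If the scan still shows no AEAD suites, check that TLS 1.2 is enabled server-side and that the certificate's key type matches the suites you enabled (an RSA certificate cannot use the ECDHE_ECDSA suites).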

Permissions error during Cross-Forest Cert enrollment


Hello,

When attempting to manually enroll for a cert on a 2012 R2 server, I get the 'Certificate types are not available' message with the 'You cannot request a cert at this time because no certificate types are available' message. When I click the 'Show all templates' box, all the cert types are shown with Status: Unavailable and the message 'The permissions on the certificate template do not allow the current user to enroll for this type of cert'.

In this instance, the CA infrastructure is in the Resource forest with the server attempting a cert enroll in the Account forest. Both forests are 2008 R2 with a two-way Forest Trust. We followed all steps in the 'Cross-forest Certificate Enrollment with Windows Server 2008 R2' doc published by Microsoft with no issues. The PKISync worked fine and we do see the Root and SubCA1 certs on the machine we are trying to manually enroll a cert on. We implemented all the steps to ensure this machine receives a cert the same way machines in the Resource forest receive certs. We've validated the base Trust/Network infrastructure and all checks out. However, the Resource root forest and domain are all one and on the same domain controllers, whereas the Account forest has the classical Forest root with two separate domain controllers and then a child domain with a number of domain controllers. The child domain is where the server on which we are trying to manually enroll a cert lives.

As a point of clarification, the server computer account was added to a Global Security group in the Account Forest.  This group was added to a Domain Local Security group in the Resource Forest which has the Read/Enroll/AutoEnroll permissions on the Cert Template.

Any suggestions on what could be causing the permissions errors?


Thanks for your help! SdeDot



CN=MS-Organization-P2P-Access [2018] expired

We have got the below SCOM alert from a couple of Windows Server 2016 Standard servers.

Kindly suggest a fix for this issue; otherwise, is there any best practice to clean it up from the registry?



The certificate expires in 0 days on 08/13/2018 08:55:30 UTC.
Certificate Subject: CN=748cb722-a179-40ea-b34a-ab29dfc854a8, DC=8da49d14-e54e-453a-95c2-2185582c7233
Certificate Issuer: CN=MS-Organization-P2P-Access [2018]
Serial number: 492550EE1F480C1290390BB0D7E9E7D0
Store Name: Personal

Store Key: My
Store Provider: SystemRegistry
Store Type: LocalMachine
Monitoring User: NT AUTHORITY\SYSTEM

Using PS to generate INF file from cert


Howdy all,

I am more of a Linux guy and got thrown into trying to figure out what to do about an LDAP certificate that is expiring on a Windows box because our Windows guy quit. The Windows server doesn't have a GUI, which is what most of my Windows experience is in, so I'm struggling.

I'm to the point where I think I can do a "certreq -new <INF File> <Outfile>" but I don't know what to put in the INF file. Is there a way to generate one based on the cert that's about to expire?
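The INF that certreq -new expects is small: a [NewRequest] section with the subject and key parameters, an optional [Extensions] section for the subject alternative names, and [RequestAttributes] with the template. The script below is an added example (not from the original post or from Microsoft) that reads those values from the expiring certificate in the machine's Personal store and writes the INF; the thumbprint and template name are placeholders you replace, and it assumes an RSA certificate.

```powershell
# Added example: generate a certreq INF from a certificate that is about to expire,
# reusing its subject and DNS SANs. Thumbprint and template are placeholders.
param(
    [string]$Thumbprint = 'PUT-THUMBPRINT-HERE',   # placeholder: thumbprint of the expiring cert
    [string]$OutFile    = "$env:TEMP\renew.inf",
    [string]$Template   = 'WebServer'              # assumption: the CA template to request
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

# The Subject Alternative Name extension is OID 2.5.29.17. Format($false) renders it as
# "DNS Name=host1, DNS Name=host2, ..." which is parsed back into dns= entries below.
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($sanExt) {
    $dnsNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value })
}

# Keep the existing key size, but never go below 2048 bits for the renewal.
$keyLength = 2048
try { $keyLength = [Math]::Max(2048, $cert.PublicKey.Key.KeySize) } catch { }

# KeySpec=1 (exchange) and KeyUsage=0xA0 (digital signature + key encipherment)
# are what an LDAPS/TLS server certificate needs.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$($cert.Subject)"
KeyLength = $keyLength
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = sha256
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@

if ($dnsNames.Count -gt 0) {
    # One _continue_ line per SAN; the trailing & separates entries for certreq.
    $inf += "`r`n[Extensions]`r`n2.5.29.17 = `"{text}`"`r`n"
    foreach ($n in $dnsNames) { $inf += "_continue_ = `"dns=$n&`"`r`n" }
}

Set-Content -Path $OutFile -Value $inf -Encoding ASCII
Write-Host "Wrote $OutFile"
Write-Host "Next: certreq -new $OutFile $env:TEMP\renew.req ; submit the .req to the CA ; certreq -accept <issued .cer>"
```

Get the thumbprint first with Get-ChildItem Cert:\LocalMachine\My | Format-List Subject, NotAfter, Thumbprint. If the certificate was originally issued by an enterprise CA from a template, certreq -enroll -machine -cert <thumbprint> Renew (available on Windows Server 2012 R2 and later) can renew it without an INF at all; the INF route is the one that also works when submitting to a CA by hand.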

Enroll Certificate from Domain Computer with Local User?


Is it possible to manually enroll a computer certificate on a domain joined computer while logged on as LOCAL\Administrator?

I've tried through MMC and PowerShell using Get-Certificate, but both methods look as though I don't have rights to the templates authorized to this computer's AD Group while logged on as LOCAL\Administrator. (Works fine with DOMAIN\User)

I've tried with various RunAs methods (MMC RunAs DOMAIN\User, Get-Certificate -Credential, etc.) with no change in behavior.

If I enable Auto-Enroll for the AD Group containing the Computer (instead of just Read/Enroll) the certificate is provisioned fine, but for the scripted process I'm using, I only want this certificate enrolled one time so I can export it with its private key, then delete it from the CertStore.

My process (in case I'm going about this all wrong) is to enroll and export the SCCM Distribution Point certificates as part of an MDT Task Sequence to build SCCM Distribution Points. I have 99% of this scripted now, except this one last piece that only works when a DOMAIN\User is logged on.

I don't see anything in the template security that would prevent a local\Administrator from provisioning the COMPUTER certificate.

It is possible one of the other admins added some kind of security to the CA or a GPO exists that is preventing this but I'm not sure where to look.

Anyone have any ideas?


There's no place like 127.0.0.1
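A computer certificate is authorized on the template for the computer account, and the identity that talks to the CA is whoever runs the enrollment; when that is LOCAL\Administrator, the CA has no domain identity to evaluate. One way to test that explanation (an assumption; the post does not establish the cause) is to run the one-time enrollment under SYSTEM, which authenticates to the CA as the computer account. The script below is an added example, not from the original post or from Microsoft; the template name, paths and task name are placeholders, and it assumes the template allows the private key to be exported.

```powershell
# Added example: enroll a computer certificate once as SYSTEM from a local-admin
# session, export it with its private key, then remove it from the store.
# Template name, paths and task name are placeholders.
$template = 'SCCMDistributionPoint'       # placeholder template name
$workDir  = 'C:\Temp'                     # placeholder working directory
$pfxPath  = Join-Path $workDir 'dp.pfx'
$thumbOut = Join-Path $workDir 'dp.thumb'
$pfxPass  = Read-Host -AsSecureString -Prompt 'PFX password'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Inner script that runs as SYSTEM. Under SYSTEM, Get-Certificate reaches the
# enterprise CA with the computer account, which is the identity the template's
# Enroll permission on the computer's AD group applies to.
$inner = @"
`$r = Get-Certificate -Template '$template' -CertStoreLocation Cert:\LocalMachine\My
`$r.Certificate.Thumbprint | Set-Content -Path '$thumbOut'
"@
$innerPath = Join-Path $workDir 'enroll-as-system.ps1'
Set-Content -Path $innerPath -Value $inner

# A scheduled task is the built-in way to run something as SYSTEM without extra tools.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$innerPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'EnrollDpCert' -Action $action -Principal $principal -Force | Out-Null
Start-ScheduledTask -TaskName 'EnrollDpCert'

# Wait for the task to finish, then clean up the task and the inner script.
do { Start-Sleep -Seconds 2 } while ((Get-ScheduledTask -TaskName 'EnrollDpCert').State -eq 'Running')
Unregister-ScheduledTask -TaskName 'EnrollDpCert' -Confirm:$false
Remove-Item $innerPath

if (-not (Test-Path $thumbOut)) { throw 'Enrollment did not produce a certificate; check the CA request log.' }
$thumb = (Get-Content $thumbOut).Trim()
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb"

# Export with the private key, then delete both the store entry and its key so the
# only copy of the key is the protected PFX.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null
Remove-Item "Cert:\LocalMachine\My\$thumb" -DeleteKey
Remove-Item $thumbOut
Write-Host "Exported $pfxPath and removed $thumb from the store"
```

If the task produces no certificate, the CA's failed-requests log will show which identity actually made the request, which settles whether the local account was the problem or whether something on the CA or a GPO is restricting enrollment, as the post suspects.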


User cannot create connection when using windows10

My company has 2 servers with Kerberos implemented. The first server is SSAS, SQL Server (version 2008 and no firewall) and the second server is SSRS (version 2008 and no firewall). Last month user A changed to new PC A with Windows 10 and Internet 11, and now he cannot access the reporting server because of the following error:

Mr. A connects to SSRS with PC A (Windows 10 and Internet 11) and gets the error below.

-------------------------------------------------------------------------------------------------------------------------------

An error has occurred during report processing. (rsProcessingAborted)
Cannot create a connection to data source 'XXXX'. (rsErrorOpeningConnection)
The connection either timed out or was lost.
Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
An existing connection was forcibly closed by the remote host

-------------------------------------------------------------------------------------------------------------------------------

When the user connects to SSRS with PC B (Windows 10 and Internet 11) or PC C (Windows 7), he can access the reporting server without error. No user has any problem accessing the reporting server when their PC is Windows 7. There is a problem for some PCs with Windows 10 and Internet 11. Please suggest how to fix it. Thanks in advance.

mrt.exe/_p WTF (stands for: "Why The Frustration") Is this file good or bad????


Where do I find the signature for this as yet unidentified file so I can see if it has a MS signature?

mrt.exe/_p

What antivirus software do I run to protect Server2012 ?


I have files running on a desktop instance of Server 2012 ... and when I transfer the files to my Windows 10 workstation ... Windows Defender flags them as containing a virus. I now realize I am not scanning any of the files on my Server 2012 desktop for viruses ... no Essentials ... no Defender.

Pretty simple question ... what do I do ?

Stuart McColl

Windows Server 2012R2 | Windows Event Forwarder Issues (Event: 102 / Code: 5004)


Hey all,

I'm currently trying to implement event collection in our environment, but I cannot get WEF working. The following are things I've done:

1. Configured winrm on the client and collector machines
2. Deployed a GPO that pointed the client machines to the collector for event forwarding
3. Created a subscription on my WEF machine and selected:
   1. Destination: Forwarded Events
   2. Source Computer initiated
   3. Computer groups: Domain Computers
   4. Select Events: Critical, warning
4. Then selected OK and activated the subscription.  

I currently have all my source computers checking in, but I'm still getting the same error (Event 102 / Code 5004). I've added the WEF to the domain group Event Reader and confirmed the WinRM connection.

What am I doing wrong?

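For a source-initiated subscription like the one described above, the useful facts are the subscription's runtime status on the collector, whether the collector's WinRM listener is reachable, and what the forwarding plugin on a source logs. The script below is an added example (not from the original post or from Microsoft) that gathers those with the built-in wecutil, winrm and event-log tooling; the subscription name is a placeholder, and it assumes an elevated session.

```powershell
# Added example: gather the facts needed to diagnose a WEF subscription that reports
# Event 102 / error 5004. Subscription name is a placeholder; run elevated.
$subscription = 'Critical-and-Warning'   # placeholder: the name shown under Event Viewer > Subscriptions

# 1. On the collector: the subscription definition and its runtime status. 'gr' shows,
#    per source computer, the last error and heartbeat, which is where 5004 will appear.
wecutil gs $subscription
wecutil gr $subscription

# 2. On the collector: the Event Collector and WinRM services must both be running,
#    and a WinRM listener must exist on the port the GPO points sources at (5985/5986).
Get-Service Wecsvc, WinRM | Format-Table Name, Status, StartType -AutoSize
winrm enumerate winrm/config/listener
Test-WSMan -ComputerName $env:COMPUTERNAME

# 3. On a source computer: the forwarding plugin explains why it is not delivering.
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. On a source computer: the forwarder runs as NETWORK SERVICE, which needs read
#    access to the channels in the subscription query. For the Security log that means
#    membership in the local Event Log Readers group (the group the post is after).
net localgroup "Event Log Readers"

# 5. On the collector, after a fix: retry the subscription now instead of waiting for
#    the next heartbeat.
wecutil rs $subscription
```

Compare the output of step 1 with step 3: if the collector shows no sources at all, the problem is the listener or the GPO address (step 2); if sources show up but with an error, the per-source message from step 3 and the group membership from step 4 are the next things to check.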

Hardening of windows server 2012 and 2016

Please suggest how to harden Windows Server 2012 and 2016.

System Services Template in local server security settings


Can anybody confirm whether Microsoft has removed System Services from the server local security settings for Windows Server 2012?

When opening secpol.msc, it is not showing.

How and where can I get it?

I want to deploy BitLocker on my file server in a domain environment; multiple clients will access the file server.


Hi Support,

I want to deploy BitLocker on my file server in a domain environment; multiple clients will access the file server.

1. How do I protect organization data?

2. How do I deploy it on client machines?


 

AT command in 2008 Standard R2 broken after recent security updates

Did anyone notice that after the Spectre and Meltdown patches recently released, any newly scheduled tasks created using the AT command are broken? The task is created, but when you open Task Scheduler it reports an error in the Task XML file and the task does not execute at the scheduled time. Updates that are breaking the AT command task creation are: KB4056894, KB4056897, KB4074598, KB4074736, KB4074587 and possibly others as well.

SSL for Web Enroll server


We have a root CA, and the same server has the NPS feature installed. This root CA also has the Certificate Authority Web Enrollment role installed. The SSL cert has expired for this Web enroll server.

The Domain Controller cert is being used by NPS.

Can we bind the Domain Controller certificate to the Web Enroll website?
