Channel: Security forum

Event Log understanding


Hello everyone. I'm doing some research on event logs and trying to understand how they should be appearing, but my studies and what I actually see aren't lining up, and the instructor didn't really clear it up either. Any help would be greatly appreciated. I posted this in the training forum at first, but I'm not sure if that was the correct area.

What I understand:

A user logs in on a regular client with a domain account:

  • 4624 log created on that client
  • 4768 log created on the Domain Controller
  • 4625 log created on the client if login is unsuccessful.
  • 4772 log created on the Domain Controller if authentication fails
  • Logon type is 2 (interactive).

A user logs in on a client with a local account

  • 4624 log created on that client
  • Authentication log is on the client as well (can't recall the log number)
  • Logon type is 2 (interactive).

What I see in practice

  • Several 4625 logs on the domain controller with the client hostname as the account name. Logon type 3.
  • Several 4624 logs on the domain controller with the client hostname as the account name. Logon type 3.
  • Several 4625 logs on the domain controller from Local accounts. Logon type 3 (Network).

I read that the clients have to "logon" as well, so this may be why I am seeing the logons with hostnames as the account name, but what exactly does that mean? And if it is unsuccessful, does that just mean it couldn't get on to the domain?

I believe I've read that when a client is connected/reconnected to the domain the local accounts attempt to authenticate to the domain. Is this true?

Thank you for the help.
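
The DC-side 4624/4625 pattern described above, as an added example that is not part of the original post: it takes Security events exported as XML (both `wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:xml` and `Get-WinEvent` followed by `.ToXml()` emit this schema), sorts them into machine-account, domain-account and local-account logons, names the logon type, and decodes the 4625 sub-status. The events in the block are constructed; the domain name CORP, the hosts WS01/WS02 and the account names are assumptions.

```python
"""Sort the 4624/4625 events a domain controller records by who is logging on.

Added example, not from the original post. The events below are constructed
to mirror what the poster describes; real ones exported with wevtutil or
Get-WinEvent use the same element and Data names.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

LOGON_TYPES = {  # LogonType field of 4624/4625
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
    "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
    "10": "RemoteInteractive", "11": "CachedInteractive",
}
SUB_STATUS = {  # NTSTATUS values 4625 carries in its SubStatus field
    "0xc0000064": "user name does not exist",
    "0xc000006a": "wrong password",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}

def _field(event, name):
    node = event.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return (node.text or "") if node is not None else ""

def classify(xml_text, dc_domain):
    """Return who/what logged on and, for a 4625, why it failed."""
    ev = ET.fromstring(xml_text)
    event_id = ev.find("e:System/e:EventID", NS).text
    user, domain = _field(ev, "TargetUserName"), _field(ev, "TargetDomainName")
    logon_type = _field(ev, "LogonType")
    # A domain-joined client authenticates as DOMAIN\HOST$. An account whose
    # TargetDomainName is not the domain (it is the client's own hostname)
    # is a local account being presented to the DC over the network.
    machine = user.endswith("$")
    rec = {
        "event_id": event_id,
        "account": f"{domain}\\{user}",
        "logon_type": LOGON_TYPES.get(logon_type, f"unknown({logon_type})"),
        "machine_account": machine,
        "local_account": not machine and domain.upper() != dc_domain.upper(),
        "source_ip": _field(ev, "IpAddress"),
        "outcome": "success" if event_id == "4624" else "failure",
        "reason": "",
    }
    if event_id == "4625":
        sub = _field(ev, "SubStatus").lower()
        rec["reason"] = SUB_STATUS.get(sub, f"sub-status {sub}")
    return rec

def summarize(xml_events, dc_domain):
    """Count events per (account kind, logon type, outcome) bucket."""
    counts = {}
    for xml_text in xml_events:
        rec = classify(xml_text, dc_domain)
        kind = ("machine" if rec["machine_account"]
                else "local" if rec["local_account"] else "domain")
        key = (kind, rec["logon_type"], rec["outcome"])
        counts[key] = counts.get(key, 0) + 1
    return counts

def _event(event_id, user, domain, logon_type, ip, sub_status=""):
    """Build a minimal constructed event in the Security log's XML schema."""
    data = {"TargetUserName": user, "TargetDomainName": domain,
            "LogonType": logon_type, "IpAddress": ip}
    if sub_status:  # 4625: Status 0xc000006d with the detailed SubStatus
        data.update(Status="0xc000006d", SubStatus=sub_status)
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Channel>Security</Channel></System><EventData>{fields}</EventData></Event>")

# Constructed sample: what the poster sees on the DC, plus one console logon.
SAMPLE_EVENTS = [
    _event("4624", "WS01$", "CORP", "3", "10.0.0.21"),
    _event("4625", "WS01$", "CORP", "3", "10.0.0.21", "0xc000006a"),
    _event("4625", "backupsvc", "WS02", "3", "10.0.0.22", "0xc000006a"),
    _event("4624", "jdoe", "CORP", "2", "-"),
]

if __name__ == "__main__":
    for xml_text in SAMPLE_EVENTS:
        print(classify(xml_text, "CORP"))
    print(summarize(SAMPLE_EVENTS, "CORP"))
```

The computer account is the one whose TargetUserName ends in `$`, which is what a hostname showing up as the account name means; a 4625 whose TargetDomainName is a workstation name rather than the domain is a local account being tried against the DC over the network, and its sub-status tells a bad password apart from an account the DC does not know.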


Format C Drive


Hi,

One of our servers is encrypted by ransomware and we are unable to reinstall Windows by booting with iLO media for some unknown reason. Is it possible to format the C drive from safe mode or before starting Windows without Windows installation media?

Thanks.

DECOMMISSION MICROSOFT CA WITH LARGE NUMBER OF CERTS


Hello,

I have a few 2008 R2 CA servers that I need to decommission/remove. The CAs each have 200K+ certificates (mostly auto-enrolled) that are no longer required. These CAs will not be issuing any more certs.

The typical first step in a CA decom is to revoke all active certificates. I'm wondering if there may be any risk of clients or applications attempting to use and choking on such a large CRL. Below are the general steps I would follow, but I am concerned about revoking all those certs:

1. Revoke all active certificates
2. Increase the CRL publication interval
3. Publish a new CRL
4. Uninstall Certificate Services
5. Remove CA objects from Active Directory

Thanks for the help!

Patrick

Audit Failure - Event ID 4653 - An IPsec main mode negotiation failed.


Hello.

I am having some "Audit Failure" events (Event ID 4653) logged under "Windows Logs / Security" in Event Viewer on my Windows Server 2008 R2 computer. Keying Module Name is sometimes "AuthIP" and sometimes "IKEv1".  I do not know what this is. I have Googled port 500 and found some references to IKE and VPN. I don't know what IKE is but VPN did ring a bell.

I am using RRAS (Routing and Remote Access) on this Windows Server 2008 R2 computer so that my LAN computers have Internet access through it (WS2008R2 is acting like a router/gateway). When I installed RRAS, I selected the option for VPN but I have not yet configured or used it.

Is this event ID 4653 related to VPN? What is the IP 105.186.164.161 trying to do? Is it trying to connect to something?

The problem is that I cannot seem to ban this (and other) IPs from constantly trying to connect (or whatever they're doing that is causing these Audit Failures). I added a "block" rule to the "Inbound Rules" in Windows Firewall but it doesn't make any difference. These events are still getting logged like they're still able to communicate with the server. What am I doing wrong? Shouldn't an Inbound Rule set to "Block the connection" put an end to all communication for a statically specified IP under "Scope -> Remote IP address"?

Thank you for any tips and explanations of what is going on.

-------------------------

An IPsec main mode negotiation failed.

Local Endpoint:
    Local Principal Name:    -
    Network Address:    <my server IP here>
    Keying Module Port:500

Remote Endpoint:
    Principal Name:    -
    Network Address:    109.134.115.129
    Keying Module Port: 500

Additional Information:
    Keying Module Name: IKEv1
    Authentication Method: Unknown authentication
    Role:    Responder
    Impersonation State:    Not enabled
    Main Mode Filter ID:    71816

Failure Information:
    Failure Point:      Local computer
    Failure Reason:    Policy match error (when Keying Module Name: is AuthIP this says "No policy configured")

    State:        No state
    Initiator Cookie:    3543755b9040c11c
    Responder Cookie:    828e1e0e9f73f23f

Shared Folder gets hidden with hide attribute grayed out


Hi All

A month back, 4 of our 14 subfolders under the shared root folder mysteriously went missing.

On investigation we found them to be hidden, with the Hidden attribute check box grayed out.

We went through many forums and could not find a solution.

We even went to the extent of formatting the file server and recreating them, thinking it was an undetected virus that evades our ESET file server solution.

Our folder structure is as follows:

Root folder "ABCD" is shared with Everyone "full control" file share permission, and NTFS permission Admin "full control" and Everyone "list folder contents".

We then have subfolders per Dept. name that continue with the said root permission but are not inherited.

To each Dept. folder we assign AD security groups for the said Dept. and provide them with NTFS "Modify" permission.

The Issue:

We were able to trace the root cause to a new user JohnD. The moment we add him to any folder, existing or new, with NTFS "Modify" permission the folder gets hidden (does not happen with "Read & Execute" permission).

It gets worse: any domain global security group he was in is also affected and stays that way even after we removed him.

E.g.: when we add the said group with NTFS "Modify" permission the folder gets hidden (does not happen with "Read & Execute" permission).

We deleted and recreated 3 of the 4 groups he was in and assigned them to new folders and all is well.

We can delete and recreate the user, but both the default Domain Users and Everyone security groups are affected.

Could this have been a virus that targets such AD Users and Groups?

How do we even troubleshoot this at attribute level?

Rgds Yohan

Planning to upgrade CA from sha1 to sha256


Hi All, 

I have a domain hosted on a single DC. On the DC itself I have installed an enterprise root CA. Now I am planning to upgrade the CA from SHA1 to SHA256. I am planning to follow the article - https://www.petenetlive.com/KB/Article/0001243.

I request you all to please advise me. I am not an expert in CA and this test domain is used by testing teams; it is a critical resource. Please let me know if any details are required here.

 

PAW theory questions 2


Hello!

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations

1) Simultaneous Use - Adding a local user VM

Later this document explains that an administrator can use a user VM (amongst other things) for internet browsing - I can't understand how it's possible to browse the internet while your VM is disconnected, so

Q1: Is it a requirement that ALL USER (non-admin) actions (email, web...) should be made only when the user VM is disconnected from the network?

Q2: If there's no local WSUS server is it tolerable to update a newly-deployed PAW from MS Update site?

Device guard and Credential Guard

"Device Guard must be enabled in order to configure and use Credential Guard. However, you are not required to configure any other Device Guard protections in order to use Credential Guard."

Q3: What does "Device Guard must be enabled" mean? Device Guard is not a single option that is either enabled or not - it's a number of hardware/software settings/methods that improve a computer's security. Does MS mean this setting?

Restrict Administrators from logging onto lower tier hosts

"PAW Users - Add the Tier 0 administrators with Domain or Enterprise Admin groups that you identified in Step 1 of Phase 1."


Q4: If Tier 0 administrators are the Enterprise Admin and Domain Admin groups and the members of these groups should NOT log on to ordinary workstations, then who is supposed to do any administrative tasks on these workstations - only local admins? But - for example - to add a workstation to a domain you need a domain admin account, so how should I add a workstation to a domain if my domain admin account is prevented from logging into this workstation?


Thank you in advance,
Michael


port of nat

For non-problematic activity, the RRAS service should open ports in the firewall

IPsec main mode negotiation failed - Failure reason: No policy configured

Lab setup: Windows Server 2008 R2 running CA, DC, NDES roles.
Client: Embedded Linux device with strongSwan 5.1.1 and openssl.

I have successfully configured NDES and SCEP, and enrolled a machine certificate on the client.

On the server an IPsec policy is assigned (3DES, SHA1, DH group 2). Firewall is disabled.

IPsec transport mode is chosen and the server/client are on the same net.

Ping from server to client correctly establishes the SA. All good.

Now comes the problem: when the client sends the IKE_SA_INIT message, no response is returned (seen in Wireshark).

On the server the audit event log lists Event 4653:
============================================
An IPsec main mode negotiation failed.

Local Endpoint:
Local Principal Name:-
Network Address:192.168.0.2
Keying Module Port:500

Remote Endpoint:
Principal Name:-
Network Address:192.168.0.3
Keying Module Port:500

Additional Information:
Keying Module Name:IKEv2
Authentication Method:Unknown authentication
Role:Responder
Impersonation State:Not enabled
Main Mode Filter ID:0

Failure Information:
Failure Point:Local computer
Failure Reason:No policy configured

State: No state
Initiator Cookie:5ac3b111d55ad243
Responder Cookie:f467fab69613cf7c


The machine certificate looks like (notice the added enhanced key usages server and client auth, which I understand is required):
============================================
# openssl x509 -text -inform DER -in /etc/ipsec.d/certs/fccCert.der 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4c:8a:98:ac:00:00:00:00:00:0c
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA
        Validity
            Not Before: Feb  3 09:33:56 2014 GMT
            Not After : Feb  3 09:33:56 2016 GMT
        Subject: C=CH, O=Linux, CN=CPB529-2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
<cut>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                email:lmh@doms.dk
            X509v3 Subject Key Identifier: 
                A2:54:A9:A3:E3:DC:C6:F0:0D:ED:B9:87:37:42:82:6A:62:4D:E6:75
            X509v3 Authority Key Identifier: 
                keyid:DE:17:51:17:28:69:C3:10:E2:00:26:D7:0D:A8:A9:25:A0:E4:CA:3D

            X509v3 CRL Distribution Points: 
                URI:ldap:///CN=LMH-WIN2008R2-CA,CN=LMH-WIN2008R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=LMH-WIN2008R2-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?cACertificate?base?objectClass=certificationAuthority

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.7: 
                0-.%+.....7........Z...&...Y...d.A..m...?..d...
            X509v3 Extended Key Usage: 
                1.3.6.1.4.1.311.20.2.1, TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2, TLS Web Client Authentication
            1.3.6.1.4.1.311.21.10: 
                020..
+.....7...0
..+.......0
..+.......0
..+.......
    Signature Algorithm: sha1WithRSAEncryption
<cut>
-----BEGIN CERTIFICATE-----
<cut>
-----END CERTIFICATE-----

The IKE_SA_INIT request looks like:
============================================
No.     Time        Source                Destination           Protocol Length Info
  89550 504103.645307 192.168.0.3           192.168.0.2           ISAKMP   650    IKE_SA_INIT

Frame 89550: 650 bytes on wire (5200 bits), 650 bytes captured (5200 bits)
    Arrival Time: Feb  5, 2014 09:53:52.767787000 Romance Standard Time
    Epoch Time: 1391590432.767787000 seconds
    [Time delta from previous captured frame: 10.834437000 seconds]
    [Time delta from previous displayed frame: 409.652542000 seconds]
    [Time since reference or first frame: 504103.645307000 seconds]
    Frame Number: 89550
    Frame Length: 650 bytes (5200 bits)
    Capture Length: 650 bytes (5200 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:isakmp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Doms_00:ab:c7 (00:50:55:00:ab:c7), Dst: CadmusCo_51:94:77 (08:00:27:51:94:77)
    Destination: CadmusCo_51:94:77 (08:00:27:51:94:77)
        Address: CadmusCo_51:94:77 (08:00:27:51:94:77)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Doms_00:ab:c7 (00:50:55:00:ab:c7)
        Address: Doms_00:ab:c7 (00:50:55:00:ab:c7)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.0.3 (192.168.0.3), Dst: 192.168.0.2 (192.168.0.2)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 636
    Identification: 0x0000 (0)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0xb71b [correct]
        [Good: True]
        [Bad: False]
    Source: 192.168.0.3 (192.168.0.3)
    Destination: 192.168.0.2 (192.168.0.2)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
    Source port: isakmp (500)
    Destination port: isakmp (500)
    Length: 616
    Checksum: 0x0043 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Internet Security Association and Key Management Protocol
    Initiator cookie: 5ac3b111d55ad243
    Responder cookie: 0000000000000000
    Next payload: Security Association (33)
    Version: 2.0
    Exchange type: IKE_SA_INIT (34)
    Flags: 0x08
        .... 1... = Initiator: Initiator
        ...0 .... = Version: No higher version
        ..0. .... = Response: Request
    Message ID: 0x00000000
    Length: 608
    Type Payload: Security Association (33)
        Next payload: Key Exchange (34)
        0... .... = Critical Bit: Not Critical
        Payload length: 352
        Type Payload: Proposal (2) # 1
            Next payload: Proposal (2)
            0... .... = Critical Bit: Not Critical
            Payload length: 40
            Proposal number: 1
            Protocol ID: IKE (1)
            SPI Size: 0
            Proposal transforms: 4
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Encryption Algorithm (ENCR) (1)
                Transform ID (ENCR): ENCR_3DES (3)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Transform ID (PRF): PRF_HMAC_SHA1 (2)
            Type Payload: Transform (3)
                Next payload: NONE / No Next Payload  (0)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): Alternate 1024-bit MODP group (2)
        Type Payload: Proposal (2) # 2
            Next payload: NONE / No Next Payload  (0)
            0... .... = Critical Bit: Not Critical
            Payload length: 308
            Proposal number: 2
            Protocol ID: IKE (1)
            SPI Size: 0
            Proposal transforms: 36
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Encryption Algorithm (ENCR) (1)
                Transform ID (ENCR): ENCR_3DES (3)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Transform ID (ENCR): ENCR_AES_CBC (12)
                Transform IKE2 Attribute Type (t=14,l=2) Key-Length : 128
                    1... .... .... .... = Transform IKE2 Format: Type/Value (TV)
                    Transform IKE2 Attribute Type: Key-Length (14)
                    Value: 0080
                    Key Length: 128
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Transform ID (ENCR): ENCR_AES_CBC (12)
                Transform IKE2 Attribute Type (t=14,l=2) Key-Length : 192
                    1... .... .... .... = Transform IKE2 Format: Type/Value (TV)
                    Transform IKE2 Attribute Type: Key-Length (14)
                    Value: 00c0
                    Key Length: 192
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Transform ID (ENCR): ENCR_AES_CBC (12)
                Transform IKE2 Attribute Type (t=14,l=2) Key-Length : 256
                    1... .... .... .... = Transform IKE2 Format: Type/Value (TV)
                    Transform IKE2 Attribute Type: Key-Length (14)
                    Value: 0100
                    Key Length: 256
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Transform ID (INTEG): AUTH_HMAC_MD5_96 (1)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Transform ID (INTEG): AUTH_AES_XCBC_96 (5)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Transform ID (INTEG): AUTH_AES_CMAC_96 (8)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Transform ID (INTEG): AUTH_HMAC_SHA2_256_128 (12)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Transform ID (INTEG): AUTH_HMAC_SHA2_384_192 (13)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Transform ID (INTEG): AUTH_HMAC_SHA2_512_256 (14)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Transform ID (PRF): PRF_HMAC_MD5 (1)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Transform ID (PRF): PRF_HMAC_SHA1 (2)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Transform ID (PRF): PRF_AES128_CBC (4)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Transform ID (PRF): PRF_HMAC_SHA2_384 (6)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Transform ID (PRF): PRF_HMAC_SHA2_512 (7)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Transform ID (PRF): PRF_AES128_CMAC6 (8)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): Alternate 1024-bit MODP group (2)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 1536 bit MODP group (5)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 2048 bit MODP group (14)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 3072 bit MODP group (15)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 4096 bit MODP group (16)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 8192 bit MODP group (18)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 256-bit random ECP group (19)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 384-bit random ECP group (20)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 521-bit random ECP group (21)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 1024-bit MODP Group with 160-bit Prime Order Subgroup (22)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 2048-bit MODP Group with 224-bit Prime Order Subgroup (23)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 2048-bit MODP Group with 256-bit Prime Order Subgroup (24)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 192-bit Random ECP Group (25)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 224-bit Random ECP Group (26)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): Unknown (27)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): Unknown (28)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): Unknown (29)
            Type Payload: Transform (3)
                Next payload: NONE / No Next Payload  (0)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): Unknown (30)
    Type Payload: Key Exchange (34)
        Next payload: Nonce (40)
        0... .... = Critical Bit: Not Critical
        Payload length: 136
        DH Group #: Alternate 1024-bit MODP group (2)
        Key Exchange Data: 488bf42e98dcb8a37e86e1a25964ed9b41948c941ad2d296...
    Type Payload: Nonce (40)
        Next payload: Notify (41)
        0... .... = Critical Bit: Not Critical
        Payload length: 36
        Nonce DATA: 5bfaeebc0a0c9f01cb6a75a8a088429b684fd7d158bec7e8...
    Type Payload: Notify (41)
        Next payload: Notify (41)
        0... .... = Critical Bit: Not Critical
        Payload length: 28
        Protocol ID: RESERVED (0)
        SPI Size: 0
        Notify Message Type: NAT_DETECTION_SOURCE_IP (16388)
        Notification DATA: 1575bc35e95f2cb05722320f7a3d5e0db6a7a58d
    Type Payload: Notify (41)
        Next payload: NONE / No Next Payload  (0)
        0... .... = Critical Bit: Not Critical
        Payload length: 28
        Protocol ID: RESERVED (0)
        SPI Size: 0
        Notify Message Type: NAT_DETECTION_DESTINATION_IP (16389)
        Notification DATA: efd4ca3ddcf8776889bbe21344e0116a0cf19784

I guess my configuration is somehow wrong, but can't figure out what is wrong. Any help is greatly appreciated.

Thanks and regards,
Lars
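
The exchange Lars captured, as an added example that is not part of the original post: it rebuilds the IKE_SA_INIT request from the Wireshark decode above so that the lengths come out as captured (proposals 40 and 308 bytes, SA payload 352, message 608), parses it the way a responder would, and checks the offered transforms against the server's assigned policy of 3DES, SHA1 and DH group 2. The Diffie-Hellman value, nonce and NAT-detection hashes are zero-filled because the capture truncates them. The IKEv1 main mode packets behind the earlier 4653 post use the same 28-byte header layout but carry version 1.0, so the parser here rejects them by design.

```python
"""Rebuild Lars's IKE_SA_INIT request and test it against the responder's policy.

Added example, not from the original post: the bytes follow the Wireshark decode
above; the DH value, nonce and NAT-detection hashes are zero-filled placeholders.
"""
import struct

ENCR, PRF, INTEG, DH = 1, 2, 3, 4        # transform types (RFC 7296, 3.3.2)
SA, KE, NONCE, NOTIFY = 33, 34, 40, 41   # payload types
KEY_LENGTH = 14                          # transform attribute: Key Length

def hdr(next_item, body):
    """The 4-byte next/reserved/length header shared by payloads, proposals, transforms."""
    return struct.pack("!BBH", next_item, 0, 4 + len(body)) + body

def transform(ttype, tid, key_len=None):
    body = struct.pack("!BBH", ttype, 0, tid)
    if key_len is not None:              # TV attribute: AF bit set, type 14, 2-byte value
        body += struct.pack("!HH", 0x8000 | KEY_LENGTH, key_len)
    return body

def proposal(num, transforms):
    body = struct.pack("!BBBB", num, 1, 0, len(transforms))   # protocol IKE, SPI size 0
    for i, t in enumerate(transforms):
        body += hdr(3 if i < len(transforms) - 1 else 0, t)   # 3 = another transform follows
    return body

def ike_sa_init(initiator_spi, payloads):
    """payloads: [(type, body)] -> message; header: v2.0, IKE_SA_INIT (34), Initiator flag."""
    body = b""
    for i, (_, pbody) in enumerate(payloads):
        body += hdr(payloads[i + 1][0] if i + 1 < len(payloads) else 0, pbody)
    return struct.pack("!8s8sBBBBII", initiator_spi, bytes(8), payloads[0][0],
                       0x20, 34, 0x08, 0, 28 + len(body)) + body

def strongswan_request():
    """Proposal 1 is the lab suite (3DES, SHA1, SHA1, group 2); proposal 2 the defaults."""
    p1 = proposal(1, [transform(ENCR, 3), transform(INTEG, 2), transform(PRF, 2), transform(DH, 2)])
    p2 = proposal(2, [transform(ENCR, 3)]
                  + [transform(ENCR, 12, k) for k in (128, 192, 256)]
                  + [transform(INTEG, i) for i in (1, 2, 5, 8, 12, 13, 14)]
                  + [transform(PRF, i) for i in (1, 2, 4, 5, 6, 7, 8)]
                  + [transform(DH, g) for g in (2, 5, 14, 15, 16, 18, 19, 20, 21,
                                                22, 23, 24, 25, 26, 27, 28, 29, 30)])
    return ike_sa_init(bytes.fromhex("5ac3b111d55ad243"), [
        (SA, hdr(2, p1) + hdr(0, p2)),
        (KE, struct.pack("!HH", 2, 0) + bytes(128)),              # group 2, 1024-bit value
        (NONCE, bytes(32)),
        (NOTIFY, struct.pack("!BBH", 0, 0, 16388) + bytes(20)),   # NAT_DETECTION_SOURCE_IP
        (NOTIFY, struct.pack("!BBH", 0, 0, 16389) + bytes(20)),   # NAT_DETECTION_DESTINATION_IP
    ])

def payloads(msg):
    """[(payload type, body)] in message order; msg[16] is the header's Next Payload."""
    out, off, nxt = [], 28, msg[16]
    while nxt:
        pnxt, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        out.append((nxt, msg[off + 4:off + plen]))
        off, nxt = off + plen, pnxt
    return out

def parse_sa(data):
    """SA payload body -> {proposal number: {transform type: {(id, key length)}}}."""
    proposals, off, more = {}, 0, True
    while more:
        nxt, _, plen = struct.unpack("!BBH", data[off:off + 4])
        num, _, spi_size, count = struct.unpack("!BBBB", data[off + 4:off + 8])
        toff, offered = off + 8 + spi_size, {}
        for _ in range(count):
            tlen = struct.unpack("!BBH", data[toff:toff + 4])[2]
            ttype, _, tid = struct.unpack("!BBH", data[toff + 4:toff + 8])
            key_len = struct.unpack("!H", data[toff + 10:toff + 12])[0] if tlen == 12 else None
            offered.setdefault(ttype, set()).add((tid, key_len))
            toff += tlen
        proposals[num] = offered
        off, more = off + plen, nxt == 2
    return proposals

def parse_ike_sa_init(msg):
    """What a responder learns from the header and the SA payload."""
    ispi, rspi, _, ver, exch, flags, _, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if ver != 0x20 or exch != 34 or length != len(msg):
        raise ValueError("not a well-formed IKEv2 IKE_SA_INIT")
    sa = [body for ptype, body in payloads(msg) if ptype == SA]
    return {"initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
            "initiator": bool(flags & 0x08), "proposals": parse_sa(sa[0]) if sa else {}}

def matching_proposal(proposals, policy):
    """First proposal offering every transform in policy {type: (id, key length)}."""
    for num in sorted(proposals):
        if all(want in proposals[num].get(ttype, ()) for ttype, want in policy.items()):
            return num
    return None

# The policy assigned on the server in the post: 3DES, SHA1 (integrity and PRF), DH group 2.
RESPONDER_POLICY = {ENCR: (3, None), INTEG: (2, None), PRF: (2, None), DH: (2, None)}

if __name__ == "__main__":
    msg = strongswan_request()
    info = parse_ike_sa_init(msg)
    print(len(msg), "bytes from SPI", info["initiator_spi"], "- responder policy matches proposal",
          matching_proposal(info["proposals"], RESPONDER_POLICY))
```

Proposal 1 is exactly the responder's suite, so the "No policy configured" failure is not a cipher-suite mismatch; proposal 2 is what strongSwan 5.1.1 offers when no explicit proposal is configured. The Keying Module Name in the 4653 event says which module (IKEv1, AuthIP or IKEv2) the packet reached, which is the first thing to compare against how the policy was created.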

Windows Server downloads updates very slowly


Hello,

I have been experiencing this issue for a while now.

When I check for Windows updates on my Windows Server 2016, it finds an update, but it takes forever to install.

Currently, the machine is "Preparing to install updates 0%" on 2018-09 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4457127).

This update has been sitting at 0% for about 30 minutes. 

This happens with every cumulative update.

Please help!

W2K8 R2 Sub CA - Can't Enumerate Templates via MMC, Web, or CertReq


I have a W2K8 R2 Ent. Sub CA setup to issue certificates w/an W2K8 R2 Ent Standalone Root that is offline.

I have several templates loaded into the CA, however when I try to complete a request via the cert enroll website [https:\\subcaname\certsvr] website I receive the message "No certificate templates could be found..."

Likewise, when I try to pass the certificate template name & request file to the sub CA using certreq -submit -attrib "CertificateTemplate:template name" requestfilename.req I receive the message "The requested certificate template is not supported by this CA. 0x80094800 (-2146875392) Denied by Policy Module"

However! If I use the Certificates MMC snap-in & use the wizard, the templates are present & I am able to successfully enroll for one as long as the machine/user has the correct permissions... furthermore, if I tell the wizard to "show all" templates, then I see all of the unavailable templates as well.

I have tried the following:

- using v2 & v3 templates

- confirmed that domain computers & authenticated users have read access to the templates

- have also made sure that the "NT Authority\Authenticated Users" and "NT Authority\Interactive" groups are a member of the "Certificate Service DCOM Access" group on the subCA.

Finally, I have tried enabling enroll\debug logging & issuing a request via certreq, but only receive a few lines:

402.511.948: Begin: 11/30/2011 1:55 PM 02.761s
402.516.0: certreq
402.520.0: GMT - 5.00
2005.208.0: certcli.dll: 6.1:7601.17514 retail
2005.208.0: certenroll.dll: 6.1:7601.17514 retail
402.377.949: End: 11/30/2011 1:56 PM 10.993s

For comparison, here is the debug output of a successful enrollment via MMC

402.511.948: Begin: 11/30/2011 1:33 PM 21.416s
402.516.0: MMC.EXE
402.520.0: GMT - 5.00
2005.208.0: certcli.dll: 6.1:7601.17514 retail
2005.208.0: certenroll.dll: 6.1:7601.17514 retail
3000.835.0:<2011/11/30, 13:33:23>: 0x80094004 (-2146877436)
2032.4215.0:<2011/11/30, 13:33:23>: 0x80094004 (-2146877436): Fetch Id
3000.835.0:<2011/11/30, 13:33:23>: 0x80094004 (-2146877436)
3000.858.0:<2011/11/30, 13:33:23>: 0x80094004 (-2146877436)
2720.287.0:<2011/11/30, 13:34:7>: 0x800704c7 (WIN32: 1223)
3000.835.0:<2011/11/30, 13:34:9>: 0x80094004 (-2146877436)
2032.1524.0:<2011/11/30, 13:34:9>: 0x80094004 (-2146877436)
2007.195.0:<2011/11/30, 13:34:9>: 0x80091002 (-2146889726): 3DES_112
2007.195.0:<2011/11/30, 13:34:9>: 0x80091002 (-2146889726): DESX
2007.195.0:<2011/11/30, 13:34:9>: 0x80091002 (-2146889726): AES-GMAC
2032.2807.0:<2011/11/30, 13:34:9>: 0x80094012 (-2146877422): Administrator
2032.2807.0:<2011/11/30, 13:34:9>: 0x80094012 (-2146877422): ClientAuth
2032.2807.0:<2011/11/30, 13:34:9>: 0x80094012 (-2146877422): EFS
2032.2825.0:<2011/11/30, 13:34:9>: 0x80094012 (-2146877422): CAExchange
2032.2825.0:<2011/11/30, 13:34:9>: 0x80094012 (-2146877422): CEPEncryption
2032.2807.0:<2011/11/30, 13:34:9>: 0x80094012 (-2146877422): CodeSigning
2027.6875.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392)
2032.3029.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392): Machine
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CrossCA
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): DirectoryEmailReplication
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): DomainController
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): DomainControllerAuthentication
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): EFSRecovery
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): EnrollmentAgent
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): MachineEnrollmentAgent
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): EnrollmentAgentOffline
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): ExchangeUserSignature
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): ExchangeUser
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CustTemplate01
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CustTemplate02
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CustTemplate03
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CustTemplate04
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CustTemplate05
2027.6875.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392)
2032.3029.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392): IPSECIntermediateOnline
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): IPSECIntermediateOffline
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): KerberosAuthentication
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): KeyRecoveryAgent
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): OCSPResponseSigning
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): RASAndIASServer
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CA
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): OfflineRouter
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): SmartcardLogon
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): SmartcardUser
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): SubCA
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CTLSigning
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): User
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): UserSignature
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): WebServer
2027.6875.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392)
2032.3029.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392): Workstation
2009.4916.0:<2011/11/30, 13:34:10>: 0x80094004 (-2146877436)
2014.3881.0:<2011/11/30, 13:34:10>: 0x80094004 (-2146877436)
2008.1048.0:<2011/11/30, 13:34:10>: 0x80094004 (-2146877436)
2014.4239.0:<2011/11/30, 13:34:10>: 0x80094004 (-2146877436)
2027.7483.0:<2011/11/30, 13:35:31>: 0x80004003 (-2147467261)
2009.4916.0:<2011/11/30, 13:35:31>: 0x80094004 (-2146877436)
2009.4621.0:<2011/11/30, 13:35:31>: 0x80094004 (-2146877436)
2009.2193.0:<2011/11/30, 13:35:31>: 0x1 (WIN32: 1): Microsoft Software Key Storage Provider
2009.2242.0:<2011/11/30, 13:35:31>: 0x1 (WIN32: 1): RSA
2009.2243.0:<2011/11/30, 13:35:31>: 0x1 (WIN32: 1): le-CustomTemplateName-c5a9c136-b359-482e-b104-6e27d0022b50
2009.2282.0:<2011/11/30, 13:35:31>: 0x800 (WIN32: 2048): RSA
419.224.0:<2011/11/30, 13:35:31>: 0x8009000b (-2146893813): Security Descr
2009.3894.0:<2011/11/30, 13:35:31>: 0x8009000b (-2146893813)
2009.3932.0:<2011/11/30, 13:35:31>: 0x8009000b (-2146893813)
452.43.0:<2011/11/30, 13:35:31>: 0x80090029 (-2146893783): SmartCardKeyCertificate
2014.3720.0:<2011/11/30, 13:35:31>: 0x80094004 (-2146877436)
2013.4507.0:<2011/11/30, 13:35:31>: 0x80094004 (-2146877436)
2021.1241.0:<2011/11/30, 13:35:35>: 0x80092004 (-2146885628)
2041.783.0:<2011/11/30, 13:35:35>: 0x80092004 (-2146885628)
2021.1241.0:<2011/11/30, 13:35:35>: 0x80092004 (-2146885628)
2041.783.0:<2011/11/30, 13:35:35>: 0x80092004 (-2146885628)
2009.3628.0:<2011/11/30, 13:35:35>: 0x80090029 (-2146893783): SmartCardKeyCertificate
2009.5246.0:<2011/11/30, 13:35:35>: 0x80090029 (-2146893783)
2027.7865.0:<2011/11/30, 13:35:35>: 0x80090029 (-2146893783)
2027.3598.0:<2011/11/30, 13:35:35>: 0x80090029 (-2146893783)
402.377.949: End: 11/30/2011 1:35 PM 38.054s

Any help would be greatly appreciated
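The enroll debug log above records one line per template the client tried, and the result code on each line tells you which of two different things happened: 0x80094012 means the caller's permissions on the template deny enrollment (these are the templates MMC hides until "show all"), while 0x80094800, the same code certreq reports as "not supported by this CA", means the CA is not configured to issue that template at all. The decoder below is an added example, not part of the post or of certreq; the constant names come from winerror.h (the page itself only spells out 0x80094800), the regular expression matches the line shape shown in the log, and the sample lines are a constructed subset copied from the MMC run above.

```python
"""Decode certreq/MMC enroll debug log lines into named HRESULTs (added example)."""
import re

# HRESULT names from winerror.h. Only 0x80094800 is spelled out on the page itself;
# the rest are added here from the SDK header.
HRESULT_NAMES = {
    0x80094004: "CERTSRV_E_PROPERTY_EMPTY",
    0x80094012: "CERTSRV_E_TEMPLATE_DENIED",         # template ACL denies this caller
    0x80094800: "CERTSRV_E_UNSUPPORTED_CERT_TYPE",   # CA does not issue this template
    0x80092004: "CRYPT_E_NOT_FOUND",
    0x80091002: "CRYPT_E_OID_FORMAT",
    0x80090029: "NTE_NOT_SUPPORTED",
    0x8009000B: "NTE_BAD_KEY_STATE",
    0x800704C7: "ERROR_CANCELLED (WIN32: 1223)",
    0x80004003: "E_POINTER",
}

# Matches "src:<timestamp>: 0xHRESULT (decimal or WIN32: n)[: context]".
LINE_RE = re.compile(
    r"^\s*(?P<src>[\d.]+):<(?P<ts>[^>]+)>:\s*(?P<hr>0x[0-9a-fA-F]+)\s*"
    r"\((?P<dec>[^)]*)\)(?::\s*(?P<ctx>.*))?\s*$"
)


def to_hresult(signed_decimal: int) -> int:
    """Map the signed value certreq prints, e.g. -2146875392, to its unsigned HRESULT."""
    return signed_decimal & 0xFFFFFFFF


def parse_line(line: str):
    """Return a record for a result line, or None for Begin/End and other text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hr = int(m.group("hr"), 16)
    ctx = (m.group("ctx") or "").strip() or None
    return {
        "source": m.group("src"),
        "timestamp": m.group("ts"),
        "hresult": hr,
        "name": HRESULT_NAMES.get(hr, "UNKNOWN"),
        "context": ctx,
    }


def summarize(lines) -> dict:
    """Group the template names by why enrollment was refused."""
    out = {"denied": [], "unsupported": [], "other": {}}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["context"] is None:
            continue  # no template/context name on this line
        if rec["hresult"] == 0x80094012:
            out["denied"].append(rec["context"])
        elif rec["hresult"] == 0x80094800:
            out["unsupported"].append(rec["context"])
        else:
            out["other"].setdefault(rec["name"], []).append(rec["context"])
    return out


# Constructed sample: a subset of the MMC log lines quoted in the post.
SAMPLE_LOG = """\
2032.2807.0:<2011/11/30, 13:34:9>: 0x80094012 (-2146877422): Administrator
2027.6875.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392)
2032.3029.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392): Machine
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): WebServer
2032.3029.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392): Workstation
2720.287.0:<2011/11/30, 13:34:7>: 0x800704c7 (WIN32: 1223)
2009.2242.0:<2011/11/30, 13:35:31>: 0x1 (WIN32: 1): RSA
402.377.949: End: 11/30/2011 1:35 PM 38.054s
""".splitlines()

if __name__ == "__main__":
    print("0x%08X" % to_hresult(-2146875392))
    for reason, names in summarize(SAMPLE_LOG).items():
        print(reason, names)
```

Read against the full log, the templates in the "unsupported" bucket (Machine, IPSECIntermediateOnline, Workstation) are the ones the CA has not been configured to issue, which is the same CERTSRV_E_UNSUPPORTED_CERT_TYPE the certreq run fails with; the CA's issued-template list can be checked with certutil -CATemplates on the subordinate CA, and a template that is published in AD but missing from that list will behave exactly as described.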

Best Subject subfield to use


At present, I'm issuing machine certificates that have a Subject that consists solely of CN=FQDN.

We're looking at a means of granting differing levels of access to a user of said machine based upon a key that we will add to a template.

A machine designated BLUE will gain network access to the BLUE network, while a machine designated RED will gain access to the RED network.

I can make this decision apparently based upon a number of fields that are included as subfields within the Subject field, and am wondering if it really matters which one I use.  The obvious choices are Subject - Location, Subject - Domain Component, Subject - Organization,  and Subject - Organization Unit.

I suppose I could also use Template Name field , as two different certs would likely be identical with the exception of one being built with the BLUE template and one with the RED template.

All machines will be members of the same domain, and the same Chain will be used for all machines.


Dave

Setting up ipsec


Hello,

Is it possible to set up IPsec to secure my network's traffic? I only find tutorials for VPN.

Many thanks.

File or app that disallows top hacked passwords in AD

I remember seeing a program that connects with Microsoft Identity/Security or AD that blocks users ability to use known hacked passwords for their own. For instance "1qaz2wsx3edc,"  "passw0rd"  and "ncc1701d" are in the top 1000 used and hacked passwords and should not be allowed. I remember seeing a program or process to add 10,000 most hacked passwords to the unacceptable password list.

It is probably not supported by MS but I am interested.
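Whatever product or password filter is used to enforce it, the core of a banned-password check is the same: normalize the candidate so that trivial variations of a breached password ("P@ssw0rd!", "1QAZ2wsx3edc") still hit the list, then reject exact matches, passwords that embed a banned entry, and passwords one edit away from one. The Python below is an added example, not a program from the post or from Microsoft; the banned list is a constructed handful of entries (including the three the poster names) standing in for the 10,000-entry list they describe, and the substitution table and the 6-character fragment threshold are design choices of this example, not a published standard.

```python
"""Banned-password check with normalization (added example, constructed list)."""

# Constructed banned list: a real deployment loads a large breached-password list here.
BANNED = ["password", "1qaz2wsx3edc", "passw0rd", "ncc1701d", "qwerty", "letmein"]

# Common leetspeak substitutions undone before comparison (this example's own table).
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
    "3": "e", "$": "s", "5": "s", "7": "t",
})


def normalize(pw: str) -> str:
    """Lower-case and undo substitutions so 'P@ssw0rd' and 'password' compare equal."""
    return pw.lower().translate(SUBSTITUTIONS)


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter string
    i = j = 0
    skipped = False
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
        elif skipped:
            return False
        else:
            skipped = True               # skip one character of the longer string
            j += 1
    return True


def is_banned(candidate: str, banned=BANNED, min_fragment: int = 6):
    """Return (rejected, reason). Banned entries are normalized the same way as the candidate.

    min_fragment stops very short entries from matching as substrings of everything.
    """
    norm = normalize(candidate)
    for entry in banned:
        n_entry = normalize(entry)
        if norm == n_entry:
            return True, f"matches banned password: {entry}"
        if len(n_entry) >= min_fragment and n_entry in norm:
            return True, f"contains banned password: {entry}"
        if within_one_edit(norm, n_entry):
            return True, f"one edit away from banned password: {entry}"
    return False, "ok"


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "1QAZ2wsx3edc", "qwertz", "Tr0ub4dor&3"]:
        print(pw, is_banned(pw))
```

The check is deliberately one-directional: the candidate is only ever compared against the list, never stored, and the list is normalized on the fly so it can be kept as plain text. Length, history and complexity rules are separate from this and would wrap around it.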

Problems Setup Windows Hello for Business Test - Lab


Hi,

Currently I am building a test lab for Windows Hello for Business. I use Hybrid Key Trust.

My current setup:

- Windows Server 2016 + AD DS

- I installed a CA and installed the domain certificate on the server and on the client.

- GPO for Windows Hello for Business is enabled.

- I configured AAD Sync.

The client device is registered in Azure and eligible for Windows Hello

When typing

dsregcmd /status

I get the following output:

Furthermore I get the following warning in the event log when I log in:

Any help would be appreciated.

Best regards,

Dennis 



Certificate Authority Transfer


Currently, I have the ADCS role on my 2012 server.  I would like to move all roles to my 3 new 2016 servers. I have moved FSMO roles and only have one thing left that my 2012 server is doing, which is ADCS. 

I was going through https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486797(v=ws.11) but this says to choose the root ca > all tasks > backup and I did not see that option. 

I have a few screenshots of what my Certification Authority looks like; only two folders have contents in the snap in. 

https://1drv.ms/f/s!Ap-oFmKTDirLgRKYX8kqRLrCnADJ

For reference, DC2 is the 2012 server, Peach, Toad and Waluigi are the new 2016 servers. I would like to install the ADCS role on Waluigi and have that server take it over

Weird permissions issues on the D: drive on my Server 2016 server and I cannot determine how to resolve it


Even though I am an administrator on my server, I have to give myself explicit permissions or owner rights to folders on the D: drive. 

I have UAC turned off, but that obviously must not be it. 

Can someone please let me know how to rectify this issue?

I have more rights on the C: drive than I do the D: drive, strange. 

add ocsp server to exsisting PKI two-tier


Hi,

Currently have an offline root CA, a Sub issuing CA and a webserver that hosts the http CDP /AIA files

In use are web server and user certificates for various clients, and all is working fine. However, I would like to add an OCSP server and eventually an NDES server.

I read the OCSP install procedure but couldn't find any reference to how the existing client certificates will be updated to include the new OCSP URL. It seems to apply only to new certificates.

Does this mean I have to re-enroll all my users and web servers to get this updated OCSP URL? Any alternative approach?

Thanks

PEAP with passwords for wireless clients in a trusted domain


I am trying to get PEAP with secured passwords (EAP-MSCHAP v2) working for wireless clients with accounts in a trusted domain.  The trust is a two-way forest trust with selective authentication.

The local domain, which I will call LOCALDOM, has two domain controllers:  DC1, running Windows Server 2012 (not R2); and DC2, running Windows Server 2012 R2.  The RADIUS server is NPS running on DC1.

The trusted domain, TRUSTEDDOM, has several domain controllers, running Windows Server 2008 R2 Standard, 2012 R2, and 2016.  Users in TRUSTEDDOM have no problem accessing file shares in LOCALDOM, logging onto a terminal server in LOCALDOM, and accessing a linked Exchange mailbox in LOCALDOM with their TRUSTEDDOM credentials.

PEAP authentication is working for wireless clients using accounts in LOCALDOM, but not for accounts in TRUSTEDDOM.

If a wireless user tries to connect as TRUSTEDDOM\username, NPS error 4402 shows up in the System log on DC1 with the message, "There is no domain controller available for domain TRUSTEDDOM."  Microsoft Windows Security Auditing event 6274 appears in the Security log with the message, "Network Policy Server discarded the request for a user.  Contact the Network Policy Server administrator for more information."  At the bottom of the same event (6274) it shows reason code 5, "The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed."

If a wireless user tries to connect as username@trusteddom.com, Microsoft Windows Security Auditing event 6274 appears in the Security log with the message, "Network Policy Server discarded the request for a user.  Contact the Network Policy Server administrator for more information."  The reason code for this event is 4, "The Active Directory global catalog cannot be accessed."

Access to other types of resources (file shares, Terminal Server) in LOCALDOM works fine for users in TRUSTEDDOM whether they log on as TRUSTEDDOM\username or as username@trusteddom.com.

All domain controllers in both domains are global catalog servers.  LOCALDOM is the only domain in its forest, and TRUSTEDDOM is the only domain in its forest.

I had the administrator of TRUSTEDDOM add DC1 to their RAS and IAS Servers group.  I also tried temporarily changing authentication for the trust from selective to forest-wide, but that made no difference for PEAP authentication.

TRUSTEDDOM does not have a RADIUS server and I don't think I will be able to get their administrators to set one up.  Is it possible to get this working without using a RADIUS proxy?

us treasury savings bond


Hi,

I am very new to this and have not seemed to catch on yet so I was hoping maybe some of you could help me? I have a digital certificate of a US SAVINGS BOND TO FIDELITY. CAN I USE THIS? and if so how do I submit it to them?

thanks,

CLA

cinpeaches01@yahoo.com
