Channel: Security forum

Disable TLS 1.0 on Windows 2012 Active Directory


Hi All,

For security purposes, we plan to disable TLS 1.0 in our Active Directory environment. Kindly advise on this.

AD version: Windows 2012 R2

Client version: Windows 10 and Windows 7


Thanks, Mariappan Shanmugavel


New sub CA doesn't show published templates

I have installed a new enterprise sub CA. There are two existing CAs there already. When I publish the templates that this CA should issue certificates from, they will not show on the client/server. I have tried different users and I have also removed the client certificate cache, so this is not the problem.

There is also an enrollment web service policy installed in the AD. I am wondering if this has some influence on what is happening here. Should this be configured to allow templates to be published properly? You see the only templates that are shown are some internal web server certificates.


Does MS PKI setup support multitenancy?

Hi,

Can I use my PKI infrastructure (root and sub CA) to issue certificates to multiple customers; basically, does it support multitenancy? If yes, what are the requirements and limitations?

Regards


Neha Garg

one DC not presenting its host certificate to OPENSSL calls


Hello.

We have a domain with 3 DCs and one CSA.

2 of the 3 DCs, when queried will present their correct host certificate on port 636.  For example, like this:

[root@ABC123 ~]# echo | openssl s_client -quiet -connect <IPaddressofDC>:636
depth=1 DC = <domainExt>, DC = <domainName>, CN = <nameOfDomainCSA>
verify return:1
depth=0 CN = <nameOfDCbeingQueried>   <----- this is what SHOULD happen
verify return:1
read:errno=104

On the 3rd DC, that same command returns nothing after "depth=0" on that line.

Any ideas why it's not presenting its host certificate?  This is 2012 R2 if it matters.

Thank you!

PKI Create User Certificate with a custom validity period

Hello everyone,

I want to create different user certificates which have a manual validity period.

Certificate one: 10 days validity

Certificate two: 13 days 12 hours

How can I create this? Certutil?

Thanks for your help.

Creating a Custom Certificate Store

Hi,

Is it possible to create a custom certificate store in Windows?

Migrate to two-tier PKI (Microsoft)

Currently, I have one online enterprise root CA (also issuing certificates with the default templates) installed on a DC (yes, yes, I know: worst-case scenario). I have set up another offline server not joined to the domain, 2 IIS servers under an LB and 2 enterprise issuing servers, and I need a few answers before I proceed:

NOTE: The final goal is to REPLACE and not migrate the current set/certificates.

1) The current CA common name (not server name) is example-root-ca. Can I give the new offline root CA the same common name while installing the CA role? Will it somehow affect the current certificates? Should I use a new name, and why?

2) When installing multiple subordinate issuing servers, configuring the CA role again asks for a common name. So should the 2 servers use the same common name, or is it fine if they have different common names (or, as far as I remember, must it even be unique)? In that case, I am wondering how the clients will get their certificates: will some get them from server one and some from server 2? What will happen when they try to renew?

PKI | Certificate AutoRenewal of Multiple Custom SAN Certificates


Hello,

First of all, thanks for looking over this discussion!

I have a situation where I am trying to enable certificate auto-renewal and rebinding on a series of IIS servers, and preserve their SANs. Everything works great, except in some cases where auto-renewal is replacing multiple web certificates with only one.

We followed the documentation here: https://blogs.technet.microsoft.com/pki/2013/08/27/renew-web-server-ssl-certificates-automatically/

All of our prereqs are done: GPO, templates, and so on. Auto-renewal works; it executes great. The problem is that it takes several certificates and replaces them with just one, preserving the SANs from only one.

Our environment: A typical IIS server has 2 to 3 sites on it, each with its own certificate. Each cert has a different CNAME and SANs for its site. However, we set up the certificates to all be based on the same template in the CA to allow for auto-renewal and the preserving of SANs.

So here is my question: Could there be a setting causing it to merge the certificates on renewal? Is auto-renewal replacing based on template, causing all certificates on a server based on that template to be replaced? Does it not distinguish a certificate based on CNAME or SANs or any other criteria?

Thank you for your time!

Bryan W.

BW IT Pro


Windows Hello for Business with On-Prem MFA


Hello,

I have spent a considerable amount of time working on getting WHB working with On-Prem MFA.

Here is what works:

The MFA SDK

The MFA User Portal (users can login to the portal and they are 2FA authenticated)

The MFA UI: I can go in there and click test on people's profiles and it will test their 2FA

Here is what I am seeing:

I am already logged into my PC so I have no idea why it is asking me for authentication here:

Finally:

Event viewer on the AD FS server:

Encountered error during OAuth token request. 

Additional Data 

Exception details: 
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthInteractionRequiredException: MSIS9452: Interaction is required by the token broker to resolve the issue. The request requires fresh authentication.
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.HandleJWTBearerAccessTokenRequest(OAuthJWTBearerRequestContext jwtBearerContext, SessionSecurityToken ssoSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ProcessJWTBearerRequest(OAuthJWTBearerRequestContext jwtBearerContext)

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
OAuthAuthorizationProtocol 

Relying Party: 
urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A 

Exception details: 
Microsoft.IdentityServer.Web.Authentication.AuthenticationMethodUnavailableException: The selected authentication method is not available. Choose another authentication method or contact your system administrator for details.
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Does anyone know if there are other places in the logs that I can look at?

Disable creation of VPN "*Session" credential in Credential Manager without disabling all of Credential Manager?


Is there a way to disable creation of the VPN "*Session" credential in Credential Manager without disabling all of Credential Manager?

I know that you can disallow storing all domain creds in Credential Manager by setting the following registry entry to 1 (but this doesn't fix my issue):


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

Value Name: DisableDomainCreds

Value Type: REG_DWORD

Value: 1

On my Windows 8 Enterprise workstation, I use mapped drives with one domain account and Outlook with a different domain account. Using the fix above fixes my issue with mapped drives (after sleep mode, reconnect to VPN and my mapped drives won't reconnect until I delete the '*Session' credential) but then I cannot use Outlook at all.  Note: I do not log on to Windows 8 with either of the domain accounts mentioned above (I use a local admin account) and I do not 'save my password' in Outlook.



Change the CA certificate of the subordinate CA.

Hello,

We just changed the certificate authority on a Linux machine; the problem is that our domain controller on Windows Server 2012 is the subordinate CA.

What we want to do is change the CA of our subordinate CA and then renew the subordinate CA with the new CA.

We tried to import the new CA by going to "Certificate Authority (Local)" -> "All Tasks" -> "Install Certificate Authority Certificate".
But it tells us that the certificate does not match the old CA (which is normal, considering that we want to put a new one in and not just renew it).

We also tried to generate a new certificate from our subordinate; to do this we go to "Certificate Authority (Local)" -> "All Tasks" -> "Renew Certificate Authority Certificate".
We retrieved the .req on our new certification authority and then generated a certificate; from this step we do not know where to import it.

Thank you in advance for your help.

Use Azure MFA-server to protect internal resources?


Hi,

I want to set up MFA so that admin-users are asked for MFA when accessing internal servers via RDS or other services. Can Azure MFA server on-prem be used for this? If yes, any tips on how to do this?

Br,

Thor-Egil

certificate algorithm DSA

I need to generate an SSL certificate with the DSA algorithm using a Windows Server 2012 R2 infrastructure. Is this possible?


Disabled SMBV1 and now Workstation and Netlogon services won't start

I used a GPO to disable SMBv1 by changing the settings listed below. Once I did that I could no longer RDP into the server, and I noticed that Workstation and Netlogon were not started. When I try to start Workstation I get error 2, "The system cannot find the file specified", which I thought referred to WSService.dll, and that is present in the system32 folder. I then reversed the policy by removing the GPO and changing the registry settings back using the changes further below. I still can't start the service and get the same error. It has been rebooted after each change. This is an urgent issue for us, so any help would be greatly appreciated.

Disabled SMBV1 by registry changes through GPO as explained on TechNet -

1. Create a REG_DWORD of SMB1 in HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and set the value to 0

2. Create a REG_DWORD of Start in HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10 and set the value to 4

3. Replace REG_MULTI_SZ Value DependOnService value in HKLM\SYSTEM\CurrentControlSet\LanmanWorkstation with Browser, MRxSmb20, and NSI

Reversed GPO by disabling GPO and making the following registry changes:

1. Changed REG_DWORD SMB1 created in step 1 above to 1.

2. Changed REG_DWORD Start created in step 2 above to 2.

After trying the above and it not working, I also tried adding MRxSmb10 into the DependOnService list that was edited in step 3 above, although other servers I have that didn't have the GPO applied to don't have that in that registry entry. Still no luck. 

Any ideas on what else to try? 
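As an added check (not part of the original post), a read-only PowerShell audit of the three registry locations the GPO changed, so the host's current SMB1 state can be compared with the steps above before anything else is modified. It assumes an elevated session on the affected server and uses the full Services\LanmanWorkstation path for the Workstation service's dependency list.

```powershell
# Added example, not from the original post: read-only audit of the registry
# values the post's GPO touched. Assumes an elevated PowerShell session on the
# affected Windows Server 2012 R2 host. Nothing is written.

$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1'; Off = 0; On = 1; Note = 'SMB1 server (value absent = enabled by default)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
       Name = 'Start'; Off = 4; On = 2; Note = 'SMB1 client driver start type' }
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $state = 'not set'
    } else {
        $v = $item.($c.Name)
        if ($v -eq $c.Off)    { $state = "disabled ($v)" }
        elseif ($v -eq $c.On) { $state = "enabled ($v)" }
        else                  { $state = "unexpected ($v)" }
    }
    '{0,-6} {1,-48} {2}' -f $c.Name, $c.Note, $state
}

# Step 3 edited the Workstation service's dependency list. The key is
# HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation (under Services\).
# Each name in the list is checked against the Services keys so a stale or
# misspelled dependency is visible at a glance.
$wsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
$deps  = (Get-ItemProperty -Path $wsKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
'DependOnService: ' + ($deps -join ', ')
foreach ($d in $deps) {
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$d") {
        '{0,-10} service key present' -f $d
    } else {
        '{0,-10} NO service key: this dependency cannot be satisfied' -f $d
    }
}

# Cross-check with the SMB cmdlets and the two services the post says will not start.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
Get-Service LanmanWorkstation, Netlogon | Select-Object Name, Status
```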



SMB V2 protocol.

Hi team,

Our security team is asking me to disable the SMB v2 protocol and keep only SMB v3 on Windows Server 2012 R2 (it has AD on it), because they say SMB v2 is vulnerable. I have searched everywhere and not found any separate commands/article to disable SMB v2.

My question is: is there any option to disable SMB v2 alone on Server 2012 R2? If deactivated, what are the impacts?

Please confirm ASAP.


Active Directory Certificate services won't start - Error 100

I've migrated my Active Directory Certificate services Enterprise CA to a new server (and from Windows 2003 R2 x86 to Windows 2008 R2 x64).

I have been having problems with checking the Certificate Revocation Lists, but I've republished the revocation lists from the Root CA and when I run certutil -urlfetch -verify I don't get any errors: 

------------------------------------
Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

But I still get the same errors when I try to start the CA.  I get the following pop-up:

---------------------------
Microsoft Active Directory Certificate Services
---------------------------
The system cannot find the file specified. 0x2 (WIN32: 2)

The policy module for a CA is missing or incorrectly registered. To view or change policy module settings, right-click on the CA, click Properties, and then click the Policy Module tab.
---------------------------
OK   
---------------------------


and I get the following error in the log:

Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Date:          26/06/2012 15:59:45
Event ID:      100
Task Category: None
Level:         Error
Keywords:      Classic
User:          SYSTEM
Computer:      SRV112.cobbsch.cobbetts.co.uk
Description:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  Cobbetts LLP Enterprise CA The system cannot find the file specified. 0x80070002 (WIN32: 2).
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" /><EventID Qualifiers="49754">100</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2012-06-26T14:59:45.000000000Z" /><EventRecordID>852</EventRecordID><Correlation /><Execution ProcessID="0" ThreadID="0" /><Channel>Application</Channel><Computer>SRV112.cobbsch.cobbetts.co.uk</Computer><Security UserID="S-1-5-18" /></System><EventData Name="MSG_E_CA_CERT_INVALID"><Data Name="CACommonName">Cobbetts LLP Enterprise CA</Data><Data Name="ErrorCode">The system cannot find the file specified. 0x80070002 (WIN32: 2)</Data></EventData></Event>

I've tried rebooting the machine to see if there was some sort of cached failure that I needed to clear, and that's not made any difference.

I wondered if the SYSTEM account (which the service is running under) was lacking some permission that my domain admin account (which is the account that I'm running certutil under) has, but I've just run certutil from a SYSTEM command prompt (ie one launched with psexec -i -s cmd.exe) and I still get "CertUtil: verify command completed successfully."

Setting up ipsec

Hello,

Is it possible to set up IPsec to secure my network's traffic? I only find tutorials for VPN.

Many thanks.

SCEP Update failed with hr: 0x80072f8f 0x80070002 if outside LAN


I have SCEP configured:

which works perfectly fine. Updates are downloaded by a scheduled task to a share daily, and clients update from this share on schedule.

Policies apply fine and show correctly in

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Microsoft Antimalware\Signature Updates

FallbackOrder = FileShares|MicrosoftUpdateServer|InternalDefinitionUpdateServer

But if the user takes the laptop home the updates do not happen. Of course they would not happen from the share (as it is not accessible), but they SHOULD happen directly from the MS site.

I can even try to force a manual update from the GUI; it always errors out the same way.

MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1807.18075-0\MpCmdRun.exe" SignaturesUpdateService -UnmanagedUpdate
 Start Time: Sun Aug 19 2018 14:36:21

MpEnsureProcessMitigationPolicy: hr = 0x0
Start: Signatures Update Service
Update Started
Search Started (MU/WU update) (Path: https://fe2.update.microsoft.com/v6/)...
Search Completed 
Update failed with hr: 0x80072f8f
Update completed with hr: 0x80072f8f
End: Signatures Update Service
MpCmdRun: End Time: Sun Aug 19 2018 14:36:23


But I can download the full signatures mpam-fe.exe and run it (as the very same user) and it updates fine.

Something is just odd, any ideas anybody?

Seb




Lots of expired certificates on my HyperV server


I've been having all sorts of issues with ADCS not starting and in the process of trying to figure out why (I still haven't...) I noticed that in the Certification Authority there are a ton of expired certificates going back a few years. See the picture below.

(a) why are they there?

(b) should I delete them?

(c) is there anything I should do to stop them re-appearing, ie. do I need to generate one new certificate that has a "sensible" expiration date?

Thanks in advance for your help.


