Channel: Security forum

Certificate for Linux environment using local Microsoft CA setup on Windows Server 2008 R2


Hi All,

We have a local CA set up on Windows Server 2008 R2. A Linux developer in the organization wants a trusted SSL certificate signed by our CA.

I am not sure about the steps, though I tried hard to find them on the internet. Can someone help?

Regards,

Bill


Bind AD User with mac address in Thin Client Environment


Hi,

I want to bind an AD user to a thin client's MAC address so the user can log on to the assigned thin client or clients. I would be grateful for any script or third-party tool that can do the job.

Environment Details

  • Windows Server 2012R2 (RD server)
  • Thin Client (Sunray)

Regards


Rox_Star

Kerberos Attacks Questions


Hey, it's amazing how many "Attacks on Kerberos" articles exist out there and almost none of them really explains the small details.

My guess is that usually they assume it's basic knowledge, and sometimes they just don't know enough.

Anyway, here are the questions:

  1. How is PtT (Pass the Ticket) possible? You can easily take someone's ticket, but to use it you need to create an Authenticator, which means you need to get one of the keys that the client possesses (it depends on which step you are in) and even forge the IP address embedded in the stolen ticket.
  2. It does not sound reasonable to me that, given access to a client's computer memory, you would extract only Kerberos tickets and no session keys or clear-text/hashed passwords.
  3. If only Kerberos is used, where am I going to find any NTLM hash to commit OPtH (Over-Pass the Hash)?
  4. The RC4_HMAC_MD4 encryption type is not used by default in today's Windows operating systems, so how would I use an NTLM hash in OPtH? Is a downgrade the answer?
  5. I read in some article that Kerberoast's brute-force phase is done by trying different NTLM hashes. It seemed weird, so I assumed that it is done by trying clear-text passwords, which are used to generate NTLM hashes, which in turn are used as keys to try to decrypt the ticket's encryption. But that's not supposed to be the case: RC4_HMAC_MD4 is not used by default. AES is, and it has PBKDF2 as a hash algorithm (which is supposed to be BF-resistant).
  6. How is a Silver Ticket attack done when the victim server does check the PAC against the DC?
  7. Does the Golden Ticket attack build on the TGS cooperating with any given TGT? Which means that it will sign the PAC even if it's forged?

Thank you all.

If there is another forum similar to TechNet please let me know.

EventID 4776 - Credential Validation - Failed Audit


Hello,

We are currently having trouble tracing back the source of multiple failed login attempts, please help. It seems that we have a device trying to brute-force its way into our network. When I check our DC Security Logs, I see multiple (1000+) failed audits, Event ID 4776, with limited information. Below is an example of the Windows Security Logs and debug Netlogon logs. I've replaced any and all site-specific information.

When I check the security logs on 'Server1', they don't show any failed login attempts or anything suspicious. I ran a packet capture on 'Server1' while the failed logins were being generated to see if I could find the source. I was unable to find any of the failed audit account names, 'administrator' in this case, in the capture results.

Can someone please assist me in finding out what might be attacking 'Server1'? Could I use 'Netsh Trace' or Wireshark to determine the source of the attack and what port is being leveraged? Are there any additional logs I can enable or view to see what might be trying to authenticate against 'Server1'? The issue is still happening today and I can provide updated logs if need be.

Information Replaced
Domain Controller: ADServer (server 2012R2)
Domain Name: Domain.local
Server Name: Server1 (server 2008 R2)

Event ID from ADServer

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/21/2018 8:00:04 PM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      ADServer.domain.local
Description:
The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:          Administrator
Source Workstation:     MSTSC
Error Code:             0xC0000234

Verbose security logs

12/21 20:00:04 [LOGON] [2328] DOMAIN: SamLogon: Transitive Network logon of Domain\Administrator from MSTSC (via Server1) Entered
12/21 20:00:04 [LOGON] [2328] DOMAIN: SamLogon: Transitive Network logon of Domain\Administrator from MSTSC (via Server1) Returns 0xC0000234

P.S. As per best practice, our 'administrator' account is disabled.
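
The Netlogon debug lines in this post carry one field that Event 4776 itself does not: the "(via Server1)" hop, which is the member server that forwarded the credential validation to the DC and therefore the host whose connections are worth capturing. The "Source Workstation" value, by contrast, is supplied by the client inside the NTLM exchange and is not verified, so a string like MSTSC cannot be resolved to a source address on its own. The following Python is an added example, not part of the original post: it parses Netlogon "Returns" lines in the shape shown above, maps the NTSTATUS codes that 4776 reports in its Error Code field to their meaning (0xC0000234 is STATUS_ACCOUNT_LOCKED_OUT; a disabled account would return 0xC0000072), and groups the failures by relaying server, client-supplied workstation name and account so the noisiest path stands out. The log lines are constructed to match the post's format; hostnames and account names are placeholders.

```python
import re
from collections import Counter

# NTSTATUS values that Event ID 4776 reports in its "Error Code" field.
NTSTATUS = {
    0x00000000: "success",
    0xC0000064: "no such user",
    0xC000006A: "wrong password",
    0xC000006F: "outside permitted logon hours",
    0xC0000070: "workstation restriction",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000234: "account locked out",
}

# Netlogon debug-log "Returns" line in the shape shown in the post. The optional
# "(via <server>)" names the member server that forwarded the validation to the DC;
# "Entered" lines carry no status and are deliberately not matched.
NETLOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[\d+\] (?P<domain>[^:]+): "
    r"SamLogon: (?P<kind>.+?) logon of (?P<account>\S+) from (?P<workstation>\S+)"
    r"(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]{1,8})$"
)

# Constructed sample in the post's format (placeholder hosts and accounts).
SAMPLE_LOG = [
    "12/21 20:00:04 [LOGON] [2328] DOMAIN: SamLogon: Transitive Network logon of Domain\\Administrator from MSTSC (via Server1) Entered",
    "12/21 20:00:04 [LOGON] [2328] DOMAIN: SamLogon: Transitive Network logon of Domain\\Administrator from MSTSC (via Server1) Returns 0xC0000234",
    "12/21 20:00:05 [LOGON] [2328] DOMAIN: SamLogon: Transitive Network logon of Domain\\Administrator from MSTSC (via Server1) Returns 0xC0000234",
    "12/21 20:00:06 [LOGON] [2328] DOMAIN: SamLogon: Transitive Network logon of Domain\\Administrator from MSTSC (via Server1) Returns 0xC0000234",
    "12/21 20:00:07 [LOGON] [2328] DOMAIN: SamLogon: Transitive Network logon of Domain\\admin from MSTSC (via Server1) Returns 0xC0000064",
    "12/21 20:01:10 [LOGON] [2328] DOMAIN: SamLogon: Network logon of Domain\\jsmith from WS042 Returns 0x0",
]


def parse_netlogon(lines):
    """Return one dict per 'Returns' line with the status decoded to an int and a reason."""
    events = []
    for line in lines:
        m = NETLOGON_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"], 16)
        ev["reason"] = NTSTATUS.get(ev["status"], "unknown NTSTATUS")
        events.append(ev)
    return events


def summarize_failures(events, threshold=3):
    """Group non-success results by (relaying server, client-supplied workstation,
    account); return the groups with at least `threshold` failures, busiest first."""
    counts = Counter()
    reasons = {}
    for ev in events:
        if ev["status"] == 0:
            continue
        key = (ev["via"] or "<direct>", ev["workstation"], ev["account"])
        counts[key] += 1
        reasons.setdefault(key, set()).add(ev["reason"])
    report = []
    for key, n in counts.most_common():
        if n < threshold:
            break  # most_common() is sorted descending, so nothing later qualifies
        via, workstation, account = key
        report.append({
            "via": via,
            "workstation": workstation,
            "account": account,
            "failures": n,
            "reasons": sorted(reasons[key]),
        })
    return report


if __name__ == "__main__":
    for row in summarize_failures(parse_netlogon(SAMPLE_LOG), threshold=1):
        print(f"{row['failures']:>5}  via={row['via']:<10} workstation={row['workstation']:<8} "
              f"account={row['account']:<24} {', '.join(row['reasons'])}")
```

Feed it the Netlogon.log from the DC (with debug logging enabled, as in the post) rather than the 4776 events: the "via" column tells you which member server to run the capture on, and filtering that server's capture to inbound connections at the timestamps of the "Returns" lines is what narrows down the client address that the event's workstation field cannot give you.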


2 subordinate CA's same name


I look after some communications infrastructure for a customer, and it appears they have created an issue for me. A few weeks ago I was installing some new services that required SIP-SSL back to the main cluster. All servers are within the internal domain, so I have in the past used the customer's internal CA to create the certificates and also imported both the root and subordinate certificates into the certificate trust store of all the servers so that any created certificate was trusted.

The issue that I have now come across when adding the new devices is that the customer has updated the subordinate CA. I generated the new certificates and installed them, though unfortunately the new certificates weren't trusted until I installed the new CA's cert into the trust store, even though the new CA has been built using the original's credentials. This then caused the updated server to fail connection to the cluster, as the cluster's certs were signed by the old subordinate, which was now not trusted. I went around the cluster and generated all new certificates and updated the root and sub certs in all the trust stores, and everything was happy until now...

I have been asked to set up an SSL connection between the comms cluster and Exchange EWS for calendar integration, and it appears that the Exchange server certificates were signed by the old subordinate CA, so I am now getting a "bad signature" error. Is there a way to have both the old subordinate CA certificate and the new subordinate CA certificate (both with the same name) in the trust store? I am thinking that it would only use one even if both could reside in the same space?

 

IPSec Tunneling over Corporate VPN


Hello, I have a test setup using Microsoft Windows OS platforms running Microsoft's IPSec with certificate services. The solution works fine, except when trying it through a corporate VPN. Sniffing traffic from the client, I can see that no ISAKMP or ESP traffic is being established when the client is connected to the VPN. I am guessing NAT or firewall issues.

Does anyone know if there is a secure way of getting this to work without setting up an RD Gateway or some secondary parallel VPN solution? I am trying to keep it as simple as possible to support and maintain.


Prevent accessing archive emails from OWA


Hi! 

Currently we have the email archive attached to Outlook, which is fine, but we want to prevent this access from OWA to minimize the risk if an account is compromised (i.e. the attacker will not have 7 years of emails but just the recent ones).

I don't know if conditional access or any configuration could help. Does anyone have any idea or workaround to achieve this? Thank you very much!


required time to intermediate CA Certificate based on SHA1

If I have a Root CA with the SHA1 algorithm and I set up a new Root CA with SHA2, for how long can I issue Intermediate CA certificates with SHA1?

Disable access to email archive from OWA


Hi! 

Currently we have the email archive attached to Outlook desktop, which is fine, but we want to prevent this access from OWA to minimize the risk if an account is compromised (i.e. the attacker will not have 7 years of emails but just the recent ones).

I don't know if conditional access or any configuration could help. Does anyone have any idea or workaround to achieve this? Thank you very much!



Unable to Export certificates as Personal Information Exchange - PKCS #12 (.PFX) file format.

We are using Windows 2003 Certificate Authorities, and we are unable to export certificates as .PFX; our only options are DER encoded binary X.509 (.CER), Base-64 encoded X.509 (.CER), or Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B). The .PFX option is grayed out in the Certificate Export Wizard on the CA.

This poses a problem because our Windows 2008 server running IIS 7 wants us to import a certificate as .PFX.

Can someone explain what is happening and how to fix it, please?

How to force web enrollment to use 2048 key size instead of 1024


I have searched wincrypt.h and other locations and cannot find valid values for changing the default key size on requests done via the CA web enrollment from 1024 to 2048 (i.e. where is "16" defined? objPrivateKey.Length = nGenKeyFlags >> 16;).

Has anyone done this change before? If so can you provide sample code?

Here is the JavaScript code from xenrprxy.inc (notice objPrivateKey.Length = nGenKeyFlags >> 16;):

function XEp_SetGenKeyFlags(objPrivateKey, nGenKeyFlags)
{
<%If True=bLH Then%>
    // some constants defined in wincrypt.h (CryptGenKey dwFlags):
    var CRYPT_EXPORTABLE     = 1;
    var CRYPT_USER_PROTECTED = 2;

    // The low 16 bits of nGenKeyFlags are the CryptGenKey-style flags, mapped
    // here onto the CertEnroll IX509PrivateKey properties...
    objPrivateKey.KeyProtection = (0 != (CRYPT_USER_PROTECTED & nGenKeyFlags)) ? XCN_NCRYPT_UI_PROTECT_KEY_FLAG : XCN_NCRYPT_UI_NO_PROTECTION_FLAG;
    objPrivateKey.ExportPolicy  = (0 != (CRYPT_EXPORTABLE & nGenKeyFlags)) ? XCN_NCRYPT_ALLOW_EXPORT_FLAG : 0;
    // ...and the upper 16 bits carry the requested key length in bits.
    objPrivateKey.Length        = nGenKeyFlags >> 16;
<%End If%>
}


Patrick Henry Tronnier
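
The "16" in the snippet above is not a named constant from wincrypt.h; it comes from the layout that CryptGenKey documents for its dwFlags DWORD, where the low 16 bits hold flags such as CRYPT_EXPORTABLE and CRYPT_USER_PROTECTED and the upper 16 bits hold the key length in bits. The web-enrollment page keeps that layout in nGenKeyFlags and unpacks it onto the CertEnroll IX509PrivateKey properties. The following Python is an added example, not code from xenrprxy.inc or from the poster: it packs a requested key length into that layout, unpacks it exactly as XEp_SetGenKeyFlags does (XCN_NCRYPT_* values as defined in certenroll.h), and flags requests that fall below a chosen minimum. The MIN_RSA_BITS/MAX_RSA_BITS bounds and the 2048-bit minimum are this example's own assumptions.

```python
# Constants from wincrypt.h (CryptGenKey dwFlags, low 16 bits).
CRYPT_EXPORTABLE = 0x00000001
CRYPT_USER_PROTECTED = 0x00000002

# CertEnroll values (certenroll.h) that the enrollment page assigns to
# IX509PrivateKey.KeyProtection and IX509PrivateKey.ExportPolicy.
XCN_NCRYPT_UI_NO_PROTECTION_FLAG = 0
XCN_NCRYPT_UI_PROTECT_KEY_FLAG = 1
XCN_NCRYPT_ALLOW_EXPORT_NONE = 0
XCN_NCRYPT_ALLOW_EXPORT_FLAG = 1

# Upper 16 bits of the DWORD carry the key length in bits (CryptGenKey convention).
KEY_LENGTH_SHIFT = 16

# Assumed sanity bounds for this example only. Anything >= 32768 would set bit 31,
# which the page's signed JScript ">> 16" would decode as a negative length.
MIN_RSA_BITS, MAX_RSA_BITS = 1024, 16384


def pack_genkey_flags(key_bits, exportable=False, user_protected=False):
    """Build an nGenKeyFlags DWORD: key length in the upper 16 bits, flags below."""
    if not (MIN_RSA_BITS <= key_bits <= MAX_RSA_BITS) or key_bits % 8:
        raise ValueError(f"unsupported key length: {key_bits}")
    flags = 0
    if exportable:
        flags |= CRYPT_EXPORTABLE
    if user_protected:
        flags |= CRYPT_USER_PROTECTED
    return (key_bits << KEY_LENGTH_SHIFT) | flags


def unpack_genkey_flags(gen_key_flags):
    """Mirror of XEp_SetGenKeyFlags: the three IX509PrivateKey properties it sets."""
    return {
        "KeyProtection": (XCN_NCRYPT_UI_PROTECT_KEY_FLAG
                          if gen_key_flags & CRYPT_USER_PROTECTED
                          else XCN_NCRYPT_UI_NO_PROTECTION_FLAG),
        "ExportPolicy": (XCN_NCRYPT_ALLOW_EXPORT_FLAG
                         if gen_key_flags & CRYPT_EXPORTABLE
                         else XCN_NCRYPT_ALLOW_EXPORT_NONE),
        "Length": (gen_key_flags >> KEY_LENGTH_SHIFT) & 0xFFFF,
    }


def request_is_weak(gen_key_flags, minimum_bits=2048):
    """True when the packed request asks for a key shorter than the policy minimum."""
    return unpack_genkey_flags(gen_key_flags)["Length"] < minimum_bits


if __name__ == "__main__":
    legacy = pack_genkey_flags(1024)                        # the old 1024-bit default
    hardened = pack_genkey_flags(2048, exportable=True)     # 2048-bit, exportable
    for name, value in (("1024-bit", legacy), ("2048-bit", hardened)):
        print(f"{name}: 0x{value:08X} -> {unpack_genkey_flags(value)} weak={request_is_weak(value)}")
```

To move the page's default from 1024 to 2048 bits, the value passed as nGenKeyFlags must carry 2048 in its upper half (0x08000000 plus whatever low flags are wanted); the decode in XEp_SetGenKeyFlags then yields Length = 2048 without any change to the shift itself.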

Self Closing Popup Tab


Hi there,

I was browsing a site I shouldn't have visited in the first place. It's a download site with all sorts of stuff. I clicked on a button that opened a new tab, but it closed as soon as it opened. Is that something alarming? Or is this all it takes to infect your system?

A question about "Certificate Enrollment Web Services" e.g. CEP/CES


Hello,

I read the following article

https://blogs.technet.microsoft.com/askds/2010/02/01/certificate-enrollment-web-services/

It concerns non-domain-joined computers obtaining certificates from a domain-joined CA (Enterprise CA) over TLS (aka SSL).

I understand the concepts of what the article says, however there is a line that reads

Step 4. CES web service impersonates the client security context to request a certificate via DCOM, and then hands the certificate back to the client.

In order to 'impersonate a client' you need a 'security context', e.g. the security context of the client (for example creating a token based on their TGT, aka delegation). However, the client in this case is 'not domain joined', therefore the client will not be passing a Kerberos ticket or any SID information from Active Directory to the CES/CEP server from which it can create a token to impersonate the client. Therefore I assume the security context for this impersonation will be based on anonymous (and possibly the Everyone group, if the local security policy on the server is configured to add the Everyone SID to any anonymous access request).

If that is the case (e.g. using anonymous and possibly Everyone), that would mean you would need to add an ACE (access control entry) for anonymous/Everyone to the certificate template(s) to allow a client to request a certificate based on that template.

Also, does CEP/CES offer a REST API?

Can someone please clear this up for me ?

Thank you 

CXMelga

Unable to modify the Enable Protected mode settings


In IE11, I am unable to modify the Enable Protected Mode setting. It's grayed out, and if I change the value in the registry it is also not reflected in IE. Is there any way to resolve this? Please advise.

It's not reflected in all the zones.

Registry Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1


vicky

An extended error has occurred. Failed to save Local Policy Database.


Strange error. I have a system running Server 2012 R2 Datacenter as a development environment and workstation for my use.


It is not running AD and is not joined to the domain. It sits on its own isolated network, actually, and thus has only one user. I want the one user to be the administrator account, but I don't use the administrator user name. So when I go into the Local Security Policy and change the field

Local Policies --> Security Options --> Accounts: Rename administrator account

I'm not sure what the issue is. The only reason I even have to do this is because of the (as far as I can tell) unchangeable policy preventing anyone but the built-in administrator from burning discs...

Does anyone have any ideas here?

Thanks!


Key-based renewal auto enrollment issue


Hi everyone!

I was trying to set up key-based renewal for servers that are not domain-joined to the same domain as my PKI.

To configure my lab I followed these two articles, except that I only set up one server with both CES/CEP services instead of two separate servers:

https://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx?wa=wsignin1.0#top
https://technet.microsoft.com/en-us/library/jj590165(v=ws.11).aspx

All servers are running WS2012 R2. My lab has one Enterprise Issuing CA and one CES/CEP server configured with both certificate and UserPass authentication methods.

Following the steps in those labs I was not able to renew any certificate by auto-enrollment. When I force auto-enrollment with "certutil -pulse" these errors are logged in eventvwr:

ERROR 82: Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {93D57D92-0ACD-4F36-B8E5-614C1D46957A} (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790 NTE_SILENT_CONTEXT)). Failed to enroll for template: Test_crossforestservers2
ERROR 13: Certificate enrollment for Local system failed to enroll for a Test_crossforestservers2 certificate with request ID Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790 NTE_SILENT_CONTEXT) from N/A ()
ERROR 80: Certificate enrollment for Local system cannot enroll for a Test_crossforestservers2 certificate because the certificate enrollment server MyCA is ROBO and only renewal is supported.

However, if I simulate auto renewal manually by MMC or "certutil -renew" it works great.
Is there any issue regarding auto-enrollment and key-based renewal? Or maybe my issue is that my CES/CEP are on the same server?

Thanks!!!

Alberto




Adding new URL Location of existing ROOT and Intermediate CA


Some time ago I built a new PKI. The locations of the Root and Intermediate (issuing) CA certificates are, for example: http://test.pki.com/rootca.cer and http://test.pki.com/subca1.cer (and subca2, subca3, subca4).

In my environment I have 4 Issuing CAs. All works fine. Recently I received information that we are going to add an additional location for the certificates. Let's say that this is due to policies and rules.

It means we will have a new IIS with the addresses http://test.second.pki.com/rootca.cer and http://test.second.pki.com/subca1.cer

And now my question: taking into account that the whole PKI is ready, when we add another location, how will end users and servers be able to validate the root certificate?

Let's say that we closed the network connection to the test.pki.com websites so only test.second.pki.com is reachable. However, there is no information about it in the SSL certificate or in any other certificate already issued by one of the issuing CAs. I assume that even when I add a new AIA location, this will only be available on certificates which are issued after that change. Moreover, what about the root? Information about the ROOT cert is stored in the AIA of the Intermediate CA certificate. Does it mean that in order to change it, I would need to enrol new certificates for the Issuing CAs?

I got hacked; when I turn on the firewall, I get kicked out of the server


How can I reset the firewall settings without turning it on?

I tried: 

netsh advfirewall reset

you get a message to turn it on first.

Help please, as I need to block some IPs.

Thank you.

Sawsan

Two-factor Authentication for RDP on Windows Server


Hello Everyone,

I would like to know if there is a module or add-on integrated by Microsoft in Windows Server 2008 R2 or later that would allow me to configure two-factor authentication for RDP (remote access).

Please Help,

many thanks,

Rose
