Channel: Security forum
Viewing all 12072 articles

Random Login issue - Username or password incorrect


I'm having a seemingly random login issue authenticating with a Windows 2012 R2 server.

I'll get the error "Username or password is incorrect, try again" when I absolutely know I'm using the correct username and password.

I'll log on as a local admin to my PC to investigate. I can resolve any host name I try to reach, ping everything successfully, and open a remote desktop to other servers or hosts by name.

Then, after some time, without having changed or rebooted anything, I can suddenly log on to the domain successfully.

This is happening more and more frequently and I'm struggling to find the issue before it becomes widespread among more users.

Anyone have any experience with this or any idea? Any ideas would be appreciated; this has been happening for months and I've no idea why it happens or how it resolves.

Thank you.


Event ID 4625 followed by Event ID 4776 - An account failed to log on - The computer attempted to validate the credentials for an account.

Hi experts,

I am getting events flooded with 4625 and 4776 audit failures.
When I log in to Server30 I can see event IDs 4625 and 4776. Server30 is in domain xyz.com, whereas Server20 is in domain abc.com.
The account Server20$ does not exist at all. Server20 is accessing Server30 with some other account, but there is no account by the name Server20$.
How do I troubleshoot this?

Event ID 4625

An account failed to log on.
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Server20$
Account Domain: abc.com

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: Server20
Source Network Address: 192.168.1.1
Source Port: 98765

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
-----------------------------------------
Event ID 4776
The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Server20$
Source Workstation: Server20
Error Code: 0xC000006

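The two posts above are both chasing the same pair of events. As an added example (editor's code, not from either post), the script below pulls recent 4625 and 4776 audit failures from the Security log, decodes the NTSTATUS codes that appear in the posts (0xC000006D is the generic logon failure; the 4625 Sub Status 0xC0000064 means the user name is not known to the authority that validated it), and groups by account and source so a single noisy caller such as Server20 stands out from a user's intermittent failures. The lookback window and the code table are editorial choices; run it elevated on the machine that logs the events.

```powershell
# Added example (not from the original posts): summarise 4625/4776 audit failures
# and decode the status codes. Requires PowerShell 3.0+ and an elevated session.
$StatusText = @{
    '0xC000006D' = 'STATUS_LOGON_FAILURE (bad user name or password)'
    '0xC0000064' = 'STATUS_NO_SUCH_USER (user name does not exist at this authority)'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC000015B' = 'STATUS_LOGON_TYPE_NOT_GRANTED'
    '0xC0000133' = 'STATUS_TIME_DIFFERENCE_AT_DC (clock skew)'
    '0xC000018C' = 'STATUS_TRUSTED_DOMAIN_FAILURE (trust problem between domains)'
}

function Resolve-Status {
    param([string]$Code)
    # Hashtable keys are case-insensitive, so the lowercase hex in the event XML matches
    if ($Code -and $StatusText.ContainsKey($Code)) { $StatusText[$Code] } else { $Code }
}

function Get-LogonFailureSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625, 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($e.Id -eq 4625) {
            # For 4625 the SubStatus carries the specific reason; Status is the generic one
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = 4625
                Account = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                Source  = '{0} {1}' -f $d['WorkstationName'], $d['IpAddress']
                Package = $d['AuthenticationPackageName']
                Reason  = Resolve-Status $d['SubStatus']
            }
        } else {
            # 4776 is logged by the computer that validated the NTLM credentials
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = 4776
                Account = $d['TargetUserName']
                Source  = $d['Workstation']
                Package = $d['PackageName']
                Reason  = Resolve-Status $d['Status']
            }
        }
    }
}

# Who is failing, from where, and why: the top rows are the accounts to chase first
Get-LogonFailureSummary -Hours 24 |
    Group-Object Id, Account, Source, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```

For the intermittent "Username or password is incorrect" case, run it on the domain controllers rather than the client and compare the Reason column against the times the user was refused: a clock-skew or trust status code points at a very different fix than a bad-password one.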

certutil -syncWithWU = Access denied


Hi!

d:\cert>certutil -generateSSTFromWU WURoots.sst
Access is denied. 0x80070005 (WIN32: 5) -- authrootstl.cab
CertUtil: -generateSSTFromWU command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

d:\cert>certutil -syncWithWU d:\cert
Access is denied. 0x80070005 (WIN32: 5) -- authrootstl.cab
CertUtil: -syncWithWU command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

Why?

Win7 and Win 10 (x64, not a server). Running from elevated CMD. Tried disabling UAC -> no changes.

Some KBs are not visible via get-hotfix and wmic, but are visible in Control Panel.


Hi,

Do you know why I do not see KB4470640 (KB for .NET 4.5.2) or KB4470637 (KB for .NET 4.6-4.7.2) installed when I try to use the get-hotfix command?
Also, when trying to use the wmic qfe command I do not see these KBs on the list.
I can see them only in Control Panel.
I'm only able to see KB4470641 (.NET 3.5) via these commands.

Servers were rebooted.
OS: Windows 2008 R2
I have a similar situation on 50 servers.

802.1X - user and computer authentication - new user scenario


Hi,

Hoping to get some clarification on this...

The machines are part of a GPO that configures 'user and computer authentication' on the network adaptor via certificates, and when they boot up they authenticate against the RADIUS server (Cisco ISE in this case) absolutely fine: you see the certificate authenticate against the server and it gets given access to the network. The access given at present is full access, though the objective is to change this to limited access once everything is working.

Now if a user that has already logged into this machine before (and so has a certificate already installed) logs into this machine there's no issue: the user certificate is sent to the RADIUS server as expected, which authenticates and authorises it onto the network with full access.

The problem is, when a new user logs into this same machine (and so does not have a certificate yet) it no longer works. The user is meant to download a certificate at login, which I believe it should be able to do as the machine has already been granted access, and so the port has opened up to allow communication on the network. Instead, after login I don't see any user certificate authentication against the RADIUS server, the user doesn't seem to download the certificate, and it also seems to kill off the existing machine authentication and ends up going down a MAC Address Bypass (MAB) process.

Any thoughts?

Thanks in advance 

Oh, and this is on Windows 10.

SmartCard - User still able to log in with revoked certificate.

Hi everyone, 

Need your help on OCSP setup. I have set up the infrastructure accordingly. Everything is working fine, except for the client smart card logon: apparently the user is still able to log in although the certificate has been revoked.

I have verified the issued certificate using the URL Retrieval Tool (certutil -url xxx.cer) on the DC and the client machine; it shows that the certificate is able to contact the OCSP server and it returns revoked status.

And I have verified too using certutil -url xxx.cer and it returns revoked status too. Same goes for certutil -scinfo where I read the cert from the smart card; it also returns the same status.

In addition, I have tried the same setup using VMs, as I naively thought it was due to a network issue (as I'm using a hotspot to connect the physical machines), and still it has the same result. Is there anything I missed out in the setup process?

Much appreciate if someone could help out here. Been cracking my head on this for many days.

Thanks,
Jo
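
For smart card logon the revocation decision is made on the domain controller that handles the Kerberos PKINIT request, not on the client, and Windows keeps CRLs and OCSP responses in a cache until their own validity period ends. So a certificate revoked after the DC last fetched revocation data will keep working until the cache turns over, even though certutil -url, which fetches live, says revoked. As an added example (editor's code, not from the post) the function below validates the exported smart card certificate the way a relying party does, with online revocation checking for the whole chain, and then flushes the DC's revocation caches so the next logon re-fetches. The .cer path is a placeholder.

```powershell
# Added example (not from the original post): chain-build a smart card logon cert
# with online revocation checking, then clear the cached CRL/OCSP data on the DC.
function Test-CertRevocation {
    param([Parameter(Mandatory)][string]$Path)   # placeholder: exported user cert
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'Online'       # fetch CRL/OCSP, do not rely on cache alone
    $chain.ChainPolicy.RevocationFlag    = 'EntireChain'  # check every certificate, not just the leaf
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'
    $ok = $chain.Build($cert)
    [pscustomobject]@{
        Subject  = $cert.Subject
        Valid    = $ok
        Revoked  = [bool]($chain.ChainStatus | Where-Object { $_.Status -eq 'Revoked' })
        Problems = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        Chain    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

Test-CertRevocation -Path 'C:\temp\smartcard-user.cer' | Format-List

# On each DC that accepts the logon: drop cached CRLs and OCSP responses and make
# the chain engine resynchronise, then retry the smart card logon.
certutil -urlcache crl delete
certutil -urlcache ocsp delete
certutil -setreg chain\ChainCacheResyncFiletime @now
```

If the logon still succeeds after the flush, compare the CRL's NextUpdate and the OCSP response validity against the revocation time: a freshly revoked certificate is not reported as revoked until the CA has published a new CRL (and the OCSP responder has picked it up), regardless of what the client's cache says.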

NDES / SCCM - Intune Certificate Provisioning


Hi All,

I am running into an issue with NDES / SCCM Intune Certificate Provisioning.

My iOS device can successfully receive the Root CA payload, and the Wireless Profile. However, the SCEP certificate is not being issued to the device.

When I look in the logs on the NDES server (NDES.log), I see the following lines:

<![LOG[Failed to retrieve client certificate. Error -2147467259]LOG]!><time="20:48:44.215+00" date="08-17-2015" component="NDESPlugin" context="" type="3" thread="4064" file="httprequest.cpp:240">
<![LOG[Exiting VerifyRequest with 0x80004005]LOG]!><time="20:48:44.215+00" date="08-17-2015" component="NDESPlugin" context="" type="1" thread="4064" file="ndesplugin.cpp:874">

The NDES server is able to communicate with the CA, and the client is able to successfully hit the external DNS name of the NDES server on port 443.

The whole process seems to be working just fine except for the SCEP cert generation to the client.

I have verified that the CRP on the SCCM server logs are clean and all show expected results.

The NDES user is a local admin on the NDES server and I have verified that the Application Pool identity references the NDES user.

Any idea what is going on here?

TIA!


RasClient - error 1931


Hi,

I have a VPN connection of type IKEv2. This connection was working without any problem for a long time.

Now it's not working any more, and in Event Viewer I have this error: CoId={9F462888-8B6A-4064-A54A-7FD7D1EAB9F9}: The user SYSTEM dialed a connection named XYZ which has failed. The error code returned on failure is 1931.

What does this code mean?

Tks,
CM


Administrative Template (Office Escrow Key) Not Applying to Clients?


Hello,

I'm trying to implement DocRecrypt ability for all of our client computers in the event we need to unlock a password protected Office file. More documentation here:
https://docs.microsoft.com/en-us/deployoffice/security/remove-or-reset-file-passwords-in-office

So my steps have been the following:

-Install Office Security Administrative Template GPOs on domain controller.

-Create User certificate on domain controller under Administrator account.
-Created a GPO with Escrow Key #1 enabled and assigned the thumbprint of the User certificate that I created.
-Linked this GPO to my domain and forced update to all client computers

-Created a password protected test file on client computer. Moved it to domain controller and tried to un-protect using DocRecrypt.

Unfortunately, it doesn't seem like this certificate is being applied to new password protected documents on the client machine as DocRecrypt says no certificate found. Either that or it somehow can't find the certificate on the domain controller. Any ideas what I might be doing wrong here?

Since I installed the new administrative templates on the domain controller, is the issue that these templates need to be installed on the client machines as well to function once they pull from the GPO? Is there a way to remotely install these new templates to all client computers or would I have to do this manually if this is indeed the issue?

How to run an application with admin privileges?


Hello, 

I have software for browsing cameras in our monitoring system. All computers in my company are in the domain. To run the mentioned application the standard user is prompted for admin credentials (I don't know why).

I don't want to grant my security guys either local or domain admin privileges to run this application. How can I solve this problem?

I tried to create shortcut, it doesn't seem to work though:

runas /user:DOMAIN\domain_admin /savecred "path/app.exe"

Any suggestions and alternative solutions would be welcomed.

Best Regards,

Stefan
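
The runas /savecred shortcut in the post is worth avoiding regardless of whether it works: it stores the domain admin's password in the user's Credential Manager, and the user (or any code running as them) can reuse that saved credential for anything, not just the camera viewer. As an added example (editor's code, not from the post), the script below first reads the application's embedded manifest to see whether it merely declares requestedExecutionLevel=requireAdministrator, and then launches it with the RunAsInvoker compatibility layer, which suppresses that elevation request so the program runs as the standard user. If the viewer then works, it never needed admin rights; if it fails on a specific file or key, grant that ACL instead of admin. The executable path is a placeholder.

```powershell
# Added example (not from the original post): run a legacy app without elevation.

function Get-RequestedExecutionLevel {
    # Read the embedded application manifest to see whether the EXE demands elevation.
    param([Parameter(Mandatory)][string]$Path)
    $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($Path))
    if ($text -match 'requestedExecutionLevel\s+level\s*=\s*["'']([^"'']+)["'']') { $Matches[1] }
    else { 'none (no requestedExecutionLevel in manifest)' }
}

function Start-AsInvoker {
    # __COMPAT_LAYER=RunAsInvoker makes the loader ignore requireAdministrator /
    # highestAvailable in the manifest, so the child runs with the caller's token.
    param([Parameter(Mandatory)][string]$Path, [string[]]$ArgumentList)
    $saved = $env:__COMPAT_LAYER
    try {
        $env:__COMPAT_LAYER = 'RunAsInvoker'          # inherited by the child process only
        if ($ArgumentList) { Start-Process -FilePath $Path -ArgumentList $ArgumentList }
        else               { Start-Process -FilePath $Path }
    } finally {
        $env:__COMPAT_LAYER = $saved
    }
}

$app = 'C:\Program Files\CameraViewer\app.exe'       # placeholder path
"Manifest requests: $(Get-RequestedExecutionLevel -Path $app)"
Start-AsInvoker -Path $app
```

Put the two lines at the bottom in a .ps1 or a shortcut that calls powershell.exe for the guards' desktops. If the application genuinely writes under its own Program Files folder or an HKLM key, use Process Monitor to catch the ACCESS DENIED and then grant Modify on that one path with icacls; that is still far narrower than a local administrator token, let alone a saved domain admin password.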


Error when generating CSR using certreq.exe


Good day!

I have encountered an error when trying to generate a CSR. The following is my req.inf file.

[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "CN=DC01.Fabrikam.com"
HashAlgorithm = SHA384
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Microsoft Software Key Storage Provider"
KeyUsage = 0xa0
KeySpec = 1
MachineKeySet = True
RequestType = PKCS10 
SMIME = False
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=DC01.Fabrikam.com"

After that I use the following command to generate the CSR and encounter the error below:

certreq.exe -new req.inf request.req

Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13 Error_INVALID_DATA)

req.inf([NewRequest] KeyAlgorithm ="RSA") <=> KeySpec?

I did try to change KeySpec = 1 to KeySpec = AT_KEYEXCHANGE but it did not solve the issue.

But if I remove KeyAlgorithm = RSA, the CSR can be generated successfully.

Is there something I specified wrongly regarding KeyAlgorithm and KeySpec? Can anyone enlighten me regarding the issue?
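
The error text itself pairs the two directives ("KeyAlgorithm ="RSA") <=> KeySpec?"): KeySpec (AT_KEYEXCHANGE / AT_SIGNATURE) is a legacy CryptoAPI CSP property, while KeyAlgorithm is the CNG way of naming the key type, and the provider in the file, Microsoft Software Key Storage Provider, is a CNG KSP. Since the poster's workaround was to drop KeyAlgorithm, the added example below (editor's code, not from the post) takes the other route, keeping KeyAlgorithm and omitting KeySpec, which is the combination a KSP expects; that choice is the editor's assumption and the certutil -dump at the end lets you confirm the request carries the algorithm, key usage and SAN intended. Subject and SAN are the ones from the post.

```powershell
# Added example (not from the original post): generate the same CSR from PowerShell,
# with KeySpec removed because the request uses a CNG KSP and names KeyAlgorithm.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=DC01.Fabrikam.com"
; SHA-384 request signature, 2048-bit RSA key in the CNG software KSP
HashAlgorithm = SHA384
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Microsoft Software Key Storage Provider"
; 0xa0 = digitalSignature (0x80) + keyEncipherment (0x20)
KeyUsage = 0xa0
MachineKeySet = True
RequestType = PKCS10
SMIME = False

[EnhancedKeyUsageExtension]
; serverAuth
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; subjectAltName with a DNS entry matching the CN
2.5.29.17 = "{text}"
_continue_ = "DNS=DC01.Fabrikam.com"
'@

$work = Join-Path $env:TEMP 'csr'
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Content -Path "$work\req.inf" -Value $inf -Encoding ASCII

certreq.exe -new "$work\req.inf" "$work\request.req"

# Inspect what was actually requested before handing it to the CA
certutil.exe -dump "$work\request.req" |
    Select-String 'Subject:|Algorithm ObjectId|Key Usage|DNS Name|Server Authentication|Public Key Length'
```

If the request must come from a legacy CSP instead (for example for an application that cannot use CNG keys), do the reverse: set ProviderName to a CSP such as "Microsoft RSA SChannel Cryptographic Provider", keep KeySpec, and leave KeyAlgorithm out.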

SHA2 certificates can be generated from Windows 2008 PKI setup


Can we create SHA2 certificates from windows 2008 CA Setup? 


Active Directory logon event - multiple source IP addresses?


Hello, I am seeing AD logon events with multiple source addresses, i.e. two separate IP addresses: the address of the wired Ethernet LAN and the address of the Wi-Fi NIC.

How could this be happening, i.e. receiving a logon event to AD with the two source IP addresses of the same machine at the same time?

Thank you.

Example (note the two source IP addresses, one for the wired and one for the Wi-Fi NIC, 'ip:10.100.5.103:10.90.0.184'):

[RECV_EVENT_FROM_DC]packet_len:62 dcagent_ip:10.5.1.62 time:1547863053 data_len:45 data:E7440-CWMLH12.domain.forest/DOMAIN/DaveParker ip:10.100.5.103:10.90.0.184

Importing a Certificate to Users' Personal Store


I located an article where a user wrote a .bat and a .vbs script to silently install a certificate on their clients' machines in the Personal store for each user:

Since Group Policy and Group Policy Preferences didn’t offer a way to import a .PFX certificate into a user’s Personal certificate store, I turned to scripting the solution.

I first placed the vendorcertificate.pfx on a network share (e.g. %LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx).

Next I created a .BAT script named import-certificate.bat which runs this command:

certutil -f -user -p "CertificatePassword" -importpfx "%LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx"

I then created a .VBS script named import-certificate-silently.vbs that will run the import-certificate.bat script silently (so the user does not see a flash of the CMD window when this runs):

Set oShell = CreateObject ("Wscript.Shell") 
Dim strArgs 
strArgs = "cmd /c %LOGONSERVER%\netlogon\certificates\import-certificate.bat" 
oShell.Run strArgs, 0, false

I'm testing this on my local machine before pushing it out to my clients. I'm importing a .cer file, so I changed the script slightly:

certutil -f -user -importcert "\\server\path\certificate.cer"

This works perfectly; it brings up the certificate installation window and I can direct it to install for the current user and select to install in the Personal store.

However, running the VBS script above (edited path to my file, of course) yields no results. I just get a quick processing circle flash and the certificate doesn't install.

Any advice on what I'm missing or another avenue to push this certificate easily to all client users' Personal stores?
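
certutil -importcert opens the interactive import wizard, which is why the user sees a window when running it by hand and nothing when the VBS launches it with a hidden window (Run ..., 0): the wizard is created but no one can click it. The silent equivalents are certutil -addstore, or the .NET certificate store API. As an added example (editor's code, not from the post or the quoted article), the function below imports a .cer into the current user's Personal store with no UI, skips it if the thumbprint is already present, and needs only PowerShell 2.0, so it runs from a logon script on older clients without the PKI module. The UNC path is a placeholder.

```powershell
# Added example (not from the original post): silent import of a .cer into the
# current user's Personal (My) store, idempotent on thumbprint.
function Import-UserCert {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$StoreName = 'My'                      # 'My' is the Personal store
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'CurrentUser'
    $store.Open('ReadWrite')
    try {
        $present = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        if ($present.Count -eq 0) {
            $store.Add($cert)
            "imported $($cert.Subject) [$($cert.Thumbprint)]"
        } else {
            "already present [$($cert.Thumbprint)]"
        }
    } finally {
        $store.Close()
    }
}

Import-UserCert -Path '\\server\share\certificate.cer'   # placeholder path

# The same import without PowerShell, for the .bat approach (no wizard appears):
#   certutil -user -addstore My "\\server\share\certificate.cer"
```

Two caveats on the quoted .pfx variant: -importpfx is already non-interactive when -p is supplied, but the PFX password then sits in a batch file on a share every domain user can read, so anyone can extract the private key; and a PFX that carries a private key should only be pushed to users who actually need that key, whereas a .cer (public certificate only) is harmless to distribute broadly.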


Need help with Server 2012 R2 domain controller registry warnings, Source CertificateServicesClient-AutoEnrollment, Event ID 64


(I asked the following question in the Server forum, someone suggested asking in this forum instead...)

I need help with a lot of registry warnings on my Server 2012 R2 domain controller, 3 per day, all the same, sample below. Can anyone help me resolve this issue?

Registry entry sample:

Log: Application
Source: CertificateServicesClient-AutoEnrollment
Event ID: 64
Description: Certificate for local system with Thumbprint _____ is about to expire or already expired. (Thumbprint removed for security purposes.)
Provider:
   [ Name]  Microsoft-Windows-CertificateServicesClient-AutoEnrollment 
   [ Guid]  {F0DB7EF8-B6F3-4005-9937-FEB77B9E1B43} 
   [ EventSourceName]  AutoEnrollment 

I started scanning my cert store for likely certs without success, then resorted to a full PowerShell dump to a text file and still couldn't find a cert with a matching thumbprint. My PowerShell script is:

cd CERT:\\
ls . -Recurse

I got nearly 1300 lines of output (i.e. zillions of certs), but the thumbprint in the registry warning is not listed.
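
The Cert: drive only walks the store names its provider knows, and it shows nothing from the per-service stores a domain controller also holds (the AD DS service has its own NTDS\My store, managed with certutil -service). As an added example (editor's code, not from the post), the script below reads the thumbprint straight out of the Event ID 64 entries, enumerates every store name registered under the SystemCertificates registry keys for both LocalMachine and CurrentUser, opens each through the .NET store API and searches for that thumbprint, and finally lists the NTDS service store. Event IDs, provider name and registry paths are real; nothing else in the environment is assumed.

```powershell
# Added example (not from the original post): locate a certificate by thumbprint in
# every registry-backed store, plus the AD DS service store, on a domain controller.
function Find-CertByThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $tp = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpper()   # event text has spaces between bytes
    $roots = @{
        LocalMachine = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates'   # machine store names
        CurrentUser  = 'HKCU:\SOFTWARE\Microsoft\SystemCertificates'   # user store names
    }
    foreach ($loc in $roots.Keys) {
        $names = Get-ChildItem $roots[$loc] -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName }
        foreach ($name in $names) {
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $name, $loc
            try { $store.Open('ReadOnly, OpenExistingOnly') } catch { continue }
            $hits = $store.Certificates.Find('FindByThumbprint', $tp, $false)
            $store.Close()
            foreach ($c in $hits) {
                [pscustomobject]@{
                    Location = $loc; Store = $name; Subject = $c.Subject
                    Issuer = $c.Issuer; NotAfter = $c.NotAfter; HasPrivateKey = $c.HasPrivateKey
                }
            }
        }
    }
}

# Pull the thumbprints from the warnings themselves instead of retyping them
$filter = @{ LogName = 'Application'; Id = 64
             ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' }
$thumbs = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 |
    ForEach-Object { if ($_.Message -match 'Thumbprint\s+([0-9A-Fa-f ]{40,})') { $Matches[1].Trim() } } |
    Sort-Object -Unique

foreach ($t in $thumbs) {
    "== Event 64 thumbprint: $t"
    Find-CertByThumbprint -Thumbprint $t | Format-Table -AutoSize
}

# The AD DS service store is not visible under Cert:\ at all
certutil -service -store NTDS\My | Select-String 'Cert Hash\(sha1\)|Subject:|NotAfter'
```

Whichever store the certificate turns up in, the warning stops once that certificate is renewed or removed; if it is in NTDS\My, manage it with certutil -service -store NTDS\My rather than the Certificates MMC snap-in for the computer account.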


PKI: Unable to ping CA service


Hi All,

We have 4 Enterprise CAs in our environment and I'm unable to ping only one CA; all other CA interfaces are reachable. I'm unable to ping the CA service using the certutil -ping command and get the error below. Also, the CA status is showing offline or unavailable in PKIView. I checked the CA status and it's up and running. I've also tried to issue a certificate from my client machine manually and it's working. No issues observed for CRL publishing either. The interface was reachable until yesterday.

Error:

Server could not be reached: The permissions on this certification authority do not allow the current user to enroll for certificates. 0x80094011 (-2146877423 CERTSRV_E_ENROLL_DENIED) -- (3422ms)

CertUtil: -ping command FAILED: 0x80094011 (-2146877423 CERTSRV_E_ENROLL_DENIED)
CertUtil: The permissions on this certification authority do not allow the current user to enroll for certificates.



Checked the below settings

-------------------------------
Service is up and running. Also, I'm able to issue/request certificates manually from the CA.

Both the client and the CA have DCOM enabled and configured correctly.

Checked the RPC service and it's running.

Checked and the DCOM is enabled on the CA server.

Checked the Certificate Service DCOM Access group and I can see NT AUTHORITY\Authenticated Users is part of this group.

Please let me know what can be checked further?

Thanks,

Shaan

Event Log Collector failed


Hi,

We've deployed a Windows event log forwarder/collector system. Currently, our DCs have been forwarding Security events for almost 3 months.

Today, I've noticed that there has been a gap in forwarded events. The collector stopped collecting events on 2019-01-16 and started collecting events again on 2019-01-21 (at the same time that the collector server was restarted).

I noticed it in a routine check (found we had only 3 archived security evtx files last week).

Subscriptions are 'Source computer initiated' with HTTP + 'Minimize latency' as advanced settings, and I'm collecting all security events there.

My questions so far are:

* How can I diagnose what happened?

* What may I do to prevent that happening again?

* The DCs have these logs already archived in EVTX files. Is there any way I can forward them to the central log collector?

* Related to the first two questions, is there any event ID, log, or whatever to check if that has happened previously?

Both DCs are Server 2008 R2 and the event log collector is Server 2016 Datacenter.

Thanks!


How to find which ports are used in an existing Microsoft CA environment


We are migrating our Microsoft CA to the AWS cloud and we need to list the ports used in the migration approach. How do we find which ports are used in the existing Microsoft CA environment?

We know the common ports used by a CA and we can open all of them, but how do we find any other ports and random ports that need to be opened?

Is there any way we can find the list of ports involved in the existing environment other than checking in the firewall?

Also, let me know whether the ports below need to be opened in the firewall:

DCOM / RPC random port
HTTP 80
RPC 135
UDP/TCP 135
UDP 389
TCP/UDP 464
TCP 3268 and 3269
TCP/UDP 53
UDP 636
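
Rather than reasoning from a generic port list, observe the CA itself over a busy period. Its RPC/DCOM interfaces (used by certreq, the MMC snap-ins, autoenrollment and certutil -ping) register with the endpoint mapper on TCP 135 and then listen on a port from the dynamic RPC range, which is the "random port" in the list; web enrollment and CEP/CES go through IIS on 80/443. As an added example (editor's code, not from the post), the function below finds the certsvc process, lists what it is listening on and which clients are connected to which local port, then prints the machine's dynamic port range. The final comment shows the documented registry knob for narrowing that range so a firewall rule can be specific; the range quoted there is an example, not a requirement. Get-NetTCPConnection needs Windows Server 2012 or later.

```powershell
# Added example (not from the original post): see which ports the CA really uses.
function Get-CAPorts {
    $svc = Get-CimInstance Win32_Service -Filter "Name='CertSvc'"
    if (-not $svc) { throw 'Active Directory Certificate Services is not installed on this host' }

    # Ports certsvc itself is listening on (the RPC endpoint is picked from the dynamic range)
    $listening = Get-NetTCPConnection -OwningProcess $svc.ProcessId -State Listen |
        Select-Object LocalAddress, LocalPort

    # Who is talking to it right now, and on which local port
    $clients = Get-NetTCPConnection -OwningProcess $svc.ProcessId -State Established |
        Group-Object RemoteAddress, LocalPort |
        Select-Object Count, Name

    [pscustomobject]@{ Listening = $listening; ClientsByPeerAndPort = $clients }
}

$r = Get-CAPorts
'--- certsvc listening ports';       $r.Listening            | Format-Table -AutoSize
'--- connected clients (peer, port)'; $r.ClientsByPeerAndPort | Format-Table -AutoSize

# The dynamic range the RPC endpoint is chosen from (default 49152-65535 on Vista/2008+)
netsh int ipv4 show dynamicport tcp

# IIS-hosted enrollment endpoints (web enrollment, CEP/CES, NDES) bind to 80/443 via
# the HTTP service, so they do not show under the certsvc process above:
netsh http show servicestate | Select-String 'Registered URLs|http'

# To confine RPC to a narrow range for the firewall (KB154596 "RPC dynamic port
# allocation"), set under HKLM\SOFTWARE\Microsoft\Rpc\Internet and reboot:
#   Ports (REG_MULTI_SZ) = 5000-5100      <- example range, pick your own
#   PortsInternetAvailable (REG_SZ) = Y
#   UseInternetPorts (REG_SZ) = Y
```

Sample over at least one autoenrollment cycle (eight hours by default) so the client connections you capture include the machines that only contact the CA when a template renews; the listening table will be stable, the client table is what tells you which subnets need the rule.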

Unable to use the recycling bin


We have a very strange issue for our users on the system: they cannot use the recycling bin; it comes up saying 'You require permission from <current user> to make changes to this file'.

Administrators do not have the same problem; staff can Shift + Delete to get around the issue but it's not ideal.

Useful info: 

OS: Windows Server 2016

No GPOs have been changed for the recycling bin.


Create report for LAPS managed workstations


Hi Team,

Event ID 4662 will be logged as part of the event and can be used for searching for the event in your logs. Will it be possible to create a report for the workstations not reporting to LAPS?


Regards, Boopathi
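
Event 4662 tells you who read a LAPS password, not which machines are rotating theirs. For the report the post asks for, the attribute to look at is ms-Mcs-AdmPwdExpirationTime, which the legacy LAPS client writes on its computer object as a Windows FILETIME: no value means the client side extension has never run on that machine, a value in the past means it has not rotated since, and a value further out than the policy allows is worth a look too. The function below is an added example (editor's code, not from the post); the OU and the maximum age are assumptions, and it needs the ActiveDirectory module. The newer Windows LAPS stores its expiry in msLAPS-PasswordExpirationTime instead, so swap the attribute name if that is what is deployed.

```powershell
# Added example (not from the original post): report computers whose legacy LAPS
# password expiry is missing, past, or implausibly far in the future.
function Get-LapsStaleComputers {
    param(
        [string]$SearchBase  = 'OU=Workstations,DC=corp,DC=example',   # placeholder OU
        [int]   $MaxAgeDays  = 30                                      # your PasswordAgeDays policy
    )
    $now  = [DateTime]::UtcNow
    $attr = 'ms-Mcs-AdmPwdExpirationTime'

    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                   -Properties $attr, LastLogonDate, OperatingSystem |
        ForEach-Object {
            $raw = $_.$attr
            $exp = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
            $state = if (-not $raw)                           { 'NeverReported' }   # CSE never ran / not in scope
                     elseif ($exp -lt $now)                    { 'Expired' }         # no rotation since this time
                     elseif ($exp -gt $now.AddDays($MaxAgeDays)) { 'ExpiryTooFar' }  # beyond policy: tampering or wrong GPO
                     else                                      { 'OK' }
            [pscustomobject]@{
                Name          = $_.Name
                OS            = $_.OperatingSystem
                LastLogonDate = $_.LastLogonDate
                PwdExpiresUtc = $exp
                LapsState     = $state
            }
        } |
        Where-Object { $_.LapsState -ne 'OK' } |
        Sort-Object LapsState, Name
}

Get-LapsStaleComputers | Export-Csv -NoTypeInformation -Path "$env:TEMP\laps-stale.csv"
Import-Csv "$env:TEMP\laps-stale.csv" | Group-Object LapsState | Select-Object Name, Count
```

Cross-check the NeverReported set against LastLogonDate before escalating: a machine that has not authenticated in months is a stale object to clean up, whereas a recently active machine with no expiry value is one where the CSE or the GPO scope is actually broken, and that is the list worth sending to the desktop team.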
