Channel: Security forum

WSUS Folder on network share

Can I set up WSUS folders to be on a network share? If so, what would the share and security permissions be in that case?

compromised private key - how is it used ?


Hello, if my private key becomes compromised, how do attackers actually use it?

I am thinking that even though they have the private key, they do not have the actual certificate, so how can they fake an HTTPS website without the certificate?

Thanks for any information.

certutil -syncWithWU = Access denied


Hi!

d:\cert>certutil -generateSSTFromWU WURoots.sst
Access is denied. 0x80070005 (WIN32: 5) -- authrootstl.cab
CertUtil: -generateSSTFromWU command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

d:\cert>certutil -syncWithWU d:\cert
Access is denied. 0x80070005 (WIN32: 5) -- authrootstl.cab
CertUtil: -syncWithWU command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

Why?

Win7 and Win 10 (x64, not a server). Running from elevated CMD. Tried disabling UAC -> no changes.

Network Level Authentication still recommended for RDP connections?


Some of our terminal server users see occasional RDP connection errors to our 2016 terminal servers, usually from offsite clients. The solution suggested most often on TechNet and elsewhere seems to be to uncheck the box that requires NLA clients. Is that an obsolete connection setting now? If not, what factors do I need to take into consideration before considering this change? We require VPN, but we allow personally owned computers to connect, so I can't necessarily verify that they're running newer RDP clients.

We have CredSSP set through GPO on the servers, so I can tell home users to set the Oracle Encryption Level to match if that is a more secure option.

What is the recommendation these days? Thanks.

Trying to backup SUB Certificate Authority and get Cannot Backup one or more private keys


When we research the private keys, the ones it's complaining about are all expired from years ago. This server was migrated from 2008 to 2012 R2 about 3 years ago or so. We haven't had a need or an issue with it till now. All the current new certificates since those expired have keys that are exportable. It was also exportable then with no issues.

How can I fix this? The keys aren't valid any more since they expired anyway, right? This is on the SUB CA certs it got from the Root CA. Since it was a long time ago, we probably do not have a backup. But we still do have a backup of the environment from when it was converted to 2012 R2.

Which includes:

Registry
ENTSUBCA.p12
Database

Root Certificate Authority Migration from RSA to ECDSA - Windows 2012 R2


Hi,

Can anyone tell me if it is possible to migrate the signature algorithm/hash from RSA, on a Windows 2012 R2 Root CA, to ECDSA?

I ask as I have a device which requires the use of ECDSA, and I have managed to create a certificate template that seems to state the use of ECDSA for its Public Key/Parameters; however, it doesn't seem to work on the device due to the Root CA and Sub CA certs being signed with RSA, which is why I'm guessing the signature/hash algorithms state RSA etc.?!

I'm just wondering if it's even possible to migrate the CA's Signature Algorithm/Hash, or if I would need to remove the ADCS role and start from scratch again?

Any advice on the matter would be appreciated.

Thanks,

StinkyP

Credential Roaming - Mail Solution


Hello everyone,

First: I am fully aware that this is not best practice or anything near it.

We enroll certificates for our users and have implemented certificate roaming. Our users work on terminal servers. Everything works fine. Our users have no access to MMC, PowerShell or local drives.

Now the problem. We have a mail appliance that does the mail encryption. The mail server (not Exchange) sends mails to this appliance and the mail is signed with the private key of the user. For this reason the appliance needs the private keys of the users.

My task is now to extract the certificates of the users "somehow" out of their profile. I am not really aware of how to do this. Maybe with a start script and certutil... maybe I can extract it somehow out of Active Directory (but I guess it's protected somehow).

If anyone has an idea how to do this... For every answer I would be grateful :=)


Best regards Andreas Ernst MCITP:EA, MCP, MCTS, MCSA 2016

Crypto Provider Type


Hello Folks,

I have a quick query: under the location

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider, for a crypto provider, what does the Type DWORD signify? For example, one of the crypto providers holds the value 1 for Type, and some hold 18 and 24.

If I modify the value, is this going to affect anything in any way?


looking for best method to issue certificates for multiple Linux appliances

Hello, we are wanting to move our certificate infrastructure from EJBCA to the Windows 2016 based PKI solution. I am trying to find a method that will allow quick certificate issuance for multiple Linux appliances that we are deploying. We currently use EJBCA for this purpose, and the certificate agent requests a machine certificate on behalf of the client by sending a POST to a web page with the necessary information. This seems like something easy enough that it should be able to be accomplished by modifying the CA Web Enrollment request, but it apparently is not obviously supported. It may be supported in the Certificate Enrollment Web Services, but I am still having some difficulty finding the documentation to accomplish this as well. I was considering using the Network Device Enrollment Service, but some of the security concerns regarding that make me cautious about moving to it for a long-term solution. Thank you in advance for your assistance in helping me find an acceptable solution.

Please suggest for Vulnerability for Windows server 2016


How to update the security and cumulative updates of Windows Server 2016 without internet? What is meant by some CVEs like the ones below, and how to resolve the vulnerability?


Where has KB968730 gone!?


Hi,

Hopefully an easy one for the experts on here.

I've been given the glorious task of trying to get SHA256 certificates working on a system that's predominantly Server 2003 and XP based.

I believe I need KB938397 to allow 2K3 to understand the SHA256 signature on certificates and KB968730 to allow a XP/2K3 device to request certificates from Server 2008 or later CAs.

I can download KB938397, but KB968730 always results in a 404 Not Found message.

Does anyone know where it's gone?  Or, has it been superseded?  (No comments about it being superseded by 2K8, 2K12, 2K16 please - that decision is out of my hands)

Thanks in advance.


Gareth Williams


HOW (not why) are CertificateServicesClient-AutoEnrollment EventID 64 events generated?


I am expecting and receiving EventID 64, Microsoft-Windows-CertificateServicesClient-AutoEnrollment, event warnings for a certificate that is about to expire.

I understand the message, and have already created and installed a new certificate for IIS and Remote Desktop.

While I understand WHY the message is generated, I am not sure HOW. My DC is a Server 2012 machine, and the machine with the event, certificate, IIS and RD is a non-DC Server 2012R2 named REM1.

The event log for REM1 shows the autoenrollment event.  But, when I go to the Local Group Policy Edit, computer Configuration/Windows Settings/Security Settings/Public Key Policies, the 2 'Certificate Services' entries are both DISABLED.

I followed the instructions on docs.microsoft.com at
/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment
to review autoenrollment settings, but when I got to "Configure server certificate auto-enrollment" step 5, which says to go to "Domains, OUs, and linked Group Policy Objects", that entry isn't present (only 'Computers').

So, HOW (not why) is the REM1 machine generating this event?

Not only am I curious to know, but I would also like to make sure that my new certificate (already installed) will generate similar warnings near the end of its life.

Thanks in advance.

Yellow warning signs on keyUsage in Detailed certificate display

I've been unable to find any explanation for why Windows (MMC + Certificates snap-in or certmgr.msc) displays a yellow warning triangle for the keyUsage extension when the certificate is perfectly good and can be used by all Windows applications.  The keyUsage only has "Digital Signature" (0x80) in it while the EKU has "Client Auth" and "Secure Email".  All other extensions are green; is there an explanation for this?  TIA.

How to change Certificate Expiration Date


Hello,

I need to change my certificate expiration date:

The certificate used today has 200 years of validity; it needs to be reduced to only 20 years.

How can I do this?

Thanks!


New sub CA and Ndes servers


Hi

Currently we have a two-tier PKI; the offline root and sub CAs are SHA256. We are planning to upgrade all PKI servers to the 2016 OS and to SHA384; however, in the interim there is an immediate need to add a new NDES server and a new SHA384 CA for Intune. Later down the road we will upgrade the root CA and existing sub CAs to SHA384 as well.

My question is: can we add the new SHA384 sub CA to our existing SHA256 root CA? And when we upgrade the root CA, do we need to re-sign the new CA or make any other change?

Thanks

Kerberos Authentication


Dear

I need to know the mathematical function for Kerberos with the following hashes.

1- kerberos : des-md5-ip address

2- kerberos : aes-md5-ip address

Could you pass it to me at mh_tahboosh@hotmail.com

Thanks a lot

Change permission to files inside multiple folders


Hi,

I have 30 folders with different names that I've created with a script.

That script reads a CSV file with a list of student names and creates the folders with the name of each student. Each folder was created with Full Control permission only for the student that the folder belongs to, so now each student has a folder with Full Control permissions only for him.
After it was done, I ran another script that copies 4 files to each of the student folders. Those files got the Full Control permission as well.

I have a demand to change those files' permissions to Read Only.

I found a way to do that for a group or for a user using PS or icacls, but I cannot find a way to do it specifically for each of those users, or even for all the users on the domain that are on this ACL.

Example for one of the folders with one test file: I need to change the selected user on the ACL from Full to Read; on each folder it's a different user:

Thanks.
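One way to do this in PowerShell, as an added example that is not part of the original post: for every student folder, take the explicit Full Control ACE held by a principal other than the built-in administrative ones (that is the student) and replace it on each file with Read/Execute, breaking inheritance on the file first so the folder's Full Control no longer flows down. The root path and the list of principals to skip are placeholders for the poster's environment.

```powershell
# Added example, not from the original post. Replaces each student's Full Control on the
# files inside their own folder with ReadAndExecute, leaving the folder ACL and all
# administrative principals untouched.
# Assumptions: $Root is the parent of the per-student folders (placeholder); $SkipPrincipals
# lists principals whose ACEs must never be changed (adjust to your domain).
$Root = 'D:\Students'
$SkipPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
$Full = [System.Security.AccessControl.FileSystemRights]::FullControl

Get-ChildItem -Path $Root -Directory | ForEach-Object {
    $folder = $_.FullName

    # The student is whoever holds an explicit Allow/FullControl ACE on the folder itself
    $students = (Get-Acl -Path $folder).Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $Full) -eq $Full) -and
        ($SkipPrincipals -notcontains $_.IdentityReference.Value)
    } | ForEach-Object { $_.IdentityReference }

    if (-not $students) {
        Write-Warning "$folder : no explicit Full Control student ACE found, skipping"
        return
    }

    Get-ChildItem -Path $folder -File | ForEach-Object {
        $file = $_.FullName

        # Step 1: stop inheriting from the folder but keep copies of the inherited ACEs;
        # without this the folder's Full Control keeps applying to the file.
        $acl = Get-Acl -Path $file
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $file -AclObject $acl

        # Step 2: re-read (the copied ACEs are now explicit), drop the student's ACEs
        # and grant read-only access instead.
        $acl = Get-Acl -Path $file
        foreach ($student in $students) {
            $acl.PurgeAccessRules($student)
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $student,
                [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
                [System.Security.AccessControl.AccessControlType]::Allow)))
        }
        Set-Acl -Path $file -AclObject $acl
        Write-Output ("{0}: {1} -> ReadAndExecute" -f $file, ($students.Value -join ', '))
    }
}
```

Run it once with `-WhatIf` added to both `Set-Acl` calls to review which identities it will touch before changing anything.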

Problem adding members from a different domain to a security group after a 2 way non transitive trust is setup


Domains A & B have an external 2-way non-transitive trust set up. I cannot add members of Domain A to security groups on Domain B and vice versa. I can select the domain, but it will not resolve the names. I can go into folder security on a server on Domain B and add a member of Domain A, however. Any ideas why it will not resolve names in Active Directory Users and Computers but it will through folder security?


Fine Grain Password Issue


We have created a fine grain password policy using our AD Administrative Center Password settings container on Server 2012R2.  We are running into an issue.  When I run this command:

Get-ADUser -Identity <usrename> -Properties msDS-UserPasswordExpiryTimeComputed | Select-Object -Property "Displayname",@{name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

I get the expiration I set in the container, but when I run net user I get the default policy expiration. Also, if I look in the Attribute Editor of the user, I get the default expiration date in the 'badPasswordTime' field. My concern is that we have a few Linux machines that we authenticate against and an email system that notifies users when their password is within 5 days of expiring, and I think they are pulling the incorrect password expiration.
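A diagnostic for this situation, added here as an example and not part of the original post: for one account it reports which policy actually governs the password (the resultant fine-grained PSO or the Default Domain Policy), the expiry the DC computes, and the expiry the default policy alone would give, which is the value tools that only read the domain policy will show. The account name is a placeholder; it assumes the ActiveDirectory module (RSAT) is available.

```powershell
# Added example, not from the original post. Compares the DC-computed password expiry with
# what the Default Domain Policy alone would give, and names the policy that really applies.
# Assumption: 'jdoe' is a placeholder account; run on a host with the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param([Parameter(Mandatory)][string]$Identity)

    $props = 'PasswordLastSet', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'
    $u = Get-ADUser -Identity $Identity -Properties $props

    # 0x7FFFFFFFFFFFFFFF means "never expires"; [datetime]::FromFileTime would throw on it
    $raw = [int64]$u.'msDS-UserPasswordExpiryTimeComputed'
    $computed = $null
    if ($raw -gt 0 -and $raw -ne [int64]::MaxValue) { $computed = [datetime]::FromFileTime($raw) }

    $default = Get-ADDefaultDomainPasswordPolicy
    # Returns $null when no PSO applies to the user directly or through group membership
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity

    $effectiveAge = if ($pso) { $pso.MaxPasswordAge } else { $default.MaxPasswordAge }
    $source       = if ($pso) { "PSO: $($pso.Name)" } else { 'Default Domain Policy' }

    $ifDefaultOnly = $null
    if ($u.PasswordLastSet) { $ifDefaultOnly = $u.PasswordLastSet + $default.MaxPasswordAge }

    [pscustomobject]@{
        User                = $u.SamAccountName
        PasswordLastSet     = $u.PasswordLastSet
        EffectivePolicy     = $source
        EffectiveMaxAge     = $effectiveAge
        ExpiryComputedByDC  = $computed
        ExpiryIfDefaultOnly = $ifDefaultOnly
        # True when a PSO changes the expiry: tools reading only the domain policy will disagree
        PsoChangesExpiry    = [bool]$pso -and ($pso.MaxPasswordAge -ne $default.MaxPasswordAge)
    }
}

Get-PasswordExpiryReport -Identity 'jdoe' | Format-List   # 'jdoe' is a placeholder
```

When `PsoChangesExpiry` is true, any external system that derives expiry from the domain's maximum password age rather than from `msDS-UserPasswordExpiryTimeComputed` will report the wrong date for that user.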

ADCS - Automatic Subject and SAN inclusions


Hello all,

I've spent many an hour looking for an answer to this question and can't find much. I'm hoping you all can help!

I have set up a new Internal Enterprise PKI for my workplace. It consists of an offline standalone Root CA and 2 Issuing Enterprise SubCAs.  Not my first rodeo there - everything is working beautifully.

However, I have a couple of questions:

  • I've configured a Web Server certificate template to issue custom Common Names. This template is working, but is there a way to automatically include a matching DNS SAN?  This is to satisfy Google Chrome's insistence that certificates must have a DNS SAN matching the Common Name. Ultimately, this is a small training inclusion when using the Certificate Enrollment Wizard, but a little rougher when using Certsrv (syntax).  It would make life a lot better on my admins if it could be included automatically.
  • For internal Web Server certificates, is it still important to include Distinguished Name fields in the Subject?  This would be your typical Organization (O), Locality (L), State (S), Country (C).  I'm seeing less and less of this out in the wild.  And if it IS required/mandatory, is there a way to automatically include DN fields when using the Certificate Enrollment Wizard or Web Enrollment (Certsrv) website?

Challenge: Since these are Web Server certs with custom subjects, I can't build from AD information.

Thank you very much in advance!

