Channel: Security forum
Viewing all 12072 articles

Unwanted files getting created in Temp folder

Hi, my customer is running Windows Server 2012 R2 64-bit OS, mainly for the Data Protector backup application and SAN management. Of late, we have observed huge numbers of RAR files containing "cli.exe" files of around 2.5 MB each being created under the C:\users\Administrator\AppData\Local\Temp folder. As a result, the C: drive is filling up fast. Is there any update for this? Is it a virus?

Enquiry of Firewall Port for Automatic Certificate Enrollment


Dear Support,

Our VM is on Azure and the Certificate Authority (CA) server is on-premises.
Do we only need to follow the web site below to set the firewall ports as follows?
Do we only need to open the incoming ports below on the DC and CA, and the outgoing ports on the Azure VM?
Do we need to open the internal Windows Firewall ports?

Could we only open the incoming ports on the certificate server and the outgoing ports on the client from the range 49152-65535?
Do we also need to open the firewall ports (49152-65535) on both the certificate server and the client?

1. Client to domain controller
      Kerberos port 88 (UDP/TCP)
      LDAP (TCP 389)
      RPC (TCP 135)
      RPC on dynamic port (>1023 TCP)
2. Client to certificate server(s) with the template available
      RPC (TCP 135)
      Dynamic RPC (TCP > 1023) for CA servers on Windows 2003 and earlier
      Dynamic RPC (TCP > 49151) for CA servers on newer Windows OSs

Reference:
MS - Certificate autoenrollment behind a firewall 
http://myitpath.blogspot.com/2016/07/ms-certificate-autoenrollment-behind.html

Thanks!

Best Regards, 

Daniel


Creator Owners Rights Permission on Windows 2008 R2 & Windows 2012 R2


Hi Guys,

I have a query here.

As you know, the default Creator Owner rights set in Windows 2008 R2 are "Special" (Subfolders and files only), while in Windows 2012 R2 they are "Full Control" (Subfolders and files only). I wanted to get rid of this permission for both OS versions. However, I cannot find any official documentation or knowledge base article stating that it can be removed without any issue for the current security permissions. Some say this is just like a template of permissions, where the creator of a specific folder (or folders) will have special / full rights on it but not on the "Root" directory (C:, D:, and so on...).

Kindly share your knowledge, and if you have some kind of document from Microsoft saying whether it can be removed or should just be kept as it is, let me know. Thanks, guys, in advance!

-JOf

RPC server is unavailable


Hello all, 

I installed an Enterprise CA on Windows Server 2016 to provide both smart card logon and mail sign/encrypt functions. After installation I tested the two options and they worked fine, but one day later there was an error message "This smart card couldn't be used" while trying to log in, and while encrypting mails there was another error message, "This smart card cannot perform the required operation". After multiple tries it can send the mail encrypted, but it still can't log in to Windows with the smart card.

I went to the Event Viewer on both the PC and the CA machine and found the following errors:

On PC Machine:

1) Event ID: 6, Source: Certificate Services Client-AutoEnrollment
Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable

2) Event ID: 13, Source: Certificate Services Client-CertEnroll
Certificate enrollment for local system failed to enroll for a Kerberos Authentication certificate with
request ID "Request No." from CA server\CA server name (The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE))

3) Event ID: 10028, Source: DistributedCOM
DCOM was unable to communicate with the machine using any of the configured protocols, requested by PID 1c28 (C:\windows\system32\certutil.exe)
while activating CLSID {D99E6E74-FC88-11D0-B798-00A0C90312F3}

On CA Machine:

1) Event ID: 53, Source: CertificationAuthority
Active Directory Certificate Services denied request "Request No." because the RPC server is unavailable. 0x800706ba
(Win32: 1722 RPC_S_SERVER_UNAVAILABLE). The request was for PC Machine Name. Additional information: Denied by policy module.

I tried a lot of solutions found via Google search; some of my steps:

1- Enabling File and Printer Sharing and IPv6, and making sure the RPC and Remote Assistance services are running and set to automatic.

2- I added the Domain Controllers group both to the Certsrv security properties and to the Kerberos Authentication template.

3- On the Domain Controller, I added the Domain Controllers, Domain Users and Domain Computers groups to the "Certificate Service DCOM Access" group.

4- I checked network connectivity and the TCP/IP service.

5- I created a rule in Windows Firewall to allow port 135.

NOTE: My Active Directory environment is a forest (parent and child); the CA server is joined to the parent AD.

The problem still exists, and I don't have any idea why it was working before and now it's not. Any help please!

One Root CA for multiple forests and LDAP


Hi!

I have a single standalone Root CA. The Root CA issued a certificate for an enterprise intermediate CA in one forest. I also published the Root CA CRL in the LDAP of my first forest. Everything is nice.

Now I want to issue an intermediate CA certificate from my root CA to a second forest's intermediate CA, and I also want to publish the Root CA CRL into the LDAP of the second forest. But I have configured my root CA to allow CRL publishing to the first forest by defining the LDAP path/registry setting with the command "certutil -setreg CA\DSConfigDN CN=Configuration,DC=*DOMAIN*,DC=*NAME*" on the Root CA.

Does it mean that every time I want to publish the Root CA CRL to LDAP, I must reconfigure the CA\DSConfigDN setting on the Root CA to match the target domain's LDAP path?

Thanks,


UV


Certificate for local system with Thumbprint.... is about to expire or already expired.


My PC has been crashing a lot recently, and I think this is the cause:

"Certificate for local system with Thumbprint ee 43 5b bc 73 29 b3 8d b8 37 53 80 2c 6b 33 ad 86 a9 44 ee is about to expire or already expired."

I've tried researching this but haven't met a solution that works for me. Please advise.


CertReq/CertUtil Not Working (Communication Problems)

I'm not sure whether this is the right forum, but...

I am trying to use CertUtil and CertReq to grab the client and trusted root certificates needed for Config Manager IBCM.  The machine I tried this on is on the LAN with any/any port access but not on the domain.  The batch file I'm trying to use looks like this:

@echo off

rem Make the certs folder

mkdir c:\ClientCerts

rem Specify Variables

set subjectname=%computername%
set certpath="c:\ClientCerts"
set caserver="<IP of CA>\<CA Name>"

rem Request & install Trusted Root Certificate

certutil -f -config %caserver% -ca.cert %certpath%\CAcertificate.cer
certutil -addstore Root %certpath%\CAcertificate.cer

rem Create an INF request file with the specified computername as subject

echo ;---------------CertificateRequestTemplate.inf-------------- >> %certpath%\%subjectname%.inf
echo [NewRequest]                                                 >> %certpath%\%subjectname%.inf
echo Subject="CN=%subjectname%"                                   >> %certpath%\%subjectname%.inf
echo KeySpec=1             ;key exchange                          >> %certpath%\%subjectname%.inf
echo KeyUsage=0xf0                                                >> %certpath%\%subjectname%.inf
echo MachineKeySet=TRUE                                           >> %certpath%\%subjectname%.inf
echo [RequestAttributes]                                      >> %certpath%\%subjectname%.inf
echo CertificateTemplate="ComputerClient"              >> %certpath%\%subjectname%.inf

rem Create a binary request file from the INF

CertReq -New -f %certpath%\%subjectname%.inf %certpath%\%subjectname%.req

rem Submit client cert request to CA

CertReq -Submit -f -config %caserver% %certpath%\%subjectname%.req %certpath%\%subjectname%.cer

rem Install client cert

certreq -accept %certpath%\%subjectname%.cer

rem Delete certs folder

RD C:\ClientCerts /S /Q

And the INF file it generates looks like this:

;---------------CertificateRequestTemplate.inf--------------
[NewRequest]                                                
Subject="CN=<NetBIOS Name>"                                  
KeySpec=1             ;key exchange                         
KeyUsage=0xf0                                               
MachineKeySet=TRUE                                          
[RequestAttributes]                                     
CertificateTemplate="ComputerClient"

This works fine on my domain workstation but won't work outside of it.  On the laptop clients I get:

"This computer was unable to communicate with the computer providing the server. 0x8000401d (-2147467235)"

What is causing this?  I have ensured that I can telnet to the CA over 443 and I'm able to access web enrollment just fine.

Thanks  
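Daniel's port list (client to DC and CA) and the CertReq/CertUtil failure above both hinge on the same thing: certutil and certreq talk to the CA over DCOM/RPC (TCP 135 plus a dynamic port), which is a different path from the web enrollment pages on 443. The PowerShell below is an added example, not code from either post; the DC and CA host names and the CA name are placeholders.

```powershell
# Added example: probe the static ports in the autoenrollment list from a client, then locate
# the CA's actual dynamic RPC port so that one can be probed too. Host names are placeholders.
$dc = 'dc01.corp.example'   # placeholder domain controller
$ca = 'ca01.corp.example'   # placeholder enterprise CA

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port)
    # Test-NetConnection completes a real TCP handshake; -InformationLevel Quiet returns only $true/$false.
    # UDP 88 (Kerberos) cannot be checked this way and is left out.
    Test-NetConnection -ComputerName $ComputerName -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
}

$checks = @(
    @{ Target = $dc; Port = 88;  Purpose = 'Kerberos (TCP)' },
    @{ Target = $dc; Port = 389; Purpose = 'LDAP' },
    @{ Target = $dc; Port = 135; Purpose = 'RPC endpoint mapper' },
    @{ Target = $ca; Port = 135; Purpose = 'RPC endpoint mapper (DCOM to the CA, used by certreq/certutil -config)' }
)
foreach ($c in $checks) {
    $state = if (Test-TcpPort -ComputerName $c.Target -Port $c.Port) { 'open' } else { 'BLOCKED' }
    '{0}:{1,-5} {2,-7} {3}' -f $c.Target, $c.Port, $state, $c.Purpose
}

# The "dynamic RPC" entry has no fixed number: certsrv.exe takes a port from the host's dynamic
# range at start-up and the endpoint mapper on 135 tells clients which one. Run these ON THE CA
# to see the configured range and the port the CA service is actually listening on:
#   netsh int ipv4 show dynamicport tcp
#   Get-NetTCPConnection -State Listen -OwningProcess (Get-Process certsrv).Id | Select-Object LocalPort
# then probe that port from the client:  Test-TcpPort -ComputerName $ca -Port <that port>

# certutil -ping contacts the CA's RPC request interface, the same one certreq -submit uses,
# so it tests the path that matters here rather than 443 (web enrollment).
certutil -ping -config "$ca\PLACEHOLDER-CA-NAME"
```

If port 135 answers but the dynamic port does not, the firewall between client and CA is passing the endpoint mapper while dropping the range it hands out, which is the case Daniel's question about 49152-65535 is getting at.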




Permissions to create a Certificate Template


We have one offline CA and one online issuing CA and a Windows 2012 R2 Active Directory domain.

I currently must log in as domain administrator to create a new certificate template using the Certificate Authority mmc console. I would like to instead designate a separate account to handle all administrative tasks.

How can I assign another account the rights to create templates and manage the CA?

Thanks!


CERTIFICATE ERROR


I am getting the following error while starting my PC, and as a result I am not able to use any DSC on my system:

Administrator permissions are needed to use the selected options. Use an administrator command prompt to complete these tasks. 
CertUtil: The requested operation requires elevation.
root Trusted Root Certification Authorities
Cannot open Cert store.
CertUtil: -addstore command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
1 file(s) copied.

Kindly resolve the issue.

Additional CA in AD


Hi

We have one Enterprise CA configured and it has been working for years. Now we are preparing a new site in the cloud and planning to put a new CA over there. What is the recommended best practice to achieve this?

Thanks in advance


LMS

Must I configure CDP and AIA locations on the Subordinate Issuing CA?


Hello, (This is a lab setup..)

I have configured a root and subordinate CA according to the recommendations on this. I have configured CDP and AIA locations only on the root CA, pointing to a web folder on a separate server.

CDP / AIA on the issuing CA are the default values.

My question is: must the CDP/AIA paths be explicitly configured for the issuing CA, since a client certificate, as you see below, has information about the root and issuing CAs, and the CDP/AIA locations are known to the domain through the authorization of the issuing CA by its certificate from the root CA?

Best regards, Tim


KB4493470 is failing to install via SCCM and also manually


SCCM is failing to install the 2019-04 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4493470), and it also fails when I try manually. Did anyone face the same issue? Please help.

OS > Server 2016 64 Bit 1607 version



Regards, Santhosh B S

Compromised KRA procedure to re-protect escrowed keys / microsoft certificate services


For a suspected compromised KRA certificate for which there is clear evidence it wasn't used to perform recovery, I would like to re-encrypt the escrowed keys with a new KRA and no longer use the potentially compromised KRA to encrypt/recover.

I attempted to extract all of the keys and then run certutil -f -importkms while the new KRA was present, but it doesn't seem to re-encrypt with the new KRA.

Is this what you see? Is there a way to resolve this issue?

GPO install software


We have built our AD server and are setting up GPOs...

We are trying to set up "software installation", but when I add the MSI it shows "cannot verify path is a network location". Is there any way to send the MSI to the client PC instead of using a network path? Our network team blocked network locations.

Please advise.

Thanks

LAPS - set expiration password does not work via DirectAccess


I have a customer case where there are a lot of computers using DA all the time, and we are piloting the LAPS solution. Everything else works fine; I extended the logs to see everything. The password gets changed on the internal network, but not via DA.

With DA, AdmPwd Error 2 happens: Could not get Computer object from AD. 0x8007054b.

We are about to utilize LAPS for Service Desk use as well, so the user will get a temporary password (what actually happens is that the SD agent tells the old password and, after the call, sets the password to expire in 2 hours). This process works fine on the LAN, but not via DA.


MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.


new install user and setup GPO


After a new Active Directory setup, I created a test account with user privileges and the default GPO settings (I haven't changed any settings yet).

But after joining the domain and logging in, I get the error: Soft AP user's account must have 'administrator' privilege.

How can I find which program gets blocked, and release it in the GPO, maybe?

https://dedpic.com/images/2019/04/16/5O8nU.png

Thanks

KB3042553 "Update is not applicable to your computer"

Has KB2919355 replaced KB3042553, or is KB2919355 a prerequisite? I am getting the error "Update is not applicable to your computer" when trying to install KB3042553. There are too many threads out there that are not explicit about this issue. If KB3042553 is not applicable, and is so important, is it actually needed, and how do I apply the patch?

IPsec transport not negotiated despite Connection Security rules


I am trying to set up transparent IPSEC encryption between clients and servers in our domain. I've set up connection security rules for transport mode via GPO for clients and servers (transport "server-to-server" type, authentication using certificates issued by our internal Windows-hosted CA). The connection security rule has our IPv4 address space (123.4.0.0/16) configured for "Endpoint 1" and the rest of the Internet (0.0.0.0-123.3.255.255, 123.5.0.0-223.255.255.255) for "Endpoint 2". The server's definitions are set to "Require inbound and request outbound", the client's definitions are to "Request inbound and outbound". On the server's side, a single generic firewall rule is configured to "Allow connection if secure" and "require encryption" for all protocols and all addresses. 

All of the servers have public IPv4 addresses; clients may either be behind a NAT device on foreign networks or have public IPv4 addresses on our network.

I can observe that in some cases a client would not start IKE negotiations with the destination server even though it is covered by the connection security rule. Example:

PS C:\Windows\system32> ping 123.4.6.61 -n 1

Ping wird ausgeführt für 123.4.6.61 mit 32 Bytes Daten:
Antwort von 123.4.6.61: Bytes=32 Zeit=82ms TTL=119

Ping-Statistik für 123.4.6.61:
    Pakete: Gesendet = 1, Empfangen = 1, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 82ms, Maximum = 82ms, Mittelwert = 82ms
PS C:\Windows\system32> Get-NetIPsecQuickModeSA | ft

Name LocalEndpoint  RemoteEndpoint TransportLayerFilterName EncapsulationMode Direction LocalPort RemotePort IpProtocol
---- -------------  -------------- ------------------------ ----------------- --------- --------- ---------- ----------
168  192.168.246.54 123.4.6.61     IPSec                    Transport         Inbound
168  192.168.246.54 123.4.6.61     IPSec                    Transport         Outbound
154  192.168.246.54 123.4.7.26     IPSec                    Transport         Inbound
154  192.168.246.54 123.4.7.26     IPSec                    Transport         Outbound
167  192.168.246.54 123.4.7.25     IPSec                    Transport         Inbound
167  192.168.246.54 123.4.7.25     IPSec                    Transport         Outbound


PS C:\Windows\system32> ping 123.4.6.62

Ping wird ausgeführt für 123.4.6.62 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 123.4.6.62:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4
    (100% Verlust),
PS C:\Windows\system32> Get-NetIPsecQuickModeSA | ft

Name LocalEndpoint  RemoteEndpoint TransportLayerFilterName EncapsulationMode Direction LocalPort RemotePort IpProtocol
---- -------------  -------------- ------------------------ ----------------- --------- --------- ---------- ----------
173  192.168.246.54 123.4.7.25     IPSec                    Transport         Inbound
173  192.168.246.54 123.4.7.25     IPSec                    Transport         Outbound
174  192.168.246.54 123.4.6.61     IPSec                    Transport         Inbound
174  192.168.246.54 123.4.6.61     IPSec                    Transport         Outbound
154  192.168.246.54 123.4.7.26     IPSec                    Transport         Inbound
154  192.168.246.54 123.4.7.26     IPSec                    Transport         Outbound

In the network trace of the client machine (Windows 10 1803/1809), I can see that it is not even trying to send IKE or ESP packets to 123.4.6.62, although I can usually see a valid main mode SA to 123.4.6.62. This might affect connections to other servers after the client has been rebooted.

How could I debug this, and is there any known remedy for this problem?

Kind regards,

While all servers have public IPv4 addresses, clients may either be behind a NAT device on foreign networks or have public IPv4 addresses on our network
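One way to narrow down the symptom above (a main mode SA exists, yet no quick mode SA and no IKE/ESP traffic toward 123.4.6.62), as an added PowerShell example that is not part of the original post: for each remote address it reports the main-mode and quick-mode SAs this client holds and which enabled connection security rules actually cover that address. The two addresses are taken from the post; the rule-coverage check only understands Any, CIDR/mask blocks, ranges and single hosts, not keywords such as LocalSubnet.

```powershell
# Added example: correlate IKE main-mode SAs, quick-mode SAs and connection security rule
# coverage for a remote host. Addresses below are the ones quoted in the post.
function ConvertTo-Int64Ip {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # IPv4 only, network byte order
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-AddressInFilter {
    # $Filter holds a rule's RemoteAddress entries: 'Any', '123.4.0.0/16', '123.4.0.0/255.255.0.0',
    # '0.0.0.0-123.3.255.255' or a single host. Keywords (LocalSubnet, Internet, ...) are not expanded.
    param([string]$Ip, [string[]]$Filter)
    $n = ConvertTo-Int64Ip $Ip
    foreach ($f in $Filter) {
        if ($f -eq 'Any') { return $true }
        if ($f -match '^([\d.]+)/([\d.]+)$') {
            $base = ConvertTo-Int64Ip $Matches[1]; $len = $Matches[2]
            $size = if ($len -match '\.') { 4294967296 - (ConvertTo-Int64Ip $len) } else { [math]::Pow(2, 32 - [int]$len) }
            if ($n -ge $base -and $n -lt ($base + $size)) { return $true }
        } elseif ($f -match '^([\d.]+)-([\d.]+)$') {
            if ($n -ge (ConvertTo-Int64Ip $Matches[1]) -and $n -le (ConvertTo-Int64Ip $Matches[2])) { return $true }
        } elseif ($f -match '^[\d.]+$' -and $n -eq (ConvertTo-Int64Ip $f)) {
            return $true
        }
    }
    return $false
}

function Get-IPsecSAState {
    param([Parameter(Mandatory)][string]$RemoteAddress)
    $mm = @(Get-NetIPsecMainModeSA  | Where-Object { "$($_.RemoteEndpoint)" -eq $RemoteAddress })
    $qm = @(Get-NetIPsecQuickModeSA | Where-Object { "$($_.RemoteEndpoint)" -eq $RemoteAddress })
    # ActiveStore includes GPO-delivered rules; the default (local) store would not show them.
    $rules = @(Get-NetIPsecRule -PolicyStore ActiveStore -Enabled True | Where-Object {
        $addr = Get-NetFirewallAddressFilter -AssociatedNetIPsecRule $_
        Test-AddressInFilter -Ip $RemoteAddress -Filter @($addr.RemoteAddress)
    })
    [pscustomobject]@{
        RemoteEndpoint = $RemoteAddress
        CoveringRules  = ($rules | ForEach-Object DisplayName) -join '; '
        MainModeSAs    = $mm.Count
        QuickModeSAs   = $qm.Count
        QuickModeDirs  = ($qm | ForEach-Object Direction | Sort-Object -Unique) -join ','
        # A rule covers the host and phase 1 (main mode) is up, yet no phase 2 SA exists:
        # the pattern the post describes for 123.4.6.62.
        Suspicious     = ($rules.Count -gt 0 -and $mm.Count -gt 0 -and $qm.Count -eq 0)
    }
}

'123.4.6.61', '123.4.6.62' | ForEach-Object { Get-IPsecSAState -RemoteAddress $_ } | Format-Table -AutoSize
```

Run it on the client before and after a reboot and compare: a host that flips to Suspicious only after reboot points at SA state carried over from the previous session rather than at the rule itself.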

How to check Revocation List status for issued certificates?


Hi,

I set up an ADCS server and revoked a certificate. How can I show users that the certificate has been revoked? That is why, even after issuing a new CRL, I tested it with OCSP, but apparently that doesn't work correctly. Any help would be appreciated.

Thanks

Unable to enroll user certificates for users without e-mail address - error Active Directory Certificate Services denied request id because The EMail name is unavailable and cannot be added to the Subject or Subject Alternate name. 0x80094812


When a user account doesn't have an e-mail address (service accounts), I am unable to enroll a certificate for that user. I get the error below.

Active Directory Certificate Services denied request (id) because The EMail name is unavailable and cannot be added to the Subject or Subject Alternate name. 0x80094812. (-2146875374 CERTSRV_E_SUBJECT_EMAIL_REQUIRED).  The request was for Domain\user name.  Additional information: Denied by Policy Module.

I tried removing the check box for email from the subject name of the tab.


The original template is attached please help.

Should the subject name format be common name /Fully qualified domain name?
