Channel: Security forum

Where is this root certificate coming from?

I haven't been able to identify the source of this certificate that appears seemingly at random in my root certificate store.  Our registry monitor shows the event as it occurs. 

event_status="(0)The operation completed successfully."
pid=4480
process_image="c:\Windows\System32\taskhostw.exe"
registry_type="CreateKey"
key_path="HKLM\software\microsoft\enterprisecertificates\root\certificates\CERTTHUMBPRINT"
data_type="REG_NONE"
data=""

It doesn't appear to be coming from Group Policy, which is my go-to when this happens. The certificate is actually an intermediate certificate that we do use, but on an NDES server it breaks the process when an intermediate certificate is in the trusted root store.


Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator


Windows Server 2008 R2 Slow and disconnections

Hello, we have a Windows Server 2008 R2 with SQL Server 2008 R2. For months we have been having disconnections during certain hours. We called the ISP, and since they changed their administration some problems began to occur. For example, we used a primary and a secondary DNS address that were provided to us when we made the contract with that company. After they changed administration these stopped working, and for months we could not solve it until they gave us new ones. Well, that was not really the problem; the problem is that we have disconnections and a strangely unlimited number of events in the Event Viewer. For months the server has been down for 10 minutes, 30 minutes, 1 minute; in general it is random and at certain hours. The events are 5156 and 5157 for lsass.exe and come from China and other parts of the world. The events are similar to this one (I deleted xxx, the address of our server):

The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID:1000
Application Name:\device\harddiskvolume1\windows\system32\lsass.exe

Network Information:
Direction:Inbound
Source Address:208.96.30.116
Source Port:389
Destination Address:222.186.151.237
Destination Port:16516
Protocol:17

Filter Information:
Filter Run-Time ID:1660031
Layer Name:Receive/Accept
Layer Run-Time ID:44

and this one:

The Windows Filtering Platform has permitted a connection.

Application Information:
Process ID:1000
Application Name:\device\harddiskvolume1\windows\system32\lsass.exe

Network Information:
Direction:Inbound
Source Address:208.96.30.116
Source Port:389
Destination Address:24.167.51.62
Destination Port:6865
Protocol:17

Filter Information:
Filter Run-Time ID:1717210
Layer Name:Receive/Accept
Layer Run-Time ID:44

The ISP told us it is supposedly not the hardware because they checked, but what could be causing the issue? Or how do you filter those locations, because maybe someone is trying to hack the server? The option is not to format and clean-image; we did that one time and that is not the issue. Also, the help of the ISP is not an option; they don't help and, as you saw, just getting 2 DNS addresses took more than 5 months. Any way to protect the server or to delineate this? Each time the server goes down, then up. On weekends it is OK, there is more uptime, but it is horrible because the users navigate and it is crashing all the time. Also we have a lot of licenses and development directed to those IPs, hard to change; it took us several years. The server is online and we use RDP to connect to it. Several years ago, more than 6 years ago, someone tried to hack us, but we changed the default port of RDP and the problem was solved over the years, until in the last months we have this big problem, because now there are disconnects, which is a big problem. What could then be the solution for the disconnects, and also how can you use something to protect and eradicate something?
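As an added example (not from the post, and not a Microsoft tool): a Python parser for the 5156/5157 event text in the layout shown above, which splits the text into events, reads the Key:Value lines, maps the outcome to the event ID and the protocol number to a name, and then counts blocked events per (source, destination) address pair so that repeating pairs stand out before any firewall rule is written. The sample is constructed: the first two events are the ones posted, the last two are made up to show a repeat; the `repeated_blocks` threshold is an arbitrary choice.

```python
import re
from collections import Counter

# Layout of the 5156/5157 event text quoted in the post ("blocked" = 5157,
# "permitted" = 5156). Used only to build the constructed sample below.
_TEMPLATE = """\
The Windows Filtering Platform has {outcome} a connection.

Application Information:
Process ID:1000
Application Name:\\device\\harddiskvolume1\\windows\\system32\\lsass.exe

Network Information:
Direction:Inbound
Source Address:{src}
Source Port:{sport}
Destination Address:{dst}
Destination Port:{dport}
Protocol:{proto}

Filter Information:
Filter Run-Time ID:{fid}
Layer Name:Receive/Accept
Layer Run-Time ID:44
"""

# Constructed sample: the two events from the post, plus two made-up blocked
# events between the same pair of addresses so the summary shows a repeat.
SAMPLE_EVENTS = "\n".join(_TEMPLATE.format(**e) for e in [
    dict(outcome="blocked", src="208.96.30.116", sport=389, dst="222.186.151.237", dport=16516, proto=17, fid=1660031),
    dict(outcome="permitted", src="208.96.30.116", sport=389, dst="24.167.51.62", dport=6865, proto=17, fid=1717210),
    dict(outcome="blocked", src="208.96.30.116", sport=389, dst="222.186.151.237", dport=16517, proto=17, fid=1660031),
    dict(outcome="blocked", src="208.96.30.116", sport=389, dst="222.186.151.237", dport=16518, proto=17, fid=1660031),
])

EVENT_IDS = {"blocked": 5157, "permitted": 5156}
PROTOCOLS = {6: "TCP", 17: "UDP"}   # IANA protocol numbers as they appear in the event
_HEADER = re.compile(r"^The Windows Filtering Platform has (blocked|permitted) a connection\.$", re.M)


def parse_wfp_events(text):
    """Split the text on the event header line and read the Key:Value lines of each event."""
    events = []
    headers = list(_HEADER.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        fields = {}
        for line in text[m.end():end].splitlines():
            if ":" in line and not line.endswith(":"):      # skip section titles
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        proto = int(fields.get("Protocol", 0))
        events.append({
            "event_id": EVENT_IDS[m.group(1)],
            "outcome": m.group(1),
            "process": fields.get("Application Name", ""),
            "direction": fields.get("Direction", ""),
            "src": fields.get("Source Address", ""),
            "sport": int(fields.get("Source Port", 0)),
            "dst": fields.get("Destination Address", ""),
            "dport": int(fields.get("Destination Port", 0)),
            "protocol": PROTOCOLS.get(proto, str(proto)),
            "filter_id": int(fields.get("Filter Run-Time ID", 0)),
        })
    return events


def count_by_pair(events, outcome="blocked"):
    """How many events of one outcome each (source, destination) address pair produced."""
    return Counter((e["src"], e["dst"]) for e in events if e["outcome"] == outcome)


def repeated_blocks(events, threshold=3):
    """Address pairs blocked at least `threshold` times (the threshold is a constructed choice)."""
    counts = count_by_pair(events, "blocked")
    return sorted(((pair, n) for pair, n in counts.items() if n >= threshold), key=lambda x: -x[1])


if __name__ == "__main__":
    evs = parse_wfp_events(SAMPLE_EVENTS)
    for (src, dst), n in repeated_blocks(evs):
        print(f"{src} -> {dst}: blocked {n} times")
```

Run over an export of the Security log, the per-pair counts tell you which addresses and which ports keep hitting lsass.exe; that, together with the `filter_id` (which names the Windows Firewall rule that fired), is what to compare against the rules you actually intend to expose on the internet.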

adding friendlyname and extended validation extension to my root certificate

Hi all,

I aim to set up a standalone root CA, and I want the certificate of the root to contain two extensions: Friendly Name and Extended Validation. But I do not know how to add these extensions to my CApolicy.inf file. Can anyone help me?

Dot1x GPO not taking effect on Windows 7 device

Hi guys,

I'm rolling out Cisco ISE for wired network role-based access, but at the same time I'm having to push out a GPO to force Windows 7 devices to authenticate using certificates. The GPO is configured to enable the use of 802.1x authentication for network access, Smart Card or certificate access, and user or computer authentication mode. I've then performed a GPUPDATE /FORCE and confirmed the GPO has been applied by running GPRESULT /SCOPE COMPUTER /R. This shows that the GPO has been applied to the machine. I then reboot just to make sure the Wired AutoConfig service starts on boot.

This is now when the problems arise. When I look at any of my LAN NICs' authentication settings, it is still set to EAP-PEAP and not smart card or certificate as per the GPO.

Active Directory is running on Server 2008 R2; are there any known bugs for 802.1x GPOs?

Thanks in advance

Can we use single root CA for two different forests?

Hi Guys,

I'm working on a POC kind of environment to test the application (in the current org) access from a partner organisation. We need to create trusts between ADFS servers of the two parties, can't use the AD trust, because we just need to provide access to an application with their domain accounts.

And to perform this in a lab, I need to be able to deploy the certificates which are trusted by both the parties, can't go with 3rd party SSL because of the cost restriction for the lab, your help is much appreciated in this regard.

And the application in discussion is RD Web from Windows Remote Desktop Services.



TheWinguy

What events come under the Directory Service (specifically NTDS LDAP) on Windows Server 2019?

Hi,

I am able to get all the security audit events from the C:\WINDOWS\System32\adtschema.dll

I am trying to find the same thing for all the entries in Directory Service, such as NTDS LDAP, NTDS Database, etc.

For that, the Registry Editor entry is Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service\NTDS LDAP, in which the eventMessageFile entry in the right panel shows %SystemRoot%\system32\ntdsmsg.dll.

When I extract ntdsmsg.dll there is no Message Table entry in it.

Where can I get the events related to Directory Service?

Please do the needful.


One Root CA for multiple forests and LDAP

Hi!

I have single standalone Root CA. Root CA issued certificate for enterprise intermediate CA in one forest. I also published Root CA CRL in LDAP of my first forest. Everything is nice. 

Now I want to issue an intermediate server certificate from my root CA to the second forest's intermediate CA. And I also want to publish the Root CA CRL into the LDAP of the second forest. But I have configured my root CA to allow CRL publishing to the first forest by defining the LDAP path/registry setting with the command "certutil -setreg CA\DSConfigDN CN=Configuration,DC=*DOMAIN*,DC=*NAME*" on the Root CA.

Does it mean, that every time I want to publish Root CA CRL to LDAP, I must reconfigure CA\DSConfigDN setting on Root CA to meet target domain LDAP path requirements?

Thanks,


UV


Standalone ADCS - cannot publish CRL

We are using a standalone ADCS, but we are getting the following error when trying to push the CRL.

---------------------------
Microsoft Active Directory Certificate Services
---------------------------
The directory name is invalid. 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)
---------------------------
OK   
---------------------------

Same error when we try the same with certutil:

C:\Users\svc_d365>certutil -CRL

CertUtil: -CRL command FAILED: 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)
CertUtil: The directory name is invalid.

Output when we request the distribution points:

C:\Users\svc_d365>certutil -getreg ca\crlpublicationurls
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA>-CA\CRLPublicationURLs:

  CRLPublicationURLs REG_MULTI_SZ =
    0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
    CSURL_SERVERPUBLISH -- 1
    CSURL_SERVERPUBLISHDELTA -- 40 (64)

    1: 8:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
    CSURL_ADDTOCRLCDP -- 8

    2: 0:http://%1/CertEnroll/%3%8%9.crl

    3: 7:file://%1/CertEnroll/%3%8%9.crl
    CSURL_SERVERPUBLISH -- 1
    CSURL_ADDTOCERTCDP -- 2
    CSURL_ADDTOFRESHESTCRL -- 4

CertUtil: -getreg command completed successfully.


We've already granted the cert publishers group permissions on the following folder:

C:\Windows\System32\CertSrv\CertEnroll

Anyone an idea how to solve this issue?




Template does not show up in Web Enrollment pages.

We duplicated the Web Server version 1 template on our Windows 2003 Server CA and published it to the CA for issuance. Set the permissions accordingly: Domain Admins: Read, Write, Enroll.

 

Then when we go to a Windows Server 2008 R2 Enterprise server, log in with an account in Domain Admins and run http://OurServer/certsrv to submit an Advanced Certificate Request, we cannot see that template. Days went by from the time we made the template to when we tried the request. The CA was stopped and restarted.

 

Other duplicate templates do show up, just not this one. Any ideas?

Outlook profile cannot be opened but OWA is normal for one of users

Dear Support, 

We find that one user's Outlook has the error message below, whether in cached mode or online mode.
However, OWA for this problematic user's mailbox is normal.

This problematic mailbox was moved to another mailbox database for testing.
We have re-created the Outlook profile for this problematic user but still encounter this issue.
In fact, we can create Outlook profiles for other users on this client computer successfully.
Could you have an idea how to find the root cause?

Error:

"Cannot start microsoft outlook. Cannot open the outlook window. The set of folders cannot be opened. The file C:\Usrs\User.Name\AppData\local\microsoft\outlook\user.name@domain.com.ost is not an outlook data file (.ost)"

Thanks!

Best Regards, 
Daniel


Enable root certificate update ?

Hi! For some reason, a previous network admin turned off the automatic root certificate update in 2012. Probably because there was an issue in 2012 when Microsoft deployed some bad certificates (https://cloudblogs.microsoft.com/windowsserver/2013/01/12/fix-available-for-root-certificate-update-issue-on-windows-server/)

Since we had a few issues in the past because root certificates were not updated/present and I just figured out why :), I was wondering if there could be an impact if I turned the automatic root certificate update back on for our servers. Most of them don't have access to the Internet.

Thanks!

Setting up a parallel PKI infrastructure on a new CA server

Hi,

I have an existing CA that is running on a Windows 2012 R2 box and is issuing SHA1 certs using CSP. This CA is one that has been migrated/upgraded from when the original CA was setup way back in Windows Server 2003.

My understanding is that I can't easily change the existing CA from SHA1 to SHA256 or change from CSP to the newer KSP. And even if I could, I think we have some applications/processes that might not work with newer KSP SHA256 certs, like our TMG 2010 server (which is going away at some point this year anyway).

So I've found a couple of posts that reference setting up a parallel PKI infrastructure on a new server that uses SHA256 and KSP; then you can run both CAs in parallel and, in a managed fashion, slowly get rid of the older CA and certs.

So first, is this setup supported?  Second, are there any gotchas or things to watch out for when doing this?

Thanks in advance.
Nick

Certificate for local system with Thumbprint.... is about to expire or already expired.

My PC has been crashing a lot recently, and I think this is the cause:

"Certificate for local system with Thumbprint ee 43 5b bc 73 29 b3 8d b8 37 53 80 2c 6b 33 ad 86 a9 44 ee is about to expire or already expired."

I've tried researching this but haven't met a solution that works for me. Please advise.


AV Update Issue

There is an antivirus program, server edition, installed on my server. When I try to update it, it gives me errors.

I found some of the URLs of that antivirus server are getting blocked. When I manually opened them in my browser, instead of opening the real URL it loads a local HTML page that tells me this URL is blocked by your IT department, and my department's past admin has resigned recently. It's confirmed it's getting blocked locally, not by the firewall; I have checked all rules in the firewall.

I want to know from where a URL can be blocked in Windows.

subordinate old CRL

Hello everyone,

When renewing on our CA, any old cert that was generated is pointing to the old CRL file, but newly issued certificates are pointing to an up-to-date (1).crl file. How do old certificates know what certs were revoked if they have the old CRL distribution point file .crl? And how to ensure old certs have an up-to-date revocation list?

Thanks


How to deploy certificates to standalone Windows Servers?

Hi Technet,
Not sure if this is the right forum; I can't find a 'PKI' or 'Microsoft Certificate Authority' TechNet forum.
I got hit with an interview question along the lines of 'how would you install a certificate on a fleet of Windows Servers that are not domain joined?'. I had no idea, but I'd like to know. So, has anyone done this? In the environment I work in there is auto-enrollment and member servers get certs from the domain CA that way...
Thanks!

subordinate cert renewal - CRL file

Hello everyone,

When renewing the certificate "with same key" on our CA, the CRL distribution point of any old cert that was generated for clients is pointing to the old CRL file, meaning they reflect the old revocation list, but any newly issued certificates are pointing to an up-to-date (1).crl file. How do clients that still have the old CRL in their CRL distribution point know what certs were revoked if they still point to the old CRL distribution point file .crl? And how to ensure certs issued prior to the CA renewal have an up-to-date revocation list?

Thanks



Revocation checking preferences

Hello,

Let us say both CDP and OCSP are configured; what is the preferred way clients will use for revocation checking?

Thanks in advance

RPC server is unavailable

Hello all, 

I installed an Enterprise CA on Windows Server 2016 to ensure both smart card login and sign/encrypt mail functions. After installation I tested the two options and they worked fine, but one day later there was an error message "This smart card couldn't be used" while trying to log in, and while encrypting mails there was another error message "This smart card cannot perform the required operation". After multiple tries it can send the mail encrypted, but it can't access Windows with the smart card.

I went to the Event Viewer on both the PC machine and the CA machine and found the following errors:

On PC Machine:

1) Event ID: 6, Source: Certificate Services Client-AutoEnrollment
Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable

2) Event ID: 13, Source: Certificate enrollment for local system failed to enroll for Kerberos Authentication certificate with
request ID "Request No." from CA server\CA server name (The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE))

3) Event ID: 10028, Source: DistributedCOM
DCOM was unable to communicate with the machine using any of the configured protocols, requested by PID 1c28 (C:\windows\system32\certutil.exe)
while activating CLSID {D99E6E74-FC88-11D0-B798-00A0C90312F3}

On CA Machine:

1) Event ID: 53, Source: CertificationAuthority
Active Directory Certificate Services denied request "Request No." because the RPC server is unavailable. 0x800706ba
(Win32: 1722 RPC_S_SERVER_UNAVAILABLE). The request was for PC Machine Name. Additional info: Denied by policy module.

I tried a lot of solutions based on Google searches; some of my steps:

1- Enabling File and Printer Sharing and IPv6, also making sure the RPC and Remote Assistance services are running and set to automatic.

2- I added the Domain Controllers group on both the Certsrv security property and on the Kerberos Authentication template.

3- On the Domain Controller, in the "Certificate Service DCOM Access" group, I added the Domain Controllers, Domain Users, and Domain Computers groups.

4- I checked network connectivity and the TCP/IP service.

5- I created a rule on Windows Firewall to pass port 135.

NOTE: My Active Directory environment is a forest (parent and child); the CA server is joined to the parent AD.

The problem still exists, and I don't have any idea why it was working and now it's not. Any help please!

LAPS - set expiration password does not work via DirectAccess

I have a customer case where there are a lot of computers using DA all the time and we are piloting the LAPS solution. Everything else works fine; I extended the logs to see everything. The password gets changed in the internal network, but not via DA.

With DA, AdmPwd Error 2 happens: Could not get Computer object from AD. 0x8007054b.

We are about to utilize LAPS for Service Desk use as well, so the user will get a temporary password (what actually happens is that the SD agent tells the old PW and, after a call, sets the password to expire in 2 hours). This process works fine in the LAN, but not via DA.


MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.
