Channel: Security forum
Viewing all 12072 articles

Assigning, Auto renew of expired certificates from Enterprise CA


Hi

All our applications, such as SCCM, are configured to communicate over HTTPS. For this purpose we already have a GPO in place to auto-enroll / renew expired certificates (Computer Config->Policies->Windows Settings->Security settings->Public Key Policies->Certificate Services Client Auto Enrollment - "Configuration Model: Enabled", with both options selected: "Renew expired certificates, update pending certificates and remove revoked certificates" and "Update certificates that use certificate templates"). With the single Root Enterprise CA we have a template to issue certificates. Our concerns are:

a) When we add a second AD site and a subordinate CA, how does this GPO work? Do we need to create the same template there on the subordinate CA?

b) As of now this GPO is applied only to end-user machines; for the servers we are enrolling manually. We want auto-enrollment for the servers as well, so shall we apply the same GPO to the servers?

Thanks in advance


LMS


Microsoft Active Directory Certificate Service


Hi

I have some questions on Active Directory Certificate Services:

Currently we have a hierarchical PKI in our organization, the root of which runs on Microsoft Server 2003. Now we want to migrate and build another, parallel hierarchy using Windows Server 2016 for the new root CA. But we want to set up an interoperability relationship between these two hierarchies. We are thinking of using a CTL or one-way cross-certification, but we are not sure which one is more suitable for our situation. What is your suggestion?

My other question is about including the Extended Validation and Friendly Name properties in my new standalone Root CA's certificate, which will be set up on Windows Server 2016. We have tried different ways to include these properties by use of CApolicy.inf, but we have not made any progress so far. Could you please help us and tell me how we can do this?

Guarded Host unable to Confirm Attestation to Host Guardian Services


Hi,

I am trying to set up a Guarded Host, and I am having an issue getting it to do attestation.

When I run the command Get-HgsTrace -RunDiagnostic, this is the result:

Overall Result: Fail
    DESKTOP-123456: Fail
        Test Attestation: Fail
            Check Attestation Status:Fail
            >>> The host's code integrity policy is not present or not recognized by the server.  Ensure a policy has
            >>> been installed, the host has been restarted, and the policy is registered on the server with the
            >>> Add-HgsAttestationCIPolicy command.
            >>> The remote attestation request for this host failed because IOMMU was not required by the hypervisor.
            >>> Verify that IOMMU is enabled and that it is explicitly required for Virtual Secure Mode to launch. For
            >>> help, refer to http://go.microsoft.com/fwlink/?LinkId=734842
        HGS Client Configuration: Fail
            Code Integrity Policy Installed: Pass
            Code Integrity Policy Active:Fail
            >>> The code integrity policy currently installed does not match the policy recorded at boot time.  Restart
            >>> the system to finish activating the new policy.

I suspect it is the Code Integrity Policy that causes the failure, but I have already applied it in Windows Defender Application Control, Enforced. I am unable to troubleshoot the problem as to which policy is recorded at boot time and which one is currently installed.

Please guide me on the Code Integrity activation for Shielded VM.

Thank you.

Yours sincerely,

Arik.


interoperability root certificate authority


Hi

If I have two Root CAs on two different versions of Windows Server, the first a Root CA with the SHA1 hashing algorithm on Windows Server 2003 and the second a Root CA based on SHA2 on Windows Server 2016, in order to make an interoperability relationship between these CAs, which one is better: CTL or one-way cross-certification, and why? Thanks.

 

Auto enrollment for Domain controller certificate with subject alternative name


Hi,

We need an auto-enrollment template for domain controller certificates which can have a SAN as well. By the normal method, the auto-enrolled domain controller certificate will contain only the FQDN of the server. We need to include a SAN in the domain controller certificate too. Is there any way we could accomplish this?

Thanks and Regards

NDES Server - Intune connector certificate query


Hi All,

The NDES server contains one certificate, 1x SSL cert with Client and Server Auth for the Intune Connector / Intune tenancy.

Currently the NDES setup is working fine. Down the line, if the mentioned certificate expires, do we need to reinstall the Intune connector when renewing it?

Kindly advise.

Regards

Afsar

how to Publish CERTSRV on WEBSERVER


Hi All,

I followed https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx?Redirected=true to set up the Certificate Server. I followed the document step by step.

The problem is that my web server does not have the certsrv folder, hence I am unable to publish it in IIS and cannot get certificates issued using a website like http://pki.domain.local/certsrv.

My certsrv folder exists on the Issuing CA, how can I publish the same on my webserver to request certificates?

Any help will be appreciated.

Certsrv not showing up in IIS


On my Subordinate CA, Certsrv is not showing up as an available site in the virtual directory list in IIS; however, on my Root CA it is there. This is a brand new server and I had no issues in my test environment. All roles of AD CS except for Devices are enabled on the Subordinate server. Any idea why the CERTSRV site is not appearing?

Thanks


Domain user keeps getting locked out almost immediately after unlocking


I have one user that keeps getting locked out of their machine.

The user is currently getting the error below.

I have removed her credentials from Credential Manager. The only other place she logs in is via RDP to the machine.

Any suggestions or help? This lockout happens seconds after I have unlocked the account.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2019-04-23T20:51:02.978836800Z"/>
    <EventRecordID>3625004125</EventRecordID>
    <Correlation/>
    <Execution ProcessID="864" ThreadID="15276"/>
    <Channel>Security</Channel>
    <Computer>rcidc01.rcidomain.loc</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="TargetUserName"><username></Data>
    <Data Name="TargetSid">S-1-5-21-3256544586-996336186-696827199-1188</Data>
    <Data Name="ServiceName">krbtgt/RCIDOMAIN.LOC</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x12</Data>
    <Data Name="PreAuthType">0</Data>
    <Data Name="IpAddress">::ffff:192.168.168.80</Data>
    <Data Name="IpPort">52854</Data>
    <Data Name="CertIssuerName"/>
    <Data Name="CertSerialNumber"/>
    <Data Name="CertThumbprint"/>
  </EventData>
</Event>
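An added example (not part of the post) for locating the source of the repeated lockouts: it pulls the 4771 events for one account from the DC named in the post, groups them by source IP and Kerberos status code, and then lists the 4740 lockout events, whose "caller computer" field names the machine that tripped the threshold. The 0x12 status in the posted event means the account was already locked when that request arrived; the 0x18 (wrong password) bursts just before each lockout are the ones that point at the culprit. The account name is a placeholder; PowerShell 3 or later and Event Log read rights on the DC are assumed.

```powershell
$user = 'username'   # placeholder: the locked-out account's sAMAccountName
$dc   = 'rcidc01'    # the DC from the post's <Computer> element
$since = (Get-Date).AddHours(-24)

# Kerberos KDC status codes as they appear in the 4771 Status field
$statusText = @{
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account already locked/disabled)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
}

$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'Security'; Id = 4771; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the <EventData><Data Name=...> elements into a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -ne $user) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Source  = $d['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
        Port    = $d['IpPort']
        Status  = $d['Status']
        Meaning = if ($statusText.ContainsKey($d['Status'])) { $statusText[$d['Status']] } else { 'other' }
    }
}

"4771 pre-auth failures for $user on $dc since $since, by source and status:"
$rows | Group-Object Source, Status | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{n='First'; e={ ($_.Group | Measure-Object Time -Minimum).Minimum }},
        @{n='Last';  e={ ($_.Group | Measure-Object Time -Maximum).Maximum }} |
    Format-Table -AutoSize

# 4740 is written on the PDC emulator; its TargetDomainName field carries the caller computer name
"4740 lockouts for $user (caller computer is the host that exceeded the bad-password threshold):"
Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $user } |
    Select-Object TimeCreated, @{n='CallerComputer'; e={ $_.Properties[1].Value }} |
    Format-Table -AutoSize
```

If the 4771 source for the 0x18 entries is the RDP host rather than the user's own PC, a stale saved session or a service running under the old password on that host is the usual explanation.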

SMB Null Sessions


Hi.

I have run a vulnerability test on my server, Windows Server 2008 R2 (not a domain controller). The test flagged "SMB Null Sessions Enabled".

I have tried to fix this by doing the following:

  • changed the registry locally on the server
  • changed the security policy locally on the server
  • created a GPO as below

Step 1 : Apply below group policy settings to Default Domain Controller policy object or to the GPO object that is applied to your domain controllers.

Edit GPO- Go to Computer configuration\Policies\Windows settings\Security Settings\Local Policies\SecurityOptions

Enable:
Network access: Restrict Anonymous access to Named Pipes and Shares
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Shares that can be accessed anonymously
Disable:
Network access: Let Everyone permissions apply to anonymous users
Network access: Allow anonymous SID/Name translation

Step 2 : Update the registry key values to restrict null session as below:

HKEY\SYSTEM\CurrentControlSet\Control\Lsa:
RestrictAnonymous = 1
RestrictAnonymousSAM = 1
EveryoneIncludesAnonymous = 0

The test is still giving me the SMB Null Sessions vulnerability. I can confirm it from cmd with net use \\IP_ADDRESS\ipc$ "" /user:"" and it works.

What am I missing?


Zorky HPC
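An added example (not from the post) of the check a practitioner would run next: it reads the registry values that the listed policies actually set, on the server being scanned, and reports each against the expected value, so a policy that never reached this machine (for instance one linked only to the Domain Controllers OU while the server is a member server) shows up as a mismatch. The expected values are assumptions derived from the policy names in the post. Run elevated on the server; PowerShell 3 or later is assumed.

```powershell
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Registry value, expected setting and the security option it implements
$checks = @(
    @{ Path=$lsa; Name='RestrictAnonymous';         Expected=1; Policy='Do not allow anonymous enumeration of SAM accounts and shares' },
    @{ Path=$lsa; Name='RestrictAnonymousSAM';      Expected=1; Policy='Do not allow anonymous enumeration of SAM accounts' },
    @{ Path=$lsa; Name='EveryoneIncludesAnonymous'; Expected=0; Policy='Let Everyone permissions apply to anonymous users' },
    @{ Path=$srv; Name='RestrictNullSessAccess';    Expected=1; Policy='Restrict anonymous access to Named Pipes and Shares' }
)

$report = foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Policy   = $c.Policy
        Value    = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
    }
}
"Effective anonymous-access settings on $env:COMPUTERNAME:"
$report | Format-Table -AutoSize

# Pipes and shares that remain reachable by a null session even with the restrictions above
foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $list = (Get-ItemProperty -Path $srv -Name $name -ErrorAction SilentlyContinue).$name
    '{0}: {1}' -f $name, $(if ($list) { $list -join ', ' } else { '<empty>' })
}

# Which GPOs actually applied to this computer; a GPO linked to the Domain Controllers OU
# will not appear here on a member server
gpresult /scope computer /r | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10
```

Note that these values govern what an anonymous session is allowed to enumerate; the anonymous tree connect to IPC$ itself can still succeed, so a scanner that reports on the connect rather than on enumeration will keep flagging the host even when every value above matches.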

What all events are comes under the Directory Service (specifically NTDS LDAP) on Windows Server 2019


Hi,

I am able to get all the security audit events from C:\WINDOWS\System32\adtschema.dll.

I am trying to find the same thing for all the entries under Directory Service, such as NTDS LDAP, NTDS Database, etc.

For these, the Registry Editor entry is Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service\NTDS LDAP. In it, the eventMessageFile entry in the right panel shows %SystemRoot%\system32\ntdsmsg.dll.

When I extract ntdsmsg.dll there is no Message Table entry in it.

Where can I get the events related to Directory Service?

Please do the needful.


Certreq with SafeNet Key Storage Provider / ProviderType?


Hi folks,

I want to generate a keypair and request in a CNG provider from SafeNet. I am using a certreq.inf (certreq -new certreq.inf), that contains the following lines (among others):

HashAlgorithm=SHA256

KeyAlgorithm=RSA

Provider="SafeNet Key Storage Provider"

Unfortunately certreq fails with "Invalid provider type specified". I thought that CNG providers had no provider type (or 0), as certutil -csplist indicates. I cannot add the ProviderType either, as it will fail too. So w/o it fails - with: it also fails :( Is there any trick, or is it just a badly programmed KSP? (The whole process works like a charm with the Microsoft Software Key Storage Provider and NO ProviderType.)

The system is a fully patched Windows Server 2008 R2 Enterprise.

And last but not least - Key Usage is always critical, but I do not explicitly state it to be critical. A CA certificate generated by AD CS does not sport the critical Key Usage. Can I prevent this automatism?

Thanks,

MMF

LAPS Computers in OU

I just went through the steps to set up LAPS and everything worked, except that all my PCs are in an OU with sub-OUs (depending on where they are). Do I need to extend the schema for that OU?

GMSA managed service account password change


Hello,

We are facing an issue with the applications using gMSA. We are receiving a lot of service disconnection issues due to the MSA password not being updated on the server, and it happens randomly during the day.

Can we make all the gMSA accounts change their password at a specific time (like 2 am daily)?

IPSec transport not negotiated despite Connection Security rules


I am trying to set up transparent IPsec encryption between clients and servers in our domain. I've set up connection security rules for transport mode via GPO for clients and servers (transport "server-to-server" type, authentication using certificates issued by our internal Windows-hosted CA). The connection security rule has our IPv4 address space (123.4.0.0/16) configured for "Endpoint 1" and the rest of the Internet (0.0.0.0-123.3.255.255, 123.5.0.0-223.255.255.255) for "Endpoint 2". The server's definitions are set to "Require inbound and request outbound", the client's definitions to "Request inbound and outbound". On the server's side, a single generic firewall rule is configured to "Allow connection if secure" and "require encryption" for all protocols and all addresses.

All servers have public IPv4 addresses; clients may either be behind a NAT device on foreign networks or have public IPv4 addresses on our network.

I can observe that in some cases a client would not start IKE negotiations with the destination server even though it is covered by the connection security rule. Example:

PS C:\Windows\system32> ping 123.4.6.61 -n 1

Ping wird ausgeführt für 123.4.6.61 mit 32 Bytes Daten:
Antwort von 123.4.6.61: Bytes=32 Zeit=82ms TTL=119

Ping-Statistik für 123.4.6.61:
    Pakete: Gesendet = 1, Empfangen = 1, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 82ms, Maximum = 82ms, Mittelwert = 82ms
PS C:\Windows\system32> Get-NetIPsecQuickModeSA | ft

Name LocalEndpoint  RemoteEndpoint TransportLayerFilterName EncapsulationMode Direction LocalPort RemotePort IpProtocol
---- -------------  -------------- ------------------------ ----------------- --------- --------- ---------- ----------
168  192.168.246.54 123.4.6.61     IPSec                    Transport         Inbound
168  192.168.246.54 123.4.6.61     IPSec                    Transport         Outbound
154  192.168.246.54 123.4.7.26     IPSec                    Transport         Inbound
154  192.168.246.54 123.4.7.26     IPSec                    Transport         Outbound
167  192.168.246.54 123.4.7.25     IPSec                    Transport         Inbound
167  192.168.246.54 123.4.7.25     IPSec                    Transport         Outbound


PS C:\Windows\system32> ping 123.4.6.62

Ping wird ausgeführt für 123.4.6.62 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 123.4.6.62:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4
    (100% Verlust),
PS C:\Windows\system32> Get-NetIPsecQuickModeSA | ft

Name LocalEndpoint  RemoteEndpoint TransportLayerFilterName EncapsulationMode Direction LocalPort RemotePort IpProtocol
---- -------------  -------------- ------------------------ ----------------- --------- --------- ---------- ----------
173  192.168.246.54 123.4.7.25     IPSec                    Transport         Inbound
173  192.168.246.54 123.4.7.25     IPSec                    Transport         Outbound
174  192.168.246.54 123.4.6.61     IPSec                    Transport         Inbound
174  192.168.246.54 123.4.6.61     IPSec                    Transport         Outbound
154  192.168.246.54 123.4.7.26     IPSec                    Transport         Inbound
154  192.168.246.54 123.4.7.26     IPSec                    Transport         Outbound

In the network trace of the client machine (Windows 10 1803/1809), I can see that it is not even trying to send IKE or ESP packets to 123.4.6.62, although I usually can see a valid main mode SA to 123.4.6.62. This might affect connection to other servers after the client has been rebooted.

How could I debug this and is there any known remedy to this problem?

Kind regards,

While all servers have public IPv4 addresses, clients may either be behind a NAT device on foreign networks or have public IPv4 addresses on our network
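An added example (not from the post) for the debugging step the question asks about: run on the client, it takes the server address that failed, checks whether any connection security rule in the active policy store has that address in either endpoint's address set (handling the single-address, range and CIDR forms the post uses), and then lists the main mode and quick mode SAs currently established to it. A rule that matches but no SAs, as in the post, isolates the problem to IKE not being triggered; no matching rule points at the address filters instead. Assumes Windows 10 with the NetSecurity module and an elevated prompt; the target address comes from the post.

```powershell
$target = '123.4.6.62'   # the server the client would not negotiate with

function ConvertTo-UInt32 ([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($b)              # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($b, 0)
}

# True when $ip lies in $filter, which may be "a.b.c.d", "a.b.c.d-e.f.g.h" or "a.b.c.d/n".
# Keywords other than Any (LocalSubnet, DNS, ...) and IPv6 entries are treated as no match.
function Test-AddressInFilter ([string]$ip, [string]$filter) {
    if ($filter -eq 'Any') { return $true }
    if ($filter -notmatch '^\d+\.\d+\.\d+\.\d+') { return $false }
    $n = ConvertTo-UInt32 $ip
    if ($filter -match '^(.+)-(.+)$') {
        return ($n -ge (ConvertTo-UInt32 $Matches[1])) -and ($n -le (ConvertTo-UInt32 $Matches[2]))
    }
    if ($filter -match '^(.+)/(\d+)$') {
        $bits = [int]$Matches[2]
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
        return (($n -band $mask) -eq ((ConvertTo-UInt32 $Matches[1]) -band $mask))
    }
    return $n -eq (ConvertTo-UInt32 $filter)
}

$covering = foreach ($rule in Get-NetIPsecRule -PolicyStore ActiveStore) {
    $af = $rule | Get-NetFirewallAddressFilter
    # Endpoint 1 maps to LocalAddress and Endpoint 2 to RemoteAddress; the target may sit in either
    $hit = @(@($af.LocalAddress) + @($af.RemoteAddress) | Where-Object { Test-AddressInFilter $target $_ })
    if ($hit.Count -gt 0) {
        [pscustomobject]@{
            Rule             = $rule.DisplayName
            Enabled          = $rule.Enabled
            Mode             = $rule.Mode
            InboundSecurity  = $rule.InboundSecurity
            OutboundSecurity = $rule.OutboundSecurity
            MatchedOn        = ($hit -join ', ')
        }
    }
}

"Connection security rules in the active store whose address sets include $target:"
$covering | Format-Table -AutoSize

"Main mode SAs to $target (present but no quick mode SA = IKE ran, quick mode did not):"
Get-NetIPsecMainModeSA | Where-Object RemoteEndpoint -eq $target | Format-Table Name, LocalEndpoint, RemoteEndpoint -AutoSize

"Quick mode SAs to $target:"
Get-NetIPsecQuickModeSA | Where-Object RemoteEndpoint -eq $target |
    Format-Table Name, LocalEndpoint, RemoteEndpoint, EncapsulationMode, Direction -AutoSize
```

Running the same script on the server side, with the client's public (post-NAT) address as the target, shows whether the server's "Require inbound" rule covers that address at all.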

Certificate Authority - What is the URL/path to my CRL?


Hi,

I set up a PKI (offline Root CA, Enterprise CA, and PKI using mscep). I'm using this to get client certificates to laptop users, which then connect to the Wi-Fi via a network access server.

It's all working except the CRL. The NAS has a section where I can enter a URL for the revocation list.

How would I find the URL or path for my CRL?

I'm obviously not too familiar with PKI, so as much detail as possible would be appreciated.
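An added example (not from the post) that answers the question from the relying party's side: every certificate the Enterprise CA issues carries the CRL Distribution Points extension, and the HTTP URL in it is the one the NAS needs. The script reads that extension from the certificates in the local stores, downloads each HTTP URL and has certutil print the CRL's validity window, which also catches an expired or unreachable CRL. Run on a laptop that already holds an issued client certificate; PowerShell 3 or later is assumed.

```powershell
function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 = CRL Distribution Points; Format($true) renders it as text with "URL=..." entries
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return }
    foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) { $m.Groups[1].Value }
}

function Test-CrlUrl {
    param([string]$Url)
    if ($Url -notmatch '^https?://') { return "  $Url (not HTTP, skipped; an LDAP CDP needs domain connectivity)" }
    $tmp = Join-Path $env:TEMP 'cdp-check.crl'
    try {
        $r = Invoke-WebRequest -Uri $Url -OutFile $tmp -PassThru -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        # certutil -dump shows the CRL issuer plus ThisUpdate/NextUpdate; past NextUpdate, revocation checks fail
        $dates = certutil -dump $tmp | Select-String 'This ?Update|Next ?Update' | ForEach-Object { $_.Line.Trim() }
        "  $Url -> HTTP $($r.StatusCode), $((Get-Item $tmp).Length) bytes; $($dates -join '; ')"
    } catch {
        "  $Url -> FAILED: $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# Self-signed roots carry no CDP, so only issued certificates are examined
$certs = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
         Where-Object { $_.Subject -ne $_.Issuer }
$seen = @{}
foreach ($c in $certs) {
    $urls = @(Get-CdpUrl -Cert $c)
    if ($urls.Count -eq 0) { continue }
    "Certificate: $($c.Subject)  (issuer: $($c.Issuer))"
    foreach ($u in $urls) {
        if ($seen.ContainsKey($u)) { "  $u (checked above)"; continue }
        $seen[$u] = $true
        Test-CrlUrl -Url $u
    }
}

# On the issuing CA itself the same locations are configured under CRLPublicationURLs:
#   certutil -getreg CA\CRLPublicationURLs
```

A 404 on an otherwise correct URL usually means the IIS site lacks the .crl MIME mapping or double escaping for the "+" in delta CRL file names, both of which the two-tier PKI guide linked elsewhere on this page covers.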

Pass-the-Hash / Pass-the-Ticket


Hi. One simple question.

If I have two different users ("Alice", who is a Domain User, and "Bob", who is a Domain Admin) that have the same domain password (and somehow I found out they have the same password for domain login), and I have stolen the hash of the "Alice" account ("mimikatz"), could I use that same hash for a Pass-the-Hash attack as "Bob" (to gain access to the Domain Controller as "Bob")?

What I'm asking is how exactly is hash generated? Does "Alice" and "Bob" have the same hash that could be used in Pass-the-Hash attack?

Does the same apply for the Pass-the-Ticket attack?

Thank you.

Domain Admin doesn't have all permission on member server 2019


Hi Team, on Windows Server 2019, when I log in as a domain admin I can't make some changes, like editing NIC settings. But if I log in as the user who created the machine, servername\administrator, I can make ALL changes, including NIC adapter changes. On the 2019 server, in Computer Management, under the Administrators group, I do have domainname\Administrator and domainname\Domain Admins as members.

I also notice this on my Windows 10 1809 clients: only the Windows installation user can perform some tasks.

I do know the forest/domain functional level is Windows Server 2008 R2 and am not sure if this is the root cause.

Any help would be greatly appreciated.

Thank you

Tom...


Tom Karpowski...


Timing of obsoleting an old CA to bringing up a new CA


All,

I've got an active two-tier CA running on 2008 R2. I've configured a new two-tier CA, running on 2016. It seems to be functioning correctly - at the very least, pkiview.msc shows no errors for either CA.

The new CA has no templates, so I'm seeing a lot of failed requests. That's all good.

However, I believe I have a timing problem, in three areas.

- We use a cert from the old CA for ssl inspection at our firewalls

- We use certs from the old CA for 802.1x authentication for wireless

- Our DirectAccess infrastructure depends on certs from our old CA, and we have staff in the field at customer sites that require pretty much 24x7 access to corporate resources

Complicating this is that we're in a bit of a growth spurt, and are enabling new machines and users frequently.

How do I handle turning off the old one and issuing templates to the new one, so that I have minimal or (ideally) no impact on user experience?

Thanks,

Kurt
