Channel: Security forum

ADCS - Autoenrollment Through Web Enrollment & Policy Services with Client Certificate Auth Only


Hello everyone,

I'm working on a Windows Server 2016 PKI and wanted to set up web services for renewal of certificates outside the internal network. Here is the ideal scenario:

1. Computer retrieves enrollment policy via GPO, policy contains both LDAP and the ADPolicyProvider_CEP_Certificate CEP URL.

2. Computer is auto-enrolled through LDAP/DCOM/RPC when connected to the domain

3. Once outside the network boundary, the computer can renew the same certificate against CES & CEP using the certificate as authentication.

No administrator approval should be required for the initial enrollment or renewal because these are domain-joined machines only.

I've followed a few guides from Microsoft, but I don't see this specific architecture being configured. These include:

https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#Client_Certificate_Authentication

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj590165(v=ws.11)

They reference configuring key-based renewal which means issuance and renewal must be approved by administrators, and the subject information must be supplied in the request, based on my testing. This means auto-enrollment won't work.

I've tried configuring a few templates which enroll fine through LDAP/DCOM/RPC, but when trying to renew through CEP/CES I get the error "Certificate template is not supported by the CA".

Is what I'm trying to do possible?

Thanks!


2008 R2 & BlueKeep


Having trouble finding answers to a couple of questions.

Can Server 2008 Std R2 SP1 be patched to protect against BlueKeep, the vulnerability in RDP, even though this (support.microsoft.com/en-us/lifecycle/search/1163) says patches continue through this year?

If such a server is only accessible by RDP in house (no outside access, no port forwarding, etc.), can a BlueKeep attack even get to it? Assuming no other systems on the LAN are so old or out of date as to be vulnerable to BlueKeep themselves?

If I turn off RDP on such a server and only access it via its own monitor or a 3rd-party program (LogMeIn or some such), is it no longer vulnerable?

Everything I read about this sort of attack, BlueKeep, WannaCry, even on the sites of security software vendors, implies that security software won't stop it, since they all seem to rely on getting the latest MS patches, if you're not on too old an edition.

Thanks

WebEnrollment Services For Windows Server 2012 R2 ADCS For PKI


Hi,

I'm trying to build a Java web application to interact with an Enterprise CA hosted on Windows Server 2012 R2 for the following operations:

1. Fetching Templates

2. Submission of a Certificate Request (PKCS#10).

3. Downloading The Certificate Based On Request Id.

4. Suspension Of Certificates.

5. Revocation Of Certificates.

6. Adding New Templates Using Predefined Templates.

Somehow, using certreq and the web enrollment (Certsrv) hosted on the Enterprise CA, I'm able to perform the first 3 operations (fetching templates, submission of a PKCS#10 request and download of the certificate using the request ID), but how can I achieve the remaining functionality?

Microsoft Certificate Management REST API


Is it possible to develop a complete certificate life cycle management application (i.e. generation of a CSR (Certificate Signing Request), certificate revocation/suspension, template creation, etc.) in Java by using the Certificate Management REST API services, where the developed application interacts with ADCS through those services? I searched through the Microsoft documentation and found that such a REST API is available. But where can I get the complete documentation with a list of all the APIs for the complete functionality of certificate life cycle management, and sample examples, as mentioned above?

Any immediate lead in this regard will be of great help.

Thanks 

Retpoline


Hi,

I want to implement additional security mitigations on top of Retpoline, like in the article below.

https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Mitigating-Spectre-variant-2-with-Retpoline-on-Windows/ba-p/295618

To do so I need to bitwise OR the values into FeatureSettingsOverride and FeatureSettingsOverrideMask, like in the example below:

Example: Feature settings values for enabling SSBD (speculative store bypass) system wide:
FeatureSettingsOverride = 0x8 and FeatureSettingsOverrideMask = 0
To add Retpoline, feature settings value for Retpoline (0x400) should be bitwise OR'd:
FeatureSettingsOverride = 0x408 and FeatureSettingsOverrideMask = 0x400

In my scenario I have added the settings below according to:
https://support.microsoft.com/en-in/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Now I did the bitwise OR and get:

FeatureSettingsOverride: 9288 (decimal)
FeatureSettingsOverrideMask: 1027 (decimal)

If I understood correctly, these values in the registry give me protection for all the latest vulnerabilities with Retpoline enabled.
Of course I have checked for supported hardware and updated microcode. I am curious whether someone has implemented this solution.
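The merge described in the post (OR the Retpoline flag into both existing values, then write them back) can be previewed before anything is changed. The script below is an added example, not code from the post or from Microsoft; it assumes the registry path and value names from the linked KB4073119, treats an absent value as 0 (OS defaults in effect), and takes 0x400 as the Retpoline flag from the article the post quotes. The -Apply switch is this example's own addition.

```powershell
# Added example (not from the original post): compute the merged
# FeatureSettingsOverride / FeatureSettingsOverrideMask that result from OR-ing
# the Retpoline flag into whatever is currently set, and show them before writing.
# Assumptions: registry path and value names as in KB4073119; an absent value is
# treated as 0; 0x400 is the Retpoline flag quoted in the post; -Apply is added here.
param([switch]$Apply)

$Path      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Retpoline = [uint32]0x400

function Get-FeatureSetting {
    param([string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [uint32]0 }   # value not present: OS default applies
    return [uint32]$item.$Name
}

function Merge-FeatureFlag {
    # Bitwise OR keeps every flag already present and adds the new one.
    param([uint32]$Current, [uint32]$Flag)
    return [uint32]($Current -bor $Flag)
}

# Sanity check against the figures in the post: 8264 | 0x400 = 9288 and 3 | 0x400 = 1027.
if ((Merge-FeatureFlag 8264 $Retpoline) -ne 9288 -or (Merge-FeatureFlag 3 $Retpoline) -ne 1027) {
    throw 'Merge-FeatureFlag does not reproduce the expected values'
}

$overrideOld = Get-FeatureSetting 'FeatureSettingsOverride'
$maskOld     = Get-FeatureSetting 'FeatureSettingsOverrideMask'
$overrideNew = Merge-FeatureFlag $overrideOld $Retpoline
$maskNew     = Merge-FeatureFlag $maskOld     $Retpoline

# Show hex and decimal side by side, since the KB uses decimal and the article uses hex.
[pscustomobject]@{ Value = 'FeatureSettingsOverride';     Current = ('0x{0:X} ({0})' -f $overrideOld); Proposed = ('0x{0:X} ({0})' -f $overrideNew) }
[pscustomobject]@{ Value = 'FeatureSettingsOverrideMask'; Current = ('0x{0:X} ({0})' -f $maskOld);     Proposed = ('0x{0:X} ({0})' -f $maskNew) }

if ($Apply) {
    # The flag goes into both values, as the quoted article does for Retpoline (0x400 in each).
    Set-ItemProperty -Path $Path -Name 'FeatureSettingsOverride'     -Value $overrideNew -Type DWord
    Set-ItemProperty -Path $Path -Name 'FeatureSettingsOverrideMask' -Value $maskNew     -Type DWord
    Write-Output 'Values written; a reboot is required before they take effect.'
}
```

Run it from an elevated prompt without -Apply to see the current and proposed values (with the post's starting values it prints 0x2448 (9288) and 0x403 (1027)); add -Apply to write them. After the reboot, Microsoft's SpeculationControl module from the PowerShell Gallery (Get-SpeculationControlSettings) reports whether the branch target injection and Retpoline mitigations are actually active, which is the check that matters more than the registry contents themselves.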

Encryption Supported in Windows server 2012


Which of the following was not a supported encryption algorithm in Server 2012?

RC4

DES

SHA1

MD5

no write permission on a shared folder


I have a new Windows 2016 server in a workgroup setting. I shared a folder to Everyone with full control. On the workstation, I have read access to the folder but can't create any new files (permission error). The user on the workstation has the same username and password as the one on the server. In Win2008, that was enough to access the shared folder.

Please help! I am sure it is a simple setting somewhere on the server. Thanks in advance.

Access denied configuring ADCS Role Services


Hi, I am stepping through post deployment configuration on an enterprise issuing CA. 

After clicking "Next" on the Credentials page, I selected "Certification Authority" on the Role Services page and got the following error: ccertsrvsetup::InitializeDefaults:Access is denied. 0x80070005 (WIN32:5 ERROR_ACCESS_DENIED)

Lab Environment:

VMWare VMs running Windows Server 2016 

Two tier CA

HSM protecting the Root and Issuing CA private keys (KSP installed)

Please advise.

Thanks.



Separate Admin Account & Machine


I know it's best practice to separate your administrator account and your regular user account into two accounts. I also know it's best practice to separate your administrator computer from your regular computer. Question: is it OK if the administrator computer runs as a virtual machine on your regular computer? In other words, I would have my regular computer logged in with my regular (non-admin) account. When I need to do admin tasks, I would start my virtual admin computer on the same hardware as my regular physical computer. I would log into the virtual admin computer with my admin account, do my admin tasks, and then log off and shut down the virtual admin computer.

Is this approach OK, or does the virtual computer need to be hosted somewhere else besides my regular computer?

Certificate Authority using KSP.


Hello,

I've moved my certificate authority from a CSP to a KSP so I can issue SHA-2 certs, but I'm unable to select the KSP from the certificate enrolment web client and issue SHA-2 certificates.

A little more detail:

In the root CA properties, the Cryptographic settings do show "Microsoft Software Key Storage Provider" as the provider and SHA256 as the Hash. 

I have renewed the CA certificate and it is using SHA-256 (Certificate #3).

The CSP registry files show the correct settings and the encryption algorithm is using ALG_SID_3DES

I created a new certificate template and was able to use SHA256 and the KSP but this doesn't show in the web portal when trying to create a new certificate. 

On the web portal > Advanced Certificate Request, under Key Options the CSP drop-down doesn't show the KSP, which I'm assuming is the issue. The same shows when trying to make a request via IIS.

Has anyone come across this before? 

Thanks :)

NDES trust relationship


Hello, I am going to configure an NDES server role within my domain.

I have an existing NPS server within the same domain.

My question is, will my NPS server automatically trust the EAP-TLS certificates issued by my new NDES server?

If not, what do I have to do to ensure trust?

Thank you kindly.

Windows Defender in Server 2016 slowed sequential writes to a crawl


We have an application which automates Excel with data from our application reports. To speed things up when the volume of the report is relatively high, we write a sequential CSV file and then import it into the spreadsheet.

This file write process takes a few seconds on Windows Server 2012R2 - but when we upgraded to Server 2016 it was running over 5 minutes and slowed to a crawl.

On a guess we disabled Windows Defender on both Windows Server Standard 2016 systems - and the speed returned to a few seconds.

What is going on here?  I wouldn't expect the AV to slow things down by a factor of 100 or more???



Glenn Barber

Optional TPM Key Attestation failing ERROR_BAD_ARGUMENTS


We have a range of Windows 10 computers in our estate - some with no TPM chip, some with TPM 1.2, and some with TPM 2.0.

I want to configure a certificate template to optionally perform TPM Key Attestation if the client is capable, to enable clients that support TPM Key Attestation to do so whilst we phase out non-capable devices.

AD CS exposes the certificate template option "Required, if client is capable":

Allows users on a device that does not support TPM key attestation to continue enrolling for that certificate. Users who can perform attestation will be distinguished with a special issuance policy OID. Some devices might not be able to perform attestation because of an old TPM that does not support key attestation, or the device not having a TPM at all.

The certificate template is configured as follows:

  • Compatibility Settings

    • Certification Authority: Windows Server 2016
    • Certificate recipient: Windows 8.1/Windows Server 2012 R2
  • Request Handling

    • Purpose: Signature and encryption
    • Allow private key to be exported: No
    • Archive subject's encryption private key: No
  • Cryptography

    • Provider category: Key Storage Provider
    • Algorithm name: RSA
    • Minimum key size: 2048
    • Providers:
      • Microsoft Platform Crypto Provider
      • Microsoft Software Key Storage Provider
    • Request hash: SHA1
  • Key Attestation

    • Required, if client is capable
    • Perform attestation based on:
      • User credentials
    • Perform attestation only (do not include issuance policies)

When enrolling for this certificate template on a computer without a TPM chip, the request fails with error:

An error occurred while enrolling for a certificate. A certificate request could not be created.

Url: ad1.corp.contoso.com\Contoso Root CA

Error: One or more arguments are not correct. 0x800700a0 (WIN32/HTTP: 160 ERROR_BAD_ARGUMENTS)

If Key Attestation is turned off (Required, if client is capable > None), the enrollment succeeds. The PKI is otherwise healthy (CDP/AIA accessible, CRLs valid etc), and there is no block on Issuance Policy issuance (e.g. 'Endorsement Key Certificate Verified' can be manually issued into a certificate).


Change Event log path location, empty folder


I'm trying to change the event log location for my servers. I made the change in the GPO and I can see the policy is applied, and in the event log properties the location is changed to the new location, but the folder is empty!!




SE.Mohammed

Enabling TLS 1.2 on Windows Server 2012 & 2016

I'm trying to establish TLS 1.2 connections with SQL Server 2012 & 2016 (on Windows Server 2012 & 2016). I've read that you must enable SCHANNEL support for TLS 1.2 for both host types AND I've read that it is enabled by default. When inspecting the registry on Windows Server 2016, there are no entries for TLS 1.2 support for SCHANNEL. Does this mean it is NOT supported, OR is it supported but without any specific registry entries to enable it?
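The question hinges on telling "no registry entry" apart from "disabled". The script below is an added example, not from the post or from Microsoft; it assumes the documented SCHANNEL key layout (Protocols\<protocol>\<Server|Client> with DWORD values Enabled and DisabledByDefault) and reports, for each side, whether the key and values exist at all, so that an absent value is shown as "OS default" rather than mistaken for a disabled protocol.

```powershell
# Added example (not from the original post): report the SCHANNEL registry state for
# TLS 1.2 on both the Server and the Client side of this host.
# A missing key or value means there is no explicit setting and the OS default for
# that protocol applies; it does not by itself mean the protocol is unsupported.
# Assumption: key layout ...\SCHANNEL\Protocols\<protocol>\<side> with DWORD values
# Enabled and DisabledByDefault, as documented for SCHANNEL.
function Get-SchannelProtocolState {
    param(
        [string]$Protocol = 'TLS 1.2',
        [ValidateSet('Server', 'Client')][string]$Side = 'Server'
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Side"
    $result = [ordered]@{ Protocol = $Protocol; Side = $Side; KeyPresent = (Test-Path $key) }
    foreach ($name in 'Enabled', 'DisabledByDefault') {
        $value = $null
        if ($result.KeyPresent) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$name }
        }
        # $null means the value is absent, i.e. the OS default applies for this protocol.
        $result[$name] = if ($null -eq $value) { 'not set (OS default)' } else { $value }
    }
    [pscustomobject]$result
}

# Check both directions: the SQL host is the Server side, the application host the Client side.
foreach ($side in 'Server', 'Client') {
    Get-SchannelProtocolState -Protocol 'TLS 1.2' -Side $side
}
```

Explicit entries are only needed when you want to override the default for a protocol (for example to force an older protocol off); a host with no TLS 1.2 key is simply running the OS default. The SQL Server side has its own TLS 1.2 requirements (older SQL Server 2012 builds needed an update before they would negotiate it), so a registry check on the Windows side answers only half of the question.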

Question on PAM


Hello!

You are planning to deploy a PAM solution for your Contoso.com and Priv.Contoso.com domains.

The forest functional level of priv.contoso.com is Windows Server 2012 R2.
The forest functional level of contoso.com is Windows Server 2012.

All servers run Windows Server 2016.

Which two actions should you take?

A. Raise the forest functional level of contoso.com.
B. Raise the forest functional level of priv.contoso.com.
C. Deploy Microsoft Identity Manager (MIM) 2016 to priv.contoso.com.
E. Configure admin.contoso.com to trust contoso.com.
F. Configure contoso.com to trust admin.contoso.com.

I failed to find information on which CORPORATE (Contoso.com) forest functional level should be used (the Priv.Contoso.com one must be 2016); the only article on the matter I've seen is this: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/deploy-pam-with-windows-server-2016

It says that you can use Windows Server 2012 R2 as a corporate domain, but there was no evidence of Windows Server 2012 in this document, so I would choose A, B and C, but the question asks about only 2 actions... Has anyone seen the information on the corporate forest functional level requirements???

Thank you in advance,
Michael

