Channel: Security forum

Certificate enrollment not happening for Windows 2016 servers


Hi,

We have certificate authorities running on both Windows Server 2012 and Windows Server 2016. A new series of Windows Server 2016 servers was introduced, and these servers are not able to get certificates from either CA. Both autoenrollment and manual enrollment are failing.

After extensive troubleshooting we could see that the CMC request which reaches the CA has a blank subject field, and hence the CA rejects the request with the error below.

Certificate enrollment for Local system failed to enroll for a templatecheck certificate with request ID **** from ********\*********(The requested property value is empty. 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)).

Does anybody have any idea why the subject field is blank on the CMC request created by the client (Windows Server 2016)? Is this something to do with the settings on the Cryptography tab of the certificate template, or is there something which needs to be done on the Windows Server 2016 itself?


Renaming the domain Administrator account in Active Directory


Hi Technet,

I've been searching and reading up on renaming the Administrator account. We want to rename the domain Administrator account. I'm not talking about the local admin account on member servers and domain-joined workstations at this time.

I've seen some references to renaming the domain Administrator account via GPO and some references to just renaming it in Active Directory Users and Computers.

What is the correct way to go about it?

Thanks.

No Certification with CES\CEP


Hello Guys

I had CES and CEP installed on a server. I then changed the URL in the Application Settings. I then released the URL through the Web Application Gateway. From the client I can access the URL and log in. However, no certificate templates are displayed to me. What is the problem?

How will a three-tier hierarchy work?


I am not able to understand properly how a three-tier CA will work.

1. From the Root CA: it will generate the self-signed certificate, then it will generate the certificate and give it to the Policy CA.

But how will the Root CA know that this server (the Policy CA) is an authorized CA?

2. When the Root CA gives a certificate to the Policy CA, what information will it give? (Will the Root CA give its public key to the Policy CA in that certificate? If it does, then the Policy CA can decrypt the information coming from the Root CA, but how can the Policy CA encrypt the information it sends to the Root CA?)

 

Separate Admin Account & Machine


I know it's best practice to separate your administrator account and your regular user account into two accounts. I also know it's best practice to separate your administrator computer from your regular computer. Question: is it OK if the administrator computer runs as a virtual machine on your regular computer? In other words, I would have my regular computer logged in with my regular (non-admin) account. When I need to do admin tasks, I would start my virtual admin computer on the same hardware as my regular physical computer. I would log into the virtual admin computer with my admin account, do my admin tasks, and then log off and shut off the virtual admin computer.

Is this approach OK? Or does the virtual computer need to be hosted somewhere else besides my regular computer?

NDES trust relationship


Hello, I am going to configure an NDES server role within my domain.

I have an existing NPS server within the same domain.

My question is, will my NPS server automatically trust the EAP-TLS certificates issued by my new NDES server?

If not, what do I have to do to ensure trust?

Thank you kindly.

Windows Defender in Server 2016 slowed sequential writes to a crawl


We have an application which automates Excel with data from our application reports. To speed things up when the volume of the report is relatively high, we write a sequential CSV file and then import it into the spreadsheet.

This file write process takes a few seconds on Windows Server 2012 R2, but when we upgraded to Server 2016 it was running over 5 minutes and slowed to a crawl.

On a guess we disabled Windows Defender on both Windows Server 2016 Standard systems, and the speed returned to a few seconds.

What is going on here? I wouldn't expect the AV to slow things down by a factor of 100 or more.



Glenn Barber

Domain Controller Authentication Certificate - Outlook Security Alert - The Name on the security certificate is invalid or does not match the name of the site


Dear All,

Need your advice on the below.

I am facing a security alert when opening Outlook saying the security certificate is invalid or does not exist.

The popup says: domain.local - Security Certificate invalid or does not exist

On the CA I found its thumbprint and serial number matching the Domain Controller Authentication certificate.

My DC2 is also the CA.

Issued to: DC2.domain.local

Issued by: company-DC02-CA

Subject alternative name: DNS Name = DC02.company.local

My assumption is that Outlook is looking to resolve a certificate for company.local, but the Domain Controller Authentication certificate resolves to DNS Name DC02.company.local in the Subject Alternative Name.

Is there any way we can safely add company.local to the SAN, or is there a better way to solve this certificate alert when opening Outlook?


Event Log for Adding/Removing Roles/Features


Hello, I was tasked with auditing the server logs, and I need to find out who installed/removed server roles/features and when. Does anyone know which Log/Source/IDs I should be searching for? Thanks in advance.

Automatic Certificate Enrollment failing for user. Event ID 47


Hello,

I have been asked to help look at an issue with a Windows 2016 certificate server at work which is not issuing auto-enrollment user certificates. This is a new implementation of PKI which consists of a two-tier setup utilising an offline root CA server and an online issuing CA server.

I have not been involved in the setup, and apparently it has been working, so something has changed to cause this issue.

When I log onto a Windows 10 client workstation, it should auto-enroll a user certificate, but no error was appearing. I enabled a registry key in the User section of the registry to get verbose logging in the event log, which now shows the following error.

Warning: CertificateServicesClient-CertEnroll

Event ID 47

Certificate enrollment for domain\username could not enrol for a UserCertificateName certificate. A valid certification authority cannot be found to issue this template.

If I use network monitor on the CA server during this process, I don't see any traffic hit the CA server from the client. If I then run the Certificates snap-in from an MMC on the workstation and go through the wizard to renew the certificate, it pops up and works. During this process I see a lot of activity in network monitor running on the server.

I think someone has made a change to the server that has caused this issue, but Certificate Authority Services is not my strong point on Windows Server 2016 and I am struggling to figure out what the problem could be.

Any help or suggestions would be greatly appreciated.

Dave


Optional TPM Key Attestation failing ERROR_BAD_ARGUMENTS


We have a range of Windows 10 computers in our estate: some with no TPM chip, some with TPM 1.2, and some with TPM 2.0.

I want to configure a certificate template to optionally perform TPM Key Attestation if the client is capable, so that clients that support TPM Key Attestation do so whilst we phase out non-capable devices.

AD CS exposes the certificate template option "Required, if client is capable":

Allows users on a device that does not support TPM key attestation to continue enrolling for that certificate. Users who can perform attestation will be distinguished with a special issuance policy OID. Some devices might not be able to perform attestation because of an old TPM that does not support key attestation, or the device not having a TPM at all.

The certificate template is configured as follows:

  • Compatibility Settings

    • Certification Authority: Windows Server 2016
    • Certificate recipient: Windows 8.1/Windows Server 2012 R2
  • Request Handling

    • Purpose: Signature and encryption
    • Allow private key to be exported: No
    • Archive subject's encryption private key: No
  • Cryptography

    • Provider category: Key Storage Provider
    • Algorithm name: RSA
    • Minimum key size: 2048
    • Providers:
      • Microsoft Platform Crypto Provider
      • Microsoft Software Key Storage Provider
    • Request hash: SHA1
  • Key Attestation

    • Required, if client is capable
    • Perform attestation based on:
      • User credentials
    • Perform attestation only (do not include issuance policies)

When enrolling for this certificate template on a computer without a TPM chip, the request fails with error:

An error occurred while enrolling for a certificate. A certificate request could not be created.

Url: ad1.corp.contoso.com\Contoso Root CA

Error: One or more arguments are not correct. 0x800700a0 (WIN32/HTTP: 160 ERROR_BAD_ARGUMENTS)

If Key Attestation is turned off (Required, if client is capable > None), the enrollment succeeds. The PKI is otherwise healthy (CDP/AIA accessible, CRLs valid, etc.), and there is no block on Issuance Policy issuance (e.g. 'Endorsement Key Certificate Verified' can be manually issued into a certificate).


Policy CA start up error


Hi, I am trying to set up an offline Policy CA and keep running into a "The revocation function was unable to check revocation because the revocation server was offline" error.

Please let me know if more info is needed.

Thanks

Environment:

VMware Workstation 14 Pro

Windows Server 2016 VMs

nCipher HSMs protecting the CA private keys

Offline Root CA (already configured and running with a dedicated HSM)

Offline Policy CA - will share private key protection with the Root CA HSM

2 Online Issuing CAs - will both be protected by a network HSM

DC, CDP, Web enrollment, etc.

TLS Mysteriously Changed Versions


I have a database server using SQL Server 2012 SP 4.0 and Windows Server 2008 R2 SP1. Over the weekend (6/ - 6/9/2019) my team noticed that our version of TLS on this server changed from 1.0 to 1.2 (and yes, I know that 1.2 is the recommended version). We are locked into using the older version because of a client machine that has old "Pervasive" software on it and requires that version. Anyway, we did apply a couple of Windows security patches (KB4499715 & KB4498206) and I was aware of these. So we also checked MS articles for both of these KBs and it looks like they should not have caused the version to change. Does anybody else out there have any other ideas what might have caused this? Thanks

Stephen Wexler

Certmgr columns


Hello, I have received via the URL (http://cahost/certsrv/mscep/?operation=GetCACert&message=cahost) a p7b file from a Windows Server 2008 Enterprise machine which has an Enterprise CA and NDES installed on it. When I right-click on it and select 'Open', an MMC window with the title certmgr opens. If I expand the 'Certificates' folder, then I see multiple columns. Most are self-explanatory, but the 'Status' column simply displays the letter 'R'. I have no idea what that means and I have not been able to find any documentation for the columns listed in certmgr. Two questions:

1) Where are the columns for certmgr documented?

2) If there is no answer to 1), then would someone please explain what the set of possible values for 'Status' is, and what they mean?

Thank you,

Matt

ADCS Revocation Server Offline


I recently ran into a problem when putting a CA-signed certificate on an RDP connection instead of using the self-signed ones. When connecting, it shows that it cannot verify whether the certificate has been revoked because the revocation server is offline. I've been trying to troubleshoot this for a while now but to no avail.

When looking in pkiview it shows the CRL and delta CRL as OK.

Here is the output from the certutil -verify command:


Issuer:
    CN=CT11-BESSY-CA
    DC=CT11
    DC=local
  Name Hash(sha1): 6ff2ab74450af9d243580e641d3186fde6921a4c
  Name Hash(md5): 47ed3c672957e7d7452ea08d6a393a33
Subject:
    CN=BESSY
    OU=Domain Controllers
    DC=CT11
    DC=local
  Name Hash(sha1): e8b13b48c021f09a969371354b7aedfc2d905662
  Name Hash(md5): ab3e04efbd1f3202f6d624fe30e85d95
Cert Serial Number: 3d00000087e205f97ecdb034b9000000000087

dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=CT11-BESSY-CA, DC=CT11, DC=local
  NotBefore: 6/7/2019 4:35 AM
  NotAfter: 6/6/2020 4:35 AM
  Subject: CN=BESSY, OU=Domain Controllers, DC=CT11, DC=local
  Serial: 3d00000087e205f97ecdb034b9000000000087
  SubjectAltName: Other Name:Principal Name=BESSY$@CT11.local, DNS Name=BESSY.CT11.local
  Template: 1.3.6.1.4.1.311.21.8.13390570.11058021.11881108.16268315.7825127.181.10424337.8794867
  Cert: c177e413f79b3260cb72b5f7d4e00fefdc53c964
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0 (null)
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
    ldap:///CN=CT11-BESSY-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=CT11,DC=local?cACertificate?base?objectClass=certificationAuthority

  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0 (null)
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
    ldap:///CN=CT11-BESSY-CA,CN=BESSY,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=CT11,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

  ----------------  Base CRL CDP  ----------------
  Failed "CDP" Time: 0 (null)
    Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
    ldap:///CN=CT11-BESSY-CA,CN=BESSY,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=CT11,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 0295:
    Issuer: CN=CT11-BESSY-CA, DC=CT11, DC=local
    ThisUpdate: 5/23/2019 6:48 AM
    NextUpdate: 5/30/2019 7:08 PM
    CRL: ca19ccf1e6a3b1295c2ccdfb93c9f4bc83aff1d2
    Delta CRL 0297:
    Issuer: CN=CT11-BESSY-CA, DC=CT11, DC=local
    ThisUpdate: 5/25/2019 6:48 AM
    NextUpdate: 5/26/2019 7:08 PM
    CRL: d8f1f25f478d8bced3a7308fa284aaa4eacdd5c1
  Application[0] = 1.3.6.1.4.1.311.54.1.2 szOID_TS_KP_TS_SERVER_AUTH

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=CT11-BESSY-CA, DC=CT11, DC=local
  NotBefore: 6/9/2017 2:52 PM
  NotAfter: 6/9/2022 3:02 PM
  Subject: CN=CT11-BESSY-CA, DC=CT11, DC=local
  Serial: 42417e8859702c9f45be819bbeb42c20
  Cert: 6c5c2e2e72e9ce704598033fee99595ea12ea4ab
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------

Exclude leaf cert:
  Chain: b8e619c1c00f4ac40c4bfc15f4f0604c63134e50
Full chain:
  Chain: 23f80d05d81f1736c7d6413931714456327d355a
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.4.1.311.54.1.2 szOID_TS_KP_TS_SERVER_AUTH

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.

Any help will be much appreciated.


Event ID 4624 - multiple types logged for 1 login


I am reaching out to see if anyone can answer a question that I have been unable to find an answer to while searching a multitude of forums and blogs.

When collecting event logs specific to Event ID 4624, we are seeing 2 events for each logon connection.

For Remote Interactive Type 10 (RDP) connections, the Type 10 event is always followed by a Type 2 event with the exact same date/time stamp.

For Interactive Type 2 (console/iLO) connections, the Type 2 event is always followed by a second Type 2 event with the exact same date/time stamp.

While it has been a while since I deep-dived into event logs, I don't recall ever seeing this before. Apparently nobody seems to be able to answer my question.

My suspicion is that it has to do with multi-factor authentication, but no matter what I search for I can't get anyone else to confirm/deny this.

Is there anyone who can address/answer/confirm this?
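One way to see what the paired 4624 records actually contain, as an added example that is not part of the original post: this PowerShell script pulls recent 4624 events from the local Security log, extracts the fields that normally distinguish two records logged at the same instant (logon type, logon process, authentication package, elevated token, logon ID, source address), and groups them by user and second-resolution timestamp so that the same-second pairs can be compared side by side. It assumes it is run elevated on the server whose log is being examined; the field names are those of the standard 4624 event schema.

```powershell
# Added example (not from the original post): compare 4624 events that share a
# user and a timestamp, to see what distinguishes the "duplicate" records.
# Assumes it runs elevated on the host whose Security log is being examined.
param(
    [int]$Hours = 24   # how far back to look
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) { Write-Warning "No 4624 events in the last $Hours hours."; return }

# Pull the named EventData fields out of the event XML; each <Data> element
# carries a Name attribute and the value as its text.
function Get-LogonFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time          = $Event.TimeCreated
        RecordId      = $Event.RecordId
        User          = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType     = [int]$data.LogonType
        LogonProcess  = $data.LogonProcessName
        AuthPackage   = $data.AuthenticationPackageName
        ElevatedToken = $data.ElevatedToken      # raw value %%1842 (yes) / %%1843 (no) on 2016/Win10+
        LogonId       = $data.TargetLogonId
        LinkedLogonId = $data.TargetLinkedLogonId
        SourceIp      = $data.IpAddress
    }
}

$rows = $events | ForEach-Object { Get-LogonFields $_ }

# Group by user plus second-resolution timestamp and keep only the groups with
# more than one record: these are the pairs the question is about.
$pairs = $rows |
    Group-Object { '{0}|{1:yyyy-MM-dd HH:mm:ss}' -f $_.User, $_.Time } |
    Where-Object { $_.Count -gt 1 }

foreach ($g in $pairs) {
    Write-Host "== $($g.Name) ($($g.Count) records)"
    $g.Group | Sort-Object RecordId |
        Format-Table RecordId, LogonType, LogonProcess, AuthPackage, ElevatedToken,
                     LogonId, LinkedLogonId, SourceIp -AutoSize | Out-String | Write-Host
}
```

Records in a pair that share LogonProcess and AuthPackage but differ in ElevatedToken and reference each other through LinkedLogonId are the two token sessions of a single split-token (UAC) logon; records that differ in LogonProcess or AuthPackage came through different logon paths and should be investigated separately.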

Autoenrollment of certificates not working, error RPC Server Unavailable


Attempting autoenrollment of server certificates in my domain, I am seeing Event IDs 6 and 13, RPC server is unavailable 0x800706ba. Same for domain controller autoenrollment. I checked the security on the cert template; it is set for Autoenroll, Enroll and Read for Domain Computers. Everything is Server 2016.

On the AD group Certificate Service DCOM Access I added Domain Computers/Users/Controllers and Authenticated Users. My issuing CA computer account is listed in the Cert Publishers AD group as well.

I tried turning off the local FW; that didn't help. And of course the RPC service is actually running.

The certs are not sitting in Pending Requests on the CA. And there is no old CA floating around my environment; this is the first and only one. In the Event ID you can see it calling out the correct CA in the request.

I looked at the registry and RSoP and confirmed it is getting the Autoenrollment policy, but even if you manually request a new cert via the cert console on the server you get the same error about RPC not being available.

My issuing CA is not a domain controller but a domain-joined server.

I don't know where else to look.

CraigB


Root CA Migration from 2008 R2 to 2016


We have an Enterprise Root CA server running 2008 R2 (no subordinates). I'd like to build a 2016 server and make it our new Root CA. I've read a number of articles on how to do this but am not clear on whether the name of the new server should match that of the old one.

Based on the article below I believe you should first decommission your "old" CA server, rename it and then rename your new one so it has the same name as your old one did (then install the CA stuff). It sounds like it saves you quite a bit of work if you do it that way (you can basically skip having to grant permissions on AIA and CDP containers in AD).

I am curious if that is the method folks have used. The article I reference below is several years old but my understanding is that this process really hasn't changed.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140(v=ws.10)#BKMK_GrantPermsAIA

Get-RevokedRequest showing a different time compared to the original revocation time in the CA console


I am trying to get a report of the list of certs revoked in the last 24 hours. But when I run it, the time shown in the PowerShell window output is different from the original revocation time in the CA console. The console shows the time below for Req ID 6:

When I check the output for the cert with Req ID "6", it shows the time below under "Revoked When".

Attached screenshot.

Below is the code I am using:

Get-RevokedRequest -CertificationAuthority $env:COMPUTERNAME -Filter "RequestID -eq 6" -Property * | Select RequestID, @{Label="RequesterName";Expression={($_."Request.RequesterName")}}, CommonName, Notafter, EMail, DistinguishedName, @{Label="Revoked When";Expression={($_."Request.RevokedWhen")}} | Format-Table -AutoSize

Is it a bug? I am running this command directly on the internal CA server itself, not remotely. Also the timezone is Pacific Time (US and Canada), and the DC is also in the same time zone. Not sure why the output comes with a different time.

Certificate Web Enrollment page authentication is getting bypassed: anyone connected to the network can access the web authentication page and can request a certificate


I'm a bit new to ADCS. There was an issue raised by our client saying the certificate Web Enrollment page is accessible to anyone connected to the network. It works this way:

1) Accessing the URL https://xx.xx.xx.xx/certsrv/Default.asp: this URL doesn't have HTTPS and shows a warning; you have to proceed as unsafe.

2) Passing through (continue to website), the HTTP connection is established and the browser asks for authentication (username, password) with two options, "Submit" and "Cancel".

3) When hitting Cancel, it shows an authentication denied error with error code 404.

4) At this point, by hitting refresh, it lands on the Web Enrollment page instead of asking for authentication again, which is an authentication bypass.

This works successfully for every user, especially on Chrome and Internet Explorer, and fails on the Firefox browser. What exactly could be happening, and how can this be fixed?
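A defender-side check for the symptom above, as an added example that is not from the original post: this PowerShell script reads the IIS authentication and SSL settings on the certsrv application and flags the combinations that let a request through without credentials (anonymous authentication enabled, no identifying authentication scheme, or SSL not required). It assumes the WebAdministration module on the server hosting Web Enrollment and the default site name 'Default Web Site'; it checks configuration only and does not itself explain the refresh behaviour described in the post.

```powershell
# Added example (not from the original post): audit the IIS settings that govern
# who can reach /certsrv. Assumes the WebAdministration module is available and
# that Web Enrollment lives under 'Default Web Site' (adjust $SiteName if not).
Import-Module WebAdministration -ErrorAction Stop

$SiteName = 'Default Web Site'
$app      = "IIS:\Sites\$SiteName\certsrv"
$authBase = 'system.webServer/security/authentication'

# Get-WebConfigurationProperty returns either a plain value or a configuration
# attribute object with a .Value member, depending on the attribute; normalise both.
function Get-ConfigValue {
    param([string]$Filter, [string]$Name)
    $raw = Get-WebConfigurationProperty -PSPath $app -Filter $Filter -Name $Name
    if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { $raw.Value } else { $raw }
}

$anonymous = [bool](Get-ConfigValue "$authBase/anonymousAuthentication" 'enabled')
$windows   = [bool](Get-ConfigValue "$authBase/windowsAuthentication"   'enabled')
$basic     = [bool](Get-ConfigValue "$authBase/basicAuthentication"     'enabled')
$sslFlags  = [string](Get-ConfigValue 'system.webServer/security/access' 'sslFlags')

$findings = @()
if ($anonymous) {
    $findings += 'Anonymous authentication is ENABLED on /certsrv: unauthenticated clients can load the enrollment pages.'
}
if (-not $windows -and -not $basic) {
    $findings += 'Neither Windows nor Basic authentication is enabled on /certsrv: nothing identifies the requester.'
}
if ($sslFlags -notmatch 'Ssl') {
    $findings += 'SSL is not required on /certsrv: credentials and requests can travel in clear text.'
}

[pscustomobject]@{
    Application = $app
    Anonymous   = $anonymous
    Windows     = $windows
    Basic       = $basic
    SslFlags    = $sslFlags
} | Format-List | Out-String | Write-Host

if ($findings.Count -eq 0) { Write-Host 'No weak settings found on /certsrv.' }
else { $findings | ForEach-Object { Write-Warning $_ } }

# Remediation (uncomment after review): disable anonymous access and require SSL
# on the application, then re-test the Cancel-and-refresh sequence from a client.
# Set-WebConfigurationProperty -PSPath $app -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
# Set-WebConfigurationProperty -PSPath $app -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
```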
