Channel: Security forum

Active Directory Certificate Services: Removal succeeded with warnings


I attempted to remove AD CS from my dedicated 2008 R2 Enterprise Root CA server today in our test environment. It succeeded with the following warning (I stripped out company specific stuff):

Warning: Setup was unable to delete Certificate Enrollment Web Service information from the Certification Authority object in Active Directory Domain Services (AD DS). To complete Setup, delete the information manually using the command: certutil -config "<domain>-<server>-CA" -enrollmentServerURL https://<server.FQDN>/<domain>-<server>-CA_CES_Kerberos/service.svc/CES delete. Catastrophic failure Unexpected method call sequence. 0x8000ffff (-2147418113)

When I run that command in a cmd or PS window I get the following errors:

CertUtil: -enrollmentServerURL command FAILED: 0x80070490 (WIN32: 1168)

CertUtil: Element not found.

Permissions are not an issue (Domain Admin, Enterprise Admin), and I've rebooted the CA server. I restored this from a backup into our isolated test environment, along with one of our DCs.

I've seen a similar post elsewhere on TechNet (Exchange forum) but in his case the recommendation was to re-install Exchange.


Is it necessary to backup Enterprise CA Custom templates

We have an Enterprise CA, no subordinates; it runs 2008 R2. I am getting ready to migrate it. One of the steps talks about backing up templates. If my templates (including custom ones) are stored in AD, why would I need to back them up prior to the migration? They are in AD. If I look at "Certificate Templates" in the MMC I see 14; not sure if those are custom.

Automatic Certificate Enrollment failing for user. Event ID 47


Hello,

I have been asked to help look at an issue with a Windows 2016 certificate server at work which is not issuing auto-enrollment user certificates. This is a new implementation of PKI which consists of a 2 tier setup utilising an offline root CA server and an online issuing CA server.

I have not been involved in the setup and apparently it has been working so something has changed to cause this issue.

When I log onto a Windows 10 client workstation, it should auto-enroll a user certificate but no error was appearing. I enabled a registry key in the User section of the registry to get verbose logging in the event log which now shows the following error.

Warning: CertificateServicesClient-CertEnroll

Event ID 47

Certificate enrollment for domain\username could not enrol for a UserCertificateName certificate. A valid certification authority cannot be found to issue this template.

If I use network monitor on the CA server during this process, I don't see any traffic hit the CA server from the client. If I then run the Certificates snap-in from an MMC on the workstation and go through the wizard to renew the certificate, it pops up and works. During this process I see a lot of activity in network monitor running on the server.

I think someone has made a change to the server that has caused this issue, but Certificate Authority Services is not my strong point on Windows Server 2016 and I am struggling to figure out what the problem could be.

Any help or suggestions would be greatly appreciated.

Dave


Block Local Save


Hi Guys,

Would anyone know a way to block local saving of files? Desktop, Documents, Downloads... I use Windows Server 2012 with a W7/W10 park.

Thanks in Advance

File transfer. A technical solution for transferring files between two separate network zones.


Hi,

We need a secure way to have file transfer. A technical solution for transferring files between two separate network zones.

This might not be the right forum, but I hope someone can advise on anything or on how you do it in your environment.

We run an industrial system, so no office users. In this environment there is no internet, but you can connect with VPN for access. This system contains several smaller systems that several vendors have admin access to. So for example vendor A has local admin access on 10 Windows 2016 servers, and vendor B has the same on their system... All the systems are part of one domain.

One challenge is that the vendors often need to copy files over to update the systems. As of today the users just map their laptop drive when they RDP, and copy the files over. We need to have more control over this, so we are looking for a system that has the following possibilities...

- No public cloud filedrop since there is no internet connectivity

- Transfer files in a secure way

- Have the possibility to log, so we can see who, when and what has been uploaded

- OK to use third-party tools

- Should also use the same tool inside the network, to copy files between machines, so no network mapping

Thanks for any answers.


/Regards Andreas

Domain Controller Authentication Certificate - Outlook Security Alert - The Name on the security certificate is invalid or does not match the name of the site


Dear All,

I need your advice on the below.

I'm facing a security alert when opening Outlook saying the security certificate is invalid or does not exist.

The Popup Says, domain.local - Security Certificate invalid or does not exist

On the CA I found its thumbprint and serial number matching the Domain Controller Authentication certificate.

My DC2 is also CA.

Issued to : DC2.domain.local

Issued By : company-DC02-CA

Subject alternative name : DNS Name = DC02.company.local

My assumption is that Outlook is trying to resolve a certificate for company.local, but the Domain Controller Authentication certificate only carries DNS Name = DC02.company.local in the Subject Alternative Name.

Is there any way we can safely add company.local in SAN or better way to solve this Certificate alert while opening Outlook ?

Certificate Web Enrollment page authentication is getting bypassed: anyone connected to the network can access the web authentication page and request a certificate


I'm a bit new to AD CS. There was an issue raised by our client saying the certificate web enrollment page is accessible to anyone connected to the network. It works this way:

1) Accessing the URL https://xx.xx.xx.xx/certsrv/Default.asp: this URL doesn't have HTTPS and shows a warning, so you have to proceed unsafely.

2) Passing through (continue to website), the HTTP connection is established and the browser asks for authentication (username, password) with two options, "submit" and "cancel".

3) When hitting Cancel it shows an authentication denied error with error code 404.

4) At this point, hitting refresh lands on the Web Enrollment page instead of asking for authentication again, which is an authentication bypass.

This works for every user, especially on Chrome and Internet Explorer, and fails on the Firefox browser. What exactly could be happening, and how can this be fixed?

Extracting Certs from Server Cert Store?


Like how there's a way to extract certs from the root cert store, isn't there also a way to extract certs from the server cert store?  In my current situation I'm hard-coding the certificate into the ASIO SSL context for my app, but I want to know how to get them from the store in a loop.  I installed a new certificate just now and I want to use it, but I want to avoid having to hard-code it again if possible.

Also, if I do this, will I still have to hard-code the RSA Private Key?  There doesn't seem to be a way to install it anywhere after all.

Please note: this is not meant to be a question about Boost.  I want to know how to extract certs from a server cert store on Windows, so I think it's better to ask on a Windows forum.  


How to disable Credential Manager to store passwords from VPN connections?


Hello

The workstation is a domain member with Windows 7 Enterprise. When I connect via VPN with some credentials, they are stored automatically in Credential Manager with a "*Session" marker. When I connect to network shares on domain servers, the workstation uses the credentials stored in Credential Manager. So, because the stored credentials are different from the domain user account, the workstation can't connect to network shares in the domain. When I manually remove the stored "*Session" credentials, the workstation connects to domain servers OK. So I need to disable storing passwords from VPN connections in Credential Manager because they differ from the domain user account.

P.S. I have already posted this question on the "Windows 7 Security, Privacy, and User Accounts" forum, but no answers at all. Maybe here somebody can help me?

Disable Certificate Auto Enrollment on computers


Hello,

I have a 2012 R2 Enterprise Issuing CA on which auto enrollment of computer certificates has been enabled for a few years. The auto enrollment was enabled by using a certificate template and giving the Domain Computers group the Allow Autoenroll permission. Wanting to stop the autoenrollment on computers, I have recently unchecked the Allow Autoenroll permission for this template, but certs are still being autoenrolled to computers using this template. No other groups or computers have the Allow Autoenroll permission set on this template, so I'm stumped as to why it is still autoenrolling. Any thoughts?

Thank you,

Patrick

Restricting Active Directory RPC traffic to a specific port on windows server 2016


Dear Sirs,

I did not find "Restricting Active Directory RPC traffic to a specific port" for Windows Server 2016.

I found it for Server 2012, but I need it for Windows Server 2016.

If you have any solution, please share.

Waiting for your reply.

Smart Card certificate deleting user auto enrolment certificate


Hello,

I have created an auto enrollment certificate via AD for users for our new Cisco AnyConnect VPN, but whenever users insert a smart card it deletes the auto enrollment certificate under Certificates - Current User - Personal - Certificates. Without this certificate users can't use the VPN because it comes up with a certificate validation failure and asks for a smart card to be inserted. It stores the certificate under the Active Directory User Object folder; the cert is set up to work for user and computer, but if it's not in the user's personal folder it won't work.

The weird thing is that for some users, even though it deletes the certificate, it still works and I can't figure out how it works.

Whether to address an older vulnerability


The vulnerability report says the following every month even after applying the latest security patches. When I Google, I don't find any KB addressing this.

I have already installed the latest security patches. Is that enough, or do I still need to work on the following?

Plugin ID: 78447
Risk: Medium
Synopsis: The remote host is affected by a remote information disclosure vulnerability.
Solution: Apply the client registry key workaround and the server registry key workaround suggested by Microsoft in the advisory.

Plugin ID: 63155
Risk: Medium
Synopsis: The remote Windows host has at least one service installed that uses an unquoted service path.
Solution: Ensure that any services that contain a space in the path enclose the path in quotes.

IWA/Kerberos Authentication fails on HA WebAdapters when the site in IIS is set to use "Extended Protection"


We have a load balancer in front of these IIS-based WebAdapters. Disabling "Extended Protection" under Windows authentication, advanced settings, will allow Kerberos to authenticate and pass credentials.

Theoretically, setting this value to "Allow" should work as well, but no luck. 

Anyone have suggestions as to why this is the case? We need double-hop to pass credentials from the load balancer to the services behind the Web Adapters.

I've attached PCAPs that track the client authenticating against the load balancer (lb - 10.1.9.97, client - 10.1.9.87).


TFougere



GPO to disable LanmanServer SMB1 not being applied


Hi,

I've setup a default domain policy GPO to disable SMB1 for both server and workstation on a Windows Server 2008 R2 machine, and all attached workstations as per article https://support.microsoft.com/en-gb/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server 

My GPO looks the same as the one in the article, but when I gpupdate /force the lanmanserver registry setting on the server and other workstations is not being created. gpresult shows only the lanmanworkstation/MRxSMB10 changes are being applied, the create item which set SMB1 to 0x0 is not listed at all.

Does anyone have any suggestions as to what is failing ? 

Thanks

Tony


Single account, 1000's of bad passwords


Hi All,

I'm looking for the next level of troubleshooting for determining the cause of bad passwords / account lockouts. I don't see any direct issues, just looking to solve the mystery.

The domain administrator account is constantly getting bad password attempts & lockouts and the event log doesn't show enough info to go any further to troubleshoot what is causing it (from what I can see).  Any tips?

This 'administrator' is and has been disabled for ages and not used (knowingly) in our environment.

I have 6 DCs; two are affected and have this issue. "DC01" and "DC02" can have up to 2000 attempts in 20 minutes +/-. These are Server 2012 DCs in Azure. Their purpose is mainly for ADFS and O365 integration/authentication. The other DCs are all on-prem and are used for the usual auth, DNS, DHCP, oh, and ADDS :).

Sec Event Log

  1. Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          6/22/2019 12:01:55 PM
    Event ID:      4776
    Task Category: Credential Validation
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      DC02
    Description:
    The computer attempted to validate the credentials for an account.

    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account: administrator
    Source Workstation:
    Error Code: 0xC000006A
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4776</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>14336</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2019-06-22T18:01:55.943279100Z" />
        <EventRecordID>982653545</EventRecordID>
        <Correlation />
        <Execution ProcessID="584" ThreadID="5324" />
        <Channel>Security</Channel>
        <Computer>DC02</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
        <Data Name="TargetUserName">administrator</Data>
        <Data Name="Workstation">
        </Data>
        <Data Name="Status">0xc000006a</Data>
      </EventData>
    </Event>
  2. Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          6/22/2019 12:08:10 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      DC01
    Description:
    An account failed to log on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain:-
    Logon ID: 0x0

    Logon Type:3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: administrator
    Account Domain:

    Failure Information:
    Failure Reason:Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC000006A

    Process Information:
    Caller Process ID:0x0
    Caller Process Name:-

    Network Information:
    Workstation Name:
    Source Network Address:-
    Source Port: -

    Detailed Authentication Information:
    Logon Process:NtLmSsp 
    Authentication Package:NTLM
    Transited Services:-
    Package Name (NTLM only):-
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2019-06-22T18:08:10.571891400Z" />
        <EventRecordID>1329387339</EventRecordID>
        <Correlation />
        <Execution ProcessID="592" ThreadID="5532" />
        <Channel>Security</Channel>
        <Computer>DC01</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">administrator</Data>
        <Data Name="TargetDomainName">
        </Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc000006a</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">NtLmSsp </Data>
        <Data Name="AuthenticationPackageName">NTLM</Data>
        <Data Name="WorkstationName">
        </Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">-</Data>
        <Data Name="IpPort">-</Data>
      </EventData>
    </Event>

So not a whole lot to go on, right?

  • I've done a virus scan which is clean. Definitions up to date.  Used offline scanner, clean
  • No suspicious tasks in the task scheduler.
  • Windows updates done and current

This error also appears frequently in the System log (Event ID=12294, Source=Directory-Services-SAM)

  • The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

Error Code: 

  • Binary data:


    In Words

    0000: C00002A5    


    In Bytes

    0000: A5 02 00 C0

I've confirmed the account is locked out already.
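
A defender-side triage of the two events above, added here as an example (it is not part of the post): it parses exported Security event XML, keeps only wrong-password failures (status 0xC000006A) from 4776 and 4625, groups them by account and source, and reports the peak count inside a sliding 20-minute window, flagging sources that name neither a workstation nor an IP. The sample events are constructed to resemble the post's records; the user jdoe, workstation WS01 and address 10.0.0.25 are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WRONG_PASSWORD = "0xc000006a"  # STATUS_WRONG_PASSWORD, the code in both events above

def parse_event(xml_text):
    """Pull the fields a lockout investigation needs from one exported event."""
    root = ET.fromstring(xml_text)
    sysn = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    # SystemTime has 7 fractional digits; keep 6 so strptime's %f accepts it
    ts = sysn.find("e:TimeCreated", NS).get("SystemTime")[:26]
    return {
        "id": int(sysn.find("e:EventID", NS).text),
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"),
        "user": data.get("TargetUserName", "").lower(),
        # 4776 calls the field Workstation, 4625 WorkstationName; both may be blank
        "workstation": data.get("Workstation") or data.get("WorkstationName") or "",
        "source_ip": data.get("IpAddress") or "-",
        # 4625 carries the precise reason in SubStatus, 4776 only in Status
        "status": (data.get("SubStatus") or data.get("Status") or "").lower(),
    }

def triage(xml_events, window=timedelta(minutes=20), threshold=100):
    """Group wrong-password failures by (account, workstation, source IP) and
    report the peak count in any sliding window. A source with neither a
    workstation name nor an IP is flagged: the DC's own log cannot attribute it."""
    by_source = defaultdict(list)
    for ev in map(parse_event, xml_events):
        if ev["id"] in (4776, 4625) and ev["status"] == WRONG_PASSWORD:
            by_source[(ev["user"], ev["workstation"], ev["source_ip"])].append(ev["time"])
    report = {}
    for key, times in by_source.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[key] = {"total": len(times), "peak_in_window": peak,
                       "unattributed": key[1] == "" and key[2] == "-",
                       "alert": peak >= threshold}
    return report

# Constructed sample events modelled on the post's records (same namespace, DC
# names and status codes; users, timestamps, WS01 and 10.0.0.25 are made up).
EVENT_4776 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4776</EventID><TimeCreated SystemTime="{ts}" /><Computer>DC02</Computer></System>
<EventData><Data Name="TargetUserName">{user}</Data><Data Name="Workstation">{ws}</Data>
<Data Name="Status">{status}</Data></EventData></Event>"""
EVENT_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><TimeCreated SystemTime="{ts}" /><Computer>DC01</Computer></System>
<EventData><Data Name="TargetUserName">{user}</Data><Data Name="Status">0xc000006d</Data>
<Data Name="SubStatus">0xc000006a</Data><Data Name="LogonType">3</Data>
<Data Name="WorkstationName">{ws}</Data><Data Name="IpAddress">{ip}</Data></EventData></Event>"""

def sample_events():
    base = datetime(2019, 6, 22, 18, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%S.%f0Z")
    evs = [EVENT_4776.format(ts=stamp(10 * i), user="administrator", ws="", status="0xc000006a")
           for i in range(120)]  # 120 guesses in 20 minutes, no source named
    # a lockout (STATUS_ACCOUNT_LOCKED_OUT) is not a guess and must be filtered out
    evs.append(EVENT_4776.format(ts=stamp(1200), user="administrator", ws="", status="0xc0000234"))
    evs += [EVENT_4625.format(ts=stamp(60 * i), user="jdoe", ws="WS01", ip="10.0.0.25")
            for i in range(3)]
    return evs
```

On real data, feed `triage` the `<Event>` elements exported from Event Viewer or `wevtutil qe Security /f:xml`; an "unattributed" entry means the next stop is the DC's Netlogon log or a capture of the NTLM path, not the Security log.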


Web Application Proxy Error 404, Windows Server 2016

I need to pass http and https traffic via Web Application Proxy, Windows Server 2016

    External URL: http://www.contoso.com/.well-known/acme/texfile
    Internal URL: http://x.server.local/.well-known/acme/texfile
    External URL: https://www.contoso.com/
    Internal URL: https://x2.server.local/

Errors:

    When I browse http://www.contoso.com/.well-known/acme/texfile from the internet I'm getting 404 errors.
    When I browse http://x.server.local/.well-known/acme/texfile from the intranet I'm getting the file content response as expected.

Clues:

    Windows Server 2012 R2 had IIS as an integral part of WAP and it was possible to use URL Rewrite and ARR. This is not the case with Windows Server 2016.
    Would anybody advise how to deal with this issue?

LAPS Not showing password


Hi everyone,

I tried to install LAPS but it's not showing the password. My steps:

1- Install LAPS on my DC.

2- All my PCs are in one OU "Computers", so I gave the computers the permission to read the password.

A- Set-AdmPwdComputerSelfPermission -OrgUnit 'CN=Computers,DC=ASFDC,DC=COM'

B- Find-AdmPwdExtendedRights -Identity "CN=Computers,DC=ASFDC,DC=COM" | Format-List -Property *

C- Set-AdmPwdReadPasswordPermission -OrgUnit 'CN=Computers,DC=ASFDC,DC=COM' -AllowedPrincipals "IT Remote Desktop Servers"

3- Created a group policy.

4- Deployed LAPS to all PCs.

But when I run LAPS on the DC to see the password it's empty. Did I miss something? I tried to run as administrator and tried from another admin account. How can I see logs? Is there any other software easier to use?

One more thing: the password is not changing on the user PC.


Osma Othman



Group Policy only partially applying


Good afternoon,
The environment is full Server 2016.
I have an RDS farm that has a hardening GPO on it.
The GPO is configured to apply software restriction policies.
The additional rules are applied,
but the security level is not.
In the policy I set the default to Disallowed,
but when running the RSoP it is set to Unrestricted.
In the precedence tab it says that it applied the hardening policy, and I can see that because of the data under additional rules.
If you need more information, please let me know.

AppLocker - PowerShell scripts


PowerShell scripts seem to work in constrained language mode if we white-list some ps1 files in AppLocker.

i.e. although scripts that are not allowed by AppLocker should not execute, they execute in constrained language mode.

Very little information is available from Microsoft on this issue.

Can someone officially provide more details on this?


Amal
