Channel: Security forum

Web Application Proxy Error 404, Windows Server 2016

I need to pass http and https traffic via Web Application Proxy, Windows Server 2016

    External URL: http://www.contoso.com/.well-known/acme/texfile
    Internal URL: http://x.server.local/.well-known/acme/texfile
    External URL: https://www.contoso.com/
    Internal URL: https://x2.server.local/

Errors:

    When I browse http://www.contoso.com/.well-known/acme/texfile from the internet, I'm getting a 404 error.
    When I browse http://x.server.local/.well-known/acme/texfile from the intranet, I'm getting the file content response as expected.

Clues:

    Windows Server 2012R2 had IIS as an integral part of WAP and it was possible to use URL Rewrite and ARR. This is not the case with Windows Server 2016.
    Would anybody advise how to deal with this issue?


Security Logs


 I want to change the default security log drive to E drive. When I do that on properties pane on the event viewer for the security log, it accepts the change, and there is no error either.

 However logs are never generated on the E drive, it continues on the same system drive default path.

 It's Windows 2016.

 What could be the solution? a proper solution? and not registry tweaks.


Shahid Roofi

SCCM Reports URGENT


Hi team,

Just today, one of our sites was forcibly attacked and some computers have been stolen. Fortunately, this happened after working hours.

Can you help me on how to produce a report to get the machine details in SCCM? We will need this report to be submitted to the Police.

JG



Delegate permission to change (not reset) a password

I have a computer used by multiple people for a process that takes days to run. To make that work, I have them use a shared account that is only allowed on that one computer. I need to modify the permissions in AD of the user object so that a specific manager can change the password but the shared account cannot. It needs to be a change (not reset) so that it enforces password history. I need to block its ability to change its own password so one of the end users can't press Ctrl+Alt+Del and change it, which would lock out the other users. I have no problem granting "Change Password" permissions and then using the PowerShell command Set-ADAccountPassword to change the shared account's password. The problem is, as soon as I deny the shared account the ability to change its own password, it cuts access to the delegated user. I've tried the "User cannot change password" box as well as denying "Change Password" permission to the user. How can I make this work?

After installing the 2019-06 Monthly Quality Rollup (KB4503292) on Windows 7 Pro x64, the OS could not boot, and the Automatic Repair did not help.


Hello,

After installing the 2019-06 Monthly Quality Rollup (KB4503292) on a Windows 2008 R2 VM, the Windows update failed to install.

Please suggest.


ADCS: Trouble backing up CA DB from command prompt


I'm attempting to take a full backup of the CA database from command line, and having no luck:

>certutil -backupdb c:\temp\cabackup
Full database backup for CAServer.contoso.com\Contoso Infrastructure Authority
Not a valid backup target directory: c:\temp\cabackup.
CertUtil: -backupDB command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

Here's my situation:

- Role separation is enabled.
- I am running a console window running as the CA Backup account.
- The CA Backup account has permissions to back up the CA.
- The CA Backup account has full permissions on the folder I'm specifying for the backup to be written
- I've tried pre-creating the "backup061719" subfolder
- I confirmed I can write to the directory as the CA Backup account by running break > c:\temp\cabackup\test.txt

I'm completely out of ideas. Any suggestions?

Certificate Revocation Using CertUtil Utility


Hi,

Whenever I'm trying to revoke a certificate using the certutil command utility, it's throwing the following error:

Input:

C:\Users\administrator> certutil -config "MachineName\CAName" -revoke certificateSerialNumber  revocationReason

Error:

CertUtill : -revoke command FAILED: 0x8007007e(WIN32/HTTP:126 ERROR_MOD_NOT_FOUND)

CertUtill : The specified module could not be found

Multiple Audit Failures (Server 2012)


Current configuration:
Windows 7/10 terminals using a software that connects to Server 2012 Hyper-V Machine SQL Server for database.
Software is giving error for users at (seemingly) random. Looks like this happens for a few users at a time in small bursts, which resolve themselves minutes later and they can then connect normally.

Source: C:\MacolaESCode\9.7.600\e4slayer.dll\edb.cpp (line 3953)

Cannot connect with 'DRIVER={SQL Server};Server=*redacted*;Database=*redacted*;TRUSTED_CONNECTION=YES'.

[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

SQL State: 28000

DB error: 18452

EDL error: An error has occurred in the execution of the ODBC function 'SQLDriverConnect'.


Checking Security log on the server is showing multiple Audit Failures (Event 4625) for these users.

General info on the error:

An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		*redacted*
	Account Domain:		*redacted*

Failure Information:
	Failure Reason:		An Error occured during Logon.
	Status:			0xC000005E
	Sub Status:		0x0

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	*computer name*
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

Details on the error:

- System 

  - Provider 

   [ Name]  Microsoft-Windows-Security-Auditing 
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D} 
 
   EventID 4625 
 
   Version 0 
 
   Level 0 
 
   Task 12544 
 
   Opcode 0 
 
   Keywords 0x8010000000000000 
 
  - TimeCreated 

   [ SystemTime]  2019-07-09T14:55:17.093640400Z 
 
   EventRecordID 9850913 
 
   Correlation 
 
  - Execution 

   [ ProcessID]  600 
   [ ThreadID]  616 
 
   Channel Security 
 
   Computer *computer*.*domain*.com 
 
   Security 
 

- EventData 

  SubjectUserSid S-1-0-0 
  SubjectUserName - 
  SubjectDomainName - 
  SubjectLogonId 0x0 
  TargetUserSid S-1-0-0 
  TargetUserName *username* 
  TargetDomainName *domain*
  Status 0xc000005e 
  FailureReason %%2304 
  SubStatus 0x0 
  LogonType 3 
  LogonProcessName NtLmSsp  
  AuthenticationPackageName NTLM 
  WorkstationName *computer name*
  TransmittedServices - 
  LmPackageName - 
  KeyLength 0 
  ProcessId 0x0 
  ProcessName - 
  IpAddress - 
  IpPort - 




Delta CRL Unable to download


Hello, I am having troubles when publishing a deltaCRL file, it gets published with nameoffile+.crl - IIS 7 does not like the + sign it automatically puts in the name of the file - Anyone know how I can change the way the name is created, without the + sign? The CDP location and AIA Location files get published fine because when they are created it doesn't put the + sign at the end of the name...

IIS gives this error:

The request filtering module is configured to deny a request that contains a double escape sequence.

According to my searches, it is not recommended to allow the double escape sequence for security reasons.

If I go to Configuration Editor within IIS7 and select system.Webserver/Security/requestFiltering and set allowDoubleEscaping to TRUE for the CDP virtual directory then everything works fine.

Is this a common problem and fix? or is the way I have configured it the problem?

Thanks!


Unable to request certificate on behalf of other user


We need to request certificates for mobile devices that cannot access the web enrollment page due to not meeting the Internet Explorer-only requirement.

I requested a certificate through IE on the certificate server for another by using the Local Computer certificate MMC. When I try to enroll so I can download the certificate and export the key using the Local Computer MMC, it displays a message that says: Certificate Auto-Enrollment has not been enabled.

If I try to request the certificate using the user MMC, it doesn't save the customizations of Common Name etc. and instead requests a certificate with the common name of the logged in user account.

If, after requesting the certificate from the local computer MMC, I go to the User MMC and try autoenrolling, it shows a certificate with status "Enrollment pending," however, if I click the Enroll button, I get a green line that makes it look like it did something, but I don't see the certificate in the list of available certificates in the MMC

In the security properties of the certificate template, both the user and the computer account have enroll and autoenroll permissions.  Autoenroll group policy is also applied to both user and computer account.


What else needs to be done to allow this to work?




kb4499175 and Windows 2008 R2 Foundation SP1


Hi,

 Several years ago we installed a few dozen Windows 2008 R2 Foundation SP1 servers.  They are located in a secure area without internet access.  They have never had an update since as these are single function servers.  I am required by IT to install kb4499175 on these servers.  My issue is that the patch states that it has been successfully installed but does not show up in the windows update area.

There are 2 servers that were updated in 2013 and show roughly 40 security updates (not sure how) and I have successfully installed the patch on these 2.

Is there a prerequisite to kb4499175 that is not mentioned?  Do I need to install a monthly rollup first?  Anything that I have tried says that it is not compatible.

Connecting this to the internet is not possible at this time.  I need to remote desktop to apply these updates.

Thanks

Locate logon and logoff logs


Hi,

Can you please let me know where I can locate logon and logoff logs in AD, other than finding the details in the event log?


ITandIT


Microsoft root certificate program auto-deletes third party root CA certificate


We have a test root certificate from a known public CA installed on our windows server. This specific test-CA certificate is not in the Microsoft root certificate program.

Windows seems to auto-delete it between its intervals of updating root certificates.

Is there a way to make it stop deleting this certificate?

When installed, should a root certificate only be in the Trusted Root Certificate Authority/Registry store, or in the Trusted Root Certificate Authority/Third-Party store, or in both physical stores? Would deploying the certificate by group policy, adding it to the Trusted Root Store, prevent Microsoft's auto update process from deleting it?

I know we can disable the auto update root certificate function, but I've read somewhere it is not recommended.


Thomas


Install Enterprise CA option is greyed out


I'm having issues with the "enterprise CA" option being grayed out during installation of the ADCS role for a 2008 R1 Enterprise Edition server (for a new Ent. Sub. CA).  The account I was using had Enterprise Admin rights in the root domain and Domain Admin rights for the child domain that the CA will be installed into (I don't need root domain admin since I have enterprise admin, right?).  The server is already joined to the domain.  I verified Enterprise Admins have full control for Public Key Policy container and all child containers.  I have not tried to re-create this as another CA (2003) is online within the same domain/forest - I would prefer not having to do this if at all possible.  I tried moving the capolicy.inf out of windir in case it was getting in the way.  I believe I have the firewall cleaned up - is there an official resource that documents how to configure the firewall for just the CA?  I'm not installing web services or anything else - this is a dedicated box.

Thanks in advance...

Windows Server 2016 - Security GPO's for Win10Pro


I saw this option on someone's laptop and I'm trying to copy this setting but can't find the GPO.

Any help, please?

And also, any suggestions for "Must" Security GPO's to configure in a Domain?

AMSI detection

Does AMSI detection work on all Windows servers? Or is it just Windows 10?

Trying to keep challenge password for NDES/SCEP server migration

Is it possible to keep the challenge password between servers? I know the password is stored in HKLM\Software\Microsoft\Cryptography\MSCEP\EncryptedPassword. Is it possible to save the encrypted password and paste it to the same registry key on the new server?

in place upgrade server 2012 R2 certificate authority to 2016

Hello experts, I would like to upgrade our intermediate certificate authority server from Windows Server 2012 R2 to 2016 and I was just curious if this is common? Will all of our certs be 'preserved' and the certificate services role be installed and enabled after the upgrade?