Channel: Security forum

LAPS - Cannot set the password


Hi 

I've got the password grayed out; what GPO will fix that?

[Image: LAPS Password]

I have those GPO settings:

Please help ;-)

GP-1


----- S-O-K-O-B-A-N -----




LAPS - A practical Question


Hi 

About LAPS 

I am thinking about what is the practical solution to use LAPS. 

What happens if the DHCP service is down and you need to log in locally to the client,

if the local admin password has been changed and you didn't know the password?

What will I do to fix that? Save the password automatically to a text file?

Thanks ;-)


----- S-O-K-O-B-A-N -----




Trusted Root CA Certificate purposes are being changed on their own


Hi everyone!

I have a Windows 2012 Server on which a Trusted Root CA Certificate property is being changed by itself every day.

The Brazilian Root CA has been installed and all purposes were set. The certificate purpose is being changed every day to "Enable only the following purposes", as you can see in the image below.

There is no policy set. The server has Symantec Endpoint Protection. I don't know why those settings are being changed every day.

I've tried to search, but there is little information about this issue...

Any ideas?

Thanks!

Dsa.Msc: remove domain users' access


Dear Team,

I am using a Windows 2012 R2 domain server.

We create domain users on the server, but password reset, domain joining, computer deletion and password options came with all permissions for all users,

and still I have not set any delegation option for the particular user.

How do I remove all domain users' password reset permission from DSA.MSC?

How do I give the permission to a particular user only?

Delay in the autoenroll and renewal of the certificate


Hi, 

I am configuring AutoEnroll of certificates, and the process happens at the same time the certificate expires or 4 hours afterwards. Is it possible for it to happen before the certificate expires?

Because when I set up a certificate validity of 5 hours and a renewal period of 1 hour, renewal and enrollment are delayed by 4 hours, and when configuring a validity of 1 day and a renewal period of 8 hours, the process happens immediately or in 40 minutes, and then the certificate expires.

I'm using a User template.

Import a CA-certificate into issuing Enterprise CA error


Hello,
I am deploying a two-tier hierarchy (Root CA: standalone root; Issuing CA: enterprise CA on Active Directory).

Root CA CAPolicy.inf
[Version]
Signature= "$Windows NT$"
[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=years
CRLPeriod=weeks
CRLPeriodUnits=26
CRLOverlapPeriod=weeks
CRLOverlapUnits=2
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days

Sub CA CAPolicy.inf
[Version]
Signature = "$Windows NT$"
[PolicyStatementExtension]
Policies = SomeCompany
Critical = FALSE
[SomeCompany]
Notice=SomeCompany Certification Practice Statement
URL = http://cert.companydomain/pki/policies
OID = 2.5.29.32.0 ; All Issuance Policy
[certsrv_server]
RenewalKeyLength = 4096
RenewalValidityPeriodUnits = 5
RenewalValidityPeriod = years
CRLPeriodUnits = 1
CRLPeriod = weeks
CRLOverlapUnits = 1
CRLOverlapPeriod = days
CRLDeltaPeriodUnits = 12
CRLDeltaPeriod = hours

Root CA Config Script
certutil -setreg CA\DSConfigDN CN=Configuration,DC=<domain>

certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://cert.companydomain/pki/<name>%8.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://cert.companydomain/pki/<name>%%4.crt\n32:http://cert.companydomain/ocsp"

certutil -setreg CA\ValidityPeriodUnits 20
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"

certutil -setreg CA\AuditFilter 127

certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK

net stop certsvc & net start certsvc

certutil -CRL

I then copied the root CA certificate and CRL to the Issuing CA and imported them using the following commands:
certutil -addstore -f Root rootca.crt
certutil -addstore -f Root rootca.crl
certutil -dspublish -f rootca.crt RootCA
certutil -dspublish -f rootca.crl RootCA

All deployment steps look fine, but when we try to install the CA certificate on the Issuing CA from the *.p7b (issued and exported successfully earlier on the Root CA), this error appears:
"The new Certification Authority certificate cannot be installed because the CA Version extension is incorrect.The most recently generated request file should be used to obtain the new certificate:
C:\****-CA(1).req The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)"
and application error event 27:
"Active Directory Certificate Services did not start: Hierarchical setup is incomplete.  Use the request file in C:\***-CA.req.req to obtain a certificate for this Certificate Server, and use the Certification Authority administration tool to install the new certificate and complete the installation."

Part of request file:
.........
Request Attributes: 2
  2 attributes:

  Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
    Value[0][0], Length = d
        6.3.9600.2.

  Attribute[1]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Value[1][0], Length = 129
    Unknown Attribute type
Certificate Extensions: 6
    1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
    CA Version
        V0.0

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        7e 17 22 b1 40 7c 24 f3 4b 8f d1 f5 5f 04 d0 23 43 f5 c1 cd

    2.5.29.32: Flags = 0, Length = b0
    Certificate Policies
        [1]Certificate Policy:
             Policy Identifier=All issuance policies
             [1,1]Policy Qualifier Info:
                  Policy Qualifier Id=User Notice
                  Qualifier:
                       Notice Text=SomeCompany Certification Practice Statement
             [1,2]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                      http://cert.companydomain/pki/policies

    1.3.6.1.4.1.311.20.2: Flags = 0, Length = c
    Certificate Template Name (Certificate Type)
        SubCA

    2.5.29.15: Flags = 0, Length = 4
    Key Usage
        Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
        Subject Type=CA
        Path Length Constraint=None
...............

If I try to start the Certification Authority service on the Issuing CA, this error appears: "The certificate for the CA "Company Sub CA" on domainhostname is missing. Do you want to install this certificate?" and after selecting the certificate, the error about the incorrect CA version appears.

So, if anyone can help me to resolve the problem I would be very grateful.
Many thanks in advance. Have a nice day)
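The post above lists two CAPolicy.inf files whose CRL, overlap, delta and renewal periods are expressed in different units. The script below is an added example (Python, not from the post or from Microsoft tooling) that parses both files, normalises every period to hours and flags settings that would produce an unusable CRL schedule or a subordinate whose lifetime exceeds the root's. The two CAPolicy.inf bodies are constructed copies of the ones shown in the post; the rules and thresholds are the example's own assumptions. It checks configuration consistency only and does not diagnose the CA Version error the post describes.

```python
"""Sanity-check the CRL and renewal periods in CAPolicy.inf before running certsrv setup."""
import configparser

# Hours per period unit as accepted by CAPolicy.inf; months/years are
# calendar-approximate, which is good enough for comparing magnitudes.
HOURS_PER_UNIT = {"hours": 1, "days": 24, "weeks": 24 * 7, "months": 24 * 30, "years": 24 * 365}

# Constructed copies of the two CAPolicy.inf files shown in the post.
ROOT_CAPOLICY = """
[Version]
Signature= "$Windows NT$"
[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=years
CRLPeriod=weeks
CRLPeriodUnits=26
CRLOverlapPeriod=weeks
CRLOverlapUnits=2
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days
"""

SUB_CAPOLICY = """
[Version]
Signature = "$Windows NT$"
[PolicyStatementExtension]
Policies = SomeCompany
Critical = FALSE
[SomeCompany]
Notice=SomeCompany Certification Practice Statement
URL = http://cert.companydomain/pki/policies
OID = 2.5.29.32.0 ; All Issuance Policy
[certsrv_server]
RenewalKeyLength = 4096
RenewalValidityPeriodUnits = 5
RenewalValidityPeriod = years
CRLPeriodUnits = 1
CRLPeriod = weeks
CRLOverlapUnits = 1
CRLOverlapPeriod = days
CRLDeltaPeriodUnits = 12
CRLDeltaPeriod = hours
"""


def load_capolicy(text):
    """Parse CAPolicy.inf text; keys keep their case, '=' separates, ';' starts an inline comment."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   inline_comment_prefixes=(";",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def period_hours(section, units_key, period_key):
    """Convert a <X>Units / <X>Period pair to hours (0 when the units key is absent)."""
    units = int(section.get(units_key, "0"))
    unit_name = section.get(period_key, "hours").strip().lower()
    return units * HOURS_PER_UNIT[unit_name]


def check_capolicy(text):
    """Return the normalised periods of one file plus a list of policy problems (assumed rules)."""
    s = load_capolicy(text)["certsrv_server"]
    result = {
        "crl": period_hours(s, "CRLPeriodUnits", "CRLPeriod"),
        "overlap": period_hours(s, "CRLOverlapUnits", "CRLOverlapPeriod"),
        "delta": period_hours(s, "CRLDeltaPeriodUnits", "CRLDeltaPeriod"),
        "renewal": period_hours(s, "RenewalValidityPeriodUnits", "RenewalValidityPeriod"),
        "key_length": int(s.get("RenewalKeyLength", "0")),
        "problems": [],
    }
    if result["crl"] <= 0:
        result["problems"].append("CRLPeriod must be a positive period")
    if result["overlap"] >= result["crl"]:
        result["problems"].append("CRLOverlapPeriod must be shorter than CRLPeriod")
    if result["delta"] and result["delta"] >= result["crl"]:
        result["problems"].append("CRLDeltaPeriod must be shorter than the base CRLPeriod")
    if result["key_length"] < 2048:
        result["problems"].append("RenewalKeyLength below 2048 bits")
    return result


def check_hierarchy(root_text, sub_text):
    """Problems from both files plus the cross-file rule: the subordinate cannot outlive the root."""
    root, sub = check_capolicy(root_text), check_capolicy(sub_text)
    problems = [f"root: {p}" for p in root["problems"]] + [f"sub: {p}" for p in sub["problems"]]
    if sub["renewal"] > root["renewal"]:
        problems.append("sub: RenewalValidityPeriod exceeds the root CA's")
    return problems


if __name__ == "__main__":
    for problem in check_hierarchy(ROOT_CAPOLICY, SUB_CAPOLICY) or ["no problems found"]:
        print(problem)
```

The overlap rule matters operationally: a CRL overlap at least as long as the CRL period means the next CRL is due before the current one is even published, and relying parties end up with nothing valid to fetch.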

kb4499175 and Windows 2008 R2 Foundation SP1


Hi,

Several years ago we installed a few dozen Windows 2008 R2 Foundation SP1 servers. They are located in a secure area without internet access. They have never had an update since, as these are single-function servers. I am required by IT to install kb4499175 on these servers. My issue is that the patch states that it has been successfully installed but does not show up in the Windows Update area.

There are 2 servers that were updated in 2013 and show roughly 40 security updates (not sure how) and I have successfully installed the patch on these 2.

Is there a prerequisite to kb4499175 that is not mentioned?  Do I need to install a monthly rollup first?  Anything that I have tried says that it is not compatible.

Connecting this to the internet is not possible at this time.  I need to remote desktop to apply these updates.

Thanks

"untrusted publisher" even though .ps1 script is signed by valid MS certs


Hello,

I just installed a fresh Windows 2012 R2 server and wanted to install the OpenSSH-Win64 server available here: https://github.com/PowerShell/Win32-OpenSSH/releases

Can somebody clarify why this warning shows up even though the .\install-sshd script is signed and timestamped by valid Microsoft-trusted entities? Why doesn't Microsoft Windows trust it?

Thanks,

Chris.



OID of certificate

Hi guys, I have a question about certificate attributes. I want to add the organization identifier as a field of the subject in certificates, so I use OID 2.5.4.97 as the organization identifier attribute in my certificate template, but when I issue a certificate based on my template, OID 2.5.4.97 is shown in the subject of the certificate instead of the organization identifier (OI). I would appreciate it if you could tell me how I can solve it. The attached image illustrates what I mean :)

Event 4776 Error Code: 0xC0000234 but account not actually locked out


I am coming across several instances where a user will get error code 0xC0000234 for event 4776 and Failure Reason: Account Locked Out for event 4625, but the account never actually locks out. I cannot find a corresponding event 644 (Windows 2003) or 4740 (Server 2008 and up) on any of our AD servers.

Any idea why this would register as an account being locked out, but not actually lock the account out?

Thanks!
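The post above describes authentication failures that report "account locked out" (NTSTATUS 0xC0000234) without a matching lockout event. The script below is an added example (Python, not from the post) of the correlation a defender would run to confirm that observation across a whole domain: it pools flattened Security-log lines from every DC, collects the real lockout events (644 or 4740, the latter written on the PDC emulator) per account, and reports accounts whose 4776/4625 status claims a lockout that no 644/4740 corroborates within a time window. The log lines are constructed samples in a simplified "timestamp dc event_id key=value" form, not the real event XML; the field names and the one-hour window are the example's assumptions.

```python
"""Correlate 'account locked out' authentication failures with real lockout events."""
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the post), flattened as
# "timestamp dc event_id key=value ..." from every DC's Security log.
# 4776/4625 are logged by the DC that handled the logon; 4740 is logged on
# the PDC emulator, so all DCs' logs must be pooled before correlating.
SAMPLE_EVENTS = [
    "2019-06-10T08:00:01 DC01 4776 Account=jdoe Workstation=WS01 ErrorCode=0xC0000234",
    "2019-06-10T08:00:01 DC01 4625 Account=jdoe Workstation=WS01 Status=0xC0000234",
    "2019-06-10T08:04:55 DC02 4740 Account=asmith CallerComputerName=WS07",
    "2019-06-10T08:05:00 DC01 4776 Account=asmith Workstation=WS07 ErrorCode=0xC0000234",
    "2019-06-10T08:06:00 DC01 4776 Account=bjones Workstation=WS03 ErrorCode=0xC000006A",
]

STATUS_ACCOUNT_LOCKED_OUT = "0xC0000234"
LOCKOUT_EVENT_IDS = {644, 4740}          # 644 on Windows 2003, 4740 on 2008 and later
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")


def parse_event(line):
    """Turn one flattened log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event_id, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"time": datetime.fromisoformat(ts), "host": host, "id": int(event_id), **fields}


def find_phantom_lockouts(lines, window=timedelta(hours=1)):
    """Accounts reported as locked out by 4776/4625 with no 644/4740 within `window`."""
    events = [e for e in map(parse_event, lines) if e is not None]

    lockout_times = {}                   # account -> timestamps of real lockout events
    for e in events:
        if e["id"] in LOCKOUT_EVENT_IDS:
            lockout_times.setdefault(e["Account"].lower(), []).append(e["time"])

    phantom = set()
    for e in events:
        status = e.get("ErrorCode") or e.get("Status")   # 4776 uses ErrorCode, 4625 uses Status
        if e["id"] in (4776, 4625) and status == STATUS_ACCOUNT_LOCKED_OUT:
            acct = e["Account"].lower()
            corroborated = any(abs(e["time"] - t) <= window
                               for t in lockout_times.get(acct, []))
            if not corroborated:
                phantom.add(acct)
    return sorted(phantom)


if __name__ == "__main__":
    for acct in find_phantom_lockouts(SAMPLE_EVENTS):
        print(f"{acct}: lockout status reported but no lockout event found")
```

On the sample data only jdoe is reported: asmith's 4776 is preceded by a 4740 on another DC a few seconds earlier, and bjones failed with a different status. Pooling the PDC emulator's log is the step that most often explains a "phantom" lockout, so check it before concluding the status is spurious.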

SANS


Hi

We have an internal PKI and often we use SANs to include the devices' FQDNs, but recently a few device CSRs include the domain name as well.

An example CSR is below. It is not a wildcard certificate, but do you see any security issues with adding domainname.com in the SANs?

SAN 1: DNS Name=device.domainname.com
SAN 2: DNS Name=domainname.com

Thanks
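As an added example (Python, not from the post), the script below turns the question above into a repeatable pre-issuance check: it parses dNSName entries from a certutil-style SAN listing and classifies each one relative to the zone the device CA is meant to serve. A name equal to the zone apex, as in the post's second SAN, makes the device's key acceptable for TLS connections to domainname.com itself, which is the risk the poster is asking about. The sample listing is constructed in the same shape as the post's excerpt; the policy categories and wording are the example's own assumptions.

```python
"""Review the DNS names in a CSR's Subject Alternative Name against a device naming policy."""
import re

# Constructed sample in the same shape as the post's excerpt (not the post's actual CSR).
SAMPLE_SAN_TEXT = """\
SAN 1: DNS Name=device.domainname.com
SAN 2: DNS Name=domainname.com
"""

SAN_LINE_RE = re.compile(r"DNS Name\s*=\s*(\S+)", re.IGNORECASE)

# Assumed policy text for each category a device certificate should not carry.
POLICY_TEXT = {
    "wildcard": "a wildcard lets one device key stand in for every host in the zone",
    "zone-apex": "naming the bare domain makes this device key valid for connections to the domain itself",
    "outside-zone": "the name lies outside the zone this CA is authorised for",
}


def parse_san_lines(text):
    """Extract dNSName values from a 'SAN n: DNS Name=...' listing, normalised to lowercase."""
    return [m.group(1).rstrip(".").lower() for m in SAN_LINE_RE.finditer(text)]


def classify_san(name, zone):
    """Classify one dNSName relative to the zone: host, zone-apex, wildcard or outside-zone."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if name.startswith("*."):
        return "wildcard"
    if name == zone:
        return "zone-apex"
    if name.endswith("." + zone):
        return "host"
    return "outside-zone"


def review_sans(sans, zone):
    """Return (name, category, reason) for every SAN that is not a plain host in the zone."""
    findings = []
    for name in sans:
        kind = classify_san(name, zone)
        if kind != "host":
            findings.append((name, kind, POLICY_TEXT[kind]))
    return findings


if __name__ == "__main__":
    for name, kind, reason in review_sans(parse_san_lines(SAMPLE_SAN_TEXT), "domainname.com"):
        print(f"{name}: {kind}: {reason}")
```

Run against the sample, only the apex entry is reported; the device FQDN passes as a normal host. A check like this belongs in whatever approves CSRs before they reach the CA, since the template itself cannot distinguish a host name from the apex.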


The old root CA still works after renewing the root CA


Hi all experts,

Our company root CA will expire next month. I just want to confirm whether the current root CA will still work after renewing the root CA before it expires, since our employees use Wi-Fi with PEAP-MSCHAPv2, which requires the root CA for authentication. It's hard to push a new root CA if the Wi-Fi cannot connect. Thanks in advance and I appreciate any suggestion.

Rick Tan

Windows Server 2016 - Security GPO's for Win10Pro


I saw this option on someone's laptop and I'm trying to copy this setting but can't find the GPO.

Any help please?

And also, any suggestions for "must" security GPOs to configure in a domain?

Security Update for Microsoft Windows (KB4503267) problem


Good day Experts

Just want to make you and Microsoft aware of a problem with Security Update for Microsoft Windows (KB4503267). I installed the update on my backup server, which is connected directly to my Dell storage using iSCSI, and the update disconnected the iSCSI. I removed the update and iSCSI started working again.

Is there a solution anyone is aware of to have the update installed and still have my storage working? Is Microsoft resolving the problem?

PEM Key Login


Hello everyone

Clear this up for me... Is PEM key login possible in Windows?

If yes, help me with the procedure.


smartcard login and revoke question


I have a question about using smartcard login. I have purchased a few smartcards for testing, after installing AD Certificate Services. I enrolled a user certificate on behalf of a user on a smartcard.

With the smartcard I can log in as the user without problem.

But when I revoke the certificate on the certificate server, somehow I can still log in with the smartcard (even on a new computer where the smartcard has never been used before).

And only after 3 days do I get an error message stating that the certificate has been revoked and I can no longer log in with the smartcard.

My assumption is that the computer will ALWAYS check the revocation list before allowing the user to log in with the smartcard; should it not?

I was wondering if anyone can help me with this?

My testing environment has

2 DCs, 1 AD CS and several Windows 10 client PCs.

The CDP is published to LDAP.


Certificates for Single forest Single domain to Single forest Multi domain


Hi All,

Currently we have a single forest, single domain AD environment. We have 3 issuing CAs and one offline root CA. All 25,000 users and computers get certificates from these CAs.

Now our customer is planning to introduce a new child domain in the forest. Is it possible to use the existing issuing CAs to issue certificates to the new child domain?

The existing templates use the display name, domain name and SPN for the subject name and Subject Alternative Name in each certificate.

Can I use the existing CAs to issue certificates to the new child domain's users and computers?

Thanks and Regards,

Hariharan

PKI CA: NPS with existing CA


I am building a CA PKI from scratch, and the existing CAs are installed on a DC & NPS. I have removed it from the DC, no problems. I removed it from NPS and RADIUS stopped working. The CA does not have to be installed on NPS, correct?

Also, I was able to set up a standalone root CA, but could not set up the enterprise sub CA using this:

https://mizitechinfo.wordpress.com/2013/08/31/step-by-step-deploying-an-enterprise-subordinate-ca-in-server-2012-r2-part-2/

I don't know what I am missing. We use Aerohive with RADIUS.


ME

Certificate autoenrollment fails on DCs - RPC server is unavailable


Hello,

We are in the process of replacing our old SHA1 certificate authority with a new SHA2 CA. I'm having trouble enabling autoenrollment on the DCs that are not in the same AD site as the CA. For those in the same site it already works. Here's what I've checked so far:

- opened firewall ports based on https://blogs.technet.microsoft.com/pki/2010/06/25/firewall-rules-for-active-directory-certificate-services: 464/389/636/135 from the CA to the DCs; 135/49152-65565 from the DCs to the CA
- published the Kerberos Authentication certificate, which supersedes Directory Email Replication, Domain Controller, and Domain Controller Authentication
- Domain Controllers have Read and Request Certificates permissions on the CA
- Domain Controllers and Enterprise Domain Controllers have Read, Enroll, and Autoenroll permissions on the Kerberos Authentication certificate template. Authenticated Users have Read permission.
- The CA is listed in ADSIEdit.msc under CN=Configuration | CN=Services | CN=Public Key Services | CN=Enrollment Services
- The Certificate Service DCOM Access group contains the Domain Computers, Domain Controllers and Domain Users groups.
- DCOM permissions have been verified
- A GPO has been created that activates Autoenrollment on the DCs. HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\AutoEnrollment shows that AEPolicy is set to 7.
- the Certificate Service DCOM Access group has been added to Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options->DCOM: Machine Launch Restrictions, and given all 4 permissions.
- Portqry from the DC to the CA on TCP/135: "TCP port 135 (epmap service): LISTENING"
- netstat -ano says the high RPC port is 64016
- Portqry from the DC to the CA on TCP/64016: "TCP port 64016 (unknown service): LISTENING"
- certutil -config "<server_FQDN>\<CA_name>" -ping
=> Connecting to <server_FQDN>\<CA_name> ...
Server "<CA_name>" ICertRequest2 interface is alive (2000ms)
CertUtil: -ping command completed successfully.

As everything looks OK, I then force a certificate check with certutil -pulse:
=> CertUtil: -pulse command completed successfully.

This results in errors and warnings in the Application log on both sides.
- Application log on the DC:
- CertificateServicesClient-CertEnroll error event 13: Certificate enrollment for Local system failed to enroll for a KerberosAuthentication certificate with request ID 330303 from <server_FQDN>\<CA_name> (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).
- CertificateServicesClient-CertAutoEnrollment error event 6: Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
- Application log on the CA:
- CertificationAuthority warning event 53: Active Directory Certificate Services denied request 330303 because The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE).  The request was for domain\DC_name$.  Additional information: Denied by Policy Module

The CA now has a new line in Failed Requests, repeating the error.

If I do a manual certificate request on the DC, I get the same error.

Certificate Enrollment Web Services are not used. The DCs and the CA are both in a child domain, with all servers on Windows 2016. I have enabled AEEventLogLevel in both HKLM and HKCU but this doesn't give me any additional events.

What am I missing?



Peter Van Gils Toa Projects

Duplicate Client Authentication Certificates issued by Autoenrollment after re-imaging


Hi,

We're using autoenrollment on a 2012 R2 two-tier CA to issue Client Authentication certificates to our domain-joined Win10 and Win7 PC estate (issued to the computer account, not the user) so the PCs use them to authenticate for 802.1X networking with MS NPS, and that's all working great.

However, after we re-image one of our PCs, autoenrollment kicks in and issues a new certificate to the PC (as it should), but the old certificate is left behind in the issuing CA's "Issued Certificates", so we get one certificate listed for each time the PC is re-imaged.

Am I missing a config somewhere to prevent this, so older certificates issued by the same template are deleted or revoked automatically when the new one is issued?

And if not, and if this is expected behaviour, is there a straightforward way to clean up the older certificates from the issuing CA if they have been superseded by a newer certificate from the same template?

Template compatibility is currently set to Server 2008 for the CA side, and Vista / Server 2008 for the recipient, if that has any bearing.

Regards,

H.

