Channel: Security forum

Failed to renew Certificate using 'certreq'


Hi,

I am trying to renew a certificate using the certreq command, but it is throwing the error message "No certificate available". But the certificate exists. The command used is mentioned below:

C:\ certreq -enroll -machine -cert "‎6c 00 00 00 b1 e2 09 bb c1 f5 6b a6 49 00 00 00 00 00 b1" Renew

Certificate Request Processor: The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)

Please suggest possible reasons for this issue and how it can be resolved.

Regards,

Bhasha Agrawal



Certificate autoenrollment fails on DCs - RPC server is unavailable


Hello,

We are in the process of replacing our old SHA1 certificate authority with a new SHA2 CA. I'm having trouble enabling autoenrollment on the DCs that are not in the same AD site as the CA. For those in the same site it already works. Here's what I've checked so far:

- opened firewall ports based on https://blogs.technet.microsoft.com/pki/2010/06/25/firewall-rules-for-active-directory-certificate-services: 464/389/636/135 from the CA to the DCs; 135/49152-65565 from the DCs to the CA
- published the Kerberos Authentication certificate, which supersedes Directory Email Replication, Domain Controller, and Domain Controller Authentication
- Domain Controllers have Read and Request Certificates permissions on the CA
- Domain Controllers and Enterprise Domain Controllers have Read, Enroll, and Autoenroll permissions on the Kerberos Authentication certificate template. Authenticated Users have Read permission.
- The CA is listed in ADSIEdit.msc under CN=Configuration | CN=Services | CN=Public Key Services | CN=Enrollment Services
- The Certificate Service DCOM Access group contains the Domain Computers, Domain Controllers and Domain Users groups.
- DCOM permissions have been verified
- A GPO has been created that activates Autoenrollment on the DCs. HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\AutoEnrollment shows that AEPolicy is set to 7.
- the Certificate Service DCOM Access group has been added to Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options->DCOM: Machine Launch Restrictions, and given all 4 permissions.
- Portqry from the DC to the CA on TCP/135: "TCP port 135 (epmap service): LISTENING"
- netstat -ano says the high RPC port is 64016
- Portqry from the DC to the CA on TCP/64016: "TCP port 64016 (unknown service): LISTENING"
- certutil -config "<server_FQDN>\<CA_name>" -ping
=> Connecting to <server_FQDN>\<CA_name> ...
Server "<CA_name>" ICertRequest2 interface is alive (2000ms)
CertUtil: -ping command completed successfully.

As everything looks OK, I then force a certificate check with certutil -pulse:
=> CertUtil: -pulse command completed successfully.

This results in errors and warnings in the Application log on both sides.
- Application log on the DC:
- CertificateServicesClient-CertEnroll error event 13: Certificate enrollment for Local system failed to enroll for a KerberosAuthentication certificate with request ID 330303 from <server_FQDN>\<CA_name> (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).
- CertificateServicesClient-CertAutoEnrollment error event 6: Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
- Application log on the CA:
- CertificationAuthority warning event 53: Active Directory Certificate Services denied request 330303 because The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE).  The request was for domain\DC_name$.  Additional information: Denied by Policy Module

The CA now has a new line in the Failed Requests, repeating the error.

If I do a manual certificate request on the DC, I get the same error.

Certificate Enrollment Web Services are not used. The DCs and the CA are both in a child domain, with all servers on Windows 2016. I have enabled AEEventLogLevel in both HKLM and HKCU but this doesn't give me any additional events.

What am I missing?



Peter Van Gils Toa Projects

How is it possible that a stolen laptop can't be traced?


I get the whole "I need an IP address" and blah blah blah... I want to know why I can't use the help of all the info captured by the servers and other software, the data captured for targeted marketing, taking pictures every few seconds, the 3-mile radio frequency Windows 10 emits to be able to remotely access your computer without permission. I feel it's complete trash and an insult to my intelligence telling me it can't be located. A 1600 dollar laptop just gone??? If that's the case then say no more. I will never buy a new laptop again. Instead I'll go take Susie's or Bob's down the road. I need help because I am losing it, and I don't wanna hear it's not possible. I'd rather hear "I won't help you, sir, it's not worth our time" than someone insulting my intelligence....

Disable private key export while creating pfx


Hi,

We want to restrict the export of the private key when the certificate is created in the first place. We are testing generating the certificate for a user and sending the pfx file.

While generating the private key, we can set the export flag as below:

objPKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;

But if we use it, createPFX fails stating "CX509Enrollment::CreatePFX: Key not valid for use in specified state." This is because we have disabled the export.

Is there a way we can make the private key not exportable while creating the pfx file?

If more than one enterprise CA is running in the AD DS forest, permission changes will affect all CAs.


Hi all;

In Microsoft docs, we read:

If more than one enterprise CA is running in the AD DS forest, permission changes will affect all CAs.

Can anyone explain this sentence in more simplified technical words?

Thanks



How can I create a Version 3 template from a version 1?


Hi all;

Which compatibility combination should I use to create a Version 3 template from a Version 1, if AD CS is running on Windows Server 2016 or 2019?

Thanks



PKI setup for single forest - multi domain to single forest - Single domain


Hi All,

One of our customers currently has a single forest, multi-domain (6 child domains) environment. The customer now plans to migrate all the users and computers to a new single forest, single domain. My queries are below.

The users will migrate to the new domain, but resources will stay in the old domain. Currently the users / computers are authenticated by the existing certificates issued by AD CS. After the user/computer migration, the applications will remain in the old domain, but users and computers will receive a certificate from the new domain's AD CS server. How can we make users with a new-domain certificate work with the applications in the old domain?

Thanks and Regards,

Hariharan

Clients receiving (or auto-enrolling) certificates daily


Hi, I hope someone can give me some pointers to check on this issue. We have a single domain:

  • With an offline RootCa and online CA. 
  • 2012R2 domain controllers and windows 2012R2 domain level functionality

The clients on this domain seem to be getting a new Server/Client certificate every day!! Or sometimes 2 a day.

I don't know what's causing this; I have checked PKIView and all CRLs are correct and OK.

Can anyone give me any pointers on where to check?

Many thanks

Mark


Duplicate Client Authentication Certificates issued by Autoenrollment after re-imaging


Hi,

We're using Autoenrollment on a 2012R2 two-tier CA to issue Client Authentication certificates to our domain-joined Win10 and Win7 PC estate (issued to the computer account, not the user), so the PCs use them to authenticate for .1x networking with MS NPS, and that's all working great.

However, after we re-image one of our PCs, the autoenrollment kicks in and issues a new certificate to the PC (as it should), but the old certificate is left behind in the issuing CA's "Issued Certificates", so we get one certificate listed for each time the PC is re-imaged.

Am I missing a config somewhere to prevent this? So older certificates issued by the same template are deleted or revoked automatically when the new one is issued?

And if not, and if this is expected behaviour - is there a straightforward way to clean up the older certificates from the issuing CA if they have been superseded by a newer certificate from the same template?

Template compatibility is currently set to Server 2008 for the CA side, and Vista / Server 2008 for the recipient, if that has any bearing.

Regards,

H.


OID of certificate

Hi guys, I have a question about certificate attributes. I want to add the organization identifier as a field of the subject in certificates, so I use OID 2.5.4.97 as the organization identifier attribute in my certificate template, but when I issue a certificate based on my template, OID 2.5.4.97 is shown in the subject of the certificate instead of the organization identifier (OI). I would appreciate it if you could tell me how I can solve this. The attached image illustrates what I mean :)

Locate logon and logoff logs


Hi,

Can you please let me know where I can locate logon and logoff logs in AD, other than the details in the event log.


ITandIT

SANs


Hi

We have an internal PKI, and often we use SANs to include the devices' FQDNs, but recently a few device CSRs include the domain name as well.

An example CSR request is below. It is not a wildcard certificate, but do you see any security issues with adding domainname.com in the SANs?

SAN 1: DNS Name=device.domainname.com
SAN 2: DNS Name=domainname.com

Thanks


SWEET32 Vulnerability - Script Run


Hi All,

I am running the 'solve-sweet32.ps1' script from https://gallery.technet.microsoft.com/scriptcenter/Solve-SWEET32-Birthday-d2df9cf1

I first ran it with the '-Solve:"SWEET32"' argument to clean it up. However a subsequent scan stated that the vulnerability was still present.  I then ran it without any arguments so it will clean up all vulnerabilities found. Still, a scan showed the server as still being vulnerable. See below for output from this second run of the command. Any assistance is appreciated!

PS C:\Users\36207PA\Desktop> Set-ExecutionPolicy Unrestricted
PS C:\Users\36207PA\Desktop> .\solve-sweet32.ps1
Solving vulnerability --> SWEET32
WARNING: They key already exits (HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168)
The registry entry with property enabled = 0, already exists
Solving vulnerability --> TLS1.0
Create new Key (HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0)
Creating new property Enabled = 0 for TLS 1.0 in (HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client)
Creating new property Enabled = 0 for TLS 1.0 in (HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server)
Create new Key (HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1)
Creating new property Enabled = 0 for TLS 1.1 in (HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client)
Creating new property Enabled = 0 for TLS 1.1 in (HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server)
Creating 'Enabled' and 'DisabledByDefault' for TLS 1.2 in (HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client)
New-ItemProperty : Cannot convert value "4294967295" to type "System.Int32". Error: "Value was either too large or too small for an Int32."
At C:\Users\36207PA\Desktop\Solve-Sweet32.ps1:233 char:41
+                         New-ItemProperty <<<<  -PropertyType DWORD -Path "$cspath" -Name "Enabled" -Value 4294967295 -Force| Out-Null
    + CategoryInfo          : WriteError: (HKEY_LOCAL_MACH...\TLS 1.2\Client:String) [New-ItemProperty], PSInvalidCastException
    + FullyQualifiedErrorId : System.Management.Automation.PSInvalidCastException,Microsoft.PowerShell.Commands.NewItemPropertyCommand
Creating 'Enabled' and 'DisabledByDefault' for TLS 1.2 in (HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server)
New-ItemProperty : Cannot convert value "4294967295" to type "System.Int32". Error: "Value was either too large or too small for an Int32."
At C:\Users\36207PA\Desktop\Solve-Sweet32.ps1:233 char:41
+                         New-ItemProperty <<<<  -PropertyType DWORD -Path "$cspath" -Name "Enabled" -Value 4294967295 -Force| Out-Null
    + CategoryInfo          : WriteError: (HKEY_LOCAL_MACH...\TLS 1.2\Server:String) [New-ItemProperty], PSInvalidCastException
    + FullyQualifiedErrorId : System.Management.Automation.PSInvalidCastException,Microsoft.PowerShell.Commands.NewItemPropertyCommand
Cleaning up variables


SSL 2 and 3 is disabled still the scan (NMAP and Tenable) shows it is enabled

Hi, we have disabled SSL 2 and 3 on the servers via the registry (the typical SecurityProviders\SCHANNEL keys and all). Now when we scan, it still shows SSL 2 and 3. What else needs to be done on the server to fix this? Let's say the server has SQL; some are simply IIS servers. What else needs to be done?

Regards BM
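An added example (editor's code, not the thread's Solve-SWEET32 script or anything posted above) for the two Schannel posts: the first failed because New-ItemProperty casts a DWORD -Value to Int32 and 4294967295 does not fit, and the second cannot tell whether its registry change actually landed. The function names are this example's own; the registry path and the Enabled/DisabledByDefault value names are the documented Schannel ones.

```powershell
# Added example, not the Solve-SWEET32 script. Writes the Schannel protocol
# values with a DWORD that survives New-ItemProperty's Int32 cast, then reads
# them back. Run elevated; Schannel only reads these keys at boot, so a reboot
# is needed before a scanner can see the change.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,   # e.g. 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory=$true)][bool]$Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $path = Join-Path $SchannelProtocols "$Protocol\$side"
        New-Item -Path $path -Force | Out-Null
        # The script died on -Value 4294967295 because the value is cast to Int32.
        # 1 is the "enabled" value Microsoft's current guidance uses; if you want the
        # 0xFFFFFFFF form older guides used, pass ([int]-1), which casts cleanly and
        # is stored as the unsigned DWORD 0xFFFFFFFF.
        $enabledValue = 0; $disabledByDefault = 1
        if ($Enabled) { $enabledValue = 1; $disabledByDefault = 0 }
        New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord -Value $enabledValue -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord -Value $disabledByDefault -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param([Parameter(Mandatory=$true)][string]$Protocol)
    foreach ($side in 'Client', 'Server') {
        $path  = Join-Path $SchannelProtocols "$Protocol\$side"
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $state = New-Object PSObject -Property @{
            Protocol = $Protocol; Side = $side; KeyExists = [bool]$props
            Enabled = $null; DisabledByDefault = $null
        }
        if ($props) {
            $state.Enabled           = $props.Enabled
            $state.DisabledByDefault = $props.DisabledByDefault
        }
        $state
    }
}

# Usage: turn the legacy protocols off, keep TLS 1.2 on, then show what the registry says.
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $false }
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2' |
    ForEach-Object { Get-SchannelProtocolState -Protocol $_ } |
    Format-Table Protocol, Side, KeyExists, Enabled, DisabledByDefault -AutoSize
```

If a scanner still reports SSL 2/3 after the reboot, the listener on that port is usually not using Schannel at all (a Java or OpenSSL-based service brings its own TLS stack), so check which process owns the port before changing more registry keys.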

EventRecordID uniqueness

Can someone please clarify whether EventRecordIDs are unique per event log? By event log, I am referring to the evtx file. In other words, are EventRecordIDs unique per event (e.g. "a system service was started"), per event log (Application, Security, System, Forwarded Events etc.), or per host? I couldn't find any related documentation on MSDN.

DSA.msc access: remove domain users' permissions


Dear Team,

I am using a Windows 2012 R2 domain server.

We create domain users on the server. But domain reset, domain joining, computer deletion and password options came with all the permissions for all users,

Still, I have not set any delegation option for the particular user.

How do I remove the password reset permission for all domain users from DSA.MSC?

How do I give the permission to a particular user only?

Certificate Revocation Using CertUtil Utility


Hi,

Whenever I'm trying to revoke a certificate using the certutil command utility, it's throwing the following error:

Input:

C:\Users\administrator> certutil -config "MachineName\CAName" -revoke certificateSerialNumber  revocationReason

Error:

CertUtill : -revoke command FAILED: 0x8007007e(WIN32/HTTP:126 ERROR_MOD_NOT_FOUND)

CertUtill : The specified module could not be found

Certificate Renewal Problem.


Hi,

I have created a user certificate (DSC) using the "certreq -submit" command with PKCS#10 data as input.

Now I'm trying to renew the same certificate using the following command:

certreq -Enroll -cert certificateSerialNumber -user Renew

but the above command is returning a "No Certificate Found" error.

I'm Using Windows Server 2012 R2.

Thanks,

Janadhri

How to check I only have good certificates?

My Windows 10 came with a bunch of trusted root certificates. How do I validate that these are real industry certificates and not malware-installed certificates to support malware actions? I'm not talking about expired or invalid certificates; I'm talking about how to validate the list of certificates on my machine against what is normally there, so I can spot added certificates, such as those added by Fiddler or the company I work for?

rwg

Recover encrypted files that were encrypted on an old computer (Windows 8.1) on my new laptop (Windows 10)

The internal hard disk of my laptop was not working, so I got the data recovered from it and transferred to an external hard drive. When I connect my external hard drive to my new laptop, all files open except for 2 folders (which I need and are very important). Those 2 folders are shown in green and their contents show a lock on the thumbnail. What do I do to unlock these folders?