Channel: Security forum

Root CA - Private Key is not exportable


Hello,

I'm trying to migrate my root CA from CSP to KSP and from SHA-1 to SHA-2 by following this guide:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn771627(v=ws.11)?redirectedfrom=MSDN

The problem I'm having is that the private key of my root CA is not exportable and it is required that I export it to do the migration.

Is there any way I can make the private key exportable?

My root CA is Windows Server 2012 R2.

Thanks!



certificate template


Hi,

I have a three-tier PKI environment. But when I issue a cert from my template, somehow on my cert under Certificate Properties > Certificate Template Information > Certificate display name is empty. I can tell that it was issued from the correct template, but somehow the template information is missing from the cert.

Any thoughts?

Thanks

Getting Schannel error 36874 in VDI client


Hi Experts!

Can someone please tell me how to fix Schannel error 36874 in VDI? Is this impacting production and will it affect our end users, or can we ignore this error?

I modified the registry key to disable the additional secure channel event logging. Is this best practice? See the error logs below.

We use IIS Crypto 3.0 and applied the best-practice server and client protocol settings. Is this recommended, since it requires a reboot?

What is your recommendation?

Please see the event 36874 info below

Log Name:      System
Source:        Schannel
Date:          9/19/2019 11:49:47 AM
Event ID:      36874
Task Category: None
Level:         Error
Keywords:
User:          SYSTEM
Computer:      VDIRWM07.TRAVELLERS.PH
Description:
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36874</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-09-19T03:49:47.055825600Z" />
    <EventRecordID>213888</EventRecordID>
    <Correlation ActivityID="{25B73D44-6734-0009-463D-B7253467D501}" />
    <Execution ProcessID="836" ThreadID="7796" />
    <Channel>System</Channel>
    <Computer>VDIRWM07.TRAVELLERS.PH</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Protocol">TLS 1.2</Data>
  </EventData>
</Event>



Homer Sibayan
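As an added example (not from the original post), a PowerShell check run on the server that logs the event: it lists the cipher suites the server still offers after the IIS Crypto template was applied, reads the Schannel EventLogging value the post mentions changing, and counts how often 36874 fires per protocol and day. It assumes Windows Server 2016 / Windows 10 or later (for Get-TlsCipherSuite) and local administrator rights.

```powershell
# Added example, not from the original post: narrow down a Schannel 36874
# (no cipher suite in common) before changing IIS Crypto settings again.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# 1. What the server will accept. 36874 means the client's offered list has no
#    overlap with this list for the protocol named in the event (TLS 1.2 here).
$enabled = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
"Enabled cipher suites ($($enabled.Count)):"
$enabled

# 2. Schannel EventLogging: 1 = errors only (the default), 7 = errors, warnings and
#    information, 0 = nothing. Setting 0 hides the symptom; it does not fix the handshake.
$ev = (Get-ItemProperty -Path $SchannelKey -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
"Schannel EventLogging = $ev"

# 3. How often and when 36874 fires. The event carries only the protocol, so the
#    timestamps have to be correlated with the VDI broker or client-side logs to
#    identify which client is sending the incompatible ClientHello.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36874 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Protocol = ($x.Event.EventData.Data | Where-Object Name -eq 'Protocol').'#text'
        }
    } |
    Group-Object Protocol, { $_.Time.ToString('yyyy-MM-dd') } |
    Select-Object Count, Name |
    Sort-Object Name
```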


Minimum permission required to execute "Backup-CARoleService -path -DatabaseOnly"


Hi,

I'm on a mission to create a scheduled task to back up a CA. I want the scheduled task to run as a user with minimum permissions on the server. What are the minimum permissions required for this user to be able to execute "Backup-CARoleService -path <some_path> -DatabaseOnly"?

Best regards,

Jim

Strong private key protection apparently not working in Windows 10


I'm experiencing the following (apparently incorrect) behavior in Windows 10 Pro version 1903, OS Build 18362.418:

I'm importing a key/certificate from a PKCS #12 into the user certificate store, enabling strong private key protection and setting the security level to High (which asked me to provide a password to protect the private key).

Anyway, later, when I try to use this private key (from a Java program) I'm not prompted at all for the password that I set previously and I get a correct digital signature computation.

This is a bug in this Windows version, isn't it?

VPN and Windows Server 2019


A Windows Server 2019 certificate is not being recognized by my Meraki router. If I point the router to one of my other servers, which is a 2012 server, it works fine. I have certificates in the 2019 server that I created in the server. The certificate is identical to the one in my 2012 box (except the name of the server), and is also in the same location. Is there something I am missing?



Time Zone changed on a Windows server


Hi,

Recently we had an issue whereby the time zone was found to have been changed on some Windows servers.

I have already checked the security logs for Event ID 4616; it is there, but it does not have any specific details on which ID the time zone was changed from.

Is there any way to determine which user ID or specific system process changed the time zone?

Thanks in advance,
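An added example (not from the original post) of pulling the subject account and process fields that Event 4616 records for each change, so the entries can be tied to a logon session or a process rather than just a timestamp. It assumes the caller can read the Security log on the target host (local administrator); the computer name and day range are parameters.

```powershell
# Added example, not from the original post: list Event 4616 entries with the
# subject account and process that Windows records for each system time change.
function Get-TimeChangeEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4616
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # The details live in EventData; index them by their Name attribute.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                Subject      = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                SubjectSid   = $d['SubjectUserSid']
                LogonId      = $d['SubjectLogonId']   # join to 4624 to find the logon session
                Process      = $d['ProcessName']
                ProcessId    = $d['ProcessId']
                PreviousTime = $d['PreviousTime']
                NewTime      = $d['NewTime']
            }
        }
}

# Routine clock corrections come from the Windows Time service (NT AUTHORITY\LOCAL SERVICE,
# svchost.exe); an interactive account, or a tool such as tzutil.exe or rundll32.exe,
# is what to chase when the change was not expected.
Get-TimeChangeEvents -Days 30 |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, Subject, Process, PreviousTime, NewTime -AutoSize
```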

Code Integrity Policy Active: Fail - Shielded VM -Windows 2019


Hi, I am trying to set up a Guarded Host in TPM mode, and I am having an issue with Code Integrity Policy Active.

When I run the command Get-HgsTrace -RunDiagnostic -Detailed, this is the result:

For Code Integrity Policy Active: Fail

I have applied the "Enable virtualization-based protection of code integrity" GPO; on the host I have run gpupdate /sync and verified the policy has been applied.

As for the HGS server, here is the Get-HgsTrace result.

The article I have referenced:

https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-tpm-trusted-attestation-capturing-hardware#create-and-apply-a-code-integrity-policy

Please guide me on resolving Code Integrity for Shielded VMs.

Thank you.

Yours sincerely,

Lee Leng


You don't have administrator privileges on the server


While creating a failover cluster on a Windows 2012 R2 server I am getting the error "you don't have administrator privileges on the server". I have tried:

1) Rejoining the machine to the domain

2) Installing all Windows updates on the machine and domain

The issue is still there.

Please help as early as possible.

Thanks in advance


Nilesh Savant

Windows update failed to install.


Hi

We are facing a Windows Update issue on Windows Server 2016 Datacenter.

We have installed a fresh Win 2016 OS and started patching online. The patches download, but when they start installing they fail with the following error:
"There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x800705b4)"

We have done all the possible steps: sfc /scannow, chkdsk, DISM.exe etc.

Troubleshooting shows "potential windows update database error detected".

We have around 100 Win 2016 servers with the same issue. I am wondering why even a fresh installation gets the above-mentioned error.

I hope Microsoft has a solution.

I have downloaded the ISO from Microsoft VLM.

CEWS with CES in renewal only mode not performing automatic renewals


Hello,

So I am testing the implementation of CEWS with CES in renewal only mode. It is configured exactly as it should be, and a manual renewal of the certificate works, but letting the system attempt the renewal itself without user intervention is not happening. I am frustrated with a couple of things I am seeing:

1. If the initial certificate was issued to the client using a different CEP than the renewal attempt, even the manual renewal fails with the error that no enrollment policy server can be located. This is even after the new one has been added to the local policy and validated and the local cache of the previous one deleted via certutil. If this is the expected behavior then the CEWS idea has a flaw, because the whole point of us standing up the CEWS is for clients to get their initial certificate via the default AD DC URI from within the trusted network, but to be able to renew the certificate against the additional CEP URI (accessible from public networks via our DMZ, and defined in the policy server list) once they are off the trusted network.

2. When testing getting the initial certificate from a key-based CES/CEP that wasn't in renewal only mode, I am able to get the client's certificate fine. I then change the CES to renewal only mode to test the auto-renew capability, while the CEP remains the same so I do not get the error stated in "1.", and the client fails to auto-renew but the manual renewal does work. Logs are extremely vague and do not give much info even with verbose logging enabled, but I will attach them here if needed.

I have read all the KBs, tech guides, and MS Lab examples you can probably come across, and everything is set up exactly how it should be, so I am eager for anyone else to possibly shed some light on my situation. Thank you.

CertUtil: The instruction at 0x%08lx referenced memory at 0x%08lx.


Hi fellows,

I am currently trying to re-sign a certificate on a Windows Server 2008 R2 (fully patched) system (ADCS CA):


certutil -sign <oldfile> <newfile>

Signing keys are in software (Microsoft Software Key Storage Provider); the cert was issued by this CA, is a CA itself (sub) and is not revoked.

Command output:

301.3561.0:<2015/11/26, 10:0:3>: 0xc0000005 (-1073741819): 0x0 @ 0x00000000FFF33864
CertUtil: -sign command FAILED: 0xc0000005 (-1073741819)
CertUtil: The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
301.3792.0:<2015/11/26, 10:0:3>: 0xc0000005 (-1073741819)

certutil.log:

========================================================================
402.511.948: Begin: 11/26/2015 10:09 AM 53.224s
402.516.0: certutil
402.520.0: GMT + 1.00
301.3888.0: certcli.dll: 6.1:7601.18833 retail
301.3888.0: certutil.exe: 6.1:7601.18151 retail
301.3788.465:<2015/11/26, 10:9:53>: Command Line: CertUtil -sign \temp\sub\sub.cer \temp\sub\new.cer
301.3561.0:<2015/11/26, 10:9:53>: 0xc0000005 (-1073741819): 0x0 @ 0x00000000FFFC3864
301.3792.0:<2015/11/26, 10:9:53>: 0xc0000005 (-1073741819)
301.3807.509:<2015/11/26, 10:9:53>: Command Status: The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. 0xc0000005 (-1073741819)
402.377.949: End: 11/26/2015 10:09 AM 53.255s

certutil -verify output:

Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Nothing interesting in the CAPI2 log, certsrv.log, etc. I can sign with the key, as I can publish a new CRL.

I installed KB2615174. (Actually the sub CA is v1.1 and I want to re-sign it to v2.1 manually.)

Does anyone have an idea? :)


Restrict the processing of DNS queries


Can someone please explain this to me in the simplest terms possible?

Thanks! :)

LAPS Not showing password


Hi everyone,

I tried to install LAPS but it's not showing the password. My steps:

1- Install LAPS on my DC

2- All my PCs are in one OU "Computers", so I gave the computer permission to read the password.

A- set-admpwdcomputerselfpermission -orgunit 'CN=Computers,DC=DOMAIN,DC=COM'

B- find-admPwdExtendedRights -identity "CN=Computers,DC=DOMAIN,DC=COM" | Format-List -Property *

C- Set-AdmPwdReadPasswordPermission -orgunit 'CN=Computers,DC=DOMAIN,DC=COM' -AllowedPrincipals "IT Remote Desktop Servers"

3- Created the group policy

4- Deployed LAPS to all PCs

But when I run LAPS on the DC to see the password, it's empty. Did I miss something? I tried to run as administrator, and tried from another admin account. How can I see logs? Is there any other software that is easier to use?

One more thing: the password is not changing on the user PC.

Please find attached an image from the user registry.


Osma
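An added example (not from the original post) that checks each part of the setup the post describes, in the order it can fail: what kind of object the delegation target is, who holds the read right on it, whether the managed computer has written a password and expiry to AD at all, and whether the caller can read it through the supported cmdlet. It assumes the LAPS management tools (AdmPwd.PS) and the RSAT ActiveDirectory module are installed where it runs; the OU DN, group name and computer name are placeholders.

```powershell
# Added example, not from the original post: verify a LAPS delegation end to end.
Import-Module AdmPwd.PS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$OrgUnit  = 'OU=Workstations,DC=example,DC=com'   # placeholder: container holding the PCs
$Computer = 'PC01'                                 # placeholder: a LAPS-managed computer

# 1. The Set-AdmPwd*Permission cmdlets take -OrgUnit; confirm the DN resolves and
#    what class it is (the default CN=Computers is a 'container', not an
#    'organizationalUnit'), since most LAPS guidance assumes an OU.
$obj = Get-ADObject -Identity $OrgUnit -Properties objectClass
"Target $OrgUnit is objectClass=$($obj.objectClass)"

# 2. Who holds the extended right to read ms-Mcs-AdmPwd on this target? The group
#    from Set-AdmPwdReadPasswordPermission -AllowedPrincipals must appear here.
Find-AdmPwdExtendedRights -Identity $OrgUnit |
    Select-Object ObjectDN, ExtendedRightHolders | Format-List

# 3. Has the computer written a password and expiry at all? If both are empty, the
#    client-side extension never ran: GPO not in scope, CSE not installed on the PC,
#    or the self-write right from Set-AdmPwdComputerSelfPermission is missing.
$c = Get-ADComputer -Identity $Computer -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
$expiry = if ($c.'ms-Mcs-AdmPwdExpirationTime') {
    [datetime]::FromFileTime([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
} else { $null }
[pscustomobject]@{
    Computer       = $c.Name
    PasswordStored = [bool]$c.'ms-Mcs-AdmPwd'   # report presence only; never print the value
    Expiry         = $expiry
}

# 4. Read it the supported way (what the LAPS UI calls). A stored value in step 3
#    but an empty Password here means the caller lacks the right granted in step 2.
Get-AdmPwdPassword -ComputerName $Computer |
    Select-Object ComputerName, ExpirationTimestamp, @{ n = 'HasPassword'; e = { [bool]$_.Password } }
```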





Can't establish IKEv2 VPN connection - "Error 13819: Invalid certificate type"


I'm trying to make a VPN connection to a Windows Server 2012 Essentials server. I can successfully connect using SSTP, but I want to use IKEv2 to improve performance. However, when I try to connect, I receive the following error message: "Error 13819: Invalid certificate type".

The message suggests to me that the certificate being used does not have the correct EKU attributes for an IKEv2 connection. However, I have issued a certificate for the server, placed in the server's Personal store, which includes the EKUs for Server Authentication and IP security IKE Intermediate, as specified in this tutorial (albeit for Server 2008). The certificate is self-signed, with the root authority trusted by the client computers.

What I would like to do is to find out exactly which certificate is actually being selected by the server for the IKEv2 connection. I can't see any way of verifying which is being used - I suspect the server may be selecting a different certificate without the correct EKUs. Once I am sure of the certificate being used, I could verify it on the client computers with certutil.

Could anyone suggest how I could do that?

Thanks.


Kerberos Authentication template - how are the SAN values added to the request?


Hi all,

When a request is made against a Kerberos Authentication certificate template, I'm aware that the resulting certificate includes the DC's fqdn, the domain fqdn, and the netbios name of the domain within the SAN attributes.  Could anyone explain to me how this process actually works?  How are those values inserted into the certificate request to the CA?

thanks

Mike

Analyzing traffic to or from the IPSEC-protected host


Hello!

I configured connection security rules for my SQL Server computer (Require inbound ... and request outbound) and for the client (~Request inbound and outbound...). The result: the security association gets established...

...and the client (Windows 10 Pro named Client1) can successfully connect to the SQL Server (SQL1) using SSMS or by any other means. Other clients (for which no connection security rules were applied) cannot. That's all as expected. The problem is I don't know 1) what information should be revealed in the captured network packets between Client1 and SQL1 and 2) what the unsuccessful network connection between any other client (say Client2) and the secure server (SQL1) must look like, for example:

1) I'm connecting from Client1 to the SQL Server on SQL1 host (successfully):

Q1: Should I see any network-related information (such as source/destination ports) in the encrypted traffic?

2) I'm connecting from Client2 to the SQL Server on SQL1 host (unsuccessfully):

Q2: Why does SQL1 "talk" to 10.1.1.23 if it should just silently drop insecure connections?

Thank you in advance,
Michael

ADCS - Certutil error?


Hi All,

I made a small error in a new ADCS user auto-enrolment certificate template, which I fixed. User accounts are now correctly being auto-enrolled; however, I have a large number of "FAILED Requests" in my CA.

I'm trying to delete all "FAILED Requests" as of yesterday by the following command...

C:\>Certutil -deleterow 9/25/2019 Request

But it fails with...

CertUtil: -deleterow command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.

My account is Enterprise Admin... I also tried with the date in various other formats and still get the same error.

Any help here is greatly appreciated. Thanks in advance...

durrie.



UAC - and Builtin Administrator


I want a local account on Windows to have the same privileges as the built-in Administrator account.

There are two accounts that are very special on Windows when UAC is enabled with default settings on Windows 2012 R2 / 2016 machines.

One is the built-in Administrator and the other is the built-in default domain Administrator, as both bypass UAC.

You can issue any type of remote PowerShell command to all remote computers, like "get-service" or "restart-computer", and all these commands get executed on the remote machines with success. The same fails if you use other admins or any other domain account (even a domain admin account).

This is because these are built-in administrator accounts that bypass UAC.

Is there a way I can add another local administrator account to have the same level of access?

The only current option is to disable UAC entirely, which no one agrees to do:

User Account Control: Turn on Admin Approval Mode

This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.

The options are:
• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.


Shahid Roofi

Windows Server 2019 not communicating with a Meraki on port 3268

I am having a problem with the connection between my Meraki MX60 router and a new Windows 2019 Server. We replaced an old 2008 R2 server. Our domain currently has 2 DCs, a 2012 box and the 2019 box. When I point the Meraki to the new box, I am told by Meraki support that port 3268 is not responding to the first message sent out by the Meraki. So they tell me it's an Active Directory or a certificate issue. I have created a self-signed certificate using IIS, and it's set up to the Meraki standard. The strange thing is that when I point the Meraki to the other DC it connects without issue. I guess I am asking what I could be missing; I looked at my group policies and even turned the firewall off on the 2019 server. Can anyone give me an idea what to look at next?
