Channel: Security forum

Multiple NDES certificate templates


Hi All,

Can we create multiple NDES templates with the same key usage and apply a specific template to a specific OU?

Thanks and Regards,

Hariharan


Shared Folder Issue in Windows Server 2012 R2 DC


Hi All,

Recently an issue occurred. A Domain Admin accessed the Shared Folder and granted full control on that shared folder to User 1. While accessing the Shared Folder he got the message "you do not have permission", even though he is a Domain Admin and a member of the local Administrators group of that File Server. However, the Domain Admin added User 1 to the shared folder and granted full permissions on it without taking ownership of it, since the local admin was the owner of the Shared Folder. The Domain Admin could not see any existing users on that Shared Folder while he was accessing it and granting permissions to User 1. Later on, the File Server's admin complained that the Shared Folder was created by him and had several existing users permitted and accessing it, but after the Domain Admin's activity the previous/existing users' access was removed. In reality the Domain Admin did not remove any existing user/access.

I would like to understand the issue, and I request you to provide the list of Security Event IDs for a File Server and, in such a scenario, which event ID will be generated for the Domain Admin.

Does the following log information prove that the Domain Admin removed the existing users, given that the Domain Admin did not remove any permissions or users from the shared folder?

--------------------------------------------------------------------------------------------------------------------------------------------

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/14/2019 7:09:35 AM
Event ID:      5143
Task Category: File Share
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Fileserver.domain.com
Description:
A network share object was modified.

Subject:
     Security ID:         Domain\DomainAdmin
     Account Name:        DomainAdmin
     Account Domain:      Domain
     Logon ID:       0xF340904C

Share Information:
     Object Type:         Directory
     Share Name:          \\*\Folder 2019
     Share Path:          F:\Folder 2019 
     Old Remark:          Requested by Auth Team
     New Remark:          N/A
     Old MaxUsers:        0xFFFFFFFF
     New Maxusers:        0xFFFFFFFF
     Old ShareFlags:      0x800
     New ShareFlags:      0x800
     Old SD:              O:BAG:DUD:(A;;FA;;;WD)
     New SD:              O:BAG:DUD:(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/14/2019 7:09:35 AM
Event ID:      5140
Task Category: File Share
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Fileserver.domain.com
Description:
A network share object was accessed.

Subject:
     Security ID:         Domain\DomainAdmin
     Account Name:        DomainAdmin
     Account Domain:      Domain
     Logon ID:       0xF34090B5

Network Information: 
     Object Type:         File
     Source Address:      ::1
     Source Port:         58119

Share Information:
     Share Name:          \\*\Folder 2019
     Share Path:          \??\F:\Folder 2019 

Access Request Information:
     Access Mask:         0x1
     Accesses:       ReadData (or ListDirectory)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/14/2019 7:09:35 AM
Event ID:      5140
Task Category: File Share
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Fileserver.domain.com
Description:
A network share object was accessed.

Subject:
     Security ID:         Domain\DomainAdmin
     Account Name:        DomainAdmin
     Account Domain:      Domain
     Logon ID:       0xF34090B5

Network Information: 
     Object Type:         File
     Source Address:      ::1
     Source Port:         58119

Share Information:
     Share Name:          \\*\Folder 2019
     Share Path:          \??\F:\Folder 2019 

Access Request Information:
     Access Mask:         0x1
     Accesses:       ReadData (or ListDirectory)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/14/2019 7:08:33 AM
Event ID:      5140
Task Category: File Share
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Fileserver.domain.com
Description:
A network share object was accessed.

Subject:
     Security ID:         Domain\DomainAdmin
     Account Name:        DomainAdmin
     Account Domain:      Domain
     Logon ID:       0xF34090B5

Network Information: 
     Object Type:         File
     Source Address:      ::1
     Source Port:         58101

Share Information:
     Share Name:          \\*\Folder 2019
     Share Path:          \??\F:\Folder 2019 

Access Request Information:
     Access Mask:         0x1
     Accesses:       ReadData (or ListDirectory)

---------------------------------------------------------------------------------------------------------------------------------------------

Please advise, and thank you in advance.


Regards, Ali
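The Old SD and New SD fields in the 5143 event above are SDDL strings, so the change can be compared mechanically instead of by eye. The following is an added example for this thread (not code from the post, and not a Microsoft tool): it pulls the two SDDL values out of a constructed copy of the 5143 event text, parses the DACL ACEs, and reports per trustee whether an entry was added, removed, rewritten (rights or inheritance flags changed) or left unchanged. The SID alias table is a small subset of the well-known SDDL aliases; anything not in it is printed as-is.

```python
"""Diff the Old SD / New SD share security descriptors from a Windows
Security event 5143 ("A network share object was modified").

Added example for this thread, not code from the original post. EVENT_5143
is a constructed copy of the relevant fields of the event quoted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed copy of the relevant fields from the 5143 event in the thread.
EVENT_5143 = """\
Event ID:      5143
Share Information:
     Object Type:         Directory
     Share Name:          \\\\*\\Folder 2019
     Share Path:          F:\\Folder 2019
     Old SD:              O:BAG:DUD:(A;;FA;;;WD)
     New SD:              O:BAG:DUD:(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)
"""

# Subset of the well-known SDDL SID aliases that show up in share permissions.
SID_ALIASES = {
    "WD": "Everyone",
    "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users",
    "AU": "Authenticated Users",
    "SY": "SYSTEM",
    "DA": "Domain Admins",
    "DU": "Domain Users",
    "CO": "CREATOR OWNER",
}


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" = access allowed, "D" = access denied
    flags: str      # inheritance flags, e.g. "OICI" (object + container inherit)
    rights: str     # e.g. "FA" (file all access) or a hex access mask
    trustee: str    # SID alias such as "WD" or a literal SID

    def describe(self) -> str:
        kind = {"A": "Allow", "D": "Deny"}.get(self.ace_type, self.ace_type)
        who = SID_ALIASES.get(self.trustee, self.trustee)
        flags = f", flags={self.flags}" if self.flags else ""
        return f"{kind} {self.rights} for {who}{flags}"


def parse_dacl(sddl: str) -> List[Ace]:
    """Parse the DACL ACEs out of an SDDL string such as 'O:BAG:DUD:(A;;FA;;;WD)'.
    Handles the owner/group/DACL shape that event 5143 emits; SACLs are ignored."""
    # 'D:' introduces the DACL, optionally followed by DACL flags (e.g. 'PAI')
    # and then the parenthesised ACEs. 'D:' only matches where the letter D is
    # directly followed by a colon, so the 'D' of an alias like 'DU' is skipped.
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError(f"no DACL in SDDL: {sddl!r}")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(fields[0], fields[1], fields[2], fields[5]))
    return aces


def extract_sd_change(event_text: str) -> Tuple[str, str]:
    """Return (old_sd, new_sd) from the text of a 5143 event. SDDL has no spaces,
    so the value is the first non-blank run after the field name."""
    fields = dict(re.findall(r"^\s*(Old SD|New SD):\s*(\S+)", event_text, re.M))
    return fields["Old SD"], fields["New SD"]


def _by_trustee(aces: List[Ace]) -> Dict[Tuple[str, str], List[Ace]]:
    grouped: Dict[Tuple[str, str], List[Ace]] = {}
    for a in aces:
        grouped.setdefault((a.ace_type, a.trustee), []).append(a)
    return grouped


def diff_share_dacl(old_sddl: str, new_sddl: str) -> Dict[str, List[str]]:
    """Compare two DACLs trustee by trustee: who gained an entry, who lost one,
    and whose existing entry was rewritten with different rights or flags."""
    old, new = _by_trustee(parse_dacl(old_sddl)), _by_trustee(parse_dacl(new_sddl))
    report: Dict[str, List[str]] = {"added": [], "removed": [], "modified": [], "unchanged": []}
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key), new.get(key)
        if o is None:
            report["added"].append("; ".join(a.describe() for a in n))
        elif n is None:
            report["removed"].append("; ".join(a.describe() for a in o))
        elif set(o) == set(n):
            report["unchanged"].append("; ".join(a.describe() for a in o))
        else:
            report["modified"].append(
                "; ".join(a.describe() for a in o) + " -> " + "; ".join(a.describe() for a in n))
    return report


if __name__ == "__main__":
    old_sd, new_sd = extract_sd_change(EVENT_5143)
    for kind, entries in diff_share_dacl(old_sd, new_sd).items():
        for entry in entries:
            print(f"{kind:9s} {entry}")
```

Note that event 5143 records the share-level security descriptor only. Changes to the folder's NTFS ACL are a separate audit trail (File System object access auditing, event 4670 "Permissions on an object were changed", which is only generated when a SACL on the folder requests it), so a share-DACL diff by itself says nothing about NTFS permissions that may also have changed.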

Is IISCrypto tool safe to use on a Windows machine?


We keep encountering various types of TLS connection issues, and recently I bumped into the IISCrypto tool, which looks pretty impressive and can help us with our troubleshooting. But we are not sure if it's an approved tool from Microsoft and doesn't cause any harm. Can you please help answer?

https://www.nartac.com/Products/IISCrypto


sharath

Decommissioning an Old Certification Authority without taking it down


Hi,

I want to bring a new Root CA and Subordinate Enterprise issuing CA into the AD domain without shutting down the old CA infrastructure. As per my research there is no technical limitation from Microsoft to having two Root CAs in an AD forest or domain. My goal is to bring the new Enterprise CA online and revoke certificates on the old Enterprise CA one by one. AIA and CRL are LDAP, so on the old server. Also I would like to have a different CA name and host name on the new Root CA and Enterprise issuing CA. The following steps will not work for me (please Google search; I was not able to post the link): "Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One" by Amerk [MSFT]. Any feedback is greatly appreciated.


https://blogs.technet.microsoft.com/pki/2012/01/27/decommissioning-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-operations-to-a-new-one/

Active Directory Certification Services(AD CS/PKI/CA): What in the world is "Bridge Ca"?


Hi y'all,

I'm familiarising myself with different aspects of ADCS. I know there is a RootCA and an issuingCA, but what in the world is a "BridgeCA"? Does this somehow link to "cross certification"? I need some documentation, a plain and simple explanation, and maybe even a manual on how to establish one.

Any suggestions appreciated!

App/Software Blacklist


Hi

I am looking for some Microsoft recommendation / blacklist of software which shouldn't be installed on Windows Server.

But I am not sure if such a list exists.

Can I have more than one Enterprise Root CA in my domain?


I am working on an AD upgrade and need to decommission a domain controller that is also the enterprise root CA. I'm planning on separate servers for the CA role and AD DS roles for the upgraded environment. To complicate matters, I can't use the old computer name for the new CA because we are changing our system naming convention. I have read the MS migration doc (Windows_Server_2008_R2_ADCS_Migration.doc) along with many other step-by-steps, and actually tested a migration to a new server/different hostname in a small test lab, and I didn't like the results. Mostly I didn't like that the CA name was still the old system name, but I also had issues with the CRL publication URLs, which freaked out my Exchange certs. I also didn't have nearly as many certs issued because the lab was very small.

What I'd like to do is set up a new second enterprise root CA in my domain and manually issue replacement certs from the new CA for the ones that are already out in my environment. There's not a huge number of certs issued from our CA (<100), so it shouldn't be too bad reissuing and applying new ones, assuming I would only have to do that for Web Server certs.

So on to my questions. 

  1. Is there any harm or things to be careful of with having two enterprise root (issuing) CAs?
  2. How do I make auto-enrollment start happening on the new CA with the old one still up?
  3. What do I do, if anything about the non-webserver certs that are issued?  There are a few Administrator certs, Domain Controller certs for all of the DCs, and quite a few EFS certs for users.  I think the EFS certs are auto-enrolled because I know most if not all of these users are not encrypting files.  I have an EFS cert issued to my user object and I have never encrypted files.

Sorry to sound so lost here, but I have very little knowledge of certificate services, and since I'm the AD guy I have to get over this CA hurdle too.

I truly appreciate any and all guidance here!

Jon


Jon Holtke ~ IT Systems Specialist ~ UC Health

How to give rights to get certificates from another domain?


Hi!

I have two domains — with administrative accounts(ADM) and domain with resources(RES).

Domain RES trusts domain ADM, so users from ADM can login to domain RES.

ADM does not trust RES.

Our PKI servers are in RES domain.

Is there any way to give adm-users rights/ability to get certificates from RES PKI?



Minimum permission required to execute "Backup-CARoleService -path -DatabaseOnly"


Hi,

I am on a mission to create a scheduled task to back up a CA. I want the scheduled task to run as a user with minimum permissions on the server. What are the minimum permissions required for this user to be able to execute "Backup-CARoleService -path <some_path> -DatabaseOnly"?

Best regards,

Jim

Replacing 2008 R2 Certificate server with missing CA PFX keys.


We have a single Windows 2008 R2 Certificate server, upgraded from CSP to KSP and from SHA-1 to SHA-256 in 2017. As Windows 2008 R2 is near end of support, we tried to migrate the Certificate Authority onto a Windows 2019 server; however, this failed due to missing CA PFX keys.


Now we have only option to install Windows 2019 CA server in parallel to Windows 2008 R2 CA server and decommission Windows 2008 R2 CA server.

Here are my questions:

If we install Windows 2019 Standalone certificate server, is there anyway we can import existing certificates from 2008 R2 to 2019 server?

If not, do we need to maintain 2008 R2 server online or can we retire 2008 R2 and start using 2019 server as certificate issuing server?

If we retire the 2008 R2 server, what happens to existing certificates deployed on client machines? Will they still be valid until the certificate expiry date?

I appreciate your help and time for smooth transition from 2008 r2 to 2019 in our case and any best resources with step-by-step instructions much appreciated.

Thanks in advance


Tek-Nerd

Optional TPM Key Attestation failing ERROR_BAD_ARGUMENTS


We have a range of Windows 10 computers in our estate - some with no TPM chip, some with TPM 1.2, and some with TPM 2.0.

I want to configure a certificate template to optionally perform TPM Key Attestation if the client is capable, to enable clients that support TPM Key Attestation to do so whilst we phase out non-capable devices.

AD CS exposes the certificate template option "Required, if client is capable":

Allows users on a device that does not support TPM key attestation to continue enrolling for that certificate. Users who can perform attestation will be distinguished with a special issuance policy OID. Some devices might not be able to perform attestation because of an old TPM that does not support key attestation, or the device not having a TPM at all.

The certificate template is configured as follows:

  • Compatibility Settings

    • Certification Authority: Windows Server 2016
    • Certificate recipient: Windows 8.1/Windows Server 2012 R2
  • Request Handling

    • Purpose: Signature and encryption
    • Allow private key to be exported: No
    • Archive subject's encryption private key: No
  • Cryptography

    • Provider category: Key Storage Provider
    • Algorithm name: RSA
    • Minimum key size: 2048
    • Providers:
      • Microsoft Platform Crypto Provider
      • Microsoft Software Key Storage Provider
    • Request hash: SHA1
  • Key Attestation

    • Required, if client is capable
    • Perform attestation based on:
      • User credentials
    • Perform attestation only (do not include issuance policies)

When enrolling for this certificate template on a computer without a TPM chip, the request fails with error:

An error occurred while enrolling for a certificate. A certificate request could not be created.

Url: ad1.corp.contoso.com\Contoso Root CA

Error: One or more arguments are not correct. 0x800700a0 (WIN32/HTTP: 160 ERROR_BAD_ARGUMENTS)

If Key Attestation is turned off (Required, if client is capable > None), the enrollment succeeds. The PKI is otherwise healthy (CDP/AIA accessible, CRLs valid etc), and there is no block on Issuance Policy issuance (e.g. 'Endorsement Key Certificate Verified' can be manually issued into a certificate).


Configurable Code Integrity Policy = Enabled, Reboot required = Yes


Hi,

How do I verify that Code Integrity was successfully applied on a server? After I reboot the server and check the event log, it still requires a reboot; it seems like Code Integrity is not applied even after the reboot.

Is it normal ?




Understanding PKI infrastructure and how it works - migration


Hi, 

We have the following:

Offline Root CA - 2008r2 SHA1

Online Issuing CA - 2008r2 SHA1

Plan:

We are planning on migrating from server 2008r2 to 2019. I am following Microsoft migration document. Once this is done a week or so later we plan to change from SHA1 to SHA2. We will be migrating from 2008r2 to 2019 and not changing server name.

Questions.

1) I want to understand how certificates auto-renew themselves. I cannot find any GPO, so I am not sure exactly how this works. Does the CA control this, AD, or the actual cert?

2) From the above migration plan, if I am to remove the SubCA from the domain and change the computer name so that I can add this to the new 2019 server. In the case of a migration failure, what is the best way to roll back?

Thanks

retiring an old CA authority and adding two new ones


Hi, can you guys comment on this or shed some light on an issue I'm having in this scenario? I have an AD environment with 3 domain controllers: one is a Windows 2008 R2 Enterprise DC (this is the current CA and I wish to remove it), another DC is a Windows 2012 R2 server (this one is my RID, PDC and infrastructure master), and lastly I have another DC, a Windows 2016 Standard server. The domain is at the 2008 R2 functional level.

The goal is to remove the 2008 DC server so I need to remove the CA role first.  

questions:

1 - Is it as simple as installing the CA roles on both the 2012 and 2016 DCs? Is there anything that needs to be saved from the old 2008 CA server to import into the CAs being installed on the other two DCs? Or can they just be installed from scratch without any repercussions on the clients in the domain?

2- Would I need to retire the old 2008 DC before I can change the functional level of the domain?

I would appreciate it if someone could comment on Q1 as that is the most pressing right now.

What say you?

Thanks,  Wil

PKI Implementation


Hi,

We are trying to implement PKI-based security for our network infrastructure to provide certificates for RDP services. However, the RDP client is still not receiving a certificate from the SubCA. Our PKI infrastructure is based on Yung Chou's article "Enterprise PKI with Windows Server 2012 R2 Active Directory Certificate Services". The RDP template we followed is from the link below. Any help will be much appreciated. Thank you!


IPSEC encryption


Hello!

When creating connection security rules administrators can configure various authentication options (as well as many others)...

...but not encryption - there's no such tab in the rule's properties.

The only way to enable encryption I'm aware of is configuring IPSec defaults:

In this case all the rules that exist in the single GPO will be affected by these IPSec defaults but different rules may have different requirements in regard to encryption.

Q: Is there a way to enable/disable ESP encryption on per-rule basis?

Thank you in advance,
Michael

certutil.exe -addstore Disallowed sst


Hi

During a security scan, the tool found that

HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\e1f3591e769865c4e447acc37eafc9e2bfe4c576 is missing

because the servers don't have access to the internet and don't download the CTL. I followed the link:

https://technet.microsoft.com/en-us/library/dn265983.aspx#BKMK_PrepServer

but it describes how to create a subset of trusted certs, and I need to create a subset of UNtrusted certs.

I also tried using certutil but got the following

C:\Users\xxx>certutil -addstore Disallowed \\xxx\source\ctl\disallowedcert.sst
Disallowed
CertUtil: -addstore command FAILED: 0x8009310b (ASN: 267)
CertUtil: ASN1 bad tag value met.

Does anyone have an automatic way to do this?

Windows Hello for Business with On-Prem MFA


Hello,

I have spent a considerable amount of time working on getting WHB working with On-Prem MFA.

Here is what works:

The MFA SDK

The MFA User Portal (users can login to the portal and they are 2FA authenticated)

The MFA UI: I can go in there and click test on people's profiles and it will test their 2fa

Here is what I am seeing:

I am already logged into my PC so I have no idea why it is asking me for authentication here:

Finally:

Event viewer on the AD FS server:

Encountered error during OAuth token request. 

Additional Data 

Exception details: 
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthInteractionRequiredException: MSIS9452: Interaction is required by the token broker to resolve the issue. The request requires fresh authentication.
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.HandleJWTBearerAccessTokenRequest(OAuthJWTBearerRequestContext jwtBearerContext, SessionSecurityToken ssoSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ProcessJWTBearerRequest(OAuthJWTBearerRequestContext jwtBearerContext)

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
OAuthAuthorizationProtocol 

Relying Party: 
urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A 

Exception details: 
Microsoft.IdentityServer.Web.Authentication.AuthenticationMethodUnavailableException: The selected authentication method is not available. Choose another authentication method or contact your system administrator for details.
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Does anyone know if there are other places in the logs that I can look at?


Request an Active Directory Certificate


Hi,


We are looking into configuring Oracle with AD integration for login, and are following these steps: https://www.dbaplus.ca/2018/08/oracle-database-18c-password.html


Step 5 there says "Request an Active Directory Certificate for a Secure Connection": run the certutil utility on the Active Directory server to export the certificate. So we run the command "certutil -ca.cert cacert.bin"

But this fails with the information

Certutil: No local Certification Authority; use -config option

Certutil: No more data is available

We have a CA system, and the domain controller has a "Domain Controller Authentication" certificate, so what am I missing?

Thanks for reply


/Regards Andreas
