Channel: Security forum

Bad Data. 0x80090005 Occasionally


Hi everyone,

Occasionally, I would get the following error while I was trying to submit a CSR to my subordinate CA.

Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)

Whenever I got this error, I would just need to restart my subordinate CA service and I will be able to submit the CSR successfully without any error. My subordinate CA is integrated with an HSM and I got exactly the same setup in a test environment as well but my test environment did not encounter this error once before.

Although this error did not affect my operation, I would like to know what caused it, but I did not see any critical error in my Windows logs. Can anyone shed some light on this?

Thanks in advance


steps to renew root, subordinate, and issuing CA certificate authority in Windows 2008 R2 PKI infrastructure


Hello Experts,

We do have a PKI infrastructure in place running Windows 2008 R2; the AD forest/domain functional levels are Windows 2008 R2. All DCs and certificate servers are Hyper-V VMs running Windows 2008 R2.

I would like to get some sort of high-level steps and documentation/blog/link on how to renew the root, subordinate and issuing CA certificates in a production environment.

In addition to that, I would like to be able to perform a test by requesting a new certificate from the renewed PROD CA environment and ensure the newly issued cert is trusted by other servers.

Your thoughts?


Franki

Disable Legacy TLS not available


Dear security folks,

We are very happy about "Disable Legacy TLS" which is described at https://docs.microsoft.com/en-us/security/disable-legacy-tls. This hopefully ends the cipher configuration using IIS Crypto.

Unfortunately, the option isn't available on our servers. We run Windows Server 2019 version 17763.805. According to the article mentioned above, the new feature became available with version 17763.404.

In IIS UI, the checkbox is missing.

In PowerShell, "$TLS = [Microsoft.Web.Administration.SslFlags]::DisableLegacyTLS" returns:

Unable to find type [Microsoft.Web.Administration.SslFlags].
At line:1 char:8
+ $TLS = [Microsoft.Web.Administration.SslFlags]::DisableLegacyTLS
+        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Web.Administration.SslFlags:TypeName) [], RuntimeException
    + FullyQualifiedErrorId : TypeNotFound

Is there anything special I need to do in order to get "Disable Legacy TLS" working? As said, IIS Crypto has been used on the servers before, but I was hoping that's not an issue.

Regards,
MPIDR


Setup New ADCS and My Clients Won't Auto Enroll Certificates


I've added AD CS to one of my 2016 Domain Controllers, and my clients are unable to auto-enroll for their certificates, with the following errors:

EventID 82-Microsoft-Windows-CertificateServicesClient-CertEnroll
Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {4DEA8FDD-7D74-4F76-816C-F91F067ACCED} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for template: SCCMClientCertificate

Event 13- CertificateServicesClientEnroll
Certificate enrollment for Local system failed to enroll for a SCCMClientCertificate certificate with request ID N/A from <server name>\<server CA> (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).

Event 6- CertificateServiceClient-AutoEnrollment

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.


Here's what I've tried so far:

Checked the permissions on the Public Key Services node of ADSS.  Everything looks good there.  The ADCS server has the correct level of permissions for each of the objects.

Checked the firewall on the ADCS server. I have a rule that allows any traffic from my subnets to any port/application/protocol on my ADCS server. I've tested with the firewall disabled and got the same results.

nltest /sc_verify:<my domain name> (used my actual domain name)

Flags: b0 HAS_IP  HAS_TIMESERV
Trusted DC Name \\<my domain name>
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully

certutil -config - -ping: my CA shows up

<my CA server>\<my CA>
Connecting to <my CA server>\<my CA> ...
Server "<my CA>" ICertRequest2 interface is alive (63ms)
CertUtil: -ping command completed successfully.



Security on network drives


I have a NAS drive (a Zyxel NSA310) on my network which I am trying to use for backup. Whenever I try to access this drive from a Windows computer connected to the same LAN (e.g. to create a new folder on the NAS) it says "you need authorisation to do that". How do I get authorisation? The Zyxel drive only seems to allow me to create permissions for local users. If I am logged onto my Windows PC as \\ROWAN_XPS8700\RowanB, and I have an account on the NAS as \\NSA310\RowanB, when I try to access the NAS, does it use the permissions that I have set for \\NSA310\RowanB, or does it treat me as an unknown user, and therefore block me? How do I access the NAS as the user \\NSA310\RowanB when I am logged into ROWAN_XPS8700?

To be honest, it would be much easier for me if the whole of Windows Security could be completely turned off. There is no-one on my network who is trying to break into anyone else's confidential information. Therefore all this security stuff, which gets more and more complicated and difficult with each Windows release, accomplishes absolutely nothing for me other than preventing me from doing things that I need to do (like backing up my data).

Thanks - Rowan

Server 2016 / 2019 Firewall "Cast to Device" enabled by default


So, just looking through the firewall rules that are enabled by default on a clean 2016/2019 server installation, I am noticing many "Cast to Device" inbound rules enabled by default, i.e. "Cast to Device streaming server", etc. I am floored that this would be enabled by default.

Can someone tell me why these rules would be enabled by default? Is this tied to some required system process that I'm not aware of?

Server 2012 R2 - PKI CertSrv site missing & certdat.inc missing - Web Enrollment installed


Hello,

While I've been working on our sub PKI server (Issuing CA), I noticed that there was no website for CertSrv, even though the Certification Authority Web Enrollment role is installed.

I've read through a few docs that said you can use certutil -vroot to create the website and directories. I executed the command and it did indeed create the directories, but when I tried to browse to the website it gave a 403 - Forbidden: Access is Denied error.

I noticed the IIS site is pointing to c:\Windows\System32\CertSrv. 
I went and checked out this location and this is what is in the root directory:

I opened en-US and noticed that most of the files are in that folder. However, looking at the default.asp file, I also noticed that it's referencing certdat.inc. I cannot find this file anywhere on the server, and it's definitely not in the en-US folder, nor in the CertSrv folder as shown above.

I've also read that I need to change the IIS site to point to c:\windows\system32\certsrv\en-us as well, but then I get an HTTP 500 Internal Server Error and see this:

I've verified a few other things, such as changing NTLM to be the first provider for the Windows Authentication. Another suggestion said to "Enable Parent Paths" within the ASP settings on the Default Web Site.

But perhaps without the certdat.inc file, nothing will work at all regardless. I'm not sure what to do, or how to even get the certdat.inc file with the roles already installed on the server.

Any thoughts?

EDIT: Also see the default.asp file has this line at the top:

<%' certdflt.asp - (CERT)srv web - (D)e(F)au(LT).

I don't see a certdflt.asp file within en-US either.


Publish CA certificate in BASE64 ASCII format instead of DER encoded binary


Hi,

When my ADCS CA (Windows Server 2016) publishes the CA certificate to AIA, it's DER binary encoded. Is it possible to get the CA to publish in Base64 format instead?

Best regards,

Jim


Enabling LDAPS with certificate from a 3rd party CA


Hi All

I have an Active Directory environment in Amazon and I would like to enable secure LDAP on the domain controllers.

Is it possible to get the LDAPS certificate from a third-party CA and install it on the domain controllers? Will it work?

Kindly advise. Thanks!!


Windows security "more choices" prompt MISSING on all domain joined computers in all browsers - SharePoint and some AD authenticated sites


On any computer joined to my domain (Windows 10, Server 2016, Server 2019), in IE, Chrome and Edge I cannot authenticate against sites associated with other Windows domains: SharePoint and Remote Desktop in particular.

In the MS browsers I do not get the "More Choices" prompt where I could put another account. In Chrome I get a login prompt but the site cannot be reached. See screen shots attached.

I have tried all sorts of combinations of SSO settings in the browsers and turned off everything possibly related.

A non-domain joined computer in the same network (so not a firewall issue) can access all the sites and has the "more choices" prompt in the windows security dialogs. 

Here is what I want to see (from a non-domain computer):

Windows security prompt on non-domain computer with "More Choices"

Here is what I get on all my domain-joined systems (the domain is my local domain):

IE missing "More Choices" on domain-joined system

Thanks for any help.


CarolChi

Lateral log ons.


We are using Rapid7 to gather security logs from our Windows servers, and we are seeing lots of alerts where a user account is logged onto a workstation other than their own (event ID 4624). The logon type is type 3 (network), but there is no reason that one user would be logging onto another's PC by any means. I can see the detail of the logon event, but what I don't see is the application or mechanism used to initiate the logon. Is there any way to find this? Either by way of another event ID that might be generated or some other way.

I need to confirm whether this is just some normal Windows behaviour or a process, etc. moving laterally.
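As an added example (not from the poster or Rapid7), the triage logic a defender can run over exported 4624 records to separate peer-to-peer network logons from ordinary ones. It assumes the 4624 field names (TargetUserName, LogonType, WorkstationName, Computer, IpAddress); the events and the "WS-" workstation naming convention are constructed for the example.

```python
"""Flag 4624 LogonType 3 events where a user's account lands on another
end-user workstation it never logs on to interactively.
Added example; the event records below are constructed, not real logs."""
from collections import defaultdict

# Constructed sample in 4624 field names; values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS-ALICE.corp.local", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "LogonType": 2, "WorkstationName": "WS-ALICE", "IpAddress": "-"},
    {"EventID": 4624, "Computer": "WS-BOB.corp.local", "TargetUserName": "bob",
     "TargetDomainName": "CORP", "LogonType": 2, "WorkstationName": "WS-BOB", "IpAddress": "-"},
    # alice's account arriving on bob's workstation over the network: worth a look
    {"EventID": 4624, "Computer": "WS-BOB.corp.local", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "LogonType": 3, "WorkstationName": "WS-ALICE", "IpAddress": "10.0.0.11"},
    # bob reaching a file server: ordinary network logon, not peer-to-peer
    {"EventID": 4624, "Computer": "FS01.corp.local", "TargetUserName": "bob",
     "TargetDomainName": "CORP", "LogonType": 3, "WorkstationName": "WS-BOB", "IpAddress": "10.0.0.12"},
    # machine-account and anonymous noise that the rule must ignore
    {"EventID": 4624, "Computer": "WS-BOB.corp.local", "TargetUserName": "WS-ALICE$",
     "TargetDomainName": "CORP", "LogonType": 3, "WorkstationName": "WS-ALICE", "IpAddress": "10.0.0.11"},
    {"EventID": 4624, "Computer": "WS-BOB.corp.local", "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "LogonType": 3, "WorkstationName": "-", "IpAddress": "10.0.0.11"},
]

INTERACTIVE_TYPES = {2, 10, 11}   # console, RDP, cached console
WORKSTATION_PREFIXES = ("WS-",)   # hypothetical naming convention for end-user PCs


def hostname(fqdn):
    return fqdn.split(".")[0].upper()


def is_noise(ev):
    return ev["TargetUserName"].endswith("$") or ev["TargetDomainName"] == "NT AUTHORITY"


def interactive_hosts(events):
    """Map each user to the hosts they log on to interactively (their 'home' PCs)."""
    hosts = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4624 and ev["LogonType"] in INTERACTIVE_TYPES and not is_noise(ev):
            hosts[ev["TargetUserName"].lower()].add(hostname(ev["Computer"]))
    return hosts


def flag_lateral(events):
    """Return (user, source_workstation, target_host, source_ip) for type-3 logons
    onto an end-user workstation that is not one of the user's own interactive hosts."""
    home = interactive_hosts(events)
    flagged = []
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] != 3 or is_noise(ev):
            continue
        user, target = ev["TargetUserName"].lower(), hostname(ev["Computer"])
        if target.startswith(WORKSTATION_PREFIXES) and target not in home.get(user, set()):
            flagged.append((user, ev["WorkstationName"].upper(), target, ev["IpAddress"]))
    return flagged


if __name__ == "__main__":
    for hit in flag_lateral(SAMPLE_EVENTS):
        print("review: %s from %s -> %s (source %s)" % hit)
```

The output only narrows the alerts to the ones worth following up; 4624 itself does not record the initiating process, so that has to come from the source workstation.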

Delegation control - moving Computer objects results in Access Denied


Hi

This one is driving me around the bend, I thought I had a handle on doing delegated permissions in AD but I can't figure out what is causing this issue.

Scenario: new 2016 AD, with a new OU called "Company Computers" that has been configured as the default OU where newly domain-joined PCs will appear. Under this OU is a child OU called "Windows 10". All I want to do is move the newly created computer objects from the parent OU "Company Computers" to the child OU "Windows 10". Simple, eh? Hmm... that's what I thought.

The delegation has been configured with a security group at the parent OU and has "Create Computer Objects" and "Delete Computer Objects" and "Write" access.  The child OU is configured exactly the same.

When I view the security of the parent OU I can see the permission is set correctly:

However if I look at the effective access on a user that is a member of that group I get this:

Which of course means if I try and move a computer object from the parent to the child OU I get an access denied message.

Looking at the effective access of the child OU both permissions are set to allowed.

Any thoughts on why this is happening? I assume something is overriding the delegated permissions somewhere, but I can't see where.

Just for info, I can move the objects around with no problem when logged in as a domain admin.

Cheers

Rob

The revocation provider failed with the current configuration on OCSP Sever


Hi All,


We have two OCSP servers configured; one is working fine and on the other I am getting the error.

Error:

Type: Microsoft CRL-based revocation status provider
The revocation provider failed with the current configuration. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE), 0x80092013

EventVWR Error: For configuration Issuing Certificate Authority 01, Online Responder revocation provider either has no CRL information or has stale CRL information.

I have checked the CRLs on both servers; they are updated and valid.

Could you please assist me in troubleshooting this error? Any help will be appreciated.

Thanks,

Roshan Kumar


Disable creation of VPN "*Session" credential in Credential Manager without disabling all of Credential Manager?


Is there a way to disable creation of the VPN "*Session" credential in Credential Manager without disabling all of Credential Manager?

I know that you can disallow storing all domain creds in Credential Manager by setting the following registry entry to 1 (but this doesn't fix my issue):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

Value Name: DisableDomainCreds

Value Type: REG_DWORD

Value: 1

On my Windows 8 Enterprise workstation, I use mapped drives with one domain account and Outlook with a different domain account. Using the fix above fixes my issue with mapped drives (after sleep mode, I reconnect to VPN and my mapped drives won't reconnect until I delete the '*Session' credential), but then I cannot use Outlook at all. Note: I do not log on to Windows 8 with either of the domain accounts mentioned above (I use a local admin account), and I do not 'save my password' in Outlook.



ADLDS - Which encryption is used ?


Hello all,

We use an AD-LDS instance with default installation on a Windows Server 2016.

I can't find on TechNet which encryption is used to store users' passwords.

Do you have the answer?

Thanks in advance




Does Microsoft have an official timeline to distrust SHA-1 throughout Windows in all contexts?


https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx?PageIndex=2

My question is regarding the following statement in the "Phase 3 - Today" section of the above Microsoft article:

"Long-term, Microsoft intends to distrust SHA-1 throughout Windows in all contexts. Microsoft is closely monitoring the latest research on the feasibility of SHA-1 attacks and will use this to determine complete deprecation timelines."

I have a Windows application that supports SHA-1 and SHA-384 client certificates. All new client certificates for the application are issued with SHA-384. Most of my existing clients have SHA-1 certificates, and as those certificates expire, I will be issuing them a SHA-384 certificate. The SHA-1 expiration dates vary: some will expire this year and some a little later (not more than a couple of years).

I would like to know how long I have to get all of my SHA-1 clients updated to SHA-384.  Does Microsoft have an official timeline yet to distrust SHA-1 throughout Windows in all contexts?  The article above was last updated in September 2017, so I wonder if there is any new information regarding timelines.

Update Windows Server 2008R2


I would like to know whether Microsoft has planned to release the latest updates for Windows Server 2008 R2 on Tuesday 14 January 2020, or whether the latest available updates are those of December.

Thank you

Certificate Authority Not Signing New Certificate for LDAPS


Hello

Hoping someone has run across this issue. I have a CA infrastructure I am trying to leverage to enable SSL over LDAP. On my subordinate I copied the Kerberos Authentication template in order to create a new one. For the most part I have left all the generic settings in place. Items altered are as follows:

1. On the Subject Name tab I selected "Supply in the request". Prior to doing this I also tried "Build from this Active Directory information" and filled in the options accordingly.

2. Altered my validity period to 10 years

3. My minimum key size under the Cryptography tab is 2048

4. Set the key to be exportable

On the request side the following has been configured:

1. Subject tab: added Common Name and the other information provided here. Under Alternative Name I added DNS and IP address.

2. On Extensions I added Server and Client Authentication

3. Finally the key size is 2048

Everything else is configured with the default settings.

When I generate a request it completes, but no key is added to the cert in the logs.

I do however see a Schannel error 36869.

I have revoked and tried reinstalling but continue to get the same error. Has anyone else run across this issue?


Phillip Mathews

Root CA Migration from 2008 R2 to 2016


We have an Enterprise Root CA server running 2008 R2 (no subordinates). I'd like to build a 2016 server and make it our new Root CA. I've read a number of articles on how to do this but am not clear on whether the name of the new server should match that of the old one.

Based on the article below, I believe you should first decommission your "old" CA server, rename it, and then rename your new one so it has the same name as your old one did (then install the CA stuff). It sounds like it saves you quite a bit of work if you do it that way (you can basically skip having to grant permissions on the AIA and CDP containers in AD).

I am curious if that is the method folks have used. The article I reference below is several years old but my understanding is that this process really hasn't changed.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140(v=ws.10)#BKMK_GrantPermsAIA

Log in error to shared folders


We just installed a new Windows 2019 Standard server. We cannot open shared folders on a Synology NAS. Synology tech said to update the domain and domain users and to be sure the time between the server and the NAS is the same, which we did. However, we still cannot open a shared folder. Synology said it was a Microsoft Windows security error.
