Channel: Security forum

Kerberos Pre-Auth Lockouts

I have been getting locked out of my admin account every 1 hour and 1 second since changing my password. Before changing my password I enabled FIPS on the domain controllers. My account will stop locking out if I go to account settings and disable Kerberos Pre-Authentication. The funny thing is setting my password back to what it was did not fix the problem. If I turn off Kerberos Pre-Auth it doesn't lock; turn it back on and it locks every hour.

I did all the normal stuff. Checked processes, scheduled tasks, mapped drives, logons from other machines, etc. I don't have any creds stored in credential manager and I even wiped out my local profile.

I created a scheduled task that gets triggered off a 4740 lockout event. Why? So I can see if someone is brute forcing our domain. The scheduled task has my domain admin account as the author but is setup to run as a service account. I can see in the security events that it locks my account then right after the service account runs this task. I'm not logged on anywhere else in the domain and the lockouts are coming from the domain controller.

I created a second domain admin account, changed the password, and this one is not getting locked out. 

In the registry the only two credentials that are stored are for service accounts. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CredWom 

Here is the event, slightly modified by me. It doesn't tell me the process that is locking me out.

A user account was locked out.

Subject:
Security ID:  SYSTEM
Account Name:  DOMAINCONTROLLER$
Account Domain:  DOMAIN
Logon ID:  0x3E7

Account That Was Locked Out:
Security ID:  DOMAIN\joe.alves.adm
Account Name:  Joe.Alves.Adm

Additional Information:
Caller Computer Name:  DOMAINCONTROLLER

Here is one of the Kerberos Pre-Auth errors before the lockout.

Kerberos pre-authentication failed.

Account Information:
Security ID: Domain\Joe.Alves.Adm
Account Name: Joe.Alves.Adm

Service Information:
Service Name: krbtgt/mwglan01

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Here is an example of how my scheduled tasks are setup. I am the author of these but my account is not used to run them.

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2019-02-24T12:26:17.8640552</Date>
    <Author>Domain\joe.alves.adm</Author>
    <Description>E-mails notification when account is locked out.</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>HighestAvailable</RunLevel>
      <UserId>Domain\SVCTask SchedulerDC</UserId>
      <LogonType>Password</LogonType>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-command C:\Scripts\4740_Lockouts.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
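The pattern in this post (4771 failures with failure code 0x18, pre-auth type 2, client address ::1, recurring on a fixed period) is what a stored credential on the DC itself produces, so here is an added detection example, not code from the post, that parses 4771 event XML and flags accounts whose failures recur on a steady cadence from the loopback address. The sample events are constructed; the EventData field names (TargetUserName, IpAddress, Status, PreAuthType) are the ones Windows uses for event 4771.

```python
"""Flag a process-driven Kerberos pre-auth failure pattern from 4771 events.

Parses Windows Security event XML for Event ID 4771 (Kerberos
pre-authentication failed), groups the failures by account, and reports
accounts whose failures recur at a near-constant interval and come from
the loopback address. That pairing points at a credential stored on the
DC itself (service, scheduled task, mapped drive retrying an old password)
rather than at a person typing. Sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
PREAUTH_FAILED = "0x18"  # KDC_ERR_PREAUTH_FAILED: wrong password for the account


def make_4771(ts, user, addr, status=PREAUTH_FAILED, preauth_type="2"):
    """Build one constructed 4771 event in the Windows event XML schema."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>4771</EventID><TimeCreated SystemTime="{ts}"/></System>'
        "<EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        '<Data Name="ServiceName">krbtgt/EXAMPLE</Data>'
        f'<Data Name="IpAddress">{addr}</Data>'
        f'<Data Name="Status">{status}</Data>'
        f'<Data Name="PreAuthType">{preauth_type}</Data>'
        "</EventData></Event>"
    )


def parse_4771(xml_text):
    """Return the fields we need from a 4771 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4771":
        return None
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "time": datetime.strptime(stamp, TIME_FMT),
        "user": data["TargetUserName"].lower(),
        "addr": data["IpAddress"].strip(),
        "status": data["Status"].lower(),
        "preauth_type": data["PreAuthType"],
    }


def is_loopback(addr):
    """True when the KDC saw the request come from the DC itself."""
    return addr in ("::1", "127.0.0.1", "::ffff:127.0.0.1")


def find_periodic_failures(events, min_count=3, max_jitter=0.05):
    """Group 0x18 failures per account and flag those with a steady cadence.

    max_jitter bounds the coefficient of variation of the gaps between
    consecutive failures: a scheduler fires with almost no drift, a human does not.
    """
    by_user = defaultdict(list)
    for ev in events:
        if ev and ev["status"] == PREAUTH_FAILED:
            by_user[ev["user"]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        if len(evs) < min_count:
            continue
        evs.sort(key=lambda e: e["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[user] = {
                "count": len(evs),
                "period_seconds": round(avg),
                "all_loopback": all(is_loopback(e["addr"]) for e in evs),
                "preauth_types": sorted({e["preauth_type"] for e in evs}),
            }
    return findings


def analyze_sample():
    """Constructed sample: one account failing every 1h01s from ::1, one noisy person."""
    base = datetime(2019, 2, 24, 12, 0, 0)
    period = timedelta(hours=1, seconds=1)
    xml_events = [
        make_4771((base + i * period).strftime(TIME_FMT), "Joe.Alves.Adm", "::1")
        for i in range(4)
    ]
    # Irregular failures from a workstation address: someone mistyping a password.
    for offset in (timedelta(minutes=7), timedelta(minutes=9), timedelta(hours=3)):
        xml_events.append(make_4771((base + offset).strftime(TIME_FMT), "alice", "::ffff:10.0.0.23"))
    return find_periodic_failures(parse_4771(x) for x in xml_events)


if __name__ == "__main__":
    for user, f in analyze_sample().items():
        print(f"{user}: {f['count']} failures every {f['period_seconds']}s, "
              f"loopback={f['all_loopback']}, pre-auth types={f['preauth_types']}")
```

On a real DC, feed the function the XML of each 4771 returned by Get-WinEvent for the Security log; a flagged account whose failures are all loopback narrows the search to services and scheduled tasks on that DC.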

Security on network drives

I have a NAS drive (a Zyxel NSA310) on my network which I am trying to use for backup. Whenever I try to access this drive from a Windows computer connected to the same LAN (e.g. to create a new folder on the NAS) it says "you need authorisation to do that". How do I get authorisation? The Zyxel drive only seems to allow me to create permissions for local users. If I am logged onto my Windows PC as \\ROWAN_XPS8700\RowanB, and I have an account on the NAS as \\NSA310\RowanB, when I try to access the NAS, does it use the permissions that I have set for \\NSA310\RowanB, or does it treat me as an unknown user, and therefore block me? How do I access the NAS as the user \\NSA310\RowanB when I am logged into ROWAN_XPS8700?

To be honest, it would be much easier for me if the whole of Windows Security could be completely turned off. There is no-one on my network who is trying to break into anyone else's confidential information. Therefore all this security stuff which gets more and more complicated and difficult with each Windows release accomplishes absolutely nothing for me, other than prevent me doing things that I need to do (like backup my data).

Thanks - Rowan

Specify / find out the cipher family of a CA

Hello

I have a device that accepts the following ciphers.

TLS_RSA_WITH_AES_256_GCM_SHA384:
TLS_RSA_WITH_AES_128_GCM_SHA256:
TLS_RSA_WITH_AES_256_CBC_SHA256:
TLS_RSA_WITH_AES_128_CBC_SHA256:
TLS_RSA_WITH_AES_256_CBC_SHA:
TLS_RSA_WITH_AES_128_CBC_SHA:

I need to choose which one to use for encrypting these endpoints.
How can I make sure my CA is using the right cipher family? Either GCM or CBC?

The intermediate CA is a Windows Server 2012 R2 and is generating sha256WithRSAEncryption.

So that would restrict the choice to the 2nd only. Am I correct in saying that my CA is using CBC because that's the first one available in the SSL cipher suite order list that matches what the CA has been configured to?
(Not the first one by counting the lines, but because all the others are not used, as the CA is generating sha256WithRSAEncryption.)

Thanks
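The question mixes two separate things: the TLS cipher suite a connection uses and the signature algorithm on the CA's certificate. As an added example (not from the post), the code below parses the six suite names the device offers, ranks them, and shows that the suite actually used is the first entry of the server's configured order that the client also offers; sha256WithRSAEncryption is how the CA signed the certificate and does not choose GCM or CBC.

```python
"""Classify TLS cipher suite names and model server-preference negotiation.

The suite list is the one the poster pasted (colon-separated, OpenSSL
style). A suite name encodes key exchange, bulk cipher, mode and hash;
the certificate's signature algorithm is not part of it.
"""
import re

DEVICE_SUITES = (
    "TLS_RSA_WITH_AES_256_GCM_SHA384:"
    "TLS_RSA_WITH_AES_128_GCM_SHA256:"
    "TLS_RSA_WITH_AES_256_CBC_SHA256:"
    "TLS_RSA_WITH_AES_128_CBC_SHA256:"
    "TLS_RSA_WITH_AES_256_CBC_SHA:"
    "TLS_RSA_WITH_AES_128_CBC_SHA:"
)

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_"
    r"(?P<cipher>AES|3DES_EDE|CHACHA20)_"
    r"(?:(?P<bits>\d+)_)?"
    r"(?P<mode>GCM|CBC|CCM|POLY1305)_"
    r"(?P<hash>SHA\d*)$"
)
AEAD_MODES = {"GCM", "CCM", "POLY1305"}  # authenticated modes; CBC is not one


def parse_suite(name):
    """Split one IANA-style suite name into its components."""
    m = SUITE_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    h = m["hash"]
    return {
        "name": m.string,
        "key_exchange": m["kx"],
        # Static RSA key transport has no forward secrecy; (EC)DHE does.
        "forward_secrecy": m["kx"].startswith(("ECDHE", "DHE")),
        "cipher": m["cipher"],
        "bits": int(m["bits"]) if m["bits"] else None,
        "mode": m["mode"],
        "aead": m["mode"] in AEAD_MODES,
        "hash_bits": int(h[3:]) if len(h) > 3 else 160,  # bare "SHA" is SHA-1
    }


def split_list(text):
    """Turn an OpenSSL-style colon-separated list into suite names."""
    return [s for s in text.split(":") if s.strip()]


def rank_suites(names):
    """Strongest first: AEAD (GCM) over CBC, then forward secrecy, key size, hash."""
    def strength(s):
        return (s["aead"], s["forward_secrecy"], s["bits"] or 0, s["hash_bits"])
    return sorted((parse_suite(n) for n in names), key=strength, reverse=True)


def negotiate(server_order, client_offer):
    """Server-preference selection (what Schannel does): the first suite in the
    server's configured order that the client also offered, else None."""
    offered = set(client_offer)
    for suite in server_order:
        if suite in offered:
            return suite
    return None


def summary(names):
    parsed = [parse_suite(n) for n in names]
    return {
        "modes": sorted({p["mode"] for p in parsed}),
        "any_forward_secrecy": any(p["forward_secrecy"] for p in parsed),
        "strongest": rank_suites(names)[0]["name"],
    }


if __name__ == "__main__":
    names = split_list(DEVICE_SUITES)
    print(summary(names))
    # The server's order, not the certificate, decides which one is used.
    print(negotiate(["TLS_RSA_WITH_AES_128_CBC_SHA256",
                     "TLS_RSA_WITH_AES_256_GCM_SHA384"], names))
```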

Certutil deleterow sanity check

We recently decommissioned a VDI environment with 41 VDI clients.  Each boot, the clients would request an SCCM client certificate, so over the lifetime of the environment we had over 25,000 certificates issued.

The machines are gone, deleted, and will not be brought back.  I have revoked all the certificates.  I want to use certutil to delete the rows (in order to make our revoked cert list more manageable) however I am having trouble figuring out how to structure the certutil command.

The hostnames are of the format ORG-VDI-### so doing a wildcard hostname deletion would be best, though I don't see how that can be done in certutil.  I looked into doing things with piping in powershell, but the risk of playing with it seems to outweigh the benefit.

Is there a way to perform a bulk revoked certificate row deletion by hostname, with wildcards? (If not, I can run the command 41 times, no big deal.)

Workstation unable to connect to DB server if weak ciphers are disabled

Hi Guys,

I have disabled all weak ciphers on a Windows 2012 server that has SQL 2016 installed.

1 application on the workstation is connecting to the DB on the server. We found out that if this registry key is defined on the server, the connection is being rejected.

Registry defined:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA

REG_DWORD - Enabled

value = 0x00000000

My question is:

- Was the issue on the client side? Do we also need to define registry entries on the client?

Thanks in advance

PKI: ldap:// Unable to download AIA and CDP. Using PKIVIEW.msc on a SubCA

Hi.

I have a strange problem. After a few days, my PKI structure shows an error in PKI View.

Environment: (in Azure)

2x DC 2016

1x RootCA (not member of the domain)

1x SubCA (Member of the Domain)

1x Webserver (Member of the Domain)

In PKIView on the SubCA there is an error for AIA Location #1 and CDP Location #1

Unable to download

The locations with http:// are both OK. (They are going to my webserver into a separate folder.)

I have tried now to re-publish the crt and crl again with:

certutil -dspublish -f CRLFileName.CRL CAName (Netbiosname of my RootCA)

certutil -dspublish -f CACertFileName.crt SubCA (here I'm not sure whether SubCA is correct; the first time I used RootCA.)

For both commands I get a return of "Certificate already in DS store."

What can I do now?

Best,

Lutz

Certificate Services - CES/CEP Returning Invalid Function when trying to Enroll via CES, But Can Enroll Directly to the CA

When using the ADCS CES/CEP proxy to enroll for a computer certificate, I am given the certificate template that is available, but when it goes to actually enroll I get the following error in certenroll.log in the Windows directory:

Nothing is sent to the CA; it all seems to stop at the enrollment proxy. Possibly a permissions issue? This is all running on Server 2016; the CAs are running 2016 Core.

========================================================================

402.478.948: Begin: 9/20/2018 6:41 PM 29.748s

402.483.0: MMC.EXE

402.491.0: GMT - 4.00

2005.228.0: certca.dll: 10.0.14393.2248 retail

2005.228.0: certcli.dll: 10.0.14393.2248 retail

2005.228.0: certenroll.dll: 10.0.14393.2248 retail

3000.838.0:<2018/9/20, 18:41:31>: 0x0 (WIN32: 0)

3000.839.0:<2018/9/20, 18:41:31>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2032.4369.0:<2018/9/20, 18:41:31>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY): Fetch Id

3000.838.0:<2018/9/20, 18:41:31>: 0x0 (WIN32: 0)

3000.839.0:<2018/9/20, 18:41:31>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

3000.875.0:<2018/9/20, 18:41:31>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY): PsPolicyID

437.633.0:<2018/9/20, 18:41:31>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): LDAPFlags

2720.294.0:<2018/9/20, 18:41:36>: 0x800704c7 (WIN32: 1223 ERROR_CANCELLED)

2007.238.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): XTS-AES

2007.238.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): SHA224

2007.238.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): curve25519

2047.644.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): curve25519

2047.781.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): Microsoft Software Key Storage Provider

2047.859.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): curve25519

2007.238.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP256t1

2047.644.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP256t1

2047.781.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): Microsoft Software Key Storage Provider

2047.859.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP256t1

2007.238.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP384t1

2047.644.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP384t1

2047.781.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): Microsoft Software Key Storage Provider

2047.859.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP384t1

2007.238.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP512t1

2047.644.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP512t1

2047.781.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): Microsoft Software Key Storage Provider

2047.859.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP512t1

452.856.0:<2018/9/20, 18:41:37>: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED): ECCCurveName

452.149.0:<2018/9/20, 18:41:37>: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED): ECCCurveName

2047.551.0:<2018/9/20, 18:41:37>: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)

2047.781.0:<2018/9/20, 18:41:37>: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED): Microsoft Software Key Storage Provider

2047.859.0:<2018/9/20, 18:41:37>: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED): curve25519

2007.238.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP256t1

2047.644.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP256t1

2047.781.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): Microsoft Software Key Storage Provider

2047.859.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP256t1

2007.238.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP384t1

2047.644.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP384t1

2047.781.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): Microsoft Software Key Storage Provider

2047.859.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP384t1

2007.238.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP512t1

2047.644.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP512t1

2047.781.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): Microsoft Software Key Storage Provider

2047.859.0:<2018/9/20, 18:41:37>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): numsP512t1

2007.238.0:<2018/9/20, 18:41:38>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): ECDSA_P224

2047.644.0:<2018/9/20, 18:41:38>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): ECDSA_P224

2047.781.0:<2018/9/20, 18:41:38>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): nCipher Security World Key Storage Provider

2047.859.0:<2018/9/20, 18:41:38>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): ECDSA_P224

2007.238.0:<2018/9/20, 18:41:38>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): ECDH_P224

2047.644.0:<2018/9/20, 18:41:38>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): ECDH_P224

2047.781.0:<2018/9/20, 18:41:38>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): nCipher Security World Key Storage Provider

2047.859.0:<2018/9/20, 18:41:38>: 0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO): ECDH_P224

452.695.0:<2018/9/20, 18:41:38>: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY): Microsoft Platform Crypto Provider

2017.267.0:<2018/9/20, 18:41:38>: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY): Microsoft Platform Crypto Provider

2017.1094.0:<2018/9/20, 18:41:38>: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY): Microsoft Platform Crypto Provider

2017.1112.0:<2018/9/20, 18:41:38>: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY): NCryptOpenStorageProvider

2017.349.0:<2018/9/20, 18:41:38>: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY): Microsoft Platform Crypto Provider

2017.369.0:<2018/9/20, 18:41:38>: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY): Microsoft Platform Crypto Provider

2017.1452.0:<2018/9/20, 18:41:38>: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY): Microsoft Platform Crypto Provider

2027.3410.0:<2018/9/20, 18:41:39>: 0x0 (WIN32: 0): XXX PKISupport Center RSA Class 1 Client CA G1.1

2027.3419.0:<2018/9/20, 18:41:39>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION)

2027.3410.0:<2018/9/20, 18:41:39>: 0x0 (WIN32: 0): XXX PKISupport Center RSA Class 1 Client CA G1.1

2027.3419.0:<2018/9/20, 18:41:39>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION)

2027.10578.0:<2018/9/20, 18:41:39>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2710.607.0:<2018/9/20, 18:41:39>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2013.3265.0:<2018/9/20, 18:41:41>: 0x90658 (591448)

2015.3487.0:<2018/9/20, 18:41:41>: 0x90658 (591448)

2014.5082.0:<2018/9/20, 18:41:41>: 0x90658 (591448)

2014.2996.0:<2018/9/20, 18:41:41>: 0x90658 (591448)

2009.6707.0:<2018/9/20, 18:41:41>: 0x90658 (591448)

2009.6188.0:<2018/9/20, 18:41:41>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2014.5381.0:<2018/9/20, 18:41:41>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2009.5605.0:<2018/9/20, 18:41:46>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2009.1788.0:<2018/9/20, 18:41:46>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2009.6397.0:<2018/9/20, 18:41:47>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2009.6397.0:<2018/9/20, 18:41:47>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2027.10578.0:<2018/9/20, 18:42:26>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2710.607.0:<2018/9/20, 18:42:26>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2027.8410.0:<2018/9/20, 18:42:26>: 0x80004003 (-2147467261 E_POINTER)

2044.313.0:<2018/9/20, 18:42:26>: 0x80004002 (-2147467262 E_NOINTERFACE)

2009.6707.0:<2018/9/20, 18:42:26>: 0x90658 (591448)

2009.5333.0:<2018/9/20, 18:42:26>: 0x800700aa (WIN32/HTTP: 170 ERROR_BUSY)

2009.2458.0:<2018/9/20, 18:42:26>: 0x800700aa (WIN32/HTTP: 170 ERROR_BUSY)

2040.1254.0:<2018/9/20, 18:42:26>: 0x800700aa (WIN32/HTTP: 170 ERROR_BUSY)

2009.3505.0:<2018/9/20, 18:42:26>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION): Microsoft Strong Cryptographic Provider

2009.3506.0:<2018/9/20, 18:42:26>: 0x28 (WIN32: 40): te-ENTPKI-Computer-d87ad73e-0f30-4e19-acd3-a790353430e8

2027.10578.0:<2018/9/20, 18:42:26>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2710.607.0:<2018/9/20, 18:42:26>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2027.10578.0:<2018/9/20, 18:42:26>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2710.607.0:<2018/9/20, 18:42:26>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2040.1379.0:<2018/9/20, 18:42:27>: 0x0 (WIN32: 0): te-ENTPKI-Computer-d87ad73e-0f30-4e19-acd3-a790353430e8

2044.313.0:<2018/9/20, 18:42:27>: 0x80004002 (-2147467262 E_NOINTERFACE)

2016.403.0:<2018/9/20, 18:42:27>: 0x2280000 (36175872):

2004.1422.0:<2018/9/20, 18:42:27>: 0x0 (WIN32: 0): sha1RSA

2004.1432.0:<2018/9/20, 18:42:27>: 0x0 (WIN32: 0): SHA1

2014.2136.0:<2018/9/20, 18:42:27>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2015.1302.0:<2018/9/20, 18:42:27>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2009.6686.0:<2018/9/20, 18:42:27>: 0x90658 (591448)

2014.5049.0:<2018/9/20, 18:42:27>: 0x90658 (591448)

2015.3465.0:<2018/9/20, 18:42:27>: 0x90658 (591448)

2009.6686.0:<2018/9/20, 18:42:27>: 0x90658 (591448)

2014.5049.0:<2018/9/20, 18:42:27>: 0x90658 (591448)

2007.1799.0:<2018/9/20, 18:42:27>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2015.2984.0:<2018/9/20, 18:42:27>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2015.2990.0:<2018/9/20, 18:42:27>: 0x0 (WIN32: 0): SHA1

2014.5218.0:<2018/9/20, 18:42:27>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2013.4665.0:<2018/9/20, 18:42:27>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

410.9193.0:<2018/9/20, 18:42:27>: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

410.9198.0:<2018/9/20, 18:42:27>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

3001.279.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED): KeyExchangeAction: FALSE

3001.438.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

450.198.0:<2018/9/20, 18:42:28>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION): Error

450.199.0:<2018/9/20, 18:42:28>: 0x2710 (WIN32: 10000)

450.202.0:<2018/9/20, 18:42:28>: 0x0 (WIN32: 0): https://XXXv-CEPCES-p1.XXXoc.com/XXX%20PKISupport%20Center%20RSA%20Class%201%20Client%20CA%20G1.1_CES_Kerberos/service.svc/CES

450.202.0:<2018/9/20, 18:42:28>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION): A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

450.206.0:<2018/9/20, 18:42:28>: 0x0 (WIN32: 0): Log

708.1567.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

708.2126.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

708.1819.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

708.2141.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

708.891.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

2027.2869.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED): https://XXXv-CEPCES-p1.XXXoc.com/XXX%20PKISupport%20Center%20RSA%20Class%201%20Client%20CA%20G1.1_CES_Kerberos/service.svc/CES

2027.253.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED): https://XXXv-CEPCES-p1.XXXoc.com/XXX%20PKISupport%20Center%20RSA%20Class%201%20Client%20CA%20G1.1_CES_Kerberos/service.svc/CES

2027.259.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED): The certificate request could not be submitted to the certification authority.

2027.271.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED): A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

3007.2408.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

3007.2194.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED): A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

3007.2212.0:<2018/9/20, 18:42:28>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED): An error occurred while enrolling for a certificate.

The certificate request could not be submitted to the certification authority.

 

Url: https://XXX-pkiXXX-XX.xxxxx.xx/XXX%20PKISupport%20Center%20RSA%20Class%201%20Client%20CA%20G1.1_CES_Kerberos/service.svc/CES

 

Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

3007.2670.0:<2018/9/20, 18:42:34>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED): https://XXXv-CEPCES-p1.XXXoc.com/XXX%20PKISupport%20Center%20RSA%20Class%201%20Client%20CA%20G1.1_CES_Kerberos/service.svc/CES

2027.2365.0:<2018/9/20, 18:42:34>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

450.198.0:<2018/9/20, 18:42:34>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION): Error

450.199.0:<2018/9/20, 18:42:34>: 0x825a0052 (-2108030894)

450.202.0:<2018/9/20, 18:42:34>: 0x0 (WIN32: 0): Local system

450.202.0:<2018/9/20, 18:42:34>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION): {D13B6EE7-8B66-44FD-9987-58D7AF04E6E41}

450.202.0:<2018/9/20, 18:42:34>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND): ENTPKI-Computer

450.202.0:<2018/9/20, 18:42:34>: 0x3 (WIN32: 3 ERROR_PATH_NOT_FOUND): A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

450.206.0:<2018/9/20, 18:42:34>: 0x0 (WIN32: 0): Log

2027.2400.0:<2018/9/20, 18:42:34>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

2009.3505.0:<2018/9/20, 18:42:34>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION): Microsoft Strong Cryptographic Provider

2009.3506.0:<2018/9/20, 18:42:34>: 0x30 (WIN32: 48): te-ENTPKI-Computer-d87ad73e-0f30-4e19-acd3-a790353430e8

2027.7767.0:<2018/9/20, 18:42:34>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

2032.3511.0:<2018/9/20, 18:42:34>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

2027.1541.0:<2018/9/20, 18:42:34>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2032.3664.0:<2018/9/20, 18:42:34>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

2032.3668.0:<2018/9/20, 18:42:34>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)

450.198.0:<2018/9/20, 18:42:34>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION): Error

450.199.0:<2018/9/20, 18:42:34>: 0xc25a000d (-1034289139)

450.202.0:<2018/9/20, 18:42:34>: 0x0 (WIN32: 0): Local system

450.202.0:<2018/9/20, 18:42:34>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION): ENTPKI-Computer

450.202.0:<2018/9/20, 18:42:34>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND): https://XXXv-CEPCES-p1.XXXoc.com/XXX%20PKISupport%20Center%20RSA%20Class%201%20Client%20CA%20G1.1_CES_Kerberos/service.svc/CES

450.202.0:<2018/9/20, 18:42:34>: 0x3 (WIN32: 3 ERROR_PATH_NOT_FOUND): N/A

450.202.0:<2018/9/20, 18:42:34>: 0x4 (WIN32: 4 ERROR_TOO_MANY_OPEN_FILES): A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

450.206.0:<2018/9/20, 18:42:34>: 0x0 (WIN32: 0): Log

2032.2588.0:<2018/9/20, 18:42:38>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

2032.2031.0:<2018/9/20, 18:42:38>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

2032.5186.0:<2018/9/20, 18:42:38>: 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

402.326.949: End: 9/20/2018 6:42 PM 38.608s

Why SSL certificate is always issued to COMPUTER_NAME

I have a computer called COMPUTERNAME having IP 10.0.0.20 on a domain called MYDOMAIN.LOCAL

When I open Microsoft Management Console on that computer and then request a new personal certificate then no matter what I type in CN (common name) the certificate is always issued to COMPUTERNAME.MYDOMAIN.LOCAL by our AD. Even if I define SAN, it doesn't matter.

I created a new DNS entry called MySite pointing to IP 10.0.0.20 so when user types http://MySite in browser then the site which is configured in IIS opens. This is fine so far. Now I went on to request a new certificate and there I define the following:

CN = mysite.mydomain.local
subject = mysite

Then I configured the same in IIS. Now when I open that site in the browser, whether I type https://mysite.mydomain.local or https://mysite, in both cases it shows an error that the certificate is actually issued to COMPUTERNAME.MYDOMAIN.LOCAL. Why does it always issue the certificate to the computer name?

NETLOGON Event ID 5816 & 5817

Hello everyone

We're experiencing some authentication issues with a server of ours.

For a couple of weeks we are seeing failed authentication requests for what looks like generated accounts.

For example:

id 5816: "Netlogon has failed an authentication request of account CHRISTIAN in domain (null). The request timed out before it  could be sent to domain controller \\server.ourdomain.local in domain OURDOMAIN. This is the first failure. If the problem continues,  consolidated events will be logged about every 30 minutes. Please see http://support.microsoft.com/kb/2654097 for more information."

id 5817: "Netlogon has failed an additional 129 authentication requests in the last 30 minutes. The requests timed out before they could be sent to domain controller \\server.ourdomain.local in domain OURDOMAIN. Please see http://support.microsoft.com/kb/2654097 for more information."

This happens a couple of times a day with various accounts such as COSTCO, Diana, Support, MAXIME, etc.

Is there any way we can find the source of this and block it or shut it down in case it's an infected computer?

Thanks in advance

F. Salens

The system cannot find the path specified

I made a mistake: I should have typed COPY in the command below, but I typed MOVE.

MOVE C:\Windows\System32\cmd.exe C:\Windows\System32\Utilman.exe

Now it tells me "The system cannot find the path specified".

Windows Server 2016 Failover Cluster certificate

Hi all,

As you might know, when creating a failover cluster, Windows Server 2016 generates a self-signed certificate and installs it to all nodes. 

Because these certificates expire in one year, we got monitoring alerts. To fix these alerts some certificates were removed from the cluster nodes. Since then, we've been unable to add new cluster nodes to the cluster due to schannel issues. I'm suspecting the removal of the cluster certificates to be the cause. 

Is there any way to renew or replace failover cluster certificates? I cannot find a thing on Google about this, only that Windows Server 2016 uses certificates for failover clustering. 

CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability

Add Custom RADIUS attributes

Dear All,

I'm using pfSense firewall and I'm using MS RADIUS server for authentication and Accounting. pfSense provides RADIUS attributes dictionary as following:

VENDOR		pfSense				13644
BEGIN-VENDOR	pfSense
ATTRIBUTE	pfSense-Bandwidth-Max-Up		1	integer
ATTRIBUTE	pfSense-Bandwidth-Max-Down		2	integer
ATTRIBUTE	pfSense-Max-Total-Octets		3	integer
END-VENDOR	pfSense

The Question:

How can I add these attributes? I tried adding them as vendor-specific attributes, but it's not working!

Please Advise!
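What the dictionary above describes is a set of RADIUS Vendor-Specific attributes (RFC 2865 attribute type 26) under vendor ID 13644, and those numbers are exactly what a RADIUS server such as NPS asks for when a vendor-specific attribute is defined by hand: the vendor code, the vendor-assigned attribute number and the value format (integer). The added example below, not from the post or from pfSense, parses the poster's dictionary and encodes and decodes one attribute on the wire; the dictionary text is the poster's, re-flowed one entry per line.

```python
"""Parse the pfSense FreeRADIUS dictionary and encode/decode its attributes
as RFC 2865 Vendor-Specific attributes.

On the wire each pfSense-* attribute travels inside attribute type 26 as:
  type=26 | length | vendor ID (4 bytes) | vendor type (1) | vendor length (1) | value
For an "integer" attribute the value is a 4-byte unsigned big-endian number.
"""
import struct

# The poster's dictionary, one entry per line (FreeRADIUS dictionary syntax).
DICTIONARY = """\
VENDOR\t\tpfSense\t\t\t\t13644
BEGIN-VENDOR\tpfSense
ATTRIBUTE\tpfSense-Bandwidth-Max-Up\t\t1\tinteger
ATTRIBUTE\tpfSense-Bandwidth-Max-Down\t\t2\tinteger
ATTRIBUTE\tpfSense-Max-Total-Octets\t\t3\tinteger
END-VENDOR\tpfSense
"""

VENDOR_SPECIFIC = 26  # RADIUS attribute type carrying vendor data (RFC 2865 section 5.26)


def parse_dictionary(text):
    """Return {attribute name: {"vendor_id", "number", "type"}} from
    VENDOR / BEGIN-VENDOR / ATTRIBUTE / END-VENDOR lines."""
    vendors, attrs, current = {}, {}, None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if not parts:
            continue
        keyword = parts[0].upper()
        if keyword == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif keyword == "BEGIN-VENDOR":
            current = parts[1]
        elif keyword == "END-VENDOR":
            current = None
        elif keyword == "ATTRIBUTE":
            if current is None:
                raise ValueError(f"{parts[1]} is outside a BEGIN-VENDOR block")
            attrs[parts[1]] = {
                "vendor_id": vendors[current],
                "number": int(parts[2]),
                "type": parts[3],
            }
    return attrs


def encode_vsa(attrs, name, value):
    """Build the complete Vendor-Specific attribute bytes for one integer attribute."""
    a = attrs[name]
    if a["type"] != "integer":
        raise NotImplementedError(f"only integer attributes are handled, got {a['type']}")
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("RADIUS integer attributes are unsigned 32-bit")
    payload = struct.pack(">I", value)
    vendor_tlv = struct.pack(">BB", a["number"], 2 + len(payload)) + payload
    body = struct.pack(">I", a["vendor_id"]) + vendor_tlv
    return struct.pack(">BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(attrs, blob):
    """Inverse of encode_vsa: return (attribute name, value); reject malformed input."""
    if len(blob) < 8 or blob[0] != VENDOR_SPECIFIC or blob[1] != len(blob):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack(">I", blob[2:6])[0]
    vtype, vlen = blob[6], blob[7]
    if vlen != len(blob) - 6:
        raise ValueError("vendor length does not match attribute length")
    for name, a in attrs.items():
        if a["vendor_id"] == vendor_id and a["number"] == vtype:
            if a["type"] == "integer" and vlen == 6:
                return name, struct.unpack(">I", blob[8:12])[0]
            raise ValueError(f"unexpected vendor length {vlen} for {name}")
    raise KeyError(f"unknown vendor {vendor_id} / attribute {vtype}")


ATTRS = parse_dictionary(DICTIONARY)

if __name__ == "__main__":
    vsa = encode_vsa(ATTRS, "pfSense-Bandwidth-Max-Up", 1024)
    print(vsa.hex(), decode_vsa(ATTRS, vsa))
```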

LDAPS mandatory patch in March 2020

Hi, I need some clarification regarding the mandatory LDAP signing update in March 2020 that will disable LDAP non-secure and require a valid certificate.

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

We use certificate services using a self-signed cert for LDAPS. Can we continue to use the self-signed cert after the March 2020 update, or do we have to purchase a trusted cert?

Thank you.

Configure domain joined server firewall to be accessed by specific IPs only

Hi,

I would like to configure the firewall settings of a domain joined server so that it can be accessed fully by specific IPs only. I am still new to Windows firewall but cannot just test as this is a production server.

Can someone please give me some hints on how this can be done?

Thanks in advance


CN=MS-Organization-P2P-Access [2018] expired on exchange server 2016

When I log into my Exchange server ECP I get a notification that a certificate has expired and was wondering what it was. I checked the certificates and it is the CN=MS-Organization-P2P-Access [2018] certificate that has expired. It is assigned to the IMAP and POP services. What should I do, or is it okay to remove it?

Certificate Auto-Enrollment GPO

Hi all,

I have an issue at the moment where none of our users can see our custom Workstation Authentication certificate when selecting 'automatically enroll and receive certificates'. Whenever they do, they simply see: "Certificate types are not available" and when we click on "show all templates", it simply says: "Status: Unavailable" against the one we want to use. 

I'm quite sure this is a V2/V3 template, and the GPO has Certificate Services Client - Certificate Enrollment Policy enabled, as well as Certificate Services Client - Auto-Enrollment enabled. 

I've also checked the permissions of the template and can confirm the Domain computers have read, enroll and auto-enroll permissions set and the GPO is definitely being applied to an OU with the computers listed. 

Is there anything else I can check? I've been through so many forums and have gone through everything I could find all to no avail. 

Any help with this would be greatly appreciated.


Issue disabling SMBv1 and Windows Server 2016

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

We have been disabling SMBv1 on all of our Windows boxes but have run into an issue on Windows Server 2016.  We were hopeful the issue would be resolved in the March 2017 Windows Updates given there were 2 patches addressing SMB specifically, but the issue still is present. 

Prior to disabling SMBv1, we have been “hardening” SMB to prevent SMB relay attacks:
Microsoft network server: Server SPN target name validation level
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level

We configured this group policy as ‘Required from client’ across all Windows boxes in our domain without issue.

Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Microsoft network server: Server SPN target name validation level
Off = 0
Accept if provided by client = 1
Required from client = 2

Registry:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\smbservernamehardeninglevel

After adding the additional security step of disabling SMBv1, we had no issues on Windows 7 SP1, Windows 8.1, Windows 10, Server 2012, or Server 2012 R2.

However, when we disabled SMBv1 on Server 2016 (Remove-WindowsFeature FS-SMB1), all SMB shares broke: no shares were accessible from any Windows clients. Instead of connecting to the share, a credential pop-up box is presented, and even valid credentials don't work.  The error logged is:

Log Name:      Microsoft-Windows-SMBServer/Security
Event ID:      551
Description:      SMB Session Authentication Failure
A process has requested access to an object, but has not been granted those access rights. (0xC0000022)
SPN Validation Policy: SPN required / validate full

On Server 2016, disabling (removing) SMBv1 and having Microsoft network server: Server SPN target name validation level = Required from client (2) are currently not “working together”, yet it works on the other Windows operating systems just fine.

To recreate this:
1) Test with a Domain-joined Windows Server 2016 box
2) Remove-WindowsFeature FS-SMB1 on the Windows Server 2016 box
3) GPO set or reghack on the Windows Server 2016 box: Server SPN target name validation level = Required from client (2)
4) Reboot the Windows Server 2016

Domain Admins are now unable to connect to the \\Server2016\C$ default share or any other shares from other domain-joined Windows computers.

The “temporary” fix is to configure Server SPN target name validation level = Off (0) & Reboot on Server 2016 boxes.  SMBv1 is disabled but SMB relay attacks are possible again.  :/

Has anyone else experienced this issue or is able to recreate it in their environment? 
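An added diagnostic (my own script, not from the poster) that reports the three settings the post ties together on one server: the SPN validation level from the LanmanServer registry value, the SMB1 feature/protocol state, and any recent Event ID 551 entries in the Microsoft-Windows-SMBServer/Security log. It assumes it runs elevated on the Windows Server 2016 box in question.

```powershell
# Added diagnostic (not from the original post). Assumes an elevated session on the
# Server 2016 host being examined; nothing here changes any setting.
$paramsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$levelNames = @{ 0 = 'Off'; 1 = 'Accept if provided by client'; 2 = 'Required from client' }

# Server SPN target name validation level; a missing value means the default (0 = Off)
$props = Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue
$level = if ($null -ne $props.SmbServerNameHardeningLevel) {
    [int]$props.SmbServerNameHardeningLevel
} else { 0 }

# SMB1 state: the optional feature (what Remove-WindowsFeature FS-SMB1 removes)
# and the server-side protocol switch, which can disagree with each other
$smb1Feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# Event 551 "SMB Session Authentication Failure" entries from the last day
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBServer/Security'
    Id        = 551
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# One summary object; MatchesReportedBreakage is true only for the exact
# combination the post describes: SMB1 removed, level 2, and 551 failures present
[pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    SpnValidationLevel      = "$level ($($levelNames[$level]))"
    Smb1FeatureInstalled    = [bool]$smb1Feature.Installed
    Smb1ProtocolEnabled     = $smb1Enabled
    Event551LastDay         = @($failures).Count
    MatchesReportedBreakage = ($level -eq 2 -and -not [bool]$smb1Feature.Installed -and @($failures).Count -gt 0)
} | Format-List
```

Run it on a box showing the credential prompt and on one that works to compare the three values side by side.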

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing


Hello,

Some of my clients domain controllers do not have the LdapEnforceChannelBindings key in the registry.

Does that mean there will be no impact to applications using non-secure LDAP come March 2020 patches? I am currently trying to understand the scope, as it is not very clear to me whether, if the key does not exist on DCs, it's business as usual, or whether, when the patch rolls out, we will start to see LDAP errors due to increased security hardening.

Reference:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

Security on network drives


I have a NAS drive (a Zyxel NSA310) on my network which I am trying to use for backup. Whenever I try to access this drive from a Windows computer connected to the same LAN (e.g. to create a new folder on the NAS) it says "you need authorisation to do that". How do I get authorisation? The Zyxel drive only seems to allow me to create permissions for local users. If I am logged onto my Windows PC as \\ROWAN_XPS8700\RowanB, and I have an account on the NAS as \\NSA310\RowanB, when I try to access the NAS, does it use the permissions that I have set for \\NSA310\RowanB, or does it treat me as an unknown user, and therefore block me? How do I access the NAS as the user \\NSA310\RowanB when I am logged into ROWAN_XPS8700?

To be honest, it would be much easier for me if the whole of Windows Security could be completely turned off. There is no-one on my network who is trying to break into anyone else's confidential information. Therefore all this security stuff which gets more and more complicated and difficult with each Windows release accomplishes absolutely nothing for me, other than prevent me doing things that I need to do (like backup my data).

Thanks - Rowan
