Channel: Security forum

event id 4776

Hi,

For several months we have had a lot of event ID 4776 (locked account).

In the Source Workstation field there are some exotic computer names (names that don't belong to our AD domain), associated with user accounts that don't exist in our AD either.

There is no trace in DNS or DHCP.

We don't know how to obtain more information to trace those exotic computers. How could we trace those computers?

thanks for your help!
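One way to triage the events described above, as an added example that is not part of the forum post: the script groups failing 4776 records by the self-reported source workstation and flags names that are absent from a list of known AD computers. The records and the KNOWN_COMPUTERS set are constructed; in practice the set would come from an export of the domain's computer accounts.

```python
"""Triage of Security event 4776 (NTLM credential validation) failures.

Added example, not from the forum post. The records below are constructed
samples shaped like 4776 EventData, and KNOWN_COMPUTERS stands in for an
export of the domain's computer accounts (e.g. from Get-ADComputer).
"""
from collections import Counter

# NTSTATUS values that 4776 reports in its Status field.
STATUS_USER_UNKNOWN = "0xc0000064"    # user name does not exist
STATUS_WRONG_PASSWORD = "0xc000006a"  # password is wrong
STATUS_LOCKED_OUT = "0xc0000234"      # account is locked out

KNOWN_COMPUTERS = {"WS-FIN-01", "WS-FIN-02", "SRV-FILE-01"}  # constructed

EVENTS = [  # constructed 4776 EventData records
    {"TargetUserName": "alice", "Workstation": "WS-FIN-01", "Status": "0x0"},
    {"TargetUserName": "admin", "Workstation": "WIN-7Q2M1", "Status": STATUS_USER_UNKNOWN},
    {"TargetUserName": "bob", "Workstation": "WIN-7Q2M1", "Status": STATUS_WRONG_PASSWORD},
    {"TargetUserName": "bob", "Workstation": "WIN-7Q2M1", "Status": STATUS_LOCKED_OUT},
    {"TargetUserName": "svc-backup", "Workstation": "DESKTOP-9Q3X1", "Status": STATUS_USER_UNKNOWN},
    {"TargetUserName": "carol", "Workstation": "WS-FIN-02", "Status": STATUS_WRONG_PASSWORD},
]


def triage(events, known_computers):
    """Group failed validations by the (self-reported) source workstation.

    Returns {workstation: {"known": bool, "failures": int,
                           "unknown_users": int, "targets": Counter}}.
    """
    out = {}
    for ev in events:
        status = ev["Status"].lower()
        if status == "0x0":
            continue  # successful validation; not part of the lockout picture
        ws = ev["Workstation"].upper()
        entry = out.setdefault(ws, {"known": ws in known_computers, "failures": 0,
                                    "unknown_users": 0, "targets": Counter()})
        entry["failures"] += 1
        entry["targets"][ev["TargetUserName"]] += 1
        if status == STATUS_USER_UNKNOWN:
            entry["unknown_users"] += 1  # name not in AD at all: a guess or a stale config
    return out


def unknown_sources(events, known_computers):
    """Workstation names absent from AD, most failures first."""
    t = triage(events, known_computers)
    return sorted((ws for ws, e in t.items() if not e["known"]),
                  key=lambda ws: (-t[ws]["failures"], ws))


if __name__ == "__main__":
    for ws in unknown_sources(EVENTS, KNOWN_COMPUTERS):
        e = triage(EVENTS, KNOWN_COMPUTERS)[ws]
        print(ws, e["failures"], "failures,", dict(e["targets"]))
```

The Workstation field of a 4776 event is whatever name the client put in its NTLM request, so it need not exist in DNS or DHCP; the network source is recorded on the server that accepted the logon (event 4624/4625 with the client IP address), which is where to look next.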


SHA1 CA Server

How many auto-enrollment certificate requests per second can a SHA1 Certificate Authority server process under the hardware configuration written below?

Processor: Quad Core

RAM: 8GB

We need to renew approx. 50000 certificates within 20 days; kindly suggest.



KDC Certificate Could Not Be Validated Error

I think this is the right forum for this question, but please feel free to redirect me if it is not. 

We are using Windows Hello for Business for users to sign into their computers with a PIN or Biometric. It works well for sign in 99% of the time, but every once in a while a user gets the error:

"Sign-in failed. Contact your system administrator and tell them that the KDC certificate could not be validated. Additional information may be available in the system event log."

The user gets this message on the sign in screen after using their PIN or Biometric. To resolve this, the user can sign in with their password or wait about a minute, try again, then it will work. I've also seen this work after rebooting the computer. After getting signed in again, they don't have the error message on subsequent logins. 

The odd part is that this happens very intermittently, so it's tough to troubleshoot.

Windows Hello for Business does require domain controller certificates with the KDC Authentication EKU, but I have these issued to the devices, and again, they can use it fine 99% of the time.

Googling this error didn't get me anywhere helpful, so I am hoping that someone might know why I am getting this error intermittently?

Schannel error 36874

Hi 

We are getting an error in our VDI infrastructure; it is encountered on the RD Gateway and RD Web server. Can I just ignore the error? Is this impacting production?


Homer Sibayan

CA custom template with issuance requirements

Hey!

I'm having some issues configuring my PKI environment.

I'm trying to make a custom template in the CA that has issuance requirements with 2 different issuance policy OIDs.

The goal is that the signer certificate will contain one of the required issuance policies (instead of all issuance policies, which is what happens currently).

Thank you in advance! ;)

TLS 1.0 default setting in 2019

I have been scavenging the internet and various articles to find out what the default setting for TLS 1.0 is in Server 2019. I cannot find any official documentation about this. Can someone please point me to one if I have totally missed it?

docs.microsoft.com/en-us/security/solving-tls1-problem

docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings



Security does not work

Does someone know why, once I enter a network folder that asks me for credentials and
I don't check the "remember the credentials" checkbox,
after I close that folder and go back in, it doesn't ask me for credentials anymore?

I WOULD GREATLY APPRECIATE YOUR HELP!!

Security and Updates Time

For our 2019 server, I know how to set the active hours for downloading and installing updates. But is there a way to tell the server to do updates ONLY on a Saturday at a certain time?

Active Directory Account - User Login not allowed

We have recently implemented SharePoint workflows in O365, using AD to select user accounts. This changed our internal processes to have an AD account created for all company employees regardless of role.

I am trying to determine the best practice to set up the account so that it stays ACTIVE but does NOT allow login.

Currently I am setting them to "Change Password at Next Login"; they would never have received details of the account or password.

I was advised that I could also set the account to "User cannot change password", but I don't seem to be able to set the account this way via GUI or PowerShell.

Would appreciate some thoughts on best practice alternatives.

SMD

LDAPS mandatory patch in March 2020

Hi, I need some clarification regarding the mandatory LDAP signing update in March 2020 that will disable non-secure LDAP and require a valid certificate.

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

We use Certificate Services with a self-signed cert for LDAPS. Can we continue to use the self-signed cert after the March 2020 update, or do we have to purchase a trusted cert?

Thank you.

Wired 802.1x CRL checking error (0x80092013)

Hello.

We use a two-tier PKI infrastructure and now we're trying to deploy 802.1x wired computer authentication. NPS and the intermediate CA are located on the same server. The PKI infrastructure is working without errors. All clients are Windows 10. When a client tries to authenticate on the switch port it gets an error message in the CAPI2 log: 80092013 The revocation function was unable to check revocation because the revocation server was offline.

AIA and CDP are inaccessible for the client, because there is no network stack before 802.1x has finished successfully, so we uncheck the "Validate the server certificate" option to prevent the server certificate checking process.

Some additional information:

1. Root CA certificate was installed on the client: certutil -addstore -f Root <RootCA.cer>

2. CRL of the Root CA was installed on the client: certutil -addstore -f Root <RootCA.crl>

3. Intermediate CA certificate was installed on the client: certutil -addstore -f CA <IntermediateCA.cer>

What is the reason for this behavior and how can I solve this issue?

Thanks in advance!

Redirected folder issue after exactly 10 hours

Hive mind,

I have an issue whereby users are running inside a Citrix session hosted on Windows Server 2016. Redirected folders are being used, set by GPO, and everything works fine for exactly 10 hours. After 10 hours the redirected folders disconnect and the user needs to log off and on again for this to be restored.

The only error I can find up to now is the following:

Log name: System

Event ID: 32

Source: Kerberos-Key-Distribution-Center

Details: The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-domain-joined devices. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to remove this warning.

We are currently piloting the 2016 image after migrating from 2008 R2, where this worked without issue. All Kerberos timings are default and not amended in GPO/local policy.

klist tgt shows:

StartTime          : 2/10/2020 11:23:10 (local)
EndTime            : 2/10/2020 21:23:10 (local)
RenewUntil         : 2/10/2020 21:23:10 (local)
TimeSkew           :  + 0:00 minute(s)

which is what I would expect...

Any ideas?

Eventviewer custom view and modified XML to many hits

Hello,

I have made a custom view in Event Viewer with a modified XML file. I get too many hits on the query when I use !=; it works with =.

Here is my XML

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
*[EventData[Data[@Name='TargetUserName'] and (Data!='SA_account')]]
and
*[System[(EventID='4722')]]
</Select>
  </Query>
</QueryList>

How can I solve this issue?

With kind regards,

Erwin.
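The over-matching in the post above comes from XPath 1.0 comparison rules: `Data!='SA_account'` compares a node-set with a string and is true if ANY Data child differs, so almost every 4722 event qualifies. The following added example (not part of the forum post) reproduces both predicates in Python over two constructed 4722 events and carries the corrected query, which compares only the TargetUserName node; the event contents are constructed samples.

```python
"""Why `Data!='SA_account'` over-matches in an Event Viewer XPath filter.

Added example, not from the forum post. It parses two constructed 4722 events
and applies the two predicates in Python, reproducing the XPath 1.0 rule that
comparing a node-set with a string is true if it holds for ANY node.
"""
import xml.etree.ElementTree as ET

# Corrected filter: the != is applied to the TargetUserName node only.
FIXED_QUERY = """<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID='4722')]]
      and
      *[EventData[Data[@Name='TargetUserName']!='SA_account']]
    </Select>
  </Query>
</QueryList>"""


def make_event(subject, target):
    """Constructed 4722 (user account enabled) event with the usual Data fields."""
    return ET.fromstring(f"""<Event>
  <System><EventID>4722</EventID></System>
  <EventData>
    <Data Name="TargetUserName">{target}</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>""")


def posted_predicate(event):
    """Data[@Name='TargetUserName'] and (Data!='SA_account'):
    true when a TargetUserName node exists AND any Data node differs."""
    data = event.findall("./EventData/Data")
    has_target = any(d.get("Name") == "TargetUserName" for d in data)
    return has_target and any(d.text != "SA_account" for d in data)


def fixed_predicate(event):
    """Data[@Name='TargetUserName']!='SA_account': compares only that node."""
    target = event.find("./EventData/Data[@Name='TargetUserName']")
    return target is not None and target.text != "SA_account"


def compare(subject, target):
    """Return (posted_matches, fixed_matches) for one constructed event."""
    ev = make_event(subject, target)
    return posted_predicate(ev), fixed_predicate(ev)
```

An event whose target is SA_account but whose subject is some other account still matches the posted predicate (the SubjectUserName node differs), while the corrected predicate excludes it.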

No Audit logs 4768 generated

Hi Guys,

Hope someone can answer this for me.

I have 3 Windows 2008 R2 DCs, running in a Windows 2003 domain, 2000 forest level.

I am using a firewall authentication client that is looking for event log 4768, which is meant to be an audit log from account management logon.

I do not get any event log 4768 generated.

I have a group policy that enforces account management auditing:

Audit Application Group Management: No Auditing
Audit Computer Account Management: Success, Failure
Audit Distribution Group Management: No Auditing
Audit Other Account Management Events: Success, Failure
Audit Security Group Management: Success, Failure
Audit User Account Management: Success, Failure

I also have tried enforcing basic audit policy:

Local Policies/Audit Policy
Policy: Setting
Audit account logon events: Success, Failure

If anyone knows any reason why I might not be getting event log 4768, or how to start getting them, I would love to hear it.

Thanks in Advance.

Craig 


Craig G

certificate

Hi, I wrote the Microsoft exam Windows Server 2016 MCSA, and there was an error in the name on my certificate, so please I need help so that my name on the certificate can be corrected. Can anybody help?

.jar file block

Dear all, we use AppLocker and have successfully applied it to all computers. Now we want to block .jar executable files, but I couldn't find a way to do that using AppLocker. Is there any other way to block .jar executables?

Key Recovery Agent installation issue

In my two-tier enterprise PKI, I am trying to install a Key Recovery Agent into my second-level, issuing CA. I am running the CA on Windows 2012 R2. In templates, I copied the "Key Recovery Agent" template and gave my domain admin account the ability to Enroll (under Security) on the new template. I also chose "Publish certificate in Active Directory", "Archive subject's encryption private key", key size = 4096. All other settings are default. I then published the certificate template and it shows up under certsrv, Certificate Templates.

Now, when I right-click Properties on the issuing CA under certsrv, go to "Recovery Agents", select "Archive the key", 1 agent, Add, the ONLY selection showing under "Key Recovery Agent Selection" is the certificate for the issuing CA itself (although the serial number does not match).

It does not seem that the Key Recovery Agent template is showing up in the selection. What are some suggestions on discovering what I did wrong?

Windows Server 2019 ADCS - Unable to Install Subordinate CA Certificate

I am setting up a two tier Active Directory Certificate Services PKI hierarchy with an offline standalone Root CA (Server 2019) and an online Enterprise Subordinate CA (also Server 2019).

I've configured the offline Root CA successfully (set CDP / AIA extensions) and the ADCS service starts with no issues. I then configure ADCS on the Enterprise Subordinate CA and a .req file is created inside "C:\". I copied the .req file over to the Root CA, issued the certificate, exported the *.p7b and moved it back to the Sub CA. When I select "Install CA Certificate", I get the following error:

"An error was detected while configuring Active Directory Certificate Services. The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration. The new Certification Authority certificate cannot be installed because the CA Version extension is incorrect. The most recently generated request file should be used to obtain the new certificate: C:\CA(1).req The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)"

I am logged in to the Enterprise Sub CA as a Domain Admin with Enterprise Admin rights added to my DA account. I have tried reinstalling ADCS on the Sub CA, creating a new .req, and re-signing. I am 100% confident that I'm using the correct .req file when submitting to the Root CA and also exporting the correct Sub CA certificate.

I ran "certutil -dump *.req" on the original certificate request file and verified that the CA Version extension is V0.0. Then I ran the same command on the signed Sub CA certificate exported from the Root CA, and it has the same exact CA Version extension.

Any ideas would be greatly appreciated. Please let me know if any additional information would be helpful.

Microsoft Edge (Chromium engine) WIP support

Hello, I am an engineer at a company that provides MDM solutions for clients (MobileIron in my case). I was trying to configure WIP in the new Microsoft Edge on the Chromium engine. I have added EXE/WIN32 Equals for the Microsoft Edge exe file (full path to exe) as a controlled application, configured WIP settings, and enabled the WIP option in flags in the Edge settings menu. All other 3rd-party apps are working, and Microsoft apps too (except the old and new Edge browsers), but for Microsoft Edge (on the Chromium engine) I don't see any visual indicators that WIP is enabled and working when I open secured corporate resources.

Does new Microsoft Edge support configuring WIP via any 3rd party MDM solutions?

Not able to edit Certificate Authority security permission

Hi everyone,

The setup of my intermediate certificate authority (ICA) had role separation enabled, where 4 respective AD groups each have a different security permission (Issue and Manage Certificates, Manage CA, Read, and Request Certificates) and 2 Managed Service Accounts (MSA) are each assigned the Manage CA security permission. My ICA was working perfectly fine without any issue and everything was working as expected.

However, recently an unforeseen action occurred whereby all my AD users and groups which I had assigned permissions in the ICA were deleted from AD. I went to check my ICA security permissions and all my AD groups had become unknown groups, as they were deleted. Although all the groups and users were re-created with the same names, I am not able to add the newly created users to the ICA security permissions.

Currently I am facing an issue whereby I am not able to issue new certificates, as the groups and users were deleted. I know that my issue would be resolved if I were able to log in to my MSA accounts (as these were not deleted) and assign the newly created users and groups to the ICA security permissions. However, I am not able to do it, as the MSA password is managed by AD. Can someone shed some light on how I can recover my ICA back to normal operation, other than setting up a whole new PKI service?

Thank you in advance
