Channel: Security forum
Viewing all 12072 articles

AD CS service won't start - Unable to initialize the database connection for


Hi

My AD CS server won't start. certutil reports everything is fine with my CS database; the errors I see in the event log when trying to start are:

Active Directory Certificate Services did not start: Unable to initialize the database connection for BPLABSUBCA2.  Certificate service has been suspended for a database restore operation. 0x80094006 (-2146877434 CERTSRV_E_SERVER_SUSPENDED).

The Active Directory Certificate Services service terminated with the following service-specific error:
Certificate service has been suspended for a database restore operation.

My CS database is all fine:

PS C:\Windows\system32> .\esentutl.exe /mh "C:\Windows\System32\CertLog\BPLABSUBCA2.edb"

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 6.3
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initiating FILE DUMP mode...
         Database: C:\Windows\System32\CertLog\BPLABSUBCA2.edb


DATABASE HEADER:
Checksum Information:
Expected Checksum: 0x695f6ec2
  Actual Checksum: 0x695f6ec2

Fields:
        File Type: Database
         Checksum: 0x695f6ec2
   Format ulMagic: 0x89abcdef
   Engine ulMagic: 0x89abcdef
 Format ulVersion: 0x620,20
 Engine ulVersion: 0x620,20
Created ulVersion: 0x620,20
     DB Signature: Create time:04/13/2016 09:21:25.180 Rand:2349591162 Computer:
         cbDbPage: 4096
           dbtime: 6431210 (0x6221ea)
            State: Clean Shutdown
     Log Required: 0-0 (0x0-0x0)
    Log Committed: 0-0 (0x0-0x0)
   Log Recovering: 0 (0x0)
  GenMax Creation: 00/00/1900 00:00:00.000
         Shadowed: Yes
       Last Objid: 1808
     Scrub Dbtime: 0 (0x0)
       Scrub Date: 00/00/1900 00:00:00
     Repair Count: 0
      Repair Date: 00/00/1900 00:00:00.000
 Old Repair Count: 0
  Last Consistent: (0x5AB,C0,180)  03/09/2020 13:38:47.255
      Last Attach: (0x581,AD,268)  01/31/2020 15:15:05.526
      Last Detach: (0x5AB,C0,180)  03/09/2020 13:38:47.255
    Last ReAttach: (0x0,0,0)  00/00/1900 00:00:00.000
             Dbid: 1
    Log Signature: Create time:04/13/2016 09:21:25.091 Rand:4293169251 Computer:
       OS Version: (6.3.9600 SP 0 NLS ffffffff.ffffffff)

Previous Full Backup:
        Log Gen: 1409-1424 (0x581-0x590)
           Mark: (0x590,1,F2)
           Mark: 02/12/2020 15:10:58.222

Previous Incremental Backup:
        Log Gen: 0-0 (0x0-0x0)
           Mark: (0x0,0,0)
           Mark: 00/00/1900 00:00:00.000

Previous Copy Backup:
        Log Gen: 0-0 (0x0-0x0)
           Mark: (0x0,0,0)
           Mark: 00/00/1900 00:00:00.000

Previous Differential Backup:
        Log Gen: 0-0 (0x0-0x0)
           Mark: (0x0,0,0)
           Mark: 00/00/1900 00:00:00.000

Current Full Backup:
        Log Gen: 0-0 (0x0-0x0)
           Mark: (0x0,0,0)
           Mark: 00/00/1900 00:00:00.000

Current Shadow copy backup:
        Log Gen: 0-0 (0x0-0x0)
           Mark: (0x0,0,0)
           Mark: 00/00/1900 00:00:00.000

     cpgUpgrade55Format: 0
    cpgUpgradeFreePages: 0
cpgUpgradeSpaceMapPages: 0

       ECC Fix Success Count: none
   Old ECC Fix Success Count: none
         ECC Fix Error Count: none
     Old ECC Fix Error Count: none
    Bad Checksum Error Count: none
Old bad Checksum Error Count: none

  Last checksum finish Date: 00/00/1900 00:00:00.000
Current checksum start Date: 00/00/1900 00:00:00.000
      Current checksum page: 0


Operation completed successfully in 0.46 seconds.

When I do a certutil -verifystore, all my certs look fine, but the server is offline:
================ Certificate 2 ================
Serial Number: 490000000756279a81b422ab71000000000007
Issuer: CN=BPLAB01 RootCA, O=bplab01, C=local
 NotBefore: 13.04.2016 08:04
 NotAfter: 13.04.2026 08:14
Subject: CN=BPLABSUBCA2, DC=BPLAB01, DC=local
CA Version: V0.0
Certificate Template Name (Certificate Type): SubCA
Non-root Certificate
Template: SubCA, Subordinate Certification Authority
Cert Hash(sha1): c4 79 16 92 a7 63 2a 21 d4 0c 6f 5b f8 98 ce 57 c3 b2 a9 83
No key provider information
  Provider = Microsoft Software Key Storage Provider
  Simple container name: BPLABSUBCA2
  Unique container name: bf34b1a149b9696b5730822c2f68b218_10170e29-a52c-44cd-b713-a935e2bc1a85
  ERROR: missing key association property: CERT_KEY_IDENTIFIER_PROP_ID
Signature test passed
Revocation check skipped -- server offline
Certificate is valid



Renew certificate to issuingca


Hi,

I am setting up a certificate system and trying to learn how to reissue a new issuingca certificate.

I have followed these steps https://www.risual.com/2014/05/renew-issuingsubordinate-ca-certificate/

And that was OK, but I can still see my old certificate on the issuing CA. If I start MMC and delete it, it comes back again after I restart the server, so why do I now have two certificates?

To me it seems like it does not know that it has been revoked, and I have published new CRL info.

Or do I have to wait until 9 March next year before this one is gone?

Suggestions?


/Regards Andreas


PKI 2012R2 Mail Encryption/Signature - Template Mystery


Hi All,

I inherited the responsibility for certificates in my new company. In the month before I joined, a new PKI was developed and implemented. Sadly, the guy who planned and implemented it left the company without a lot of documentation and I have to learn as I go along.

One of the use cases is to encrypt and sign internal emails via S/MIME, and I have a template called "internal email". I can request and issue the certificates. However, if I try to use it in Outlook I get a message that there is no eligible certificate.

I made a copy of the template and started to play with it. After a while I figured out that if I add the application policy "smart card logon" and put it on one of our SafeNet tokens, Outlook recognizes it and encrypting/signing works without problems. It doesn't work if I have the copy on the local machine, though. Unfortunately, I have orders to get it to work without putting the email certificate on the smart card. The guy who is responsible for our Outlook/Exchange says it is nothing that his machines do, so I am quite lost and would appreciate some advice.

In short:

1) I issue the certificate based on template "internal email" - Outlook doesn't recognize the certificate

2) I issue the certificate based on the customized template "Copy of internal email" and put it on the local machine - Outlook doesn't recognize the certificate

3) I put the certificate based on "Copy of internal email" on the SafeNet token - Outlook recognizes and accepts it without issues

Could somebody explain what is going on here and how to fix it please?

Cheers,

D

Limit access to certain applications outside of office hours


We have many users that use a company-provided laptop to work both from the office and from home. For some applications it is not allowed to use them outside of office hours, and we need to block them for such use (accessible in office hours, not accessible in evenings and on weekends).

On top of that we need them to be accessible 24/7 for a small select group of DBAs and sysadmins.

Restrictions therefore should not be on the login options but at the application level.

Can this be done?

thanks

Dries

Configure LDAPS


Hi,

I have configured a PKI system (offline root CA and enterprise issuing CA) and now I want to enable LDAPS.

As I can see from the LDAPS guides, I can duplicate the Kerberos template and issue from that, but some also mark "Allow private key to be exported". Do I also need this?

Systems that are going to use LDAPS are Cisco firewalls, VMware ++


/Regards Andreas

Assigning a logon user to a computer causes email to disconnect on mobile and laptop


Hi,

I assign users to their corresponding computers, which affects Outlook on their mobile devices and laptops that are not part of the domain.

Kindly assist.



You do not have administrative privileges on the server Failover Cluster


I am trying to setup a 3 node Failover cluster in Azure. The below is my configuration:

Region: West Europe

VM Size: Standard D2s v3

Storage: Premium LRS

Data Disk: 2 numbers, 128 GB

OS Disk: 127 GB, Premium

OS: Windows Server 2016 DataCenter

3 nodes are domain joined. 1 DC.

The account used is in the Domain Admins group. The account is also added to the local Administrators group on each of the nodes. In addition, the account and all descendants have been given "Full Control" (for testing purposes) in Domain Controller -> Active Directory -> the domain -> Advanced Features -> Security.

I have tried multiple times, and followed instructions found in forums like rejoining the domain, checking access, syncing time etc. The weird thing is that I got it working once (though I don't remember any significant changes from other attempts), but since it was late at night I stopped all the VMs (the cluster nodes and DC). The next day, I started all VMs to continue the work, only to see that it isn't working anymore. Could someone shed some light on this please?



Service Account Best Practices

I have a Windows environment with Active Directory. I also have several SQL installations with local scope that do not require network access such as replication. Under these circumstances, what is the best practice for running service accounts? Can I run them under the default installation "Network Service" accounts or under the domain "Managed Service Accounts" OU?

How to give an existing Key Recovery Agent to a new Employee?


Hi All,

I am in the process of implementing the Key Recovery Agents for our Certification Authority and ran into some questions I wasn't able to find an answer to so far. I hope you guys can help me out here.

1) As far as I understand, I need to issue a Key Recovery Agent certificate for every single user that is supposed to be able to recover keys and I can't issue a certificate to a certain role, say PKI_Administrator or something? That would be weird because of the private key being on the machine of the requester, but just to make sure.

2) If I create Key Recovery Agent Nr.1 on 1 Jan, this user Nr.1 will be able to recover every archived key belonging to certificates I issue from 1 Jan going forward. If I create Key Recovery Agent Nr.2 on 1 Jun, user Nr.2 won't be able to recover keys issued during the last 6 months, i.e. the keys which user Nr.1 is able to recover. Am I right?

3) So, if User Nr. 1 quits and his user account is shut down, User Nr. 2 won't be able to recover the keys of the certificates from 1. Jan to 1. Jun?

4) If I run into a situation as described in 3) how do I manage that? Is there a way to give the certificate of User Nr.1 to User Nr.2? I guess creating a .pfx file and backing it up somewhere would work, but is there a better way?

5) How would I handle a new employee who is supposed to recover existing old keys?

Looking forward to your replies and thanks a lot in advance!

Cheers

D


"Default Writable Domain Controller" in Certificate Templates Console


We have an Enterprise Root CA running on a 2008 R2 Enterprise machine. 

I noticed an oddity that raises a question. 

We have two DCs on the local network. They hold all the FSMO roles between them. They are the primary and secondary DNS servers for the server hosting the CA. One of the local DCs (based on %LOGINSERVER%) is processing authentication for the login console on the CA host.

When I first logged in and loaded the Certificate Templates Console, it connected to a DC server in the MPLS cloud on the other side of the country.

I CAN home the Certificate Templates Console on one of the local DCs manually, but if I try to go back to "Default Writable Domain Controller" it always homes back on the server out west.

To be clear, either way, it works fine. If I am connected to the remote server for template management, I have to wait for (or force) replication for the local CA to be able to actually use the modified certificate template, but otherwise, it works as expected.

My question becomes, what determines "Default Writable Domain Controller"?  All the sites are correctly defined.  Replication is working as designed.  Why would my local server EVER connect to a server on the other side of a "slow" link when there's a DC setting on the same network (presumably zero cost)?

I'm moderately concerned that there is something amiss in the configuration that I haven't found, and that this is an innocuous symptom of the problem.


PKIview Snapin on 2012


Hi,

I am doing my first Windows Server 2012 AD CS install and cannot seem to find the PKIView snap-in (Enterprise PKI) that was in Server Manager in 2008 R2. Has this been removed? If so, what is the equivalent way of obtaining the information it provided in 2012?

Thanks

Chris

[Solved] AlwaysON VPN IKEv2 setup, how to add SSTP


Fully working IKEv2 AOVPN on mobile domain-joined devices.

But some users have issues with IKEv2.

Can I add an additional option to connect for this affected lot, namely SSTP AOVPN?

Seb


BitLocker Fixed Data Drive Failing to Backup key to ADDS


We have a new Windows Server 2019 Server Core installation.

BitLocker was enabled on a fixed data drive (E:) with the following PowerShell:

Enable-BitLocker -MountPoint "E:" -EncryptionMethod Aes256 -UsedSpaceOnly -RecoveryPasswordProtector

This works fine:

Get-BitLockerVolume -MountPoint "E:"

VolumeType      Mount CapacityGB VolumeStatus           Encryption KeyProtector              AutoUnlock Protection
                Point                                   Percentage                           Enabled    Status
----------      ----- ---------- ------------           ---------- ------------              ---------- ----------
Data            E:      4,188.14 FullyEncrypted         100        {RecoveryPassword}        False      On

I then run the following to back up the key to AD DS:

$BLV = Get-BitLockerVolume -MountPoint "E:"
Backup-BitLockerKeyProtector -MountPoint "E:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId

This runs without error, but the key never appears in AD DS.

If I run the above with the -WhatIf option I get the following:

What if: Performing the operation "Invoke-CimMethod: GetLockStatus" on target "Win32_EncryptableVolume (DeviceID = "\\?\Volume{21318af5-1e06-4a2a-bf3a-448f...)".
Write-Error : Cannot bind argument to parameter 'Exception' because it is null.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:394 char:36
+             Write-Error -Exception $ExceptionForHr
+                                    ~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Write-Error], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.WriteErrorCommand


The following GPO is applied:


Windows Components/BitLocker Drive Encryption
Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista): Enabled
  Require BitLocker backup to AD DS: Enabled

Windows Components/BitLocker Drive Encryption/Fixed Data Drives
Choose how BitLocker-protected fixed drives can be recovered: Enabled
  Allow data recovery agent: Enabled
  Configure user storage of BitLocker recovery information:
    Allow 48-digit recovery password
    Allow 256-bit recovery key
  Omit recovery options from the BitLocker setup wizard: Disabled
  Save BitLocker recovery information to AD DS for fixed data drives: Enabled
  Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
  Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: Disabled

Windows Components/BitLocker Drive Encryption/Operating System Drives
Choose how BitLocker-protected operating system drives can be recovered: Enabled
  Allow data recovery agent: Enabled
  Configure user storage of BitLocker recovery information:
    Allow 48-digit recovery password
    Allow 256-bit recovery key
  Omit recovery options from the BitLocker setup wizard: Disabled
  Save BitLocker recovery information to AD DS for operating system drives: Enabled
  Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
  Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Disabled
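One way to make the escrow step above more robust and to verify the result from the AD side, as an added example that is not from the original post: it selects protectors by type instead of by index and then looks for the matching msFVE-RecoveryInformation object under the computer account. It assumes the ActiveDirectory RSAT module is installed on the server and that the computer account is allowed to create msFVE-RecoveryInformation child objects.

```powershell
# Added example (not the original poster's code). Escrow every RecoveryPassword
# protector on E: to AD DS and confirm each one landed under the computer object.
$MountPoint = "E:"
$Volume = Get-BitLockerVolume -MountPoint $MountPoint

# Only RecoveryPassword protectors can be backed up to AD DS; pick them by type,
# not by position, so the script still works if protector order changes.
$RecoveryProtectors = $Volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $RecoveryProtectors) {
    throw "No RecoveryPassword protector on $MountPoint; add one before escrowing to AD DS."
}

foreach ($Protector in $RecoveryProtectors) {
    # Writes an msFVE-RecoveryInformation child object under this computer's
    # account; -ErrorAction Stop surfaces a failed write instead of silently continuing.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint `
        -KeyProtectorId $Protector.KeyProtectorId -ErrorAction Stop
}

# Verify from AD: msFVE-RecoveryGuid (stored as bytes) must equal the protector ID.
Import-Module ActiveDirectory
$ComputerDN = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$Escrowed = Get-ADObject -SearchBase $ComputerDN -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
    -Properties msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated

foreach ($Protector in $RecoveryProtectors) {
    $Id = [guid]$Protector.KeyProtectorId
    $Match = $Escrowed | Where-Object { [guid]$_.'msFVE-RecoveryGuid' -eq $Id }
    if ($Match) {
        "Escrowed in AD DS: $Id (object created $($Match.whenCreated))"
    } else {
        "MISSING in AD DS: $Id - check the computer account's create-child permission and the AD DS backup GPO settings"
    }
}
```

Run it as an account that can read the computer object's children; the escrow itself is performed by the local BitLocker service, so a MISSING line points at the computer account's rights or the GPO rather than at the user running the script.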



SSL Medium Strength Cipher Suites Supported (SWEET32)


Hi,

We have SQL Server 2017 running in our office. Our security team provided a security scanning report where they said the following needs to be disabled:

SSL Medium Strength Cipher Suites Supported (SWEET32)

I have no idea whether there is any impact on the database if it is disabled from the OS end. Please let me know: if this is disabled, will there be any impact on the database?


GPO Consolidation - Baseline Policies


Hi everyone.

Our team is in charge of consolidating the GPOs and removing what is not used anymore.

We did some research and we found the Policy Analyzer.

This tool is good, but it doesn't allow us to export the file as a GPO file (ADMX?) that we can implement directly on our system.

My idea was to implement the baseline directly and then enable/disable the settings case by case to fine-tune.

What is the best approach so as not to enable the settings one by one?

Regards

Lucas

Prevent Export Certificate


Is there a way to prevent the export of a certificate from the MMC? For example, today I can take a certificate from another computer, export it, and import it into my personal computer's store. This is even without a private key.

When software checks my computer for a certificate, I can spoof another computer's certificate on another computer.

2020 LDAP channel binding and LDAP signing requirement for Windows
