Channel: Security forum

SMB 1.0 vulnerability on PKI servers


Hello Everyone,

We have a situation wherein the client is stressing to disable SMB 1.0 on all the PKI W2K16 servers.

My question is:

Will there be any impact if we disable SMB 1.0 on the Certificate Authority and OCSP servers?

Is SMB 1.0 really required for the PKI service?

Thanking you in advance!!



Incorrect list of certificate templates with CEP/CES clients


The CA is on a domain controller running Windows Server 2019 Datacenter, with the domain at the highest functional level.

Windows 10 1909 clients.

Following a disaster recovery, one or more components of ADCS seem to be working improperly.

If I launch the computer certificate management MMC on a domain-joined PC, I see what looks like only the default list of computer certificate templates in the certificate enrollment wizard: Computer, Domain Computer, IPSec, and Workstation Authentication.

Two problems with that:
1) None of those templates are actually enabled for issuing from our enterprise CA.
2) None of the templates that actually ARE enabled for issuing show up.

The service account that CEP and CES are running under has read permissions on all templates.

I have removed all templates from the server and ensured that they were no longer present on the CA in ADSI, and then added them back in via the GUI again, and then verified they were once again visible in ADSI on the CA.

The system has been rebooted.

If I enable one of the default templates mentioned above, a client is able to successfully enroll one of them, so enrollment DOES work.

I have also completely removed the CES and CEP roles from the server and reinstalled them, but have the same result.

This is causing autoenrollment renewals to fail, too, claiming the CA does not support the requested template (even though it does).

How do I get my templates to show up properly?

Edit to add:

I also tried to enroll a certificate using the computer certificate management MMC on the CA itself. However, when I select the policy in the enrollment wizard, I get this:

Error 0x803d0013

Query: NT AUTHORITY\SYSTEM


Hello team,

Could you please advise what the exact use of "NT AUTHORITY\SYSTEM" is in Windows Server operating systems?

We can see that this object is a member of some local server groups, and these are added automatically, so I would like to know its function.

Delegate Control of an OU

How do I delegate control of an OU so that members of a group that has been delegated control can move computer objects from one OU to another?
I can delegate control for users and groups, but I can't seem to be able to delegate control of computers in a way that allows me to give admins rights to move them from OU to OU.
The system is Windows Server 2008 Active Directory.
paddy ryan

Mapping a share using smartcard


I'm trying to map a share from a client by authenticating via smartcard.

I tried using the File Explorer interface, but when I enter the smartcard PIN it keeps asking for credentials.

The certificate on the smartcard is valid, since we can use it for RDP to the server.

Has anyone else solved this issue?

Strong Authentication for group of user


This might already have been asked, but I could not find an answer to my scenario.

In an on-premises installation we'd like to enable strong authentication (MFA) only for a limited set of privileged users, i.e. admins and some power users.

Since "interactive logon Smart card requirement" is a computer policy, it is not possible to apply it to a group of users.

Is there another way, or must we rely on third-party software, and in that case which one can be suggested?

Thanks

You do not have administrative privileges on the server Failover Cluster


I am trying to set up a 3-node failover cluster in Azure. Below is my configuration:

Region: West Europe

VM Size: Standard D2s v3

Storage: Premium LRS

Data Disk: 2 numbers, 128 GB

OS Disk: 127 GB, Premium

OS: Windows Server 2016 DataCenter

3 nodes are domain joined. 1 DC.

The account used is in the Domain Admins group. The account is also added to the local Administrators group on each of the nodes. In addition, the account and all descendants have been given "Full Control" (for testing purposes) in Domain Controller -> Active Directory -> the domain -> Advanced Features -> Security.

I have tried multiple times and followed instructions found in forums, like rejoining the domain, checking access, syncing time etc. The weird thing is that I got it working once (though I don't remember any significant changes from other attempts), but since it was late at night I stopped all the VMs (the cluster nodes and DC). The next day, I started all VMs to continue the work, only to see that it isn't working anymore. Could someone shed some light on this please?


certificate templates not showing


Hi all

I'm setting up an environment for smartcard authentication but have an issue with templates.

I have duplicated the usual smartcard logon template and modified it with the normal fields.

Even though the user I'm using has the Enroll permission on it, the template does not show up in the certsrv portal.

The CA is running on Windows 2016.

Any help is appreciated


Unable to Export certificates as Personal Information Exchange - PKCS #12 (.PFX) file format.

We are using Windows 2003 Certificate Authorities, and we are unable to export certificates as .PFX; our only options are DER encoded binary X.509 (.CER), Base-64 encoded X.509 (.CER), or Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B). The .PFX option is grayed out in the Certificate Export Wizard on the CA.

This poses a problem because our Windows 2008 server running IIS 7 wants us to import a certificate as .PFX.

Can someone explain what is happening and how to fix it, please?

Unable to Enable replication from one forest to another forest through certificate


Hi

I am trying to enable replication of a VM from one forest to another forest. Both Hyper-V hosts are in different forests and they have separate CA servers. When I am enabling replication I am getting the error "Hyper-V received a digital certificate that is not valid from the Replica server. Error: The revocation function was unable to check revocation because the revocation server was offline. (0x80092013)". Is there any solution for this?


Arun Thomas Server Admin

Need advise on how to get alerts on expiring certs on Certificate Authority Servers


Hey Community Friends,

Recently we have been dealing with a slew of certificates expiring on our certificate authority server. I am pretty new to managing certificates, and I feel this could have been avoided if I had better oversight outside of manually creating calendar reminders. We have a Windows 2008 R2 certificate authority server. Do you have any recommendations or just tips in general for getting notified when certs are about to expire?

Thanks in advance!

Phil


Phil Balderos

how to complete enrollment with mmc?


Generally, the problem and the theoretical solution are answered in this thread: http://social.technet.microsoft.com/forums/en-us/winserversecurity/thread/F1593BD0-1476-4772-AA5E-1C0ECA65F0A0

The problem is that it does not work /:

Environment:

W2K8 R2 Ent, template with manager approval and without 'publish in AD' [but I've tested with publish as well], client on W7.

Scenario:

The user requests the certificate, it appears in 'Pending Requests', the manager approves the cert, and it appears in Issued Certificates. On the client machine, in 'Certificate Enrollment Requests', I can find the request.

Problem: how may the user finish the request without additional cert manager action?

I know that if the cert manager exports the certificate and sends it to the user, (s)he may install it and it works. But it requires an additional communication channel and, most important, additional information about the user: phone, email or such. If the certificate template does not have email included, the scenario for the administrator gets hard:

- check the user name
- find the user in AD
- check email/phone or some other contact
- contact the user
- send the certificate to the user with instructions
- the user may install the certificate


-o((: nExoR :))o-

[Solved] AlwaysON VPN IKEv2 setup, how to add SSTP


Fully working IKEv2 AOVPN on mobile domain-joined devices.

But some users have issues with IKEv2.

Can I add an additional option to connect for this affected lot, namely SSTP AOVPN?

Seb


CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability

Windows SCEP; No mapping between account names and security IDs was done.


I have a Windows CA set up on Windows Server 2016. It's an Enterprise CA with CEWS running as a managed service account.

Additionally, on the same server, SCEP is running with another managed service account. The account has full control of the two MSCEP private keys, and Read and Enroll permissions on the IPSec (Offline request) certificate template.

When requesting a certificate via NDES, I receive the following error:

The Network Device Enrollment Service cannot submit the certificate request (0x80070534). No mapping between account names and security IDs was done.

I've followed the steps in the wiki, but nothing changed.

--------------------------------------

Event ID: 31

The Network Device Enrollment Service cannot submit the certificate request (%ErrorCode). %ErrorMessage

Internal Name: EVENT_MSCEP_FAIL_SUBMIT

Source: Microsoft-Windows-NetworkDeviceEnrollmentService

Description: The Network Device Enrollment Service failed while submitting a certificate request on behalf of a client device.

Diagnose: Note the error code and error message included in the event description.

Ensure that the CA is available and Certificate Services is running on the CA (certutil -ping on CA).

Ensure that the Network Device Enrollment Service can connect to the CA.

Ensure that the enrollment service has Read and Enroll permissions on the certificate template(s) configured for device enrollment. (These will be the templates identified in the registry entries "SignatureTemplate", "EncryptionTemplate", and "GeneralPurposeTemplate" under the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\" on the enrollment service computer; otherwise, the default "IPSec (Offline Request)" template will be used).

Otherwise, your computer may be low on physical memory.

Resolve: Resolve any specific errors identified in the event description, as well as any connectivity or permissions problems identified previously, and try to resubmit the request.

--------------------------------------

Anybody have any more ideas?


Multiple pending certificates for the same subject


Hello,

In the Pending Requests pane of the Certificate Authority snap-in we're seeing multiple entries for user certificates based on the same template. In addition to the Request Submission Date differences, we noticed a difference between the pending certs in the Client DC Name (CDC). One certificate had dc1 as the CDC whereas the others had dc2 or dc3 (we have 3 domain controllers). Is there a way to prevent certificates from being requested multiple times with multiple DCs in the mix? We would like to pare down the number of entries in our Pending Requests pane to make issuing them a little easier.

Thanks, and take good care,

Mike


Mike Gerlach

Publish new ROOT crl


Hi,

I have configured a PKI infrastructure, and I just want to write down the steps I need to publish a new root CRL in one year.

So, are these steps correct?

1. Boot up the RootCA and publish a new CRL.

2. Copy the CRL file from the RootCA over to my web server that acts as the CDP/AIA publishing point and replace the older CRL file from the RootCA.

3. (I am not sure if I need this step.) Run the command certutil -f -dspublish "d:\pki\OFFLINECA.crl" RootCA


/Regards Andreas

AD CS SubCA, issued by OpenSSL Root CA, is unable to issue certificate (revocation error)


I have an OpenSSL Root CA, and I signed a Windows Server AD CS instance as a sub CA and installed it correctly, but I can't request certificates. Each request ends up with this error:

And here are the CRL properties for my CA:

Certificate Authority deployment


Hi,

I have a two-tier certificate authority which is running on 2012R2 and 2008R2.

Enterprise root CA on 2008R2.

Subordinate CA on 2012R2.

I don't have a 2012R2 operating system license; all are consumed. Shall I put a 2016 OS as the subordinate CA?

Please assist with your answers.

Replace a self signed certificate


Hi,

We have a web server with a self-signed certificate that has been distributed through GPO, so every machine on the domain now has this certificate added to the local Trusted Root Certification Authorities > Certificates store.

Now we have implemented a PKI infrastructure, and we would like to publish a certificate to the web server so that all the clients trust this web server. Since all the machines on the domain now have the Root certificate in Trusted Root Certification Authorities > Certificates and the IssuingCA in Intermediate Certification Authorities > Certificates, I guess I can remove the self-signed certificate and they will automatically trust the certificate that we have assigned to the web server? But how do I do this?


/Regards Andreas
