Channel: Security forum
Viewing all 12072 articles

KDC Certificate Could Not Be Validated Error


I think this is the right forum for this question, but please feel free to redirect me if it is not. 

We are using Windows Hello for Business for users to sign into their computers with a PIN or Biometric. It works well for sign in 99% of the time, but every once in a while a user gets the error:

"Sign-in failed. Contact your system administrator and tell them that the KDC certificate could not be validated. Additional information may be available in the system event log."

The user gets this message on the sign in screen after using their PIN or Biometric. To resolve this, the user can sign in with their password or wait about a minute, try again, then it will work. I've also seen this work after rebooting the computer. After getting signed in again, they don't have the error message on subsequent logins. 

The odd part is that this happens very intermittently...so it's tough to troubleshoot. 

Windows Hello for Business does require domain controller certificates with the KDC Authentication, but I have these issued to the devices....and again, they can use it fine 99% of the time. 

Googling this error didn't get me anywhere helpful, so I am hoping that someone might know why I am getting this error intermittently?
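An added check, not part of the original post, for the domain-controller side of this error: a Windows Hello for Business PIN or biometric sign-in is a Kerberos PKINIT logon against whichever DC the client reaches, and the client validates that DC's KDC Authentication certificate. The PowerShell below, run elevated on a DC, lists the machine-store certificates that carry the KDC Authentication EKU, whether each still chains and how long it has left, and pulls recent events from the KDC provider so an intermittent client failure can be matched to one DC. The EKU OID (1.3.6.1.5.2.3.5), the template-extension OID and the provider name are Microsoft's; the function names are illustrative.

```powershell
# Added example, not from the original post: check a DC's KDC Authentication
# certificate(s) and recent KDC events. Run elevated on the domain controller.

$KdcAuthEku  = '1.3.6.1.5.2.3.5'          # "KDC Authentication" enhanced key usage OID
$TemplateOid = '1.3.6.1.4.1.311.21.7'     # "Certificate Template Information" extension OID
$KdcProvider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'

function Get-KdcCertificateStatus {
    # Every LocalMachine\My certificate whose EKU list includes KDC Authentication
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $KdcAuthEku }

    if (-not $certs) {
        Write-Warning "No certificate with the KDC Authentication EKU in LocalMachine\My on $env:COMPUTERNAME"
        return
    }

    foreach ($cert in $certs) {
        $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }
        [pscustomobject]@{
            DC            = $env:COMPUTERNAME
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Template      = if ($tmplExt) { $tmplExt.Format($false) } else { '(none)' }
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
            DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
            # Verify() builds the chain with the machine's default policy, revocation checking included
            ChainValid    = $cert.Verify()
        }
    }
}

function Get-KdcEvents {
    param([int]$Days = 7)
    # KDC certificate problems (missing, expired, untrusted) surface as events from this provider in the System log
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = $KdcProvider
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Get-KdcCertificateStatus | Format-List
Get-KdcEvents | Format-Table -Wrap
```

Run it on every DC (for example through Invoke-Command) rather than one: a client that fails 1% of the time is usually hitting one DC whose certificate is expired, has no private key, or fails Verify(), and that is the first thing to rule out before looking at the clients.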


Renew Subordinate CA (Core) Certificate


I'm Back! :) Again.

I have a feeling it's going to be Mark Cooper who answers this one.

I've been fighting with a PKI project for about a month now and it's been extremely painful for ONE major factor; CORE!

I love optimizing but in this case it has been really, really painful. Such as this bug which I've seen reported online for a long time. (Thanks Mark)

Then I had to fix a mistake I made in my Offline-Root-CA which showed a wrong CDP location in my PKI from the issued Sub-CA.

I'm actually currently working on fixing this issue and the reason for this post.

1) I first tried to simply take the existing CSR and re-issue it; no issues on the re-issue (lol). However, attempting to install the newly issued cert on the Sub CA resulted in the following:

CertUtil: -installcert command FAILED: 0x8007139f (WIN32: 5023 ERROR_INVALID_STATE)
CertUtil: The group or resource is not in the correct state to perform the requested operation.

At this point I assumed it was due to the service being up and running, so from a remote management machine via the CA snap-in MMC tool I shut down the service, and from the Sub-CA I also ran "CertUtil -Shutdown".

*SIDE QUESTION* What exactly does "CertUtil -shutdown" do? Does it simply stop the cert services on the local machine, or all AD Cert services? How do you revert this command? I couldn't find a CertUtil -Start or any equivalent command.

Having failed here due to my ignorance, I decided to google in hopes of a solution. Sadly the best I could find was this.

First thing to note is yet more bugs in the CA snap-in tool when used remotely: on top of "Install CA Cert" literally not doing anything, once you install the cert via "CertUtil -installCert" the Sub CA services come up fine, but the snap-in will be missing context menus, in this case "Renew CA Certificate".

So I decided to try the other suggested workaround, "CertUtil RenewCert ReuseKeys". However, they would receive an error as follows:

   CertUtil: -renewCert command FAILED: 0x80070003 (WIN32: 3)
   CertUtil: The system cannot find the path specified.

I however get the following error:

   CertUtil: -renewCert command FAILED: 0x80092004 (-2146885628 Crypt_E_NOT_FOUND)
   CertUtil: Cannot find object or property.

I'm a bit stumped right now... How do I accomplish this task?

Plugin ID 51192 SSL Certificate Cannot be Trusted


When I got this Nessus ticket from my Cyber Security Section I said no big deal; I went over to vSphere and renewed the certificate. It renewed with the date of 20 March 20 and was good for 5 years. I thought no problem, this ticket will go away. I am not sure why Nessus won't trust a self-signed cert from VMware, but it won't. So I thought super easy, I will just create one from my MS Certificate Authority.

 

I followed these instructions but when it came time to add the certificate to the certificate store MS did not show the template I created:

VMware Knowledge Base

The problem is these instructions talk about Windows 2003 and Windows 2008, and our CA is a Windows 2012 R2 server; the choices it gives me on the Compatibility tab are Certificate Authority: Windows Server 2012 R2 (or Windows Server 2012) and Certificate recipient: Windows 8.1/Windows Server 2012 R2 (or Windows 8/Windows Server 2012).

 

So the final problem is when I follow the step "Right-click Certificate Templates and click New > Certificate Template to Issue", the new certificate template I created is not in there. Not only that, it does NOT show up in the web request page (https://CA/certsrv).

Any ideas?

Any possibility I can just do this as a standard web request?

GPO configure LdapEnforceChannelBinding


Hello,

I want to set this GPO on the DC server:

But after this setting, I don't see that it applies to the servers:

And the registry setting didn't work, so I added it manually:



Is this a bug just for me? Or does it happen to someone else?

2020 LDAP channel binding and LDAP signing requirement for Windows
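An added example, not part of the original post: the channel-binding and signing policy settings end up as plain registry values under the NTDS Parameters key on each domain controller (LdapEnforceChannelBinding, and LDAPServerIntegrity for signing), so the quickest way to see whether the GPO actually landed, or whether only the manual edit is in effect, is to read those values on every DC side by side. This PowerShell does that over WinRM; it assumes the ActiveDirectory RSAT module and remoting access to the DCs. The key path and value names are the ones Microsoft documents for ADV190023; the function name is illustrative.

```powershell
# Added example, not from the original post: report the LDAP channel-binding and
# signing registry values on every DC so GPO application can be verified.
# Assumes the ActiveDirectory module (RSAT) and WinRM access to the DCs.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapHardeningState {
    param(
        # Defaults to every DC in the current domain
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $p = Get-ItemProperty -Path $using:NtdsParams -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC                        = $env:COMPUTERNAME
            # 0 = never, 1 = when supported, 2 = always; $null means the value is absent (OS default applies)
            LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding
            # 1 = none, 2 = require signing; $null means absent
            LDAPServerIntegrity       = $p.LDAPServerIntegrity
        }
    } | Select-Object DC, LdapEnforceChannelBinding, LDAPServerIntegrity
}

Get-LdapHardeningState | Format-Table -AutoSize
```

If a DC shows the value only after the manual edit and loses it again after the next policy refresh, the GPO is not delivering it; comparing this output with `gpresult /r /scope:computer` on that DC tells you whether the GPO is even being applied to it.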

AlwaysON VPN IKEv2 access from Apple MAC (Mojave)


Does anybody have any ideas how to access an IKEv2 AlwaysON VPN server (Server 2019) from an Apple Mac?

Trying this:

https://www.oxcrag.net/2018/08/24/ikev2-ipsec-vpn-with-pfsense-and-apple-devices-2/

but there seems to be no way to specify anywhere -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 (which are configured on my server). Yes, I have the correct certificate imported in the login keychain on the Mac.

I only get a "User Authentication failed." error when trying to connect.

This does not help much at all!

https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-ios#ikev2-settings

Neither did this:

https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-configuration-azure-cert

This is also of no value here, because it talks about Catalina (and I do use Mojave):

https://social.msdn.microsoft.com/Forums/en-US/ed4b9407-5a6a-4155-bc94-7353bc76296d/macos-catalina-ikev2-vpn-client-to-azure-vpn-gateway-incompatibility?forum=WAVirtualMachinesVirtualNetwork

Seb


Enterprise Intermediate CA Not Visible to IIS or Certificates Console

Standalone Root CA with an Enterprise Intermediate/Sub CA. Issue noticed when trying to "create domain certificate" from IIS Manager. When asked to select online certificate authority, the Sub CA does not show up. Also attempted to issue a certificate to a computer using the certificates MMC. Was issued by the wrong/old CA server. New Sub CA shows up in Sites and Services as an Enrollment server and also shows up when running "certutil" at the CLI. Sub CA is on a member server. Also tried to publish the Standalone Root CA certificate using "certutil -dsPublish -f ……." and it was successful but still does not solve the issue. Unable to find a solution on Google for days. Any pointers would be greatly appreciated!

How to create DocumentEncryption certificate with CS (for use with PowerShell command Protect-CmsMessage)?


Hello,

we are trying to create a certificate which we can use for the PowerShell commands Protect-CmsMessage/Unprotect-CmsMessage (see https://technet.microsoft.com/en-us/library/dn807171.aspx). The description of the commands (see link) describes the usage of certreq.exe to create a self-signed (!!!) certificate with the appropriate key and enhanced key usages. We do not want to create a self-signed certificate but want to use our internal CA. Unfortunately we are not able to create an equivalent certificate with the Certificate Services. One of our attempts was to copy a certificate template and modify it to match the criteria. None of the certificates we created match the template properties created with certreq.exe as described in the documentation of Protect-CmsMessage.

Best regards from Germany,

Tobias

Restrict autoenrolled certificate to specific certificate templates via GPO ?


We had previously autoenrolled certificates to all domain-joined Windows servers using a specific certificate template (e.g. Template A). This was done by targeting the autoenroll GPO to the OU where servers reside. The autoenroll permission on Template A was granted to 'Domain Computers'.

We now have a use case for autoenrolling certificates to all domain-joined workstations (i.e. computers running a client OS - Windows 10) . We would like to use a separate certificate template (e.g. Template B) for workstations. The autoenroll permission on Template B is granted to 'Domain Computers'.

By default, when we apply the autoenroll GPO to the workstations OU, they will receive certificates for both Template A AND Template B. We would like workstations to only receive certificates for Template A (i.e. only workstation certificate and NOT server certificate).

One way to accomplish this is to maintain an AD group of server computers, and target the autoenroll permission to this group on Template A.

However, we would like to avoid the overhead of maintaining this separate AD group, if possible, since it would involve running custom PowerShell code on a schedule to populate the AD group etc.

Is there any way to specify via GPO which specific certificate templates a computer should autoenroll for? Or any other ideas on how to accomplish what I'm looking for?

Thanks,

Mario
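An added example, not from the original post: the Auto-Enrollment policy in the GPO only switches autoenrollment on for the computer, it carries no list of templates; the per-template filter is the template object's ACL, specifically the Enroll and Autoenroll extended rights. So two templates that both grant Autoenroll to Domain Computers will both be enrolled by any computer the GPO reaches, which is the situation described above. This PowerShell walks every template in the forest's Configuration partition and lists which identities hold those two rights, so the overlap is visible before touching permissions. It assumes the ActiveDirectory RSAT module (for the AD: drive); the two GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment control-access rights, and the function name is illustrative.

```powershell
# Added example, not from the original post: list Enroll / Autoenroll extended
# rights on every certificate template in the forest. Assumes the ActiveDirectory
# module (RSAT), which provides the AD: drive used by Get-Acl.

$EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRightGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Get-TemplateEnrollmentRights {
    $configNc   = (Get-ADRootDSE).configurationNamingContext
    $templateDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($t in Get-ADObject -SearchBase $templateDn -Filter 'objectClass -eq "pKICertificateTemplate"') {
        $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Only ACEs that grant an extended right are of interest here
            if (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -eq 0) { continue }

            # ObjectType names the specific extended right; an empty GUID means "all extended rights"
            $right = switch ($ace.ObjectType) {
                $EnrollRightGuid     { 'Enroll' }
                $AutoEnrollRightGuid { 'Autoenroll' }
                ([guid]::Empty)      { 'AllExtendedRights' }
                default              { $null }
            }
            if ($right) {
                [pscustomobject]@{
                    Template = $t.Name
                    Identity = $ace.IdentityReference.Value
                    Right    = $right
                }
            }
        }
    }
}

# Show who can autoenroll for what; the Template A / Template B overlap shows up as the same identity on both rows
Get-TemplateEnrollmentRights | Where-Object Right -ne 'Enroll' | Sort-Object Template, Identity | Format-Table -AutoSize
```

Note that an identity with AllExtendedRights on a template (typically Domain Admins or Enterprise Admins) will autoenroll just as if Autoenroll had been granted explicitly, which is easy to miss when auditing the ACLs by hand.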

Prohibit the unlocking of the account, but allow to enable it


Hi,

My task was to create a user group that can create and delete users in an Active Directory domain. At the same time, it must be possible to log in as this new user, that is, his account must be enabled. But on the other hand, this group is prohibited from unlocking users (by task).
I know that the userAccountControl attribute is responsible for enabling the user, but with it you can also unlock the user.
Unfortunately, I could not find the answer on the Internet, since most of the answers no longer apply to Windows Server 2019 (ms-DS-User-Account-Disabled) or are specific to some third-party extensions for Active Directory (edsaAccountIsDisabled).
Maybe I need to somehow intercept attempts to unlock an account? Or something related to Group Policy?
I think that someone has already implemented such access control.

I would really appreciate your help.

P.S.: Sorry for my English.

Subordinate CA role transition from 2008R2 to 2012R2


Hi,

I have two PKI servers: an Enterprise CA on 2012R2 and a Sub CA on 2008R2.

I am going to transition the subordinate CA role from 2008R2 to 2012R2. I have only minimal knowledge of Certificate Authority.

Please assist with your answer to my query. If you know a step-by-step guide for Sub CA transition, feel free to share.

Steps:

  1. Exporting the Sub CA backup and importing it into the new Sub CA server. After that, do any modifications/changes have to be done for the CRL URL?
  2. Both Sub CAs use different FQDNs. Let me know whether any changes have to be done after the CA database export.
  3. What type of certificates need to be exchanged between the Sub CA and the Enterprise CA?
  4. Post migration, how do I check communication between the Enterprise CA and the Sub CA?


ADFS 2016 + Azure


Hey all,

I've finally enabled MFA for ADFS 2016 and Azure AD (hybrid); it appears to be working great on a test application. We have one complaint however: every login to this app requires MFA / 2FA. I've enabled MFA cache on Azure in 2 places but it still prompts. I've read there's a checkbox to 'trust my device for x days' to configure in ADFS but I cannot find that option.

Please help, what am I doing wrong?

TIA

Finding artifacts related to a user added to a local group


Gentlemen,

I am investigating a case where I need to identify when a user was added to a local Windows group. The OS is Win Server 2012. Unfortunately the event logs were archived and are no longer available. I suspect the addition happened during 2017 or 2018. The NetBackup event logs are already removed. Any suggestion if any registry key keeps this data? Please guide. Many thanks.

Best Regards


Thanks & Regards Bedanta S Mishra


Multiple HKEY_USERS (I don't believe they belong there)


So listed below is a list of HKEY_USERS. I know about the S-1-5-18, S-1-5-19, S-1-5-20, and S-1-15-21-...-500. But I'm a little unsure of the other ones. I've done Rootkit scans (Malwarebytes and Spybot) and neither one of them identify those other keys as 'malicious'. Does anyone know what these are and if they are necessary? Thanks in advance!

Auto renewal of computer authentication certificate has been stopped post CA migration


Hi Everyone,

Recently we migrated the CA service from a W2k8R2 server to W2k16. Currently we are facing an issue related to renewal of the computer authentication certificate. By right it should renew 6 weeks before it expires, as per the certificate template properties, but it didn't happen. We have manually enrolled the certificate on the server.

Could anyone help me with the reason for this?

Thanks & Regards,

Santosh Gouda


SMB 1.0 vulnerability on PKI servers


Hello Everyone,

We have a situation wherein the client is stressing that we disable SMB 1.0 on all the PKI W2K16 servers.

My question is:

Will there be any impact if we disable SMB 1.0 on Certificate Authority and OCSP servers?

Is SMB 1.0 really required for the PKI service?

Thanking you in advance!!
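An added check, not from the original post: the CA's enrollment interfaces (DCOM/RPC, and HTTPS for the web enrollment and CES/CEP roles) and the OCSP responder (HTTP) do not use SMB at all, so the real question before removing SMB 1.0 from these servers is whether anything else still negotiates an SMB1 dialect against them, such as an old backup agent, a monitoring host, or a legacy script pulling CRLs from a file share. The PowerShell below records whether the SMB1 server component is installed and enabled and whether any current SMB session is SMB1, which is the evidence to collect before flipping the switch. It assumes Windows Server 2016 with the ServerManager and SmbShare modules, run elevated; the function name is illustrative.

```powershell
# Added example, not from the original post: snapshot SMB1 exposure on a CA or
# OCSP server before disabling the protocol. Assumes Windows Server 2016,
# elevated, with the ServerManager and SmbShare modules available.

function Get-Smb1Exposure {
    # Is the SMB1 server feature installed at all?
    $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    # Is the SMB server still willing to speak SMB1?
    $server = Get-SmbServerConfiguration
    # Which clients are connected right now, and which dialect did each negotiate?
    $sessions     = @(Get-SmbSession -ErrorAction SilentlyContinue)
    $smb1Sessions = @($sessions | Where-Object { $_.Dialect -like '1.*' })

    [pscustomobject]@{
        Server               = $env:COMPUTERNAME
        Smb1FeatureInstalled = [bool]($feature -and $feature.Installed)
        Smb1ServerEnabled    = $server.EnableSMB1Protocol
        TotalSessions        = $sessions.Count
        Smb1Sessions         = $smb1Sessions.Count
        # Clients that would break once SMB1 is turned off
        Smb1Clients          = (($smb1Sessions.ClientComputerName | Sort-Object -Unique) -join ', ')
    }
}

Get-Smb1Exposure | Format-List
```

Sessions are transient, so run this a few times across a working day (and a backup window) rather than once; an empty Smb1Clients field every time is the evidence that disabling SMB 1.0 on the CA and OCSP servers will not take anything down.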


Certificate web enrollment services doesn't work as expected


CA Web enrollment services are installed on a separate server from the CA server itself and several problems exist.

When clicking on "Download a CA certificate, certificate chain, or CRL", I receive the following error:

An unexpected error has occurred: The Certification Authority Service has not been started.

When trying to request a new certificate, I receive the following error:

Your request failed. An error occurred while the server was processing your request.

Contact your administrator for further assistance.

Request Mode:
newreq - New Request
Disposition:
(never set)
Disposition message:
(none)
Result:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
COM Error Info:
CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
LastStatus:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
Suggested Cause:
This error can occur if the Certification Authority Service has not been started.

I googled a lot on the error, but can't find anything out of the ordinary. Running "certutil -dump", and then "certutil -ping -config" with the values from the dump, works well. The only thing I can see is that "Web Enrollment Server" is empty at the moment.
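An added diagnostic, not part of the original post: when web enrollment is installed on a different server from the CA, the CCertRequest::Submit call is a DCOM call from the web server to the CA, so "The RPC server is unavailable" there means that call did not get through, which is a different problem from the CA service itself being stopped (the suggested cause in the error page). The PowerShell below, run on the web enrollment server, separates the two: endpoint-mapper reachability on TCP 135, CertSvc state on the CA, and a certutil -ping with the config string. The host and CA names are placeholders to be replaced with the values from certutil -dump; the function name is illustrative.

```powershell
# Added example, not from the original post: run on the web enrollment server to
# tell "CA service stopped" apart from "RPC/DCOM path to the CA blocked".
# The CA host and CA name below are placeholders.

function Test-CaRpcPath {
    param(
        [Parameter(Mandatory)][string]$CaHost,   # e.g. 'ca01.corp.example' (placeholder)
        [Parameter(Mandatory)][string]$CaName    # the CA common name as shown by certutil -dump (placeholder)
    )
    $config = "$CaHost\$CaName"

    # 1. DCOM to the CA starts at the endpoint mapper on TCP 135, then moves to a dynamic port
    $epm = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue

    # 2. Is the Certification Authority service actually running on the CA?
    $svc = Get-Service -ComputerName $CaHost -Name CertSvc -ErrorAction SilentlyContinue

    # 3. Does the CA's own RPC interface answer when addressed with this config string?
    $pingOut = & certutil.exe -ping -config $config 2>&1
    $pingOk  = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        Config          = $config
        Tcp135Reachable = $epm.TcpTestSucceeded
        CertSvcStatus   = if ($svc) { $svc.Status.ToString() } else { 'unknown (remote service query failed)' }
        CertUtilPingOk  = $pingOk
        CertUtilOutput  = ($pingOut -join ' ')
    }
}

Test-CaRpcPath -CaHost 'ca01.corp.example' -CaName 'Corp Issuing CA' | Format-List
```

If TCP 135 is reachable and CertSvc is Running but the ping fails only from the web server, the remaining suspects are the dynamic RPC port range between the two hosts and the DCOM permissions on the CA for the web enrollment server's identity; if the ping succeeds from here, the failure is in how the web enrollment role itself is pointed at the CA.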

