Hi
I want to issue certificates that the subjects of which contain organizationIdentifier attribute (2.5.4.97). As this is not a registered attribute in Windows database i have to register it as part of subject template on my own, but whenever I try to do so, I can not start the CA any more and I face an error says the process terminated unexpectedly. how i can solve this issue?
Dear All,
I am hosting the CRL Distribution point in seperate server and i always had doubt we need to open the firewall ports oneway or two way, i am sure we need rule for port 80 from the client to the CDP servers and just want to make sure do we need rule from the CDP servers to client?
Small system with a single WS2012 AD-Integrated Root CA. CA Cert expires in a few days; trying to renew.
User account is currently a member of Enterprise Admins.
Supposedly, it's as easy as right-clicking the old cert and clicking renew using the same key. But I get this message: "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permissions to request this type of certificate."
If I add the computer account to the ACL of the "Root Certificate Authority" template with Read/Write/Enroll, the message changes to "The requested certificate template is not supported by this CA. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."
FWIW, the Certificate Template type is shown as "CA", but there is no template by that name. I am also unable to add "Root Certificate Authority" as a Certificate Template.
I have duplicated the "Root Certificate Authority" template and attempted to request a new CA cert from that via Certificates MMC. I can create the cert, but after approving issuance, the cert is issued (a) with the same expiration date as the outgoing CA cert, (b) chained from it, and (c) it never appears in the Certificates MMC--at least I couldn't find it. But that doesn't matter because the cert wouldn't solve the problem.
Don't have much time to troubleshoot; next visit in 2 days I'll have to set up a new CA if I don't have a magic bullet solution. What am I missing?
This “Security” Forum will be migrating to a new home on Microsoft Q&A!
We’ve listened to your feedback on how we can enhance the forum experience. Microsoft Q&A allows us to add new functionality and enables easier access to all the technical resources most useful to you, like Microsoft Docs and Microsoft Learn.
Now until July 26, 2020:
From July 27, 2019 until August 10, 2020:
August 10, 2020 onward:
We are excited about moving to Microsoft Q&A and seeing you there.
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact
tnmff@microsoft.com.
still getting NTLMv1 successful login even with Group policy applied to "Send NTLMv2 response only. Refuse LM & NTLM"
We used group policy to apply "Send NTLMv2 response only. Refuse LM & NTLM" at the domain level and also at the domain controllers.
The group policy has been applied succesfully.
However we are still seeing succesfull NTLMv1 events logged in the security log. Event number 4624.
Is there something we are missing to disable the user of NTLMv1 completely within the domain?
Thanks
Winnie
Hi,
I have a Server 2019 infrastructure and I have been tasked to configure secure communication between servers.
For specific reasons, I setup a standalone Root CA and Subordinate CA. To test I selected 2 servers and from them I requested an IPSEC certficiate (web enrollment) which I then installed in the relevant computer certificate store on the 2 servers.
I configured the connection in Windows Firewall on each of the 2 servers but cannot get a ping to work with a certificate for authentication. If I set the authentication to pre-shared key on the 2 servers then all works fine but when I select the subordinate CA cert, the ping does not work.
Any ideas why this may not be working?
These days, thanks to the pandemic, we have many users working on their laptops from home (connecting to the domain through VPN once they login). Extremely rarely (it's happened a handful of times in the past 3-4 months) we have a user who suddenly can't login to their domain account using cached credentials. My instinct tells me it is related to our Interactive Logon policy limiting cached credentials to 1 account total. It has happened once to one of our senior network admins who assures me he never logged in with any other account, so I am not sure how the cached credentials are being replaced. I have read all over the place that cached credentials never expire, so I know that isn't the issue.
I am not sure what to do besides recommending to my boss that we change our cached credentials policy to save 2 accounts instead of 1. Has anyone else worked through a similar problem?
Hello,
I would like to prevent any logoff from a server windows server 2016 Standard.
I set
But still the machine is logging off the user and some processes are cancelled and failed (backups/restore)
There is no script logon/logoff
Power Options:
How to prevent this log off?
Thanks,
Dom
Security / System Center Configuration Manager Current Branch / SQL
Where can I locate a complete, step-by-step guide to implement a Standalone Certification Authority on a Windows Server 2019 or Windows Server 2016 server member of a workgroup?
I could locate serveral documents or tutorials, but none covers the complete process...
Regards
marius
How i can fix it.
SSL RC4 Cipher Suites Supported (Bar Mitzvah)"Reconfigure the affected application, if possible, to avoid use of RC4
ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser
and web server support."
How i can fix it,
SSL Medium Strength Cipher Suites Supported (SWEET32)
"Reconfigure the affected application if possible to avoid use of medium strength ciphers."How i can fix it.
"The remote service uses an SSL certificate chain that has been signed
using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5,
or SHA1). These signature algorithms are known to be vulnerable to
collision attacks. An attacker can exploit this to generate another
certificate with the same digital signature, allowing an attacker to
masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with
SHA-1 that expire after January 1, 2017 as vulnerable. This is in
accordance with Google's gradual sunsetting of the SHA-1 cryptographic
hash algorithm.
Note that certificates in the chain that are contained in the Nessus
CA database (known_CA.inc) have been ignored."
After installing Certification services and creating a Standalone CA on a Windows Server 2016 or Windows Server 2019 server member of Workgroup what else should I do in order to allow other servers request certificates?
Should I install Certification Authority Web Enrollment, Certification Enrollment Web Services or both?
Which certificate should I use to enable HTTPS access to the certsrv site?
I found many pages describing the steps in an AD domain environment, very few for a Standalone CA in Workgroup environment.
Regards
marius
Hello,
we have a 3-TIER PKI with Offline Root and Policy CA and Online Issuing CA's in our environment spread over severall domains in different forests.
Last week we noticed that one of the Issuing CAs is not able to see any Templates in the CA MMC. Further troubleshooting showed that the pkIEnrollmentService Object in the CN=Enrollment Services was missing.
We have recreated this Object and rebooted the CA Server. Now the CA is able to see some Templates, but only the default Templates, no self created templates.
I've already checked the Security Settings but didn't find any Issues. Even new created Templates will not show up. The Eventlog of the CA is clean and there are no other Errors.
Is there anything else we can check why the CA is not able to see the Templates. All the CAs are running on Server 2012 R2 in a Domain on 2008 Functional Level.
Regards
I am attempting to RDP into multple Windows Server 2016 VMs with no success. It is joined to a domain and I am using a domain account.
The error I see is on the servers is Event ID 4625:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: XXXX
Account Domain: XXXX
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0x80090302
Sub Status: 0xC0000418
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: X.X.X.X
Source Network Address: X.X.X.X
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
I believe this may be a problem with NTLM authentication as this should have been disabled but the event log still shows NTLM as the authentication package.
The following local security policies are set on the domain controllers and servers:
The registry item HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel has been set to 5
I am able to remote into these if I disable Allow connections only from computers running Remote Desktop with Network Level Authentication although this is not a long term solution.
Hi everyone,
A customer has asked me to put in place auditing for all activity of one particular user who he thinks is carrying out activities that are harmful to the operation of the company. I have shown him the basic auditing that comes with Windows, but he finds it cumbersome to view and trawl through.
Can anybody recommend a cheap, user friendly system that can present the Windows logs in a more palatable manner, maybe in a report or as a simple web page. What he is looking for is to be able to see logon/logoff times, files accessed/deleted/modified.
Thanks,
Hi all,
Just wondered on best procedure to clear up a mess I have been presented with. We have a root CA Server in one of our subdomains that has been installed historically. We already have a root CA server else which is part of the proper hierachy so I would like to remove the incorrect Root CA and replace it with an issuing CA. I am also trying to avoid impact where possible to users/applications etc. Is it best to complete decom/remove the incorrect Root CA first or install the new Issuing CA first then decom the old Root CA? Im concerned I might end up with duplicate templates in AD. Thanks