Channel: Security forum

Signing a CSR that doesn't match a template


I am trying to sign a CSR generated by either OpenSSL or any other type of non-Microsoft certificate tool. I basically get rejected when I import the request, as it says it does not match the templates available. How can I do this using a Microsoft CA environment?

My environment is the 2-tier offline root standalone with online Enterprise issuing CA.




Subordinate CA in child domain DirectAccess 2012


At the moment we're using one enterprise CA that issues certificates for all the domains in the forest. We want to set up a subordinate enterprise CA in the child domain. This CA will be used to issue health certificates and certificates used for authentication against a DirectAccess 2012 server. But is it safe to delete the default templates that are located in the certificate templates folder?

We don't want the subordinate CA to issue certificates that aren't needed since they are being issued by the Root CA. 

SetSPN fails for all accounts with Unknown Parameter


I'm having problems setting up delegation for an account.

To troubleshoot (and make sure the customer had created the account), I tried:

Setspn -l svc_sapcrystal

That fails with "Unknown parameter svc_sapcrystal. Please check your usage"

It fails with every user account we've tried. The user is definitely logged in as a domain admin.

We've tried using the full domain account name too - still fails.

It's a Windows Server 2012 domain controller, not sure if that makes a difference. There is an old domain lurking, but everything is being done on the current domain.

Anyone got any ideas?


Andrew www.pursuittechnology.co.uk

How to prevent domain controllers from attempting authentication on 2nd NIC


I have set up a second NIC on my domain controllers and assigned a new VLAN for a backup-only network for DPM. This works, but I've found that the 2nd NICs are broadcasting as available domain authentication points. This is causing problems for our wireless access points that are not VLAN aware. How can I prevent the 2nd NICs from offering authentication services over the network?

Thanks,
Joe

Cert enrollment problem


I've been going round in circles on this one for a while now, but still haven't resolved the problem. To summarize, we have a dedicated forest root, with multiple child domains. One of the child domains is separated from the root via a firewall, and the DCs in this child domain replicate over IPsec. The clients in this domain DO NOT have RPC connectivity to the root. All DCs in the forest are 2008 R2 Enterprise.

In the root domain, we have our root CA, along with a subordinate CA. Clients in the 'other' domain (not firewalled) can check out certs no problem, either using MMC or via the web GUI. Clients in the firewalled domain cannot check out certs using MMC (RPC error), but can via a web enrollment proxy running on one of the DCs (but WEP cannot issue computer certs, just user certs), and auto-enrollment doesn't work.

So, I read up on the Certificate Enrollment Web Service and Policy Web Service. It seemed to imply this could provide a solution to our problem by allowing a special enrollment policy that doesn't require the clients to have RPC connectivity to the root CAs. I installed this on a DC in the firewalled domain, exactly following an MS guide. All the install went OK, and if I check out a computer cert from the MMC snap-in on the DC itself (using the new policy), this works fine. If I try it from a client though, it can see the new enrollment policy, but when I try to request the cert I get the error:

Enrollment Error

The specified domain either does not exist or could not be contacted

So, it appears even with this config, the client seems to need RPC connectivity to the root CA. I've checked everything I can think of, and it SHOULD work, but just isn't.

So, this is my last resort. If someone can help, or needs more information, just let me know. The other alternative I'm considering is actually installing another full subordinate CA on a DC in the firewalled domain. As the DC still has full access to the root, this might be my only remaining option.

Enforce and GPO security filtering


I have 4 GPOs that I would like to apply to the same OU, and I would like to control access to them by adding security groups of the users I want each policy to take effect for to the "Security Filtering" field in the Scope tab.

One of the GPOs is enabled for all users; the other three have specific users. For some reason the GPO where all users have permission is taking effect and not the others. If I enforce the three GPOs with specific users, will this enforcement apply to everything in the OU or just the users in the security filtering? In other words, does GPO enforcement ignore the security filter, or does the security filter still count even when the GPO is enforced?

You may be asking why I am not using different OUs for this, well, I can't move these users out of this OU for management reasons.

I would appreciate your help with this.

Thanks,

D. Estrada 


Expired Certificate


We have software on our servers that exposes certificate requests made by our system. We have noticed that one certificate request that happens (and fails) a lot appears to be an expired Microsoft certificate. I cannot find this certificate anywhere in the certificate stores. Can someone help us locate where this is coming from? We would like to remove the expired certificate if that is the actual issue.

Certificate Revocation Status
Calling Application: svchost.exe
Certificate Name: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Windows
Certificate Issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Verification PCA
Certificate Serial Number: 330000001B1C4C5C7BD3FF112B00000000001B
Revocation Status: Unable to verify
Error: The certificate has expired.

We are looking at this because we have some performance issues and we are wondering if this might be the cause of some of our issues. These systems have no access to the internet, so that may be part of the equation.


In Windows Server 2008 R2: should I rename a user account or disable it?


I have Windows Server 2008 R2 with Active Directory. I want to know if it is a best practice to rename a user account, for example "Chris" to "Monica", or just to disable it and create another?

Regards

Windows Firewall with advanced security - IPSec bug


Hi,

I think I found a problem with IPsec on Server 2008 R2.

I have a customer that has a server in a datacenter. It has a public IP on the NIC. We are changing ISP and need our own Cisco appliances so I ordered ISA500W.

With the old ISP there are, in Windows Firewall with Advanced Security (WFAS), connection security rules (CSR) for an IPsec tunnel to the old ISP's Ciscos (type 861, I think). The IPsec tunnel works fine.

With our new ISA500W (behind NAT) the VPN builds/disconnects/builds/disconnects every few seconds. Actually more than once per second I think as the ISA500W log grows very quickly.

#1 It's not a problem with the new ISP's router, as an old Linksys RVS4000 with the same IP config behind their NAT connects fine. => No ISP or server config problem
#2 The ISA500W IPsec <-> Server 2008 R2 works fine when the Cisco has a public IP. => This might indicate a Cisco issue with NAT-T. But that was solved in the latest firmware.
#3 The ISA500W IPsec <-> other ISA500W: they can connect even behind NAT. => So this confirms the Cisco NAT-T issue is solved in the newest firmware.

I tested a bunch of things with virtual machines. Finally I tested a Windows Server 2012 machine with the exact same WAN IP + Cisco behind NAT, and that one establishes the tunnel in a few seconds and keeps it stable.

#4 ISA500W IPsec <-> Server 2012 connects fine even behind NAT. => This to me indicates a Server 2008 R2 problem.

I know, in a way it's not a Server 2008 R2 issue, as cases #1 & #2 work. But case #4 is the exact same config with Server 2012, and that one works.
I also opened a post on a Cisco forum, as in #1 the same config with a different vendor appliance works.
https://supportforums.cisco.com/message/4007565

Can Microsoft & Cisco solve this together somehow? 
Microsoft would say it's a Cisco issue as the Linksys works, and Cisco would say it's a Microsoft issue as Cisco <=> Server 2012 with NAT works...

best regards

David

Issue certificates for mobile devices


We're trying to beef up security and implement multi-factor authentication for non-domain joined machines.

Currently only domain-joined machines (the users need to provide their domain credentials, and a computer cert is required on the device; autoenrollment is used) have the ability to do an L3 VPN in order to access our resources.

We'd like to extend that to non-domain-joined machines such as Macs, Linux, Android and iOS devices. I was thinking along these lines, but don't know where to start:

- A user goes to a website and requests a new certificate. I don't know which is preferable, user (probably) or computer, esp. if the user has many devices. If this isn't possible (I'm not sure this URL would be available off the LAN), I need to generate the certificate on behalf of the user and send it to them. I'm also thinking of limiting them so they can only import the cert once, but am not sure this is a good idea (how would I handle multiple devices?).
- I need to know which cert is for which user, so I can easily revoke it when he/she leaves the company.

CAs are 2008 R2.

Could someone provide a few tips and then URLs as to how to implement something like this?

How to renew expiring Data Recovery Agents in Encrypting File System

Refreshing computer certificates


I configured Auto Enrollment for computer certificates with our AD CA and it worked fine. However I am now decommissioning the old CA. I've set up a new CA, disabled the old CA from issuing certs (however it is still up for authenticating and CRL).

New computers added to the domain are successfully autoenrolling with my new CA. However computers that currently have a cert with the old CA aren't pulling a certificate. I tried revoking the cert on the old CA, and deleting it from local store, but neither seemed to trigger.

Any suggestions? TIA.

How to prevent users in Domain Admins from creating a new user and adding this new user into the Domain Admins group


Hi,

Question 1:

I have to share some privileges with CM factory local IT, so I create another account and add it into the Domain Admins group, but I do not want local IT to use my Domain Admin account or change my password. E.g. there are 2 users in the Domain Admins group (User_A and User_B, in Windows Server 2003 or 2008). How to prevent User_B from creating a new user (e.g. User_C) and adding this new user into the Domain Admins group (keeping User_A's rights here)?

Question 2:

Also, for 2 domain users, how to prevent User_B from changing User_A's password?

Thanks very much

Add additional attributes while submitting a certificate request


Hi everyone

I have a problem. In which "format" do I need to add the attributes when I want to submit a certificate request on my PKI? The attributes I want to add are:

X509v3 Extended Key Usage:TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System

X509v3 Key Usage:Digital Signature, Key Encipherment, Data Encipherment, Key Agreement

When I insert them like this, I can't find them in the certificate. Any idea?

Regards

Désirée


Windows Update Error 0x80070005

Account locked out

I can no longer log in to SharePoint with my AD user account. The admin account is fine. Other user accounts are fine. Checking Event Viewer -> Security on the web server shows audit failures for every attempt, saying "Account locked out". Why? By what? Where? How do I unlock what should never have become locked?

How to Reset Administrator Password Windows Server 2003 If I Forgot It?


I am using Windows Server 2003 Enterprise Edition. I forgot the Windows Administrator login password. It is the only user on my system. How do I reset the password, or how do I log in, other than the option of formatting the OS, because important software and data are there? I want it.

It works as a domain controller. Please give me an available tip for resetting the Windows Server 2003 administrator password without data loss. Thanks!

SSL Certificate for Internal Domain Controller


Hi, I need to install some SSL certificates on my 3 domain controllers to enable TLS.

I wish to use a third-party CA (Symantec/VeriSign) to produce the certificates. The domain my DCs are on is not public.

Is it possible to produce a certificate with our public-facing domain name and use a Subject Alternative Name (SAN) option specifying the FQDNs of the 3 domain controllers, which can be installed on the domain controllers?

Or what is my solution here?

Thanks!

CA request - Windows Server 2012 - Subject Alternate Name

Hi,

On a 2008 R2 SubCA I used an .inf file to create certificates with a SAN. I used the following extension:

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=name.domain.com$dns=othername"

This does not seem to work on a 2012 SubCA. Are there any changes in how to get a SAN into the certificate?

Regards,
Espen
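As an added example that is not part of either post, the following script ties together the two certreq questions on this page: the SAN request .inf in the `{text}` form shown above, and supplying a template name on submission, which is what an enterprise CA needs for a request (such as one built with OpenSSL) that carries no template information of its own. It assumes hypothetical host names, CA config string and template name, and uses the `&` terminator that certreq documents for `_continue_` values.

```powershell
# Added example, not the poster's code. Hostnames, CA config string and
# template name below are hypothetical placeholders; adjust for your PKI.
$caConfig = "ISSUINGCA01.corp.example\Corp Issuing CA"   # hypothetical "host\CA name"
$template = "WebServer"                                   # hypothetical template name

# Single-quoted here-string so "$Windows NT$" is written literally.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=name.domain.com"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
KeyUsage = 0xa0    ; Digital Signature + Key Encipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1    ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=name.domain.com&"
_continue_ = "dns=othername.domain.com&"
'@
Set-Content -Path .\san.inf -Value $inf -Encoding Ascii

# Build the PKCS#10 request from the .inf.
certreq -new .\san.inf .\san.req

# The CertificateTemplate attribute is what lets an enterprise CA accept a
# request that does not name a template itself.
certreq -submit -config $caConfig -attrib "CertificateTemplate:$template" .\san.req .\san.cer

# Check that the issued certificate actually carries the SAN extension.
$certPath = (Resolve-Path .\san.cer).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if ($san) { $san.Format($true) } else { Write-Warning "No SAN extension in issued certificate" }
```

If the CA is configured to require manager approval, `certreq -submit` returns a request ID instead of a certificate; retrieve it afterwards with `certreq -retrieve`.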