Channel: Security forum

Enterprise Root CA Post Migration


I migrated an enterprise root CA from 2008 Standard to 2012 Standard.  All seems to be working, however when I submit a certificate request (via web enrollment) for a user certificate, it appears to work properly, but the following event is generated on the CA:

Active Directory Certificate Services could not publish a Certificate for request 24 to the following location on server dc01.lab.com: CN=Admin,OU=IT,OU=Administrators,DC=lab,DC=com.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344).
ldap: 0x32: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

I've given the Cert Publishers AD group read/write to 'Domain users' and 'Domain computers' per some recommendations I saw in a similar thread, however that didn't fix anything.  

**Update**

I rebooted the server and this error went away, however I'm receiving the following errors after a reboot from the CA services:

The "Windows default" Policy Module logged the following warning: The Active Directory connection to ??? has been reestablished to DC01.lab.com.

The "Windows default" Policy Module "Initialize" method returned an error. The specified domain either does not exist or could not be contacted. The returned status code is 0x8007054b (1355).  The Active Directory containing the Certification Authority could not be contacted.

Could not connect to the Active Directory.  Active Directory Certificate Services will retry when processing requires Active Directory access.

When I generated a new user certificate after a reboot it logged this:  The "Windows default" Policy Module logged the following warning: The Active Directory connection to DC01.lab.com has been reestablished to DC01.lab.com.


TPM / Bitlocker implementation on a domain join machine which is being shared by multiple users


Hello All,

Project - There are more than 2 users who access the same Windows 8 machine using their domain credentials, and we need to ensure that we implement TPM/BitLocker for that machine and that users do not share their BitLocker password.

Machine details:

TPM mother board.

OS - Windows 8 x64.

Domain joined machine (DC - windows 2008 R2)

Number of users going to use this machine with their domain credentials - more than 1

Any suggestion, pointer to implement the same would be great.

Thanks in advance,

Arun


Arun Kumar | MCSE:W2K3 + Messaging | MCTS:Exchange 2007 | MCTS:OCS 2007 R2 | ITIL-F V3

Request a Certificate from Server 2003 to Enterprise CA on Server 2012


Hello,

I'm attempting to create and submit a request to my Enterprise CA (on Server 2012) from a 2003 Server.  I'm using the web request form and using the Web Server template.  I create the request and submit. All I get for my efforts is a web page dialogue saying "This page has not finished loading yet.  Please wait a few seconds and try again".  Any ideas?

Thanks,

DML


DLovitt

Created new CERT Authority with out EA account


Hi all,

I have set up a PKI in my multi-domain environment. I did a two-tier setup with an offline root and two issuing CAs.

The issuing CAs were set up by accident in the root with a NON Enterprise Admin account; they were set up with a root domain admin account instead.

I need to understand the implications of this;

What i have seen so far.

1. Cert Publishers group in child domains are empty.

2. Some 2008 DCs are getting the root CA and are issued a certificate from the issuing CA, but also generate the following event in Event Viewer:

Event id 80; Source Microsoft-Windows-CertificationAuthority on a windows 2008 certificate server
Active Directory Certificate Services could not publish a Certificate for request ##### to the following location on server DC.DOMAIN.COM: CN=user,OU=OU, DC=domain,DC=com.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344).

ldap: 0x32: 00002098: SecErr: DSID-03150E8A, problem 4003

I know this relates back to the Cert Publishers group.

My question is, what settings would have been missed out by not using an Enterprise Admin account? Is this something I can add in myself, or do I need to decom the new environment and start again?

Other useful bits;

All servers are 2012 STD

the root CA was published to my AD using the -f -dspublish command using a root domain admin account.

Some certs are being issued in child domain but there are numerous warnings logged (as above)

Thanks for your help in advance!

Installed Enterprise CA into root domain now getting errors on child domain DCs when autoenrolling the DC template


Hi all,

I've hit a potential problem while deploying a two-tier CA PKI. All servers are running Server 2012 Standard; the Offline Root was installed as local admin and the Enterprise Issuing CAs were installed using a Domain Admin account rather than an Enterprise Admin. I read (afterwards) that the account requirement is Enterprise Admin to install the CA role, NDES etc.

The strange thing is all seems to be OK for most certificate requests but I have experienced a few 'funny' events and the CertOCM.log file has LOTS of access denied errors. The main problem seems to be DCs in child domains requesting a cert and, other than the fact some get them and some don't, the event ID 80 is being logged with the following warning:

Active Directory Certificate Services could not publish a certificate for request %1 to the following location on server %4: %2.  %3.%5%6

I've been looking at the following articles (http://support.microsoft.com/kb/281271 and http://support.microsoft.com/kb/219059) - adding the Cert Publishers group into the child domain Cert Publishers group - but the customer is loath to try this as a) this is a new clean install and I've just decommissioned their old environment! and b) what else is affected by not installing using the EA account?

Understandable to be honest and annoyed with myself for missing this! (All my other deployments must have been completed using a member of the EA group!!!)

Can anyone please confirm EXACTLY what is modified during the Enterprise CA install (obviously correctly using EA permissions!) and also are there any other implications to following the above articles to get around the problem?

If I can't get an official answer I suspect I will be decommissioning the 2 new Issuing CAs and re-installing. With Enterprise Admin rights this time!!

Thanks in advance,

James.

PS - This is an excerpt from the CertOCM.log file:

114.5354.949: <2013/8/14, 14:06:12>: End: CCertSrvSetup::SetCADistinguishedName
114.2577.948: <2013/8/14, 14:06:12>: Begin: CCertSrvSetup::SetDatabaseInformation
114.2620.949: <2013/8/14, 14:06:12>: End: CCertSrvSetup::SetDatabaseInformation
114.684.948: <2013/8/14, 14:06:37>: Begin: CCertSrvSetup::InitializeDefaults
109.7915.0:<2013/8/14, 14:06:37>: 0x80070002 (WIN32: 2)
109.7934.0:<2013/8/14, 14:06:37>: 0x80070002 (WIN32: 2)
109.7915.0:<2013/8/14, 14:06:37>: 0x80070002 (WIN32: 2)
401.1317.946: <2013/8/14, 14:06:37>: Opened Policy inf: C:\Windows\CAPolicy.inf
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
109.1077.0:<2013/8/14, 14:06:37>: 0xe0000102 (INF: -536870654)
114.737.0:<2013/8/14, 14:06:37>: 0xe0000102 (INF: -536870654)
454.346.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259)
454.346.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259)
454.346.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259)
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
452.627.0:<2013/8/14, 14:06:37>: 0x80090030 (-2146893776): Microsoft Platform Crypto Provider
454.678.0:<2013/8/14, 14:06:37>: 0x80090030 (-2146893776)
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
452.722.0:<2013/8/14, 14:06:37>: 0x80090016 (-2146893802): XXXXXXXXXXXXXXXX (replaced as contains NetBIOS name)
112.339.0:<2013/8/14, 14:06:37>: 0x80090016 (-2146893802): Exception at ds\security\services\ca\fs\crypto\cngcryptofactory.cpp(441): NCryptOpenKey(hProv, &hKey, pwszKeyName, nLegacyKeySpec, acquireToOpenKeyFlags(fAcquire))
HRESULT = 0x80090016
114.883.949: <2013/8/14, 14:06:37>: End: CCertSrvSetup::InitializeDefaults
114.3137.948: <2013/8/14, 14:06:37>: Begin: CCertSrvSetup::SetCASetupProperty
114.3226.949: <2013/8/14, 14:06:37>: End: CCertSrvSetup::SetCASetupProperty
114.3137.948: <2013/8/14, 14:06:37>: Begin: CCertSrvSetup::SetCASetupProperty
114.3226.949: <2013/8/14, 14:06:37>: End: CCertSrvSetup::SetCASetupProperty
114.3137.948: <2013/8/14, 14:06:37>: Begin: CCertSrvSetup::SetCASetupProperty
114.3226.949: <2013/8/14, 14:06:37>: End: CCertSrvSetup::SetCASetupProperty
114.3137.948: <2013/8/14, 14:06:37>: Begin: CCertSrvSetup::SetCASetupProperty
114.3226.949: <2013/8/14, 14:06:37>: End: CCertSrvSetup::SetCASetupProperty
114.4910.948: <2013/8/14, 14:06:37>: Begin: CCertSrvSetup::SetCADistinguishedName

Bitlocker not working

I am trying to turn on bitlocker on my 25 terabyte c: drive on a Windows Server 2008 R2 Sp1 system, and I receive a message saying a device attached to the system is not functioning.  I used UEFI to setup the system for raid 5 on ten sata hard drives.  Any thoughts would be greatly appreciated.

Segurança em strings de conexão


Hi everyone,

This week a topic came up at the company: what is the ideal way to use connection strings for an Oracle database, using the full data source, or using tnsnames.ora and putting the database connection details inside it? Which is the best practice, the ideal in terms of security?

Example:

<add name="XYZ" connectionString="Data Source=XYZ.WORLD;User ID=xyz;Password=xyz;"/>

or

<add name="XYZ" connectionString="Data Source=(DESCRIPTION =
    (ADDRESS_LIST =
      (LOAD_BALANCE = off)
      (FAILOVER = on)
      (ADDRESS_LIST =
        (LOAD_BALANCE = on)
        (FAILOVER = on)
        (ADDRESS = (PROTOCOL = TCP)(HOST = XYZ1-1.internal.xyz.org.uk)(PORT = 1522))
        (ADDRESS = (PROTOCOL = TCP)(HOST = XYZ1-2.internal.xyz.org.uk)(PORT = 1522))
      )
      (ADDRESS_LIST =
        (LOAD_BALANCE = on)
        (FAILOVER = on)
        (ADDRESS = (PROTOCOL = TCP)(HOST = XYZ2-1.internal.xyz.org.uk)(PORT = 1522))
        (ADDRESS = (PROTOCOL = TCP)(HOST = XYZ2-1.internal.xyz.org.uk)(PORT = 1522))
      )
    )
    (CONNECT_DATA =
      (SERVICE_NAME = UVASA)
      (FAILOVER_MODE =
        (TYPE = select)
        (METHOD = basic)
        (RETRIES = 16)
        (DELAY = 1)
      )
    )
  );User ID=xyz;Password=xyz;"/>

Convenient and easy ways to reset Windows server 2008 password?


First convenient and easy way to reset a Windows Server 2008 password: another administrator

1. An admin account can be used to log in to Windows Server 2008 directly

Access Windows Server 2008 with the admin account, then change or reset the lost Windows 2008 password directly.

2. Run the net user command to reset the Windows Server 2008 password from a Command Prompt

If you want to reset a Windows password, an admin account is necessary to log in to Windows first.

Search for cmd in the Run box, then click it and run it as administrator.

Type net user in the Command Prompt and press Enter. The Windows user account names will be listed for you in the Command Prompt window.

Type net user <net user name> <new user password> and hit Enter

<net user name>: the user whose password you want to reset

<new user password>: the new password for the user you typed

The new password has been successfully reset when the command completes successfully.

Second convenient and easy way to reset a Windows Server 2008 password: Windows Password Genius

1. Search for, download, install and run it on another accessible computer

2. Insert a blank USB disk into it to create a password reset disk

3. Plug the bootable USB reset disk into the locked Windows server and boot it from the USB device

4. The Windows Password Genius program runs; choose the user account and click "Reset password"

5. Reboot Windows Server 2008. Access it without a password.


offline logon to the windows 7 using a smart card, Outlook is not able to connect to the Exchange server even once the network is available


The problem is with an offline logon to the computer using a smart card Outlook is not able to connect to the Exchange server even once the network is available (see steps below)

a) Logon with smart card when the computer is not connected to the network

b) Then connect the computer to the network

c) Open MS outlook and it tries communicating with the Exchange server but fails (smart card appears busy when outlook attempts to communicate with the exchange server)

d) The windows event log shows Smart Card Logon error( Event ID 17) : "An error occurred while decrypting a message: key not valid for use in specified state"

Are you aware of any additional steps required after an offline logon using a smart card to authenticate with the domain once the network is available?

Note: If you lock and unlock the computer with a smart card then Outlook will connect successfully.

Security log in Windows 2008 R2 not logging events


Kind of a weird problem, joined a Windows 2008 R2 server to the domain, at no point though does it appear to have logged the default security events except the most basic ones relating to start up and shut down.  E.g. Event ID 4624 is not recorded for local log on events.

There is a domain security policy which overrides some of the local settings, but at no point even before joining the domain did it appear to record local log on events and nearly all the other default stuff it's supposed to record.

So I went into the local security policy on the server and forced the auditing to occur, this has solved the problem but I'm a bit worried as to why it happened in the first place?  Some weird problem with the setup of the server?  Is there anything I can check in the registry for example to see what may have happened?

File Permissions


I have been having some issues getting file permissions worked out to act the way that I need them to.   We are using AD to control the permissions.

Folder structure:

Share
-Common
--Pictures
---Date1
---Date2
---Date3
---Date4
-Documents

We have a bunch of users which need access to the pictures folder, and each date within that folder, they need write access to that folder, but MUST NOT have the ability to rename or move that date1-4 folders. 

I created a group for the pictures folder, I added users to that group as members, and then I added that group to the permissions of pictures, with write permission. 

Share has Authenticated Users (Traverse Folder, List Folder, Read Attributes, Read Permissions) This folder, subfolder and files.
Common has Authenticated Users (Inherited)
Photos has no inheritance and Photos_group (Traverse Folder, List Folder, Read Attributes, Read Extended Attributes, Read Permissions) This folder, subfolder and files. 
Date1 has no inheritance and Photos_group (Traverse Folder, List Folder, Read Attributes, Read Extended Attributes, Create Files, Create Folders, Write Attributes, Write Extended Attributes, Delete, Read Permissions) Subfolders and files. 

However, though this stops users from renaming the folder Date1 or moving that folder, it also stops them from editing files within Date1, or moving folders within that folder. 

I have tried a bunch of similar permissions, but always end up with either the ability to edit the documents within the date folders, and the ability to move the date folders, or neither. 

I am looking for the correct permissions that will allow users to Modify files and folders within the date folders, but NOT to move/rename/delete the Folders that are within the Photos folder (which includes the Date folders)

Any help would be awesome, thanks.


advanced audit policy dabbling and regretting


Noticed a lot of "Windows Filtering Platform" events on a 2008 R2 member server in a 2008 R2 domain.

For grins, I disabled Windows Filtering Platform events on my GPO that sets audit settings. gpupdate on the client, events stopped as desired. Got rid of the Windows Filtering Platform settings on the GPO, gpupdate on the client, events started again. OK, all working as expected.

Then I went into the local security policy on this same member server and disabled the Windows Filtering Platform auditing. Events stopped. I realized *all* security events had stopped. Did some research, found out that legacy auditing settings and advanced auditing settings can't live together. So I removed the Windows Filtering Platform configuration from the local security settings on the client, then gpupdate /force to get the group policy auditing settings back. They show up in RSoP and gpresult /H, but it's still not auditing anything (this is an Exchange server so there are constant logins). auditpol /get /category:/* shows no auditing on anything on this client. I disabled the "Force audit policy subcategory settings to override audit policy category settings" option. gpupdate /force on the client, still no auditing. auditpol /clear and gpupdate /force, still no auditing. Group policy is refreshing OK; it's just not getting the auditing settings. This is only on the client where I configured local policy for a minute.

When I do a gpupdate, I see a bunch of audit policy 4719 events in the security log; they just say "this/that/success/failure removed." I even made a benign change to the audit policy GPO to see if that would kickstart it, and that change does appear in RSoP and gpresult /H, but no auditing. gpresult /H does show the local group policy in the "applied GPOs" section, but none of the settings show "local group policy" as the winning GPO.

How do I get this client to pick up the (legacy) audit settings in group policy again?

Wrong CA Store for Root Certificate


Hello

I've set up a PKI with an offline Root and an online intermediate under Windows 2012.

I deployed certificates to Active directory using

dspublish /RootCA

dspublish /NTauth and SubCA for intermediate

When I activate auto-enrollment or MMC enrollment for a Windows 7 client, the two certificates appear under Intermediate Certificate Authorities, but the root certificate is not listed under the Root Certificate Authorities store. The client receives a user cert, but because of the missing root cert it is untrusted.

I tried to put the root cert in my Autoenroll GPO but this has no effect. Pkiview Status is OK for my Root Cert

I already followed this Troubleshooting Guide without any result

http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx

I could provide link with my certs if this would help?

I've seen one question where this appeared due to wrong signature, but I'm using sha1 so this should not be an issue.


SSL Server allows cleartext communication vulnerability - Direct Access Servers 2012 - PCI Scan


I wanted to check with the community about the following situation.

SERVERs are Windows 2012 running DA.

We have a third-party security company that runs PCI audit scans on a regular basis; they have recently detected a vulnerability on the DA servers (see below). The DA servers are fully patched.

The proposed solution seems a little obscure, and doing some research I have found the following article, which describes the issue and a way to get it fixed on IIS servers (How to configure Microsoft IIS to not accept weak SSL ciphers).

http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html

This is a standard security scan and my assumption is that a lot of Microsoft DA customers facing PCI scans will be experiencing the same issue.

We would appreciate if someone can advise or guide us into the right direction.

VULNERABILITY DETAILS
CVSS Base Score: 5.4 AV:N/AC:H/Au:N/C:C/I:N/A:N
CVSS Temporal Score: 4.4 E:F/RL:TF/RC:UR
Severity: 4
QID: 38143
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 08/06/2008
THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.
The client-server communication is generally encrypted using a symmetric cipher like RC2, RC4, DES or 3DES. However, some SSL ciphers allow
communication without encryption. This vulnerability allows anyone who can sniff the traffic between the client and the server to see the
communication.
Please note that this detection only checks for weak cipher support at the SSL layer. Some servers may implement additional protection at the data
layer. For example, some SSL servers and SSL proxies (such as SSL accelerators) allow cipher negotiation to complete but send back an error
message and abort further communication on the secure channel. This vulnerability may not be exploitable for such configurations.
IMPACT:
An attacker can exploit this vulnerability to read apparently secure communication.
SOLUTION:
Disable ciphers which support cleartext communication.

SSL Server Allows Cleartext Communication Vulnerability

How to reset Windows Server 2008 R2 password on the dell server, please help me.

I lost my windows server 2008 password on a dell raid server and didn't create a password reset disk, is there any way to reset the password? Please help me. Thank you!

Certificate: Revocation Status: The revocation function was unable to check revocation because the revocation server was offline.


Hi Team,

I have a problem. I have a 3-tier certificate chain: Root, Intermediate, Enterprise CA.

My Enterprise CA has an issue:

Revocation Status : The revocation function was unable to check revocation because the revocation server was offline.

The latest event viewer is error Certificate Authority event id 66 Active Directory Certificate Services could not publish a Base CRL for key 1 to the following location: file://\\my-location.crl.  Cannot create a file when that file already exists. 0x800700b7 (WIN32/HTTP: 183).

Audit failure: Event ID 4771


One of my users keeps getting locked out, and when I ran the Account Lockout Status tool (LockoutStatus.exe), I could not find any information related to the lockout.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/15/2013 3:06:07 AM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DC.domain.org
Description:
Kerberos pre-authentication failed.

Account Information:
    Security ID:              CBPP\john
    Account Name:             john
Service Information:
    Service Name:             krbtgt/domain
Network Information:
    Client Address:           ::ffff:10.0.0.33
    Client Port:              50332
Additional Information:
    Ticket Options:           0x40810010
    Failure Code:             0x12
    Pre-Authentication Type:  0
Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2013-08-15T07:06:07.328366400Z" />
    <EventRecordID>34664985</EventRecordID>
    <Correlation />
    <Execution ProcessID="500" ThreadID="1204" />
    <Channel>Security</Channel>
    <Computer>CBPP-DC.cbpp.org</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">johnson</Data>
    <Data Name="TargetSid">S-1-5-21-1292428093-1383384898-1417001333-1138</Data>
    <Data Name="ServiceName">krbtgt/cbpp</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x12</Data>
    <Data Name="PreAuthType">0</Data>
    <Data Name="IpAddress">::ffff:10.0.0.33</Data>
    <Data Name="IpPort">50332</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>
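The 4771 event above already carries the fields that locate a lockout (TargetUserName, IpAddress, Status). The following added example, which is not from the post or from Microsoft, parses exported 4771 event XML, decodes the Status code per RFC 4120, and counts wrong-password failures (0x18) per account and client address; a 0x12 like the one the poster found is the symptom of an already-locked account, not its cause. The sample events are constructed to match the shape of the event above, with placeholder names and addresses.

```python
"""Triage Kerberos pre-authentication failures (Event ID 4771) exported as
event XML, to find the source of an account lockout."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Kerberos error codes (RFC 4120) seen in the 4771 Status field.
STATUS_MEANING = {
    "0x12": "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
    "0x17": "KDC_ERR_KEY_EXPIRED (password expired)",
    "0x18": "KDC_ERR_PREAUTH_FAILED (wrong password)",
    "0x25": "KRB_AP_ERR_SKEW (clock skew too great)",
}


def parse_4771(xml_text):
    """Return the lockout-relevant fields of one 4771 event as a dict."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "4771":
        raise ValueError(f"not a 4771 event: {event_id}")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    ip = data.get("IpAddress", "")
    if ip.startswith("::ffff:"):  # the DC logs IPv4 clients as IPv4-mapped IPv6
        ip = ip[len("::ffff:"):]
    status = data.get("Status", "")
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "user": data.get("TargetUserName", ""),
        "ip": ip,
        "status": status,
        "meaning": STATUS_MEANING.get(status, "unknown"),
    }


def lockout_sources(xml_events):
    """Count wrong-password failures (0x18) per (user, ip).

    A 0x12 event is the symptom: by then the account is already locked, so it
    says nothing about who caused the lockout. The 0x18 events that precede it
    name the client address that kept sending the bad password."""
    causes = Counter()
    for ev in xml_events:
        rec = parse_4771(ev)
        if rec["status"] == "0x18":
            causes[(rec["user"], rec["ip"])] += 1
    return causes


def sample_event(user, ip, status, when):
    """Constructed 4771 event in the same shape as the one in the post."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4771</EventID>
    <TimeCreated SystemTime="{when}" />
    <Computer>DC.domain.org</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="ServiceName">krbtgt/domain</Data>
    <Data Name="Status">{status}</Data>
    <Data Name="PreAuthType">0</Data>
    <Data Name="IpAddress">::ffff:{ip}</Data>
    <Data Name="IpPort">50332</Data>
    <Data Name="CertIssuerName">
    </Data>
  </EventData>
</Event>"""


# Constructed sample: five bad passwords for john from one workstation, then the
# 0x12 the poster saw once the lockout threshold was hit, plus unrelated noise.
SAMPLE_EVENTS = [sample_event("john", "10.0.0.33", "0x18", f"2013-08-15T07:05:0{i}Z")
                 for i in range(1, 6)]
SAMPLE_EVENTS.append(sample_event("john", "10.0.0.33", "0x12", "2013-08-15T07:06:07Z"))
SAMPLE_EVENTS.append(sample_event("alice", "10.0.0.50", "0x18", "2013-08-15T07:06:09Z"))

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = parse_4771(ev)
        print(r["time"], r["user"], r["ip"], r["status"], r["meaning"])
    for (user, ip), n in lockout_sources(SAMPLE_EVENTS).most_common():
        print(f"{n} wrong-password attempts for {user} from {ip}")
```

Export the real events with `wevtutil qe Security /q:"*[System[EventID=4771]]" /f:xml` on the DC and feed each `<Event>` element to `parse_4771`; the address with the most 0x18 entries just before the 0x12 is where the stale credential lives.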

Certificate Authority across forests question


Hi,

I am working on getting my certificate authority to work across forests.

At the moment, it is in "Forest A".

"Forest B" has a number of Sharepoint servers, which for Sharepoint-specific implementation details, require an internal CA.

Is it the right design to enable trust across the DCs to provide certificates to machines in Forest B? Or is there another way to achieve this without creating a trust. In effect, I would like to add a certificate to the "personal" store for the computer account on servers in Forest B.

Thanks

How to check on software installed on workstations


We have set up a Server 2012 domain with Windows 8 workstations in a remote location that we cannot physically attend. We have allowed several domain users to be a local admin on the workstations, and they are meant to contact us before installing any new software on a workstation.

The situation has arisen where unauthorised software has been installed on a workstation, but the staff with the local admin authority all claim they did not install it.

Is there a way to:

1) find whose credentials were used to install the software?
2) set up some method for the server/workstation to notify us each time new software is installed or PC local admin credentials are used, so we are aware in future if and when this happens?

Replacing certs in cert store on ADFS server


Hi All,

I am building an ADFS environment. However, I have noticed that my certificates in the computer certificate store represent a different host name. I would like to fix this by placing a certificate into the store from my cert authority (internal). However, the cert authority is in a different forest. Would this cause an issue?

Thanks
