Channel: Security forum
Viewing all 12072 articles

Configuring SSL for Windows web server 2003

Hi,

I am trying to configure SSL for Windows web server 2003, which is further connected to 3 nodes of WebLogic (on which the application is deployed).

access flow:

IDAM (Identity and access management) -> web server -> application server.

I have made the necessary changes in the httpd.conf and ssl.conf files, but I am unable to figure out how to change ports for the web server, as the web server is further communicating with 3 nodes of WebLogic.

Please help me out on this!

Thanks.


Some clients don't trust certs issued by an internal CA

I'm not quite sure if this is necessarily the best place to ask for a solution to the actual issue we're having, but as we already have a workaround, I'm more looking for a generic overview of what happens during the domain join process in regards to our issue. If you can provide me with a shortcut solution to the problem, I won't complain, but my main goal is to understand what's going on.



Now for my question:

Basically, some clients are not trusting a certificate that they should. We have a workaround but I'd like to understand why it works, and if there's a better way to fix it. That is, if we remove one of the affected clients from the domain, reset the account, and rejoin, the problem is resolved.

What I'm wondering is, what exactly is happening during the domain join process that changes certificate trust? How is it possible that some domain member computers trust a cert issued by our CA without any additional special configuration, while others do not trust that cert? Could the availability of the CA during the join process have affected this? (i.e., if the CA was down for maintenance when the computer was joined to the domain, would it alter whatever is normally done to make it trust certs issued by that server?)



For those of you who would like more context, here's what's going on:

We have an in-house web app that was recently updated and moved to a new server, and we're having a few issues with certificate trust. Shortly before the new server was built, we migrated to AD for our DS, and we are running a single 2008 domain. The new server is a domain member, and the certificate used by the application server was issued by an internal CA, which is currently still accessible. The old cert was self-signed, and installed manually on all of our OS images, and is therefore trusted by all of our PCs. I should also add that all of our desktops in this problem are currently members of the same domain as the server and CA.

The problem we're running into is that when removing the old version of the app (which points to the old server), and installing the new versions, some of the PCs are complaining that the new server certificate is not trusted. We can still connect, but the app is written such that it expects the PC to trust the server, and therefore fails to install properly. So far, this seems limited to *some* of our Windows XP client machines. Most XP machines, and, so far, all of our Win7 machines, have no issues.

Stop auditing for Filtering Platform & Detailed File Share

I have a Server 2012 DC that I noticed recently as having thousands of 5145 events being logged. In my research, this event is logged for any access to any file share, and this audit is not important for our company's policy, and this advanced audit item is not configured on any GPO applying to the DC.

After a lot of searching on the internet I found some commands to stop the auditing for both Filtering Platform & File Share:

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:disable

These 2 commands work fine and all auditing for Filtering Platform & File Share is stopped (I feel good now).

But the problem is that after some time (one hour or more, I'm not sure) the auditing for Filtering Platform & File Share comes back and the thousands of 5145 events return.

So can anyone help me stop auditing for Filtering Platform & File Share?

Permissions of a program launched in service

Hello,

I have created a service, using an account which is a member of Administrators (on the local server), but when I start the service, in the permissions group I don't have the Administrators group. I am starting the service with the same account that I created it with.

I checked permissions on the program, and Administrators is set up in permissions.

So I just want to add the Administrators group for the program launched in the service.

Regards,

What are low-level authentication services?

What are low-level authentication services?

Hacked email

My email got hacked and I can't reset the password. What should I do?

Unable to setup OCSP Configuration after Issuing CA certificate renewal

I have just completed the 2 year renewal of our Issuing CA and I went to add the new Revocation Configuration to the OCSP server; however, I get the following error message when selecting the CA certificate from the AD.

The error I get is "The CA certificate could not be retrieved. Element not found. (Exception from HRESULT: 0x80070490)"

This server is an OCSP end point for two issuing CAs and the first server configuration was set up fine. The two main differences between the two issuing CAs are that:

1. Issuing CA is configured as a SAN issuing CA.

2. The server has a 60 character name. Which I believe should not be a problem as it is less than the 64 char limit... but it is close.

Any ideas where to start troubleshooting setting up the new OCSP configuration for the renewed Issuing CA servers?

Thanks

Alan Burchill


Alan Burchill (MVP)
http://www.grouppolicy.biz

@alanburchill

BitLocker not working

I am trying to turn on BitLocker on my 25 terabyte C: drive on a Windows Server 2008 R2 SP1 system, and I receive a message saying a device attached to the system is not functioning. I used UEFI to set up the system for RAID 5 on ten SATA hard drives. Any thoughts would be greatly appreciated.

Created new CERT Authority without EA account

Hi all,

I have set up a PKI in my multi-domain environment. I did a two-tier setup with an offline root and two issuing CAs.

The issuing CAs were set up by accident in the root with a NON Enterprise Admin account. They were set up with a root domain admin account instead.

I need to understand the implications of this.

What I have seen so far:

1. Cert Publishers group in child domains are empty.

2. Some 2008 DCs are getting the root CA and issued a CA from the issuing CA, but also generate the following event in Event Viewer:

Event id 80; Source Microsoft-Windows-CertificationAuthority on a windows 2008 certificate server
Active Directory Certificate Services could not publish a Certificate for request ##### to the following location on server DC.DOMAIN.COM: CN=user,OU=OU, DC=domain,DC=com.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344).

ldap: 0x32: 00002098: SecErr: DSID-03150E8A, problem 4003

I know this relates back to the Cert Publishers group.

My question is, what settings would have been missed out by not using an Enterprise Admin account? Is this something I can add in myself or do I need to decom the new environment and start again?

Other useful bits:

All servers are 2012 STD.

The root CA was published to my AD using the -f -dspublish command using a root domain admin account.

Some certs are being issued in the child domain but there are numerous warnings logged (as above).

Thanks for your help in advance!

Request a Certificate from Server 2003 to Enterprise CA on Server 2012

Hello,

I'm attempting to create and submit a request to my Enterprise CA (on Server 2012) from a 2003 Server.  I'm using the web request form and using the Web Server template.  I create the request and submit. All I get for my efforts is a web page dialogue saying "This page has not finished loading yet.  Please wait a few seconds and try again".  Any ideas?

Thanks,

DML


DLovitt

Convenient and easy ways to reset Windows server 2008 password?

First convenient and easy way to reset Windows server 2008 password: Another Administrator

1. An administrator account can be used to log in to Windows Server 2008 directly

Access Windows Server 2008 with an admin account. Change or reset the lost Windows 2008 password directly.

2. Run the Net User command to reset the Windows Server 2008 password with Command Prompt

If you want to reset a Windows password, an admin account is necessary to log in to Windows first.

Search for cmd in the Run box, click it and run it as administrator.

Type net user in the Command Prompt and press Enter. Windows user account names will be listed for you in the Command Prompt screen.

Type net user <net user name> <new user password> and hit Enter

<net user name>: the user whose password you want to reset

<new user password>: the new password you type for the user

The new password has been successfully reset when the command is completed successfully.

Second convenient and easy way to reset Windows server 2008 password: Windows Password Genius

1. Search, download, install and run it on another accessible computer

2. Insert a blank USB disk into it to create a password reset disk

3. Plug bootable USB reset disk into locked Windows server, boot it from USB device

4. Windows Password Genius program runs, choose user account, and click “Reset password”

5. Reboot Windows server 2008. Access it without password.

Excessive account login attempts with bad password - identify the source, but computer name is a NUMBER!

One user's account keeps getting locked out and we have found out there are endless bad password attempts associated with his account. In the Windows event logs and Netlogon service, we have identified the source computer name. But it is just a NUMBER! Which cannot be resolved properly. The log looks like this:

Obviously Windows won't allow you to name a PC with just numbers. If we try to ping 952229, we get 0.14.135.165... which doesn't make any sense.

Anyone seen this kind of attack before?

PKI. GPO. Auto-Enrollment.

Hi people!
In the GPO, under "... -> Public Key Policies -> Certificate Service Client - Auto-Enrollment", there is an option: "Additional stores. Use "," to separate multiple stores. For example: "stores1, stores2, stores3"".

What does this mean?

Thank you for your answers!

ASP.net Application showing Access Denied to share folder on Another server.

I have a fairly simple environment. I have two Web Servers (Server A and Server B) which are running the same ASP.net application. Server A is connected to SAN while Server B is writing files to the Server A drive using it as a shared drive (via $ sign). Sometimes, out of the blue, Server B starts to show Access denied to the share path (\\serverA\D$), but after restarting Server B everything works fine for around 1 month or so. Any idea? The OS is Windows 2008 R2 and both servers are on the Domain, plus the Application is deployed via a local Admin account and ServerB is included in the Administrator Group of Server A.

Cert enrollment problem

I've been going round in circles on this one for a while now, but still haven't resolved the problem. To summarize, we have a dedicated forest root, with multiple child domains. One of the child domains is separated from the root via a firewall, and the DCs in this child domain replicate over IPSEC. The clients in this domain DO NOT have RPC connectivity to the root. All DCs in the forest are 2008R2 Enterprise.

In the root domain, we have our root CA, along with a subordinate CA. Clients in the 'other' domain (not firewalled) can check out certs no problem either using mmc or via the web gui. Clients in the firewalled domain cannot check out certs using MMC (RPC error), but can via a web enrollment proxy running on one of the DCs (but WEP cannot issue computer certs, just user certs) and auto-enrollment doesn't work.

So, I read up on the Cert Enrollment Web Service and Policy Web Service. It seemed to imply this could provide a solution to our problem by allowing a special enrollment policy that doesn't require the clients to have RPC connectivity to the root CAs. I installed this on a DC in the firewalled domain, exactly following an MS guide. All the install went ok, and if I check out a computer cert from the mmc snap-in on the DC itself (using the new policy), this works fine. If I try it from a client though, it can see the new enrollment policy, but when I try to request the cert I get the error:

Enrollment Error

The specified domain either does not exist or could not be contacted

So, it appears even with this config, the client seems to need RPC connectivity to the root CA. I've checked everything I can think of, and it SHOULD work, but just isn't.

So, this is my last resort. If someone can help, or needs more information, just let me know. The other alternative I'm considering is actually installing another full subordinate CA on a DC in the firewalled domain. As the DC still has full access to the root, this might be my only remaining option.


CA Cert validity period issue.

Hi all,

I am getting this error after configuring ADCS & a subordinate -

This error is received when I paste the CSR contents & try to generate a certificate.

Please help as I am new to ADCS.

Thanks,

Pranay.

Security log in Windows 2008 R2 not logging events

Kind of a weird problem, joined a Windows 2008 R2 server to the domain, at no point though does it appear to have logged the default security events except the most basic ones relating to start up and shut down.  E.g. Event ID 4624 is not recorded for local log on events.

There is a domain security policy which overrides some of the local settings, but at no point even before joining the domain did it appear to record local log on events and nearly all the other default stuff it's supposed to record.

So I went into the local security policy on the server and forced the auditing to occur, this has solved the problem but I'm a bit worried as to why it happened in the first place?  Some weird problem with the setup of the server?  Is there anything I can check in the registry for example to see what may have happened?

Configure Applications to Always Run as an Administrator

I've a standalone (not in AD domain) Win Server 2008 R2 Standard x64 box. I want my standard Windows users (non-admin) to be able to run an application. But when the users try to run the application they are prompted for administrator password. The application will only run with an account with administrative privileges. However, I do not want to assign admin rights to the users to be able to run this application. I've tried the solution as given at http://technet.microsoft.com/en-us/magazine/ff431742.aspx

1. On the Start menu, locate the program that you want to always run as an administrator. 
2. Right-click the application’s shortcut, and then click Properties. 
3. In the Properties dialog box, click the Compatibility tab. 
4. Do one of the following: 
  • To apply the setting to the currently logged-on user, select the Run This Program As An Administrator check box, and then click OK.
  • To apply the setting to all users on the computer and regardless of which shortcut is used to start the application, click Change Setting For All Users to display the Properties dialog box for the application’s .exe file, select the Run This Program As An Administrator check box, and then click OK twice.

This did not work for me. The users are still prompted to provide password for a user with administrative rights.

Please help.

DC failed and now Installing AD Certificate Services Role, How to get the private key of the root certificate ?

Hi Everyone,

I am stuck with this problem: we have two domain controllers; the primary one failed and it had the certificate services role. I followed some guides and I created a new machine as the primary domain controller through syncing with the secondary domain controller. Now I am trying to install Active Directory Certificate Services on the new primary domain controller, but the problem is I need the private key of the root certificate. How can I get this? I checked the installed certificates on the secondary domain controller and I found the root certificate, but I cannot export it with the private key.

Any help, please?

Thanks

Misbah

Windows Defender trying to scan network files, failing with Security Event ID 4625

I have a Hyper-V host and guest both running Server 2008 R2. The host is stand-alone (not domain-joined); the guest is a domain controller.

I recently changed the guest to do a Full Scan instead of just a Quick Scan.

Now I get over 1000 security errors on the _host_ at the same time that the _guest_ is completing its scan. The errors indicate that the guest's machine account is trying and failing to connect to the host.

I had the same problem with Security Essentials last year, as documented here:

http://answers.microsoft.com/en-us/protect/forum/mse-protect_start/getting-4625-security-errors-on-server-after/628c5c6b-8bc7-4af5-ac69-aca114b821ac

I was able to solve that by adding the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\DisableScanningNetworkFiles = 1

I've tried what I thought would be the analogous key for Defender:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan\DisableScanningNetworkFiles = 1

but the 4625 errors continue.

How can I stop Windows Defender from scanning network files on a Full Scan?