Channel: Security forum

Unlock Admin accounts by normal user account


Hi All,

We have a very distributed setup where in each region we have at least one Admin account. We have a Global Service Desk which can unlock and reset the password for normal users. But they are unable to reset or unlock the password for an Admin account.

So I would like to know if this is possible. If the Global Desk can reset the password or unlock the account for normal users, can they do it for Admin accounts as well?


Thanks HA


Move a certificate from current user to local computer store in 2012


Hi, 

How can I move a certificate from the current user store to the local computer store in Windows 2012 when the certificate's private key is marked as not exportable?

Drag and drop is possible in Windows 2008 R2 when I open both current user and local computer stores in the same mmc. But in Windows 2012 it is not possible. 

Thanks...

Wrong CA Store for Root Certificate


Hello

I've set up a PKI with offline Root and online intermediate under Windows 2012.

I deployed certificates to Active Directory using

dspublish /RootCA

dspublish /NTauth and SubCA for intermediate

When I activate Auto enrollment or MMC Enrollment for a Windows 7 client, the two certificates appear under Intermediate Certificate Authorities but the root certificate is not listed under the Root Certificate Authorities store. The client receives a User Cert, but because of the missing Root Cert it is untrusted.

I tried to put the root cert in my Autoenroll GPO but this has no effect. Pkiview Status is OK for my Root Cert

I already followed this Troubleshooting Guide without any result

http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx

I could provide link with my certs if this would help?

I've seen one question where this appeared due to wrong signature, but I'm using sha1 so this should not be an issue.


Windows Defender trying to scan network files, failing with Security Event ID 4625

I have a Hyper-V host and guest both running Server 2008 R2. The host is stand-alone (not domain-joined); the guest is a domain controller.

I recently changed the guest to do a Full Scan instead of just a Quick Scan.

Now I get over 1000 security errors on the _host_ at the same time that the _guest_ is completing its scan. The errors indicate that the guest's machine account is trying and failing to connect to the host.

I had the same problem with Security Essentials last year, as documented here:

http://answers.microsoft.com/en-us/protect/forum/mse-protect_start/getting-4625-security-errors-on-server-after/628c5c6b-8bc7-4af5-ac69-aca114b821ac

I was able to solve that by adding the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\DisableScanningNetworkFiles = 1

I've tried what I thought would be the analogous key for Defender:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan\DisableScanningNetworkFiles = 1

but the 4625 errors continue.

How can I stop Windows Defender from scanning network files on a Full Scan?

Should the OCSP Responder service be running HTTP (80) or HTTPS (443)?


Hi all,

I'm finishing my High Availability setup of OCSP Response servers (Array).
I'm at the point that I have to configure my AIA (Authority Information Access) URL.
I've noticed that all configurations in the help files and manuals online at TechNet mention something like http://yourserver.contoso.com/ocsp, using http but never https. Nowhere is it mentioned that it would be a best practice to use https (instead of http).

I've been doing some research on this, thinking of scenarios where our HA OCSP Responder (only to check our own client certificates) would actually be running on a public IP, or if there would be "man in the middle" attack scenarios to take into consideration. I've found one scenario in which one can tamper with the response message: http://www.thoughtcrime.org/papers/ocsp-attack.pdf

But as an "official" or good answer from an OCSP responder is signed by the CA (responder), I think it's not needed to add SSL to the traffic, as it would not add additional security at all (no benefit).

Note that our OCSP servers would never be running on public address, it would be offered using a reverse proxy + web application firewall. But in large networks like in my company, even for the internal network https is considered as the standard.

Please share your thoughts on this topic :)

Kind Regards,
David

Windows Firewall - COM+ Network Access (DCOM-In)


Hi,

By default the "COM+ Network Access (DCOM-In)" inbound firewall rule from Windows Firewall is enabled. This enables you to enumerate through the DCE services running on port 135. Because this could be a security risk, we are looking for a way to filter all incoming traffic on port 135. Is there a way to do this with Windows Firewall?

Thanks,

Ronald

Changing validity period on CA and custom certificate templates


We want to change the validity period on our CA.  We have a root CA that stays turned off.  We have a subordinate CA that issues all the certificates.  We want to issue longer certificates.  So after reading about this we would need to change the subordinate CA's default setting using the following command.

certutil -getreg ca\ValidityPeriod
  (This returns the current value of 2)
certutil -getreg ca\ValidityPeriodUnits
  (This returns the current value of Years)

certutil -setreg ca\validityperiodunits 5
  (This changes the default setting to 5, or something else, and restart certificate services to take effect.)

Does the above change affect anything? Like any already issued certificates?

If the above does not affect already issued certificates, we then need to change some certificate's template validity period.  

Example is that before the above change, we created a custom template with a validity date of 2 years and issued some certificates (those had a 2 year expiration).
If we change this template from 2 to 5 for validity period, does this cause already issued certificates from this template to stop working or do they continue to work and any newly issued certificate would get the new validity period?



AD Certificate Service Question


Good day All

I am trying to install the Certificate Services on one of my 2012 DCs in order to create a cert for import into my Sonicwall 3500 NSA firewall. The purpose is to connect my LDAP service to the firewall so that when remote users use the VPN they can authenticate to the AD. And I KNOW NOTHING about configuring it, especially when I get to the "Private key Cryptography" option. Can anyone give me a hand in configuring this role properly so that I can get a "root" cert for my firewall?


Scott Cummins


Kerberos not working for some AD users


We have a list of user accounts used for automated testing. These accounts will not authenticate to any web site with Kerberos. Any other user account works without issue. Each set of users is in a different OU. If a non-working user is moved to the default user OU, it still does not work. All users are in one group, domain users.

Troubleshooting is done on the same machine to rule out IE and Windows 7 configuration concerns.

Using klist, a pre auth ticket is generated from the attempt to access the site.

Providing username and password at the application works.

No events seen in the logs.

Request does not contain a certificate template extension or the CertificateTemplate request attribute.

Thumbprint details


I'm having some trouble with our deployment of EFS. I thought I had finished setting this up and some prelim testing was successful. We did make some changes to our GPO to allow auto-enrollment only by a selected group. We didn't do anything with EFS for a while and decided to do another test. Now we're not able to decrypt one another's files.

If I look at two files I'm seeing differences in thumbprint. File A has been encrypted by Person A and they've allowed me to decrypt. File B has been encrypted by me and I've allowed Person A to decrypt. When looking at Properties -> Details I see 4 different cert thumbprints. File A has Person A with cert thumbprint beginning 8FE8 and me 3D4F. File B has Person A with cert thumbprint 8FF4 and me D373. What's going on here?

Windows Server 2008R2 / 2013 (Shares and Permissions)


I have Windows Server 2013 set up for File Sharing. I created and shared the folder. I set the security and share permissions of the folder with Administrators and a group called Internal Workers. I cannot access the share from another computer. If I add Users to the Security and Share permissions, it works. WHY????

Thank you

Ryan

How can I install Certificate Authority on a Windows 2003 server running service pack 2?

and when it prompts to put in the Service Pack 2 CD-Rom to install the certsrv.exe which is not on the CD?

Audit failure: Event ID 4771


One of my users keeps getting locked out, and when I ran the Account Lockout Status tool (LockoutStatus.exe), I could not find any information related to the lockout.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/15/2013 3:06:07 AM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DC.domain.org
Description:
Kerberos pre-authentication failed.

Account Information:
               Security ID:                        CBPP\john
               Account Name:                 john

Service Information:
               Service Name:                   krbtgt/domain

Network Information:
               Client Address:                  ::ffff:10.0.0.33
               Client Port:                         50332

Additional Information:
               Ticket Options:                  0x40810010
               Failure Code:                     0x12
               Pre-Authentication Type:               0

Certificate Information:
               Certificate Issuer Name:
               Certificate Serial Number:
               Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2013-08-15T07:06:07.328366400Z" />
    <EventRecordID>34664985</EventRecordID>
    <Correlation />
    <Execution ProcessID="500" ThreadID="1204" />
    <Channel>Security</Channel>
    <Computer>CBPP-DC.cbpp.org</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">johnson</Data>
    <Data Name="TargetSid">S-1-5-21-1292428093-1383384898-1417001333-1138</Data>
    <Data Name="ServiceName">krbtgt/cbpp</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x12</Data>
    <Data Name="PreAuthType">0</Data>
    <Data Name="IpAddress">::ffff:10.0.0.33</Data>
    <Data Name="IpPort">50332</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>
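
For lockout triage, the Status and IpAddress fields of 4771 events like the one above can be decoded and grouped per client. The Python below is an added example, not part of the original post; the sample events are constructed (only the fields the code reads, modelled on the posted XML) and the error table is a subset of the RFC 4120 codes.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the RFC 4120 (section 7.5.9) error codes seen in the Status field.
KRB_ERRORS = {
    0x12: "KDC_ERR_CLIENT_REVOKED",   # account disabled, expired or locked out
    0x17: "KDC_ERR_KEY_EXPIRED",      # password expired
    0x18: "KDC_ERR_PREAUTH_FAILED",   # wrong password
    0x25: "KRB_AP_ERR_SKEW",          # clock skew too great
}

def parse_4771(xml_text):
    """Return the triage fields of one 4771 event, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4771":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    status = int(data.get("Status", "0"), 16)
    client = data.get("IpAddress", "")
    try:
        addr = ipaddress.ip_address(client)
        # IPv4 clients are logged as IPv4-mapped IPv6 (::ffff:a.b.c.d).
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        client = str(addr)
    except ValueError:
        pass  # keep the raw value when it is not an address
    return {"user": data.get("TargetUserName"), "client": client, "status": status,
            "error": KRB_ERRORS.get(status, "UNKNOWN_0x%X" % status)}

def summarise(events_xml):
    """Count failures per (user, client, error) so the noisy source stands out."""
    hits = Counter()
    for xml_text in events_xml:
        ev = parse_4771(xml_text)
        if ev:
            hits[(ev["user"], ev["client"], ev["error"])] += 1
    return hits.most_common()

def sample_event(user, status, ip, event_id="4771"):
    """Build a constructed sample event holding only the fields read above."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>%s</EventID></System><EventData>"
            '<Data Name="TargetUserName">%s</Data>'
            '<Data Name="Status">%s</Data>'
            '<Data Name="IpAddress">%s</Data>'
            "</EventData></Event>" % (event_id, user, status, ip))

# Constructed sample data, not taken from a real log.
SAMPLES = [
    sample_event("johnson", "0x18", "::ffff:10.0.0.33"),
    sample_event("johnson", "0x18", "::ffff:10.0.0.33"),
    sample_event("johnson", "0x12", "::ffff:10.0.0.33"),
    sample_event("johnson", "0x0", "::1", event_id="4768"),
]
```

A run of 0x18 results from one client followed by 0x12 for the same account is the usual shape of a lockout caused by a stale stored password on that client.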

Windows 2000 SMB Inbound connections on TCP port 445

Hi guys :) I have an issue with SMB on Windows 7 Ultimate (x64). Someone is trying to establish connections to TCP port 445 from different IPs. My firewall (NIS) is blocking them, but I want to stop the service. The logs are:
"Default Block Microsoft Windows 2000 SMB\" blocked (1.175.35.142, Port (445) Inbound TCP connection
Default Block Microsoft Windows 2000 SMB\" blocked (1.175.35.142, Port (445)  Inbound TCP connection
Default Block Microsoft Windows 2000 SMB\" blocked (128.73.148.155, Port (445) Inbound TCP connection
Default Block Microsoft Windows 2000 SMB\" blocked (123.216.223.155, Port (445) Inbound TCP connection - Process name is System or Svchost.exe - different every time
I have tons of these, with different IPs. Every two tries the IP changes. I scanned my PC with 2 antivirus programs: no infection. I stopped these services: Server, SSDP Discovery, NetBIOS Helper, WMP Sharing; the logs keep coming. I also uninstalled printer and file sharing in the Local Area Connection properties, and disabled NetBIOS over TCP/IP on all my network adapters. I'm using some crappy router from my ISP that I have no admin rights to (DHCP server). I also blocked TCP & UDP port 445 in Windows Firewall but the logs keep coming. I also updated my Ethernet card drivers. Now the "Server" service is turned on and NetBIOS over TCP/IP is disabled, but the logs keep coming. I don't think it is a good idea to stop "Server" because "Computer Browser" will also stop. I just want to stop these logs. When I type netstat -an, port 445 is not in the list but the logs keep coming.
Please can you tell me exactly what I must turn off to stop receiving these logs.

bat file help

I'm trying to write a bat file that will enable a Windows 7 Home user to access files they have on the domain (without upgrading them to Pro). I'd like the bat file to prompt them for username and password, and then they'll be able to access the network folders they need.

Certificate Autoenrollment Errors 17 & 13 The parameter is incorrect


Every 8 hours my Windows 2003 Domain Controllers attempt to Auto Enroll certificates and I get the below two entries in the Application Logs:

Type: Warning

Source: AutoEnrollment

Event ID: 17

Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate from certificate authority CA.domain.com on Server (0x80070057). The parameter is incorrect.

Another certificate authority will be contacted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

AND

Type: Error

Source: AutoEnrollment

Event ID: 13

Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070057). The parameter is incorrect.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I’ve tried adding the Domain Controllers group to Certsvc Service DCOM Access.

I’ve also noticed that there is a CA listed in AD that’s been decommissioned with a self-signed root certificate that is now expired.

I am far from an expert with CAs so any advice is welcome.

Stop auditing for Filtering Platform & Detailed File Share

I have a Server 2012 DC that I noticed recently has thousands of 5145 events being logged. In my research, this event is logged for any access to any file share, and this audit is not important for our company's policy, and this advanced audit item is not configured on any GPO applying to the DC.

After a lot of searching on the internet I found some commands to stop the auditing for both Filtering Platform & File Share:

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:disable

These 2 commands work fine and all auditing for Filtering Platform & File Share is stopped (I feel good now).

But the problem is that after some time, one hour or more, I'm not sure, the auditing for Filtering Platform & File Share comes back and the thousands of 5145 events come back.

So can anyone help me to stop auditing for Filtering Platform & File Share?

certmgr.msc not exporting all of the selected certificates


Hello-

I'm experiencing a weird issue that I'm hoping someone can shed some light upon.
I have need to export all of the certificates located within the "Trusted Root Authorities" (LocalMachine\AuthRoot) store, into a single file.
I start the certmgr.msc GUI (as Administrator), select the store, "Certificates", and see that there are currently 378 entries.
I change 'focus' to the pane showing the certificate list, and hit ctrl-A to select "all" of them.  Choose the "Export" task,
and save them to a .p7b file.
Same issue happens if I select the first cert., scroll to the bottom of the list and hold shift while selecting the last cert ..instead of using ctrl-A.
All that is straight-forward and looks like it works perfectly.

However, when I process the resulting .p7b file-  only 214 certs. are exported.

When I look into my (WinXP SP3) registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\
all 378 'keys' are present.

I've experienced this issue on both a WinXP SP3 system and a Win7 SP1.
I'm not sure if the problem could be registry corruption (on both systems?!), certmgr.msc itself, or a limitation of the .p7b file format?

Thanks in advance for any thoughts and/or insight into this.

Enterprise root ca migration 2008 Standard -> 2012 Standard


I just want to clarify a step that is listed in the AD CS Migration article.  It says if you're using the Server Manager installation of the role you need to follow these steps:

  1. Start the Certificates snap-in for the local computer account.

  2. In the console tree, double-click Certificates (Local Computer), and click Personal.

  3. On the Action menu, click All Tasks, and then click Import to open the Certificate Import Wizard. Click Next.

  4. Locate the <CAName>.p12 file created by the CA certificate and private key backup on the source CA, and click Open.

  5. Type the password, and click OK.

  6. Click Place all certificates in the following store.

  7. Verify Personal is displayed in Certificate store. If it is not, click Browse, click Personal, and click OK.

    Note
    If you are using a network HSM, complete steps 8 through 10 to repair the association between the imported CA certificate and the private key that is stored in the HSM.

  8. In the console tree, double-click Personal Certificates, and click the imported CA certificate.

  9. On the Action menu, click Open. Click the Details tab, copy the serial number to the Clipboard, and then click OK.

  10. Open a Command Prompt window, type certutil -repairstore My "{Serialnumber}" and then press ENTER.

Now, do I actually need to follow this?  In the 2012 role installation you click "configure" and import the .p12 via the GUI.  Do I need to do step #10?  
