[NameConstraintsExtension] not taking effect on Sub-CA request, nor Root-CA...
I need to constrain the valid names for a child CA, and want this attribute visible in the certificate. I have placed the required entry in Policy.inf, and Capolicy.inf in both the Root and the Child...
Email encryption and signing steps for internal Microsoft PKI
Hello All. Our company has an internal PKI system we use for many things. Since we want to extend it so that we can use it for email encryption and signing as well as document signing internally in the...
Event Log - Failure Audit 560 - NetBT_Tcpip
I have an XP machine on my network (Server 2003 PDC / Server 2000 backup DC) that is experiencing two of these errors every second - filling up my Security log and then booting my users off the...
Trying to decommission a Microsoft Active Directory Certificate Authority...
Hello, I am trying to decommission a CA per this KB article: http://support.microsoft.com/kb/889250 When I get to Step 3: Publish a new CRL I am getting this error: Directory object not found....
Protect password hash when delegating user management rights.
We want to implement a user management policy that protects the password hashes of active directory user accounts. As such we want to grant our account administrators rights to those OUs that they...
IIS doesn't ask for NTLM user and password while accessed from remote
The problem is that IIS asks for auth data when accessed from local network and localhost itself, but it doesn't when accessed from remote. It, instead, throws 401 - Unauthorized: Access is denied due...
Regular user account running under high integrity level - What can be the reason?
Two (separate) Windows Server 2008 Enterprise Terminal Servers. Regular (domain) users run in the expected medium integrity level on one, but high on the other. The local group membership is identical....
LDAP over SSL in Windows 2008 R2
Hi, I wanted to configure LDAP over SSL and I have created a security template along with appropriate permission; however, when I want to add it my domain 2008 R2 computer it gives me error: "the permission...
Trying to decommission a CA
Hello, I am trying to decommission a CA per this KB article: http://support.microsoft.com/kb/889250 When I get to Step 3: Publish a new CRL I am getting this error: Directory object not found....
IPSec Main mode 4653 Audit failure from IP address: Akamai and Microsoft...
I am updating my security log settings and testing some of the Advanced Logging features. I have IPsec NPS on the network, so I am interested in any IPsec failures. On my domain controllers I am getting...
IPsec main mode negotiation failed - Failure reason: No policy configured
Lab setup: Windows Server 2008RC2 running CA, DC, NDES roles. Client: Embedded Linux device with strongSwan 5.1.1 and openssl. I have successfully configured NDES and SCEP, and enrolled a machine...
Kerberos Encryption Types 2k3 to 2k8r2 problems after migration.
Server 2k8r2 is not allowing a unix box to authenticate unless it sends: • aes256-cts-hmac-sha1-96 • aes128-cts-hmac-sha1-96 • des3-cbc-sha1 • rc4-hmac • des-cbc-crc • des-cbc-md5 • des-cbc-md4 in the...
SSL EV for Enterprise PKI
Hello, I would like to test SSL EV for internal purpose. I followed this guide...
To which store should we add email Encryption and Signing Cert so Outlook can...
Hi All, I did a fresh install on Microsoft PKI in my test lab and issued an email encryption and signing certificate in P7 format. After doing that I run the command C:\>certutil -addstore My...
PKI best practices. Key length and recommendations
I'm planning a simple Enterprise PKI for 802.1x port security on our Cisco switch and MS NPS RADIUS servers. I plan on using two CAs (one root and one sub CA). I will also be using the autoenrollment...
Root certificate export
Our organization has an internal domain with a PKI consisting of a single 2003 Server Enterprise Certificate Authority. About six months ago, I renewed our root certificate (512 key length) to 2048 key...
Problem with my certificate chain?
I'm having SSL related issues with various hosts on my network, and I'm asking if there is a way to verify if everything is OK with the certificate chain and the issuing process. In our environment we...
HELP - Cannot Restore Shadow Copies - Access Denied - Security Restrictions?
Server 2008 environment. Attempting to restore from shadow copy. Attempts to do so while logged in as enterprise administrator returns error: You do not have permission to access...
Certificate error with a 2008 R2 Domain Controller and a 2003 CA
Recently we updated the root CA on our Enterprise CA as the cert was about to expire. We renewed the Domain Controller certs manually on our DC's after that. Now our DC's are barking error after error...
Security bulletins for pre-SP1 Windows Server 2008 R2
Is Microsoft still releasing security bulletins for pre-SP1 Windows Server 2008 R2? My guess is no. The "service pack support end date" is listed as 4/9/2013. And a comparison of security bulletin...