Using Microsoft Network Load Balancing (NLB) for Certificate Enrollment Web Services (CEP, CES)

It is generally a good idea to ensure the availability of the certificate enrollment Web services (Certificate Enrollment Policy Service, CEP, and Certificate Enrollment Web Service, CES) at all times.

The following describes how this can be achieved with the Windows feature "Network Load Balancing" (NLB).


Certificate enrollment policy check via Certificate Enrollment Policy (CEP) web service fails with error code "WS_E_ENDPOINT_FAULT_RECEIVED"

Assume the following scenario:

  • Users (or computers) should request certificates via the Certificate Enrollment Policy (CEP) web service.
  • For this purpose, a certificate enrollment policy is configured, which points to a Certificate Enrollment Policy Web Service (CEP).
  • Authentication is done via Kerberos.
  • When checking the address, the connection to the CEP fails and you get the following error message:

An error occurred while obtaining certificate enrollment policy.
Url: https://cews.adcslabor.de/ADCSLaborIssuingCA1_CES_Kerberos/service.svc/CES
Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

Overview of audit events generated by the Certification Authority

The following is an overview of the audit events generated by the certification authority in the Windows Event Viewer.

In contrast to operational events, which are usually grouped under the term "monitoring", auditing for the certification authority refers to the configured logging of security-relevant events.


Login via smart card using Remote Desktop (RDP) fails with error message "The requested key container does not exist on the smart card."

Assume the following scenario:

  • A user logs on to a remote desktop system using the smart card logon function.
  • The user uses a Yubico Yubikey as a smartcard. The required middleware is installed on both the local and the remote system.
  • The login fails with the following error message:

The system could not log you on. The requested key container does not exist on the smart card.

Overview of Windows events generated by the Certificate Enrollment Policy (CEP) service

The following is an overview of the events generated by the Certificate Enrollment Policy (CEP) service in the Windows Event Viewer.

The Certificate Enrollment Policy Service events are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.


Overview of Windows events generated by the Certificate Enrollment Web Service (CES)

The following is an overview of the events generated by the Certificate Enrollment Web Service (CES) in the Windows Event Viewer.

The events of the Certificate Enrollment Web Service are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.


Overview of Windows events generated by the Network Device Enrollment Service (NDES)

The following is an overview of the events generated by the Network Device Enrollment Service (NDES) in the Windows Event Viewer.

The events of the Network Device Enrollment Service are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.


Overview of Windows events generated by the online responder (OCSP)

The following is an overview of the events generated by the online responder (OCSP) in the Windows Event Viewer.

The events of the online responder are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.


Combining the online responder (OCSP) with a delta CRL and a CRL distribution point (CDP) without a delta revocation list for increased resilience

OCSP responses from a Microsoft OCSP responder are valid for exactly as long as the underlying revocation list. In some scenarios, you may want to shorten OCSP validity times by using delta CRLs. At the same time, however, no delta CRL should be used for the revocation lists entered in the CDP paths, so that clients can fall back to a CRL with a longer validity period if the online responder is unavailable.

Effects of the failure of the online responder (OCSP) on the verification of the revocation status of a certificate

The following section examines how the revocation status check behaves if the online responder fails. Depending on the configuration of the issued certificates, the behavior can vary considerably.

Performing a functional test for the Network Device Enrollment Service (NDES)

After installing a Network Device Enrollment Service (NDES), or after more extensive maintenance work, a thorough functional test should be performed to ensure that all components are operating as intended.

Configuring the Network Device Enrollment Service (NDES) for use with an alias

The following describes the steps required to configure the Network Device Enrollment Service (NDES) for use with an alias.

The term alias means that the service is not addressed by the name of the server on which it is installed, but by a generic name that is independent of the server name. Using an alias allows the service to be moved to another system later without having to inform all participants of a new address.

Configuring the certificate authority to a static port (RPC endpoint)

In the default configuration, the certificate authority's certificate request interface is configured to negotiate dynamic ports for the incoming RPC/DCOM connections (for more details, see the article "Firewall rules required for Active Directory Certificate Services").

Network protocol   Destination port   Protocol
TCP                135                RPC Endpoint Mapper
TCP                49152-65535        RPC dynamic ports

This configuration is not feasible in every enterprise environment. Restrictive firewall rules that do not permit the use of dynamic network ports are common.

In such a case, the certificate authority must be configured to use a static port.