Author: Uwe Gradenegger

Automatically change passwords for accounts that require login via smartcard or Windows Hello for Business

A new feature of Windows Server 2016 is that the passwords for accounts that have a plain Login with smartcards be automatically renewed according to the password light lines.

If the "Smart card is required for interactive logon" option is enabled for a user account, the password of the user account is set to a random value once. However, the password never changes after that, which makes the account more vulnerable to pass-the-hash attacks.

The newly introduced feature solves this problem by generating new randomly generated passwords for corresponding accounts on a regular basis (depending on the password policy configured for the account).

Continue reading „Automatisches Ändern der Passwörter für Konten, die eine Anmeldung via Smartcard oder Windows Hello for Business erfordern“

In-Place Upgrade of a Certification Authority from Windows Server 2012 R2 or 2016 to Windows Server 2019

At the latest within the scope of the End of product support by the manufacturer (Microsoft) The question arises as to whether the Certification Authority should be Migration to another server to an up-to-date operating system, or performs an in-place upgrade. The latter process is described below.

Continue reading „In-Place Upgrade einer Zertifizierungsstelle von Windows Server 2012 R2 oder 2016 zu Windows Server 2019“

In-Place Upgrade of a Certification Authority from Windows Server 2012 SP2 or 2012 R2 to Windows Server 2016

At the latest within the scope of the End of product support by the manufacturer (Microsoft) The question arises as to whether the Certification Authority should be Migration to another server to an up-to-date operating system, or performs an in-place upgrade. The latter process is described below.

Continue reading „In-Place Upgrade einer Zertifizierungsstelle von Windows Server 2012 SP2 oder 2012 R2 zu Windows Server 2016“

In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2008 R2

At the latest within the scope of the End of product support by the manufacturer (Microsoft) The question arises as to whether the Certification Authority should be Migration to another server to an up-to-date operating system, or performs an in-place upgrade. The latter process is described below.

Continue reading „In-Place Upgrade einer Zertifizierungsstelle von Windows Server 2008 SP2 zu Windows Server 2008 R2“

In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2012

At the latest within the scope of the End of product support by the manufacturer (Microsoft) The question arises as to whether the Certification Authority should be Migration to another server to an up-to-date operating system, or performs an in-place upgrade. The latter process is described below.

Continue reading „In-Place Upgrade einer Zertifizierungsstelle von Windows Server 2008 SP2 zu Windows Server 2012“

In-Place Upgrade of a Certification Authority from Windows Server 2008 R2 to Windows Server 2012 R2

At the latest within the scope of the End of product support by the manufacturer (Microsoft) The question arises as to whether the Certification Authority should be Migration to another server to an up-to-date operating system, or performs an in-place upgrade. The latter process is described below.

Continue reading „In-Place Upgrade einer Zertifizierungsstelle von Windows Server 2008 R2 zu Windows Server 2012 R2“

Remote desktop connection no longer possible after in-place upgrade of Windows Server operating system

Assume the following scenario:

  • An in-place upgrade of the certification authority's operating system is performed.
  • After the upgrade I can no longer log in via Remote Desktop. The connection fails with the following error message:
An authentication error has occurred.
The function requested is not supported.
Remote Computer: 192.168.1.149
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

In German:

Authentication error.
The requested function is not supported.
Remote computer: 192.168.1.149
The cause could be a CredSSP Encryption Oracle defense.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660
Continue reading „Keine Remotedesktopverbindung mehr möglich nach In-Place Upgrade des Windows Server Betriebssystems“

Should HTTPS be used for the Network Device Enrollment Service (NDES)?

The Network Device Enrollment Service (NDES) is Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP) developed by Cisco in the early 2000s. The first implementation was released with Windows Server 2003.

It may come as a surprise that NDES does not use Secure Socket Layer (SSL) for the HTTP connections in the default setting to this day. This fact is explained and evaluated in more detail below.

Continue reading „Sollte HTTPS für den Registrierungsdienst für Netzwerkgeräte (NDES) verwendet werden?“

Certificate request fails with error message "Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)".

Assume the following scenario

  • A certificate request is sent to a certification authority.
  • The certificate request fails with the following error message:
Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)““

Token for CDP and AIA configuration of a certification authority

The following is an overview of the tokens for the CDP and AIA configuration of a certification authority.

Continue reading „Token für die CDP- und AIA- Konfiguration einer Zertifizierungsstelle“

Requesting certificates via Network Device Enrollment Service (NDES) fails with error message "The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)".

Assume the following scenario:

  • A network device enrollment service (NDES) is implemented in the network.
  • Requesting a certificate fails with the following error message: 
"The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)"
Continue reading „Die Beantragung von Zertifikaten über den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit Fehlermeldung „The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)““

Requesting certificates via Network Device Enrollment Service (NDES) fails with error message "The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)".

Assume the following scenario:

  • A network device enrollment service (NDES) is implemented in the network.
  • Requesting a certificate fails with the following error message:
The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
Continue reading „Die Beantragung von Zertifikaten über den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit Fehlermeldung „The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)““

Requesting certificates via Network Device Enrollment Service (NDES) fails with HTTP error code 500

Assume the following scenario:

  • A network device enrollment service (NDES) is implemented in the network.
  • The NDES server uses a domain account for the identity of the SCEP IIS application pool.
  • Requesting certificates via NDES fails with HTTP error code 500 (Internal Server Error).
  • Calling the mscep and mscep_admin pages also fails with HTTP error code 500.
  • Even after an iisreset or restart of the NDES server, no event appears after calling the mscep or mscsp_admin page that the NDES service has started or that there were errors.
Continue reading „Die Beantragung von Zertifikaten über den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt mit HTTP Fehlercode 500 fehl“

The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error"

Assume the following scenario:

  • An NDES server is configured on the network.
  • When accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin), HTTP error 500 (Internal Server Error) is reported with error code 0x80004005.
  • The events are No. 2 and No. 8 stored in the application event log: 
The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error
Continue reading „Der Registrierungsdienst für Netzwerkgeräte (NDES) protokolliert die Fehlermeldung „The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error““

Using Microsoft Network Load Balancing (NLB) for Certificate Enrollment Web Services (CEP, CES)

It is generally a good idea to ensure the availability of the certificate enrollment Web services (Certificate Enrollment Policy Service, CEP, and Certificate Enrollment Web Service, CES) at all times.

The following describes how this can be achieved with the Windows feature "Network Load Balancing" (NLB).

Continue reading „Verwenden von Microsoft Network Load Balancing (NLB) für die Zertifikatregistrierungs-Webdienste (CEP, CES)“
en_USEnglish
de_DEDeutsch en_USEnglish