As part of security hardening efforts for the Active Directory directory service, the question of why Active Directory integrated certification authorities (Enterprise Certification Authority) are members of the Pre-Windows 2000 Compatible Access security group comes up frequently.
Author: Uwe Gradenegger
Role configuration for the Network Device Enrollment Service (NDES) fails with error message "Failed to enroll RA certificates. The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)".
Assume the following scenario:
- One installs a Network Device Enrollment Service (NDES) server
- One has the necessary permissions to install the role (local administrator, enterprise administrator)
- The role configuration fails with the following error message:
Failed to enroll RA certificates. The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)
Role configuration for Network Device Enrollment Service (NDES) fails with error message "Failed to enroll RA certificates. The endpoint is a duplicate. 0x800706cc (WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT)".
Assume the following scenario:
- One installs a Network Device Enrollment Service (NDES) server.
- One has the necessary permissions to install the role (local administrator, enterprise administrator).
- The role configuration fails with the following error message:
Failed to enroll RA certificates. The endpoint is a duplicate. 0x800706cc (WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT)
Role configuration for Network Device Enrollment Service (NDES) fails with error message "Insufficient access rights to perform this operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".
Assume the following scenario:
- One installs a Network Device Enrollment Service (NDES) server.
- The role configuration fails with the following error message:
Insufficient access rights to perform this operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)
Viewing the certificate store of the online responder (OCSP) and checking the signature certificates
Sometimes it is necessary to verify a signing certificate of an online responder, for example when the connection to a Hardware Security Module (HSM), if one is present, has to be verified. The online responder uses its own certificate store when the certificates are retrieved automatically from a certification authority.
certutil -dcinfo fails with error message "KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"
Assume the following scenario:
- Domain controllers have certificates for LDAP over SSL.
- The certificates do not include the Extended Key Usage "Smart Card Logon" or "Kerberos Authentication".
- If you run certutil -dcinfo, the command reports the following error message:
0 KDC certificates for DC01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
Publishing a certificate revocation list (CRL) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".
Assume the following scenario:
- A new revocation list is created on the certification authority.
- The certification authority is configured to publish revocation lists to a network path.
- Publishing fails with the following error message:
Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
Publishing a certificate revocation list (CRL) fails with error message "The directory name is invalid. 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)".
Assume the following scenario:
- A new revocation list is created on the certification authority.
- Publishing fails with the following error message:
The directory name is invalid. 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)
Manual publishing of a certificate revocation list (CRL) to Active Directory fails with error 0x8007202b (WIN32: 8235 ERROR_DS_REFERRAL)
Assume the following scenario:
- An offline root certificate authority has been installed. The server on which the certificate authority is installed is not a domain member.
- It is configured to publish revocation lists to Active Directory.
- The revocation lists are uploaded to Active Directory using certutil -dspublish.
- The operation fails with the following error message:
certutil -dspublish "ADCS Labor Root CA.crl"
ldap:///CN=ADCS Lab Root CA,CN=ADCS Lab Root CA,CN=cdp,CN=Public Key Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList
ldap: 0xa: LDAP_REFERRAL: 0000202B: RefErr: DSID-03100835, data 0, 1 access points
ref 1: 'unavailableconfigdn'
CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235 ERROR_DS_REFERRAL)
CertUtil: A referral was returned from the server.
Manually requesting a domain controller certificate
There are cases where you cannot or do not want to obtain domain controller certificates from a certification authority in your own Active Directory forest.
In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).
Using Microsoft Network Load Balancing (NLB) for CRL Distribution Points (CDP), Authority Information Access (AIA), and Online Responders (OCSP)
It is generally a good idea to ensure the availability of CRL Distribution Points (CDP), Authority Information Access (AIA), and if available, Online Responders (OCSP) at all times.
Access to the revocation information is even more critical than access to the certification authority itself. If the revocation status of a certificate cannot be checked, it is possible (depending on the application) that the certificate is not considered trustworthy and the associated IT service cannot be used.
Combining the SMTP Exit Module with a local SMTP server for increased resilience
Assume the following scenario:
- The certification authority is configured to send e-mail notifications about the events on the certification authority only using the SMTP Exit module.
- The configured SMTP server is not always reliably accessible, for example, because it is not designed to be highly available.
- If the SMTP server fails, the certificate authority will operate very slowly because the email notifications cannot be delivered. In some circumstances, the certificate authority service will no longer start.
Disabling the SMTP Exit Module of a Certification Authority
Assume the following scenario:
- The certification authority is configured to send e-mail notifications about the events on the certification authority only using the SMTP Exit module.
- The configured SMTP server is unreachable, for example due to a failure.
In this case, the exit module cannot deliver the email notifications. It will time out and the certificate authority will work very slowly.
The online responder (OCSP) requests new signing certificates every four hours
Assume the following scenario:
- The online responders are configured to request signing certificates using a certificate template from an Active Directory integrated certificate authority.
- The online responders request a new signing certificate at regular intervals (every four hours), even though the existing certificate is still valid for a sufficiently long time.
Transferring certificate revocation lists to revocation list distribution points using SSH Secure Copy (SCP) with public key authentication (Windows Server 2019)
If the servers providing the revocation list distribution points are located in a Demilitarized Zone (DMZ), for example, or data transfer via Server Message Block (SMB) is not possible for other reasons, the revocation lists can be transferred to the distribution points using SSH Secure Copy (SCP). As of Windows Server 2019, the OpenSSH server and client packages are available. The following describes, as an example, the setup with authentication via public keys (Public Key Authentication) instead of passwords.