Editing the NTAuthCertificates object in Active Directory
In the default configuration, all certification authority certificates of Active Directory integrated certification authorities (Enterprise Certification Authority) are located in an object of type CertificationAuthority named NTAuthCertificates within the Configuration Partition of the Active Directory forest.
Attack vector on Active Directory directory service via smartcard logon mechanism
In simple terms, public key cryptography can be reduced to the assumption that the private part of each key pair is known only to its owner.
A certification authority is responsible for the correct identification of users, computers or resources. The certificates it issues are therefore trusted because all participants assume that the certification authority's private key is known only to it.
If an attacker succeeds in gaining knowledge of a certification authority's private key, or at least in performing signatures with that private key, the integrity of the certification authority is no longer guaranteed.
Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions
Assume the following scenario:
- One installs a Network Device Enrollment Service (NDES) server.
- The role configuration fails with the following error message:
Insufficient access rights to perform this operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)
Typically, the NDES role configuration requires that the installing user is a member of the Enterprise Admins group. However, this is not technically necessary and contradicts Microsoft's security hardening recommendations, since NDES is not (necessarily) a system that is assigned to the highest security layer (Tier-0).
Below is a way to configure the NDES role even without these permissions.
Publishing a certificate revocation list (CRL) fails with the error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".
Assume the following scenario:
- An attempt is made to publish a new certificate revocation list (CRL) on a certification authority.
- The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
- Publishing the certificate revocation list fails with the following error message:
Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)
Publishing a certificate revocation list (CRL) fails with the error message "Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)".
Assume the following scenario:
- An attempt is made to publish a new certificate revocation list (CRL) on a certification authority.
- The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
- Publishing the certificate revocation list fails with the following error message:
Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)
Domain controller does not check extended key usage on smart card login
Anyone who wants to use the smartcard logon function in their company would be well advised to ensure that their certification authority has the strongest possible security hardening. This includes some essential measures:
- Removing all unnecessary certification authority certificates from the NTAuthCertificates object in Active Directory: Each certification authority located in this store is authorized to issue smartcard logon certificates in Active Directory for the complete forest.
- Using qualified subordination: restricting the certification authority certificates so that they are trusted only for the extended key usages they actually issue. In the event of a compromise of a certification authority, the damage is then limited to these extended key usages. The "Smart Card Logon" Extended Key Usage would then be present only in the certification authority certificate of the certification authority that actually issues such certificates.
What is interesting in this context, however, is that the domain controllers do not check the extended key usages at all during smartcard logon.
Endangering the Active Directory forest through the EDITF_ATTRIBUTESUBJECTALTNAME2 flag
Unfortunately, many instructions circulate on the net (and the big players are not exempt, not even Microsoft itself or grand master Komar) which fatally recommend setting the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on the certification authority, supposedly in order to be able to issue certificates with a Subject Alternative Name (SAN) extension for manually submitted certificate requests.
Unfortunately, this approach is not only unnecessary, it also has some unpleasant side effects which, in the worst case, can help an attacker take over the entire Active Directory forest.
What requirements must be met on the infrastructure side for smartcard logins to be possible?
In order for a smart card login to be successful, some requirements must be met in the Active Directory environment:
Overview of the different generations of domain controller certificates
Over the generations of Windows operating systems, various certificate templates for domain controllers have been established. In a current Active Directory directory service, one will find three different templates for this purpose.
- Domain Controller
- Domain Controller Authentication
- Kerberos Authentication
Below is a description of each template and a recommendation for configuring domain controller certificate templates.
Why Active Directory integrated certificate authorities are members of the "Pre-Windows 2000 Compatible Access" security group
As part of security hardening efforts for the Active Directory directory service, the question frequently comes up of why Active Directory integrated certificate authorities (Enterprise Certification Authority) are members of the Pre-Windows 2000 Compatible Access security group.
certutil -dcinfo fails with error message "KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"
Assume the following scenario:
- Domain controllers have certificates for LDAP over SSL.
- The certificates do not include the Extended Key Usage "Smart Card Logon" or "Kerberos Authentication".
- If you run certutil -dcinfo, the command reports the following error message:
0 KDC certificates for DC01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
Manual publishing of a certificate revocation list (CRL) to Active Directory fails with error 0x8007202b (WIN32: 8235 ERROR_DS_REFERRAL)
Assume the following scenario:
- An offline root certificate authority has been installed. The server on which the certificate authority is installed is not a domain member.
- It is configured to publish certificate revocation lists to Active Directory.
- The certificate revocation lists are published to Active Directory using certutil -dspublish.
- The operation fails with the following error message:
certutil -dspublish "ADCS Labor Root CA.crl"
ldap:///CN=ADCS Lab Root CA,CN=ADCS Lab Root CA,CN=cdp,CN=Public Key Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList
ldap: 0xa: LDAP_REFERRAL: 0000202B: RefErr: DSID-03100835, data 0, 1 access points
ref 1: 'unavailableconfigdn'
CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235 ERROR_DS_REFERRAL)
CertUtil: A referral was returned from the server.
Manually requesting a domain controller certificate
There are cases where you cannot or do not want to obtain domain controller certificates from a certification authority in your own Active Directory forest.
In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).
Requesting a certificate fails with the error message "The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).". When importing PFX files, the private key is missing.
Here's the scenario:
- The import of a PFX file seems to be successful, but afterwards the private key is missing. A check with certutil ends with the error message "Missing stored keyset".
- Requesting a certificate on a client fails with the following error message:
The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).
Requesting a certificate fails with the error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."
Assume the following scenario:
- You try to request a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
- To do this, the Microsoft Management Console (MMC) is used, either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
- However, the desired certificate template is not displayed for selection, even though it has been correctly published on the certification authority.
- The logged-in user (or computer) also has the necessary permissions to request certificates from the certificate template in question (enroll).
- In the list of available certificate templates within the MMC, all certificate templates are displayed. Next to the desired certificate template, the following is shown:
A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.