Checking the integrity of backups of the certification authority database

Within the framework of the creation of a Backup of a certification authority The question may arise as to how to ensure that the integrity of the certification authority database backup is guaranteed so that it can be properly restored can be.

The Certification Authority database is available in a Microsoft JET Blue database engine (also known as Extensible Storage Engine, ESE). Their working and backup files have the extension .edb and can be created with the operating system tool esentutl be managed.

Continue reading „Prüfen der Integrität von Sicherungen der Zertifizierungsstellen-Datenbank“

Sending S/MIME encrypted messages with Outlook for iOS is not possible: "There's a problem with one of your S/MIME encryption certificates."

Assume the following scenario:

There's a problem with one of your S/MIME encryption certificates. Contact your IT help desk for more info.
There is a problem with one of your S/MIME encryption certificates. Contact your IT help desk for more information.
Continue reading „Das Senden von S/MIME verschlüsselten Nachrichten mit Outlook for iOS ist nicht möglich: „There’s a problem with one of your S/MIME encryption certificates.““

Logins via the Network Policy Server (NPS) fail with reason "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

Assume the following scenario:

  • A certificate-based login is performed with user or computer accounts to connect them to a wireless (IEEE 802.11 or Wireless LAN) or wired network (IEEE 802.3), or a remote access connection (e.g. DirectAccess, Routing and Remote Access (RAS), Always on VPN) to register.
  • As a server for authentication, authorization and accounting (AAA), the company uses the Network Policy Server (NPS) from Microsoft.
  • Logging on to the network is no longer possible.
  • The network policy server logs the following event when a login attempt is made:
Network Policy Server denied access to a user. [...] Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
The network policy server has denied access to a user. [...] Authentication error due to mismatch of user credentials. The specified username is not associated with an existing user account, or the password was incorrect.
Continue reading „Anmeldungen über den Netzwerkrichtlinienserver (engl. Network Policy Server, NPS) scheitern mit Grund „Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.““

Unable to install Network Device Enrollment Service (NDES) at a site with read-only domain controllers

Assume the following scenario:

  • A network device registration service (NDES) is to be implemented in the network.
  • Read Only Domain Controllers (RODC) are located at the Active Directory site of the NDES server.
  • NDES role configuration fails with the following error message:
Failed to add the following certificate templates to the enterprise Active Directory Certificate Service or update security settings on those templates:
EnrollmentAgentOffline
CEPEncryption
IPSEC(Offline request)
A referral was returned from the server. 0x8007202b (WIN32:8235 ERROR_DS_REFERRAL)
Continue reading „Keine Installation des Registrierungsdienstes für Netzwerkgeräte (NDES) an einem Standort mit nur schreibgeschützten Domänencontrollern möglich“

Renewal of a certificate via the Network Device Enrollment Service (NDES) fails with error code CERT_E_UNTRUSTEDCA

Assume the following scenario:

  • A certificate is requested through the Network Device Enrollment Service (NDES).
  • Renewal mode is used here, i.e. the certificate request is signed with an existing certificate.
  • The request for the new certificate fails with the following error message:
A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Continue reading „Die Erneuerung eines Zertifikats über den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit Fehlercode CERT_E_UNTRUSTEDCA“

Installation of a new certification authority certificate fails with error code "ERROR_INVALID_PARAMETER".

Assume the following scenario:

  • A new Certification Authority certificate is requested for a subordinate Certification Authority and issued by the superordinate Certification Authority.
  • The Subject Distinguished Name (Subject DN) is identical to that of the previous certification authority certificate.
  • However, the installation of the certificate authority certificate fails with the following error message:
An error was detected while configuring Active Directory Certificate Services.
The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration.
The new certificate subject name does not exactly match the active CA name.
Renew with a new key to allow minor subject name changes: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER).
Continue reading „Die Installation eines neuen Zertifizierungsstellen-Zertifikats schlägt fehl mit Fehlercode „ERROR_INVALID_PARAMETER““

The Certificate Connector for Microsoft Intune throws the error message "ArgumentException: String cannot be of zero length" during configuration.

Assume the following scenario:

  • An NDES server has been set up for use with Microsoft Intune.
  • The configuration of the Intune Certificate Connector cannot be completed because the following error message is thrown:
Error in Microsoft Intune Certificate Connector configuration. No changes were made to feature or proxy settings.
Unexpected error: System.ArgumentException: The string cannot have a length of 0 (zero).
Parameter name: name
  for System.Security.Principal.NTAccount.ctor(String name)
Continue reading „Der Certificate Connector für Microsoft Intune wirft bei der Konfiguration die Fehlermeldung „ArgumentException: String cannot be of zero length““

Logon error with Windows Hello for Business: "Contact the system administrator and tell them that the KDC certificate could not be verified."

Assume the following scenario:

  • The company is using Windows Hello for Business.
  • Users receive the following error message when logging in to the client:
Sign-in failed. Contact your system administrator and tell them that the KDC certificate could not be validated. Additional information may be available in the system event log.
Continue reading „Anmeldefehler mit Windows Hello for Business: „Wenden Sie sich an den Systemadministrator, und teilen Sie ihm mit, dass das KDC-Zertifikat nicht überprüft werden konnte.““

Verification of the domain controller certificates throws the error code ERROR_ACCESS_DENIED

Assume the following scenario:

  • With certutil a verification of the domain controller certificates is performed.
  • The operation fails with the following error message:
0: DC01

*** Testing DC[0]: DC01
Enterprise Root store: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
KDC certificates: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

CertUtil: -DCInfo command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
Continue reading „Die Überprüfung der Domänencontroller-Zertifikate wirft den Fehlercode ERROR_ACCESS_DENIED“

Requesting certificates with elliptic curve based keys fails when using Microsoft Platform Crypto Provider

Assume the following scenario:

Error: The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)

On Windows Server 2016, the error message "No provider was specified for the store or object. 0x80092006 (-2146885626 CRYPT_E_NO_PROVIDER)" is issued with otherwise identical behavior.

Continue reading „Die Beantragung von Zertifikaten mit auf elliptischen Kurven basierenden Schlüsseln schlägt fehl, wenn der Microsoft Platform Crypto Provider verwendet wird“

Microsoft Outlook: Signed e-mail messages are rejected by the receiving mail server with error message "Invalid S/MIME encrypted message."

Assume the following scenario:

  • A user sends an e-mail message signed with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The sender uses Microsoft Outlook for Macintosh.
  • The receiving mail server rejects the message and sends back a Non-Delivery Report (NDR):
550 5.6.0 M2MCVT.StorageError.Exception: ConversionFailedException - , Content conversion: Invalid S/MIME encrypted message.; storage error in content conversion.
Continue reading „Microsoft Outlook: Signierte E-Mail Nachrichten werden vom empfangenden Mailserver abgelehnt mit Fehlermeldung „Invalid S/MIME encrypted message.““

What happens if a user has requested multiple certificates?

I recently encountered the phenomenon that due to a faulty request logic, several users had made new certificate requests at regular intervals.

The certificate template was configured to have incoming certificate requests released by a certificate manager, i.e. the certificates were not issued automatically. The certificate requests were to be checked by a separate code and then released.

One would now expect that (since all certificate requests would eventually be approved) users would now find multiple certificates of the same type in their certificate store (and the applications that use it). However, this was not the case.

Continue reading „Was passiert, wenn ein Benutzer mehrere Zertifikate beantragt hat?“

It is not possible to create a certificate template. Error message "The following template name has already been used".

Assume the following scenario:

  • A new certificate template is to be created.
  • The creation fails with the following error message:
The following template name has already been used: ADCSLaboratoryUserTest. Enter a unique template name.
Continue reading „Die Erzeugung einer Zertifikatvorlage ist nicht möglich. Fehlermeldung „The following template name has already been used““

Cause research: Snipping Tool and other components in Windows 11 no longer usable due to expired certificate

Today went through many Mediathat some apps and components in the recently released Windows 11 no longer work since 01.11.2021 and that the cause for this is a certificate that expired on 31.10.2021. In the meantime Microsoft has pointed out in a blogpost and also a patch for some affected components published.

Unfortunately, none of the available sources provided detailed information about what exactly the problem was. So let's get to the bottom of it ourselves.

Continue reading „Ursachenforschung: Snipping Tool und weitere Komponenten in Windows 11 wegen abgelaufenem Zertifikat nicht mehr benutzbar“

Manual assignment of a Remote Desktop certificate fails with error message "Invalid parameter".

Assume the following scenario:

Set-WMIInstance : Invalid parameter
 At line:1 char:1
 Set-WMIInstance -path $TerminalServicesConfig.__path -argument @{SSLC ...
 ~~~~~~~~~~~~~~~~~ CategoryInfo : InvalidOperation: (:) [Set-WmiInstance], ManagementException
 FullyQualifiedErrorId : SetWMIManagementException,Microsoft.PowerShell.Commands.SetWmiInstance 
Continue reading „Die manuelle Zuweisung eines Remotedesktop-Zertifikats schlägt fehl mit Fehlermeldung „Invalid parameter““
en_USEnglish