Basics: Authentication procedures for the Internet Information Services (IIS)

The Active Directory Certificate Services offer a number of web-based add-on interfaces (Network Device Registration Service (NDES), Certificate Enrollment Policy Web Service (CEP), Certificate Enrollment Web Service (CES), Certification Authority Web Enrollment (CAWE).

The Microsoft Internet Information Services (IIS) are thus almost indispensable for a Microsoft PKI. Each of the web-based interfaces (and also in-house developments) bring their own unique challenges in terms of authentication procedures and their implementation.

The following article should bring a little clarity to the topic.

Continue reading „Grundlagen: Authentisierungsverfahren für die Internet Information Services (IIS)“

Disabling NTLM and enforcing Kerberos at the Network Device Enrollment Service (NDES) administration web page.

Many companies pursue the strategy of (largely) disabling the NT LAN Manager (NTLM) authentication protocol in their networks.

This is also possible for the administration web page of the network device registration service (NDES). How exactly this is implemented and how this may change the application behavior is explained below.

Continue reading „Deaktivieren von NTLM und erzwingen von Kerberos an der Administrations-Webseite des Registrierungsdienstes für Netzwerkgeräte (NDES)“

Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754)

With the May 10, 2022 patch, Microsoft is attempting to patch a vulnerability in the Active Directory in which the certificate-based enrollment (commonly known as PKINIT or also Smartcard Logon) to close.

The update changes both the behavior of the Certification Authority as well as the behavior of Active Directory when processing certificate-based logins.

Continue reading „Änderungen an der Zertifikatausstellung und an der zertifikatbasierten Anmeldung am Active Directory mit dem Patch für Windows Server vom 10. Mai 2022 (KB5014754)“

No remote desktop logon possible from outside the Active Directory forest

Assume the following scenario:

  • You want to establish a remote desktop connection.
  • The client computer from which the connection is made is not a member of the same Active Directory forest as the target computer.
  • The connection fails with the following error message:
A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.
Continue reading „Keine Anmeldung per Remotedesktop von außerhalb der Active Directory Gesamtstruktur möglich“

Certificate enrollment policy check via Certificate Enrollment Policy (CEP) web service fails with error code "WS_E_ENDPOINT_FAULT_RECEIVED".

Assume the following scenario:

  • Users (or computers) should request certificates via the Certificate Enrollment Policy (CEP) web service.
  • For this purpose, a certificate enrollment policy is configured, which points to a Certificate Enrollment Policy Web Service (CEP).
  • Authentication is done via Kerberos.
  • When checking the address, the connection to the CEP fails and you get the following error message:
An error occurred while obtaining certificate enrollment policy.
Url: https://cews.adcslabor.de/ADCSLaborIssuingCA1_CES_Kerberos/service.svc/CES
Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)
Continue reading „Die Überprüfung der Zertifikatregistrierungsrichtlinie über den Zertifikatregistrierungs-Richtlinienwebdienst (CEP) schlägt fehl mit Fehlercode „WS_E_ENDPOINT_FAULT_RECEIVED““

Performing a functional test for the Certificate Enrollment Policy Web Service (CEP)

After installing a Certificate Enrollment Policy Web Service (CEP), or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components are working as desired.

Continue reading „Funktionstest durchführen für den Certificate Enrollment Policy Web Service (CEP)“

Installing a Certificate Enrollment Policy Web Service (CEP)

The following describes how to install the Certificate Enrollment Policy Web Service (CEP).

Continue reading „Installation eines Certificate Enrollment Policy Web Service (CEP)“

Requesting certificates via Certificate Enrollment Web Services fails with error message "Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)".

Assume the following scenario:

  • A user requests a certificate.
  • An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
  • Authentication is done via Kerberos.
  • The application for the certificate is made by the CEP server itself.
  • The connection to the CEP fails and the user receives the following error message:
Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)
Continue reading „Die Beantragung eines Zertifikats über die Certificate Enrollment Web Services schlägt fehl mit Fehlermeldung „Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)““
en_USEnglish