Configuring a Certificate Template for Authentication Mechanism Assurance (AMA)

Authentication Mechanism Assurance (AMA) provides the ability to tie membership in a security group to enrollment with a smart card certificate containing a specific Object Identifier (OID).

If the user logs on with a user name and password instead of the smart card certificate, they are not a member of that security group either.

The following describes how to generate a certificate template for use with Authentication Mechanism Assurance.


Include the wildcard issuance policy (All Issuance Policies) in a certification authority certificate

If you install an issuing CA and do not explicitly request an issuance policy, the resulting CA certificate will not contain an issuance policy.

If you want to include the wildcard issuance policy (All Issuance Policies) in the certification authority certificate, the following steps are required.


Include the issuance policies for Trusted Platform (TPM) Key Attestation in a certification authority certificate

If you install an issuing CA and do not explicitly request an issuance policy, the resulting CA certificate does not contain an issuance policy.

If you want to include the issuance policies for Trusted Platform (TPM) Key Attestation in the certification authority certificate, you must proceed as follows.


Determine and export a Trusted Platform Module (TPM) Endorsement Certificate

If you want to use Trusted Platform Module (TPM) key attestation, one of the available options is to attest the TPM via its endorsement certificate (EkCert). The following describes how to obtain this information.


Determine the checksum (hash) of a Trusted Platform (TPM) Endorsement Key

If you want to use Trusted Platform Module (TPM) key attestation, one of the available options is to attest the TPM via the hash of its endorsement key (EkPub). The following describes how to obtain this information.


Frequently Used Extended Key Usages and Issuance Policies

The following is a list of extended key usages and issuance policies that are commonly used in practice to restrict certification authority certificates.


Logon via smartcard fails with error message "The revocation status of the authentication certificate could not be determined."

Assume the following scenario:

  • A user has a Smartcard Logon certificate and logs on to the Active Directory domain with it.
  • The logon fails. The following error message is shown on the user's computer:

    The revocation status of the authentication certificate could not be determined.

Certificate Enrollment Web Service (CES) request fails with error code "WS_E_SERVER_REQUIRES_NEGOTIATE_AUTH"

Assume the following scenario:

  • A Certificate Enrollment Web Service (CES) is implemented in the network.
  • A certificate request is sent to the CES.
  • The certificate request fails with the following error message:

    The remote endpoint requires HTTP authentication scheme 'negotiate'. 0x803d001f (-2143485921 WS_E_SERVER_REQUIRES_NEGOTIATE_AUTH)

Certificate Enrollment Web Service (CES) request fails with error code "WS_E_INVALID_FORMAT"

Assume the following scenario:

  • A Certificate Enrollment Web Service (CES) is implemented in the network.
  • A certificate request is sent to the CES.
  • The certificate request fails with the following error message:

    The input data was not in the expected format or did not have the expected value. 0x803d0000 (-2143485952 WS_E_INVALID_FORMAT)

Certificate Enrollment Web Service (CES) request fails with error code "WS_E_ENDPOINT_NOT_FOUND"

Assume the following scenario:

  • A Certificate Enrollment Web Service (CES) is implemented in the network.
  • A certificate request is sent to the CES.
  • The certificate request fails with the following error message:

    The remote endpoint does not exist or could not be located. 0x803d000d (-2143485939 WS_E_ENDPOINT_NOT_FOUND)

Certificate Enrollment Policy creation for Certificate Enrollment Policy Web Service (CEP) fails with error code "WS_E_INVALID_FORMAT"

Assume the following scenario:

  • A Certificate Enrollment Policy Web Service (CEP) is implemented in the network.
  • An enrollment policy is configured.
  • Testing the connection fails with the following error message:

    Error: The input data was not in the expected format or did not have the expected value. 0x803d0000 (-2143485952 WS_E_INVALID_FORMAT)

Configuring the Network Device Enrollment Service (NDES) to work with a Group Managed Service Account (gMSA)

For security reasons, it can make sense to run NDES under a Group Managed Service Account (gMSA) instead of a regular domain account. This option has the appealing advantage that the account password is rotated automatically, so this step no longer has to be performed manually, which is unfortunately forgotten far too often.


Enabling Debug Logging for the Network Device Enrollment Service (NDES)

When trying to track down an error in the Network Device Enrollment Service (NDES), it is helpful to enable debug logging.


The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified."

Assume the following scenario:

  • An NDES server is configured on the network.
  • HTTP error 500 (Internal Server Error) is returned when accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin).
  • Event ID 2 is logged in the application event log:

    The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified.