Basics: The Key Usage Certificate Extension

Certificate extensions were introduced with version 3 of the X.509 standard. The Key Usage extension is an optional certificate extension, defined in RFC 5280, that restricts the purposes for which the certified key may be used (for example signing, key encipherment, or signing certificates and CRLs). RFC 5280 recommends that CAs mark it critical, so that a relying party which does not understand the extension rejects the certificate instead of silently ignoring the restriction.

Continue reading „Grundlagen: Die Key Usage Zertifikaterweiterung“
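As an added example (not part of the original article), the following Python decodes the DER-encoded Key Usage BIT STRING by hand and checks whether a concrete operation is permitted by it. The operation names in REQUIRED_USAGE and the two sample encodings (an end-entity key with digitalSignature and keyEncipherment, a CA key with keyCertSign and cRLSign) are constructed for this example.

```python
# Added example, not from the original article: hand-decode the DER value of
# the X.509 Key Usage extension (RFC 5280, section 4.2.1.3) and check whether
# a given operation is allowed by it.  Standard library only.

# Bit positions as defined in RFC 5280 (bit 0 is the most significant bit of
# the first content byte of the BIT STRING).
KEY_USAGE_BITS = [
    "digitalSignature",  # 0
    "nonRepudiation",    # 1  (also called contentCommitment)
    "keyEncipherment",   # 2
    "dataEncipherment",  # 3
    "keyAgreement",      # 4
    "keyCertSign",       # 5
    "cRLSign",           # 6
    "encipherOnly",      # 7
    "decipherOnly",      # 8
]


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03, short-form length, unused-bit count,
    content bytes) into the set of Key Usage names that are asserted.

    DER encodes a named bit list with trailing zero bits removed, so a short
    string just means the remaining usages are not asserted.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected BIT STRING length")
    unused, bits = der[2], der[3:]
    if unused > 7 or (unused and not bits):
        raise ValueError("invalid unused-bit count")
    if bits and unused and bits[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    usages = set()
    total_bits = len(bits) * 8 - unused
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if bits[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def encode_key_usage(usages) -> bytes:
    """Inverse of decode_key_usage: minimal DER encoding (trailing zeros dropped)."""
    indices = sorted(KEY_USAGE_BITS.index(u) for u in usages)
    if not indices:
        return b"\x03\x01\x00"
    nbits = indices[-1] + 1
    nbytes = (nbits + 7) // 8
    content = bytearray(nbytes)
    for i in indices:
        content[i // 8] |= 0x80 >> (i % 8)
    unused = nbytes * 8 - nbits
    return bytes([0x03, nbytes + 1, unused]) + bytes(content)


# Which Key Usage bits a relying party must find before using a key for a
# given operation.  The operation names are this example's own vocabulary.
REQUIRED_USAGE = {
    "sign_certificate": {"keyCertSign"},
    "sign_crl": {"cRLSign"},
    "tls_rsa_key_transport": {"keyEncipherment"},
    "tls_signature": {"digitalSignature"},
    "ecdh_key_agreement": {"keyAgreement"},
}


def permits(der: bytes, operation: str) -> bool:
    """True if every bit the operation needs is asserted in the extension."""
    return REQUIRED_USAGE[operation] <= decode_key_usage(der)


# Constructed sample values (not taken from a real certificate):
END_ENTITY_KU = bytes.fromhex("030205a0")  # digitalSignature, keyEncipherment
CA_KU = bytes.fromhex("03020106")          # keyCertSign, cRLSign

if __name__ == "__main__":
    for label, der in (("end entity", END_ENTITY_KU), ("CA", CA_KU)):
        print(label, sorted(decode_key_usage(der)),
              "may sign certificates:", permits(der, "sign_certificate"))
```

The check in permits() is the one a relying party has to make: if a required bit is absent, the key must not be used for that operation, whatever the certificate's subject claims. Note the DER rule on trailing zero bits: 03 02 01 06 is the canonical encoding of keyCertSign plus cRLSign, not a truncated one, and an encoder that pads to two content bytes produces a non-DER value that strict parsers reject.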

Establish a mapping from a user certificate to the associated computer

Assume the following scenario:

  • A user's computer is stolen or infected with malware.
  • The integrity of certificates located on the computer can no longer be guaranteed.
  • The certificates of the user(s) that were requested on this computer must be revoked.
  • However, one would like to avoid revoking all certificates of a user.
  • Thus, a connection must be established between the user's certificates and the computer on which they were requested.

If the certificates were requested via autoenrollment, we can take advantage of the fact that a corresponding attribute was part of the original certificate request, and that the request is stored in the certificate authority database together with the issued certificate.

Continue reading „Eine Zuordnung von einem Benutzerzertifikat zum dazugehörigen Computer herstellen“
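As an added example (not part of the original article), the following Python takes an export of the CA database and lists only the certificates that were requested from one particular computer, so that a user's other certificates are left alone. Two things are assumptions of this example, not statements from the article: the export is CSV with the four columns shown (certutil -view can emit its rows as CSV when given a column list and the csv keyword), and the requesting computer is recorded in the Request Attributes column as a "ccm:<FQDN>" line, which is how autoenrollment requests appear on the systems this example was modelled on. Verify the attribute name on your own CA before relying on it. The export itself is constructed sample data.

```python
# Added example, not from the original article: find the certificates a user
# requested from one particular (now lost) computer, so only those and not all
# of the user's certificates are revoked.
#
# Assumptions not made by the article: the CA database was exported as CSV with
# the four columns used below, and the requesting computer is recorded in the
# Request Attributes column as a "ccm:<FQDN>" line.
import csv
import io
from collections import defaultdict

# Constructed sample export, not real data.  Request Attributes is a
# multi-line field, hence the quoted CSV fields with embedded newlines.
SAMPLE_CSV = '''"Request ID","Requester Name","Serial Number","Request Attributes"
"1001","CORP\\alice","1a 00 00 00 01 c4 f2 d3 e4","CertificateTemplate:User
ccm:WKS01.corp.example.com"
"1002","CORP\\alice","1a 00 00 00 02 a1 b2 c3 d4","CertificateTemplate:User
ccm:WKS02.corp.example.com"
"1003","CORP\\bob","1a 00 00 00 03 de ad be ef","CertificateTemplate:User
ccm:wks01.corp.example.com"
"1004","CORP\\carol","1a 00 00 00 04 ca fe ba be","CertificateTemplate:User"
'''


def parse_request_attributes(blob: str) -> dict:
    """Turn the multi-line 'name:value' blob into a dict (names lower-cased)."""
    attrs = {}
    for line in blob.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip().lower()] = value.strip()
    return attrs


def index_by_computer(csv_text: str) -> dict:
    """Map each requesting computer (lower-cased FQDN) to the certificates
    requested from it.  Rows without a ccm attribute land under the empty key."""
    by_computer = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text, newline="")):
        attrs = parse_request_attributes(row["Request Attributes"])
        computer = attrs.get("ccm", "").lower()
        by_computer[computer].append({
            "request_id": int(row["Request ID"]),
            "requester": row["Requester Name"],
            # certutil accepts the serial without spaces; keep one canonical form
            "serial": row["Serial Number"].replace(" ", "").lower(),
        })
    return by_computer


def revocation_candidates(csv_text: str, lost_computer: str) -> list:
    """Certificates to revoke for a lost computer, oldest request first.
    Certificates the same users requested elsewhere are deliberately excluded."""
    rows = index_by_computer(csv_text).get(lost_computer.lower(), [])
    return sorted(rows, key=lambda r: r["request_id"])


def unmatched_requests(csv_text: str) -> list:
    """Requests that carry no ccm attribute (manual or non-autoenrollment
    requests); these cannot be attributed to a computer and need manual review."""
    return index_by_computer(csv_text).get("", [])


if __name__ == "__main__":
    for c in revocation_candidates(SAMPLE_CSV, "WKS01.corp.example.com"):
        print(f"revoke request {c['request_id']} ({c['requester']}): {c['serial']}")
    for c in unmatched_requests(SAMPLE_CSV):
        print(f"no computer recorded for request {c['request_id']} ({c['requester']})")
```

The unmatched list is the check a practitioner wants here: certificates that were requested manually, or through an enrollment channel that does not add the attribute, cannot be tied to a computer this way, and silently treating them as safe would leave exactly the wrong gap.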

No remote desktop logon possible from outside the Active Directory forest

Assume the following scenario:

  • You want to establish a remote desktop connection.
  • The client computer from which the connection is made is not a member of the same Active Directory forest as the target computer.
  • The connection fails with the following error message:
A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.
Continue reading „Keine Anmeldung per Remotedesktop von außerhalb der Active Directory Gesamtstruktur möglich“

Login to the Network Device Enrollment Service (NDES) administration web page fails with HTTP error code 401 "Unauthorized: Access is denied due to invalid credentials."

Assume the following scenario:

  • An NDES server is configured on the network.
  • Opening the NDES administration web page (certsrv/mscep_admin) is not possible.
  • After several unsuccessful login attempts, the following HTTP error message is returned:
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
Continue reading „Die Anmeldung an der Administrations-Webseite für den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit HTTP Fehlercode 401 „Unauthorized: Access is denied due to invalid credentials.““

Electronic data exchange with the German Pension Insurance

Recently, together with B-I-T GmbH Information and Processes from Hanover, we worked on implementing the electronic data exchange with the statutory health insurance funds and the pension insurance from a single application.

A combination of authenticated data transmission and of signed and encrypted messages is used here; all of these rely on PKI technologies.

The message format used is documented here.

Continue reading „Elektronischer Datenaustausch mit der Deutschen Rentenversicherung“

Restoring certificates from the SMTP Exit Module data

If you restore a certification authority from a backup after a disaster, you will probably find that certificates were issued in the period between the last backup and the system failure, and that the records of these issuances were lost with the failure.

These certificates are not contained in the restored certificate authority database, so they can neither be recovered from it nor revoked through it should that become necessary.

If you use the SMTP Exit Module, you can at least determine the serial numbers of these certificates from the e-mails it sent and revoke them.

Continue reading „Wiederherstellen von Zertifikaten aus den Daten des SMTP Exit Moduls“
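As an added example (not part of the original article), the following Python recovers serial numbers from the notification mails, works out which of them the restored database does not contain, and prepares a revocation command for exactly those. The mail layout ("Request ID:" and "Serial Number:" lines in a plain-text body), the list of serial numbers exported from the restored database, and the mails themselves are constructed for this example; the real layout depends on the module's mail template. The commands use certutil -revoke with a serial number and a reason code (1 = Key Compromise).

```python
# Added example, not from the original article: recover the serial numbers of
# certificates that the SMTP Exit Module announced by e-mail, work out which of
# them are absent from the restored CA database, and prepare revocation
# commands for exactly those.
#
# Assumptions not made by the article: the notification mails are plain-text
# messages containing "Request ID:" and "Serial Number:" lines (the real
# layout depends on the module's mail template), the restored database was
# exported to a list of serial numbers, and revocation is done with
# "certutil -revoke <serial> <reason>" (reason 1 = Key Compromise).
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample mails, not real data (one per issued certificate).
SAMPLE_MAILS = [
    """From: ca@corp.example.com
Subject: Certificate issued (request 1001)
Date: Mon, 03 Jun 2024 08:12:00 +0000

Request ID: 1001
Requester: alice@corp.example.com
Serial Number: 1a 00 00 00 01 c4 f2 d3 e4
""",
    """From: ca@corp.example.com
Subject: Certificate issued (request 1003)
Date: Tue, 04 Jun 2024 17:40:00 +0000

Request ID: 1003
Requester: bob@corp.example.com
Serial Number: 1a 00 00 00 03 de ad be ef
""",
    """From: ca@corp.example.com
Subject: Certificate issued (request 1002)
Date: Tue, 04 Jun 2024 09:05:00 +0000

Request ID: 1002
Requester: alice@corp.example.com
Serial Number: 1a 00 00 00 02 a1 b2 c3 d4
""",
]

# Serial numbers present in the database restored from the last backup
# (constructed: only request 1001 made it into the backup).
RESTORED_DB_SERIALS = {"1a00000001c4f2d3e4"}

SERIAL_RE = re.compile(r"^Serial Number:\s*([0-9a-fA-F][0-9a-fA-F ]*)\s*$", re.MULTILINE)
REQUEST_RE = re.compile(r"^Request ID:\s*(\d+)\s*$", re.MULTILINE)


def normalize_serial(text: str) -> str:
    """certutil accepts the serial without spaces; compare in one canonical form."""
    return text.replace(" ", "").lower()


def parse_notification(raw: str) -> dict:
    """Pull request ID, serial number and send time out of one notification mail."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    serial = SERIAL_RE.search(body)
    request_id = REQUEST_RE.search(body)
    if not serial or not request_id or msg["Date"] is None:
        raise ValueError("mail does not look like an issuance notification")
    return {
        "request_id": int(request_id.group(1)),
        "serial": normalize_serial(serial.group(1)),
        "sent": parsedate_to_datetime(msg["Date"]),
    }


def missing_from_restored_db(mails, restored_serials) -> list:
    """Certificates announced by mail that the restored database lacks, oldest first."""
    known = {normalize_serial(s) for s in restored_serials}
    found = [parse_notification(m) for m in mails]
    return sorted((c for c in found if c["serial"] not in known), key=lambda c: c["sent"])


def revocation_commands(certs, reason=1) -> list:
    """One certutil -revoke command per certificate; reason 1 is Key Compromise."""
    return [f"certutil -revoke {c['serial']} {reason}" for c in certs]


if __name__ == "__main__":
    for cmd in revocation_commands(missing_from_restored_db(SAMPLE_MAILS, RESTORED_DB_SERIALS)):
        print(cmd)
```

Comparing against the restored database, rather than against the backup timestamp, is deliberate: the CA backdates a certificate's validity start by its clock-skew allowance, so neither NotBefore nor the mail's send time is a reliable boundary, while the set difference is exact. Before running the commands, check that the restored CA accepts a revocation for a serial number it has no database row for; where it does not, the certificate itself must first be put back into the database (certutil -importcert does this from a certificate file), which only works if a copy of the certificate was kept, for example in the notification mail.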

Details of the event with ID 1073 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager

Event Source:Microsoft-Windows-TerminalServices-RemoteConnectionManager
Event ID:1073 (0xC0000431)
Event log:System
Event type:
Event text (English):The msPKI-Cert-Template-OID column for the template-based certificate %1 returned an unknown data type %2.
Event text (German, translated):The msPKI-Cert-Template-OID column for template-based certificate %1 returned unknown data type %2.
Continue reading „Details zum Ereignis mit ID 1073 der Quelle Microsoft-Windows-TerminalServices-RemoteConnectionManager“

Details of the event with ID 1072 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager

Event Source:Microsoft-Windows-TerminalServices-RemoteConnectionManager
Event ID:1072 (0xC0000430)
Event log:System
Event type:
Event text (English):The cn column for the template-based certificate %1 returned an unknown data type %2.
Event text (German, translated):The column "cn" for the template-based certificate %1 has returned the unknown data type %2.
Continue reading „Details zum Ereignis mit ID 1072 der Quelle Microsoft-Windows-TerminalServices-RemoteConnectionManager“

Details of the event with ID 1065 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager

Event Source:Microsoft-Windows-TerminalServices-RemoteConnectionManager
Event ID:1065 (0xC0000429)
Event log:System
Event type:Error
Event text (English):The template-based certificate that is being used by the RD Session Host server for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption has expired and cannot be replaced by the RD Session Host server. The following error occurred: %1.
Event text (German, translated):The template-based certificate used by the Remote Desktop session host server for authentication and encryption using Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) has expired and cannot be replaced by the Remote Desktop session host server. Error: %1.
Continue reading „Details zum Ereignis mit ID 1065 der Quelle Microsoft-Windows-TerminalServices-RemoteConnectionManager“

Details of the event with ID 1064 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager

Event Source:Microsoft-Windows-TerminalServices-RemoteConnectionManager
Event ID:1064 (0xC0000428)
Event log:System
Event type:Error
Event text (English):The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occured: %1.
Event text (German, translated):The Remote Desktop session host server cannot install a new template-based certificate to be used for authentication and encryption using Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL). Error: %1.
Continue reading „Details zum Ereignis mit ID 1064 der Quelle Microsoft-Windows-TerminalServices-RemoteConnectionManager“

Details of the event with ID 1063 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager

Event Source:Microsoft-Windows-TerminalServices-RemoteConnectionManager
Event ID:1063 (0xC0000427)
Event log:System
Event type:Information
Event text (English):A new template-based certificate to be used by the RD Session Host server for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption has been installed. The name for this certificate is %1. The SHA1 hash of the certificate is provided in the event data.
Event text (German, translated):A new template-based certificate has been installed to be used by the Remote Desktop session host server for authentication and encryption using Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL). The name of this certificate is %1. The SHA1 hash value of the certificate is provided in the event data.
Continue reading „Details zum Ereignis mit ID 1063 der Quelle Microsoft-Windows-TerminalServices-RemoteConnectionManager“

Details of the event with ID 1062 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager

Event Source:Microsoft-Windows-TerminalServices-RemoteConnectionManager
Event ID:1062 (0xC0000426)
Event log:System
Event type:Error
Event text (English):The RD Session Host server is configured to use a template-based certificate for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption, but the subject name on the certificate is invalid. %1 The SHA1 hash of the certificate is in the event data. Therefore, the default certificate will be used by the RD Session Host server for authentication. To resolve this issue, make sure that template used to create this certificate is configured to use DNS name as subject name .
Event text (German, translated):The Remote Desktop session host server is configured to use a template-based certificate for authentication and encryption using Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL), but the requester name on the certificate is invalid. %1 The SHA1 hash value of the certificate is included in the event data. Therefore, the Remote Desktop session host server uses the default certificate for authentication. To resolve the issue, ensure that the template used to create this certificate is configured to use a DNS name as the requester name.
Continue reading „Details zum Ereignis mit ID 1062 der Quelle Microsoft-Windows-TerminalServices-RemoteConnectionManager“

Details of the event with ID 1059 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager

Event Source:Microsoft-Windows-TerminalServices-RemoteConnectionManager
Event ID:1059 (0xC0000423)
Event log:System
Event type:
Event text (English):The RD Session Host Server authentication certificate configuration data was invalid and the service reset it. If the computer was configured to use a specific certificate, please verify it is available in the certificate store and use the administrative tools to select it again.
Event text (German, translated):The configuration information of the authentication certificate for the Remote Desktop session host server was invalid and the service reset it. If the computer was configured to use a specific certificate, verify that it is available in the certificate store and use the management utilities to reselect it.
Continue reading „Details zum Ereignis mit ID 1059 der Quelle Microsoft-Windows-TerminalServices-RemoteConnectionManager“

Details of the event with ID 1058 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager

Event Source:Microsoft-Windows-TerminalServices-RemoteConnectionManager
Event ID:1058 (0xC0000422)
Event log:System
Event type:
Event text (English):The RD Session Host Server has failed to replace the expired self signed certificate used for RD Session Host Server authentication on SSL connections. The relevant status code was %1.
Event text (German, translated):Error replacing the expired self-signed certificate for Remote Desktop session host server authentication for SSL connections. Associated status code: %1.
Continue reading „Details zum Ereignis mit ID 1058 der Quelle Microsoft-Windows-TerminalServices-RemoteConnectionManager“