Automatically enter DNS names in the Subject Alternate Name (SAN) of issued certificates - with the TameMyCerts Policy Module for Microsoft Active Directory Certificate Services (ADCS)

Google is a major player with the Chromium project and products based on it such as Google Chrome and Microsoft Edge have moved to implement the RFC 2818 and to no longer trust certificates that no longer fulfill the RFC.

For us, the following sentence is of great explosiveness:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead
Continue reading „DNS-Namen automatisch in den Subject Alternate Name (SAN) ausgestellter Zertifikate eintragen – mit dem TameMyCerts Policy Modul für Microsoft Active Directory Certificate Services (ADCS)“

Change the Subject Alternative Name (SAN) of a certificate before it is issued - but do it securely!

In net circulate unfortunately much at many Instructions (also the big players are not excluded from this, not even Microsoft itself or the Grand Master Komar), which fatally recommend that the flag EDITF_ATTRIBUTESUBJECTALTNAME2 should be set on the certification authority - supposedly to be able to issue certificates with Subject Alternative Name (SAN) extension for manually submitted certificate requests.

Unfortunately, this procedure is not only unnecessary, it also has some unpleasant side effects, which in the worst case can help an attacker to take over the entire Active Directory structure.

Continue reading „Den Subject Alternative Name (SAN) eines Zertifikats vor dessen Ausstellung verändern – aber sicher!“

Basics: Delta revocation lists

Certificate revocation lists (CRLs) are used to remove issued certificates from circulation before the end of their validity period.

A CRL is a signed list of the serial numbers of certificates that have been revoked by the certification authority. The revocation list has an expiration date (usually a few days short) and is reissued and signed by the associated certification authority at regular intervals.

Certificate revocation lists can reach a considerable size if the volume of revoked certificates is high (as a rule of thumb, you can expect about 5 megabytes per 100,000 entries). The regular download of large certificate revocation lists by subscribers can generate a large network load. To address this problem, there is the concept of delta revocation lists.

Continue reading „Grundlagen: Deltasperrlisten“

Roles in a public key infrastructure

Understanding the roles involved is essential for designing a public key infrastructure.

The term "public key infrastructure" encompasses much more than the technical components and is often misleadingly used.

In summary, a public key infrastructure is both an authentication technology and the totality of all the components involved.

Continue reading „Rollen in einer Public Key Infrastruktur“

Deconstruction of an Active Directory integrated certification authority (Enterprise CA)

There are many instructions for setting up and commissioning IT services. However, the associated instructions for decommissioning are usually forgotten.

The following describes how to correctly decommission a certification authority (Enterprise Certification Authority) integrated into Active Directory.

Continue reading „Rückbau einer Active Directory integrierten Zertifizierungsstelle (Enterprise CA)“

Checking the integrity of backups of the certification authority database

Within the framework of the creation of a Backup of a certification authority The question may arise as to how to ensure that the integrity of the certification authority database backup is guaranteed so that it can be properly restored can be.

The Certification Authority database is available in a Microsoft JET Blue database engine (also known as Extensible Storage Engine, ESE). Their working and backup files have the extension .edb and can be created with the operating system tool esentutl be managed.

Continue reading „Prüfen der Integrität von Sicherungen der Zertifizierungsstellen-Datenbank“

Configuring a Certificate Template for Online Responders (OCSP) Response Signing Certificates

To use the Online Certificate Status Protocol (OCSP), it is necessary to configure an appropriate certificate template.

Continue reading „Konfigurieren einer Zertifikatvorlage für Onlineresponder (OCSP) Antwortsignatur-Zertifikate“

Sending S/MIME encrypted messages with Outlook for iOS is not possible: "There's a problem with one of your S/MIME encryption certificates."

Assume the following scenario:

There's a problem with one of your S/MIME encryption certificates. Contact your IT help desk for more info.
There is a problem with one of your S/MIME encryption certificates. Contact your IT help desk for more information.
Continue reading „Das Senden von S/MIME verschlüsselten Nachrichten mit Outlook for iOS ist nicht möglich: „There’s a problem with one of your S/MIME encryption certificates.““

Logins via the Network Policy Server (NPS) fail with reason "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

Assume the following scenario:

  • A certificate-based login is performed with user or computer accounts to connect them to a wireless (IEEE 802.11 or Wireless LAN) or wired network (IEEE 802.3), or a remote access connection (e.g. DirectAccess, Routing and Remote Access (RAS), Always on VPN) to register.
  • The company uses Microsoft's Network Policy Server (NPS) as its Authentication, Authorization and Accounting (AAA) server.
  • Logging on to the network is no longer possible.
  • The network policy server logs the following event when a login attempt is made:
Network Policy Server denied access to a user. [...] Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
The network policy server has denied access to a user. [...] Authentication error due to mismatch of user credentials. The specified username is not associated with an existing user account, or the password was incorrect.
Continue reading „Anmeldungen über den Netzwerkrichtlinienserver (engl. Network Policy Server, NPS) scheitern mit Grund „Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.““

Unable to install Network Device Enrollment Service (NDES) at a site with read-only domain controllers

Assume the following scenario:

  • A network device registration service (NDES) is to be implemented in the network.
  • Read Only Domain Controllers (RODC) are located at the Active Directory site of the NDES server.
  • NDES role configuration fails with the following error message:
Failed to add the following certificate templates to the enterprise Active Directory Certificate Service or update security settings on those templates:
IPSEC(Offline request)
A referral was returned from the server. 0x8007202b (WIN32:8235 ERROR_DS_REFERRAL)
Continue reading „Keine Installation des Registrierungsdienstes für Netzwerkgeräte (NDES) an einem Standort mit nur schreibgeschützten Domänencontrollern möglich“

Subsequent archiving of private keys

For the encryption of e-mail messages, companies usually use the Secure / Multipurpose Internet Message Extensions (S/MIME) standard and provide their users with appropriate certificates for this purpose.

An important aspect here is that the users' private keys should be secured centrally - in contrast to the signature certificates that are otherwise mostly used. Incoming messages are encrypted for a specific private key and can only be decrypted again by the same person. Thus a backup of these keys must absolutely be available - also for the Synchronization to mobile devices this is indispensable. For this purpose, the Microsoft Active Directory Certificate Services offer the function of the Private Key Archival.

But what if private key archiving has not been set up and users have already applied for corresponding certificates?

Continue reading „Nachträgliche Archivierung privater Schlüssel“

Requesting certificates for endpoints managed with Microsoft Intune

In a networked world, it has become standard to work from anywhere, and also to work with mobile end devices such as smartphones or tablets in addition to classic desktop computers. Such end devices are usually connected by means of Mobile Device Management (MDM) managed by systems such as Microsoft Intune.

In most cases, users of mobile devices need digital certificates to prove their identity in order to gain access to corporate resources. Thus, it is necessary to provide these devices with an automatable yet secure interface for applying for these certificates.

Continue reading „Beantragung von Zertifikaten für mit Microsoft Intune verwaltete Endgeräte“

Transferring S/MIME certificates to Microsoft Intune

In a modern networked world, the confidential transmission of messages in the corporate environment is essential for business success. Despite their Age it is still impossible to imagine modern corporate communications without e-mail. However, its use has changed significantly over the decades.

Nowadays, it is common to be able to read and write business e-mails on mobile devices such as smartphones and tablets. Such end devices are usually connected by means of Mobile Device Management (MDM) managed by systems such as Microsoft Intune.

For the encryption of e-mail messages, companies usually use the Secure / Multipurpose Internet Message Extensions (S/MIME) standard and provide their users with the corresponding certificates. How do these certificates get to the end devices of the users in a scalable way?

Continue reading „Übertragen von S/MIME Zertifikaten zu Microsoft Intune“

Signing certificates bypassing the certification authority - solely using built-in tools

In the article "Signing certificates bypassing the certification authority"I described how an attacker with administrative rights on the certification authority can generate a logon certificate for administrative accounts of the domain by bypassing the certification authority software, i.e. by directly using the private key of the certification authority.

In the previous article I described the PSCertificateEnrollment Powershell Module is used to demonstrate the procedure. Microsoft supplies with certreq and certutil However, perfectly suitable pentesting tools are already included with the operating system ex works.

Continue reading „Signieren von Zertifikaten unter Umgehung der Zertifizierungsstelle – allein mit Bordmitteln“

Details of the event with ID 41 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source:Microsoft Windows Kerberos Key Distribution Center
Event ID:41 (0x80000029)
Event log:System
Event type:Warning or error
Event text (English):The Key Distribution Center (KDC) encountered a user certificate that was valid but contained a different SID than the user to which it mapped. As a result, the request involving the certificate failed. See to learn more. User: %1 User SID: %2 Certificate Subject: %3 Certificate Issuer: %4 Certificate Serial Number: %5 Certificate Thumbprint: %6 Certificate SID: %7
Event text (German):The Key Distribution Center (KDC) found a valid user certificate, but it contained a different SID than the user it is assigned to. As a result, an error occurred in the request involving the certificate. For more information, see User: %1 User SID: %2 Certificate requester: %3 Certificate issuer: %4 Certificate serial number: %5 Certificate fingerprint: %6 Certificate SID: %7
Continue reading „Details zum Ereignis mit ID 41 der Quelle Microsoft-Windows-Kerberos-Key-Distribution-Center“