Assume the following scenario:
- A certificate template is configured for automatic request and issuance (AutoEnrollment).
- Users or computers apply for new certificates at regular intervals and long before the defined renewal period.
Author: Uwe Gradenegger
The key algorithm of certificate requests is not checked by the certification authority's policy module
Assume the following scenario:
- A certificate template is configured to use elliptic curve based keys (e.g. ECDSA_P256).
- As a result, a minimum key length of 256 bits is configured.
- Nevertheless, certificate requests that use other ECC curves or RSA-based keys are also signed.
SignTool installation without Windows Software Development Kit (SDK) installation
One way to perform code signatures is to use the SignTool command line tool. This is part of the Windows 10 Software Development Kit (SDK).
If you want to use the tool on a system without having to install Visual Studio or the Windows SDK, you can proceed as follows.
Continue reading „SignTool Installation ohne Installation des Windows Software Development Kit (SDK)“Code signature for PowerShell script files
Below is a description of the options available for executing PowerShell script files, and what is possible by signing them.
Continue reading „Codesignatur für PowerShell Scriptdateien“Certificate request fails with error message "The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)".
Assume the following scenario:
- A certificate is requested from an Active Directory integrated certification authority (Enterprise Certification Authority).
- The request fails with the following error message:
An error occurred while enrolling for a certificate. The certificate request could not be submitted to the certification authority. Url: CA02.intra.adcslabor.de\ADCS Labor Issuing CA 1 Error: The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)““
The role configuration for the Certificate Enrollment Web Service (CES) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".
Assume the following scenario:
- A role configuration for the Certificate Enrollment Web Service (CES) is performed.
- The role configuration fails with the following error message:
CCertificateEnrollmenServerSetup::InitializeInstallDefaults: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)Continue reading „Die Rollenkonfiguration für den Certificate Enrollment Web Service (CES) schlägt fehl mit Fehlermeldung „Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)““
The role configuration for the Certificate Enrollment Web Service (CES) fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE".
Assume the following scenario:
- A role configuration for the Certificate Enrollment Web Service (CES) is performed.
- The role configuration fails with the following error message:
The Certificate Enrollment Web Service Setup failed because the CA "CA02.intra.adcslabor.de\ADCS Labor Issuing CA 1" cannot be contacted. Check the name, and confirm that the CA is properly configured and available. The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)Continue reading „Die Rollenkonfiguration für den Certificate Enrollment Web Service (CES) schlägt fehl mit Fehlermeldung „The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE““
Automatic renewal of manually requested certificates without intervention of a certificate manager
Assuming a use case is implemented for certificates where users specify the identity contained in the certificate in the certificate request, and this requires manual intervention by the certificate managers, the question arises as to how to proceed when the certificates expire or the certificate template is moved to another certification authority in order to minimize tickets at the help desk and thus the resulting work for the certificate managers.
Continue reading „Automatische Erneuerung manuell beantragter Zertifikate ohne Eingriff eines Zertifikatmanagers“Microsoft Outlook: Emails encrypted with S/MIME cannot be opened. The error message "Internal error." appears.
Assume the following scenario:
- A user receives an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).
- The message cannot be opened.
- When opening the message, the following error message is displayed:
Leider besteht ein Problem beim Öffnen dieses Elements. Dies kann vorübergehend sein. Wenn dieser Fehler erneut auftritt, sollten Sie Outlook neu starten. Fehler im zugrunde liegenden Sicherheitssystem. Interner Fehler.Continue reading „Microsoft Outlook: Mit S/MIME verschlüsselte E-Mails können nicht geöffnet werden. Es erscheint die Fehlermeldung „Interner Fehler.““
S/MIME with the Outlook app for Apple IOS and Android only possible with devices managed via Intune
If you want to make S/MIME certificates available to your users on the smartphone as well, you may be surprised to discover that this is not possible with the Outlook app unless you also use Microsoft Intune as a management solution for the devices.
Microsoft has published in an article "Sensitivity labeling and protection in Outlook for iOS and Android" now clarified that this is due to the respective system architecture.
Continue reading „S/MIME mit der Outlook App für Apple IOS und Android nur mit über Intune verwalteten Geräten möglich“From Zero to Enterprise Administrator through Network Device Enrollment Service (NDES) - and What to Do About It
In the following, I would like to present a highly dangerous PKI configuration, perhaps not necessarily known to the general public, which can probably be encountered quite frequently in this way in corporate networks.
I show how, by exploiting various unfortunate circumstances in the Windows PKI, it is possible to elevate privileges from mere network access to complete Active Directory takeover.
The initial point of attack in this example is the Network Device Enrollment Service (NDES).
Continue reading „Von Null auf Enterprise Administrator durch den Registrierungsdienst für Netzwerkgeräte (NDES) – und was dagegen getan werden kann“What does the "Enable Certificate Privacy" option mean when exporting certificates?
With Windows Server 2016 and Windows 10, a new "Enable Certificate Privacy" option has been implemented for exporting private key certificates via the Microsoft Management Console (MMC).
When exporting private key certificates, the certificate is exported to a PKCS#12 (.PFX) file.
Continue reading „Was bedeutet die Option „Enable Certificate Privacy“ beim Zertifikatexport?“Installation of a certification authority fails with error message "The Certification Authority is already installed."
Assume the following scenario:
- A certification authority is installed.
- An error occurred during installation that required a retry.
- The certification authority role was uninstalled and then the role configuration was tried again.
- The role configuration fails with the following error message:
The Certification Authority is already installed. If you are trying to reinstall the role service, you must first uninstall it.Continue reading „Die Installation einer Zertifizierungsstelle schlägt fehl mit Fehlermeldung „The Certification Authority is already installed.““
Google Chrome reports error code "ERR_SSL_PROTOCOL_ERROR" when calling a web page
Assume the following scenario:
- A web page is accessed using Google Chrome.
- The connection setup fails with the following error message:
Diese Website kann keine sichere Verbindung bereitstellen test.intra.adcslabor.de hat eine ungültige Antwort gesendet. Versuchen Sie, die Windows-Netzwerkdiagnose auszuführen. ERR_SSL_PROTOCOL_ERRORContinue reading „Google Chrome meldet Fehlercode „ERR_SSL_PROTOCOL_ERROR“ beim Aufruf einer Webseite“
Installation or uninstallation of a Windows feature fails with error message "The service is configured to not accept any remote shell requests."
Assume the following scenario:
- A Windows role concerning Active Directory Certificate Services (Certification Authority, Network Device Enrollment Service (NDES), Certificate Authority Web Enrollment (CAWE), Certificate Enrollment Web Services (CEP, CES), or Online Certificate Service Provider (OCSP)) is to be installed or uninstalled.
- The installation or uninstallation fails with the following error message:
The status of the role services on the target machine cannot be determined. Please retry. The error is The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.Continue reading „Die Installation oder Deinstallation eines Windows-Features schlägt fehl mit Fehlermeldung „The service is configured to not accept any remote shell requests.““
English 
Deutsch