Configure logging level for the certification authority event log.

Some Windows events generated by the certification authority are only generated from a certain logging level.

The following describes how to determine and change the logging level of a certification authority.

Continue reading „Protokollierungsebene (Log Level) für das Ereignisprotokoll der Zertifizierungsstelle konfigurieren“

Certificate or revocation list issuance fails with error code CERTSRV_E_NO_DB_SESSIONS

Assume the following scenario:

  • The Certification Authority cannot issue certificates and/or
  • The Certification Authority cannot issue revocation lists.
  • At least one of the following error messages is logged:

Event ID: 53 (Microsoft-Windows-CertificationAuthority)

Active Directory Certificate Services denied request 12345 because An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions. 0x8009400f (-2146877425 CERTSRV_E_NO_DB_SESSIONS). The request was for CN=Rudi Ratlos. Additional information: Denied by Policy Module

Event ID: 130 (Microsoft-Windows-CertificationAuthority)

Active Directory Certificate Services could not create a certificate revocation list. An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions 0x8009400f (-2146877425). This may cause applications that need to check the revocation status of certificates issued by this CA to fail. You can recreate the certificate revocation list manually by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services.
Continue reading „Die Ausstellung von Zertifikaten oder Sperrlisten schlägt fehl mit Fehlercode CERTSRV_E_NO_DB_SESSIONS“

Installation of a certificate authority fails with error code ERROR_INVALID_PARAMETER

Assume the following scenario:

  • A certification authority is installed
  • The role configuration fails with the following error message:
CCertSrvSetupProperty: The parameter is incorrect. 0x80070057 (WIN32: ERROR_INVALID_PARAMETER).
Continue reading „Die Installation einer Zertifizierungsstelle schlägt fehl mit Fehlercode ERROR_INVALID_PARAMETER“

Role configuration for Network Device Enrollment Service (NDES) fails with error message "Failed to Enroll RA certificates. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)"

Assume the following scenario:

  • One installs a Network Device Enrollment Service (NDES) server
  • One has the necessary permissions to install the role (local administrator, enterprise administrator)
  • The role configuration fails with the following error message:
Failed to Enroll RA certificates. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
Continue reading „Die Rollenkonfiguration für den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit Fehlermeldung „Failed to Enroll RA certificates. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)““

Analyze network problems with Wireshark without installing software on production systems

Often, problems with the public key infrastructure can be found in the underlying network - for example, if a firewall rule is missing from the network.

Thus, it is helpful if one is able to record network traffic in order to analyze it. Excellent tools exist for this purpose, such as Wiresharkbut these require that an installation be made on the system in question, which cannot and should not be done easily on a production system.

Fortunately, the Windows Server operating system has a built-in mechanism to capture network packets. However, the resulting files are not compatible with Wireshark. The Microsoft proprietary tool, Message Analyzer, was discontinued on Nov 25, 2019 and the download links removed.

The following therefore describes how such a recording can be generated and subsequently converted into a Wireshark-compatible format in order to be able to analyze the recording away from the server in question.

Continue reading „Netzwerkprobleme mit Wireshark analysieren, ohne Software auf produktiven Systemen installieren zu müssen“

The display name of a certificate template is not resolved. Only the object identifier (OID) of the certificate template is displayed.

Assume the following scenario:

  • For a certificate template, only the object identifier is shown, but not the display name and/or
  • Queries against the certificate authority database contain only the object identifier for the certificate template ("CertificateTemplate" field), but not the display name.
Continue reading „Der Anzeigename einer Zertifikatvorlage wird nicht aufgelöst. Es wird nur der Objektidentifizierer (OID) der Zertifikatvorlage angezeigt.“

Is there a dependency of the Network Devices Registration Service (NDES) with the NTAuthCertificates object?

The Network Device Registration Service (NDES) has two Registration Authority Certificates. With the enrollment agent certificate, certificate requests are signed and one can use the Configure NDES device template accordingly so that certificates are also only issued if the submitted certificate requests also have a corresponding signature..

Do you plan to use the Certification Authority connected to the NDES remove from the NTAuthCertificates objectThe question may arise as to whether mutual dependencies need to be taken into account here - after all, this requires Enroll on Behalf Of (EOBO) the presence of the certificate authority certificate in NTAuthCertificates.

Continue reading „Gibt es eine Abhängigkeit des Registrierungsdienstes für Netzwerkgeräte (NDES) mit dem NTAuthCertificates Objekt?“

Installation of a certificate authority fails with error code "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."

Assume the following scenario:

  • An attempt is made to install a certificate authority
  • The role configuration fails with the following error message:
An error occurred when creating the new key container "ADCS Labor Issuing CA 3". Please make sure the CSP is installed correctly or select another CSP.
Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).
Continue reading „Die Installation einer Zertifizierungsstelle schlägt fehl mit Fehlercode „Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).““

Lock check via online responder (OCSP) fails with HTTP error code 404 (HTTP_E_STATUS_NOT_FOUND)

Assume the following scenario:

Continue reading „Die Sperrprüfung über den Onlineresponder (OCSP) schlägt fehl mit HTTP Fehlercode 404 (HTTP_E_STATUS_NOT_FOUND)“

Installation of a certificate authority integrated into Active Directory using Windows PowerShell fails with error message "A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)".

Assume the following scenario:

  • A certification authority (Enterprise CA) integrated into Active Directory is installed using Windows PowerShell (Install-AdcsCertificationAuthority).
  • The role configuration fails with the following error message:
Install-AdcsCertificationAuthority : Active Directory Certificate Services setup failed with the following error: A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)
Continue reading „Die Installation einer ins Active Directory integrierten Zertifizierungsstelle mittels Windows PowerShell schlägt fehl mit Fehlermeldung „A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)““

Force domain controller (or other participants) to use an online responder (OCSP)

By default, Windows systems, even if an online responder (OCSP) is configured, will be sent to a certain number of OCSP requests fall back to a (if available) brevocation list, because this is usually more efficient in such a case. However, this behavior is not always desired.

For example, if one uses smart card logins, one might want to know if Logins were executed with unauthorized issued certificates. In conjunction with the deterministic good of the online responder you can thus create an (almost) seamless Audit trail create for all smartcard logins.

Continue reading „Domänencontroller (oder andere Teilnehmer) zwingen, einen Onlineresponder (OCSP) zu verwenden“

Configure the "Magic Number" for the online responder

Even if an online responder is present in the network and the certification authorities have entered its address in the Authority Information Access (AIA) extension of the issued certificates, it is not always guaranteed that the online responder is actually used.

One variable here is the "Magic Number", which is present on every Windows operating system. It causes the system to fall back to blacklists (if present) if requests are made too often via OCSP for the same certificate authority.

Continue reading „Die „Magic Number“ für den Onlineresponder konfigurieren“

Overview of the audit events generated by the online responder (OCSP)

The following is an overview of the audit events generated by the online responder in the Windows Event Viewer.

In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.

Continue reading „Übersicht über die vom Onlineresponder (OCSP) generierten Audit-Ereignisse“

Configure deterministic "good" for the online responder (OCSP).

In the default configuration, the online responder returns the status "Good" for requested certificates that do not appear on one of the configured revocation lists.

This can be problematic because the online responder has no knowledge of certificates issued by the certification authorities. If an attacker succeeds in issuing a certificate using the private key of the certification authority without their knowledge, this would not be detected by the online responder, and would also be reported in the Audit log show up as "Good".

Continue reading „Deterministisches „Good“ für den Onlineresponder (OCSP) konfigurieren“
en_USEnglish