Uwe Gradenegger - Page 39 - Uwe Gradenegger

Certificate Enrollment Policy Service does not display certificate templates configured for compatibility with Windows Server 2016 or Windows 10

There is a known bug in the Certificate Enrollment Policy Web Service (CEP) that causes certificate templates configured for compatibility with Windows Server 2016 or Windows 10 not to display.

How are the compatibility settings for certificate templates technically mapped?

Since the Certificate Services management tools in Windows Server 2012, you can select the desired compatibility for the certificate authority and certificate recipient when configuring a certificate template.

In the following, this function is described in more detail, as well as possible effects in practice.

Overview of the availability of options when changing the compatibility settings of a certificate template

The following is an overview of which options become available in each case when the compatibility settings for the certificate authority and/or the certificate recipients are changed.

Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message "Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)".

Assume the following scenario:

An attempt is made to request a certificate via Windows PowerShell using Certificate Enrollment Web Services.
The request fails with the following error message:

Get-Certificate : CX509EnrollmentPolicyWebService::LoadPolicy: Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)

Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message "Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

An attempt is made to request a certificate via Windows PowerShell using Certificate Enrollment Web Services. The name of the certificate template is included with the -Template argument.
The request fails with the following error message:

Get-Certificate : CertEnroll::CX509CertificateTemplates::get_ItemByName: Cannot find object or property. 0x80092004

(-2146885628 CRYPT_E_NOT_FOUND)

Windows Defender detects certutil as malware (Win32/Ceprolad.A)

Assume the following scenario:

One leads a Functional test for the Certificate Enrollment Policy Web Server (CEP) by.
For this, one uses a certutil command that uses Kerberos authentication, e.g.:

certutil -ping -kerberos -config "https://{Servername}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP" CEP

The certutil command is incorrectly detected by Windows Defender or Windows Defenter Advanced Threat Protection as Win32/Ceprolad.A.

Required Windows security permissions for the Certificate Enrollment Policy Web Service (CEP)

Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will have an impact on the CEP components.

Automatically change passwords for accounts that require login via smartcard or Windows Hello for Business

A new feature of Windows Server 2016 is that the passwords for accounts that have a plain Login with smartcards be automatically renewed according to the password light lines.

If the "Smart card is required for interactive logon" option is enabled for a user account, the password of the user account is set to a random value once. However, the password never changes after that, which makes the account more vulnerable to pass-the-hash attacks.

The newly introduced feature solves this problem by generating new randomly generated passwords for corresponding accounts on a regular basis (depending on the password policy configured for the account).

In-Place Upgrade of a Certification Authority from Windows Server 2012 R2 or 2016 to Windows Server 2019

At the latest within the scope of the End of product support by the manufacturer (Microsoft) The question arises as to whether the Certification Authority should be Migration to another server to an up-to-date operating system, or performs an in-place upgrade. The latter process is described below.

In-Place Upgrade of a Certification Authority from Windows Server 2012 SP2 or 2012 R2 to Windows Server 2016

In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2008 R2

In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2012

In-Place Upgrade of a Certification Authority from Windows Server 2008 R2 to Windows Server 2012 R2

Remote desktop connection no longer possible after in-place upgrade of Windows Server operating system

Assume the following scenario:

An in-place upgrade of the certification authority's operating system is performed.
After the upgrade I can no longer log in via Remote Desktop. The connection fails with the following error message:

An authentication error has occurred.
The function requested is not supported.
Remote Computer: 192.168.1.149
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

In German:

Authentifizierungsfehler.
Die angeforderte Funktion wird nicht unterstützt.
Remotecomputer: 192.168.1.149
Ursache könnte eine CredSSP Encryption Oracle-Abwehr sein.
Weitere Informationen finden Sie unter https://go.microsoft.com/fwlink/?linkid=866660

Should HTTPS be used for the Network Device Enrollment Service (NDES)?

The Network Device Enrollment Service (NDES) is Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP) developed by Cisco in the early 2000s. The first implementation was released with Windows Server 2003.

It may come as a surprise that NDES does not use Secure Socket Layer (SSL) for the HTTP connections in the default setting to this day. This fact is explained and evaluated in more detail below.