Enabling Basic Authentication for the Network Device Enrollment Service (NDES)

If the Network Device Enrollment Service (NDES) is reinstalled (Preferably without Enterprise Administrator permissions), only the Windows-integrated authentication for the administration web page is activated at first. With this (via NT LAN Manager, NTLM) protocol, authentication via user name and password is also possible. However, not all client applications support this.

Likewise, a company might be willing to, Disable NTLM where possible and enforce Kerberos for login. Enforcing Kerberos removes the ability to log in to the Network Device Registration Service administration page via username and password (since this is done with NTLM credentials). However, Basic Authentication can be retrofitted to provide an option here again.

One way out of this dilemma can be Basic Authentication, the setup of which will be explained below.

Continue reading „Aktivieren der Basic Authentication für den Registrierungsdienst für Netzwerkgeräte (NDES)“

Disabling NTLM and enforcing Kerberos at the Network Device Enrollment Service (NDES) administration web page.

Many companies pursue the strategy of (largely) disabling the NT LAN Manager (NTLM) authentication protocol in their networks.

This is also possible for the administration web page of the network device registration service (NDES). How exactly this is implemented and how this may change the application behavior is explained below.

Continue reading „Deaktivieren von NTLM und erzwingen von Kerberos an der Administrations-Webseite des Registrierungsdienstes für Netzwerkgeräte (NDES)“

Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754)

With the May 10, 2022 patch, Microsoft is attempting to patch a vulnerability in the Active Directory in which the certificate-based enrollment (commonly known as PKINIT or also Smartcard Logon) to close.

The update changes both the behavior of the Certification Authority as well as the behavior of Active Directory when processing certificate-based logins.

Continue reading „Änderungen an der Zertifikatausstellung und an der zertifikatbasierten Anmeldung am Active Directory mit dem Patch für Windows Server vom 10. Mai 2022 (KB5014754)“

Selecting the identity for the IIS Network Device Enrollment Service (NDES) application pool.

If one installs a Network Device Enrollment Service (NDES), one is faced with the question under which identity the IIS application pool should be operated. In the following, the individual options are examined in more detail in order to facilitate a selection.

Continue reading „Auswahl der Identität für den IIS Anwendungspool des Registrierungsdienstes für Netzwerkgeräte (NDES)“

About the "Build this from Active Directory information" option for certificate templates

When configuring a certificate template, one must decide on the intended certificate content, i.e., among other things, which identities are confirmed by the certificates and how they are mapped.

In the "Subject Name" tab of the certificate template configuration dialog, you can configure how the identity confirmed by the certificate is mapped.

Continue reading „Zur Option „Build this from Active Directory information“ bei Zertifikatvorlagen“

Verification of the domain controller certificates throws the error code ERROR_ACCESS_DENIED

Assume the following scenario:

  • With certutil a verification of the domain controller certificates is performed.
  • The operation fails with the following error message:
0: DC01

*** Testing DC[0]: DC01
Enterprise Root store: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
KDC certificates: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

CertUtil: -DCInfo command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
Continue reading „Die Überprüfung der Domänencontroller-Zertifikate wirft den Fehlercode ERROR_ACCESS_DENIED“

Basics: Automatic Certificate Management Environment (ACME)

The ACME protocol was developed by the operators of the project Let's Encrypt designed to support the exhibition of Web server certificates to automate. It is specified in RFC 8555.

The goal is to make the process of proving ownership of the DNS resource (IP addresses cannot currently be identified, but this is planned in the future), but not of the person or organization behind it, in order to subsequently be able to obtain a web server certificate without human interaction.

Continue reading „Grundlagen: Automatic Certificate Management Environment (ACME)“

Basics: Name Constraints

Name restrictions are a part of the X.509 standard and in the RFC 5280 described. They are a tool that can be used within the qualified subordination can be used to control the validity range of a certification authority certificate in a fine-grained manner.

Continue reading „Grundlagen: Namenseinschränkungen (Name Constraints)“

It's time: Migrating the PKI components from Windows Server 2012 to a new operating system

At the turn of the year, a note to all operators of a Microsoft Certification Authority and connected services:

The End of Microsoft product support for Windows Server 2012 and 2012 R2 is slowly approaching, it is the October 10, 2023.

Thus, it is time to prepare for the move to a new operating system.

Continue reading „Es wird Zeit: Migrieren der PKI Komponenten von Windows Server 2012 auf ein neues Betriebssystem“

Requesting certificates with elliptic curve based keys fails when using Microsoft Platform Crypto Provider

Assume the following scenario:

Error: The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)

On Windows Server 2016, the error message "No provider was specified for the store or object. 0x80092006 (-2146885626 CRYPT_E_NO_PROVIDER)" is issued with otherwise identical behavior.

Continue reading „Die Beantragung von Zertifikaten mit auf elliptischen Kurven basierenden Schlüsseln schlägt fehl, wenn der Microsoft Platform Crypto Provider verwendet wird“

Basics: Elliptic curves with regard to their use in the public key infrastructure

With Windows Vista and Windows Server 2008, the Cryptography API: Next Generation (CNG) was introduced into the Windows systems.

This term refers to a collection of modern cryptographic functions. Among other things, the CNG enables the use of certificates that use keys based on elliptic curves (also called Elliptic Curve Cryptography, ECC) with the Microsoft Certification Authority and the Windows operating system.

Continue reading „Grundlagen: Elliptische Kurven in Hinsicht auf ihre Verwendung in der Public Key Infrastruktur“

Microsoft Outlook: Signed e-mail messages are rejected by the receiving mail server with error message "Invalid S/MIME encrypted message."

Assume the following scenario:

  • A user sends an e-mail message signed with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The sender uses Microsoft Outlook for Macintosh.
  • The receiving mail server rejects the message and sends back a Non-Delivery Report (NDR):
550 5.6.0 M2MCVT.StorageError.Exception: ConversionFailedException - , Content conversion: Invalid S/MIME encrypted message.; storage error in content conversion.
Continue reading „Microsoft Outlook: Signierte E-Mail Nachrichten werden vom empfangenden Mailserver abgelehnt mit Fehlermeldung „Invalid S/MIME encrypted message.““

What happens if a user has requested multiple certificates?

I recently encountered the phenomenon that due to a faulty request logic, several users had made new certificate requests at regular intervals.

The certificate template was configured to have incoming certificate requests approved by a certificate manager, i.e., certificates were not issued automatically. Certificate requests were to be checked using a separate code and then approved.

One would now expect that (since all certificate requests would eventually be approved) users would now find multiple certificates of the same type in their certificate store (and the applications that use it). However, this was not the case.

Continue reading „Was passiert, wenn ein Benutzer mehrere Zertifikate beantragt hat?“

It is not possible to create a certificate template. Error message "The following template name has already been used".

Assume the following scenario:

  • A new certificate template is to be created.
  • The creation fails with the following error message:
The following template name has already been used: ADCSLaborBenutzerTest. Enter a unique template name.
Continue reading „Die Erzeugung einer Zertifikatvorlage ist nicht möglich. Fehlermeldung „The following template name has already been used““

Operating the Certification Authority without exit module

If a certification authority is installed, the "Windows Default" exit module is automatically activated. This enables e-mail messages to be sent when certain events occur at the certification authority. However, most companies do not use this feature at all.

However, even if the exit module is not used at all, it causes sessions on the certification authority database (see Event no. 46). On Certification Authorities with high load this can be problematic.

If the functions it offers are not used at all (The „Windows Default“ exit module does not work under Windows Server Core.), it can also be disabled completely.

Continue reading „Betreiben der Zertifizierungsstelle ohne Exit Modul“
en_USEnglish