Category: Active Directory

Prevent smartcard logon to the network

Installing Active Directory Certificate Services in the default configuration automatically configures the environment to accept smart card logins from domain controllers.

Therefore, if the use of smart card logins is not desired, it makes sense to disable the functionality so that, in the event the certificate authority is compromised, it can not to jeopardize the Active Directory.

Continue reading „Smartcard Anmeldung im Netzwerk unterbinden“

How are the compatibility settings for certificate templates technically mapped?

Since the Certificate Services management tools in Windows Server 2012, you can select the desired compatibility for the certificate authority and certificate recipient when configuring a certificate template.

In the following, this function is described in more detail, as well as possible effects in practice.

Continue reading „Wie sind die Kompatibilitätseinstellungen für Zertifikatvorlagen technisch abgebildet?“

Automatically change passwords for accounts that require login via smartcard or Windows Hello for Business

A new feature of Windows Server 2016 is that the passwords for accounts that have a plain Login with smartcards be automatically renewed according to the password light lines.

If the "Smart card is required for interactive logon" option is enabled for a user account, the password of the user account is set to a random value once. However, the password never changes after that, which makes the account more vulnerable to pass-the-hash attacks.

The newly introduced feature solves this problem by generating new randomly generated passwords for corresponding accounts on a regular basis (depending on the password policy configured for the account).

Continue reading „Automatisches Ändern der Passwörter für Konten, die eine Anmeldung via Smartcard oder Windows Hello for Business erfordern“

Classification of ADCS components in the Administrative Tiering Model

If, in addition to the Active Directory Certificate Services, the administrative tiering model is also implemented for the Active Directory directory service, the question arises as to how the individual PKI components are to be assigned to this model in order to be able to perform targeted security hardening.

Continue reading „Einordnung der ADCS-Komponenten in das administrative Schichtenmodell (Administrative Tiering Model)“

Basics and risk assessment Delegation settings

Delegation is required whenever there is an intermediary between the user and the actual service. In the case of certification authority web registration, this would be the case if it is installed on a separate server. It then acts as an intermediary between the applicant and the certification authority.

Continue reading „Grundlagen und Risikobetrachtung Delegierungseinstellungen“

After installing or migrating a certificate authority to a new server, you can no longer publish your own certificate templates

Assume the following scenario:

Continue reading „Nach Installation oder Migration einer Zertifizierungsstelle auf einen neuen Server können keine eigenen Zertifikatvorlagen mehr veröffentlicht werden“

Requesting a certificate fails with the error message "You cannot request a certificate at this time because no certificate types are available."

Assume the following scenario:

  • You try to apply for a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • To do this, use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
  • The logged-in user also has the necessary permissions to request certificates from the certificate template in question (enroll).
  • You don't get any certificate templates to choose from, even though they are correctly published on the certificate authorities.
  • There is also no "Show hidden templates" option. This usually appears at the bottom left of the dialog.
  • The following error message is displayed:
Certificate types are not available. You cannot request a certificate at this time because no certificate types are available. If you need a certificate, contact your administrator.
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „You cannot request a certificate at this time because no certificate types are available.““

Publishing a certificate template on a CA fails with error message "The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

  • An administrator publishes a certificate template on a certificate authority.
  • The operation fails with the following error message:
The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
Continue reading „Das Veröffentlichen einer Zertifikatvorlage auf einer Zertifizierungsstelle schlägt fehl mit Fehlermeldung „The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)““

Use Authentication Mechanism Assurance (AMA) to secure administrative account logins.

Authentication Mechanism Assurance (AMA) is a feature designed to ensure that a user is a member of a security group only if they can be shown to have logged in using a strong authentication method (i.e., a smart card). If the user logs in via username and password instead, he or she will not have access to the requested resources.

Originally intended for access to file servers, however, AMA can also be used (with some restrictions) for administrative logon. Thus, for example, it would be conceivable for a user to be unprivileged when logging in with a username and password, and to have administrative rights when logging in with a certificate.

Continue reading „Verwenden von Authentication Mechanism Assurance (AMA) für die Absicherung der Anmeldung administrativer Konten“

Basics of certificate request via Certificate Enrollment Web Services (CEP, CES) with the MS-XCEP and MS-WSTEP protocols

With Windows Server 2008 R2 and Windows 7, a new functionality for certificate enrollment has been introduced: The Certificate Enrollment Web Services, which are mapped by two server roles:

  • Certificate Enrollment Policy Web Service (CEP)
  • Certificate Enrollment Web Services (CES)

The following is a description of the background to these roles, how they work, and the possible deployment scenarios.

Continue reading „Grundlagen Zertifikatbeantragung über Certificate Enrollment Web Services (CEP, CES) mit den Protokollen MS-XCEP und MS-WSTEP“

Basics of manual and automatic certificate requests via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM) with the MS-WCCE protocol

The following describes the process that runs in the background when certificates are requested manually or automatically in order to achieve the highest possible level of automation.

Continue reading „Grundlagen manuelle und automatische Zertifikatbeantragung über Lightweight Directory Access Protocol (LDAP) und Remote Procedure Call / Distributed Common Object Model (RPC/DCOM) mit dem MS-WCCE Protokoll“

Manually running the autoenrollment process

By default, all domain members automatically replicate the Public Key Services object he Active Directory forest through the autoenrollment process. The triggers for this are:

  • When the user logs in (for computers, when the computer account logs in, i.e. at system startup).
  • By timer every 8 hours.
  • When updating group policies, assuming there has been a change.

If you do not want to wait for the autoenrollment to be triggered automatically, you can start it manually. The different ways to run the autoenrollment process are described below.

Continue reading „Manuelles Ausführen des Autoenrollment Prozesses“

Associate a universal security group with an Object Identifier (OID) in the Active Directory directory service (Authentication Mechanism Assurance).

Authentication Mechanism Assurance (AMA) provides the ability to tie membership in a security group to enrollment with a smart card certificate containing a specific Object Identifier (OID).

If the user does not log in with the smartcard certificate, but with user name and password, he is also not a member of the security group.

The following describes how to establish the connection between the certificate and the security group.

Continue reading „Eine universelle Sicherheitsgruppe mit einem Object Identifier (OID) im Active Directory Verzeichnisdienst verbinden (Authentication Mechanism Assurance)“

Configuring a Certificate Template for Authentication Mechanism Assurance (AMA)

Authentication Mechanism Assurance (AMA) provides the ability to tie membership in a security group to enrollment with a smart card certificate containing a specific Object Identifier (OID).

If the user does not log in with the smartcard certificate, but with user name and password, he is also not a member of the security group.

The following describes how to generate a certificate template for use with Authentication Mechanism Assurance.

Continue reading „Konfigurieren einer Zertifikatvorlage für Authentication Mechanism Assurance (AMA)“
en_USEnglish
de_DEDeutsch en_USEnglish