Tag: Group Policy

What happens if a user has requested multiple certificates?

I recently encountered the phenomenon that due to a faulty request logic, several users had made new certificate requests at regular intervals.

The certificate template was configured to have incoming certificate requests released by a certificate manager, i.e. the certificates were not issued automatically. The certificate requests were to be checked by a separate code and then released.

One would now expect that (since all certificate requests would eventually be approved) users would now find multiple certificates of the same type in their certificate store (and the applications that use it). However, this was not the case.

Continue reading „Was passiert, wenn ein Benutzer mehrere Zertifikate beantragt hat?“

Remote desktop certificate request fails with error message "The permissions on the certificate template do not allow the current user to enroll for this type of certificate."

Assume the following scenario:

The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
Continue reading „Die Beantragung von Remotedesktop-Zertifikaten schlägt fehl mit Fehlermeldung „The permissions on the certificate template do not allow the current user to enroll for this type of certificate.““

Remote desktop certificate request fails with error message "The requested certificate template is not supported by this CA."

Assume the following scenario:

The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The requested certificate template is not supported by this CA.
Continue reading „Die Beantragung von Remotedesktop-Zertifikaten schlägt fehl mit Fehlermeldung „The requested certificate template is not supported by this CA.““

Installation or uninstallation of a Windows feature fails with error message "The service is configured to not accept any remote shell requests."

Assume the following scenario:

  • A Windows role concerning Active Directory Certificate Services (Certification Authority, Network Device Enrollment Service (NDES), Certificate Authority Web Enrollment (CAWE), Certificate Enrollment Web Services (CEP, CES), or Online Certificate Service Provider (OCSP)) is to be installed or uninstalled.
  • The installation or uninstallation fails with the following error message:
The status of the role services on the target machine cannot be determined. Please retry. The error is The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.
Continue reading „Die Installation oder Deinstallation eines Windows-Features schlägt fehl mit Fehlermeldung „The service is configured to not accept any remote shell requests.““

Restrict extended key usage (EKU) for imported root certification authority certificates

A useful hardening measure for Certification Authorities is to restrict the Certification Authority certificates so that they are only used for the actually issued extended key usage (Extended Key Usage) becomes familiar.

In the event of a compromise of the certification authority, the damage is then limited to these Extended Key Usages. The smart card logon extended key usage would then only be present in the certification authority certificate of the certification authority that actually issues such certificates.

Continue reading „Die erweiterte Schlüsselverwendung (Extended Key Usage, EKU) für importierte Stammzertifizierungstellen-Zertifikate einschränken“

Configuration of security event monitoring (auditing settings) for certification authorities

In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.

Continue reading „Konfiguration der Überwachung von Sicherheitsereignissen (Auditierungseinstellungen) für Zertifizierungsstellen“

Standard auditing rules for Windows Server operating systems

Once a group policy with audit settings is active, the default auditing rules preconfigured with the operating system are turned off and only the explicitly configured audit settings are applied.

Continue reading „Standard-Auditierungsregeln für Windows Server Betriebssysteme“

Identify the active Remote Desktop (RDP) certificate

If one has a Remote Desktop Certificate Template and a appropriate group guidelines configured, or manually assigned a remote desktop certificateYou may want to verify that the certificates on the participating computers are being used correctly by the Remote Desktop session host.

Continue reading „Identifizieren des aktiven Remotedesktop (RDP) Zertifikats“

Configuring a Group Policy (GPO) for Remote Desktop (RDP) Certificates

After configuring a certificate template for the distribution of Remote Desktop certificates (see the article "Configuring a Certificate Template for Remote Desktop (RDP) Certificates"), a group policy is still required that instructs the participating computers to also use the certificates originating from the template.

Continue reading „Konfigurieren einer Gruppenrichtlinie (GPO) für Remotedesktop (RDP) Zertifikate“

Clients connected via Virtual Private Network (VPN) do not renew certificates automatically

Assume the following scenario:

  • Client computers automatically obtain certificates from an Active Directory integrated certificate authority (Enterprise Certification Authority).
  • Expiring certificates are renewed automatically when the clients are on the internal network.
  • However, expiring certificates are not automatically renewed when clients are connected via Virtual Private Network (VPN).
  • This can result in clients not renewing their certificate in time before it expires and no longer being able to connect to the VPN.
Continue reading „Über Virtual Private Network (VPN) verbundene Clients erneuern Zertifikate nicht automatisch“
en_USEnglish
de_DEDeutsch en_USEnglish