Tag: Smartcard Logon

Active Directory forest compromised by EDITF_ATTRIBUTESUBJECTALTNAME2 flag

In net circulate unfortunately much at many Instructions (also the big players are not excluded from this, not even Microsoft itself or the Grand Master Komar), which fatally recommends that the EDITF_ATTRIBUTESUBJECTALTNAME2 flag should be set on the certification authority - supposedly to be able to issue Subject Alternative Name (SAN) extension certificates for manually submitted certificate requests.

Unfortunately, this approach is not only unnecessary, it also has some unpleasant side effects, which in the worst case can help an attacker to take over the entire Active Directory forest.

Continue reading „Gefährdung der Active Directory Gesamtstruktur durch das Flag EDITF_ATTRIBUTESUBJECTALTNAME2“

Overview of the different generations of domain controller certificates

Over the generations of Windows operating systems, various certificate templates for domain controllers have been established. In a current Active Directory directory service, one will find three different templates for this purpose.

  • Domain controller
  • Domain Controller Authentication
  • Kerberos Authentication

Below is a description of each template and a recommendation for configuring domain controller certificate templates.

Continue reading „Übersicht über die verschiedenen Generationen von Domänencontroller-Zertifikaten“

certutil -dcinfo fails with error message "KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

  • Domain controllers have certificates for LDAP over SSL.
  • The certificates do not include the Extended Key Usage "Smart Card Logon" or "Kerberos Authentication".
  • If you run certutil -dcinfo, the command reports the following error message:
0 KDC certificates for DC01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
Continue reading „certutil -dcinfo schlägt fehl mit Fehlermeldung „KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““

Manual application for a domain controller certificate

There are cases where you cannot or do not want to obtain domain controller certificates from a certification authority in your own Active Directory forest.

In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).

Continue reading „Manuelle Beantragung eines Domänencontroller-Zertifikats“
en_USEnglish
de_DEDeutsch en_USEnglish