Analyze network problems with Wireshark without installing software on production systems

Often, problems with the public key infrastructure have their cause in the underlying network, for example a missing firewall rule.

It is therefore helpful to be able to record network traffic in order to analyze it. Excellent tools exist for this purpose, such as Wireshark, but these require an installation on the system in question, which cannot and should not be done lightly on a production system.

Fortunately, the Windows Server operating system has a built-in mechanism to capture network packets. However, the resulting files are not compatible with Wireshark. The Microsoft proprietary tool, Message Analyzer, was discontinued on Nov 25, 2019 and the download links removed.

The following therefore describes how such a recording can be generated and subsequently converted into a Wireshark-compatible format in order to be able to analyze the recording away from the server in question.

Continue reading „Analyze network problems with Wireshark without having to install software on production systems“

The display name of a certificate template is not resolved. Only the object identifier (OID) of the certificate template is displayed.

Assume the following scenario:

  • For a certificate template, only the object identifier is shown, but not the display name and/or
  • Queries against the certificate authority database contain only the object identifier for the certificate template ("CertificateTemplate" field), but not the display name.
Continue reading „The display name of a certificate template is not resolved. Only the object identifier (OID) of the certificate template is displayed.“

Is there a dependency between the Network Device Registration Service (NDES) and the NTAuthCertificates object?

The Network Device Registration Service (NDES) uses two Registration Authority certificates. Certificate requests are signed with the enrollment agent certificate, and the NDES device certificate template can be configured accordingly so that certificates are only issued if the submitted certificate requests carry a corresponding signature.

If you plan to remove the certification authority connected to the NDES from the NTAuthCertificates object, the question may arise as to whether mutual dependencies need to be taken into account here. After all, Enroll on Behalf Of (EOBO) requires the presence of the certification authority certificate in NTAuthCertificates.

Continue reading „Is there a dependency between the Network Device Registration Service (NDES) and the NTAuthCertificates object?“

Installation of a certificate authority fails with error code "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."

Assume the following scenario:

  • An attempt is made to install a certificate authority
  • The role configuration fails with the following error message:
An error occurred when creating the new key container "ADCS Labor Issuing CA 3". Please make sure the CSP is installed correctly or select another CSP.
Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).
Continue reading „Installation of a certificate authority fails with error code "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."“

Revocation check via online responder (OCSP) fails with HTTP error code 404 (HTTP_E_STATUS_NOT_FOUND)

Assume the following scenario:

Continue reading „Revocation check via online responder (OCSP) fails with HTTP error code 404 (HTTP_E_STATUS_NOT_FOUND)“

Installation of a certificate authority integrated into Active Directory using Windows PowerShell fails with error message "A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)".

Assume the following scenario:

  • A certification authority (Enterprise CA) integrated into Active Directory is installed using Windows PowerShell (Install-AdcsCertificationAuthority).
  • The role configuration fails with the following error message:
Install-AdcsCertificationAuthority : Active Directory Certificate Services setup failed with the following error: A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)
Continue reading „Installation of a certificate authority integrated into Active Directory using Windows PowerShell fails with error message "A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)"“

Force domain controller (or other participants) to use an online responder (OCSP)

By default, Windows systems fall back to a certificate revocation list (if available) after a certain number of OCSP requests, even if an online responder (OCSP) is configured, because this is usually more efficient in such a case. However, this behavior is not always desired.

For example, if smart card logons are used, one might want to know whether logons were performed with certificates that were issued without authorization. In conjunction with the deterministic "Good" of the online responder, this allows an (almost) seamless audit trail to be created for all smart card logons.

Continue reading „Force domain controllers (or other participants) to use an online responder (OCSP)“

Configure the "Magic Number" for the online responder

Even if an online responder is present in the network and the certification authorities have entered its address in the Authority Information Access (AIA) extension of the issued certificates, it is not always guaranteed that the online responder is actually used.

One variable here is the "Magic Number", which is present on every Windows operating system. It causes the system to fall back to revocation lists (if present) if requests are made too often via OCSP for the same certification authority.

Continue reading „Configure the "Magic Number" for the online responder“

Overview of the audit events generated by the online responder (OCSP)

The following is an overview of the audit events generated by the online responder in the Windows Event Viewer.

In contrast to operational events, which are often subsumed under the term "monitoring", auditing for the certification authority means configuring the logging of security-relevant events.

Continue reading „Overview of the audit events generated by the online responder (OCSP)“

Configure deterministic "good" for the online responder (OCSP).

In the default configuration, the online responder returns the status "Good" for requested certificates that do not appear on one of the configured revocation lists.

This can be problematic because the online responder has no knowledge of which certificates the certification authorities have actually issued. If an attacker succeeds in issuing a certificate with the private key of the certification authority without its knowledge, the online responder would not detect this, and the certificate would also show up as "Good" in the audit log.

Continue reading „Configure deterministic "Good" for the online responder (OCSP)“

The certification authority service does not start and throws the error message "The device that is required by this cryptographic provider is not ready for use. 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)"

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
The device that is required by this cryptographic provider is not ready for use. 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)
Continue reading „The certification authority service does not start and throws the error message "The device that is required by this cryptographic provider is not ready for use. 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)"“

Details of the event with ID 5127 of the source Microsoft-Windows-Security-Auditing

Event Source: Microsoft Windows Security Auditing
Event ID: 5127 (0x1407)
Event log: Security
Event type: Information
Event text (English): The OCSP Revocation Provider successfully updated the revocation information. CA Configuration ID: %1 Base CRL Number: %2 Base CRL This Update: %3 Base CRL Hash: %4 Delta CRL Number: %5 Delta CRL Indicator: %6 Delta CRL This Update: %7 Delta CRL Hash: %8
Event text (German, translated): The OCSP response service has successfully updated the revocation information. Certification authority configuration ID: %1 Base revocation list number: %2 Base revocation list, this update: %3 Base revocation list hash: %4 Delta revocation list number: %5 Delta revocation list indicator: %6 Delta revocation list, this update: %7 Delta revocation list hash: %8
Continue reading „Details of the event with ID 5127 of the source Microsoft-Windows-Security-Auditing“

Details of the event with ID 5126 of the source Microsoft-Windows-Security-Auditing

Event Source: Microsoft Windows Security Auditing
Event ID: 5126 (0x1406)
Event log: Security
Event type: Information
Event text (English): Signing Certificate was automatically updated by the OCSP Responder Service. CA Configuration ID: %1 New Signing Certificate Hash: %2
Event text (German, translated): The signing certificate was automatically updated by the OCSP response service. Certification authority configuration ID: %1 New signing certificate hash: %2
Continue reading „Details of the event with ID 5126 of the source Microsoft-Windows-Security-Auditing“

Details of the event with ID 5125 of the source Microsoft-Windows-Security-Auditing

Event Source: Microsoft Windows Security Auditing
Event ID: 5125 (0x1405)
Event log: Security
Event type: Information
Event text (English): A request was submitted to OCSP Responder Service.
Event text (German, translated): A request was submitted to the OCSP response service.
Continue reading „Details of the event with ID 5125 of the source Microsoft-Windows-Security-Auditing“