New blog on Active Directory Certificate Services with a focus on security

I'm happy to announce that my much appreciated former colleague Dagmar Heidecker is blogging again.

In her new role at the Microsoft Compromise Recovery Security Practice Dagmar's thematic focus is especially (but not only) on security topics around Active Directory Certificate Services and related components.

Her blog can be found at the Core Infrastructure and Security Blog.

Manual assignment of a Remote Desktop certificate fails with error message "Invalid parameter".

Assume the following scenario:

Set-WMIInstance : Invalid parameter
 At line:1 char:1
 Set-WMIInstance -path $TerminalServicesConfig.__path -argument @{SSLC ...
 ~~~~~~~~~~~~~~~~~ CategoryInfo : InvalidOperation: (:) [Set-WmiInstance], ManagementException
 FullyQualifiedErrorId : SetWMIManagementException,Microsoft.PowerShell.Commands.SetWmiInstance
Continue reading „Die manuelle Zuweisung eines Remotedesktop-Zertifikats schlägt fehl mit Fehlermeldung „Invalid parameter““

When restoring a certification authority, the certification authority certificate is not selectable during role installation

Assume the following scenario:

Continue reading „Bei der Wiederherstellung einer Zertifizierungsstelle ist das Zertifizierungsstellen-Zertifikat bei der Rollen-Installation nicht auswählbar“

Installation of a certificate authority certificate fails with error message "Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)".

Assume the following scenario:

  • A new certification authority is installed.
  • After configuring the certification authority role and issuing the certification authority certificate, it should now be installed on the certification authority.
  • A hardware security module (HSM) is used to protect the private key of the certification authority certificate.
  • The installation of the certificate authority certificate fails with the following error message:
An error was detected while configuring Active Directory Certificate Services.
The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration.
The new certificate public key does not match the current outstanding request.
The wrong request may have been used to generate the new certificate: Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)
Continue reading „Die Installation eines Zertifizierungsstellen-Zertifikats schlägt fehl mit Fehlermeldung „Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)““

Reconnecting to the private key fails with error message "Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Cannot find object or property.
Continue reading „Die Wiederherstellung der Verbindung zum privaten Schlüssel schlägt fehl mit Fehlermeldung „Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““

Installation of the default certificate templates fails with error message "This security ID may not be assigned as the owner of this object."

Assume the following scenario:

  • For the first time, a certification authority (Enterprise Certification Authority) integrated into Active Directory is to be installed in the network.
  • The rights to install the certificate authority have been delegated to a separate security group or account for security reasons, so no Enterprise Administrator login is required. Put another way: The user used is not a member of the Enterprise Administrators group in the Active Directory forest.
  • Since this is the first certification authority in the network, no Standard certificate templates installed in the Active Directory. When opening the certificate template management console (certtmpl.msc), one is prompted to install it.
  • The installation fails with the following error message:
Windows could not install the new certificate templates. This security ID may not be assigned as the owner of this object.
Continue reading „Die Installation der Standard-Zertifikatvorlagen schlägt fehl mit Fehlermeldung „This security ID may not be assigned as the owner of this object.““

Code signatures of Appx packages via SignTool.exe fail with error code 0x8007000b (ERROR_BAD_FORMAT)

Assume the following scenario:

  • An Appx package is to be signed.
  • For this purpose the SignTool.exe used.
  • The code signing certificate used was recently renewed.
  • The signing process with the new code signing certificate fails with the following error message:
"Error: SignerSign() failed." (-2147024885/0x8007000b)
Continue reading „Codesignaturen von Appx Paketen per SignTool.exe schlagen fehl mit Fehlercode 0x8007000b (ERROR_BAD_FORMAT)“

Issue certificates with shortened validity period

Sometimes it is necessary to issue certificates with a shorter validity period than configured in the certificate template. Therefore, you may not want to reconfigure the certificate template right away or create another certificate template.

Continue reading „Zertifikate mit verkürzter Gültigkeitsdauer ausstellen“

Root certificates are imported on domain members into the certificate store for intermediate certificate authorities

Some will have noticed that the certificate store for intermediate CAs usually also contains certificates for root CAs.

As a rule, this behavior is not critical. In certain cases however, this can also cause problems with applications.

Continue reading „Stammstellen-Zertifikate werden auf Domänenmitgliedern in den Zertifikatspeicher für Zwischenzertifizierungsstellen importiert“

Basics: The Key Usage Certificate Extension

Certificate extensions were introduced with version 3 of the X.509 standard. The Key Usage extension is an optional certificate extension that can be used in the RFC 5280 is defined and is used to limit the allowed uses for a key.

Continue reading „Grundlagen: Die Key Usage Zertifikaterweiterung“

Establish a mapping from a user certificate to the associated computer

Assume the following scenario:

  • A user's computer is stolen or infected with malware.
  • The integrity of certificates located on the computer can no longer be guaranteed.
  • The certificates of the user(s) that were requested on this computer must be revoked.
  • However, one would like to avoid revoking all certificates of a user.
  • Thus, a connection must be established between the user's certificates and the computer on which they were requested.

If the certificates were issued by Autoenrollment requested, we can take advantage of the fact that a corresponding attribute was part of the original certificate request, and that the certificate request is stored in the certificate authority database along with the certificate.

Continue reading „Eine Zuordnung von einem Benutzerzertifikat zum dazugehörigen Computer herstellen“

No remote desktop logon possible from outside the Active Directory forest

Assume the following scenario:

  • You want to establish a remote desktop connection.
  • The client computer from which the connection is made is not a member of the same Active Directory forest as the target computer.
  • The connection fails with the following error message:
A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.
Continue reading „Keine Anmeldung per Remotedesktop von außerhalb der Active Directory Gesamtstruktur möglich“

Login to the Network Device Enrollment Service (NDES) administration web page fails with HTTP error code 401 "Unauthorized: Access is denied due to invalid credentials."

Assume the following scenario:

  • An NDES server is configured on the network.
  • When calling the NDES administration web page (certsrv/mscep_admin) is not possible.
  • After several unsuccessful login attempts, the following HTTP error message is returned:
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
Continue reading „Die Anmeldung an der Administrations-Webseite für den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit HTTP Fehlercode 401 „Unauthorized: Access is denied due to invalid credentials.““

Electronic data exchange with the German Pension Insurance

Recently, together with the B-I-T GmbH Information and processes from Hanover worked on implementing the electronic data exchange with the statutory health insurance funds and the pension insurance from one application.

Here, a combination of authenticated data transmission of both signed and encrypted messages is used. PKI technologies are used in all these cases.

The message format used is here documented.

Continue reading „Elektronischer Datenaustausch mit der Deutschen Rentenversicherung“

Restoring certificates from the SMTP Exit Module data

If you restore a certification authority from a backup after a disaster has occurred, you will probably find that certificates were issued in the period between the last backup and the system failure with corresponding data loss.

These certificates are now not stored in the restored certificate authority database, so they cannot be restored if needed.

If you are using the SMTP Exit Module, you can at least determine the serial numbers of the certificates from the sent e-mails and revoke them.

Continue reading „Wiederherstellen von Zertifikaten aus den Daten des SMTP Exit Moduls“
en_USEnglish
de_DEDeutsch en_USEnglish