There are situations in which you cannot operate NDES with changing passwords. This is usually the case when there is either no management solution for the devices to be managed, or when it cannot handle changing passwords.
In this case, you can configure NDES to generate a static password that will not change afterwards.
For test environments, it is often helpful to be able to work with smartcards. Below is a brief guide on how to set up a virtual smartcard in a Hyper-V guest using a virtualized Trusted Platform Module (TPM).
Continue reading „Erstellen einer virtuellen Smartcard in einem Hyper-V Gastsystem“In order for domain controllers to process smart card logins, they need certificates that provide this function.
Continue reading „Domänencontroller-Zertifikatvorlagen und Smartcard Anmeldung“There may be cases where it is necessary to install the standard Microsoft certificate templates before installing the first Active Directory integrated certificate authority (Enterprise Certification Authority), or to reinstall the templates, for example because they have been corrupted or otherwise modified.
Continue reading „(Neu-) Installieren der Microsoft Standard Zertifikatvorlagen“In the default configuration, all certification authority certificates of Active Directory integrated certification authorities (Enterprise Certification Authority) are located in an object of type CertificationAuthority named NTAuthCertificates within the Configuration Partition of the Active Directory forest.
Continue reading „Bearbeiten des NTAuthCertificates Objektes im Active Directory“In simple terms, public key cryptography can be reduced to the assumption that the private part of each key pair is known only to its owner.
A certification authority is responsible for the correct identification of users, computers or resources. Its issued certificates are therefore granted a trust status because all participants assume that their private key is known only to it.
If an attacker succeeds in gaining knowledge of a certification authority's private key, or at least Perform signatures using the private key, the integrity of the certification authority is no longer guaranteed.
Continue reading „Angriffsvektor auf den Active Directory Verzeichnisdienst über den Smartcard Logon Mechanismus“A useful hardening measure for Certification Authorities is to restrict the Certification Authority certificates so that they are only used for the actually issued extended key usage (Extended Key Usage) becomes familiar.
In the event of a compromise of the certification authority, the damage is then (at least) limited to the defined extended key usages.
The Smart Card Logon Extended Key Usage, which is of interest for many attacks (in conjunction with the certification authority's membership in NTAuthCertificates) would then only be present in the certification authority certificate of the certification authority that actually issues such certificates.
Continue reading „Grundlagen: Einschränken der erweiterten Schlüsselverwendung (Extended Key Usage, EKU) in Zertifizierungsstellen-Zertifikaten“Assume the following scenario:
The Network Device Enrollment Service cannot create or modify the registry key "Software\Microsoft\Cryptography\MSCEP\EncryptedPassword". Grant Read and Write permissions on the registry key "Software\Microsoft\Cryptography\MSCEP" to the account that the Network Device Enrollment Service is running as.Continue reading „Der Registrierungsdienst für Netzwerkgeräte (NDES) protokolliert die Fehlermeldung „The Network Device Enrollment Service cannot create or modify the registry key Software\Microsoft\Cryptography\MSCEP\EncryptedPassword.““
Assume the following scenario:
You do not have sufficient permission to enroll with SCEP. Please contact your system administrator.
Continue reading „Die Network Device Enrollment Service (NDES) Administrations-Webseite (certsrv/mscep_admin) meldet „You do not have sufficient permission to enroll with SCEP. Please contact your system administrator.““ Assume the following scenario:
Assume the following scenario:
CMSCEPSetup::Install: The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)Continue reading „Die Rollenkonfiguration für den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit Fehlermeldung „CMSCEPSetup::Install: The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)““
Assume the following scenario:
The password cache is full.Continue reading „Die Network Device Enrollment Service (NDES) Administrations-Webseite (certsrv/mscep_admin) meldet „The password cache is full.““
When planning a public key infrastructure, the question naturally arises as to which key lengths should be selected for certification authority and end certificates.
Continue reading „Welche Schlüssellängen sollten für Zertifizierungsstellen und Zertifikate verwendet werden?“Google is a major player with the Chromium project and products based on it such as Google Chrome and Microsoft Edge have moved to implement the RFC 2818 and to no longer trust certificates that no longer fulfill the RFC.
For us, the following sentence is of great explosiveness:
Continue reading „Erzeugen einer RFC 2818 konformen Zertifikatanforderung für SSL Zertifikate“If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead
https://tools.ietf.org/html/rfc2818
By default, the Network Device Enrollment Service (NDES) requests certificates from the "IPsec (Offline Request)" template. This certificate template is from Windows 2000 times and cannot be edited. Therefore, it is recommended to change the default settings and use your own certificate templates that serve your personal requirements.
Continue reading „Gerätevorlage für den Registrierungsdienst für Netzwerkgeräte (NDES) konfigurieren“
English 
Deutsch