Enabling Secure Sockets Layer (SSL) for the Network Device Enrollment Service (NDES).

In the default configuration, the Network Device Enrollment Service (NDES) only accepts unencrypted connections via HTTP. It is recommended that at least the NDES administration web page be configured for HTTP over TLS (HTTPS) to make it difficult to capture network traffic. The following is a guide.

For a closer look at the need to use SSL, see the article "Should HTTPS be used for the Network Device Enrollment Service (NDES)?„.

Continue reading „Secure Sockets Layer (SSL) für den Registrierungsdienst für Netzwerkgeräte (NDES) aktivieren“

Moving Network Device Enrollment Service (NDES) to another certification authority

Assume the following scenario:

  • There is one NDES instance installed on the network.
  • The Certification Authority issuing to NDES is to be changed.

The official statement on this is that NDES must be reinstalled and reconfigured in this case. However, this is not necessary. The necessary steps are described below.

Continue reading „Network Device Enrollment Service (NDES) auf eine andere Zertifizierungsstelle umziehen“

Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions

Assume the following scenario:

  • One installs a Network Device Enrollment Service (NDES) server.
  • The role configuration fails with the following error message: 
Insufficient access rights to perform this operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS

Typically, the NDES roll configuration requires, that the installing user is a member of the Enterprise Admins group. However, this is not technically necessary and contradicts Microsoft's security hardening recommendations, since NDES is not (necessarily) a system that is assigned to the highest security layer (Tier-0).

Below is a way to configure the NDES role even without the required permissions.

Continue reading „Den Registrierungsdienst für Netzwerkgeräte (NDES) ohne Enterprise Administrator Berechtigungen installieren“

Role configuration for Network Device Enrollment Service (NDES) fails with error message "CMSCEPSetup::SetMSCEPSetupProperty: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario

  • One installs a Network Device Enrollment Service (NDES) server
  • The role configuration fails with the following error message: 
CMSCEPSetup::SetMSCEPSetupProperty: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
Continue reading „Die Rollenkonfiguration für den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit Fehlermeldung „CMSCEPSetup::SetMSCEPSetupProperty: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)““

Using custom Registration Authority (RA) certificate templates for the Network Device Enrollment Service (NDES).

The Network Device Enrollment Service (NDES) uses two certificate templates for its internal function to make it act as a Registration Authority (RA). These are published during role configuration of the NDES service on the configured certificate authority and certificates are requested:

  • CEP Encryption
  • Exchange Enrollment Agent (Offline Request)

These certificate templates are standard templates from the Windows 2000 world (version 1 templates), i.e. they cannot be edited. In addition, the Exchange Enrollment Agent (Offline Request) template is marked as a user template, i.e. during NDES role configuration the certificate is requested in the context of the installing user and then imported into the machine store. At the latest when the certificates are to be renewed after two years, things get complicated here.

It is therefore a good idea to use your own certificate templates for NDES. These can be adapted in terms of their key length, for example. The use of hardware security modules (HSM) is also possible in this way. Even automatic renewal can be configured.

Continue reading „Eigene Registration Authority (RA) Zertifikatvorlagen für den Registrierungsdienst für Netzwerkgeräte (NDES) verwenden“

When installing a new certificate authority certificate, you get the error message "The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)".

Assume the following scenario:

  • One installs a new certification authority certificate on the certification authority, either because the certification authority was newly installed, or because the certification authority certificate was renewed.
  • During the installation you get the following error message:
Cannot verify certificate chain. Do you wish to ignore the error and continue? The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
Continue reading „Bei der Installation eines neuen Zertifizierungsstellenzertifikats erhält man die Fehlermeldung „The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)““

Publishing a certificate revocation list (CRL) fails with the error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".

Assume the following scenario:

  • An attempt is made to publish a new certificate revocation list (CRL) on a certification authority
  • The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
  • Publishing the certificate revocation list fails with the following error message: 
Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)
Continue reading „Die Veröffentlichtung einer Zertifikatsperrliste (CRL) schlägt fehl mit der Fehlermeldung „Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)““

Publishing a certificate revocation list (CRL) fails with the error message "Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)".

Assume the following scenario:

  • An attempt is made to publish a new certificate revocation list (CRL) on a certification authority.
  • The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
  • Publishing the certificate revocation list fails with the following error message:
Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)
Continue reading „Die Veröffentlichtung einer Zertifikatsperrliste (CRL) schlägt fehl mit der Fehlermeldung „Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)““

Domain controller does not check extended key usage on smart card login

Anyone who wants to use the smartcard logon function in their company would be well advised to ensure that their certification authority has the strongest possible security hardening. This includes some essential measures:

  • Removing all unnecessary certification authority certificates from the NTAuthCertificates object in Active Directory: Each certification authority located in this store is authorized to issue smartcard logon certificates in Active Directory for the complete forest.
  • Use qualified subordinationRestricting the certification authority certificates so that they are only trusted for the extended key usages actually issued. In the event of a compromise of the certification authority, the damage is then limited to these extended key usages. The "Smart Card Logon" Extended Key Usage would then only be present in the certification authority certificate of the certification authority that actually issues such certificates.

What is interesting about these thoughts, however, is that the domain controllers do not check the extended key usages at all when logging in via smartcard.

Continue reading „Domänencontroller überprüfen erweiterte Schlüsselverwendung (Extended Key Usage) bei Smartcard Anmeldung nicht“

Active Directory forest compromised by EDITF_ATTRIBUTESUBJECTALTNAME2 flag

In net circulate unfortunately much at many Instructions (also the big players are not excluded from this, not even Microsoft itself or the Grand Master Komar), which fatally recommends that the EDITF_ATTRIBUTESUBJECTALTNAME2 flag should be set on the certification authority - supposedly to be able to issue Subject Alternative Name (SAN) extension certificates for manually submitted certificate requests.

Unfortunately, this approach is not only unnecessary, it also has some unpleasant side effects, which in the worst case can help an attacker to take over the entire Active Directory forest.

Continue reading „Gefährdung der Active Directory Gesamtstruktur durch das Flag EDITF_ATTRIBUTESUBJECTALTNAME2“

What requirements must be met on the infrastructure side for smartcard logins to be possible?

In order for a smart card login to be successful, some requirements must be met in the Active Directory environment:

Continue reading „Welche Voraussetzungen müssen auf Infrastruktur-Seite erfüllt sein, damit Smartcard-Anmeldungen möglich sind?“

Removing ADCS-specific extensions from certificates

When using Active Directory Certificates, it is noticeable that there are certain extensions in the certificates of the certification authorities and the certificates they issue that are not defined in the relevant RFCs and are specific to AD CS.

Continue reading „Entfernen der ADCS-spezifischen Erweiterungen aus Zertifikaten“

Firewall rules required for Active Directory Certificate Services

Implementing an Active Directory integrated certification authority often requires planning the firewall rules to be created on the network. The following is a list of the required firewall rules and any pitfalls.

Continue reading „Benötigte Firewallregeln für Active Directory Certificate Services“

Description of the EDITF_ADDOLDKEYUSAGE flag

When installing a subordinate certificate authority, you may encounter the following behavior:

  • One requests a Key Usage extension that is marked as critical, for example, or does not include DigitalSignature.
  • However, the certificate issued by the parent certificate authority includes DigitalSignature, and the Key Usage extension is marked as non-critical.
  • The parent certification authority is a standalone certification authority, i.e. without Active Directory integration.
Continue reading „Beschreibung des Flags EDITF_ADDOLDKEYUSAGE“

Installing Remote Server Administration Tools for Active Directory Certificate Services on Windows 10 version 1809 and later

Since Windows 10 version 1809, the remote server management tools can no longer be found as a standalone download, but are part of Features on Demand.

Continue reading „Remoteserver-Verwaltungstools für Active Directory Certificate Services auf Windows 10 ab Version 1809 installieren“
en_USEnglish
de_DEDeutsch en_USEnglish