IT Consultant Everyday Notes

Just some problems/solutions storage

Tag Archives: Certificates

PKI: Active Directory Web Service (ADWS) logs Event ID 1400 after changing DC certificate from “Domain Controller” template to “Kerberos Authentication” template.

Microsoft recommends using “Kerberos Authentication” template for Domain Controllers instead of older “Domain Controller” and “Domain Controller Authentication” templates https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki

we can easily do so creating a duplicate of “Kerberos Authentication” template and set up a superseding for templates issued based on older templates.

One of my Customers complained that when he did so, Active Directory Web Services (used, for example for remote Power Shell connect) started to log a Warning (Even Id 1400), regardless the fact the certificate has proper EKU and the server FQDN is included in subject name (as DNS name as it is described in the article) and in SAN.

image

Event Id: 1400

Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.
Certificate name:

It is important to note that by default “Kerberos Authentication” template has Subject name set to None as per RFC 3280, so he customized the template duplicate and put “DNS name” under “Subject name format”.

Resolution:

I created a new duplicate of the Kerberos Authentication template (Server 2003 Compatibility level!!!) and add a Common Name to the Subject Name field

image

after that I added the template to my CA and requested the template-based certificate from my Domain Controller. I removed the old certificatee to keep just one certificate in the Local machine store.

image

After after restart ADWS successfully recognized the certificate (Even Id 1401).

imageNote: Microsoft has an article saying the empty Subject name is fine from RFC point of view, but that can cause issues with third-party apps… It looks like not only with third party Smile

PKI: Enterprise PKI MMC displays a Subordinated CA as offline

I built a two layer PKI infrastructure and brought an Enterprise PKI MMC to verify the infrastructure health. All is ok but an Issuing CA. That was displayed with Status: ‘Error” and the message was “This CA is currently offline or unavailable”.

 

At the same time I could right-click it, select manage and it brought a very nice working CA MMC for me. So the CA is up and running and works fine, but for some reasons shown as offline in Enterprise PKI MMC.

Google did not bring too much, but search in Technet Forums gave a clue: https://social.technet.microsoft.com/Forums/en-US/fc8f6eba-447e-4e3f-a833-3b71bb3fc575/enterprise-pkiviewmsc-error-for-new-subca?forum=winserversecurity

I granted all permissions to my Domain Admins (this is Lab, otherwise it would be a custom security group). By default it was Manage CA and Issue and Manage Certificates only.

SNAGHTML48ce8f7f

and restarted the Certificate Services. After that Enterprise PKI became nice and green.

Lync 2013: Multi-user IM conferencing issue (really Certificate chain issue)

 

Our IT guys called me seeking for support with a weird issue. Multi-user IM conferencing starts to fail. I checked and see an attempt to start “Meet now” failed too with error on connection to conferencing server.

On Client side it gives Error 500 (source ID 239).

SNAGHTML100c6331

In Event Log of Front end Server I saw Event ID 32042 from LS User Services:

“Invalid Incoming HTTPS Certificate”

SNAGHTMLfff905b

 

I checked the certificate and it looked perfectly fine, not expired and with a proper chain.

Next day most contacts in Lync Client were observed in “Updating…” state. Not good.

 

Resolution:

We deployed a Microsoft KB 2901554 to fix SChannel Authentication Provider on Windows Server 2012 R2

Next I Run the following Power Shell command (one line):

Get-Childitem cert:\LocalMachine\root -Recurse |Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File c:\computer_filtered.txt

to figure out if there are any intermediate certs in Trusted Root certificate folder as recommended in this article

And found one certificate in the wrong container. I moved it in Intermediate Certification Authorities and restarted Lync Services. After that the issue seems to be resolved.

Lync: Request certificate for Reverse Proxy

First of all, Microsoft has an article for that.

But, the article did not work for me – Entrust needed additional fields (like Country, Locality) filled and for some reasons all my CSRs had 1024 key request even though I put 2048 in MMC Wizard.

Finally I decided to do it old way, via .inf file and certreq tool.

here is .inf file I created:

SNAGHTML4b3b961

Note: the CSR requests SHA-1 certificate. Microsoft supports SHA-1 until 2017. You can tweak it to request SHA-2 cert.

PKI: How to clean faulty Certificate Request

I recently needed to update an Entrust certificate on my Lync Reverser Proxy. Lync does not have a Wizard to generate CSR so I used Microsoft KB https://technet.microsoft.com/en-us/library/gg429704(v=ocs.15).aspx to generate it. Unfortunately KB does not say you need to add Country, Locality and other information and CSR generated failed on Entrust. I added information, but in this case CSR failed because of key length – it has 1024 even though I put 2048. so I end up with several faulty CSRs. How to clean them out? Google search brought me some powershell scripts. Looked a bit too complex. Finally I found an answer on ExpertExchange.

You can basically use certificates MMC (local machine store) and delete unwaneted CSRs there. After that remove CSR files from location where you saved them.

SNAGHTML4a65622

PKI: Private Key Export failed during CA migration

I am currently lead a project for PKI migration from 2003 Servers to 2012 R2.

ISSUE: During migration one of CAs I observed an error when I tried to restore a Private Key saved on an old CA to the new CA.

 

The error said: Import private key: Active directory certificate services setup failed with the following error: Cannot find object or property. 0x80092004 (-2146885628 crypt_e_not_found)

RESOLUTION: I checked the machine local storage and found the old CA certificate there (without Private Key). The certificate was installed by GPO.  I deleted the certificate and retry Private Key import from CA installation wizard (where it failed). This time the cert was imported successfully.

SCCM 2012: Certificate requirements

Lync 2013: Front end server start fails

One of my Lync 2013 FE did not start after update to August 2014 CU.

The error pointed to certificate:

 

Event Id: 14397:

A configured certificate could not be loaded from store. The serial number is attached for reference.

Extended Error Code: 0x800B0109(CERT_E_UNTRUSTEDROOT).

—————————————————————————————————

Event Id 14646:

A serious problem related to certificates is preventing Lync Server from functioning.

Unable to use the default outgoing certificate.
Error 0x800B0109(CERT_E_UNTRUSTEDROOT).
The certificate may have been deleted or may be invalid, or permissions are not set correctly.
Ensure that a valid certificate is present in the local computer certificate store. Also ensure that the server has sufficient privileges to access the store.

——————————————————————————————————

details page (for Event Id 14397) shows the certificate number. I tried to find it using PowerShell

Get-ChildItem -Path CERT: -Recurse | FT Subject, SerialNumber | FindStr <NUMBER FROM EVENT VIEWER>

It returned an empty string. So I rerun it without |findstr … and checked output. Naturally I saw one of cert number is similar to whatever was in event id  BUT

1. it was backward and

2. each two bytes were changed in place

It is confusing, eh? so I will try to give an example:

Number in Event viewer:    ABCDEFGH12

Certificate number: 12GHEFCDAB

After that I found the certificate in question – it is my pool cert which works just fine of my first FE server…

I checked the certificate using Cert MMS – it looked ok and fully trusted. Trusted root – GeoTrust Global CA was on its place.

Resolution: An intermediate certificate (GeoTrust SSL CA – G2) was not under “Intermediate Certification Authorities”. I copied it from my first server store to the second one and restarted the front-end on the second server. It started successfully this time.

PKI: Enable SAN support on Microsoft CA after server migration.

 

I migrated my Lab Enterprise CA from Windows Server 2008 R2 to Windows Server 2012 R2. I tried in-place upgrade. Everything seemed to be fine until I tried to request a SAN certificate from it.

It looks like this feature was lost in migration and I needed to re-enable it using

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

command (one line).

 

Do NOT forget to restart the CA service – the commend makes changes in registry.

More information about SANs and why you may decide to not enable them in this Technet Article

Certificate WEB request failed with: This Web browser does not support the generation of certificate requests.

Issue: I am trying to send a certificate request from my Windows 2012 Server running IE 10 (default).

The request fails with the error: “This Web browser does not support the generation of certificate requests.”

 

Resolution: Press F12 and select IE 10 Compatibility View. After that CertSrv page should be displayed properly:

image