Windows Domain Controller certificate for non domain clients

Hi,
Is it possible to export a Windows domain certificate and use it on non-domain computers without joining the domain, so that they can communicate with each other without joining the domain controller?
Regards

Not sure what you want to achieve here.
However, yes, it is possible to export certificates (with private keys) from domain machines and then import them on non-domain machines, and some certificates can even function well depending on their key usages. Please note that Domain Controller certificates are only meaningful to Domain Controllers. Possession of domain certificates doesn't indicate that machines are part of the domain.
Without joining a machine to a domain (or without a trust), the machine is always treated as untrusted by the domain members no matter what kind of certificates it holds.
Best Regards,
Amy

Similar Messages

  • Sharing Primary Site and Secondary Site's SUP WSUS for non-SCCM client use

    I was wondering if the WSUS deployed for the SCCM SUP can also be (re)used for non-SCCM clients.
    Our SCCM infrastructure is mainly used to manage workstations, whereas our back-end servers are not deployed with SCCM agents due to overlapping SLAs and responsibilities. However, we would like to take advantage of WSUS's centralized update repository without each back-end server initiating a connection to the Internet to get its updates.
    Is this possible?

    No. WSUS servers that are used for SUPs are controlled by ConfigMgr and cannot be used outside ConfigMgr.
    Torsten Meringer | http://www.mssccmfaq.de

  • Create a certificate for non domain-joined PCs

    We have a standard AD domain with a CA and SharePoint/Exchange servers, hosted internally and externally with TMG 2010 as our firewall. For the external hosting, we have an external certificate from one of the main certificate providers. Internally, our domain-joined PCs look to the CA to get their trusted certificate from.
    This is the issue I am encountering:
    Our external users (the ones whose PC is not joined to our domain) are fine when they access our SharePoint and Exchange services externally.
    However, when they are connected via VPN, they receive a certificate error, and when I look in Certificate > Certification path, I can see that it says:
    "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
    When such a PC connects to the same website when NOT connected via VPN to the domain, they receive:
    "DOMAIN NAME" Root CA > "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
    How can I create a certificate for these non-domain-joined PCs so that I can import the certificate into the Trusted Root Certification Authorities store? Thank you!

    It sounds like the question you are really asking is:
    How do I designate the internal root CA as a trusted root CA?
    Run certutil -addstore root RootCert.crt (this must be run from an administrative command prompt).
    This designates the root CA as a trusted root on the client. You may also want to install the intermediate cert to the store (you are not clear on what VPN product you are using, so it may or may not do proper chain building):
    Run certutil -addstore CA IssuingCA.crt
    Brian
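    The two certutil steps from the reply above, written as an added PowerShell example that is not part of the thread: it refuses to place a non-self-signed certificate into Trusted Root, imports the root and the issuing CA into the correct stores, and then builds the chain for the web site's certificate so that whatever status remains (UntrustedRoot, PartialChain, a revocation problem) is visible instead of a bare "certificate error". The file paths and names are assumptions.

```powershell
# Added example, not from the original thread. Trust an internal root CA on a
# non-domain-joined PC (equivalent of the two certutil -addstore commands) and
# verify that the web site's certificate now chains to it.
# All paths below are assumptions; replace them with your exported files.
#Requires -RunAsAdministrator

$rootPath    = 'C:\certs\RootCert.crt'    # exported root CA certificate (assumed name)
$issuingPath = 'C:\certs\IssuingCA.crt'   # exported issuing CA certificate (assumed name)
$leafPath    = 'C:\certs\sharepoint.cer'  # the web site's certificate, used only for the check

function Get-Cert([string]$Path) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
}

# Guard: only a self-signed certificate belongs in Trusted Root. An issuing CA placed
# there would "work" but teaches the client to trust the wrong anchor.
$root = Get-Cert $rootPath
if ($root.Subject -ne $root.Issuer) {
    throw "$rootPath is not self-signed (issuer: $($root.Issuer)); refusing to add it to Root."
}

# certutil -addstore root RootCert.crt
Import-Certificate -FilePath $rootPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
# certutil -addstore CA IssuingCA.crt  (intermediate store, so the chain still builds when the
# VPN or the web server does not send the issuing CA certificate itself)
Import-Certificate -FilePath $issuingPath -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null

# Build the chain the same way Windows does when the browser connects over the VPN.
function Test-Chain([string]$LeafPath) {
    $leaf  = Get-Cert $LeafPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $built = $chain.Build($leaf)
    foreach ($element in $chain.ChainElements) {
        Write-Host ('  {0}' -f $element.Certificate.Subject)
    }
    if (-not $built) {
        # Before the root is trusted this shows UntrustedRoot or PartialChain; if the CRL
        # distribution point is unreachable from this PC it shows RevocationStatusUnknown.
        foreach ($status in $chain.ChainStatus) {
            Write-Host ('  {0}: {1}' -f $status.Status, $status.StatusInformation.Trim())
        }
    }
    return $built
}

Write-Host ('Chain for {0}:' -f $leafPath)
if (Test-Chain $leafPath) { Write-Host 'Chain builds to a trusted root.' }
else                      { Write-Host 'Chain is still not trusted.' }
```

    Running Test-Chain before the two imports and again after them shows exactly which status the imports cleared, which is quicker than repeating the VPN test from the question.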

  • Issuing certificates for user and clients from different forest/domain

    Hello,
    First I would like to say that I have done some research on this forum and on the Internet overall.
    I have an AD forest with ~10 sites all over Europe, DFL and FFL are 2008 R2, and right now we are migrating site by site from the old domain (Samba) to AD.
    Lately I deployed a PKI based on an offline root CA and 2 Enterprise CAs acting as a 2-node failover cluster.
    Everything in my AD forest is OK, I mean autoenrollment works perfectly for users and computers from my forest.
    Now I need to deploy a certificate (for a test) to one web-based PBX server in the Samba domain; there are no trusts etc. The Samba domain as well as the AD forest are working on the same network, with routable subnets in each site, so there is no problem with connectivity.
    What are the possible ways to achieve this goal? I mean to issue a cert to a client from a different forest, so that this client is able to validate it, validate the certificate chain and renew it when needed?
    I have installed and configured the CE Web Service and the CE Policy Web Service. Now I have configured Enrollment Policies on my virtual machine (being part of a different domain); I selected username/password authentication, I am able to request a certificate, I can see all the templates which I should see, but when I try to enroll I get an error:
    (translated from my language) A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
    My root CA cert is added to Trusted Publishers for the computer and user node as well.
    What could be wrong? If you have any ideas or questions, please share or ask.
    Thank you in advance.

    Everything is clear: I have Certificate Enrollment Web Services installed and configured.
    The problem is what I get from certutil -TCAInfo:
    ================================================================
    CA Name: COMPANY-HATADCS002-ISSUING-CA
    Machine Name: COMPANYClustGenSvc
    DS Location: CN=COMPANY-HATADCS002-ISSUING-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
    Cert DN: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
    CA Registry Validity Period: 2 Years -- 2016-03-04 12:20
     NotAfter: 2019-02-14 12:44
    Connecting to COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA ...
    Server "COMPANY-HATADCS002-ISSUING-CA" ICertRequest2 interface is alive (1078ms)
      Enterprise Subordinate CA
    dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_NT_AUTH
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 12:34
      NotAfter: 2019-02-14 12:44
      Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
      Serial: 618f3506000000000002
      Template: SubCA
      9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
        CRL 02:
        Issuer: CN=HATADCS001-COMPANY-ROOT-CA
        ThisUpdate: 2014-02-14 12:16
        NextUpdate: 2024-02-15 00:36
        d7bafb666702565cae940a389eaffef9c919f07a
      Issuance[0] = 1.2.3.4.1455.67.89.5 
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 11:55
      NotAfter: 2024-02-14 12:05
      Subject: CN=HATADCS001-COMPANY-ROOT-CA
      Serial: 18517ac8a4695aa74ec0c61b475426a8
      b19b85e0e145da17fc673dfe251b0e2a3aeb05e9
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Issuance[0] = 1.2.3.4.1455.67.89.5 
    Exclude leaf cert:
      5b309c67a8b47c50966088a4d701c8526072c9ac
    Full chain:
      413b91896ba541d252fc9801437dcfbb21d37d91
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 12:34
      NotAfter: 2019-02-14 12:44
      Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
      Serial: 618f3506000000000002
      Template: SubCA
      9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
    Supported Certificate Templates:
    Cert Type[0]: COMPANYOnlineResponder (COMPANY Online Responder) -- No Access!
    Cert Type[1]: COMPANYWebServer(SSL) (COMPANY WebServer (SSL))
    Cert Type[2]: COMPANYUser(Autoenrollment) (COMPANY User (Autoenrollment))
    Cert Type[3]: COMPANYKeyRecoveryAgents (COMPANY Key Recovery Agents)
    Cert Type[4]: COMPANYEnrollmentAgent(Computer) (COMPANY Enrollment Agent (Computer))
    Cert Type[5]: COMPANYEnrollmentAgent (COMPANY Enrollment Agent)
    Cert Type[6]: COMPANYComputer(Autoenrollment) (COMPANY Computer (Autoenrollment)) -- No Access!
    Validated Cert Types: 7
    ================================================================
    COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA:
      Enterprise Subordinate CA
      A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
      Online
    CertUtil: -TCAInfo command completed successfully.
    Please shed some light on this because it's driving me crazy :/
    Thanks in advance
    One remark: certutil -tcainfo performed on the CA directly is 100% OK, with no errors regarding
    "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

  • Remove existing share folders in windows domain client machines

    Hi Team,
    I used the Sysinternals tool ShareEnum and found that in our Windows domain network many users have shared folders on their local machines, which was highlighted by the auditor. Now I have found a way through GP to block file sharing, but how can I remove the existing shared folders from all Windows client machines?
    Please help.

    This is the Exchange 2010 forum; I suggest you post this in the Windows forum to get faster responses...
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home

  • Risk Management & Process controls for non SAP client

    Hi Forum Gurus,
    I need clarity on the following: Can Risk Management 3.0 and Process Control be implemented for a non-SAP client?
    i.e. Our client does not run SAP, but they are interested in RM and PC, so is it possible to implement?
    Any advice would be highly appreciated.
    Kind regards,
    PREVO.

    Hi Prevo,
    Process Control and Risk Management 3.0 are delivered within the same installation package files, so it is the same for both applications.
    Also, real-time agents for Oracle or PeopleSoft are available if you want to leverage the automated control functionality of PC 3.0 in a non-SAP environment.
    Remember that the automated control functionality is an optional feature of PC 3.0. If you wish to use only the manual control features of PC 3.0, you don't need RTAs (real-time agents).
    You can find further information about manual controls at http://service.sap.com
    Use the quicklink '/rkt', then the following menu path: SAP Business Objects for GRC Solutions -> SAP BO Process Control 3.0 -> Technology Consultant
    Regards
    Debraj

  • Generate Certificates for WLC and clients

    Hi Guys
    I've been working according to the following document to integrate my WLC 5508 with LDAP for internal users:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    However, when I try to generate the device certificate on Windows Server 2012, I see the steps are different; for example, when I reach step 4 (of the Generate a Device Certificate for the WLC section), the CA asks me for a Certificate Signing Request instead of the Create and submit a request to this CA option, as appears in the document.
    How do I get this?
    Thanks in advance for your support!
    Marcelo

    Hi,
    If you are trying to get a device certificate for the WLC, then you may need to use 3rd-party software like OpenSSL for this.
    The post below may help you see how you can do this:
    http://mrncciew.com/2013/04/22/configuring-eap-tls-on-wlc/
    HTH
    Rasika

  • DHCP configuration for non-compliant clients

    Hello!
    I have a question about Network Policy Server.
    That is, how do I configure the DHCP server to lease IP addresses to non-compliant clients, specifically for access to remediation servers?
    Thank you.

    So your question isn't for a live situation, but because you are studying for a test?

  • DSCP marking for non WMM-clients

    Hello,
    I just made several tries but didn't find the result which I expected. I have the following scenario:
    non-WMM clients in branches in our WAN
    traffic over the WAN line must be shaped
    there is no local breakout; the traffic should be tunneled to the central datacenter
    So what I want to achieve is that all traffic from these non-WMM clients (which are using a special SSID (I call it here "EXTERNAL")) is marked in such a way that the CAPWAP packets hold DSCP values, so that I can refer to these packets before they go over the WAN connection.
    What I did:
    the SSID uses the QoS profile "bronze"
    WMM is disabled
    the QoS profile itself has 802.1p enabled with a value of 1
    So I expected that all traffic via this SSID "EXTERNAL" gets a DSCP marking in the CAPWAP packet of 10 (perhaps also 12 or 14, I'm not sure which value is really used). In reality I see 0.
    I'm using WiSM v1 with version 7.0.230. I also tried it with a 5508 with the same version but it didn't work. APs are 1142.
    Is my expectation wrong that this scenario works in this way? Am I forgetting something?
    Thanks for your help

    The WLAN can only re-mark client traffic that has existing DSCP values in the original packet, typically at the application layer. The platinum profile itself has 46 as VoWLAN, 48 as Mgmt traffic (CAPWAP etc), and 56 as network traffic, classifying them as such based on the original marking. The values are only remarked if the configured SSID is different.
    This link provides a few more details:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807e9717.shtml

  • 1240AG WPA2 and PSK for non radius clients

    Does this device support these options?
    We want to move to WPA2 Enterprise and use our RADIUS server (Windows IAS), but we want to hand out a key to non-domain computers. We have production machines that aren't on the domain for various reasons.
    2nd question: does the AP allow for creating a 2nd "Guest" wireless for visitors?
    Thanks!

    Hi Shayne,
    The Cisco 1240 supports WPA2/AES. Yes, they can provide different security policies via different SSIDs. For example:
    SSID#1 - Corporate - WPA2/AES 802.1X
    SSID#2 - CorporatePSK - WPA2/AES PSK
    SSID#3 - Guest
    There is a good deal of configuration to make this happen. But yes, this is supported.
    Here is a link on how to configure SSIDs on autonomous access points:
    http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37ssid.html

  • Certificates for IPSEC vpn clients in ASA 8.0

    Hello!
    I have configured an MS CA and I set up the VPN client and ASA 7.0 to make a tunnel with certificates.
    The same configuration does not work with ASA 8.0; I get the error:
    CRYPTO_PKI: Checking to see if an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=d4bb2888, digest=
    b8 e5 74 97 f3 bf 25 1c 2e e5 21 3e d1 93 d6 15 | ..t...%...!>....
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: Found a suitable authenticated trustpoint CA1.
    CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: Incorrect KeyUsage
    (40)
    CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve
    revocation status if necessary
    ERROR: Certificate validation failed. Peer certificate key usage is invalid, ser
    ial number: 250F3ECE0000000009AF, subject name: cn=xxxxx,ou=xxxx,o=xxxxx,c=
    xx
    CRYPTO_PKI: Certificate not validated
    Why is the key usage invalid? What certificate template must be used in the MS CA in order to get a regular key usage?
    The CA enrollment is terminal.
    THANKS!

    The cert needs to have the Digital Signature key usage set.
    Not sure what templates are available on the MS CA, but it should be something like "IPsec user" I suppose.
    To make ASA 8 behave the same as ASA 7 (i.e. disable the check on the cert's key usage), configure:
    crypto ca trustpoint
    ignore-ipsec-keyusage

  • A Web application + API for non web clients

    Hi there,
    I am new to the Java enterprise world. I have a query regarding the application I am currently developing; I am not sure this is the exact category to ask this question, but please help me with it.
    In very simple terms, my application's job is to give a listing or view of files distributed across the network.
    For this I need to have a web app which can provide a view to all web clients (where the view is nothing but a listing of files independent of their location).
    Because this view tells nothing more than files, and I as data center administrator cannot tell much about the data, we need to provide APIs so other applications (web app or anything else) can present the view in more data-specific terms.
    The web app part is fine with me, but how do I support an API being on an application server like GlassFish?
    Please help me with this.
    Thanks in advance
    AP

    Dear all,
    Can anyone help me to clear up this problem?

  • Certificates for Server and Client to install . Pls advice

    I am doing a File -- XI -- File scenario with FTPS.
    Currently consider only the File -- XI part.
    We go point by point for this link:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc
    The blog says:
    1. In the Visual Admin of XI make the Server public and private keys.
    2. In the Visual Admin of XI make the Client public and private keys.
    Suppose the File Sender System is the Server and XI is the Client.
    Questions:
    a. Do I need to make Server public and private keys in the Visual Admin of XI?
    b. Do I need to make Client public and private keys in the Visual Admin of XI?
    Generic rule: system1 sends its public key to system2 and similarly system2 sends its public key to system1.
    c. For Export keys and Import keys as given in the blog
    -- I am not able to get this part, given on pages 38 - 41 of this blog.
    Please advise me
    Regards

    Hi DecaXD,
    thank you for the quick response :)
    On the client side I tried to establish the connection to the work repository with the following connection information:
    Login information:
    Oracle Data Integrator Connection
    Login name = odi_server
    User = SUPERVISOR
    Database connection (Master Repository):
    User = odim
    URL = jdbc:oracle:thin:@<server ip>:1521:orcl
    A work repository could be found, but the connection failed! (?!)
    " ODI-26130: Connection to the repository failed.
    oracle.odi.core.config.NotWorkRepositorySchemaException: ODI-10147: Repository type mismatches.     
    Could not get JDBC Connection; nested exception is java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Invalid SQL-Query for validating the connection (translated from German into English) "
    My ODI configuration on the server side (logged in as: odiw):
    Topology tab:
    Physical architecture:
    Technology:
    Definition:
    Dataserver name = oracle_db_11gr2
    User = odiw
    JDBC-URL = jdbc:oracle:thin:@10.168.178.131:1521:orcl
    Datasource:
    Agent = OracleDIAgent
    JNDI-Name = [DataSourceName]
    Agents:
    Definition:
    Name = OracleDIAgent
    Host = <IP of the server>
    Port = 8001
    Webapplicationcontext = oraclediagent
    Datasources:
    Dataserver = oracle_db_11gr2
    JNDI-Name = [DataSourceName]
    Logical architecture:
    Technology:
    Definition:
    Name = oracle_db_11gr2
    Context = aMIS_dev
    Physical schema = oracle_db_11gr2.ODIW
    Agent:
    Name = OracleDIAgent
    Context = aMIS_dev
    Physical agent = OracleDIAgent
    When I test the connection of the data server (topology>physical architecture>technology>oracle>oracle_db_11gr2) with the OracleDIAgent I receive the
    " ODI-26039: Connection failed.
    oracle.odi.runtime.agent.invocation.InvocationException: javax.naming.NameNotFoundException: Unable to resolve '[DataSourceName]'. Resolved ''; remaining name '[DataSourceName]' "
    Since testing the connection on the server side failed in the first place, I couldn't test the connection on the client side.

  • Deliverables for non-Java clients

    I'm trying to write my first web service. My server code can be in Java but the client system cannot use Java at all. I'm looking at the Java web services tutorial provided by Sun and it seems to assume a Java client. Do I need to go elsewhere for a tutorial that will show me how to construct a web service that does not assume a Java client? I also won't be using the Sun app server but Tomcat, so I wonder if again that's a reason to not use the tutorial. Suggestions? Thanks.

  • Non-ACC client for WSIT enabled services

    Hello All,
    Can anyone tell me how I could develop a non-ACC Java client for SSL-enabled web services / Reliable Messaging-enabled web services?
    As of now, I am able to access these services with clients deployed in ACC containers of GlassFish V2UR1.
    I read something about GlassFish connectors, but did not get a clear picture. I don't believe that GlassFish doesn't have support for non-ACC clients.
    Thanks a lot in advance.
