Certificate enrollment web service GPO enablement failure
2012 Std R2
Added certificate authority role with web services
configuring via library hh831625
I have verified that IIS has the default site ADPolicyProvider_CEP_Kerbos and I copied the URI https://<server>/ADPolicyProvider_CEP_Kerbos/service.svc/CEP
I added a domain GPO per directions Certificate Enrollment Policy Web Services. I am editing the GPO for Computer->Policies->Windows Settings->Security Settings->Public Key Policies. I double click Certificate Services Client - Certificate Enrollment Policy. I enable the policy and ADD certificate enrollment policy list. I paste the above URI, Authentication type is "Windows Integrated". When I validate server I get the following error:
An error occurred while obtaining certificate enrollment policy
URI:https://<server>/ADPolicyProvider_CEP_Kerbos/services.svc/CEP
Error: The remote endpoint does not exist or could not be located. 0x803d00d (-21434855939 WS_E_ENDPOINT_NOT_FOUND)
Help with this final validation is appreciated. Logged on as administrator with domain admin rights and enterprise Admins rights
John Lenz
Hi,
Please try to do the following steps at first. Thanks.
Configuring the CEP web address in the client
Before I go into the steps it is important to understand that this configuration is based on the security context. You have a CEP configuration for the user, and you have another configuration for the computer. Depending on what certificates you plan on issuing (user or computer certificates) you may only require one of these to be configured.
Configuring user certificate enrollment
Run CertMgr.msc.
Expand Certificates, then Current User.
Expand Personal.
Right click on Personal, and select All Tasks, then Advanced Operations, then Manage Enrollment Policies…
On the Manage Enrollment Policies dialog click the Add… button. See Figure 12
Type in the URI for the CEP service in the field. This will be in the format of:
https://<Internet FQDN>/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
In my example this would be:
https://cert-enroll.fabrikam.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
NOTE: the only thing that will be unique to your environment is the Internet FQDN of the URI.
In the Authentication type drop down select: Username/password
Click the Validate button.
Once the Validate button is pressed, you will be prompted to type in a domain user name and password. Supply these credentials.
If everything goes correctly you should see that the validation test passed in the lower section of the dialog box see Figure 13.
NOTE: You can see in Figure 13 that the only difference is the DNS portion of this URI. If you scroll down further in the validation output, you will see the friendly name you added under the website configuration being displayed also.
Click the Add button.
Uncheck Enable for automatic enrollment and renewal.
NOTE: Failure to do so could cause users to be prompted for user name and password each time they logon to the computer. This occurs because Windows Autoenrollment runs immediately after the user has logged on. If the enrollment policy is configured for automatic enrollment and renewal, Windows Autoenrollment will attempt to contact the configured CEP server when it starts in order to determine if new certificates have been assigned. Since this will result in the users being prompted for credentials every time they log on, your users may be annoyed.
Click the OK button.
NOTE: Follow the same procedures to configure the Enrollment Policy server for the computer personal store if you need to enroll for computer certificates.
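A small check for the URI before it is pasted into the policy, written as an added example (not from the thread): it verifies the layout the steps above describe, https://<FQDN>/ADPolicyProvider_CEP_<Auth>/service.svc/CEP, and that the directory's authentication mode agrees with the Authentication type selected in the dialog. The three directory suffixes and the dialog labels are assumptions, as the comments note.

```python
"""Check a Certificate Enrollment Policy (CEP) URI before it goes into the GPO (added example)."""
from urllib.parse import urlparse

PREFIX = "ADPolicyProvider_CEP_"
# CEP virtual-directory suffix -> "Authentication type" label in the policy dialog.
# Assumption: these are the three CEP authentication modes and their dialog labels;
# the thread itself only shows the Kerberos and UsernamePassword variants.
AUTH_BY_DIR = {
    "kerberos": "Windows Integrated",
    "usernamepassword": "Username/password",
    "certificate": "X.509 Certificate",
}


def check_cep_uri(uri, auth_type):
    """Return a list of problems; an empty list means the URI matches the expected layout."""
    problems = []
    p = urlparse(uri.strip())
    if p.scheme.lower() != "https":
        problems.append(f"scheme is {p.scheme!r}; the policy service is only published over https")
    host = p.hostname or ""
    if not host:
        problems.append("no host in URI")
    elif "." not in host:
        problems.append(f"host {host!r} is not a FQDN; use the name on the service's certificate")
    parts = [s for s in p.path.split("/") if s]
    if len(parts) != 3:
        problems.append(f"path has {len(parts)} segments, expected "
                        f"/{PREFIX}<Auth>/service.svc/CEP")
        return problems
    vdir, svc, endpoint = parts
    # IIS paths are case-insensitive, so compare the directory name case-insensitively.
    suffix = vdir[len(PREFIX):].lower() if vdir.lower().startswith(PREFIX.lower()) else ""
    if suffix not in AUTH_BY_DIR:
        problems.append(f"virtual directory {vdir!r} is not one of: "
                        + ", ".join(PREFIX + k for k in ("Kerberos", "UsernamePassword", "Certificate")))
    elif auth_type != AUTH_BY_DIR[suffix]:
        # The directory fixes the authentication scheme; the dialog setting must agree.
        problems.append(f"authentication type {auth_type!r} does not match {vdir!r} "
                        f"(expected {AUTH_BY_DIR[suffix]!r})")
    if svc.lower() != "service.svc":
        problems.append(f"service file is {svc!r}, expected 'service.svc'")
    if endpoint != "CEP":
        problems.append(f"endpoint is {endpoint!r}, expected 'CEP'")
    return problems
```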
Similar Messages
-
Certificate Authority Web Enrollment - CSP states loading
Hello,
I have setup an enterprise sub CA (the root is offline).
I have been able to issue certificates, but I did not have the Web Service, Policy Web Service or the Web Enrollment turned on.
I turned them on yesterday and when I visit the website, when I click Create and submit a request to this CA it takes to the next page where I can request a certificate. I created a duplicate template for the User Certificate and made it available.
I see it in the drop down, however under key options, CSP just says loading. I went to this site:http://support.microsoft.com/kb/939290 and followed the instructions, Active Scripting is enabled and it still
continues to state loading.
I am at a complete loss as to what the problem might be. Event logs on CA server are clean, no errors or warning.
Any suggestions?
Update: I tried to get to the site from the actual CA server and it displays "The Web site is attempting to perform a digital certificate operation on your behalf", etc...
And it populated the CSP.
I tried it from another server and it worked.
I tried it from another workstation and it shows loading in the CSP.
Has anyone run into this issue?
Hi,
As this works on one of your servers, do all your workstations have this issue?
Certificate Enrollment Web Services client computers must be computers running at least Windows 7 or Windows Server 2008 R2 operating systems. To utilize key-based renewal, client computers must be running at least Windows 8 or Windows Server 2012 operating systems.
Please follow the below article for more details:
http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx
Regards,
Yan Li -
NDES Certificate Enrollment on Surface fails
Hi all
I implemented a NDES infra based on Pietrs Blog in my Sandpit Lab (Infra runs on ConfigMgr 2012 R2 CU4), OS 2012 R2
http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune.aspx I repeated each step, to be sure, 2 or 3 times.
If I try to assign a Client Cert/user Cert (both of them) it always fails 0X87D1FDE8 Remediation failed as posted here
https://social.technet.microsoft.com/Forums/en-US/15aebec7-4870-49af-8c0c-17d3d376783a/ndes-scep-certificate-profile-0x87d1fde8-remediation-failed-deployment-of-certificate-profiles?forum=configmanagermdm&prof=required
(All certs are newly re-created; NDES and CRP newly installed.) If no enrollments of certs were possible I could understand it, but Android 4.2 devices are enrolling like a charm. One detail: the NDES server is reachable via WAP Proxy, but this works (if I enter the test URL I'm able to open the cert file). Finally, on the Surface the regkey in the MDM hive is created and the NDES URI is available. All log files are looking fine.
Any ideas/help or tips will be very appreciated.
Cheers,
+Mat
All,
It is running now. It was a heavy war in my lab ... ;-) and arose from several misconfigured components and settings. For an easier overview, enclosed by component:
CA
I have an Enterprise Root CA with a subordinate Issuing CA in the lab. Failure 1: the lifetime of the Issuing CA cert was only configured for 2 years, so I changed this using certutil to 10 years (Root CA 20 years, Issuing 10 years). Failure 2: the NDES template had a longer lifetime than the Issuing CA. This raised the issue "Life time incorrect" in the failed cert request.
WAP Proxy
On the WAP Proxy the required Settings
Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value: MaxFieldLength
Type DWORD
Data: 65534 (decimal)
Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value: MaxRequestBytes
Type DWORD
Data: 65534 (decimal)
were applied, but the required December 2014 Update Hotfix http://blogs.technet.com/b/ems/archive/2014/12/11/hotfix-large-uri-request-in-web-application-proxy-on-windows-server-2012-r2.aspx was not properly installed (the WAP Proxy is a workgroup server).
NDES
In the HTTP settings listed above I made a mistake (decimal vs. hex), typically a copy/paste error.
CRP
At least one Server is properly configured
Some Remarks
Within the policies both certs, Root and Issuing CA, have to be deployed to the Root Store. Later on, in the configuration for the SCEP cert enrollment, the template of the Issuing CA has to be chosen.
Very happy that this is rolling. Next step is to configure the WIFI Network (NPAS) that only devices with a valid Client certificate can use them.
The biggest pain overall is that the logging process is not really helpful and confusing, e.g. the MCSEP.log reports
2905.902.0:<2015/4/14, 19:31:3>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 44D6EDAE C3C7C52F DE1B2CE4 9C102C22 5DF4CC54
but the enrolling is working fine. Here Microsoft should investigate for a better overview.
Cheers,
+mat -
Auto certificate enrollment for computers not happening
Hi
In my environment the auto certificate enrollment for computers not happening through GPO.
Domain computers has permission of enroll on computer certificate template.
Please suggest.
Regards,
Deepak S
Hi,
Please reconfirm the Autoenrollment group policy is configured and applied to the user or machine. Verify the Group Policy settings set the proper registry settings. If Group Policy is configured correctly, the next step is to troubleshoot enrollment.
Autoenrollment requires the use of Version 2 or Version 3 Certificate Templates. Certificate Authorities must be on the appropriate OS Version and edition. The table below outlines OS Version and Edition support for Version 2 and Version 3 certificate templates.
The similar thread:
Certificate Autoenrollment for Domain Computers GPO does not work
http://social.technet.microsoft.com/Forums/windowsserver/en-US/3797dad9-6c4f-41e4-8c4f-ad37a7570aa4/certificate-autoenrollment-for-domain-computers-gpo-does-not-work?forum=winserversecurity
Hope this helps.
-
SSL certificates and Web Services Usage inside Oracle Database Questions!
We have implemented a specific business logic using PL/SQL for our client, so we open a file and process each line of this, doing something in the Database and also call a Web Services (Service1) using UTL_HTTP package. Service1 runs in a Windows 2008 Server in the DMZ as Database server.
Service1 is already working, and we can call the service from PL/SQL without troubles.
However, according to the client's security policies, they require all web services to be consumed via https, including Service1, so we must follow the procedure established by Oracle in order to enable calling Service1 via https from the database.
Our client's DBA and IT team are concerned about two subjects before continuing with the certificate installation:
- SSL Certificates:
1- Can installed certificates in the Database put in risk the stability of the database?
2- Can installed certificates in the Database generate performance issues?
3- Can installed certificates reloading the Databases?
4- Can installed certificates in the Database generate security issues?
- Web services:
1- Can web services calling from the Database put in risk the stability of the database?
2- Can web services calling from the Database generate performance issues?
3- Can web services calling from the Database generate security issues in the DMZ?
Could you please give us any clues about the possible negative impact related to SSL certificates and web services usage inside the Oracle Database, if this impact exists?
These are the links describing the procedure mentioned above.
1 - http://www.kotti.es/2009/11/oracle-wallet/
DB: Oracle 9i.
Average number of lines in file: 300
Periodicity: twice a day.
Thiago:
You are correct in that there should be no problem interacting with a Web service that has an HTTPS endpoint as long as you create a wallet and specify it when you make your UTL_HTTP calls, like the PayPal example.
I am not aware of a PL/SQL utility to create a XMLDsig Standard message, but if you find some Java source out there that does it, you may be able to follow a technique I used for a similar use case:
http://jastraub.blogspot.com/2009/07/hmacsha256-in-plsql.html
Regards,
Jason -
No password prompt from ASA 5500 for certificate enrollment
Greetings,
I work in a lab testing interoperability between Avaya and Cisco VoIP products.
I am setting up an environment to test Avaya 96x1 phones with VPN using SCEP
going thru an ASA 5510 to a backend IP PBX.
Environment: Windows Server 2008 R2, Enterprise Edition, AD with DNS, NDES
Cisco ASA 5510 running 9.0(1)
I would like to setup certificate enrollment between a Windows Server 2008 R2 and a Cisco ASA 5510. Here are the commands that I use for the Cisco ASA 5510:
crypto key generate rsa modulus 2048
crypto ca trustpoint ASA5510-trust
enrollment url http://10.129.112.20/certsrv/mscep/mscep.dll
enrollment retry period 5
enrollment retry count 3
password Interop123
exit
crypto ca authenticate ASA5510-trust
crypto ca enroll ASA5510-trust
Everything works as expected until I try to enroll. There is no prompt for the
enrollment password and the certificate request is denied.
ciscoasa(config)# crypto ca enroll ASA5510-trust
% Start certificate enrollment ..
% The fully-qualified domain name in the certificate will be: ciscoasa.avayasil.avaya.com
% Include the device serial number in the subject name? [yes/no]: No
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ciscoasa(config)# The certificate enrollment request was denied by CA!
Why isn't there a prompt for the enrollment password?
BTW, If I set "enforcepassword" to "0" in the Windows registry, then it works.
Thanks,
Richard,
In the trustpoint config you have the challenge defined.
http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/p1.html#wp1961480
If this command is enabled, you will not be prompted for a password during certificate enrollment.
Did you try removing it? If you're still not being asked after removing it, it's most likely a bug.
M. -
Certificate Enroll Errors RPC Server Is Unavailable
I have a scenario in which I would like some advice before moving on. We have a Server 2012 root CA that was put in about a year-year and a half ago and at the same time there was another 2008 R2 root CA that was installed on a DC that was hosting FSMO roles.
Well that DC started to die so we transferred the FSMO roles and removed certificate services. However, we only uninstalled the role but as I understand, there is a bit of cleanup to do in AD beyond just removing the role. So when we started to perform the
first step, I noticed remnants of old servers that are no longer around. I've discovered that our previous admin had made 3 other servers (I believe all 2003) that have all completely gone away and yet are still listed in the Trusted Root Certification Authorities
on all computers and I find in the event log the following error when I log in to our domain machines of them trying to contact each of the old CA servers:
Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID N/A from server.domain.org\server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
Now I have no way of knowing whether or not this admin actually properly removed the role before decommissioning these servers and I have no idea why we needed so many servers to be root CA's in the first place? Anyhow, I was wondering if the proper procedure
would be to remove the root trusted certs from group policy and then clean up the remnant entries in AD as described in the Microsoft documentation of removing a root CA from your environment. I still see some errors and machines requesting to check for stuff
like CRL with the most recent root CA that we removed so I just wanted to check to see if all of these errors will go away once we finish the cleanup and if there is anything special that needs to be done for the potentially orphaned root CA's. We did take
a backup of the 2008R2 CA (the one that was on the dying DC) before we removed the role and I have confirmed that our production CA (the one that we would like to remain in production - is a sub CA of an offline root) has already issued new machine and DC
certs to our domain machines and domain controllers.
Sorry for the lengthy post. Please let me know if any more information is required and thank you in advance!
Hello,
the root CA normally is the first one in a forest issuing the certificates for the subordinate CAs if required or for certificates.
http://technet.microsoft.com/en-us/library/cc731183.aspx
So there is no need for multiple root CAs.
To get rid of everything old and be sure the CA is configured correctly for your needs, I suggest asking this in
http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights. -
Cisco CA + Cisco VPN Client - Error 42: Unable to create certificate enrolment request
We find ourselves in a difficult situation with the
Cisco VPN Client version 5.0.07.0290 where it keeps giving us an
"Error 42: Unable to create certificate enrolment request" when we attempt to use the Online enrolment method to create and enrol a new certificate.
There is no additional information in the VPN client logs where we have set 3-High for all logs.
In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
To create and enrol a certificate we do the following:
1. Click on the Enroll button to show the Certificate Enrolment dialog
2. Select Online
3. Select <New> for Certificate Authority
4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
5. Click Next to display the dialog where we can enter certificate details
6. Enter details in all fields except IP Address and Domain
7. Click Enroll which shows a dialog with the Error 42 ... message in it.
If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrolment request.
The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem.
We will be grateful for any assistance that you can provide with this issue. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64bit machine and attempted the steps listed above.
Thank you
Emil
FYI, I just came up against this problem and the solution in my instance was to ensure that the Cisco CA Server was configured to automatically grant certificate requests.
Cisco2691#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco2691(config)#crypto pki server CERTSERVER
Cisco2691(cs-server)#grant ?
auto Automatically grant incoming SCEP enrollment requests
none Automatically reject any incoming SCEP enrollment request
ra-auto Automatically grant RA-authorized incoming SCEP enrollment request
Cisco2691(cs-server)#grant auto
% The CS config is locked. You need to shut the server off before changing its configuration.
Cisco2691(cs-server)#shut
Cisco2691(cs-server)#grant auto
Cisco2691(cs-server)#
Mar 25 19:39:53.356: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
Cisco2691(cs-server)#no shut
% Certificate Server enabled. -
ASA Local CA certificate enrollment invitation
Hi,
I have been looking for the answer for a while.....
My ASA is version 8.2.1
I am planning to use the ASA local CA to distribute certificates for SSL VPN users.
After I create a user and email OTP, you get the E-mail like below.
(The following example is found at http://www.cisco.com/japanese/warp/public/3/jp/service/manual_j/sec/asa/caclcg4/chapter39/12172_01_39.shtml)
Date: 12/22/06
To: [email protected]
From: Wuseradmin
Subject: Certificate Enrollment Invitation
You have been granted access to enroll for a certificate.
The credentials below can be used to obtain your certificate.
Username: [email protected]
One-time Password: C93BBB733CD80C74
Enrollment is allowed until: 15:54:31 UTC Thu Dec 27 2006
NOTE: The one-time password is also used as the passphrase to unlock the certificate file.
Please visit the following site to obtain your certificate:
https://wu5520-FO.frdevtestad.local/+CSCOCA+/enroll.html
You may be asked to verify the fingerprint/thumbprint of the CA certificate
during installation of the certificates. The fingerprint/thumbprint should be:
MD5: 76DD1439 AC94FDBC 74A0A89F CB815ACC
SHA1: 58754FFD 9F19F9FD B13B4B02 15B3E4BE B70B5A83
My question is where the hostname (wu5520-FO.frdevtestad.local) of URL is from.
I thought it is from the hostname of the ASA, so I changed the hostname of the ASA.
However the URL did not change.
Any comment would be greatly appreciated.
Thanks,
Taro
Hello Taro,
Agree with Atri,
I have not dealt with these cases but it makes sense that you need to reset the CA server as it's basically using a different configuration set for the FQDN.
As soon as you enable the ASA CA capability the URL will be created based on the FQDN, so as it's up and running it will not change... That's how I see it,
Give it a try and let us know,
I think you can only remove the CA config with
clear config crypto ca server
So be careful,
Regards
Julio -
Error with web service SRT: Unexpected failure in SOAP processing occurred:
Hello,
I get the following error with a web service
"SRT: Unexpected failure in SOAP processing occurred: ("No configuration for this HTTP server instance")"
Any ideas on how to solve this ?
Thanks.
Regards, Michel
Hi,
I think the WSDL file shared with you and the soap message you are getting are a mismatch.
Try to check the soap message xml format and see if it matches the output tags structure in the WSDL file.
Thanks & Rgds,
Aditya -
Failed Calling A X.509 Certificate Secured Web Service From OSB
Hi,
I have wsdl resource, business service and proxy service setup in OSB 11.1.1.6 on Linux. The business service will consume a X.509 certificate secured web service running on a remote server.
Below is my approach:
The consumer of the proxy service of OSB signs its soap request header.
My OSB proxy service authenticates the signature and forward the request to business service.
The business service signs the outbound soap request header. (To do this I configured the keystore in Security Provider Configuration of my SOA_domain in Enterprise Manager. Also I applied Web Service Policy of Service Client type to the business service.)
This is not working yet. Not sure if my approach is correct or not?
Thank you,
Eric
I validated the keystore, all the certificates used and the value for keystore.sig.csf.key / value for keystore.recipient.alias. They are all as expected. Restarted the server. Still failed for OSB to invoke the remote secured web service, but worked if only use soapUI to invoke the same remote secured web service directly.
The error message is:
General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption)
In the soap request / response message shown in the OSB Test Console, there seem to be two signature sections in the header and an encryption section, although I tried not to encrypt the soap request. I am using Web Service Client Policy "calpers/wss11_x509_token_with_message_integrity_client_policy_osb" which was created based on "oracle/wss11_x509_token_with_message_protection_client_policy". The difference between the two policies is that my policy does not sign nor encrypt the entire body.
In the "Message Signing Setting" section, I unchecked the "Include Entire Body" and left the three default namespaces under the Header Elements.
In the "Message Encrypt Setting" section, I unchecked the "Include Entire Body" and also left the one default namespace under the Header Elements.
I don't know how to attach a document here, so I add the long soap message here.
Business Service Testing - BookSec_Biz_Svc_52
Request Document
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
</soap:Header>
<soapenv:Body>
<book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
<book:bookId>10</book:bookId>
<book:bookTitle>eric</book:bookTitle>
<book:bookAuthor>Z</book:bookAuthor>
</book:BookRequest>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp wsu:Id="Timestamp-eEud1RcUOPcnV0fDqd6gZQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2013-03-14T18:10:00Z</wsu:Created>
<wsu:Expires>2013-03-14T18:15:00Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-VnzMtSwHMI8THKi2hhG2SQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
</wsse:BinarySecurityToken>
<dsig:Signature Id="XSIG-oISn2AADumTdR86sONuz8g22" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<dsig:Reference URI="#Timestamp-eEud1RcUOPcnV0fDqd6gZQ22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>3LQ1IpQR3rKHvP6Ov/m9ZRoecZM=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>X2BUn9TLL26Ay9A3HGEn/mnGCCE=</dsig:SignatureValue>
<dsig:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#EK-h7saqC1VyBKZw2n1IHz8GQ22" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
</dsig:Signature>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>dau9qjB2lxIvlaoDIHuWVHqjulI=</dsig:DigestValue>
</dsig:Reference>
<dsig:Reference URI="#STR-QC3ZDBRwsXv8unEWVns9rQ22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<wsse:TransformationParameters>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</wsse:TransformationParameters>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>nPO9mKSC9cMg2fEkGZI+ujy5O1Q=</dsig:DigestValue>
</dsig:Reference>
<dsig:Reference URI="#XSIG-oISn2AADumTdR86sONuz8g22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>qXkW/ZFFNc8Bu0VL9eF6c4np7IA=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>
MuHCTh5cW8TiVKtkWFl+Of2EFAiHwuPTR7J9b4/n2KZtPy2OCrgi1lBpuzhFKLhoBxYNOK8TMOa/3b223Vv+CQUfUP7z0YVj5Ck7QETYngaQlS07KulnstJjsAgHBV8Zk3A0EafuWF2c3t5wBzEkgEC99v0EdY3mRiCzt7vh2qs=
</dsig:SignatureValue>
<dsig:KeyInfo Id="KeyInfo-0LT1QavoIVXOHesZfrxTwg22">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
</dsig:Signature>
<xenc:EncryptedKey Id="EK-h7saqC1VyBKZw2n1IHz8GQ22" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
</xenc:EncryptionMethod>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference wsu:Id="STR-QC3ZDBRwsXv8unEWVns9rQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">q9Z9yPxvNw4CvSLQNI4rxVlSF+w=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue xmime:contentType="application/octet-stream" xmlns:xmime="http://www.w3.org/2005/05/xmlmime">
Tgdhxy6wMJBBrw23iq1GLCm0TYKBXSVQvBcN+7TXdXL6FPSjhcbfXqtoz7wzirbSwUZuu+DrYuWs
0BjRXqw3auUSCMlkm4IoT1ag3wFQQ/PEbB8HNlYhW3gp/At3toTw+k5p9wOUd4BMFAiXyeHQ8+dQ
8JUiohXhiHErTDn6fFQ=
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</wsse:Security>
</soap:Header>
<soapenv:Body>
<book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
<book:bookId>10</book:bookId>
<book:bookTitle>eric</book:bookTitle>
<book:bookAuthor>Z</book:bookAuthor>
</book:BookRequest>
</soapenv:Body>
</soapenv:Envelope>
Response Document
The invocation resulted in an error: Internal Server Error.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Client</faultcode>
<faultstring xmlns:lang="en">
General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption) </faultstring>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
Response Metadata
<con:metadata xmlns:con="http://www.bea.com/wli/sb/test/config">
<tran:headers xsi:type="http:HttpResponseHeaders" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<tran:user-header name="Accept" value="text/xml"/>
<tran:user-header name="Expires" value="Thu, 14 Mar 2013 18:10:01 GMT"/>
<tran:user-header name="SOAPAction" value=""""/>
<http:Cache-Control>max-age=0</http:Cache-Control>
<http:Connection>close</http:Connection>
<http:Content-Type>text/xml; charset=UTF-8</http:Content-Type>
<http:Date>Thu, 14 Mar 2013 18:10:01 GMT</http:Date>
<http:Server>Apache</http:Server>
<http:Transfer-Encoding>chunked</http:Transfer-Encoding>
</tran:headers>
<tran:response-code xmlns:tran="http://www.bea.com/wli/sb/transports">2</tran:response-code>
<tran:response-message xmlns:tran="http://www.bea.com/wli/sb/transports">Internal Server Error</tran:response-message>
<tran:encoding xmlns:tran="http://www.bea.com/wli/sb/transports">UTF-8</tran:encoding>
<http:http-response-code xmlns:http="http://www.bea.com/wli/sb/transports/http">500</http:http-response-code>
</con:metadata>
Hello,
I tried to install new SHA2 third-party certificates on our WLCs. There are old WiSM1 boards and a 2504 to support our old 1230 access points, running 7.0.251.2, which didn't install it, although the config manuals for 7.6 and 8.0 say that SHA2 certificates are supported since 7.0.250.0. When I tried to install the SHA2 certificates I get the message "File transfer failed" and the log says:
*TransferTask: Dec 12 13:22:14.394: #UPDATE-3-CERT_INST_FAIL: updcode.c:1869 Failed to install Webauth certificate. rc = 1
*TransferTask: Dec 12 13:22:14.394: #SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4085 Cannot PEM decode private key
I tried to install the same certificates on our WiSM2-Boards, running 7.4.121.0 and I failed too. The same certificates could be installed on a 2504 running 8.0.100 without any problems.
In all 3 cases I tried to install unchained certificates for web management and Level 3 chained certificates for web authentication. I used the following guides to get the certificates (e.g. taken from the config manual 8.0.100):
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.pdf
Which software versions support SHA2 certificates and which don't? Is there a list for it?
Regards
Hello,
I solved the problem. First I used a Debian Linux system with OpenSSL 1.0.1. After I searched the internet using one of the log messages above, I found sites which mentioned to use OpenSSL 0.9.x. So I tried a production Debian Linux system with security fixes running OpenSSL 0.9.8 and I succeeded. The WLCs accepted the certificate files and used them after a reboot. The Web GUI still shows a SHA1 fingerprint, but the certificate signature algorithm is SHA2:
Signature Algorithm: sha256WithRSAEncryption
When you check the openssl.org homepage, OpenSSL 0.9.8 is still one of the actual versions of OpenSSL and is still available and fixed. But the OpenSSL roadmap says:
"We don't want to have to maintain too many branches. This is likely to include a timescale for the EOL of version 0.9.8"
I don't know the differences between certificates made with OpenSSL 0.9.8 and 1.0.1. Is there anybody who can explain it to me?
Regards
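Two checks that bear on the questions in this thread, added here as an illustration and not part of the original posts or of Cisco's guides. The first reports how a PEM private key is encoded: OpenSSL 0.9.8 wrote the traditional PKCS#1 form ("BEGIN RSA PRIVATE KEY"), while from the 1.0.0 line onward `openssl req` and `openssl pkcs12` write PKCS#8 ("BEGIN PRIVATE KEY" or "BEGIN ENCRYPTED PRIVATE KEY") by default, so a key file produced on the two systems can differ in its container format even though the key material is the same. The second separates a certificate's fingerprint (a hash the viewer computes over the whole DER blob, with whatever algorithm the viewer chooses) from the signature algorithm recorded inside the certificate, which is why a "SHA1 fingerprint" in a GUI says nothing about whether the certificate was signed with sha256WithRSAEncryption. The certificate bytes built by `make_sample_cert` are a constructed stand-in with only the outer structure of a real certificate; the function and variable names are this example's own.

```python
"""Added example: PEM key container check and certificate signature-algorithm
versus fingerprint. Not from the thread; make_sample_cert() builds a constructed
stand-in, not a real certificate."""
import hashlib
import re

# Signature-algorithm OIDs from PKCS#1 (RFC 8017); the values are the standard ones.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}


def pem_key_format(pem_text: str) -> str:
    """Classify a PEM private key by its label: PKCS#1 (0.9.8 style) or PKCS#8 (1.0.x style)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", pem_text)
    if not m:
        return "no-pem-block"
    label = m.group(1)
    if label == "RSA PRIVATE KEY":
        # Traditional format marks encryption with RFC 1421 headers, not with the label.
        if "Proc-Type: 4,ENCRYPTED" in pem_text:
            return "pkcs1-traditional-encrypted"
        return "pkcs1-traditional"
    if label == "PRIVATE KEY":
        return "pkcs8"
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    return "other:" + label


def der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def cert_signature_algorithm(der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = der_tlv(body, 0)         # skip tbsCertificate
    _, alg_id, _ = der_tlv(body, pos)       # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = der_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)


def cert_fingerprints(der: bytes) -> dict:
    """Fingerprints are hashes of the whole DER blob; the algorithm is the viewer's choice."""
    return {"sha1": hashlib.sha1(der).hexdigest(), "sha256": hashlib.sha256(der).hexdigest()}


# --- constructed sample data (not a real certificate) ---------------------------
def der_encode(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_sample_cert(sig_oid: str) -> bytes:
    """Outer shape of a certificate with a placeholder tbsCertificate and signature."""
    tbs = der_encode(0x30, der_encode(0x02, b"\x01"))
    alg = der_encode(0x30, der_encode(0x06, encode_oid(sig_oid)) + der_encode(0x05, b""))
    sig = der_encode(0x03, b"\x00\xde\xad\xbe\xef")
    return der_encode(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        c = make_sample_cert(oid)
        print(cert_signature_algorithm(c), "sha1 fingerprint:", cert_fingerprints(c)["sha1"])
```

If `pem_key_format` reports a PKCS#8 container for a key that a device refuses, `openssl rsa -in key.pem -out key-traditional.pem` rewrites it in the traditional PKCS#1 form on any OpenSSL version; run `openssl x509 -in cert.pem -noout -text` and read the "Signature Algorithm" line, as the second poster did, to confirm what the certificate was actually signed with.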
MAC OS X Certificate Enrollment
I want to use this configuration for MAC OS X certificate enrollment. What is required on the Windows PKI side for this to work? Do I need NDES or something else?
Thank you.
MCITP Exchange 2010 | MCITP Lync Server 2010 | MCTS Windows 2008
The Macintosh OS lacks any long-term certificate life-cycle management, and the difficulty of enrollment and lack of renewal generally makes this un-scalable. Third-party products fill the gap, such as AirWatch or Mobile Iron.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com
Are there any guidelines on how to secure the Windows 7 system service startup security settings that GPO enables?
For example, like many do with the Forefront Client Security Anti-Malware service, and there are lots of other services that you would like to have control over to get a secure and stable Windows 7.
/SaiTech
Hi,
Since there is no response from you, we consider that you have gotten what you wanted in the previous post.
For further questions, please don't hesitate to come back here and let's discuss again.
If you have any feedback on our support, please click here
Kate Li
TechNet Community Support
Deleted user Certificate enrollment requests
We have a user account, "Temp_admin", which was set up as a temporary domain admin and was deleted a few months ago. For some reason this account is still triggering, and successfully being authenticated for, certificate enrollment on our internal certificate server. At least according to the application log on DC#4. Looking at the logs on our certificate server this user does not even exist. Event IDs 64 and 65 every 3-4 minutes with this. Any idea how to stop this or at least keep it from authenticating?
Server 2008r2 domain.
Certificate enrollment for *******\Temp_admin successfully load policy from policy server
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}"
EventSourceName="CertEnroll" />
<EventID Qualifiers="33370">64</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-09-02T19:56:04.000000000Z" />
<EventRecordID>99069</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>MDSTVDC04.*******.local</Computer>
<Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
</System>
<EventData>
<Data Name="Context">*******\Temp_admin</Data>
<Data Name="ServerID" />
</EventData>
</Event>
Certificate enrollment for *******\Temp_admin is successfully authenticated by policy server {0E730552-3DDB-465A-83AD-CFAF040B236B}
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}"
EventSourceName="CertEnroll" />
<EventID Qualifiers="33370">65</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-09-02T19:56:04.000000000Z" />
<EventRecordID>99068</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>MDSTVDC04.*******.local</Computer>
<Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
</System>
<EventData>
<Data Name="Context">*******\Temp_admin</Data>
<Data Name="ServerURL">{0E730552-3DDB-465A-83AD-CFAF040B236B}</Data>
</EventData>
</Event>
Temp_admin is deleted from the domain
sid2username output: Error evaluating user name. Some or all identity references could not be translated.
Tested with known accounts and they work, so the temp account can not be found.
First thing I tried to do was search the AD domain by both the SID and username and they could not be found. I was involved in a motorcycle accident and a temp was hired for the 3 months I was away. The temp did not leave on good terms and the account was deleted as soon as she left the building.
This user was still listed under user profiles in the registry with that sid.
I deleted all references to the sid from the registry on that DC and restarted the server and the issue has disappeared. Really don't think I should have had to go this route though.
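A way to find which host and which unresolvable SID keeps producing CertEnroll events 64 and 65 before touching any registry keys, added here as an example and not part of the thread or of any Microsoft tooling. It reads events in the Windows event XML shape posted above, keeps only CertEnroll policy-load (64) and policy-authentication (65) events, and flags those whose `Security UserID` SID cannot be resolved to an account, which is exactly the condition the poster's `sid2username` check reported. The SID-to-account table, the host name and the sample events are constructed stand-ins; in production the lookup would be the directory.

```python
"""Added example: flag CertEnroll enrollment events (IDs 64/65) whose SID no
longer resolves to a directory account. Sample events and the SID table are
constructed; names are this example's own."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CERTENROLL_PROVIDER = "Microsoft-Windows-CertificateServicesClient-CertEnroll"
ENROLL_EVENT_IDS = {
    64: "successfully loaded policy from policy server",
    65: "successfully authenticated by policy server",
}

# Constructed stand-in for SID -> account resolution (the directory, in practice).
KNOWN_SIDS = {"S-1-5-21-1000-2000-3000-500": "EXAMPLE\\Administrator"}


def make_event(event_id, sid, context, computer="DC04.example.local"):
    """Build a CertEnroll event in the Windows event XML shape (constructed sample)."""
    data_name = "ServerURL" if event_id == 65 else "ServerID"
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="{CERTENROLL_PROVIDER}" EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">{event_id}</EventID>
    <Channel>Application</Channel>
    <Computer>{computer}</Computer>
    <Security UserID="{sid}" />
  </System>
  <EventData>
    <Data Name="Context">{context}</Data>
    <Data Name="{data_name}">POLICY-SERVER-ID-PLACEHOLDER</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Pull the fields a triage needs out of one event's XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "computer": system.find("e:Computer", NS).text,
        "sid": system.find("e:Security", NS).get("UserID"),
        "context": data.get("Context", ""),
    }


def find_orphaned_enrollments(events_xml, resolve_sid=KNOWN_SIDS.get):
    """Return CertEnroll 64/65 events whose SID does not resolve to an account."""
    findings = []
    for text in events_xml:
        ev = parse_event(text)
        if ev["provider"] != CERTENROLL_PROVIDER or ev["event_id"] not in ENROLL_EVENT_IDS:
            continue
        if resolve_sid(ev["sid"]) is None:
            ev["reason"] = (f"unresolvable SID; event {ev['event_id']}: "
                            f"{ENROLL_EVENT_IDS[ev['event_id']]}")
            findings.append(ev)
    return findings


def summarize(findings):
    """Count findings per (computer, SID, context) so the repeating source stands out."""
    counts = {}
    for f in findings:
        key = (f["computer"], f["sid"], f["context"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: two events from a deleted account's SID, one from a live account.
SAMPLE_EVENTS = [
    make_event(64, "S-1-5-21-1000-2000-3000-6981", "EXAMPLE\\Temp_admin"),
    make_event(65, "S-1-5-21-1000-2000-3000-6981", "EXAMPLE\\Temp_admin"),
    make_event(65, "S-1-5-21-1000-2000-3000-500", "EXAMPLE\\Administrator"),
]

if __name__ == "__main__":
    for key, n in summarize(find_orphaned_enrollments(SAMPLE_EVENTS)).items():
        print(f"{key[0]}: {n} enrollment event(s) for unresolvable SID {key[1]} ({key[2]})")
```

Feed it the events exported from the Application log of the DC in question (Event Viewer's "Save As" XML, or the XML tab per event) and replace `KNOWN_SIDS.get` with a real lookup; the summary names the host that still holds state for the deleted SID, which narrows the cleanup to that machine, as it did for the poster.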