Certificate enrollment web servce GPO enablement failure

Similar Messages

• Certificate Authority Web Enrollment - CSP states loading

  Hello,
  I have setup an enterprise sub CA (the root is offline).
  I have been able to issue certificates, but I did not have the Web Service, Policy Web Service or the Web Enrollment turned on.
  I turned them on yesterday and when I visit the website, when I click Create and submit a request to this CA it takes to the next page where I can request a certificate.  I created a duplicate template for the User Certificate and made it available.
  I see it in the drop down, however under key options, CSP just says loading. I went to this site:http://support.microsoft.com/kb/939290 and followed the instructions, Active Scripting is enabled and it still
  continues to state loading.
  I am at a complete loss as to what the problem might be. Event logs on CA server are clean, no errors or warning.
  Any suggestions?
  Update: I tried to get to the site from the actual CA server and it displays the The Web site is attempting to perform a digital certificate operation on your behalf, etc...
  And it populated the CSP.
  I tried it from another server and it worked.
  I tried it from another workstation and it shows loading in the CSP.
  Has anyone run into this issue?

  Hi,
  As this works on one of your servers, whether all your workstation have this issue?
  Certificate Enrollment Web Services client computers must be computers running at least Windows 7 or Windows Server 2008 R2 operating systems. To utilize key-based renewal, client computers must be running at least Windows 8 or Windows Server 2012 operating
  systems.
  Please follow the below article for more details:
  http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx
  Regards,
  Yan Li
  Regards, Yan Li

• NDES Certificate Enrollment on Surface fails

  Hi all
  I implemented a NDES infra based on Pietrs Blog in my Sandpit Lab (Infra runs on ConfigMgr 2012 R2 CU4), OS 2012 R2
  http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune.aspx I repeated each step sure 2 or 3 times.
  If I try to assign a Client Cert/user Cert (both of them) it always fails 0X87D1FDE8 Remediation failed as posted here
  https://social.technet.microsoft.com/Forums/en-US/15aebec7-4870-49af-8c0c-17d3d376783a/ndes-scep-certificate-profile-0x87d1fde8-remediation-failed-deployment-of-certificate-profiles?forum=configmanagermdm&prof=required
  (All Certs are new re-created. NDES, CRP new installed). If there are no enrollments of certs possible I can understand it but Android 4.2 Devices are enrolling like a charme. A Detail the NDES Server is reachable via WAP Proxy but this works (If I enter
  the Test URL I'm able to open the cert file). Finally on the Surface the Regkey in the MDM Hive is created and the NDES URi is available. All Log Files are looking fine.
  Any ideas/help or tips will be very appreciated.
  Cheers,
  +Mat

  All
  It is running know. It was a heavy war in My lab ... ;-) - and raised from several missconfigured components and  Settings. For an easier overview enclosed by component:
  CA
  I have an Enterprise Root CA with subordinated Issueing CA in the lab. Failure 1: The life time of the Issueing CA Cert is only configured for 2 years. So I changed this using certutil to 10 years (Root CA 20 years, Issueing 10 years). Failure 2: The NDES
  Template had a longer life time than the issueing CA. This raised in the failed cert request the issue "Life time incorrect"
  WAP Proxy
  On the WAP Proxy the required Settings
  Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  Value: MaxFieldLength
  Type DWORD
  Data: 65534 (decimal)
  Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters  
  Value: MaxRequestBytes
  Type DWORD
  Data: 65534 (decimal)       
  were applied but the required December Update 2014 Hotfix
  http://blogs.technet.com/b/ems/archive/2014/12/11/hotfix-large-uri-request-in-web-application-proxy-on-windows-server-2012-r2.aspx was not properly installed (the WAP Proxy is a Workgroup Server)
  NDES
  The listed http Settings above I made a mistake (Dec and Hex) so typically copy/past error.
  CRP
  At least one Server is properly configured
  Some Remarks
  Within the Policies both certs Root and Iuessing CA has to be deployed to the Root Store. Later on in the configuration for the SECP Cert enrollment the template of the issueing CA has to be choosen.
  Very happy that this is rolling. Next step is to configure the WIFI Network (NPAS) that only devices with a valid Client certificate can use them.
  The biggest pain Overall is that the logging process is not really helpful and confusing e.g. the MCSEP.log reports
  2905.902.0:<2015/4/14, 19:31:3>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 44D6EDAE C3C7C52F DE1B2CE4 9C102C22 5DF4CC54 but the enrolling is working fine. Here Microsoft should investigate for a better overview.
  Cheers,
  +mat

• Auto certificate enrollment for computers not happening

  Hi
  In my environment the auto certificate enrollment for computers not happening through GPO.
  Domain computers has permission of enroll on computer certificate template.
  Please suggest.
  Regards,
  Deepak S

  Hi,
  Please reconfirm the Autoenrollment group policy is configured and applied to the user or machine. Verify the Group Policy settings set the proper registry settings. If Group
  Policy is configured correctly, the next step is to troubleshoot enrollment.
  Autoenrollment requires the use of Version 2 or Version 3 Certificate Templates. Certificate Authorities must be on the appropriate OS Version and edition. The table below
  outlines OS Version and Edition support for Version 2 and Version 3 certificate templates.
  The similar thread:
  Certificate Autoenrollment for Domain Computers GPO does not work
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/3797dad9-6c4f-41e4-8c4f-ad37a7570aa4/certificate-autoenrollment-for-domain-computers-gpo-does-not-work?forum=winserversecurity
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• SSL certificates and Web Services Usage inside Oracle Database Questions!

  We have implemented a specific business logic using PL/SQL for our client, so we open a file and process each line of this, doing something in the Database and also call a Web Services (Service1) using UTL_HTTP package. Service1 runs in a Windows 2008 Server in the DMZ as Database server.
  Service1 is already working, and we can call the service from PL/SQL without troubles.
  However, according with security client's policies they requires all Web services be consumed via https including Service1, so we must to follow the procedure established for Oracle in order to enable the calling of service1 via https from the Database.
  Our client's DBA and IT Team are concerned about two subjects before to continue to follow the certificate installation:
       - SSL Certificates:
  1- Can installed certificates in the Database put in risk the stability of the database?
            2- Can installed certificates in the Database generate performance issues?
            3- Can installed certificates reloading the Databases?
            2- Can installed certificates in the Database generate security issues?
       - Web services:
  1- Can web services calling from the Database put in risk the stability of the database?
  2- Can web services calling from the Database generate performance issues?
  3- Can web services calling from the Database generate security issues in the DMZ?
  Could you please give us any clues, about the possible negative impact related with the SSL certificates and Web Services Usage inside Oracle Database, if it’s the case this impact exists?.
  Those are the links describing the procedure mentioned above.
  1 -http://www.kotti.es/2009/11/oracle-wallet/
  DB: Oracle 9i.
  Average number of lines in file: 300
  Periodicity: Twice at day.

  Thiago:
  You are correct in that there should be no problem interacting with a Web service that has an HTTPS endpoint as long as you create a wallet and specify it when you make your UTL_HTTP calls, like the PayPal example.
  I am not aware of a PL/SQL utility to create a XMLDsig Standard message, but if you find some Java source out there that does it, you may be able to follow a technique I used for a similar use case:
  http://jastraub.blogspot.com/2009/07/hmacsha256-in-plsql.html
  Regards,
  Jason

• No password prompt from ASA 5500 for certificate enrollment

  Greetings,
  I work in a lab testing interoperability between Avaya and Cisco VoIP products.
  I am setting up an environment to test Avaya 96x1 phones with VPN using SCEP
  going thru an ASA 5510 to a backend IP PBX. 
  Environment:  Windows Server 2008 R2, Enterprise Edition, AD with DNS, NDES
                       Cisco ASA 5510 running 9.0(1)
  I would like to setup certificate enrollment between a Windows Server 2008 R2 and a
  Cisco ASA 5510.  Here are the commands that I use for the Cisco ASA 5510:
       crypto key generate rsa modulus 2048
       crypto ca trustpoint ASA5510-trust
           enrollment url http://10.129.112.20/certsrv/mscep/mscep.dll
           enrollment retry period 5
           enrollment retry count 3
           password Interop123
           exit
       crypto ca authenticate ASA5510-trust
       crypto ca enroll ASA5510-trust
  Everything works as expected until I try to enroll. There is no prompt for the
  enrollment password and the certificate request is denied.
  ciscoasa(config)# crypto ca enroll ASA5510-trust
  % Start certificate enrollment ..
  % The fully-qualified domain name in the certificate will be: ciscoasa.avayasil.avaya.com
  % Include the device serial number in the subject name? [yes/no]: No
  Request certificate from CA? [yes/no]: yes
  % Certificate request sent to Certificate Authority
  ciscoasa(config)# The certificate enrollment request was denied by CA!
  Why isn't there a prompt for the enrollment password?
  BTW, If I set "enforcepassword" to "0" in the Windows registry, then it works.
  Thanks,

  Richard,
  In the trustpoint config you have the challange defined.
  http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/p1.html#wp1961480
  If this command is enabled, you will not be prompted for a password during certificate enrollment.
  Did you try removing it? If you're still not being asked after removing it. It's most likely a bug.
  M.

• Certificate Enroll Errors RPC Server Is Unavailable

  I have a scenario in which I would like some advice before moving on. We have a Server 2012 root CA that was put in about a year-year and a half ago and at the same time there was another 2008 R2 root CA that was installed on a DC that was hosting FSMO roles.
  Well that DC started to die so we transferred the FSMO roles and removed certificate services. However, we only uninstalled the role but as I understand, there is a bit of cleanup to do in AD beyond just removing the role. So when we started to perform the
  first step, I noticed remnants of old servers that are no longer around. I've discovered that our previous admin had made 3 other servers (I believe all 2003) that have all completely gone away and yet are still listed in the Trusted Root Certification Authorities
  on all computers and I find in the event log the following error when I log in to our domain machines of them trying to contact each of the old CA servers:
  Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID N/A from server.domain.org\server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
  Now I have no way of knowing whether or not this admin actually properly removed the role before decommissioning these servers and I have no idea why we needed so many servers to be root CA's in the first place? Anyhow, I was wondering if the proper procedure
  would be to remove the root trusted certs from group policy and then clean up the remnant entries in AD as described in the Microsoft documentation of removing a root CA from your environment. I still see some errors and machines requesting to check for stuff
  like CRL with the most recent root CA that we removed so I just wanted to check to see if all of these errors will go away once we finish the cleanup and if there is anything special that needs to be done for the potentially orphaned root CA's. We did take
  a backup of the 2008R2 CA (the one that was on the dying DC) before we removed the role and I have confirmed that our production CA (the one that we would like to remain in production - is a sub CA of an offline root) has already issued new machine and DC
  certs to our domain machinese and domain controllers.
  Sorry for the lengthy post. Please let me know if any more information is required and thank you in advance!

  Hello,
  the root CA normally is the first one in a forest issuing the certificates for the subordinate CAs if required or for certificates.
  http://technet.microsoft.com/en-us/library/cc731183.aspx
  SO there is no need for multiple root CAs.
  To get rid of everything old and be sure the CA is configured correct for your needs I suggest to ask this in
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://msmvps.com/blogs/mweber/
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

• Cisco CA + Cisco VPN Client - Error 42: Unable to create certificate enrolment request

  We find ourselves in a difficult situation with the
  Cisco VPN Cleint version 5.0.07.0290 where it keeps giving us an
  "Error 42: Unable to create certificate enrolment request" when we attempt to use the Online enrolment method to create and enrol a new certificate.
  There is no additional information in the VPN client logs where we have set 3-High for all logs.
  In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
  To create and enrol a certificate we do the following:
  1. Click on the Enroll button to show the Certificate Enrolment dialog
  2. Select  Online
  3. Select <New> for Certificate Authority
  4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
  5. Click Next to display the dialog where we can enter certificate details
  6. Enter details in all fileds except IP Address and Domain
  7. Click Enroll which shows a dilaog with the Error 42 ... message in it.
  If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrolment request.
  The fact that the client does not send any messages to the Cisco CA leads us to belive that we have a pronblem on the clinet machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem.
  We will be grateful for any assistance that you can provide with this issue. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the clinet on a Windows 7 64bit machine and attempted the steps listed above.
  Thank you
  Emil

  FYI, I just came up against this problem and the solution in my instance was to ensure that the Cisco CA Server was configured to automatically grant certificate requests.
  Cisco2691#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  Cisco2691(config)#crypto pki server CERTSERVER
  Cisco2691(cs-server)#grant ?
    auto     Automatically grant incoming SCEP enrollment requests
    none     Automatically reject any incoming SCEP enrollment request
    ra-auto  Automatically grant RA-authorized incoming SCEP enrollment request
  Cisco2691(cs-server)#grant auto
  % The CS config is locked. You need to shut the server off before changing its configuration.
  Cisco2691(cs-server)#shut
  Cisco2691(cs-server)#grant auto
  Cisco2691(cs-server)#
  Mar 25 19:39:53.356: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
  Cisco2691(cs-server)#no shut
  % Certificate Server enabled.

• ASA Local CA certificate enrollment invitation

  Hi,
  I have been looking for the answer for a while.....
  My ASA is version 8.2.1
  I am planning to use ASA loca CA to ditsribute certificate for SSL VPN user.
  After I create a user and email OTP, you get the E-mail like below.
  (The following example is found at http://www.cisco.com/japanese/warp/public/3/jp/service/manual_j/sec/asa/caclcg4/chapter39/12172_01_39.shtml)
  Date: 12/22/06
  To: [email protected]
  From: Wuseradmin
  Subject: Certificate Enrollment Invitation
  You have been granted access to enroll for a certificate.
  The credentials below can be used to obtain your certificate.
  Username: [email protected]
  One-time Password: C93BBB733CD80C74
  Enrollment is allowed until: 15:54:31 UTC Thu Dec 27 2006
  NOTE: The one-time password is also used as the passphrase to unlock the certificate file.
  Please visit the following site to obtain your certificate:
  https://wu5520-FO.frdevtestad.local/+CSCOCA+/enroll.html
  You may be asked to verify the fingerprint/thumbprint of the CA certificate
  during installation of the certificates. The fingerprint/thumbprint should be:
  MD5: 76DD1439 AC94FDBC 74A0A89F CB815ACC
  SHA1: 58754FFD 9F19F9FD B13B4B02 15B3E4BE B70B5A83
  My question is where the hostname (wu5520-FO.frdevtestad.local) of URL is from.
  I though it is from hostname of ASA, so I changed hostname of ASA.
  However the URL did not change.
  Any comment would be greately appricated.
  Thanks,
  Taro

  Hello Taro,
  Agree with Atri,
  I have not deal with this cases but it makes sense that you need to reset the CA server as it's basically using a different configuration set for the FQDN.
  As soon as you enable the ASA CA capability the URL will be created based on the FQDN, so as it's up and running it will not change... That's how I see it,
  Give it a try and let us know,
  I think you can only remove the CA config with
  clear config crypto ca server’
  So be careful,
  Regards
  Julio

• Error with web service SRT: Unexpected failure in SOAP processing occurred:

  Hello,
    I get the following error with a web service
  "SRT: Unexpected failure in SOAP processing occurred: ("No configuration for this HTTP server instance")"
  Any ideas on how to solve this ?
  Thanks.
  Regards, Michel

  Hi,
  I think the WSDL file shared with you and the soap message you are getting are a mismatch.
  Try to check the soap message xml format and see if matches the ouputs tags structure in WSDL file.
  Thanks & Rgds,
  Aditya

• Failed Calling A X.509 Certificate Secured Web Service From OSB

  Hi,
  I have wsdl resource, business service and proxy service setup in OSB 11.1.1.6 on Linux. The business service will consume a X.509 certificate secured web service running on a remote server.
  Below is my approach:
  The consumer of the proxy service of OSB signs its saop request header.
  My OSB proxy service authenticates the signature and forward the request to business service.
  The business service signs the outbound soap request header. (To do this I configured the keystore in Security Provider Configuration of my SOA_domain in Enterprise Manager. Also I applied Web Service Policy of Service Client type to the business service.)
  This is not working yet. Not sure if my approach is correct or not?
  Thank you,
  Eric

  I validated the keystore, all the certificates used and the value for keystore.sig.csf.key / value for keystore.recipient.alias. They are all as expected. Restarted the server. Still failed for OSB to invoke the remote secured web service, but worked if only use soapUI to invoke the same remote secured web service directly.
  The error message is:
  General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption)
  In the soap request / reponse message shown in the OSB Test Console, there seems to be two signature sections in the header and encryption section although I tried not to encrypt the soap request. I am using Web Service Client Policy "calpers/wss11_x509_token_with_message_integrity_client_policy_osb" which was created based on "oracle/wss11_x509_token_with_message_protection_client_policy". The difference between the two policies is my policy not to sign nor to encrypt entire body.
  In the "Message Signing Setting" section, I unchecked the "Include Entire Body" and left the three default namespaces under the Header Elements.
  In the "Message Encrypt Setting" section, I unchecked the "Include Entire Body" and also left the one default namespace under the Header Elements.
  I don't know how to attach document here, so i add long saop message here.
       Business Service Testing - BookSec_Biz_Svc_52
       Request Document
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  </soap:Header>
  <soapenv:Body>
  <book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
  <book:bookId>10</book:bookId>
  <book:bookTitle>eric</book:bookTitle>
  <book:bookAuthor>Z</book:bookAuthor>
  </book:BookRequest>
  </soapenv:Body>
  </soapenv:Envelope>
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsu:Timestamp wsu:Id="Timestamp-eEud1RcUOPcnV0fDqd6gZQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsu:Created>2013-03-14T18:10:00Z</wsu:Created>
  <wsu:Expires>2013-03-14T18:15:00Z</wsu:Expires>
  </wsu:Timestamp>
  <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-VnzMtSwHMI8THKi2hhG2SQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  MIICazCCAdSgAwIBAgIEUTY65zANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxEzARBgNVBAcTCk1ldHJvcG9saXMxFjAUBgNVBAoTDUp1c3RpY2UgTGVhZ2UxFjAUBgNVBAsTDUp1c3RpYyBMZWFndWUxEzARBgNVBAMTCkNsYXJrIEtlbnQwHhcNMTMwMzA1MTgzNTE5WhcNMTMwNjAzMTgzNTE5WjB6MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxEzARBgNVBAcTCk1ldHJvcG9saXMxFjAUBgNVBAoTDUp1c3RpY2UgTGVhZ2UxFjAUBgNVBAsTDUp1c3RpYyBMZWFndWUxEzARBgNVBAMTCkNsYXJrIEtlbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJhF0cMUwB/EjAyIOy9Cq8KCDqTXvlnlvMGq6LEhiGOtrATYy+JnHURcPUeusi65Ua3bE7JACWhHJ0fYEl7NtxPPSN3Q1RovkWGQ6I5O2XuEyMHg3MISh2CHhnkGSR+W6riDSUoB0ZC0KTgu14OTwqo54JSY/ugQszY7QC9DAuabAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAWeQ6LjMo12bY65GmnrmLdbRNm95RkL6gJCKa9pyUaMfvaIqKpmMQW8RM+eB90CR5DrM8oO2+8uKcqTt/pGNRYi2UJh2X0CdmyQQTmf3mCfgoZ597VTl+k3mKHKeeST7ZwAyBRL2jI0VisopFHpUhIwABoDgwOMpLcCF974AZ2rA=
  </wsse:BinarySecurityToken>
  *<dsig:Signature* Id="XSIG-oISn2AADumTdR86sONuz8g22" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
  <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
  <dsig:Reference URI="#Timestamp-eEud1RcUOPcnV0fDqd6gZQ22">
  <dsig:Transforms>
  <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <dsig:DigestValue>3LQ1IpQR3rKHvP6Ov/m9ZRoecZM=</dsig:DigestValue>
  </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>X2BUn9TLL26Ay9A3HGEn/mnGCCE=</dsig:SignatureValue>
  <dsig:KeyInfo>
  <wsse:SecurityTokenReference>
  <wsse:Reference URI="#EK-h7saqC1VyBKZw2n1IHz8GQ22" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
  </wsse:SecurityTokenReference>
  </dsig:KeyInfo>
  +*</dsig:Signature>*+
  *<dsig:Signature* xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
  <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <dsig:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22">
  <dsig:Transforms>
  <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <dsig:DigestValue>dau9qjB2lxIvlaoDIHuWVHqjulI=</dsig:DigestValue>
  </dsig:Reference>
  <dsig:Reference URI="#STR-QC3ZDBRwsXv8unEWVns9rQ22">
  <dsig:Transforms>
  <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
  <wsse:TransformationParameters>
  <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </wsse:TransformationParameters>
  </dsig:Transform>
  </dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <dsig:DigestValue>nPO9mKSC9cMg2fEkGZI+ujy5O1Q=</dsig:DigestValue>
  </dsig:Reference>
  <dsig:Reference URI="#XSIG-oISn2AADumTdR86sONuz8g22">
  <dsig:Transforms>
  <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <dsig:DigestValue>qXkW/ZFFNc8Bu0VL9eF6c4np7IA=</dsig:DigestValue>
  </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>
  MuHCTh5cW8TiVKtkWFl+Of2EFAiHwuPTR7J9b4/n2KZtPy2OCrgi1lBpuzhFKLhoBxYNOK8TMOa/3b223Vv+CQUfUP7z0YVj5Ck7QETYngaQlS07KulnstJjsAgHBV8Zk3A0EafuWF2c3t5wBzEkgEC99v0EdY3mRiCzt7vh2qs=
  </dsig:SignatureValue>
  <dsig:KeyInfo Id="KeyInfo-0LT1QavoIVXOHesZfrxTwg22">
  <wsse:SecurityTokenReference>
  <wsse:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  </wsse:SecurityTokenReference>
  </dsig:KeyInfo>
  +*</dsig:Signature>*+
  *<xenc:EncryptedKey* Id="EK-h7saqC1VyBKZw2n1IHz8GQ22" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
  </xenc:EncryptionMethod>
  <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <wsse:SecurityTokenReference wsu:Id="STR-QC3ZDBRwsXv8unEWVns9rQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">q9Z9yPxvNw4CvSLQNI4rxVlSF+w=</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
  </dsig:KeyInfo>
  <xenc:CipherData>
  <xenc:CipherValue xmime:contentType="application/octet-stream" xmlns:xmime="http://www.w3.org/2005/05/xmlmime">
  Tgdhxy6wMJBBrw23iq1GLCm0TYKBXSVQvBcN+7TXdXL6FPSjhcbfXqtoz7wzirbSwUZuu+DrYuWs
  0BjRXqw3auUSCMlkm4IoT1ag3wFQQ/PEbB8HNlYhW3gp/At3toTw+k5p9wOUd4BMFAiXyeHQ8+dQ
  8JUiohXhiHErTDn6fFQ=
  </xenc:CipherValue>
  </xenc:CipherData>
  </xenc:EncryptedKey>
  </wsse:Security>
  </soap:Header>
  <soapenv:Body>
  <book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
  <book:bookId>10</book:bookId>
  <book:bookTitle>eric</book:bookTitle>
  <book:bookAuthor>Z</book:bookAuthor>
  </book:BookRequest>
  </soapenv:Body>
  </soapenv:Envelope>
       Response Document
  The invocation resulted in an error: Internal Server Error.
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
  <soapenv:Fault>
  <faultcode>soapenv:Client</faultcode>
  <faultstring xmlns:lang="en">
  General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption) </faultstring>
  </soapenv:Fault>
  </soapenv:Body>
  </soapenv:Envelope>
       Response Metadata
  <con:metadata xmlns:con="http://www.bea.com/wli/sb/test/config">
  <tran:headers xsi:type="http:HttpResponseHeaders" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <tran:user-header name="Accept" value="text/xml"/>
  <tran:user-header name="Expires" value="Thu, 14 Mar 2013 18:10:01 GMT"/>
  <tran:user-header name="SOAPAction" value="&quot;&quot;"/>
  <http:Cache-Control>max-age=0</http:Cache-Control>
  <http:Connection>close</http:Connection>
  <http:Content-Type>text/xml; charset=UTF-8</http:Content-Type>
  <http:Date>Thu, 14 Mar 2013 18:10:01 GMT</http:Date>
  <http:Server>Apache</http:Server>
  <http:Transfer-Encoding>chunked</http:Transfer-Encoding>
  </tran:headers>
  <tran:response-code xmlns:tran="http://www.bea.com/wli/sb/transports">2</tran:response-code>
  <tran:response-message xmlns:tran="http://www.bea.com/wli/sb/transports">Internal Server Error</tran:response-message>
  <tran:encoding xmlns:tran="http://www.bea.com/wli/sb/transports">UTF-8</tran:encoding>
  <http:http-response-code xmlns:http="http://www.bea.com/wli/sb/transports/http">500</http:http-response-code>
  </con:metadata>

• WLC: which software-version support SHA2 certificates for Web Authentification and Web Management ?

  Hello,
  I tried to install new SHA2 3th-Party certificates on our WLCs. There are old WiSM1-Boards and 2504 to support our old 1230 Access Points, running 7.0.251.2, which didn't install it, although the config manual for 7.6 and 8.0 say that SHA2 certificates are supported since 7.0.250.0. When I tried to install the SHA2-certificates I get the message "File transfer failed" an the log says:
  *TransferTask: Dec 12 13:22:14.394: #UPDATE-3-CERT_INST_FAIL: updcode.c:1869 Failed to install Webauth certificate. rc = 1
  *TransferTask: Dec 12 13:22:14.394: #SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4085 Cannot PEM decode private key
  I tried to install the same certificates on our WiSM2-Boards, running 7.4.121.0 and I failed too. The same certificates could be installed on a 2504 running 8.0.100 without any problems.
  In all 3 cases I tried to install unchained certificates for web management and Level 3 chained certificates  for web authentication. I used the following guides to get the certificates (e.g. taken from the config manual 8.0.100):
  http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.pdf
  Which software versions support SHA2 certificates and which didn't ? Is the a list for it ?
  Regards

  Hello,
  I solved the problem. First I used a Debian Linux system with Openssl 1.0.1. After I searched the internet using one of the log messages above I found sites which mentioned to use Openssl 0.9.x. So I tried a productive and security fixes Debian Linux System running Openssl 0.9.8 and I succeeded. The wlcs accepted the certificate files and used it after a reboot. The Web GUI still shows a SHA1 Fingerprint, but the certificate signature Algorithm is SHA2:
  Signature Algorithm: sha256WithRSAEncryption
  When you check the openssl.org homepage Openssl 0.9.8 is still one of the actual version of openssl and is still available and fixed. But the Openssl Roadmap says:
  "We don't want to have to maintain too many branches. This is likely to include a timescale for the EOL of version 0.9.8"
  I don't know the differences between certificates made with openssl 0.9.8 and 1.0.1. Is there anybody who can explain it to me ?
  Regards

• MAC OS X Certificate Enrollment

  I want to use this configuration for MAC OS X certificate enrollment. What is required on the Windows PKI side for this to work? Do I need NDES or something else?
  Thank you.
  MCITP Exchange 2010 | MCITP Lync Server 2010 | MCTS Windows 2008

  The Macintosh OS lacks any long term certificate life-cycle management and the difficulty of enrollment and lack of renewal generally makes this un-scalable. Third party products fill the gap - such as AirWatch or Mobile Iron.
  Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

• Is there any guide lines how you can secure windows 7 gpo enable system services startup security settings?

  Is there any guide lines how you can secure windows 7 gpo enable system services startup security settings?
  For example like many do with Forefront Client Security Anti-Malware service, and there is lots of other service that you would like to have control over to get an secure and stable Windows 7.
  /SaiTech

  Hi, 
  Since there is no response from you, we considered that you have gotten what you want in previous post. 
  For further question, please don't hesitate to come back here and let's discuss again. 
  If you have any feedback on our support, please click here
  Kate Li
  TechNet Community Support

• Deleted user Certificate enrollment requests

     We have a user account, "Temp_admin " which was set up as a temporary domain admin, which was deleted  a few months ago. For some reason this account is still triggering and Successfully being authenticated for certificate enrollment
  on our internal certificate server. At least according to the application log on Dc#4. Looking at the logs on our certificate server this user does not even exist. event ID's 64 and 65 every 3-4 minutes with this. Any idea how to stop this or atleast keep
  it from authenticating?
  Server 2008r2 domain.
  Certificate enrollment for *******\Temp_admin successfully load policy from policy server 
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}"
  EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">64</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated
  SystemTime="2014-09-02T19:56:04.000000000Z" />
    <EventRecordID>99069</EventRecordID>
    <Correlation
  />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>MDSTVDC04.*******.local</Computer>
    <Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
    </System>
  <EventData>
    <Data Name="Context">*******\Temp_admin</Data>
    <Data Name="ServerID" />
    </EventData>
   </Event>
  Certificate enrollment for *******\Temp_admin is successfully authenticated by policy server {0E730552-3DDB-465A-83AD-CFAF040B236B}
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}"
  EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">65</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated
  SystemTime="2014-09-02T19:56:04.000000000Z" />
    <EventRecordID>99068</EventRecordID>
    <Correlation
  />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>MDSTVDC04.*******.local</Computer>
    <Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
    </System>
  <EventData>
    <Data Name="Context">*******\Temp_admin</Data>
    <Data Name="ServerURL">{0E730552-3DDB-465A-83AD-CFAF040B236B}</Data>
    </EventData>
    </Event>

  Temp_admin is deleted from the domain
  sid2username output: Error evaluating user name. Some or all identity references could not be translated. 
  Tested with Known accounts and they work so Temp account can not be found.
  First thing I tried to do was search the AD Domain by both the sid and username and they could not be found. I was involved in a motorcycle accident and a temp was hired for the 3 months I was away. The temp did not leave on good terms and the account was
  deleted as soon as she left the building. 
  This user was still listed under user profiles in the registry with that sid. 
  I deleted all references to the sid from the registry on that DC and restarted the server and the issue has disappeared. Really don't think I should have had to go this route though.