Default certificate policies for DoD Root CA 2?

Similar Messages

• Need the default configuration of map-class and policies for WAAS version 5.3.1.20

  Do someone have the default configuraion cli of class-maps and policies for the WAAS version 5.3.1.20. I need this to compare with the configuration that I have in the network, I need the verify what have been changed.

  I'm sure you figured this out already since it's been 9 months.  But just in case someone needs this - you can restore the default policies if they don't show up.  Device Groups -> AllWAASGroup and edit.  There you will see a "Restore default Optimization Policies"

• Default acl permissions for root and user?

  after running permissions i keep getting acl permissions changed and will repair. Apparently it doesn't. Is their a manual way of resetting to defaults for both root and user.

  Turns out they didn't change themselves, but authentication got out of whack. This post fixed it for me, but I just jogged access on ical and blogs. Not sure which or both is needed, but after I toggled them over and back I was up and running again.
  <SNIP>
  Solution found athttp://michaeljin.wordpress.com/2010/01/05/locked-out-of-mac-os-x-server/
  It’s blog update time! Updates have been a little scarce lately, been super busy with getting trophies on PS3
  Anyway, recently encountered the following with a Mac mini server running Snow Leopard Server:
  Despite being able to ARD / Screenshare the Mac mini, I was unable to get any further than the login window. Authentication credentials are obviously valid. No weird access permissions have been set. However, the weird thing was, I can connect to the server via Server Admin tools (from another Mac) and all other services were running without a hitch.
  After much head scratching it turns out to be a sACL (Service Access Control List) issue.
  This thread solved the mystery!
  http://discussions.apple.com/thread.jspa?threadID=1654864
  To save you the trouble, I’ll lay it out here. I cannot take credit for this, but Randall can!
  Open Server Admin on a computer (any), and connect with the local admin to the machine.
  Select the server and authenticate.
  Select Settings, then go to Access. You’ll want to make sure that Login Window and SSH have the local admin account listed if you select the option to “Allow only these users”. For now, I would suggest making sure all services have “Allow all users and groups” selected.
  If (as in my case) it was set to Allow All in the first place, simply toggle the settings – back and forth.
  Save.
  Try logging in again… should be a good one!
  </SNIP>

• 802.1x/EAP-TTLS and EAP Certificate Policies

  Hello,
  I am having a hard time with 802.1x authentication against a radius server I manage. Every time I try to connect, I get a pop up about certificate verification - the certificate cannot be verified because there are no explicit trust settings. This system is to be used to authenticate people on a wireless network we are setting up. The machines and people being authenticated are not managed - I do not have the ability to force a configuration on their computer.
  After researching this it looks like OS X has certificate policies that are consulted depending on the certificate operation requested. For 802.1x, I think the EAP certificate policy and the x.509 basic policy are consulted. These policies are outlined here.
  The problem is that when I get the certificate popup and hit 'View Certificate', I don't see anything that would explain why it is not being verified. Both the server certificate and the CA root certificate are listed as valid. There are no messages about insufficient extended key usage values or hostname mismatches or anything. How can I tell what is actually wrong?

  I was hoping this could be accomplished without having to change the trust settings from whatever the default is. The people who will ultimately be using this are students and staff at a University - a moderate number of which are bothered by any appearance of lower security.
  The root cert is in X509Anchors. The certificate CN is the IP address and the RADIUS server does not have a PTR record in the DNS server.
  If I point Firefox at a website set up on the same machine with the same certificate, there are no complaints. If I use Safari, there is an error about the names not matching but the name listed on the cert according to Safari is the same name I typed in the address field and the same name listed in the ServerName configuration of the web server.
  Just kind of a weird problem.

• SBS 2011 GPO for changing the default save location for Word/Excel 2013 not working

  So this is a strange one. I've got an SBS 2011 server that's the only domain controller in the org. I've created a GPO to change the default save location for Excel 2013 and Word 2013 using the Office 2013 ADMX files which were installed to the PolicyDefinitions
  folder.
  The GPO (U-Office2013 Default Save Location) only contains:
  1. User Configuration - Microsoft Excel 2013/Excel Options/Save - Default file location - Enabled - Z:\
  2. User Configuration - Microsoft Word 2013/Word Options/Advanced/File Locations - Default file location - Enabled - Z:\
  The GPO is linked at the OU that contains my users for my SBS organization.
  When I do a gpupdate /force on a windows 7 system with office2013 installed, and then run a gpresult/rsop, the policy appears to be applied successfully as it lists my GPO under the Applied GPOs list on the workstation:
  Applied GPOs
  Default Domain Policy dyndns.local AD (24), Sysvol (24)
  U-Office2013 Default Save Location domain.local/SBSusers AD (6), Sysvol (6)
  In the gpresult report, the applied settings appear under:
  Administrative Templates
  Extra Registry Settings
  software\policies\microsoft\office\15.0\excel\options\defaultpath Z:\ U-Office2013 Default Save Location
  software\policies\microsoft\office\15.0\word\options\doc-path Z:\ U-Office2013 Default Save Location
  BUT, when I go to the workstation, and check office->options-Save-default file path, the path has not been changed to what the GPO is pushing.
  The strange thing is that in my test environment running 2008R2 server and Win7 with Office 2013 and identical settings the default save location is applied and works as expected.
  Any ideas?
  I've already tried re-installing the ADMX templates and re-created the GPO's several times.
  I should also note that other GPO's on the SBS2011 server such as the folder redirection GPO work as expected on the same windows 7 system. It just appears to be an issue with the default save location in office2013 and other Office 2013 related GPOs which
  utilize the recently added ADMX template that don't seem to be working for me.
  Thanks in advance.

  Hi Justin,
  Thanks for your reply. I have tried several different user accounts (all have local admin privileges to the workstation) with the same issue. The default save path does not get applied from the GPO to any of the users i've tried. Here's the steps I took
  per your suggestion:
  1. log on as a user who has never logged onto the workstation before.
  2. run gpupdate /force (entered y for yes when prompted to log off).
  3. Log back in as the user and open Office and check the default save path. It has not been changed to match the GPO setting.
  4. Check rsop to see if the policy was applied. Rsop states the gpo was applied successfully.
  I have attached the gpsvc.log file from a the session described above. The GPO Guid in question is: {DC3C93EC-7C28-48E9-BA38-FCA1E275A207}. Its common name is: U-Word 2013 Default Save Location. It's only setting is:
  Policies\Administrative Templates\Policy definitions(admx files retrieved from central store\Microsoft Word 2013\Word Options\Advanced\File Locations\Default File Location = Enabled\Documents = F:\
  -------gpsvc.log sections containing the aforementioned GUID start---------
  GPSVC(410.1730) 09:10:51:186 ProcessGPO:  ==============================
  GPSVC(410.df0) 09:10:51:186 GetGPOInfo:  ********************************
  GPSVC(410.1730) 09:10:51:186 ProcessGPO:  Searching <cn={DC3C93EC-7C28-48E9-BA38-FCA1E275A207},cn=policies,cn=system,DC=gc,DC=local>
  GPSVC(410.1730) 09:10:51:186 ProcessGPO:  User has access to this GPO.
  GPSVC(410.1730) 09:10:51:186 ProcessGPO:  GPO passes the filter check.
  GPSVC(410.1730) 09:10:51:186 ProcessGPO:  Found functionality version of:  2
  GPSVC(410.1730) 09:10:51:186 ProcessGPO:  Found file system path of:  <\\gc.local\SysVol\gc.local\Policies\{DC3C93EC-7C28-48E9-BA38-FCA1E275A207}>
  GPSVC(410.1730) 09:10:51:186 ProcessGPO:  Found common name of:  <{DC3C93EC-7C28-48E9-BA38-FCA1E275A207}>
  GPSVC(410.1730) 09:10:51:186 ProcessGPO:  Found display name of:  <U-Word 2013 Default Save Location>
  GPSVC(410.1730) 09:10:51:191 ProcessGPO:  Found user version of:  GPC is 3, GPT is 3
  GPSVC(410.1730) 09:10:51:191 ProcessGPO:  Found flags of:  0
  GPSVC(410.1730) 09:10:51:191 ProcessGPO:  Found extensions:  [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F73-3407-48AE-BA88-E8213C6761F1}]
  GPSVC(410.1730) 09:10:51:191 ProcessGPO:  ==============================
  GPSVC(410.1730) 09:10:51:191 ProcessLocalGPO:  Local GPO's gpt.ini is not accessible, assuming default state.
  GPSVC(410.1730) 09:10:51:191 ProcessLocalGPO:  GPO Local Group Policy doesn't contain any data since the version number is 0.  It will be skipped.
  GPSVC(410.1730) 09:10:51:191 GetGPOInfo:  Leaving with 1
  GPSVC(410.1730) 09:10:51:191 GetGPOInfo:  ********************************
  -------gpsvc.log start---------
  -------output of gpresult /r-------
  Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
  Copyright (C) Microsoft Corp. 1981-2001
  Created On 5/30/2014 at 9:24:08 AM
  RSOP data for GC\ssanders on OPTI9020-01 : Logging Mode
  OS Configuration:            Member Workstation
  OS Version:                  6.1.7601
  Site Name:                   Default-First-Site-Name
  Roaming Profile:             N/A
  Local Profile:               C:\Users\ssanders
  Connected over a slow link?: No
  COMPUTER SETTINGS
      CN=OPTI9020-01,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=gc,DC=local
      Last time Group Policy was applied: 5/30/2014 at 9:10:47 AM
      Group Policy was applied from:      GCSBS.gc.local
      Group Policy slow link threshold:   500 kbps
      Domain Name:                        GC
      Domain Type:                        Windows 2000
      Applied Group Policy Objects
          Windows SBS CSE Policy
          Windows SBS Client - Windows Vista Policy
          Windows SBS Client Policy
          Update Services Client Computers Policy
          C-Create Syntiro Root Folders
          Default Domain Policy
      The following GPOs were not applied because they were filtered out
          Local Group Policy
              Filtering:  Not Applied (Empty)
          Windows SBS Client - Windows XP Policy
              Filtering:  Denied (WMI Filter)
              WMI Filter: Windows SBS Client - Windows XP
      The computer is a part of the following security groups
          BUILTIN\Administrators
          Everyone
          BUILTIN\Users
          NT AUTHORITY\NETWORK
          NT AUTHORITY\Authenticated Users
          This Organization
          OPTI9020-01$
          Domain Computers
          System Mandatory Level
  USER SETTINGS
      CN=Stephen Sanders,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=gc,DC=local
      Last time Group Policy was applied: 5/30/2014 at 9:13:17 AM
      Group Policy was applied from:      GCSBS.gc.local
      Group Policy slow link threshold:   500 kbps
      Domain Name:                        GC
      Domain Type:                        Windows 2000
      Applied Group Policy Objects
          Windows SBS User Policy
          Windows SBS CSE Policy
          Small Business Server Folder Redirection Policy
          U-Word 2013 Default Save Location
          U-Office 2013 Disable Backstage
          U-Office Disable Start Screen
          U-Office Trust Center Settings
          U-Word Autorecover Location
          U-Word Autosave Interval
          U-Word Disable Capitalization First Word
          U-Word Set Arial Default Font
          U-Word UI Customizations
          U-Power Plan Settings
          Default Domain Policy
      The following GPOs were not applied because they were filtered out
          Local Group Policy
              Filtering:  Not Applied (Empty)
      The user is a part of the following security groups
          Domain Users
          Everyone
          BUILTIN\Administrators
          BUILTIN\Users
          NT AUTHORITY\INTERACTIVE
          CONSOLE LOGON
          NT AUTHORITY\Authenticated Users
          This Organization
          LOCAL
          Windows SBS Link Users
          Windows SBS Fax Users
          Windows SBS SharePoint_MembersGroup
          Windows SBS Folder Redirection Accounts
          Windows SBS Remote Web Workplace Users
          High Mandatory Level
  -------end gpresult output-------       
  Thanks in advance for any help. I also have a pps ticket open with Microsoft, but they're dragging their feet.

• Cisco ISE 1.1.1.268 patch 4 (Authorization polices for company asset & non company asset)

  Is there any way to differentiate company asset & non company asset machines as both use same AD credentials but only difference is company asset is domain joined machines & non company asset only use AD credentials.
  We want to create different authorization polices for company & non company asset machines. What condition I can use under authentication & authorization which help us to differentiate them except certificate.
  We want to do posture assetment for them as well.

  Hello Tabish-
  There are several ways you can do that. The easiest way (In my opinion) is to use PEAP machine based authentication for your domain computers while using PEAP user based authentication for non domain computers. Based on that a different authorization profile will be applied to the supplicant. For example, you can have a rule where if a computer is part of domain computers then it gets an throziation profile called Full_Access but if a domain user then apply authorization profile called Limited_Access. An important part of this solution is for your AD to be locked down where only certain users/admin's can add computers to the domain. Otherwise, by default, any domain users can add a computer to a domain. Putting some posture checks in between those would also not be a problem.
  Some other methods are to use EAP-TLS with digital certificates but this requires that you have  a PKI in place and every single domain computer is issued a digital certificate.
  Some more advanced methods are EAP-Chaining where you can perform both machine and user authentication.
  I hope this helps!
  Thank you for rating!

• SSL: how to use Multiple Private key/Certificate pair for authentication.

  Hi all,
  i am implementing SSL in java using X509 Certificate/private key combination.
  i have two set of private key/certificate pair.
  one is factory default and another is generated at run time.
  my problem is to try ssl connection with both pairs on same tcp/ip connection.
  e.g. on server side: first try ssl connection with factory default certificate, if it fails try connecting with generated certificate on same tcp/ip connection.
  on client side: if generated certificate(this certificate was generated at server side) is present first perform server authentication using this certificate otherwise authenticate server with factory default certificate.
  can someone please help and let me know how do i need to configure both ends(client and server) for achieving the same.
  Thanks In Advance
  Saurabh Ahuja

  Client code does not contain any default truststore and needs a certificate for authentication.Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
  It's like this. The idea of PKI with SSL is as follows:
  - the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
  - the client has a truststore that trusts the server, one way or the other, see above.
  - the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
  - the server sends its cert to the client along with a digital signature signed by its private key.
  - the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
  At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
  If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
  You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time.

• Can we have multiple policies for the same gateway?

  Hi all,
  Is there a way in which we can have multiple policies for the default gateway?
  When I try adding a new gateway (which is not mentioned in the installer.properties file) and have policies, there is a 404 error.
  When I add another service to the same gateway, I get an error - that the service could not be added to default policy.
  Help me please...
  My need is as follows
  Want to have multiple policies, so that each of the web-service can be attached to same. The relation needs to be one-to-many. One policy can have multiple web-services.
  Thanks in advance...

  Its not possible for the same development object. Only 1 person can access an object at a time and if mutiple users modify an object new TASKs are created under the same TRANSPORT.
  Only after releasing the tr you can create a new tr on the same object.
  Message was edited by:
          Abhishek Jolly

• Using a custom certificate store for SCCM 2012 clients and primary site server

  I have read what seems to be all the pki related documentation out there for SCCM 2012. I have a PKI infrastructure up and running issueing certificates with an offline root through group policy autoenrollment. The problem that i'm faced with is we are migrating
  from SCCM 2007 that was in native mode and we chose not to use the CA that we used for the old SCCM environment. When the clients attempt to communicate with the M.P. it runs through all of the different certificates and adds a tremendous amount of overhead
  to the M.P. We will have ten's of thousands of clients by migration end. Could someone please point me to a document that goes over how to leverage a custom certificate store that I could then tell the new 2012 environment to use? I know that it's in there,
  I've seen it in the console. The setup is one primary site server with SQL on box and the pki I just mentioned as well as the old 2007 environment that is still live.
  I read that you can try and use SAN as a method of identifying the new certs but I haven't found a good document covering exactly how that works. Any info you could provide I would be very grateful for. Thanks.

  Jason, thank you for your reply. I'm getting the impression that you have never been in the situation where you had to deal with 2 different PKI environments. Let me state that I understand what your saying about trust. We have to configure the trusted root
  CA via GPO. That simply isn't enough, and I have a valid example to backup this claim. When the new clients got the advertisement and began the ccmsetup process I used the /pki switch among others. What the client end up doing was selecting a certificate that
  had the longest validity period which was issued by our old CA. It checked the authentication chain, found it to be valid and selected it for communication. At that point the installation failed, period, no caveats as you say. The reason the install failed
  because the new PKI infrastructure is integrated into the new environment, and the old is not. So when you said " that
  are trusted and they can use *any* cert that is trusted because at the end of the day, there is no
  difference between two valid certs that have the same purpose as long as they are trusted. "
  that is not correct. Both certs are trusted, and use the same certificate template, but only one certificate would allow the install to complete successfully.
  Once I started using the CCMCERTISSUERS
  switch the client install went swimmingly. The only reason I'm still debating this point is because someone might read this thread see your comments and assume "well I've got my new PKI configured as a trusted root CA, I should be all set" and their
  deployment will fail, just as my pilot did.
  About Intune I'm looking forward to doing a POC in the lab i built with my Note 3. I'm hoping it goes well as I really want to have our MDM migrated into ConfigMgr... I think the
  biggest obstacle outside of selling it to management will be the actual device migration from the current MDM solution. From what I understand of the enrollment process manual install and config is the only path forward.
  Thanks Jason for your post and discussion.

• Code signing cert error using Digicert - Unable to build a valid certificate chain for the signer

  Steps to fix this error on code signing adobe air using .p12 cert from Digicert - Unable to build a valid certificate chain for the signer
  a. Open Firefox and browse to https://www.digicert.com/digicert-root-certificates.htm
  b. On the middle of the page, download -
  DigiCert Assured ID Code Signing CA-1
  Valid until: 10/Feb/2026
  Serial #: 07:F4:73:6F:AF:EF:40:8A:1F:66:40:F2:65:D1:0A:C1
  Thumbprint: B170A10819BEA936905D719E643399783E1F4567
  Download
  c. Install the cert in Firefox
  d. Once done, export again the code signing cert from digicert, through (click Firefox -> Preferences -> View Certificates -> HIghlight the digicert code signing cert -> click Backup)
  e. Done, the newly exported file should now have the valid certificate chain and that should fix the error "Unable to build a valid certificate chain for the signer"
  Even though this is from Digicert, this should also work for other Certificate Authority providers assuming you download your provider's root cert for code signing.
  Regards,
  Reigner S. Yrastorza

  Are you talking about AIR Help produced by RoboHelp or an AIR application that you are creating?
  If the latter, please see the notice at http://forums.adobe.com/community/robohelp/airhelp
  If you are using RoboHelp, which version?
  See www.grainge.org for RoboHelp and Authoring tips
  @petergrainge

• Unable to build a valid certificate chain for the signer

  Updating an AIR application after a few years and needed a new signing certificate which I purchased from Comodo.  Imported it successfully into Keychain Access and exported it as a pfx file.  When I identified this certificate to Flash Builder it went all the way through the build process and then came up with the error "Unable to build a valid certificate chain for the signer".
  I can see there was a discussion on this matter in October 2011 but this did not seem to answer my question as that guy was trying to use an Apple Dev Centre key rather than paying for one like I did.
  TIA
  David

  In Keychain Access, command-click your Class 2/3 certificate, the CA's intermediate certificate, and the CA's root certificate before hitting export.
  Short guide: Code Signing Certificates for Adobe Air in OS X

• Windows 8.1 default logon prompt for smart card instead of username/password

  Hello,
  We are currently in our pre-deployment test phase for Windows 8.1 and are trying to knock out the high visibility problems that we notice.  One of the issues we've noticed:
  When logging into Windows, the default prompt is for a username/password.  all of our users are using smart cards, so they have to click "sign-in options", click the smart card icon, and then enter their PIN.  How would I change the startup
  screen to default to smart card?
  Also, when locking the screen by removing the card it again prompts for the username/password when unlocking the screen.  So the users again have to click on "sign-in options" and select the smart card, otherwise they risk locking out their
  account by entering the PIN in the username/password field.
  when locking the screen via ctrl-alt-del or windows-L unlocking does default to the smart card, so I know it can be done! 
  thanks,
  -Nick

  Hi,
  I'm afraid we couldn't change the Sign-in Options order, I checked GP and Registry, there is no way to do it.
  However, there is another way is just enable "Require smart card" In GP. While after this policy enabled, All users will have to use smart cards to log on to the network. This means that the organization must have a reliable public key infrastructure (PKI)
  in place, and provide smart cards and smart card readers for all users.
  Location: GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
  Roger Lu
  TechNet Community Support

• Default Domain Policies

  By default, two polices are created when you dcpromo a server: Default Domain Policy, and Default Domain Controllers Policy. These polices should have guids of {31B2F340-016D-11D2-945F-00C04FB984F9} and {31B2F210-016D-11D2-945F-00C04FB981F1} respectively. However, in my 2003 domain, someone had renamed the default domain policy and put a new one named "Default Domain Policy". To make things worse, the Default Domain Controller Policy is missing but a new policy called "Default Domain Controllers Policy" is in its place. I currently have the following:
  Default Domain Policy -> {C0C9ADF5-8E49-499C-87B2-2804931871DA}
  Default Domain Policy - Disabled Original -> {31B2F340-016D-11D2-945F-00C04FB984F9}
  Default Domain Controllers Policy -> {6AC1786C-016F-11D2-945F-00C04fB984F9}
  I do not have backups of the original policies. I suspect the polices have been in this state for at least a year if not longer.
  What is the impact of leaving the policies in their current state?
  Should I attempt to restore the original policies using dcgpofix.exe?
  Will using dcgpofix cause any issues with my Exchange 2003 or SMS 2003 environments?
  Thanks,
  Sean

  Hi,
  The default policies created by the system should be:
  Default Domain Policy
  {31B2F340-016D-11D2-945F-00C04FB984F9}
  Default Domain Controllers Policy
  {6AC1786C-016F-11D2-945F-00C04fB984F9}
  These two policies are built-in policies that define default settings applies to domain users and computers.
  In this issue, I’d like to know whether the original Default Domain Policy is still linked to the domain or not. If yes, it will be OK even though it is renamed.
  Regards,
  Miles Li
  Microsoft Online Community Support
   

• Certificate authentication for Cisco VPN client

  I am trying to configure the cisco VPN client for certificate authentication on my ASA 5512-X. I have it setup currently for group authentication with shared pass. This works fine. But in order for you to pass pci compliance you cannot allow aggresive mode for ikev1. the only way to disable aggresive mode (and use main mode) is to use certificate authentication for the vpn client. I know that some one out there must being doing this already. I am goign round and round with this. I am missing some thing.
  I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall. IE failed to genterate signature, invalid remote signature id. I have tried using different signatures (one built on ASA and bought from Godaddy, and one built from Windows CA, and one self signed).
  Can some one provide the instructions on seting this up (asdm or cli). Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.                    

  Dear Doug ,
            What is asa code your are running on ASA hardware , for cisco anyconnect you need have Code 8.0 on your hardware with cisco anyconnect essential license enabled .Paste your me show version i will help you whether you need to procure license for your hardware . By default your hardware will be shipped with any connect essential license when you have order your hardware with asa code above 8.0 .
  With Any connect essential you are allowed to use upto total VPN peers allowed based on your hardware
  1)  What is the AnyConnect Essentials License?
  The Anyconnect Essentials is a license that allows you to connect up to your 'Total VPN Peers"  platform limit with AnyConnect.  Without an AnyConnect Essentials license, you are limited to the 'SSLVPN Peers' limit on your device.  With the Anyconnect Essentials License, you can only use Anyconnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSLVPN portal page for anything other than launching AnyConnect are restricted.
  You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150      
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  Security Contexts              : 2        
  GTP/GPRS                       : Disabled 
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 750      
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          : Disabled 
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150      
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  Security Contexts              : 2        
  GTP/GPRS                       : Disabled 
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 750      
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          :  Enabled
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled
  Any connect VPN Configuration .
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

• Certificate Authority for Exchange 2013

  Dear,
  I will install exchange 2013, whether to install the Certificate Authority role also? 
  If it is necessary, to install this CA, is simply combined with ADDS server, Exchange Server or a separate server?
  Thanks

  Hi,
  As all above says, Exchange 2013 can use Self-signed Exchange certificate which is installed automatically after Exchange 2013 installation. But please note that this self-signed certificate would be not trusted for Exchange using.
  If your Exchange 2013 is not internet-facing, we can use the self-signed certificate in your internal domain environment. If you want to publish your Exchange 2013 to the internet and send/receive external mails, we need to have a valid and trusted certificate
  for Exchange using.
  To get trusted certificate, we can deployed an
  Enterprise root CA which self-signs its own CA certificate and uses Group Policy to publish that certificate to the Trusted Root Certification Authorities store of all servers and workstations in the domain. Or we can directly buy a third-party certificate
  for using.
  About where to install the CA, my personal suggestion is to install ADCS (Active Directory Certificate Services) on a standalone server. You can also install it with your DC. About how to install a
  Root Certification Authority, please refer to:
  http://technet.microsoft.com/en-us/library/cc731183.aspx
  Regards,
  Winnie Liang
  TechNet Community Support