Log forwarding from a non-domain server: certificate types
I'm trying to set up a source-initiated subscription (log forwarding) where the event source server is not in the same domain as the event collector server. I'm following these steps:
https://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx
It states that for this to work I need the following:
The collector computer should have a server authentication certificate (certificate with a server authentication purpose) in a local computer certificate store.
And
The source machine should have a client authentication certificate (certificate with a client authentication purpose) in a local computer certificate store.
I'm looking to use a third-party certificate authority to get the two client and server certs above. My question is what type of certificates I will need for this to work, as there seem to be a lot of types and I am new to certs.
Hi Chard,
You can just request certificates from the Computer certificate template. A certificate issued from the Computer certificate template can be used for both client and server authentication.
Here is a related article below for you:
Certificate Templates Overview
https://technet.microsoft.com/en-us/library/cc730826(v=ws.10).aspx
In addition, if you have further queries regarding certificates or CAs, please refer to the security forum below:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
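An added example, not code from the original thread: it lists the certificates in the local computer's Personal store and reports which carry the Server Authentication purpose the collector needs and which carry the Client Authentication purpose the source needs. It assumes Windows PowerShell run from an elevated prompt on the machine being checked.

```powershell
# Added example, not code from the original thread: lists the certificates in the local
# computer's Personal store and reports which can serve as the collector's server
# authentication certificate and which as the source's client authentication certificate.
# Assumes Windows PowerShell on the machine being checked, run from an elevated prompt.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU: Client Authentication

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # .NET surfaces extension 2.5.29.37 as X509EnhancedKeyUsageExtension
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return @() }
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-WefCertificateRoles {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $oids = Get-EkuOids -Cert $cert
        # A certificate with no EKU extension is valid for any purpose under CryptoAPI,
        # so it satisfies either role; an explicit EKU must list the purpose.
        $anyPurpose = ($oids.Count -eq 0)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # required: the machine must be able to use it
            ServerAuth    = $anyPurpose -or ($oids -contains $ServerAuthOid)
            ClientAuth    = $anyPurpose -or ($oids -contains $ClientAuthOid)
            ExplicitEku   = -not $anyPurpose
        }
    }
}

# On the collector look for ServerAuth = True; on the source look for ClientAuth = True.
# Certificates from the Computer template mentioned in the answer show both as True.
Get-WefCertificateRoles |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Format-Table Subject, Issuer, ServerAuth, ClientAuth, HasPrivateKey, NotAfter -AutoSize
```

A certificate that shows the right purpose but HasPrivateKey = False cannot be used by that machine, so check both columns.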
Similar Messages
-
Email forwarding from my own domain to my verizon email account is taking a long time.
I have email addresses registered at moniker.com. When I send an email to an email address that is forwarding to my Verizon email, it takes a long time to arrive.
Hmmm ... none of the header is showing this hitting the Verizon edge anywhere along the line. At some point the header has to show the mail transiting vztpa.verizon.com or vzsac.verizon.com, which are intake servers for messages headed for Verizon. What I'm seeing in the header so far is that it took about 4-6 seconds (depending on what clocks you believe) to make it from one end of the connection to the other.
You got this out of your Verizon mailbox? -
Remotely create sites from a non IIS server
Hi!
I'm creating some scripts to create websites on different web servers, but I'm working from a non-IIS server. So I wanted to install the PowerShell snap-in for IIS administration, but I read that from Windows R2 it's a module and can only be accessed from an IIS server.
So my question is: if I can't install the snap-in anymore because I'm working with R2 servers, can I create a local script that creates all my sites and then just invoke it from my non-IIS server? Or is that not going to work?
Thanks!
Hello.
You can install Windows features (Windows Server 2008) using this:
Import-Module ServerManager
Get-WindowsFeature
Add-WindowsFeature FeatureName
Unfortunately the IIS cmdlets don't have a -ComputerName parameter, so you cannot manage a remote server that way.
In PowerShell 3 you can use remote modules (remoting should be enabled on the remote server; see man about_Remote_Requirements):
$servername="Server1"
$session=New-PSSession -ComputerName $servername -Credential (Get-Credential -Message "Enter your credential to access $servername")
Import-Module WebAdministration -PSSession $session
get-website # will run on the remote server
Good luck) -
Migrating SAP products from a non-SQL Server platform to a SQL Server 2005
Hi,
I have another question too.
Can someone please provide me the considerations for migrating SAP products from a non-SQL Server platform to a SQL Server 2005 platform?
More specifically from Oracle to SQL 2005.
Regards
Abhi
Hello
You need to perform an OSDB migration.
This will involve exporting your SAP system into a DB neutral format and then reloading this into an SQL 2005 SAP system.
Please review http://service.sap.com/osdbmigration
I recommend you review the homo/heterogeneous system copy guide for your SAP release.
Thanks
N.P.C -
How to request certificate from a non-domain computer
We are using a Windows Server 2008 R2 Enterprise CA to issue web server certificates (SSL). The CA server is a member of an AD domain and online. Now we want to request certificates from computers such as Windows Server 2008 R2 or Linux servers which aren't members of the domain.
How can we request certificates automatically, for example with a script run remotely from these Windows servers? Is it possible to use the "Certificate Enrollment Web Service" without the "Certificate Enrollment Policy Web Service"?
Is it possible to use certreq in this scenario?
Thanks for your help.
Now I have found a solution. Briefly, I want to describe the way:
Prerequisites:
1. ADCS Enterprise Certification Authority is installed
2. ADCS Certificate Enrollment Web Service is installed on a server
3. ADCS Certificate Enrollment Policy Web Service is installed on another server
Steps to do:
1. Prepare a request-file for a certificate
2. On a computer which is not a member of the Domain/Forest of the CA service: submit the request to the CA and receive the issued certificate. The following command has to be written on one line without line breaks.
certreq -submit
-Username {domain}\{username}
-p {password}
-PolicyServer "https://{FQDN CertificateEnrollmentPolicyWebService-Server/-Alias}/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
-config "https://{FQDN CertificateEnrollmentWebService-Server/-Alias}/{CAName}_CES_UsernamePassword/service.svc/CES"
-attrib "CertificateTemplate:{TemplateName}"
{Enter Path and Name of the Request-File}
{Choose Path and Filename for certificate}
Sample:
certreq -submit
-Username contoso\Serviceaccount
-p P@ssw0rd
-PolicyServer "https://CAPolicyEnroll.contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
-config "https://CAWebEnroll.contoso.com/IssuingCA1_CES_UsernamePassword/service.svc/CES"
-attrib "CertificateTemplate:MyOwnSSLTemplate"
request.req
sslcert.cer
3. Now you can find a file with your requested certificate locally in the path you chose for the certificate file.
I hope this will be helpful for other people enrolling certificates on non-domain member computers. -
Non-Domain Server Cert Requirements Enterprise vs. Standard
Is there a way to monitor a non-domain machine without having an Enterprise CA server? I am using a standard CA currently and was wondering if I absolutely had to upgrade it to an Enterprise CA? We currently only need to monitor 4 off-domain servers, so if we can avoid it we will.
Thanks
Hi,
Read this:
http://social.technet.microsoft.com/wiki/contents/articles/2017.certificate-enrollment-for-system-center-operations-manager-agent.aspx
http://OpsMgr.ru/ -
I can't log in to my 2012 domain server
I was practicing Active Directory on my server, but when I made a user and connected two PCs to my domain, I restarted the server and now I can't log in as admin. It shows my domain PCs to log in to them, but when I want to enter Windows or the domain it says my password is not correct.
When I press the user's password to enter, it says you can't log in.
How can I enter my server as admin?
Hi,
Check out the link below for installing Active Directory:
http://www.youtube.com/watch?v=_M9i5IcVwJA
Check out the link below for joining the computers to the domain:
http://www.howtogeek.com/99381/it-how-to-join-machines-to-your-active-directory-domain/
After joining the computers to the Active Directory domain, if your domain name is for example mydomain.local, you need to log in to the domain machines as mydomain\administrator or mydomain\<AD user name> with the password of the corresponding user account.
Regards,
Gopi
JiJi
Technologies -
How to retrieve/gather images from a non-ZEN server?
Our main ZENworks server is 4.01 and it's running out of space for
images. We have an OES server that I'd like to use to push & pull images.
I looked at the Security tab / Upload restrictions in the Server Policy
and thought I might be able to define exactly where images can be stored
but haven't made any changes yet. Any ideas on how I can make this work?
On Wed, 14 Dec 2005 15:39:41 GMT, [email protected] wrote:
> Is that the only way?
yes.. the imgserv.nlm does access the harddrive via connection 0... it is
not able to authenticate..
and honestly why would you want to pull an image from another server
causing double amount of traffic..
you only need to install the imgserv on the other server and reference it
in your scripts... the old one can do the pxe stuff..
If you have already compiled drivers or have linux.2 please put them on
http://forge.novell.com/modules/xfmo...ect/?zfdimgdrv
Marcus Breiden
If you are asked to email me information please change -- to - in my e-mail
address.
The content of this mail is my private and personal opinion.
http://www.edu-magic.net -
Add a non-domain server IP into my DNS server
Hello,
A few days ago we interconnected two clients through an SDSL MPLS line (like a VPN) so that each client can ping the server IP of the other.
For example: client A (192.168.50.50) can ping client B (192.168.100.100). That works fine.
Now I'd like to add the right settings in each DNS server in order to ping the server name instead of the IP.
As I'm not very good with DNS, I prefer to ask before changing settings in it.
So could someone explain to me what to do in order to do this?
Thanks in advance
Best Regards
Thierry
You mention two clients connected. Is the DNS server a separate DNS server?
Is there a DNS server at each location?
I agree with Meinolf. But you have to make sure you only use the DNS server(s) that have the record you created. If you put in another DNS, such as your ISP's DNS, then it won't work.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
Hello,
I'm trying to remotely administer my Windows clusters and fail them over with a PowerShell script. The server I'm using is not a clustered server. I've already installed the Failover Clustering Tools. I'm able to retrieve information about my clusters, but when I try to fail them over I receive an error saying "The cluster service is not running."
The command I'm using is 'Get-ClusterNode $Server | Get-ClusterGroup | Move-ClusterGroup'
Error message: 'Get-ClusterNode : The cluster service is not running. Make sure that the service is running on all nodes in the cluster'
Is there a way to install the cluster service or is there a different way to go around this error?
Thank you!
Hi Armando,
To get cluster node information, please try to use the command cluster.exe, like:
cluster.exe node NodeName /force
For more detailed information on using cluster.exe, please refer to this article:
Mapping Cluster.exe Commands to Windows PowerShell Cmdlets for Failover Clusters
To remotely manage a cluster server, you can also try a PowerShell PSSession with the cmdlet Enter-PSSession to access the remote server:
Learn How to Manage Remote PowerShell Sessions
I hope this helps. -
Open Dataset error while trying to read a file from a non-SAP server
Hi all,
Is it possible to read data from a non-SAP application server?
I'm using OPEN DATASET p_filin FOR INPUT IN LEGACY TEXT MODE CODE PAGE '1504',
where p_filin is on another Windows server. Our application server is on Unix. Is that a problem?
I made a test to read a file from the SAP application server and it was OK. So how do I call the other server?
Thanks!
Hi,
Yes, it is possible to read data from a non-SAP server through the statement OPEN DATASET.
The important thing to check is that the SAP server has enough access to the non-SAP server so it can perform a reading/writing process, depending on your needs.
You should contact your network administrator and BASIS to help you check the permissions. This can be pretty tricky, especially if the servers are in different domains.
Regards,
Gilberto Li -
How do I transfer files from my AIX database server to my Windows AS?
Hello, I need to transfer log files from my AIX database server to my Windows AS so I can view them in a form. Any ideas??
Regards
Install Samba with the Samba client (smbclient). Push them via smbclient directly to your Windows machine, OR the other way around: start the Samba daemons (smbd and nmbd), make a Windows network share on your AIX machine and view them in your form directly.
If you can't use Samba, then an alternative is the use of NFS -
Good day, I would like to know where I can find the logs in Exchange that I can check to see if our mail server accepted the emails from a certain domain. The problem is we can receive emails from other domains like Yahoo, Gmail etc., but from a specific domain we cannot receive emails. I checked the whitelist of our Exchange and that domain is currently listed.
As suggested above, message tracking is your option to get these reports in your environment.
To gather more information, you may walk through this informative TechNet resource:
https://technet.microsoft.com/en-us/library/bb124926%28v=exchg.150%29.aspx
Here is another:
https://technet.microsoft.com/en-us/library/bb124375%28v=exchg.150%29.aspx
Moreover, if you wish to get this report in real time, you may consider this automated solution (http://www.exchangereports.net/), which could be a good alternative approach for you. -
ACS forwarding from untrusted domain 0x80090325 SEC_E_UNTRUSTED_ROOT
I have SCOM 2012 R2 Update Rollup 4 installed with 2 management servers running WS12R2 in a single management group in my main AD domain. One of the management servers is also an ACS collector. I have an untrusted AD domain, with a SCOM gateway server in it, and I used the gateway to install a SCOM agent on a domain controller in that domain. Now I am trying to configure an ACS forwarder on that untrusted domain controller to talk to the ACS collector back on the management server.
However, when I restart the Microsoft Monitoring Agent Audit Forwarding service on that domain controller, I get this error in its Event Viewer > Apps and Services > Operations Manager:
1/23/2015 5:08:01 PM Source AdtAgent Event ID 4369 Forwarder unsuccessfully tried to connect to the following collector(s):
<acsCollectorFQDN>:51909, status: 0x80090325 (TCP connect), source:registry addresses tried: <IP>:51909. If the list of collectors is blank, then AdtAgent was unable to locate a collector. Common reasons for this message are: The machinef(s)
listed is not online. AdtServer is not running on the machine(s) listed. AdtServer on the machine(s) listed is not listening on the specified port. TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism AdtServer
on the machine(s) listed actively refused the connection (due to policy or current activity load). For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log in the \temp subdirectory of the Windows
directory.
I followed these two articles in order to set up the ACS forwarder on the DC in the untrusted domain:
"How to configure security events collection by using Audit Collection Services from computers in untrusted environment?" {1/3/12} https://gefufna.wordpress.com/2012/01/03/how-to-configure-security-events-collection-by-using-audit-collection-services-from-computers-in-untrusted-environment/
"Forwarder is unable to connect to collector Event id 4369 in forwarder event view" {5/5/14} http://jimmy-scom.blogspot.com/2014/05/forwarder-is-unable-to-connect-to.html
EXTRA INFO Here are the detailed steps that I took (sorry for all this, but there are an awful number of steps!):
1) I confirmed that the agent for the DC shows as Healthy in OM Console > Monitoring > Operations Manager > Agent Details > Agent Health State > Agent State (right) pane.
2) On the ACS collector, I stopped Operations Manager Audit Collection Service, then from an admin cmd prompt I did this:
c:> cd \windows\system32\security\adtserver
c:> adtserver -c
} 1 certificates found for server authentication usage.
Enter the number of the certificate you want AdtServer to use for authenticating to AdtAgent or 0 to quit without saving: 1
Certificate 1 selected. Attempting to save thumbprint to registry ...
success.
Then I started Operations Manager Audit Collection Service.
3) On the DC in the untrusted domain, from an admin cmd prompt I did this:
c:> cd c:\windows\system32
c:> adtagent -c
} No Issued To Issued By Expires
Thumbprint
1: <untrustedDCfqdn> <untrustedDomainCA> 2015-11-30 02:44:58 <thumbprint>
2 certificates found for client authentication usage.
Enter the number of the certificate you want AdtAgent to use for authenticating to AdtServer or 0 to quit without saving: > 1
} Certificate 1 selected. Attempting to save thumbprint to registry… success.
4) On the DC in the untrusted domain, I opened mmc > Certificates > Local Computer > Personal > Certificates > I exported the certificate from step 3 to a DER encoded binary X.509 (.CER) file.
5) I also looked at the Certification Path for the certificate, and figured out which certificate is its Root CA certificate. I copied that certificate to a DER encoded binary X.509 (.CER) file.
6) I copied the first .CER file to a computer in my main domain, which is at 2012 R2 level. From AD Users and Computers, I created a "dummy" computer object using the NetBios name of the DC back on the untrusted domain. I right clicked the computer
object > Named Mappings > I added the .CER file, and left "Use Subject for alternate identity" checked. I unchecked "Use Issuer for alternate security identity".
7) I copied the Root CA certificate .CER file over to the SCOM management server that doubles as my ACS collector, and from there I did mmc > Certificates > Local Computer > Trusted Root Certificates > Certificates > I imported the Root
CA certificate.
8) I also went to my CA server on my main domain, I ran pkiview.msc > right clicked “Enterprise PKI” > Manage AD Containers > NTAuthCertificates tab > and I imported the Root CA certificate there as well.
9) I ran telnet from the DC on the untrusted domain, and confirmed that port 51909 is open from there to the ACS collector on the main domain.
10) I enabled audit collection for the DC on the untrusted domain. I did this from OM Console > Monitoring > Operations Manager > Agent Details > Agent Health State > Agent State (second column in middle pane) > I selected the Healthy <untrustedDCfqdn> > I clicked Enable Audit Collection.
Then under "Task Parameters" > I clicked [Override] > for New Value I specified <ACScollectorFQDN>. For task credentials I specified Other account, and specified a domain admin account in the untrusted domain. The result was "The task completed successfully. Enable Audit Collection, status:Success".
11) On the ACS collector, I restarted Operations Manager Audit Collection Service. On the DC in the untrusted domain I restarted Microsoft Monitoring Agent Audit Forwarding service.
12) The result was this error on the DC in the untrusted domain, in its Event Viewer > Apps and Services > Operations Manager:
1/23/2015 5:08:01 PM Source AdtAgent Event ID 4369 Forwarder unsuccessfully tried to connect to the following collector(s):
<acsCollectorFQDN>:51909, status: 0x80090325 (TCP connect), source:registry addresses tried: 10.1.1.91:51909. If the list of collectors is blank, then AdtAgent was unable to locate a collector. Common reasons for this message are: The machinef(s)
listed is not online. AdtServer is not running on the machine(s) listed. AdtServer on the machine(s) listed is not listening on the specified port. TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism AdtServer
on the machine(s) listed actively refused the connection (due to policy or current activity load). For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log in the \temp subdirectory of the Windows
directory.
13) On the DC in the untrusted domain I created DWORD reg value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtAgent\Parameters\TraceFlags and set it to 524420 decimal. The resulting c:\windows\temp\AdtAgent.log file only confirmed that I'm getting 0x80090325 errors.
After all this, why am I getting 0x80090325, which translates to SEC_E_UNTRUSTED_ROOT ??? Did I do something wrong in steps 5, 7 and 8? Thanks for reading all the way through :)
Marko
Thanks Yan Li, you gave me an idea. I got the ACS forwarder in the untrusted domain to work (!), by analyzing the setup on the SCOM gateway that I set up in the untrusted domain. I issued the ACS forwarder a certificate from the domain that SCOM is in, INSTEAD of configuring the ACS forwarder to use the certificate that it already had from its own domain.
So the new procedure is: do steps 1 and 2, then instead of step 3 I did this…
2B) I issued a certificate from the AD domain containing SCOM to the domain controller in the untrusted domain that is my ACS forwarder. I did this from the AD Certificate Services web site, and asked it to use the certificate template that I created for the SCOM gateway server in the untrusted domain.
2C) The new certificate appeared in the Personal store of the domain controller. I exported it, then ran the MomCertImport utility so that I would not get an error in the next step (per http://www.systemcentercentral.com/scom-deployment-across-multiple-networks/)
3) On the domain controller in the untrusted domain, I re-ran "adtserver -c", and selected the new certificate.
3B) I then ran “MomCertImport /Remove”, since I already have a SCOM gateway in the untrusted domain.
Then I proceeded with step 4, skipped 5, did 6, skipped 7-8, did 9-11, and the result was this on the DC in the untrusted domain, in its Event Viewer > Apps and Services > Operations Manager:
2/3/2015 12:20:01 PM Source AdtAgent Event ID 4368 Forwarder successfully connected to the following collector:
<ACScollectorFQDN>:51909, status: 0x0 (success), source: registry
addresses tried: <IPaddress>:51909
ACS forwarding works now! I will confirm by repeating the procedure for another domain controller in the untrusted forest.
Marko -
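An added example, not code from the original thread or from the SCOM product: it builds the chain for a certificate in the machine context (the view the AdtAgent and AdtServer services have of the certificate stores) and reports whether the chain ends in a trusted root, which is the condition behind status 0x80090325 (SEC_E_UNTRUSTED_ROOT). It assumes Windows PowerShell; the .cer path and thumbprint are placeholders.

```powershell
# Added example, not code from the original thread: builds the certificate chain in the
# machine context, which is the view the AdtAgent and AdtServer services have of the stores,
# and reports whether the chain ends in a trusted root. UntrustedRoot is the condition
# behind status 0x80090325 (SEC_E_UNTRUSTED_ROOT). Assumes Windows PowerShell; the
# .cer path and thumbprint below are placeholders.

function Test-AcsCertificateChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [switch]$CheckRevocation
    )
    # $true selects the machine context (Local System's trust stores, not the current user's)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'
    # Require the Client Authentication purpose the forwarder presents to AdtServer
    [void]$chain.ChainPolicy.ApplicationPolicy.Add(
        [System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.2')
    $valid = $chain.Build($Certificate)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $elements = @(foreach ($e in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $e.Certificate.Subject
            Thumbprint = $e.Certificate.Thumbprint
            Status     = (@($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    })
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        ChainValid    = $valid
        UntrustedRoot = ($status -contains 'UntrustedRoot')
        ChainStatus   = ($status -join ', ')
        Root          = $elements[-1].Subject
        Elements      = $elements
    }
}

# Usage 1: on the collector, check the forwarder certificate exported in step 4
# (placeholder path). If UntrustedRoot is True, the collector's Trusted Root store lacks
# the issuing root (step 7) or, as in the fix above, the forwarder needs a certificate
# from a CA the collector already trusts.
$forwarderCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList 'C:\temp\forwarder.cer'
Test-AcsCertificateChain -Certificate $forwarderCert |
    Format-List Subject, ChainValid, UntrustedRoot, ChainStatus, Root

# Usage 2: on the forwarder, check the certificate adtagent -c selected (placeholder thumbprint)
$selected = Get-ChildItem -Path 'Cert:\LocalMachine\My\<thumbprint-from-adtagent>'
Test-AcsCertificateChain -Certificate $selected |
    Select-Object -ExpandProperty Elements | Format-Table -AutoSize
```

Running it as a normal user still reads the machine stores, so the result matches what the services see even though they run as Local System.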
"Unable to check revocation" error while checking CDP from a non-domain user account
Hi!
I use a 3-tier PKI infrastructure:
Stand-alone offline Root CA: RootCA;
Stand-alone offline Intermediate subordinate CA: SubCA;
Enterprise CA: EntSubCA.
In the certificate we have three CDP points for CRL checking: ldap:///, http:// and file://
I have a Windows 2008 R2 server joined to the domain.
I use the command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of the certificate.
When I use a domain user account for revocation checking, all is OK.
I have access to every CDP and all is fine.
But when I use a local server user account, I don't have access to ldap:/// and the process fails, although all the other links are OK.
My question is: why does the check fail with a non-domain user account while the other CDP points are successfully verified?
Here is the log file from the local user:
Issuer:
CN=EntSubCA
DC=DED
DC=ROOT
Subject:
CN=servername.domain_name
Cert Serial Number: 5a896145000300006ee2
dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
NotBefore: 05.02.2015 20:03
NotAfter: 05.02.2016 20:03
Subject: CN=servername.domain_name
Serial: 5a896145000300006ee2
SubjectAltName: DNS Name=servername.domain_name
Template: Machine
70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
Verified "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
OK "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 018d:
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=SubCA
NotBefore: 13.11.2014 19:12
NotAfter: 13.11.2017 19:22
Subject: CN=EntSubCA, DC=DED, DC=ROOT
Serial: 6109015b000100000008
Template: SubCA
9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\SubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/SubCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (32)" Time: 0
[0.0] file://\\ca\crl\SubCA.crl
Verified "Base CRL (32)" Time: 4
[1.0] http://webserver/crl/SubCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 32:
Issuer: CN=SubCA
8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 28.05.2008 12:09
NotAfter: 28.05.2058 12:19
Subject: CN=SubCA
Serial: 616bd19f000100000004
Template: SubCA
06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 4
[0.0] http://webserver/crl/RootCA.crl
Verified "Base CRL (1c)" Time: 0
[1.0] file://\\ca\crl\RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 27.05.2008 16:10
NotAfter: 27.05.2110 16:20
Subject: CN=RootCA
Serial: 258de6fbd3bbab92460530e9e9f10536
5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 0
[0.0] file://\\ca\crl\RootCA.crl
Verified "Base CRL (1c)" Time: 4
[1.0] http://webserver/crl/RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
Exclude leaf cert:
5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
Full chain:
ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have the necessary permissions (you also use FILE URLs for publication, which again is not recommended).
The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
For the AIA extension, it should contain two URLs: one for the CA certificate, again on an internally and externally accessible, highly available Web cluster, and one for the OCSP service, also on an internally and externally accessible, highly available Web cluster.
The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
certutil -dspublish -f RootCA.crt.
This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
Brian
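An added example, not code from the original thread: it reads the CDP and AIA extensions of a certificate and classifies each URL by the kind of access the calling account needs, so the retrieval paths a local (non-domain) account cannot follow are visible before certutil reports them. In the log above every ldap:/// URL failed with 0x8007052e while the file:// and http:// copies succeeded. It assumes Windows PowerShell (the Format() call relies on CryptoAPI) and a placeholder .cer path.

```powershell
# Added example, not code from the original thread: reads the CDP and AIA extensions of a
# certificate and classifies each URL by the access it needs, so you can see before running
# certutil which retrieval paths a local (non-domain) account cannot follow.
# Assumes Windows PowerShell (Format() relies on CryptoAPI); the .cer path is a placeholder.

function Get-CertificateRetrievalUrls {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $names = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
    foreach ($ext in $cert.Extensions) {
        if (-not $names.ContainsKey($ext.Oid.Value)) { continue }
        # Format($true) renders the extension as certutil/mmc show it, one "URL=..." per entry
        $order = 0
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            $url = $m.Groups[1].Value
            $scheme = ($url -split ':', 2)[0].ToLowerInvariant()
            $needs = switch ($scheme) {
                'ldap'  { 'authenticated AD access; fails for local and non-domain accounts' }
                'file'  { 'SMB read access to the share as the calling account' }
                'http'  { 'anonymous HTTP reachability (the recommended form)' }
                default { 'unsupported scheme' }
            }
            $order++
            [pscustomobject]@{
                Extension = $names[$ext.Oid.Value]
                Order     = $order      # CryptoAPI tries the URLs in this order
                Scheme    = $scheme
                Needs     = $needs
                Url       = $url
            }
        }
    }
}

$urls = Get-CertificateRetrievalUrls -Path 'C:\temp\servername.cer'
$urls | Format-Table Extension, Order, Scheme, Needs -AutoSize
# Per the answer above, anything other than HTTP is a portability problem for the checker
$urls | Where-Object { $_.Scheme -ne 'http' } |
    ForEach-Object { "Non-HTTP {0} URL at position {1}: {2}" -f $_.Extension, $_.Order, $_.Url }
```

Run it against the leaf and each CA certificate in the chain, since certutil walks the AIA and CDP of every element, as the log above shows.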