Request Smartcard Logon certificates for more than 2 years from Certificate Authority
Dear all,
I have setup a Certificate Services in a Windows Server 2008 R2 domain and I request certificates via the CA webpage
http://ipofdomainserver/certsrv using the SmartCard logon custom template.
The problem is that my certificates are only valid for 2 years even though when I created my custom Smartcard logon I selected for validity period 5 years.
I read in documentation that issued certificates cannot have a greater validity than the root that signed them.
What and where I should modify to be able to request certificates from the template for more years than standard 2 ?
Ps: WINSC-CA is valid for 5 years. Should I generate a new WINSC-CA ? How ?
I was successfully able to create a root CA for 20 years, issued a certificate and login using smartcard using the following procedure:
1. I increased the CA lifetime to 20 years by using this link http://www.expta.com/2010/08/how-to-create-certificates-with-longer.html
Created the file CAPolicy.inf in %SYSTEMROOT% with following content
[Version]
Signature=”$Windows NT$”
[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
2. Renew CA root using this guide https://technet.microsoft.com/en-us/library/cc780374(v=ws.10).aspx
Console Root -> Certification Authority -> select domain -> Right click -> All Tasks ->
Renew CA certificate
3. Delete from Console Root -> Certificates (local computer) -> Trusted Root Certification
Authority -> Certificates the *WINSC-CA that has the previous lower validity, and from
Certificates (local computer) -> Personal, the *WINSC-CA that was lower validity
4. I performed a reboot here
5. Change in Console Root -> Certificate Templates -> Smartcard Logon Custom Template (my custom duplicate template) -> Properties -> Validity 10 years
6. Change in registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriod
to value 10 for 10 years.
7. Request a new certificate from CA webpage http://ipofdomain/certsrv and let the webpage write it to
smartcard (I was making sure there is no other certificate on the smartcard)
8. Try to log in. At this point it should throw an erorr that smartcard logon is not supported for this
account type. This is becuase we need to enroll it again for domain authentication
9. Console Root -> Certificates (local Computer) -> Personal -> Right click -> All Tasks ->
Request new Certificate -> Next -> Active Directory Enrollment -> Next -> Select Domain Controller Authentication -> Enroll -> Finish.
Now you should be able to login using your smartcard and 10 years generated certificate.
Though I have a problem at step 3, after CA server reboots the *WINSC-CA certificate with lower
validity is restored automatically, but the certificates are generated for 10 years.
What am I doing wrong ? How can I delete the lower validity root CA ?
Similar Messages
-
Problems installing SSL certificates for more than one alias on iMS 5.2
I have a problem to getting encyption on IMAP/HTTP/SMTP when they are on the same server. I only getting one SSL certificate installed by the Netscape console wizard, and therefore only one alias.
Let's say I have 3 aliases to the same server just for the scalability, imap.vxu.se, smtp.vxu.se and mail.vxu.se for http (https). Then I can only have one certificate installed at the same time, for example https://mail.vxu.se. And the others, like (S)IMAP I getting a dialouge that says the hostname doesnt is the same as the registred in the certificate. How do I solve this? Is there some possibillity to install more than ONE certificate, so I can have one certificate for each alias?
Environment: Full 420R, Solaris 8, iMS5.2
Thanks in adviceAlthough I completely agree the comments that suggestion this is not a great configuration idea, the error you are seeing ("...bean not found...") likely has nothing to do with the configuration - at least not as mentioned. My first guess is that if you are running the same exact form (FMX) as you ran for your first test then there should be no error. The only way such an error would appear is if the proper jar files are not being pulled to the client JRE or if the fmx was not properly generated. Be sure you are including config=webutil in the URL or that you have added the Webutil configuration info to your own named configuration section of formsweb.cfg
Regardless, if this is a Windows machine, the probability of having problems with multiple installations of the same version is high. Consider that the system PATH, CLASSPATH, ORACLE_HOME and various other system variables needed by the server side of the installation will overlap for each installation. This will cause problems. On the client side, attempting to download jars of the same name from the same server, but which are not actually the same files will confuse the JRE. If the JRE detects that a file which it has already cached is coming from the same server (host) then it will not attempt to pull it again. This will be a problem if the jars are not exactly the same in both installation. Making the problem worse is that you may not be able to easily determine from which installation the jars (or any files) were obtained.
So. as a general rule, regardless of whether multple installations can co-exist, I would not recommend it. This is especially true on a Windows platform. -
My ipod touch 4th generation no longer holds it's charge for more than 40mins from full power, think it needs a new internal battery but have no idea how to go about this and am no longer covered by my guarantee. Can anyone advise me on what's best? Thanks in advance
Using the battery level meter in this manner is comparable to using your car's fuel gauge to calculate miles per gallon. The only thing that matters is the total amount of operating time from full charge to auto-shutdown.
Use an Apple wall-mount charger. Do NOT use a computer's USB port. Then, operate it normally until auto shut-down (ignore any low level alerts that may appear). An irony is that doing that test to determine the total operating time is also the exact procedure necessary to calibrate the battery level meter.
I'm not claiming that you do not have a problem. I am stating, however, that we don't yet know whether or not a battery problem exists.
According to Apple:
Use Your iPod Regularly
For proper reporting of the battery’s state of charge, be sure to go through at least one charge cycle per month (charging the battery to 100% and then completely running it down).
Elsewhere, Apple elaborates and explains that two half-discharges (or four quarter-discharges, etc.) equals one full discharge. -
Help me to search on calendar for more than one year
I desparately need to be able to search on calendar for more than one year., which was taken away on the new operating system. I have kept personal memories of my husband on there in the notes sections on days when we did things. ( I have also kept all kinds of personal notes, like doctor records or conversations, in the notes of events/dates.) it is a huge loss for me not to be able to search my calendar for more than one year. Is there any way I can do this?
Jens,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://forums.novell.com/ -
I accidentally changed a setting on my ipod touch and now it won't change back. I have had my ipod for more than two years and i dont know what to do. If i go to the apple store, would they fix it, or would i need to get a new one? If it could be fixed, how much would it cost?
If it is still under warranty you can call the 800 number to apple and enter the serial number and it will tell you if it is under warranty or not if not its like $30 basically for them to help or something like that it said today when i called...
Or take it to a genius bar if you have one near?
Or further explain what setting you are needing fixed back and im sure someone here can help you for free! -
I received a message on my iPhone saying that some charges could be applied due to activiation of iMessage. My question is: why have I been charged now, if I had already activated iMessage and I have been using it for more than a year.
We are basically users and can't really help with activation. So unless a staff member can check in, you need to speak to Customer Service.
http://helpx.adobe.com/x-productkb/global/service1.html
Serial number and activation chat
or
800-833-6687
Monday—Friday, 5am—7pm PT -
something went wrong with my apple tv and now it says that it is in retail demo mode. How can i fix it? I have had it for more than one year without any problem
To turn on/off retail mode, go to settings, general, legal.
Do not open legal, just put the cursor there.
Then, on the remote, type this sequence : right - right - left - center.
The AppleTV should reboot. -
I've been using iMovie '09 for more than a year and now .MTS files won't upload?
I've been using iMovie '09 for more than a year and each time I would plug in my SD card (using a card reader) the import box would open and I could select the clips I wanted to work with. Now, suddenly, today the import box won't open. Why??? I literally just used the exact same method three weeks ago and it worked fine. I have not done anything differently. Also, when I go to "file > import from camera" it only shows the built-in camera. What am I doing wrong? And how do I get my files? I do not want to download a converter of any time. I know there has to be a way because it literally just worked three weeks ago so I'm just trying to figure out why it won't work now.
Unfortunately, you cannot upgrade to Safari 5 or 6 on Mac OSX 10.4.11 and that is what you need to access iCloud (http://support.apple.com/kb/ht4759). I am not sure, but maybe you can install another and newer browser version of Firefox or Chrome to access iCloud.
-
I have a licence code for Adobe CS6 Master Collection which I'm using for more than a year, suddeny I am in trial mode (all programs) an it seems that this code is not accepted anymore. Help needed!!
Chat Now button near the bottom for Activation and Deactivation problems may help
http://helpx.adobe.com/x-productkb/policy-pricing/activation-deactivation-products.html -
Is it possible to pay for more than one year of membership in advance? Would I be able to pay for 3 years at one time?
In individual CC the maximum purchase can be done for 1 year,
However: An Enterprise Term License Agreement (ETLA) is ideal for organizations that manage large deployments of Adobe software and prefer a direct relationship with Adobe. An ETLA provides custom software licensing options and pricing for volume purchases, access to advanced customer support programs, and streamlined IT administration tools to package and deploy Adobe apps and services across the enterpris with an agreement of three years.
Business Enterprise Term License Agreement | Adobe Buying Programs
http://www.adobe.com/volume-licensing/education/enterprise-term-license-agreement.html
Regards
Rajshree -
REQUEST RUNNING FOR MORE THAN ONE DAY - HOW INVESTIGATE ABOUT THIS
Hi Everyone ...
As you know when you submit any request throigh concurrent manager . The request completed normal or give warning or error .
My probelm I have request running for more than one day .but I don't know right tool how invetigate about this issue .
I checked alert log and database lock but nothing wierd .
We are using 11.5.10.2 with 10.2.0.4 DB .
Thanks in advance ...
Edited by: user12010537 on 26/09/2010 05:39 ص
Edited by: user12010537 on 26/09/2010 05:46 صHi,
schavali wrote:
Use MOS Doc 735119.1 (How to Find Database Session & Process Associated with a Concurrent Program Which is Currently Running) to determine the PID of the concurrent request, then follow the steps identified in MOS Doc 1058210.6 (How to Enable SQL_TRACE for Another Session or in MTS Using Oradebug)
enable tha trace
Re: enable tha trace
Thanks,
Hussein -
I've had creative cloud installed and subscribed for more than a year. Recently I started getting problems and couldn't launch PS. This evening while trying to fix the problem I've managed to do something and now I can't launch either LR or PS. I get an error message about verifying my subscription when I click and get my subscription verified it ays "OK" and I clock to to application and then it jumps back to verification needed - and so it goes on and on and on and..
Here are two other examples of this happening..
I expected more from Apple.
https://discussions.apple.com/thread/6919109
https://discussions.apple.com/thread/6683814 -
Calendar message said if I wanted to save entries for more than a month I should go to settings and change to sync for 'all events'. I did this and all but repeating birthday entries disappeared. I have tried to reverse but nothing has reappeared. HELP!
Welcome to the discussions,
WHY does it claim to be 8G but my capacity now says its just 6.83
The size of you HD is calculated binary when it comes to use it, instead of decimal when companies want to advertise there products. 1 KB=1024Byte instead of 1000KB as advertised by the manufacturer. In your case this reduces the actual available space by the factor of 0.93 or approx. 7,4GB.
If you have an "other" section in your color bar showing the different types of data on your ipod, which is bigger than 500MB, this could be a sign of corrupt data caused by a sync that did not complete or copied damaged data. A restore will reduce the size to normal again.
Restoring: http://support.apple.com/kb/HT1414
If you restore your ipod, iTunes will install the newest firmware first and then add back your data and settings from your last backup if you choose to "restore from backup". Every backup is replaced by the following one, so make sure to include this folder in your backup routine in case you'll have to go back.
You can check the location and size of the backup folder for your ipod here:
Windows Vista and Windows 7: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
copied from: About backups http://support.apple.com/kb/HT1766
Sorry, I can't answer your payment question, I have never used your kind of setup, maybe you can find something useful here: http://www.apple.com/support/itunes/ -
Dear experts,
We have two requirements regarding to the "Anual leave" quota.
1. Quota reduction when employee is inactive for more than 180 days
2. Advance quota days when employeee does not have enough balance
We have in place an "Anual Leave" quota related to a calendar year period, that gets generated dialy in time evaluation. This quota gets the employee entitlement from a set of rules that stored the corresponding balance in a period time type, that is the one that we defined in the customizing. This is working fine. The problems start when we try to incorporate the other two requirements.
Regarding the first requirement, if the employee has been inactive for more than 180 days in a calendar year due to unpaid leave, we need to start quota reduction as follow,
First, we need to clear the balance that was calculated above in the schema.
Then, we need to calculate one leave day for every 20 days worked till the end of the year, considering as such, everyday the employee is expected to work, except days on which the employee has been absent on unpaid leave.
For the second requirement we created a manual quota call "Advance Anual Leave". So, if the employee, wishes to take 20 working days holiday, but in his/her Anual Leave quota has only 10 days available, we have to create an "Advance Anual Leave" quota manualy for 10 days. When the quota for next year gets generated, we need to deduct these advanced 10 days from it. This deduction should stop the year after.
The problem we are finding with these two requirements is that, due to the Anual Leave quota gets generated dialy, we can't get the balance right.
Thanks in advance!
Kind regards,
AlexHello binbingogoABC,
Shopping on BestBuy.com should be easy and fun and not fraught with the kind of trouble that you describe. I regret very much that this has been your experience.
Using the information you provided when you signed up for Best Buy Unboxed I was able to locate your cancelled orders. I have requested more information from my back-office partners. As soon as I have additional details about your situation, I will reply again to this message. In the interim, I'm sorry that I must impose upon your patience.
I'm very grateful that you wrote to us with your concerns.
Sincerely, -
[Fwd: Client accessing MBeanHome for more than one domain receives SecurityException]
Fwd'ing to security newsgroup
-------- Original Message --------
Subject: Client accessing MBeanHome for more than one domain receives
SecurityException
Date: 4 Mar 2004 07:27:33 -0800
From: Dinesh Bhat <[email protected]>
Reply-To: Dinesh Bhat <[email protected]>
Organization: BEA NEWS SITE
Newsgroups: weblogic.developer.interest.management
Hi,
When a client accesses MBeans of more than one domains (Weblogic 8.1)
that have
different passwords, it receives a SecurityException. This occurs when
the MBeanHome
for each domain is looked up at initialization and reused for each
request ( to
access MBeans ). The security exception does not occur if the MBeanHome
for each
domain is looked up for each request. On initial review, this behavoir
seems inconsistent.
Looking up the MBeanHome for each request may introduce a significant
overhead.
I am not sure if concurrent lookups would also cause the same problem.
I have read on another post that we can work around this problem by
establishing
a trust relationship between the servers, but this may not be feasible
when one
is monitoring a lot of servers and the overhead of configuration may be
an issue.
I have attached code that can reproduce the problem.
Please advise on the correct approach.
Thanks
Dinesh Bhat
Panacya Inc.
import java.util.ArrayList;
import java.util.Set;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Hashtable;
import javax.management.MBeanServer;
import javax.naming.Context;
import weblogic.jndi.Environment;
import weblogic.management.MBeanHome;
* This class reproduces the Security Exception that is caused when a client tries to access
* MBeans of more than one domain with different weblogic passwords. Here is the stacktrace of the
* exception
* java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators]
at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:138)
at weblogic.management.internal.AdminMBeanHomeImpl_811_WLStub.getDomainName(Unknown Source)
at WLSecurityTest.getWeblogicInfo(WLSecurityTest.java:140)
at WLSecurityTest.runTest(WLSecurityTest.java:75)
at WLSecurityTest.<init>(WLSecurityTest.java:66)
at WLSecurityTest.main(WLSecurityTest.java:51)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.intellij.rt.execution.application.AppMain.main(Unknown Source)
Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[weblogic, Administrators]
at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:682)
at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:181)
at weblogic.rmi.internal.BasicServerRef.acceptRequest(BasicServerRef.java:814)
at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:299)
at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:920)
at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:841)
at weblogic.rjvm.ConnectionManagerServer.handleRJVM(ConnectionManagerServer.java:222)
at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:794)
at weblogic.rjvm.t3.T3JVMConnection.dispatch(T3JVMConnection.java:570)
at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:105)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
* Note: the exception is caused only when the MBeanHome for each domain is cached and used for subsequent
* transactions. The exception does not occur if the MBeanHome for each domain is looked up for each transaction. This
* would significant overhead in practice. Also the transactions across the various domains occurs serially, hence
* the effect of concurrent lookups has to be tested.
* Usage:
* This class has been tested with weblogic 8.1
* The class needs weblogic.jar in its classpath
* One can specify the weblogic details as System properties. The properties need to be specified in
* the following format:
* wls.host.n, wls.userId.n, wls.password.n where n is the weblogix instance number. Also specify
* the boolean system property reconnect.each.iteration to toggle between reconnecting or not reconnecting
* for each iteration. When not reconnecting for each iteration, the MBeanHome is reused and the Security Exception
* occurs.
* Following is the example of system properties
* -Dwls.host.0=localhost:7001 -Dwls.userId.0=weblogic -Dwls.password.0=weblogic
* -Dwls.host.1=localhost:7011 -Dwls.userId.1=weblogic -Dwls.password.1=weblogic1
* -Dwls.host.2=localhost:7021 -Dwls.userId.2=weblogic -Dwls.password.2=weblogic2
* -Dreconnect.each.iteration=false
public class WLSecurityTest
ArrayList wlsDetailsList = new ArrayList();
HashMap connectionMap = new HashMap();
public static void main(String[] args)
try
WLSecurityTest wlSecurityTest = new WLSecurityTest();
catch (Exception e)
e.printStackTrace();
* Constructor
* @throws Exception
public WLSecurityTest() throws Exception
int noOfTries = 10;
getWLSDetails();
for( int i=0; i <= noOfTries; i++)
runTest();
* Runs the test
private void runTest()
for (int i = 0; i < wlsDetailsList.size(); i++)
WLSDetails wlsDetails = (WLSDetails) wlsDetailsList.get(i);
getWeblogicInfo(wlsDetails);
* Get Weblogic details from System properties
* @throws Exception
private void getWLSDetails() throws Exception
wlsDetailsList = new ArrayList();
String hostKeyTmpl = "wls.host";
String userIdKeyTmpl = "wls.userId";
String passwordKeyTmpl = "wls.password";
boolean done = false;
for (int i = 0; !done; i++)
WLSDetails wlsDetails = new WLSDetails();
String hostKey = hostKeyTmpl + "." + Integer.toString(i);
String userIdKey = userIdKeyTmpl + "." + Integer.toString(i);
String passwordKey = passwordKeyTmpl + "." + Integer.toString(i);
wlsDetails.hostName = System.getProperty(hostKey);
done = (wlsDetails.hostName == null) || (wlsDetails.hostName.length() == 0);
if (!done)
wlsDetails.userId = System.getProperty(userIdKey);
wlsDetails.password = System.getProperty(passwordKey);
connect(wlsDetails);
wlsDetailsList.add(wlsDetails);
* Lookup the MBeanHome for the specified weblogic server
* @param wlsDetails
* @throws Exception
public synchronized void connect(WLSecurityTest.WLSDetails wlsDetails) throws Exception
Context ctx = null;
MBeanHome mbHomeLocal = null;
try
Environment env = new Environment();
env.setProviderUrl("t3://" + wlsDetails.hostName);
env.setSecurityPrincipal(wlsDetails.userId);
env.setSecurityCredentials(wlsDetails.password);
Hashtable hashtable = env.getProperties();
System.out.println(hashtable.toString());
ctx = env.getInitialContext();
wlsDetails._mBeanHome = (MBeanHome) ctx.lookup(MBeanHome.ADMIN_JNDI_NAME);
catch (Exception e)
e.printStackTrace();
* Gets weblogic information using MBeans
* @param wlsDetails
public synchronized void getWeblogicInfo(WLSDetails wlsDetails)
try
boolean reconnectEachIteration =
Boolean.getBoolean("reconnect.each.iteration");
if( (reconnectEachIteration) || ((wlsDetails._mBeanHome == null) && (!reconnectEachIteration) ))
connect(wlsDetails);
MBeanHome mbHomeLocal = wlsDetails._mBeanHome;
String domainName = mbHomeLocal.getDomainName();
Set allMBeans = mbHomeLocal.getAllMBeans();
System.out.println("Size: " + allMBeans.size());
Set clusterMBeans = mbHomeLocal.getMBeansByType("Cluster", domainName);
System.out.println(clusterMBeans);
MBeanServer mBeanServer = mbHomeLocal.getMBeanServer();
catch (Exception ex)
ex.printStackTrace();
* Class that holds weblogic server details
class WLSDetails
String hostName = "";
String userId = "";
String password = "";
MBeanHome _mBeanHome = null;If Server version is 61.
Make user "system" password of all weblogic servers same.
If Server version above 61(70,81)
In the Security Advanced Settings un check generated credential and specify a common credentail for all the weblogic servers(domains).
Maybe you are looking for
-
I recently updated my iPad 2 to iOS 5 beta 2 and updated iTunes to the second beta. Now whenever I connect my iPad toitunes,it instantly pops up with an error message saying "iTunes has stopped working. A problemcaused the program to stop working co
-
How do I download a previously purchased item I've registered
I participated in a trial of Adobe Acrobat XI Pro. The subscription expired and I want to return to using Acrobat X General which I purchased and registered under my profile. I've uninstalled the trial version of XI Pro. How can I restore my purch
-
Problems running MS Silverlight
I can't get Microsoft Silverlight to run on my mid-2009 MacBook running OSX Lion 10.7.4, even after uninstalling, downloading and reinstalling Silverlight several times. Any suggestions. I need Silverlight to stream movies on Netflix.
-
When is the anticipated date of release of Camera RAW 8.3 (or what will read Nikon NEF from D610?)
Trying to find out how long my D610 NEF files will sit around, waiting for translation into images for PS CC. View NX2 obviously does this now, but....Anyway, thanks for your help. WBB
-
How To Create IR -ISO for an External Organization.
Hi All, we have a Business case, in which we have defined an Organization as an External Organization. When we try to create an Internal Requision and Internal sales order for the External Org as a customer, the system generated an ISO with no custom