WinPE and Certificates

I have an environment where we require SSL and client certs. During OSD, I can boot from PXE (client certificate delivered by the distribution point), I can boot from media (client cert embedded in the media).
I now have a task sequence where I am trying to capture user state, so I create a default MDT client task sequence and during the running of the task sequence I see errors around trying to download the MDT Files Package from the DP. It seems WinPE doesn't have a proper client auth cert.
My question is how does WinPE get the client certificate when running the task sequence from Software Center?

Hi,
How did you generate ISO file in Windows PE?
What about the correct name for this ISO file?
To exclude if the extended ASCII characters cause garbage characters in the file name, please re-specify the output path for ISO file with normal characters.
Andy Altmann
TechNet Community Support

Similar Messages

  • Server 2012 R2 - Essentials Experience - - I jacked my CA and certificates all to @#&$%!!

    Windows Server 2012 R2 - Essentials Experience
    In trying to put pieces together, I jacked my CA and certificates all to @#&$%!!
    Some of the factors involved are:
     Server0 - Hyper-V Host
      Server1 - DC, 2012 R2 Essentials Experience role
      Server2 - Exchange 2013
     Client Machines -
      Windows 7 Pro
      XP (Yes, these are my cross to bear... - worth noting their presence, but I'm working them out) 
     The functional requirements:
      Anywhere Access for Remote users
       - Remote Desktop for Windows 7 machines
      Outlook Web Access
    The mistake... 'Web Application Proxy'
     -which uninstalled the CA
    There is a CA back now, but after days of spinning in circles in a rare area where I feel nearly completely lost (Certificate services) I am asking for help getting these pieces put back together.
    The current situation:
     The network is up with all of the network and business services required to work 'Inside the Office' - so the client is "functional".
     The "Essentials Experience" is broken and won't install to the clients, though it does provide the Essentials website, access to server shared files (fairly gracefully, I might add) and, as an administrator user, I can get to the servers via RWA through the site and there are no certificate problems with that since I have a secured certificate for the domain.
     OWA has been moved to a further back burner while I try to get the Essentials Experience functioning to the point where the remote users can get to their workstations through RWA... This is the biggest current hurdle... RWA for the clients.
    Trying to install the client to the workstations nets me the "The Server is not available.  Try connecting this computer again,..." message at the point of username and password authentication.
    The clientdeploy.log finishes like this:
     [4976] 141016.153746.2670: ClientSetup: Standard Error:
     [4784] 141016.153746.2670: ClientSetup: The exit code of the process (C:\Windows\system32\nslookup.exe) is: 0
     [4784] 141016.153746.2670: ClientSetup: Set CD Fail reason 10 for SQM in ClientDeployment.exe
     [4784] 141016.153746.2670: ClientSetup: RecordClientDeploymentFailReason: Save registry failed in ClientDeployment.exe : System.UnauthorizedAccessException: Cannot write to the registry key.
      at Microsoft.Win32.RegistryKey.EnsureWriteable()
      at Microsoft.Win32.RegistryKey.CreateSubKeyInternal(String subkey, RegistryKeyPermissionCheck permissionCheck, Object registrySecurityObj, RegistryOptions registryOptions)
      at Microsoft.Win32.RegistryKey.CreateSubKey(String subkey, RegistryKeyPermissionCheck permissionCheck)
      at Microsoft.WindowsServerSolutions.ClientSetup.ClientDeploy.Helper.RecordClientDeploymentFailReason(UInt32 failReason)
     [4784] 141016.153746.2670: ClientSetup: Exiting ValidateUserTask.Run
     [4784] 141016.153746.2670: ClientSetup: Task with Id=ClientDeploy.ValidateUser has TaskStatus=Failed
     [4784] 141016.153746.2670: ClientSetup: Task with Id=ClientDeploy.ValidateUser has RebootStatus=NoReboot
     [4784] 141016.153746.2670: ClientSetup: Exting ConnectorWizardForm.RunTasks
     [1272] 141016.153755.0976: ClientSetup: Back from the Client Deployment Wizard
     [1272] 141016.153755.0976: ServerDiscovery:HostsFileUpdater: Removing hosts file entry: 1-WGB-01
     [1272] 141016.153755.0976: ClientSetup: Saving Wizard Data
     [1272] 141016.153755.0976: ClientSetup: End of ClientDeploy: ErrorCode=1603
    The computerconnector.log shows nothing of value.
    What I want to accomplish as a 'first step' toward recovery is to get the workstations properly connected so they show up in the Dashboard 'Devices' pane and can be managed and accessed by the Essentials tools.
    Secondarily, I would like to get the client side tools in place and functioning (I expect the latter will be a side effect of the former).
    So,... for anyone patient enough to have read this far... uh,... help?

    Actually,... I can now confirm the delicacy of which you speak...
    After a support incident with Microsoft which spanned a marathon 18+ hours on the phone and remote access by no fewer than 7 Microsoft Engineers, we got to a successful result. 
    It is a point of utter frustration for me when people put in threads like this then don't bother to come back and report 'how the issue was solved', and sadly, I am about to have done that merely because my span of functional attention and valuable reporting capability was basically gone before I submitted the ticket and following all that was done in my state was not conceivably possible.
    So - all I can do is apologize for not being able to report a valuable resolution and give a few little tidbits.
    The net result is this - DO WHAT YOU CAN TO AVOID THE SITUATION IN THE FIRST PLACE.  Once your CA is in place, LEAVE IT THE $%@& ALONE!!!!  I mean... my best current advice.
    In all, the CA was uninstalled and reinstalled 4 times after my blunder and significant work was done in ADSIEdit as well as substantial manual manipulation of certificates and CAs that was well outside of my (quite considerable) scope of expertise.
    I wish I had more to offer in the world of resolution.
    With this said, I will make one more request of viewers and moderators alike:
    THIS QUESTION IS OFFICIALLY NOT ANSWERED.  IT WILL NEVER BE ANSWERED.  THE RESOLUTION IS NOT AVAILABLE TO THE MORTAL MAN.
    DO NOT MARK IT AS ANSWERED
    IF YOU MUST DO SOMETHING, DELETE THE WHOLE THREAD, BUT DO NOT BURDEN PEOPLE WHO ARE LOOKING FOR REAL ANSWERS WITH THE NECESSITY OF READING THROUGH THIS.
    DO NOT MARK THIS QUESTION AS ANSWERED
    I hope this makes sense for people, and I hope people will appreciate NOT having to read this as though there is some 'resolution' contained within.

  • PKCS#11 Provider unable to fetch asymmetric keys and certificates

    Hi,
    I'm facing a problem while getting keys and certificate from Eracom HSM (ProtectServer Orange:38039 Model: PSO:PL50) using Sun PKCS#11 Provider. It gets only the symmetric keys but NEVER gets the asymmetric keys.
    My code snippet and configuration file are:
    Java Code:
        // Load the SunPKCS11 provider from its configuration file
        // (this InputStream constructor exists in Java 8 and earlier).
        java.io.InputStream is = new java.io.FileInputStream("pkcs11.cfg");
        sun.security.pkcs11.SunPKCS11 pkcs11_provider = new sun.security.pkcs11.SunPKCS11(is);
        System.out.println("Provider Name : " + pkcs11_provider.getName());
        java.security.Security.addProvider(pkcs11_provider);
        // Open the token as a KeyStore; the second argument is the token PIN.
        java.security.KeyStore ks = java.security.KeyStore.getInstance("PKCS11", pkcs11_provider);
        ks.load(null, "password".toCharArray());
        // List every alias the provider exposes from the token.
        java.util.Enumeration<String> obj_enumeration = ks.aliases();
        while (obj_enumeration.hasMoreElements()) {
            String str_certAlias = obj_enumeration.nextElement();
            System.out.println("Alias : " + str_certAlias);
        }
    pkcs11.cfg:
        name = Eracom
        library = G:\Eracom\cryptoki.dll
        slot = 0
        attributes(*, CKO_PRIVATE_KEY, *) = {
            CKA_TOKEN = false
            CKA_SENSITIVE = false
            CKA_EXTRACTABLE = true
            CKA_DECRYPT = true
            CKA_SIGN = true
            CKA_SIGN_RECOVER = true
            CKA_UNWRAP = true
        }
        attributes(*, CKO_PUBLIC_KEY, *) = {
            CKA_ENCRYPT = true
            CKA_VERIFY = true
            CKA_VERIFY_RECOVER = true
            CKA_WRAP = true
        }
    I also ran my program without specifying any attributes in the configuration file, and also tried many other combinations, but in all cases (with or without attributes) only symmetric keys are loaded from the HSM. I am able to get all keys (symmetric and asymmetric) and certificates from the same HSM using the IAIK PKCS#11 Provider. Though, the Sun PKCS#11 Provider is working fine with SmartCard tokens (Rainbow, Aladdin etc.)
    Any help to resolve my problem would be highly appreciated.
    Thanks in advance.

    I recently had a problem with ECDSA and the PKCS#11 library of nCipher. Here's info from one of their engineers about the PKCS11 library:
    "There are two separate issues - one is that our current pkcs11
    release doesn't support ECDSA signature with SHA-2 hashes
    (the v11.00 firmware adds support for it, but the main release version of
    the pkcs11 library hasn't been updated to take advantage of it yet).
    There is a hotfix version that does support SHA-2 hashes with some
    restrictions, talk to [email protected] for details, and V11.10
    should be out soon and have that merged in.
    But the issue with setting CKA_SIGN is that our underlying HSM API
    allows elliptic curve keys to be either key exchange (ECDH) or
    signature (ECDSA) keys, but not both at once.
    At the PKCS #11 level, if you specify CKA_DERIVE=true and let
    CKA_SIGN default, it will default to false, and vice versa.
    If you specify both CKA_DERIVE=true and CKA_SIGN=true, then we
    return CKR_TEMPLATE_INCONSISTENT because we can't do both with
    the same key. (However, the tests using C_GetMechanismInfo will
    show that we can do both mechanisms, because we can - so long
    as you use different keys, even though they have the same PKCS#11
    type.)
    I can't comment on when or how that will be changed."
    I was using the PKCS#11 library through NSS when I ran into the problem, but I imagine Java would run into similar problems also using the PKCS#11 library. I was able to generate keypairs but not create a CSR (which required making a signature, which required SHA-2).
    Can you just use the java classes to speak to the netHSM? I've never directly written code to do so myself, but I have used Corestreet's OCSP product that uses the java classes to speak to the nCipher HSMs (though not using EC). It might work better than going through the PKCS#11 layer. There should be a java directory under NFAST_HOME that contains some jars.
    Please post back if you figure anything out as I'll probably be playing with this stuff myself soon.
    Dave

  • Print out of Inspection report and Certificates

    Hi Gurus,
    I want to take inspection reports and certificates printout.
    Is there any standard transaction other than QGA3 and QC21
    Please let me know
    Thanks and Regards
    Hari

    Hello Hari,
    You can take the certificates printout with QC21 or QC22 (as applicable). What information are you looking for in the inspection reports? Then we can suggest the appropriate set of reports.
    Cheers
    Kaushik

  • Winpe and USB drive, can one be mapped?

    I am creating a reference disk in Virtualbox that is Win7 and customized with the applications I would like for a standard image. I am trying to capture the image using imagex which is being loaded from an iso file. I first tried just writing the wim file to the VMs drive to later copy it to wherever I wanted it. I got to 90% and then it failed because of insufficient disk space. I didn't try writing the wim to a network repository because I already attempted that and the network connections are too slow, something not in my control. Is there a way to get Winpe to recognize a USB hard drive? Alternatively is it perhaps possible to "network" the write of the wim file to a folder on the host computer? I realize this is somewhat a mixed question between MS Winpe and Oracle Virtualbox, I so want to move to HyperV! Thanks for any help :)

    Hi! I've been using virtualbox for many years to create my image. Please make sure you install the "Guest Additions". This will enable you to insert a usb and you will have to go to devices-->usb devices and select your usb drive in WinPE mode.... This will allow you to choose the correct drive letter using imagex.

  • Webservice call failed during execution (SSL and certificates) on NetWeaver 7.30

    Hey experts,
    i need your help!
    We make webservice calls to sap me with our own software.
    We connect to our software via SSL and certificates e.g. https://host:50001/XMII/CM/POD/MEDialogsWeb.irpt
    At the beginning the software runs without any problems and then we get the following message on all our webservices:
    thats the webservice configurations
    (configuration - connectivity - single service administration):
    (configuration - security - authentication and single sign-on)
    if we restart the software after the error display, the webservice call runs successfully again.
    is it a timeout?
    can anybody help us?
    Thanks,
    Markus
    our system info:
    NetWeaver 7.30 Java
    SAP ME 6.0
    software runs log looks as following
    software doesn't runs log looks as following
    security Log Entry
    more info from security_00.0.log
    #2.0 #2014 06 06 14:51:17:136#+0200#Warning#/System/Security/WS#
    com.sap.ASJ.wssec.020142#BC-ESI-WS-JAV-RT#tc~sec~wssec~service#C0000A650AD826FF0000000100000BEC#3855850000000005#sap.com/me~ws#com.sap.engine.services.wssec.authentication#Guest#0##207092CAED7111E3A01A0000003AD5EA#23386e31ed7911e39d560000003ad5ea#23386e31ed7911e39d560000003ad5ea#0#Thread[HTTP Worker [@648881277],5,Dedicated_Application_Thread]#Plain##
    Received unsupported callback: com.sap.engine.interfaces.security.auth.SetLogonTicketCallback
    Received unsupported callback: com.sap.engine.lib.security.http.HttpSetterCallback
    Read data of type username and value  MEFLEX from wsse:Security header and set on module javax.security.auth.callback.NameCallback
    Read data of type username and value   from HTTP header and set on module javax.security.auth.callback.NameCallback
    Read data of type password and value  xxx from wsse:Security header and set on module javax.security.auth.callback.PasswordCallback
    Read data of type password and value  xxx from HTTP header and set on module javax.security.auth.callback.PasswordCallback
    Authentication for web service ShopOrderService, configuration ShopOrderService using security policy BASIC*SSO2*_*_*ws failed: Cannot authenticate the user.. (See SAP Note 880896 for further info).

    Hi,
    the authentication for the second call is failing. Have you tried the suggested log level from note 880896 - Web Service authentication failure? I would also try to use something like SoapUI to test if the issue is caused by your application or something wrong on the SAP side. Also comparing messages for the first and second calls might give you the answer.
    Cheers

  • Question concerning WebService and certificates

    Hi, well i'd like to get data from a WebService. Scenario is RFC to WebService in SAP XI.
    Therefore i also have to use user&pw and a certificate key i got previously!
    So i created the receiver channel and now i am stuck. There is the option User Authentification and Configure Certificate Authentication. What do i have to use and how to configure. I know i have to use the keystore-service in VisualAdmin, but how?!
    I already read this: /people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter but it does not fit my needs actually.
    Again, i have user&pw AND certificate-key (only key in plain characters!). how to use these 3?!
    thx in advance, br

    Hi Jens,
    Go through the following pdf. It will clear some of your doubts.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc
    -Pinkle

  • Does Anybody know how to keep the license files and Certificates in ISE-3315 During the upgrade.

    Hi,
    I have two ISE-3315 Appliances in production network.
    I need someone's help to explain how to make the Secondary node the primary admin node to reset-config.
    And then I would like to know how to keep the license files and Certificate during the Upgrade.
    Please help me to answer my questions.
    Thanks
    CSCO11872447

    The Cisco Identity Services Engine (ISE) provides distributed deployment of runtime services with centralized configuration and management. Multiple nodes can be deployed together in a distributed fashion to support failover.
    If you register a secondary Monitoring ISE node, it is recommended that you first back up the primary Monitoring ISE node and then restore the data to the new secondary Monitoring ISE node. This ensures that the history of the primary Monitoring ISE node is in sync with the new secondary node as new changes are replicated.
    Please check the below configuration guide for Secondary ISE nodes.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.pdf

  • How to push EAP-TLS configuration Profile and Certificates to Mac books and Iphones

    Hi Team,
    We were able to push the EAP-TLS configuration profiles and certificates to windows devices via group policy.  However, we're now looking to see how we can accomplish this for Mac book and iphones?  Is there an open source application or something we can leverage to do this?
    Thanks

    I think ammahend was looking for a rough count which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal since you will have to manually generate CSRs, get them signed and then installed on the machines.
    Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications. 
    Hope this helps!
    Thank you for rating helpful posts! 

  • WinPE and FullOS Issues with Disk Numbers

    So, I seem to have run into an issue where I'm trying to image up an HP Z15 laptop and it has dual HDD's in it.  While imaging it seems to just die after it boots into the full OS and tries to configure the SCCM Client. I've narrowed down the issue to the secondary HDD causing the issue. The Main drive is a SSD that's 256GB, and the additional drive in the DVD-Rom Bay is a 750 GB drive.
    When booting into WinPE Disk 0 is the SSD and Disk 1 is the 750GB. I can partition these up just fine in PE, but when it flips to the full OS, the drive numbers change, and then the 750 GB drive where the _SMSTASKSequence folder is located is no longer accessible until it's assigned a driver letter. I was able to look in WinPE and the driver are created correctly and look correct with drive letters and all, but once that reboot happens I was reading the PNP takes over and decides whatever it wants each disk number to be.
    I know someone will say something about the drivers, I've checked those and downloaded the latest drivers from HP for this model and nothing has changed. I've also seen where some have suggested that it's best to partition and format the main drive, then wait until in the full OS to format and partition the other drive but I need to find a way to find out which drive # isn't formatted so that I can automate this.  Part of the main issue with this whole thing is the fact that the encryption software we are using doesn't allow for a drive to be partitioned and formatted after it's installed. I'm able to image the system up fine if I disable the secondary HDD and then just format it when the image is complete.
    Any thoughts or recommendations would be appreciated. 
    Thanks!

    Hi,
    >>"once that reboot happens I was reading the PNP takes over and decides whatever it wants each disk number to be."
    Where were you reading this from? Logs? Is there any information in smsts.log?
    >>"the _SMSTASKSequence folder is located is no longer accessible until it's assigned a driver letter"
    If you reboot the computer after you assign a drive letter, does the disk still have a drive letter? If that is the case, you could try to add a startup diskpart script to assign a drive letter.
    Best Regards,
    Joyce

  • Anyconnect 3.1 and certificate authentication

    I am doing a proof of concept with anyconnect and certificate authentication. With 3.0 I was able to do this with a certificate from my CA and a client cert in a smartcard. I have upgraded to 3.1 and now it doesn't work anymore (I need 3.1 and ASA 9.0 because of IPv6 split-tunneling).
    Reading the forum i got some info that the ASA cert must have a EKU value of 'Server Authentication' and the client cert must have a similar EKU (client Auth)
    Is this mandatory or is there a way around this?

    Just to add to this.
    Anyconnect 3.1 started KU enforcement, but typically it will drop a warning you can accept (annoying but not blocking).
    EKU, is something that for the time being ASA will not enforce, plus it's only needed to IKEv2/IPsec, AFAIR SSL will work without it unless there have been big changes I'm not aware of.
    One can also argue EKU enforcement will not be strictly speaking enforced in future of IKEv2.
    Vide:
    http://tools.ietf.org/html/rfc4945
    5.1.3.12.  ExtendedKeyUsage
    M.
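
The KU and EKU values this thread is about can be read straight off a certificate with the openssl CLI before it is deployed to a gateway or client. This is an added example, not part of the original posts: the function names are its own, the certificates are throwaway self-signed samples built in a temp directory, and it assumes OpenSSL 1.1.1 or later (for `-addext`).

```shell
#!/bin/sh
# Added example: report the Key Usage (KU) and Extended Key Usage (EKU) of a
# certificate and whether it carries the EKU for a given TLS role.

# make_cert <dir> <name> <keyUsage> [extendedKeyUsage]
# Builds a throwaway self-signed certificate <dir>/<name>.pem (constructed sample).
make_cert() {
    if [ -n "${4:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$2.example.test" \
            -keyout "$1/$2.key" -out "$1/$2.pem" \
            -addext "keyUsage=critical,$3" \
            -addext "extendedKeyUsage=$4" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$2.example.test" \
            -keyout "$1/$2.key" -out "$1/$2.pem" \
            -addext "keyUsage=critical,$3" >/dev/null 2>&1
    fi
}

# ext_value <cert.pem> <extension title>
# Prints the value line that follows the extension title in the text dump,
# or nothing when the certificate does not carry that extension.
ext_value() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -v title="$2" 'index($0, title) {
            getline
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
            print; exit
        }'
}

# eku_status <cert.pem> <server|client>
# Prints: ok      EKU present and includes the role
#         missing EKU present but does not include the role
#         absent  certificate has no EKU extension at all
eku_status() {
    case "$2" in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *) echo "unknown-role"; return 0 ;;
    esac
    eku=$(ext_value "$1" "X509v3 Extended Key Usage")
    if [ -z "$eku" ]; then
        echo "absent"
    else
        case "$eku" in
            *"$want"*) echo "ok" ;;
            *) echo "missing" ;;
        esac
    fi
}

# report <cert.pem> <role>: one summary line per certificate and role.
report() {
    printf '%s as %s: KU=[%s] EKU=[%s] -> %s\n' "$(basename "$1")" "$2" \
        "$(ext_value "$1" "X509v3 Key Usage")" \
        "$(ext_value "$1" "X509v3 Extended Key Usage")" \
        "$(eku_status "$1" "$2")"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_cert "$tmp" gateway "digitalSignature,keyEncipherment" serverAuth
    make_cert "$tmp" user "digitalSignature" clientAuth
    make_cert "$tmp" legacy "digitalSignature,keyEncipherment"
    report "$tmp/gateway.pem" server
    report "$tmp/user.pem" client
    report "$tmp/user.pem" server     # client certificate checked in the server role
    report "$tmp/legacy.pem" server   # certificate issued without any EKU
    rm -rf "$tmp"
}

demo
```

A result of `absent` means the certificate has no EKU extension, which RFC 5280 treats as no restriction on purpose; whether a particular VPN client or gateway accepts such a certificate is product-specific.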

  • Transfer posting and Certificate of Analysis (BWUL)

    Moderator note:  I broke this off from discussion Transfer posting and Certificate of Analysis (BWUL)
    Please refer to the discussion for any background.
    This has been an interesting thread, and it's circling around the issue I am having, but I can't tell if this thread answers my question or not.  I'll ask here so as not to proliferate duplicate threads:
    I am in an environment where the business produces and tests finished goods in satellite plants and then moves them to a central DC via STO.  When I try to create COAs from the central DC, the COA program cannot find the results or specifications.
    I had the idea to change the profile to look at the production chain (thinking the batch in the production plant was part of the production chain of the identical batch in the DC).  When I did this, the program could not find the correct specifications.  I have been messing with the configuration around the results and specification origins with no success.
    I feel like this should be possible, but I can't figure out what I am missing.  Is SAP able to create a COA from a central DC for a material/batch that was produced in a satellite plant and sent via STO?
    Message was edited by: Craig S

    1) in the BWUL make sure in configuration setup it is set to include stock transports.
    2) You don't indicate where you maintain your specs.  In operations like this you should try to be reporting specs and results from the batch.  But I'm guessing you might be keeping the spec in the inspection plans only.
    3) in the COA profile, you can create your own custom FM for "results origin" and for "results specs".  You may need to create them if you keep your specs in the plans and not in the batch records.
    Craig

  • Applets and certificates in jdk1.4

    Hello all...
    I have an applet which imports the java.awt.Robot class. I can not use the methods from a html page due to security restrictions...
    I've searched high and wide for documentation on how to overcome this (as i am only going to be running this applet from my own machine)...i know it involved signing and certificates - i've tried several methods but none seem to work.....does anyone have an idea of exactly how i would go about getting this working??
    Thanks in advance........
    Johnno

    Johno
    If you're only going to run this 'applet' on your own machine why not write a program instead ?

  • ITunes Gift Cards and Certificates Code

    *** is this and how do I know what it is?? I just got my iphone4 today and am trying to use the app store, but it wants my credit card info etc. and iTunes Gift Cards and Certificates Code. I'm lost and can't get further using my phone this way. HELP

    Launch iTunes on your computer. From the menu bar click Store / View My Account - Edit Payment Information.
    Apple will ask you to verify your billing information with every transaction, whether free or purchased media.

  • NLB Unicast and certificate for the machine

    Hello,
    I have set up a two node nlb cluster, in unicast.
    On the other hand, I have a GPO with which every computer in the network gets a certificate from the CA, through auto enrollment.
    I am new to NLB, but from what I gather, the CA machine won't be able to issue any certificate to either of the two NLB nodes, because the virtual IP replaces the actual IPs of the two machines? I am a bit confused.
    Thanks in advance !!
    Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

    It's the MAC addresses that are (sort of) replaced, not the IP addresses. The two nodes of an NLB cluster can make outbound connections to a CA and other machines, and using the nodes' individual IP addresses each of them can still be contacted from other machines (in addition to using the cluster IP address).
    The only thing that does not work is: With unicast the nodes cannot communicate with each other over the network that has the shared IP address but you could use an additional NIC if you need inter-node communication.
    With multicast on the other hand there is a chance you run into this issue described here for CISCO routers (just have observed this myself); this article also gives an overview on how NLB works at the MAC address level.
    Re CA and certificates: Note that autoenrolled certificates will contain the nodes' individual names retrieved from AD. If you need a certificate that includes the cluster name you have to issue this certificate manually.
    Elke
