Cupfighter.net » Active Directory

CA will not start… What do you mean, cannot download CRL…

Frank Breedijk — Wed, 20 Jan 2010 22:50:05 +0000

As part of my work I was installing a Microsoft PKi infrastructure with two tiers. A root CA and an issuing CA.

Since the root CA is in another domain then the issuing CA, it took some fiddling and tweaking around with my CDP and AIA extensions, but that is another blogpost all together.

I knew I was in for some fun when when the following happened:

I installed my Issuing CA and generated the certificate request
I issued the request to my Root CA and generated the Issuing CA certificate
I tried to install the Issuing CA certificate and got the following error:

Cannot verify certificate chain. Do you whish to ignore the error and continue? The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2168885613)

My first reaction was to call one of the network guest and notify him that I needed http access to the Issuing CA to the CDP location. But whil on the phone, I decided to try and to my surprise I was actually able to manually pull down the crl.

Intregued, I decided to check a few things:

I could download the CRL from both CDP locations with Internet Exporer
I could open the downloaded CRLs
I could telnet to port 80 of the both webservers
I could telnet to port 80 manually issue the GET /crl/CRLname.crl HTTP/1.0 command and get data back

O.K. what is going on here… Lets open PKI view, which is now included in Windows 2008 and Vista and can be downloaded for Windows 2000 and 2003.

It seemed that PKI view as in agreement, it too could not download the CRL from the CDP location

PKI view shows "Unable To Download" for both CDP locations

This did sent me on a wild goose chase:

Microsoft own documentation, clearly blames it on unavailability of the CDP location, something I, by now, had triple checked four times and refused to believe
This “Network Builders” forum and many others, simply suggest to turn off revocation checking, but that is clearly not a worthy solution either.
Apparently there is also an issue with serving delta CRLs threw IIS because the + sign at the end of the basename of a delta CRL file leads to so called “double escaping”. I could rule this out by looking at the IIS logs.
In the end this technet forum post, about OCSP reponders Brian Komar points out:

But, as stated, I would use certutil to get the “best” answer on how is my configuration.
Certutil -verify -urlfetch “certfile.cer” will check *every* CDP and AIA URL (including OCSP) and tell you how they are all doing *at that specific instance in time” since it goes to the URLs immediately.
Brian

I exported the Issuing CA certificate from the certificate database of the Root CA and ran the command against is and this is what I found

E:\>certutil -verify -urlfetch .cer
Issuer:
CN=Root CA
Subject:
CN=Issuing CA
Cert Serial Number: 115d5f6400020000000b

—————- Certificate AIA —————-
Verified “Certificate (0)” Time: 0
[0.0] http://IIS1.domain1local/crl/Root-CA.crt

Verified “Certificate (0)” Time: 0
[1.0] http://IIS2.domain1.local/crl/Root-CA.crt

—————- Certificate CDP —————-
Wrong Issuer “Base CRL (13)” Time: 0
[0.0] http://IIS1.domain1.local/crl/Root-CA.crl

Wrong Issuer “Base CRL (13)” Time: 0
[1.0] http://IIS2.domain1.local/crl/Root-CA.crl

E:\>

So while PKI view and the other error messages I was getting all pointed to the most common cause, it actually turned out that the CRl did get downloaded, but was not cryptographically relevant to what the system believes is the Root CA certificate.

Root cause

Inspection of the CRLs generated and the Root certificates installed showed what had caused the problem. In order to test the CDP extensions I had reissued the Root CA certificate, causing the Root CA to have three active certificates. Each with a different key.

This CA has three CA certificates

When validating the Issuing CA certificate, validation would end at the last certificate issued, however the CA still signs its CRLs with the key pair of the first certificate.

I guess for me there is nothing left but to reinstall the entire chain.

What’s Windows Server 2008 R2 hold for Active Directory?

Patrick van den Berg — Mon, 09 Nov 2009 23:30:35 +0000

Remote Management.
Well finally, PowerShell v2 is included and holds an AD Module, so the Quest ActiveRoles Management Shell for Active Directory is now ‘sort of’ native. A comprehensive set of AD cmdlets for AD DS and AD LDS administration, configuration and diagnostic tasks.

PowerShell drives for AD will simplify navigation in AD Directory Services. And most of all: certain tasks can only be achieved through PowerShell hurrah for the shell.

AD Web services (ADWS) will create a web service ‘gateway’ for managing windows 2008 R2 servers through PowerShell. Be sure you have port 9289 opened on the firewalls and your home free.

For backward compatibility Active Directory Management Gateway Service (ADMGS) is available for Windows Server 2003 and 2008, however this does not support instances of AD Mounting Tool (get-PSdrive)

AD Administrative Center
The users and computers interface is enriched by progressive disclosure of data, which means, the interface builds up navigation history and anticipates on tasks you’re about to do and fill the interface accordingly. Big plus is that you can connect to multiple domains at the same time.

Managed Service Accounts
Currently using built in accounts for services does not provide service isolation. And in case we run the services using standard user accounts with some extensive privileges. But then again, changing services account passwords on a regular basis did cause some unexpected service failures.

So managed service accounts are presented, though the accounts must be created and managed through Windows PowerShell. J. It’s delivered in three steps. The sweet thing is that a reset of the password is done on a regular basis (default by 30 days) by the system itself.

However:
1: Service / application requiring managed account must be running on Windows 7 or Server 2008 R2
2: Managed accounts cannot be shared across multiple servers

The latter is a major setback since the whole security of the password changes are embedded, so why don’t enable it cross hosts, so keep it simple and transparent does not apply here.

Djoin.exe
Now, Windows 7 or Windows 2008 R2 machines can be joined to a domain while offline, it’s not PowerShell driven though. During deployment the machine has already domain joined the domain at startup, so no reboot required. This will definitely speed up deployment of VMs and scripted installs. The sysprep process will create a new section in unattended.xml to supports offline domain joins which will actually simplifies domain joins to RODCs.

Recycle Bin for AD
Here it is: a fast and decent failsafe of accidently deletion of AD objects; the recycle bin for AD.
You need to promote to 2008 R2 Forest functionality and, of course, it’s PowerShell driven.
Bear in mind, once enabled it cannot be disabled, but then again, it restores all attributes including linked attributes. Of course it will impact storage, but no more than 5 -10% increase of the AD database. Here is how it will work:

Kerberos Based SSO and Apache

Roeland Kuipers — Tue, 30 Jun 2009 09:51:33 +0000

Similar as OpenSSH Authentication Using Kerberos, but now Transparent Kerberos Authentication via Apache against Active Directory using mod_auth_kerb. This enables SSO from IE and Firefox on Apache, IE and Firefox configurations to enable this are also described in the document.

Abstract: The Apache authentication module mod_auth_kerb allows Apache to authenticate users against a Kerberos KDC including one from ActiveDirectory. Kerberos itself can be fairly complex to set up. This guide will attempt to show the specific steps required to make this possible as well as discuss security limitations specific to the interoperability matters. This guide assumes a basic understanding of Kerberos V and that the Active Directory domain controller is properly configured prior to starting this process.

Technical Analysis: Apache with mod_auth_kerb and Windows Server

OpenSSH Authentication using Kerberos

Roeland Kuipers — Tue, 30 Jun 2009 09:07:09 +0000

An interesting paper on how to authenticate against Active Directory using Kerberos and OpenSSH. This will enable SSO capabilities between Linux and windows, if used in combination with an Kerberos enabled SSH. And maybe even 2-factor authentication if combined with smartcards, haven’t tested this but should be working in theory if you use an SSH client from windows at least.

Components used:

On linux:

openssh
openssh-server
samba-common
samba-client
krb5-workstation
krb5-libs

On Windows:

Windows Support Tools

OpenSSH on Linux using Windows/Kerberos for Authentication

Putty With Kerberos

DFSR Debug Logging Explained

Roeland Kuipers — Thu, 18 Jun 2009 11:55:10 +0000

While troubleshooting some DFSR today, I came across this very nice and detailed post from the Directory Services Team.

From: http://blogs.technet.com/askds/archive/2009/03/23/understanding-dfsr-debug-logging-part-1-logging-levels-log-format-guid-s.aspx

Ned here again. Today begins a 21-part series on using the DFSR debug logs to further your understanding of Distributed File System Replication. While there are specific troubleshooting scenarios that will be covered, the most important part of understanding any products logging is making sure you are comfortable with it before you have errors. That way you have some point of reference if things go wrong.

As you can probably guess, these posts were a long time in development. They are based on an internal DFSR whitepaper I have worked on for six months, and which went through review by a number of excellent folks here in Support, Field Engineering, and the Product Group itself. Except for the removal of all private source code references, this series is otherwise unchanged.

I’ll start with a couple posts on the logs themselves, how they are formatted, how they can be controlled, etc. Then I’ll dig into scenarios in detail, for both Windows Server 2003 R2 and Windows Server 2008. Don’t feel like you have to read and memorize everything – this series is a reference guide as well.

ILM 2007 FP1 & MS Identity Management Jungle

Roeland Kuipers — Sun, 14 Jun 2009 21:17:10 +0000

Rebranding products is hip! So a small post to explain the real products behind ILM 2007 FP1, what they do and some links to more in depth info.

ILM 2007 Feature Pack 1 is actually a suite of two products, an updated version of Microsoft Identity Integration Server (MIIS) and Certificate Lifecycle Manager (CLM), previously idNexus which Microsoft obtained after acquiring Alacris.

MIIS is probably most famous as a tool to assist in Cross-Forest Exchange topologies (two separate exchange instances in their own forest glued together). MIIS is then used to synchronize the Exchange Global Address List (GAL), which enables a consistent addressbooks, mail routing and sharing a SMTP namespace between Exchange organizations.

CLM is the Microsoft product to manage the lifecycle of (x509) Certificates and Smartcards.

MIIS 2003, ILM 2007 and ILM 2007 FP1 will cost you money.
But Identity Integration Server for Microsoft Active Directory (SP2) (IIFP) is FREE and can be downloaded here.

This is a lightweight version of MIIS 2003 which can only be used with Active Directory but can be used to setup GAL synchronisation.
There is catch with Exchange 2007; the ILM 2007 version will run the powershell cmdlet update-recipient automatically for you. IIFP won’t do this, so you’ll have to setup this yourselves ,which is not a big deal.

A new version of ILM is underway and for now called “ILM 2″.

More details.

Technet July 2009 – Managing Active Directory users with ILM 2007

“ILM 2″ Product Page

Introducing Certificate Lifecyclemanager

ILM 2007 FP1 Product Page

How to deploy Exchange 2007 in a cros-forest topology

VMWare ESX Timekeeping and Active Directory

Roeland Kuipers — Thu, 11 Jun 2009 21:47:26 +0000

Some nice articles which explain timekeeping on vmware and how to virtualize Active Directory safely on VMWare time wise.

Time synchronisation on Active Directory is particularly important because of Kerberos, if clocks are more then 5 minutes (Default value) out of sync from the Domain Controller authentication fails. NTP is your friend here.

Timekeeping in VMWare virtual machines
TAC 9710 -Virtualizing a Windows Active Directory Domain Infrastructure (From 2006 but still usefull especially the Active Directory related inf0)