Cupfighter.net

As part of my work I was installing a Microsoft PKi infrastructure with two tiers. A root CA and an issuing CA.

Since the root CA is in another domain then the issuing CA, it took some fiddling and tweaking around with my CDP and AIA extensions, but that is another blogpost all together.

I knew I was in for some fun when when the following happened:

• I installed my Issuing CA and generated the certificate request
• I issued the request to my Root CA and generated the Issuing CA certificate
• I tried to install the Issuing CA certificate and got the following error:

Cannot verify certificate chain. Do you whish to ignore the error and continue? The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2168885613)

My first reaction was to call one of the network guest and notify him that I needed http access to the Issuing CA to the CDP location. But whil on the phone, I decided to try and to my surprise I was actually able to manually pull down the crl.

Intregued, I decided to check a few things:

• I could download the CRL from both CDP locations with Internet Exporer
• I could open the downloaded CRLs
• I could telnet to port 80 of the both webservers
• I could telnet to port 80 manually issue the GET /crl/CRLname.crl HTTP/1.0 command and get data back

O.K. what is going on here… Lets open PKI view, which is now included in Windows 2008 and Vista and can be downloaded for Windows 2000 and 2003.

It seemed that PKI view as in agreement, it too could not download the CRL from the CDP location

PKI view shows "Unable To Download" for both CDP locations

This did sent me on a wild goose chase:

• Microsoft own documentation, clearly blames it on unavailability of the CDP location, something I, by now, had triplle checked four times and refused to believe
• This “Network Builders” forum and many others, simply suggest to turn off revocation checking, but that is clearly not a worthy solution either.
• Apparently there is also an issue with serving delta CRLs threw IIS because the + sign at the end of the basename of a delta CRL file leads to so called “double escaping”. I could rule this out by looking at the IIS logs.
• In the end this technet forum post, about OCSP reponders Brian Komar points out:

But, as stated, I would use certutil to get the “best” answer on how is my configuration.
Certutil -verify -urlfetch “certfile.cer” will check *every* CDP and AIA URL (including OCSP) and tell you how they are all doing *at that specific instance in time” since it goes to the URLs immediately.
Brian

I exported the Issuing CA certificate from the certificate database of the Root CA and ran the command against is and this is what I found

E:\>certutil -verify -urlfetch <certfile>.cer
Issuer:
CN=Root CA
Subject:
CN=Issuing CA
Cert Serial Number: 115d5f6400020000000b
<snip>

—————-  Certificate AIA  —————-
Verified “Certificate (0)” Time: 0
[0.0] http://IIS1.domain1local/crl/Root-CA.crt

Verified “Certificate (0)” Time: 0
[1.0] http://IIS2.domain1.local/crl/Root-CA.crt

—————-  Certificate CDP  —————-
Wrong Issuer “Base CRL (13)” Time: 0
[0.0] http://IIS1.domain1.local/crl/Root-CA.crl

Wrong Issuer “Base CRL (13)” Time: 0
[1.0] http://IIS2.domain1.local/crl/Root-CA.crl

<snip>
E:\>

So while PKI view and the other error messages I was getting all pointed to the most common cause, it actually turned out that the CRl did get downloaded, but was not cryptographically relevant to what the system believes is the Root CA certificate.

Root cause

Inspection of the CRLs generated and the Root certificates installed showed what had caused the problem. In order to test the CDP extensions I had reissued the Root CA certificate, causing the Root CA to have three active certificates. Each with a different key.

This CA has three CA certificates

When validating the Issuing CA certificate, validation would end at the last certificate issued, however the CA still signs its CRLs with the key pair of the first certificate.

I guess for me there is nothing left but to reinstall the entire chain.

Schuberg Philis has sent me and 4 colleagues to Berlin to attend the TECH-ED over there.

Together with another 7000 techies, this is a week of planning, running, eating, experiencing all kinds of (new) technologies presented by Microsoft guys.

Feeling some blisters already, because I’m not used to running so much on a day, especially with a Lenovo T500 on my shoulder. The Berlin Messe is a huge place. But the overall sense of the MCE’s is that we are enjoying the sessions. Not all session are that good, but for instance Mark Minasi is good fun to watch and hear.  The food and beverages (very important) are good and plenty.
Technically we are not always that challenged, in many occasions the depth is lacking, but then again, it is a mass-event and not everybody is a (potential) MCE.

Read more…

Late October PowerShell V2 was released for almost all Windows platforms. Check out http://support.microsoft.com/kb/968929 and download the version you need.

Happy scripting!

Some cupfighters are going to TechEd Europe 2009. In fact the company we work for, Schuberg Philis, organizes the dutch country drink together with Microsoft.

We will blog during this event, and try to post major announcements, being made during TechEd, on this site as fast as we can. So keep an eye on this site or twitter!

http://www.schubergphilis.com/countrydrink

Read more…

Every now and then Microsoft Outlook decides to show its reminders in a strangely deformed reminder window.

Sorry what do I need to remember?

As allways Google was my friend and pointed me to this post.

The key is the value  WindowPos in this registry key: HKCU\Software\Microsoft\Office\12.0\Outlook\Options\Reminders

If you delete this key from the registry and restart Outlook the reminders window is back to its normal size.

Another tip from Elianne van de Kamp, which I of course couldn’t keep to myself. Your Windows 2008 KMS key (replacement of the Volume License Key/VLK) can be registered for a maximum of ten times on six different machines. If you want to extend this you will have to file a request at your Microsoft representative with lots of information:

• Organization name
• Agreement number
• Authorization number
• Requester name, telephone, etc
• Product
• Last 5 digits of your KMS key
• Number of additional activations
• And last but not least: A good reason why you need extra activations.

The process takes 48 hours to complete, which means you have to wait that long before your extra activations are available. The first step to activate your KMS key is to register it with:

slmgr -ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

It will tell you the key is valid (or not, but you then have another problem). Then you have to activate it with:

slmgr –ato

When the key is out of activations it will respond with “ERROR: 0xc004c008: the key is valid, but cannot be activated.”

Instead of filing a 2 day taking request you can use a quick workaround:

• Enter the KMS key as the registration key on the KMS server.  (Control Panel – System – Change product key).
• Activate the key. You will get a message the key cannot be registered. Choose activation by phone.
• Call MS activation line. Enter the numbers into the automated response, and you will receive the 8 times 5 new key.
• Enter the numbers and you’re all done, the KMS server will now be activated.

You can check this with:

slmgr –dlv

Full credit for this goes to Elianne van de Kamp, who’s been busy with the investigation for quite a while. What happened?

On the 9th of September, together with the regular MS updates an update for WSUS 3.0 came in: Service pack 2. The first issue we encountered was the fact it was announced as an upgrade. It performs a re-install though. This means you have to reconfigure the basic setup of WSUS. The computer list and grouping definitions are safe in the database. Things like which updates and which language to download will have to be configured again though. Being prepared here by making a note of current settings will help.

We ran into a new issue the next morning. The upgrade of WSUS also upgrades all clients with the Windows Update Agent. This runs flawless on 32 bit windows clients. It causes an issue on 64 bit windows however: two files, NT5IIS.CAT and IASNT4.CAT are replaced, probably by 32 bit versions. When you connect to the console of the server it will tell you about this in the form of a Windows File Protection Error. The choice is yours to cancel this warning and ignore like we did, because it concerns a database server and the files will never be used (NT5IIS for web server, IASNT4 for internet authentication). You could also cancel and replace the files manually from CD or service pack. Fact is that the files copied with this update are dated 25-05-2005, so very old and will most like cause problems when you ever need them.

I thought I’d share this information as I’m sure other people will run into this problem as well. Would be a shame if they had to go through the same cycle!

Overview of Microsoft patches due today by Microsoft

Microsoft is even more vague than usual about the patches it plans to release today.

In this patch announcement Microsoft only states that it plans to release 5 patches.

This is the data currently known:

Read more…

Today Microsoft released two out of band patches. Remarkably one of the patches is a moderate patch in itself however, it turns out that this patch is for a flaw in Microsoft Active Template Library (ATL). If software is built using this ATL it contains a vulnerability which can be exploited easily and can lead to arbitrary code execution on a client e.g. when surfing to a malicious website. Interestingly the active content (ActiveX control) is executed even when a killbit for the ActiveX control has been set. A preview demonstration is available online and details will be disclosed on the BlackHat conference tomorrow 29-7-2009 3:25 PM (GMT-8).

Read more…

Interesting insights on the new Windows 7 UAC… (http://www.pretentiousname.com/misc/win7_uac_whitelist2.html)

From: http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

List of binaries which are allowed “auto-elevation” :

http://www.withinwindows.com/2009/02/05/list-of-windows-7-beta-build-7000-auto-elevated-binaries/