Guest
Posted: Fri Aug 28, 2009 5:17 am Post subject: Re: Certificates
Hello carl,
I crosspost this to:
microsoft.public.windows.server.security
That is the better place for questions about CAs. Or also choose this:
http://social.technet.microsoft.com/Forums/de-DE/australiasecurity/threads
| Quote: | Am new to certificates, this might be a very basic question, but still...
Have been asked to set up LDAPS for an instance of ADAM. I believe there is some application which will access this application using LDAPS. Now I have a few questions:
1. Should I install a CA infrastructure for this setup or can I just procure a server-type certificate for the ADAM server? It's not like the issuing authority should be reachable all the time, right?
2. Since the app communicates with the ADAM server, I believe the app server will need a cert? What type of cert would that be? Client/server?
3. Is there a step-by-step guide as to how I can
1. Enable LDAP for an ADAM instance
2. Do the configuration on the app server for it to communicate with ADAM on LDAPS. If a client certificate should be installed, how should that be done?
Do we need to take 2 certificates?? This is really confusing. |
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

PA Bear [MS MVP]
Posted: Sat Aug 29, 2009 2:31 am Post subject: Re: Windows 2008 dcom security problems
[[Forwarded to & Followup-To set for microsoft.public.windows.server.security newsgroup]]
ftnico wrote:
| Quote: | Hi there
I have a problem with an RPC callback function with Windows 2008 x64 Server.
The actual situation is that we use this Windows 2008 x64 as a terminal server with Citrix XenApp 5. On this server an application starts a connection to a remote server. Until that point everything is fine..
Within this tool, there's an option to start a sub-application which is connecting to another service on a remote 2003 server. The service then accepts this connection and tries to open a new RPC callback (callback function) to the Windows 2008 x64 (source) server, where the original connection came from. This connection should then bring up a "telnet emulation" window.
With the Domain Admin everything works..
With a normal TS/Citrix user (even if this user is part of the local admin group or the domain admins group) we run into a timeout and a security audit failure is generated.
DCOM security and access permission is given to the user with which the 2003 remote system tries to open the callback connection.
The same function with the same 2003 remote server is working fine on Windows 2000 and Windows 2003 terminal server / Citrix installations.
So, the final question is..
What has changed in the DCOM config or with remote RPC (callback function) connections in 2008? |

PA Bear [MS MVP]
Posted: Sat Aug 29, 2009 2:32 am Post subject: Re: Auto Enrolment failure after migration to server 2008
[[Forwarded to & Followup-To set for microsoft.public.windows.server.security newsgroup]]
PaulLG wrote:
| Quote: | An old 2003 DC with Root CA was decommissioned and replaced with a new 2008 server.
The CA was backed up on the old server, and restored onto the new 2008 DC with the same name. The certificate database appears intact.
We can request new user certificates via the web interface, but auto-enrolment fails. Nothing is shown in the Failed Requests list.
User certificates can be requested via the MMC, but computer certificates fail with
"The certificate request failed because of one of the following conditions:
-The certificate request was submitted to a Certification Authority (CA) that is not started.
-You do not have the permissions to request certificates from the available CAs."
I have followed the troubleshooting guide
http://blogs.technet.com/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx
(as I haven't found a 2008 version) and everything seems OK except for the guide's reference to the group CERTSVC_DCOM_ACCESS, which does not exist in our AD. The certutil -setreg fix does not create the group, and our correctly-working lab network does not contain the group either.
The Application log on the client shows:
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 24/08/2009
Time: 14:04:42
User: N/A
Computer: FF8
Description:
Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x80070005). Access is denied.
The System log on the client shows:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10006
Date: 24/08/2009
Time: 14:04:42
User: N/A
Computer: FF8
Description:
DCOM got error "General access denied error " from the computer FF1.domain.local when attempting to activate the server:
{D99E6E74-FC88-11D0-B498-00A0C90312F3}
I have checked the DCOM permissions for "CertSrv Request" against our working lab server, and they are identical.
Any idea what I'm missing?
Paul |

PA Bear [MS MVP]
Posted: Wed Sep 02, 2009 6:55 pm Post subject: Re: Kerberos and IIS7 (SharePoint)
[[Forwarded to microsoft.public.windows.server.security newsgroup via crosspost.]]
ADAMEKPA wrote:
| Quote: | Hello NG,
I have got a strange behavior regarding Kerberos in my SharePoint environment. I don't know why it works but I am quite sure it should not.
Here is my configuration. I got a DC (Windows Server 2008) that has also SQL Server 2008 on it (WSS01). Then additionally I have a Server Server (WSS02) Express as a Front End Server (WFE). I configured CNAMEs in DNS (I know I should use A records but read on) site01, site02, etc. for the "portal" sites. I disabled the Kernel Mode Authentication in IIS7 for the relevant Web Applications. The SharePoint sites all run under a separate domain account.
Now here is the interesting thing. I enable Kerberos on the web application in SharePoint Central Administration. No HTTP SPN configured so far, not for wss02 nor for site01, etc.
I try to connect via a client to the SharePoint site (web application) via site01. The client asks DNS for the IP of site01 and gets wss02 as A record back. So the client tries to access wss02 (HTTP GET) and gets back an unauthorized. So the client requests a ticket for wss02 at the KDC. Interestingly the client is getting this ticket from the KDC. Remember that I haven't configured the SPN / what account is used for creating the ticket??? Then when the client sends the ticket to the server, the server reports a KRB_AP_ERR_MODIFIED error. Perhaps because the server tries to encrypt via the site's application pool account.
But the story goes on. Now I create a new domain user. No special rights, all standard. I set the SPN HTTP/wss02 to this user account. I DON'T configure it as an application pool account or something like that. And now: KERBEROS is working...
I really don't understand this... The web server should not have access to the new user's credentials (necessary for decrypting the ticket). So why is it working? Any ideas?
Thank you very much for your support.
Best Regards
Patrick |

PA Bear [MS MVP]
Posted: Tue Sep 08, 2009 1:15 pm Post subject: Re: IE7 Win2k3 TS Cannot add trusted sites - Sites Button Gr
[[Forwarded to Windows Server Security newsgroup via crosspost]]
legpeg2008 wrote:
| Quote: | Our users don't have the ability to add their own trusted sites in IE7 under Windows 2003 Terminal Services. All users use roaming profiles. The Sites button is greyed out. The icons in the security page are not the usual green tick, red cross etc; they have what appears to be an IE page icon with a key by the side of it. It is as though some settings through group policy (group policy runs in loopback mode) are still active (I have checked the site to zone assignments is not configured anymore - it used to be though).
Could a reg entry have been left behind? How would I reset it with a user who is a roaming profile as I would need access to the user part of the registry? I have looked at a test user account (which is not an administrator) and that appears to be OK - I don't really want to go down the drastic route of deleting profiles to get round the prob. |

Guest
Posted: Sat Sep 12, 2009 7:24 pm Post subject: Re: Security Certificate template not in the list
Hello aconti,
For CA questions better use:
microsoft.public.windows.server.security
Will crosspost it.
| Quote: | Hello, I created a copy of a security certificate template but when I try to install it, it does not appear in the list of available templates to install. What can be the reason and can I do something about it?
Thank you
http://forums.techarena.in |
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Martin Rublik
Posted: Wed Sep 16, 2009 9:53 am Post subject: Re: Security Certificate template not in the list
Hi, what is the version of your OS? Is it Windows 2003 Enterprise Edition, or Windows 2008 Enterprise Edition or Windows 2008 Standard Edition R2?
Regards
Martin
Meinolf Weber [MVP-DS] wrote:
| Quote: | Hello aconti,
For CA questions better use:
microsoft.public.windows.server.security
Will crosspost it.
Hello, I created a copy of a security certificate template but when I try to install it, it does not appear in the list of available templates to install. What can be the reason and can I do something about it?
Thank you
http://forums.techarena.in
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm |
--
Replace nospam with google's mail for e-mail communication

Ace Fekay [MCT]
Posted: Thu Sep 17, 2009 11:41 am Post subject: Re: Security Certificate template not in the list
"Martin Rublik" <martin.rublik@nospam.com> wrote in message news:eAn7WRsNKHA.2036@TK2MSFTNGP06.phx.gbl...
| Quote: | Hi, what is the version of your OS? Is it Windows 2003 Enterprise Edition, or Windows 2008 Enterprise Edition or Windows 2008 Standard Edition R2?
Regards
Martin |
Martin,
Thank you for the correction and update. I looked it up in order to provide everyone a link to read up on. I found the following, in slide #17, that indicates a CA installed on 2008 Std R2 supports v1, v2 and the new v3 certificates.
http://download.microsoft.com/download/f/2/1/f2146213-4ac0-4c50-b69a-12428ff0b077/Windows_Vista_PKI_Enhancement_in_Windows_7_and_Windows_Server_2008_R2.pptx
So using 2008 Std R2 will work for Aconti, the original poster.
Thank you again!
Ace

Guest
Posted: Sun Sep 20, 2009 10:30 am Post subject: Re: Server Decommission
Hello Zachary,
I will crosspost this to:
microsoft.public.windows.server.security
That's the better place for your question. Also think about using the Technet Forum:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
| Quote: | We currently have a Win2k server that we are looking to decommission so we can install it with Windows 2008. This 2k server is a domain controller with no FSMO roles on it but CA is still running on the server. We currently have a 2008 server that is acting as our primary DC. Two questions:
First, how can I check whether or not the CA is still being used? I have inherited this setup from a previous IT group so I am unsure of what practices have been in place before I was here.
Second, if I am unsure or if the services are still needed, can I move the CA to the 2008 server?
I have reviewed these links already and none seem to directly apply to my situation since the scenario is 2000 and 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;298138
http://support.microsoft.com/default.aspx?scid=kb;en-us;555012
http://support.microsoft.com/kb/889250
Any insight would be greatly appreciated. |
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Zachary
Posted: Mon Sep 21, 2009 12:45 pm Post subject: Re: Server Decommission
Thanks for the help on this.
<Meinolf Weber [MVP-DS]> wrote in message news:6cb2911d5e038cc0805353e3576@msnews.microsoft.com...

PA Bear [MS MVP]
Posted: Mon Sep 28, 2009 4:05 pm Post subject: Re: Updates installing order
[[Forwarded to Server Security newsgroup via crosspost, if only for the entertainment value.]]
joker197cinque wrote:
| Quote: | Windows Server 2003, SP2, File server role.
I am planning to install updates (and restart) on the file server. It has been some time since I last installed them because of a high availability issue, so I have many updates to install.
What I want to do is install 4 or 5 updates at a time and collect information after each restart to see potential problems and fix them, without a "one-bombing-updates-install" that sometimes produces a really unpredictable scenario.
How can I safely deselect some updates and install only a few of them at a time? Do I have to start deselecting them from the top or the bottom? In short, what is the order of the updates installation?
Any help much appreciated.
Thanks for help. |

joker197cinque
Posted: Tue Sep 29, 2009 7:15 am Post subject: Re: Updates installing order
On Sep 28, 8:05 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
| Quote: | [[Forwarded to Server Security newsgroup via crosspost, if only for the entertainment value.]] |
Hi PA Bear,
I see that you posted the question also here: http://tinyurl.com/y9zdegp
I hope that someone can help me.
Regards.

PA Bear [MS MVP]
Posted: Wed Sep 30, 2009 5:01 pm Post subject: Re: Updates installing order
joker197cinque wrote:
| Quote: | PA Bear wrote:
[[Forwarded to Server Security newsgroup via crosspost, if only for the entertainment value.]]
Hi PA Bear,
I see that you posted the question also here: http://tinyurl.com/y9zdegp |
That's what crossposting means: A reply is posted in both newsgroups.

PA Bear [MS MVP]
Posted: Wed Sep 30, 2009 5:15 pm Post subject: Re: IE 7 Enhanced Security is disabled but is still enforced
[Forwarded to Windows Server Security via crosspost. Please remove this when you reply.]
Greg Casteel wrote:
| Quote: | Windows Server 2003 SP2 and IE 7 are installed on a terminal server. The latest Microsoft security updates are routinely applied to the server. Enhanced security is disabled yet some users still receive the following message:
Windows Internet Explorer's Enhanced Security Configuration is currently enabled on your server. This enhanced level of security reduces the risk of attack from web-based content that is not secure, but it may also prevent websites from displaying correctly and restrict access to network resources.
These users are using their normal Active Directory domain accounts but the network applications that they can use from their desktop fail when they attempt to use them from the terminal server. A proxy server is used for the LAN but it is bypassed for local addresses. Any suggestions? |

joker197cinque
Posted: Thu Oct 01, 2009 7:22 am Post subject: Re: Updates installing order
On Sep 30, 9:01 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
| Quote: | That's what crossposting means: A reply is posted in both newsgroups.
|
Can you help me with my question?
Thanks.

lk247
Posted: Fri Oct 02, 2009 3:37 pm Post subject: Re: There are currently no logon servers available to servic
It appears that (in my case) it is a problem with the domain controller of the system you want to connect with.
I had a similar problem with a virtual server, running on the laptop. No problems connecting from the VM server to the host when situated in the office. Working at home: "There are currently no logon servers available to service the logon request".
After digging through the internet, NetBEUI settings, TCP/IP stack rebuild, it didn't work!
Finally, I set up a VPN connection to the office network from the host laptop and all of a sudden I could connect from the VMware server to the host laptop!
I hope this is of use for others facing this problem.
--
lk247

Peter Cox ~ 107641
Posted: Fri Oct 02, 2009 3:53 pm Post subject: Re: IE 7 Enhanced Security is disabled but is still enforced
Start REGEDIT on the terminal server and check the following registry setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
If you find this IEHarden value to be 1 ("IEHarden"=dword:00000001) then you should change it to 0 ("IEHarden"=dword:00000000)
--
Peter 107641
Vista64 Ultimate Edition
Std Server 2003
| Quote: | Greg Casteel wrote:
Windows Server 2003 SP2 and IE 7 are installed on a terminal server. The latest Microsoft security updates are routinely applied to the server. Enhanced security is disabled yet some users still receive the following message:
Windows Internet Explorer's Enhanced Security Configuration is currently enabled on your server. This enhanced level of security reduces the risk of attack from web-based content that is not secure, but it may also prevent websites from displaying correctly and restrict access to network resources.
These users are using their normal Active Directory domain accounts but the network applications that they can use from their desktop fail when they attempt to use them from the terminal server. A proxy server is used for the LAN but it is bypassed for local addresses. Any suggestions? |

Sonia
Posted: Sat Oct 03, 2009 2:10 pm Post subject: Re: Security in Server
Any idea please?
"PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message news:%23WKLxt7QKHA.1268@TK2MSFTNGP04.phx.gbl...
| Quote: | You missed microsoft.public.windows.server.security newsgroup!
Sonia wrote:
Hi!!!
1.- Evidence that security (intrusion) can perform an ISA Server 2006 from an outside network? I need to audit that server.
2.- Where can I download Forefront Threat Management Gateway (MSDN-Technet??)
Thanks |

Ole Thomsen
Posted: Thu Oct 08, 2009 2:51 am Post subject: Re: IE 7 Enhanced Security is disabled but is still enforced
I had to change the setting under each user in HKEY_USERS, so you might check that too.
Ole Thomsen
"Peter Cox ~ 107641" <peter@simbatech.net> wrote in message news:uqGySl4QKHA.4580@TK2MSFTNGP06.phx.gbl...
| Quote: | Start REGEDIT on the terminal server and check the following registry setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
If you find this IEHarden value to be 1 ("IEHarden"=dword:00000001) then you should change it to 0 ("IEHarden"=dword:00000000)
--
Peter 107641
Vista64 Ultimate Edition
Std Server 2003
Greg Casteel wrote:
Windows Server 2003 SP2 and IE 7 are installed on a terminal server. The latest Microsoft security updates are routinely applied to the server. Enhanced security is disabled yet some users still receive the following message:
Windows Internet Explorer's Enhanced Security Configuration is currently enabled on your server. This enhanced level of security reduces the risk of attack from web-based content that is not secure, but it may also prevent websites from displaying correctly and restrict access to network resources.
These users are using their normal Active Directory domain accounts but the network applications that they can use from their desktop fail when they attempt to use them from the terminal server. A proxy server is used for the LAN but it is bypassed for local addresses. Any suggestions? |
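As an added example (not code from the thread), a PowerShell script that audits the IEHarden value Peter Cox points at under the Terminal Server Install shadow key and, as Ole Thomsen suggests, under each loaded user hive in HKEY_USERS. It assumes an elevated PowerShell 2.0+ session on the terminal server and takes the per-user subkey to be the same ZoneMap path relative to each user's hive (the thread names the hive but not the subkey); the HKU drive mapping and the -Fix switch are constructed here.

```powershell
# Added example, not from the thread: report (and with -Fix, clear) IEHarden=1
# in the Terminal Server Install shadow key and in every loaded user hive.
# Assumption: the per-user location is the same ZoneMap subkey under each
# HKEY_USERS\<SID> hive. Only hives of currently logged-on users are loaded,
# so roaming users who are logged off will not be listed.
param([switch]$Fix)   # -Fix rewrites IEHarden=1 to 0 instead of only reporting it

$zoneMapSuffix = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$installShadow = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\' + $zoneMapSuffix

function Get-IEHardenState {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return 'key missing' }
    $item = Get-ItemProperty -Path $Path -Name IEHarden -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'value absent' }
    if ($item.IEHarden -eq 1) { return 'ENABLED (1)' }
    return "disabled ($($item.IEHarden))"
}

function Clear-IEHarden {
    param([string]$Path)
    # Same change the thread describes: "IEHarden"=dword:00000001 -> dword:00000000
    Set-ItemProperty -Path $Path -Name IEHarden -Value 0 -Type DWord
}

# Map HKEY_USERS as a drive so the loaded user hives can be walked
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$paths = @($installShadow)
# Domain/local user SIDs only; skip .DEFAULT, service SIDs and *_Classes hives
foreach ($hive in Get-ChildItem -Path 'HKU:\') {
    if ($hive.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
        $paths += "HKU:\$($hive.PSChildName)\$zoneMapSuffix"
    }
}

$report = foreach ($p in $paths) {
    $state = Get-IEHardenState -Path $p
    if ($Fix -and $state -eq 'ENABLED (1)') {
        Clear-IEHarden -Path $p
        $state = 'was 1, set to 0'
    }
    New-Object PSObject -Property @{ Path = $p; IEHarden = $state }
}
$report | Format-Table -Property IEHarden, Path -AutoSize -Wrap
```

Run it once without -Fix to see which locations still carry IEHarden=1; a user whose hive shows it while HKLM is clean matches Ole Thomsen's observation.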