The Validity Period of an Issued Certificate is Shorter than Configured

I recently passed with couple of scenarios where one of the issued Certificates in Microsoft PKI infrastructure solution has validity period shorter than the period already configured on the template of this certificate. The main reason of changing and increasing the validity period/years for several specific certificates is to avoid frequent renewal process. 

The scenario i passed by recently was when a user duplicated one of the templates and changed the Validity from the default 2 Years to 4 Years and issued the new Certificate however the issued certificate still reads 2 Years. This can be due to one of two reasons

1. The CA certificate period /Remaining Period (CA cannot issue a certificate that is longer than its own CA certificate) is less than the user certificate period. You cannot issue a user certificate which is 10 Years valid if your Root CA is 5 years only.
2. The default Validity Period that is allowed by CA (defined in CA reg)

To check for the CA Certificate period/Duration, you need to do the following

1. Open the CA Console
2. Right Click on the CA - Properties
3. From the General TAB click View Certificate and check the duration.

If the CA Remaining duration is less than the required user certificate duration then you need to increase the CA value and renew the CA certificate as follows:

1. Configure CAPolicy.inf that directly controls CA certificate.
2. Go to C:\Windows Folder, find the file CAPolicy.inf
3. Change the "RenewalValidityPeriodUnits" value to the appropriate period (10 or 15 Years)
4. Restart the CA Service
5. Renew the CA Certificate (Right Click on the CA - All Tasks - Renew CA Certificate)

If the CA Period/Duration is fine and longer than the user certificate need then we need to check the default Validity Period in the CA Registry by doing the following:

1. Open Admin CMD on the CA server and type certutil -getreg ca                                                                                                                                                                                    
2. Check the ValidityPeriodUnits which refers to the maximum period that this CA can issue. You can define this value according to your own requirements, but it won’t exceed the lifetime of CA.
3. From the Same CMD run certutil -setreg ca\ValidityPeriodUnits 5 (This will increase the validity to 5 years)
4. Stop and restart CA service.

Now try again to Enroll certificate again from client to check the validity period.

Read More

How to Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub

Its highly recommended when building your Microsoft PKI (Public Key Infrastructure) to have your Root CA offline after issuing the Enterprise Sub CA certificates. Its recommended to minimize the access to the Offline Root CA as possible. The Root CA is not a domain joined machine and can be turned off without any problem.

One of the Key issue is the CRL generated from the Root CA, you need to set the CRL interval for a large value so that we don’t need to copy the CRL to an online location frequently and do not implement delta CRLs, because the publication of each delta CRL would require access to the offline root CA in order to copy the delta CRL to an online publication location. In order to change the CRL interval you need to:

1. Turn on the Offline Root CA and login with Admin account
2. Open the Certification Authority Console
3. Right Click on the "Revoked Certificates" and click Properties.
4. Set “CRL Publish interval” to a large value (Default is 26 Weeks) and  uncheck “Publish Delta CRL” check-box.

In order to Publish a new CRL from the offline Root CA to the Enterprise Sub CA you need to do the following:

1. Publish a new CRL on the Root CA, this can be done by Right Click the "Revoked Certificates" - All Tasks - Publish                                                                                                                                                                                                                                                          
   
                                                                                                                                                                    
2. Copy the CRL file from the Root CA located under %systemroot%\system32\certsrv\certenroll to the Sub CA Server
3. Turn off the Root CA
4. Copy the above file to the InetPub folder (HTTP Path) in the Sub CA server which is by default located under the C:\inetpub\wwwroot\Certdata
5. Open an Admin Command Prompt and run the following command to publish it to the Active Directory (LDAP Path).                                                                                           certutil -f -dspublish " C:\Inetpub\wwwroot\certdata\RootCA.crl

This process of renewing the CRL and publishing a new one is manually done since the Root CA is offline and thats why its better to make the CRL publish interval more than the default value so you won't do it frequently. You may also want to set an automated reminder before the next renewal date.

Read More

How to Manually Delete Old/Empty WSUS computer Group from Database

Recently i was trying to delete/Remove one of the old computer groups under WSUS Console - Computers - All Computers. This Group was an old group with no members/Clients or any pending approvals any more. I tried removing it from the GUI by Right licking the object and Delete but the server hanged and i got connection error as shown below.

This problem might occur in WSUS servers utilizing the internal DB which has several limits and with the huge number of updates and many groups you can face such issue.

To solve this problem and manually remove this Group you will need to work it from the database and edit couple of tables as follows:

1. Make Sure to take a backup from your WSUS server and WSUS DB.
2. Use SQL Management Studio to connect to Windows internal database \\.\pipe\MSSQL$Microsoft##SSEE\sql\query
3. We will mainly remove the old records from tbtargetgroupand tbflattenedtargetgroup tables
4. Run “select * from tbtargetgroup” to get the list of groups.
5. Identify the TargetGroupID of one of the groups that you want to delete
6. Run delete from tbflattenedtargetgroup where TargetGroupID = ‘<TargetGroupID for the group which is to be removed>’
7. Run delete from tbdeployment where targetgroupid = ‘<Previous step ID>’
8. Run delete from tbtargetgroup where TargetGroupID = ‘<Previous same ID>’

This should take care of the deletion of these groups. Again its always required to ensure you have full backup from your DB.

Read More

How to Clean Microsoft WSUS Content Folder from Old and unneeded Products

Microsoft WSUS administrators sometimes tend to select all given Products (Options - Products and Classifications) and by time the WSUS content folder grows dramatically till it fill all disk space. If the WSUS administrator tries to uncheck or deselect unneeded products later on, this won't save or minimize the current space.

So how do the WSUS updates gets downloaded/Propagated on the WSUS server ?

1. WSUS server contacts the Microsoft Update servers and will only downloads the metadata (Not complete Full Update Package)
2. The Binaries or the actual downloads are only downloaded when you approve them manually or if there is an Auto approval rule configured.

In order to clean the WSUS content folder from old/unneeded  or unused products you have to do the following:

1. Under Options - Update Files and Languages, Remove the check box for download Express Installation files (This is optional recommendation depending on your environment).
2. In the Options - Products and Classifications, select only the needed products.
3. On WSUS console- decline all approved updated which were either installed or not applicable.
4. Delete the WsusContent Folder.
5. Navigate to the C:/program files/updates services/tools on the WSUS server
6. Run WSUSutil.exe Reset

On the next download cycle it will download only the updates which have been listed in products and classifications and which have not been declined.

Also Its recommended to install all Latest WSUS updates and hotfixes.

Read More

Windows 7 UAG Direct Access Clients Cannot RDP Server 2012 Domain Controllers

After upgrading our domain Controllers, DNS and DHCP servers to the latest Windows Server 2012, I noticed that our Windows 7 UAG DirectAccess clients are not able to RDP (Remote Desktop/MSTSC) to the new Server 2012 Domain Controllers. The same client can ping the 2012 Domain Controller and 2012 DNS server without any problem however all RDP traffic fails.


The weird thing was that at the same time these clients (Windows 7 DirectAccess UAG clients) can ping and RDP/MSTSC any other Windows 2012 member server without any problem at all.

I did some intensive checks and research on the Internet but could not find anything regarding Server 2012 domain controllers issues with UAG based Direct Access, As per Microsoft Escalation team recommendation we did a full tracing scenario on both the UAG and Windows 7 client. 

I tried to reproduce the problem while turning simultaneous capture on both the client and the UAG server using the below Scenario

Netsh wfp capture start

netsh trace start scenario=directaccess capture=yes report=yes

Tried both RDP and Ping to the Problematic Windows server 2012 domain Controller

Netsh trace stop

Netsh wfp capture stop

After Analyzing the captured logs, it was noticed that the DA client is using an Expired Security Association when it cannot access the 2012 server. Tracing from UAG server showing the RDP traffic dropped on UAG Server due to the following error. 

“STATUS_IPSEC_WRONG_SA”

Resolution:

This problem was fixed by installing the hotfix for IKEEXT.dll on the UAG 2010 DA server and on the Windows 7 DA client. It should be noted that this fix is only for 2008R2 servers and Windows 7 Clients

2801453-Delay during IPsec renegotiation on a computer that is running Windows 7 or Windows Server 2008 R2

http://support.microsoft.com/kb/2801453/EN-US

After installing this fix on both the UAG server and Windows 7 client, i was able to RDP/MSTSC the 2012 Domain Controller/DNS without any problems.

Read More

The Card Supplied Requires Drivers that are not present on this System

I recently started getting the above mentioned Logon warning Message (Check below screen shot) while logging on my old 2003 and 2003R2 servers using Remote Desktop. I was using a fairly new Windows 8 Laptop.

This warning is mainly related to trying to redirect the smart card to the RDP session. This issue didn't occur with Server 2008 or 2008R2 because the driver store in 2008 and above is huge and incorporates a lot of drivers while mostly the 2003 system doesn't have the needed driver.

If you passed by this issue then you have three different options as follows:

1. Disable this device on the laptop (If its not used) and it won't be redirected.
2. Install the Smart Card driver on the 2003 server (You may face some problems for driver availability and compatibility).
3. Uncheck the smart card box in the MSTSC settings before establishing the RDP session.

I picked option 3 which was the safest and convenient option by unchecking the Smart Card from the MSTSC settings - Show Options - Local Resources - Local Devices and Resources - More - Uncheck the Smart Card option.

After that you can RDP normally to any old 2003 server without getting this warning.

Read More

A new MVP is here from Egypt

I am pleased to announce and share with you all that I have been awarded the prestigious Microsoft Most Valuable Professional (MVP) award in the Enterprise Security Area. It was a very exciting moment opening and going through the congratulations email.

Attached is the exact mail that I received.

“

Congratulations! We are pleased to present you with the 2013 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Enterprise Security technical communities during the past year.

“

I am really honored to be associated with a great group of technical people around the whole world.  I’ll be aiming to continue my efforts to support the IT community all over the world and especially in my country and region for the next coming years. 

Thanks to everyone who supported me for the last year. Thanks for all my Blog followers, readers, friends........etc. I won't have made it without your feedback and comments.

Thanks to Microsoft for their support to the IT community and for recognizing our efforts.

You may check my MVP Profile here.

Thanks again to everyone.

Read More