TPM-CSP Autoenrollment failing with 0x8010002e SCARD_E_NO_READERS_AVAILABLE

We’re attempting to enroll for certificates using a TPM chip on a laptop – it fails when autoenrollment is involved but works when done manually via the MMC. According to http://msdn.microsoft.com/en-us/library/bb905527.aspx on the Smart Card Resource Manager service: “By default, the service is configured for manual mode. Smart card reader driver authors must configure the…


ADCS has become site-aware in Windows Server 2012

One of the largely unheralded big new features of Active Directory Certificate Services is that it can now be configured to be site-aware! This is accomplished by following the detailed steps that are described on the ADCS Wiki link below. The short version is however as follows: set the CA to detect which AD site it is in by running the following…


Why am I seeing LsaSrv 45058 events on my client?

From Julio: I recently installed a new server running Windows 2008 R2 (as a DC) and the related computers running Windows 7 Pro. The computers are joined to the domain. In a computer, which is shared by two users (userA and UserB), I see the following event on the Event Viewer while userA was logged…


XP and W2k3 Clients are by default unable to enroll from W2k12 CA servers

RPC packet-level authentication is turned on by default in Windows Server 2012 CAs. It can also be turned on in Windows Server 2008 and later, but defaults to off there. … From http://technet.microsoft.com/library/hh831373: When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT, as described…


Installing NDES restarts CertSvc service on target CA server

During the installation of NDES, two certificate templates (“Exchange Enrollment Agent (Offline request)” and “CEP Encryption”) are added to the list of templates that the target CA is allowed to issue certificates from. The registry on the target CA server is also modified to add ‘DeviceSerialNumber’ with the OID 2.5.4.5 to the ‘SubjectTemplate’ list under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA name\SubjectTemplate….


The tale of the phantom cached logon entry

We’re logging on with smartcards to our laptops, but we’ve recently discovered that you’re also able to perform cached logons onto the laptops using a username/password combination even if you’ve only ever logged on using smartcards! This is by design: smartcard logons generate a secondary logon that creates an additional lscache entry that contains NTLM credentials….*UNLESS*…


The end of days [for XP support]

In case you missed it – there is now less than 18 months of extended support left for the venerable Windows XP platform. The key takeaway from that statement is that there will be no security updates for XP released after April 8th 2014. In the Enterprise space it’s not uncommon to have a migration…


Why doesn't a user get locked out after a number of invalid password attempts greater than the domain account lockout policy?

We have an account lockout policy of 5 bad password attempts, but we’re seeing users presenting bad passwords up to several thousand times in the span of 15 minutes. I’m concerned about whether the policy is active or if we have a possible brute force password attack being attempted. After investigating this closer we…


How to get email notifications about expiring certificates from FIM CM 2010

Just stumbled over this great article on how to do this over on the Technet Wiki at http://social.technet.microsoft.com/wiki/contents/articles/9353.using-the-fim-cm-2010-notification-api.aspx. Using this example you can have email notifications sent to a mailbox or distribution list to warn about certificates that are about to expire, giving the administrators time to renew them ahead of time. Using the…


How to bulk create 10000 users and groups for your test environment

For test lab scenarios where you quickly want to add a few thousand users you can run the following batch files on a DC:

:Creates 10000 disabled user accounts with password Password1
For /l %%t IN (1,1,10000) do net user BulkUser%%t Password1 /add /PASSWORDREQ:YES /ACTIVE:NO

:Bulk create 1000 groups
For /l %%t IN (1,1,1000) do net group Bulkgroup%%t /add
…
