Upgrading from ADFS 2.0 to ADFS 2.1

[Note: this is a shortcut variation on the steps in the Technet article at http://technet.microsoft.com/en-us/library/jj134039.aspx and should for now only be used in lab scenarios, as it hasn't been officially tested by the PGs.] The short version: add the AD FS role on Windows Server 2012 and choose to add it to an existing farm. Make the new…


Fiddling with ADFS – end the infinite authentication loop

While working at a customer site the other day I was reminded of an article by Eric Lawrence on why you sometimes start seeing endless pop-up windows asking for credentials when using Fiddler to decrypt HTTPS traffic during troubleshooting. In short: if the web server has Extended Protection for Authentication enabled, then it detects that…


Quick inventory of all certificates expiring in the next XX days

A simple command line using Certutil to dump out all issued certificates on the server that are about to expire in the next 60 days: certutil -view -restrict "NotAfter>now,NotAfter<=now+60,Disposition=20" -out RequestID,RequesterName,Request.CommonName,CommonName,UPN,NotBefore,NotAfter,SerialNumber,CertificateTemplate,CertificateHash … Creative uses: schedule a monthly task in the Windows Task Scheduler with two components; the first to generate the list and pipe it to a…


Setting up your first ADFS POC

Here are the steps for setting up a POC for ADFS: First of all, you need to decide on what your federation server farm will be called on the Internet. In the drawing below I’ve chosen the name fs.contoso.com – this will be registered in DNS as follows: in external DNS to point to the…


Tweaking ADCS performance

The default settings for ADCS are fine for smaller installations; however, once your CA database goes beyond the toddler stage and starts exceeding a few gigabytes, you should consider tweaking a few knobs on it for better performance. Avoid ticking auditing for Startup/Shutdown of the ADCS service (this causes a hashing of the database…


TPM-CSP Autoenrollment failing with 0x8010002e SCARD_E_NO_READERS_AVAILABLE

We're attempting to enroll for certificates using a TPM chip on a laptop; it fails when autoenrollment is involved but works when done manually via the MMC. According to http://msdn.microsoft.com/en-us/library/bb905527.aspx on the Smart Card Resource Manager service: "By default, the service is configured for manual mode. Smart card reader driver authors must configure the…


ADCS has become site-aware in Windows Server 2012

One of the largely unheralded big new features of Active Directory Certificate Services is that it can now be configured to be site-aware! This is accomplished by following the detailed steps that are described on the ADCS Wiki link below. The short version is however as follows: set the CA to detect which AD site it is in by running the following…


Why am I seeing LsaSrv 45058 events on my client?

From Julio: I recently installed a new server running Windows 2008 R2 (as a DC) and the related computers running Windows 7 Pro. The computers are joined to the domain. On a computer which is shared by two users (userA and userB), I see the following event in the Event Viewer while userA was logged…


XP and W2k3 Clients are by default unable to enroll from W2k12 CA servers

RPC packet-level authentication is by default turned on in Windows Server 2012 CAs. This can also be turned on in W2k8+ but defaults to off there. … From http://technet.microsoft.com/library/hh831373: When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via RPC_C_AUTHN_LEVEL_PKT, as described…


Installing NDES restarts CertSvc service on target CA server

During the installation of NDES, two certificate templates ("Exchange Enrollment Agent (Offline request)" and "CEP Encryption") are added to the list of templates that the target CA is allowed to issue certificates from. The registry on the target CA server is also modified to add 'DeviceSerialNumber' with its OID to the 'SubjectTemplate' list under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\SubjectTemplate…