Using S/MIME certificates for non-repudiation

Our current S/MIME certificate, based on the User template, allows users to both encrypt and sign email. I have, however, been tasked with making sure our S/MIME certificates comply with our organizational requirements for non-repudiation. The current certificate based on the User template is being archived for data recovery purposes – but this basically makes the non-repudiation value…


Deconstructing the KDC certificate processing functionality

For a DC to be able to service smartcard logons, the DC must have a valid and suitable certificate present in the personal store of the computer account. This is typically autoenrolled whenever a Windows CA server has been installed into the AD environment. The KDC service on W2k8 R2 monitors the personal certificate store…


CAPI2 event ID 11 retake

A customer put the following questions to one of my colleagues: On a lot of our Windows 7 clients we've noticed they periodically try to download a CAB file from Windows Update, but as our workstations are required to access the Internet via a proxy, and they aren't able to authenticate against it, the download fails and…


Event ID 29 when starting the KDC service on Windows Server 2008 R2 DCs

I got the following escalation the other week: We’re getting Event ID 29 on our new W2k8 R2 DCs – our W2k3 DCs in the same domain, which do not get any error, use Domain Controller Authentication certificates from the same SubCA, and running certutil -verify -urlfetch <exported DC cert.cer> seems to verify all CDP…


Using Wevtutil to capture and view the CAPI2 Operational log

CAPI2 events are logged to Application Logs\Microsoft\Windows\CAPI2\Operational. However, CAPI2 logging is off by default for performance reasons. To enable CAPI2 Operational logging: wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true. To clear the log so we only get the latest CAPI2 events (optional): wevtutil.exe cl Microsoft-Windows-CAPI2/Operational. To restart the KDC service to capture CAPI events generated…


The effect on Cached Logons when Smart Card is required for interactive logon is set

I had a very interesting escalation last week: We want to require our users to log on to our Windows 7 workstations with smartcards when they are connected to the corporate network, but we also want to allow them to log on using their previous username/password combination when offline. This isn’t working quite as we expected; the…


Credential Roaming and NTDS.dit bloat

Following up on a previous post about Credential Roaming (aka DIMS): http://blogs.technet.com/b/instan/archive/2009/05/26/considerations-for-implementing-credential-roaming.aspx With a recent DCR to Windows 7 and W2k8 R2 (http://support.microsoft.com/kb/2520487) it is now possible to filter out specific types of credentials from the credentials that will roam to your AD database. The post-hotfix default behaviour is to not roam unaffiliated keys, unused keys…


ADCS CA Server disaster recovery steps when smartcard logon is required but no valid CRL can be published

Consider the following disaster recovery scenario: The CA has become temporarily unavailable, the current CRL and Delta CRL have expired, and revocation checking is failing, which is preventing smartcard logons. You have the private/public key pair of the CA certificate available and want to quickly get a new valid CRL out so that revocation checking can start…
