CAPI2 event ID 11 retake

A customer put the following questions to one of my colleagues: On a lot of our Windows 7 clients we've noticed they periodically try to download a CAB file from Windows Update, but as our workstations are required to access the Internet via Proxy and they aren't able to authenticate against it the download fails and…
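As an added practitioner check (not part of the original post), the PowerShell below enables the CAPI2 Operational log on a client, pulls the recent event ID 11 entries, and shows the WinHTTP proxy configuration that system services (as opposed to a logged-on user's browser) actually use when CryptoAPI fetches content from Windows Update; the seven-day window and the output shape are this example's own choices.

```powershell
# Added example: collect CAPI2 event ID 11 entries and the WinHTTP proxy in use.
# The CAPI2 Operational log is disabled by default, so switch it on first.
$log = 'Microsoft-Windows-CAPI2/Operational'
wevtutil sl $log /e:true

# Seven-day lookback is an arbitrary window chosen for this example.
$since = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 11; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Flatten each event's XML payload to one line so the failing chain/URL details
# are readable in a console or can be piped to Export-Csv for a ticket.
$events |
    Select-Object TimeCreated, Id,
        @{ Name = 'Detail'; Expression = { ($_.ToXml()) -replace '\s+', ' ' } } |
    Format-List

# CryptoAPI downloads run in the machine context and honour the WinHTTP proxy,
# not the per-user Internet Explorer proxy, so check that setting explicitly.
netsh winhttp show proxy
```

If `netsh winhttp show proxy` reports "Direct access (no proxy server)" while users reach the Internet only through an authenticating proxy, the machine-context download has no route out, which matches the symptom described above; `netsh winhttp import proxy source=ie` copies the current user's IE settings into the WinHTTP store, but an authenticating proxy will still need a bypass or exemption for the Windows Update URLs because the machine account cannot answer the proxy challenge.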


Credential Roaming and NTDS.dit bloat

Following up on a previous post about Credential Roaming (aka DIMS): http://blogs.technet.com/b/instan/archive/2009/05/26/considerations-for-implementing-credential-roaming.aspx With a recent DCR to Windows 7 & W2k8 R2 (http://support.microsoft.com/kb/2520487) it is now possible to filter out specific types of credentials from the credentials that will roam to your AD database. Post-hotfix default behaviour is to not roam unaffiliated keys, unused keys…


Smartcard logon using certificates from a 3rd party on a Domain Controller and KDC Event ID 29

I was looking at the Windows Server 2008 R2 KDC architecture with my colleague Jan earlier today concerning an issue when using smart cards with 3rd party domain controller certificates. Our customer that Jan was working with had requested and received a certificate for their DC from Verisign but the W2k8 R2 DC just plainly…


Setting up ADFS 2.0 as an IDP for Visma Proceedo

I’ve put together a Word document with the details on how to set up a federation trust between Visma Proceedo acting as a Relying Party (RP) and ADFS 2.0 acting as the Identity Provider (IDP). The document can be downloaded from http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-63-78/3021.Federation-trust-with-Visma-Proceedo.docx. Further details: http://www.visma.se/


The CA certificate that disappeared after the CMOS battery died

A colleague on our PKI Server alias got the following question from a partner: Our newly installed Windows Server 2008 R2 CA server got the time settings on it accidentally reset back to the BIOS defaults (1/1/2011) when the batteries on the motherboard were temporarily removed. When the CA server was restarted afterwards we noticed that…


Why is autoenrollment only happening if initiated manually through the MMC?

We resolved the following case recently: On our W2k8 R2 Domain Controllers, autoenrollment is not working even if all the permissions are correct and the CAs are allowed to issue the correct templates. The funny thing is that if we open the Certificates MMC snap-in, right-click the Certificates node, choose All Tasks/Automatically Enroll and Retrieve…


Why can’t I see any certificate templates when creating a certificate request within the IIS 7.x MMC?

My colleague Jan had the following case recently. Customer verbatim: We’ve created a custom web server certificate template that we want to use to enroll certificates from for our web servers. We’ve also removed the original Web Server template from the list of templates our CA is allowed to issue. However, when we now go to the IIS 7/7.5 MMC root,…


Smartcard Redirection Diaries

Last month we finally closed two bugs that I’ve been engaged in on and off for well over a year and released two related hotfixes in the February hotfix release batch. In late 2009, our Professional Support team got the following case from one of our ISV Partners (an established provider of security products, among…


Remote EFS decryption and Trusted for Delegation requirements

One of our customers reported the following: We have been evaluating EFS on Windows 7 as part of our upgrade from Windows XP project and have discovered that if you share a folder and encrypt a file within it locally, the same user is able to decrypt it remotely without the workstation being trusted for…


Everything you wanted to know about Extended Validation but were afraid to ask

Well, maybe not quite… but hopefully it helps explain the concept better. SSL is not the trusted stamp of approval that it was maybe 10-15 years ago; business requirements and competition between CA vendors have moved it away from being a cumbersome, manual and lengthy process to the point where you can point and click your…