UseSubjectAltName and smartcard logon

On Windows 7 clients, if a smartcard certificate contains a Subject Alternative Name (SAN) it will by default be used for implicit mapping against a user in AD and whatever has been imported to the altSecurityIdentities attribute in X509 format (the UPN SAN is special, as that looks directly at the userPrincipalName attribute). If you want…


Event 6398 and Forefront Server Security

Customers may get this issue from time to time on every SharePoint WFE server except one whenever the antivirus applications on the servers successfully update their antivirus definitions. This only happens when more than one load-balanced SharePoint WFE is involved and configured to update at exactly the same time and the antivirus application is…


The Smartcard Removal Policy Service and VPN

The ScPolicySvc service works by monitoring a specific registry key (see Deconstructing the Smartcard Removal Policy Service). The VPN client (Connection Manager, aka CM), on the other hand, doesn’t use the Credential Provider architecture; it uses its own code for picking which certificate from the smartcard will be used for logon. The VPN component not…


Why living in the future is bad when you’re a CA server (aka the story of 0x800b0101 CERT_E_EXPIRED)

I worked on the following case recently: We can’t seem to enroll for certificates from our Windows 2008 OCS Servers, the error we get is “A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.” We have no problems requesting certificates from…


New features in Windows 7

My 3 favorites: – Virtual Windows XP, AKA ‘XP Mode’ (not all SKUs). This is basically a small Virtual PC within the Windows 7 OS that allows you to run the application in its own contained environment, fully mimicking Windows XP while seemingly sitting on the desktop. Should make compatibility issues of legacy applications during migration…


New AD features in Windows Server 2008 R2

My three favorites are: Cross-forest certificate autoenrollment: makes it possible to share a CA server between multiple forests; will work for XP/2003 clients and later OSes. HTTP certificate enrollment: this is effectively a reverse-proxy enrollment feature via HTTP; it can also be configured to only allow renewals via HTTP while maintaining the old enrollment behaviour internally. This is however a…
