ADCS Enrollment Web Service with Managed Service Accounts

Posted on by

This guide covers the deployment of the Active Directory Certificate Services (AD CS) Enrollment Web Service (CES) role using group Managed Service Accounts (gMSA) on Server Core. The Enrollment Web Service allows for automated certificate issuance to computers that are unable to directly reach the Certificate Authorities over the standard DCOM ports, such as external or DMZ housed computers. Users and computers can enroll for certificates from a CES server over HTTPS/443.

The Enrollment Web Service binds to an individual issuing Certificate Authority. To issue certificates from multiple CAs, multiple CES servers will need to be provisioned. The CES server requires that at least one Certificate Enrollment Policy Web Service (CEP) server be configured. The CES and CEP roles can both exist on the same system or can be deployed separately.

Requirements

  • Enterprise Administrator
  • Administrator permissions on the target Enterprise Certificate Authority.
  • A deployed and functional Enterprise PKI.
  • A deployed and enabled Certificate Enrollment Policy Web Service server.

Summary Steps

  • Enroll a Computer Certificate for the CES server IIS binding.
  • Install the Certificate Authority feature with the Enrollment Web Service role.
  • Create a group Managed Service Account (gMSA) for the IIS App Pool.
  • Assign the gMSA to the local IIS_IUSRS group on the CES server.
  • Assign a service principal name (SPN) to the gMSA.
  • Configure the gMSA for constrained delegation to the Certificate Authorities.
  • Assign the gMSA to the CES server IIS App Pool.

Continue reading

Pages: 1 2

Ubiquiti UniFi Security Gateway Disable NAT

Posted on by

This is a guide for disabling the Network Address Translation (NAT) function on the Ubiquiti Networks UniFi Security Gateway (USG). The NAT functionality can be disabled by a custom config.gateway.json file on the UniFi Controller. There is no User Interface option currently to disable NAT.

Note: These instructions apply to the Unifi Security Gateway (USG) line of products, which are end of life. The config.gateway.json method does not exist on the UDM and UXG line of products.

If you’re here looking to disable NAT on a UDM or UXG product line, know that there is now an option in the web interface. Ubiquiti added controls directly in the web interface starting with UniFi Network 8.3.32 to control or disable NAT.

Requirements

  • Unifi Security Gateway (USG)
  • SSH access to the UniFi Controller

Summary Steps

  • Create or update a custom config.gateway.json configuration file
  • Perform a manual device provision of the USG

Continue reading

IIS WMSvc Automated Certificate Management

Posted on by

I’ve added a new script to my GitHub PowerShell repository for managing the IIS WMSvc Certificate. The script WMSvc_InstallCertificate.ps1 is intended to be ran either by scheduled task or by command line and will attempt to detect when the Web Management Service (WMSvc) certificate needs to be replaced. Replacement certificates are sourced from an Enterprise Certificate Authority automatically. The IIS machine account must have privileges to enroll.

In my lab, this script is tied to a scheduled task that is automatically created by group policy on servers attached to the IIS role security group. This same security group is also granted enroll privileges on the certificate template. In effect, new servers created will automatically receive a trusted certificate for their management port and that certificate is rotated automatically before expiration.

Since my lab IIS installations run on Server Core, it is quite convenient to have the remote management service configured automatically.

VMware App Volumes Datastore Migration – 2.18

Posted on by

This is a guide for migrating App Volumes app stacks, metadata, and entitlements to a new datastore. I’ll also cover the clean up steps to remove references to the old location(s). What will not be covered are writable volumes.

These instructions are intended for App Volumes 2.18 and may be applicable to other versions in the 2.x branch. The steps for metadata cleanup were obtained through collaboration with VMware Business Critical Support.

Update: These steps continue to work through at least App Volumes 4.9 (2212).

Requirements

  • Administrator role in vSphere vCenter.
  • Administrator role in App Volumes Manager.
  • Administrator privileges to the App Volumes Manager operating system.
  • Access to the App Volumes database server, SQL Server Management Studio, and at least DBO privileges on the App Volumes database.
  • A recent database backup in case a rollback is required.

Summary Steps

  • Use Storage Groups to duplicate existing app stacks and metadata to a new datastore.
  • Remove the Storage Group after duplication has occurred.
  • Remove the old datastore.
  • Metadata cleanup

Continue reading

vCenter Storage Providers appear Offline after Host Certificates are Installed

Posted on by

I ran into an issue where configuring vSphere with an intermediate signing certificate and replacing certificates on all hosts would cause the storage providers to go offline. Refreshing host certificates would also cause the issue.

VMware support determined the cause was the removal of the vCenter SMS certificate in the hosts local trust store. This certificate is not pushed to the hosts when the trust store was refreshed. This behavior occurs at least on vSphere 6.7 and 7.0. To resolve the issue, it is necessary to manually add the SMS certificate to the hosts trust store.

Continue reading