Tag Archives: microsoft

ADCS Enrollment Web Service with Managed Service Accounts

Posted on by

This guide covers the deployment of the Active Directory Certificate Services (AD CS) Enrollment Web Service (CES) role using group Managed Service Accounts (gMSA) on Server Core. The Enrollment Web Service allows for automated certificate issuance to computers that are unable to directly reach the Certificate Authorities over the standard DCOM ports, such as external or DMZ housed computers. Users and computers can enroll for certificates from a CES server over HTTPS/443.

The Enrollment Web Service binds to an individual issuing Certificate Authority. To issue certificates from multiple CAs, multiple CES servers will need to be provisioned. The CES server requires that at least one Certificate Enrollment Policy Web Service (CEP) server be configured. The CES and CEP roles can both exist on the same system or can be deployed separately.

Requirements

  • Enterprise Administrator
  • Administrator permissions on the target Enterprise Certificate Authority.
  • A deployed and functional Enterprise PKI.
  • A deployed and enabled Certificate Enrollment Policy Web Service server.

Summary Steps

  • Enroll a Computer Certificate for the CES server IIS binding.
  • Install the Certificate Authority feature with the Enrollment Web Service role.
  • Create a group Managed Service Account (gMSA) for the IIS App Pool.
  • Assign the gMSA to the local IIS_IUSRS group on the CES server.
  • Assign a service principal name (SPN) to the gMSA.
  • Configure the gMSA for constrained delegation to the Certificate Authorities.
  • Assign the gMSA to the CES server IIS App Pool.

Continue reading

Pages: 1 2

Local and Domain NTP Overridden by Secure Time Service

Posted on by

Starting with Windows 10 1511, Microsoft introduced a new feature called Secure Time Seeding, part of the Secure Time Service (STS), as an upgrade to the W32TIME service. The STS uses information from SSL connections to validate NTP data. Information from this feature supersedes all other time sources, including locally configured NTP, domain controllers, and Hyper-V time synchronization.

I first noticed the feature when several of my Hyper-V virtual machines began shifting their system clocks backwards and forwards several times a minute. At first the time changes spanned a few hours, but as the machine uptime climbed, so did the time jumps. Eventually, the time was bouncing backwards and forwards by weeks, several times a minute. The Hyper-V time synchronization service was fighting with the new Secure Time Service and this wrecked havoc on authentication and any other services running on the systems.

Continue reading

Unifi VPN Radius Challenge Fails with Invalid Password

Posted on by

An issue exists between the Ubiquiti Networks Unifi software controller v5.10.19 and a Microsoft Radius or Network Policy Server (NPS) when NTLMv2 responses are forced on all Domain Controllers. When this condition exists, radius calls from the Unifi controller fail with error event that indicates the password is invalid. The security logs on the radius server report the following failure:

Failure Information:
     Failure Reason:     Unknown user name or bad password.
     Status:             0xC000006D
     Sub Status:         0xC000006A     (Account logon with misspelled or bad password)

The issue is limited only to VPN connections. WiFi connections using the same Radius connection profile and user account succeed.

Applying the registry key in Microsoft KB 2811487 to the Radius server resolves the issue.

Set DWORD:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Enable NTLMv2 Compatibility = 1