Channel: Yuval Sinay

Error “Page Cannot be Displayed” may appear after replacing Exchange 2010 Certificate


Symptoms:

After replacing the Exchange 2010 certificate, the following error may appear when accessing Exchange 2010 OWA (Outlook Web Access): “Page Cannot be Displayed”.

Reason:

The imported certificate may not contain a “Private key”.

Solution:

During the certificate export process, verify that the “Export Private Key” checkbox has been marked. After exporting the new certificate, import it on the Exchange 2010 server and assign it to the relevant services.


Windows 2008 R2 Certification Authority installation guide


Mr. Eyal Estrin wrote an excellent guide, “Windows 2008 R2 Certification Authority installation guide”.

It provides step-by-step instructions for installing an Offline Root Certificate Authority and then setting up an Enterprise Subordinate Certificate Authority.

The guide can be obtained from the following link.

Finding DSConfigDN and DSDomainDN values by using Certutil


DSConfigDN and DSDomainDN are two values that should be taken care of while designing a PKI implementation (especially when using a Stand Alone Root CA and an Enterprise Sub CA).

The following output shows how to obtain the required values from your Certificate Authority:

C:\Users\administrator>certutil -getreg ca\DSConfigDN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\lyncdomain-SRV5-CA\DSConfigDN:

  DSConfigDN REG_SZ = CN=Configuration,DC=lyncdomain,DC=local
CertUtil: -getreg command completed successfully.

C:\Users\administrator>certutil -getreg ca\DSDomainDN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\lyncdomain-SRV5-CA\DSDomainDN:

  DSDomainDN REG_SZ = DC=lyncdomain,DC=local
CertUtil: -getreg command completed successfully.
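As an added example (not part of the original post), the following PowerShell script reads both values from the CA's registry key and compares them with the naming contexts the forest actually advertises, which is the check worth running before publishing anything. It assumes an elevated session on a domain-joined CA such as the Enterprise Sub CA.

```powershell
# Added example, not from the original post. Assumes an elevated session on a
# domain-joined CA (e.g. the Enterprise Sub CA); an offline standalone root is
# usually not domain-joined, so there the RootDSE lookup must be done elsewhere.

$caRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The "Active" value under Configuration holds the CA instance name, the
# "lyncdomain-SRV5-CA" part of the registry path in the certutil output above.
$caName = (Get-ItemProperty -Path $caRoot -Name Active).Active
$caKey  = Join-Path $caRoot $caName
$ds     = Get-ItemProperty -Path $caKey -Name DSConfigDN, DSDomainDN

# RootDSE tells us what the forest really uses, independent of what the CA
# was configured with.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = [string]$rootDse.configurationNamingContext
$defaultNc = [string]$rootDse.defaultNamingContext

function Test-SameDn([string]$Expected, [string]$Actual) {
    # -eq is case-insensitive in PowerShell; also ignore whitespace after commas.
    ($Expected -replace ',\s+', ',') -eq ($Actual -replace ',\s+', ',')
}

$results = @(
    [pscustomobject]@{
        Value    = 'DSConfigDN'
        Registry = $ds.DSConfigDN
        Forest   = $configNc
        Match    = Test-SameDn $configNc $ds.DSConfigDN
    }
    [pscustomobject]@{
        Value    = 'DSDomainDN'
        Registry = $ds.DSDomainDN
        Forest   = $defaultNc
        Match    = Test-SameDn $defaultNc $ds.DSDomainDN
    }
)
$results | Format-Table -AutoSize

# The CA builds its LDAP CDP and AIA URLs from these two values. A mismatch
# means issued certificates point at directory objects that do not exist,
# which surfaces later as "revocation check failed" errors on the clients.
if ($results.Match -contains $false) {
    Write-Warning ("DS values on CA '$caName' do not match the forest. " +
        'Correct them with certutil -setreg ca\DSConfigDN / ca\DSDomainDN and restart CertSvc.')
}
```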

 

Note: The details of a Stand Alone Root CA / Stand Alone Sub CA (e.g. certificate, CRL, AIA etc.) can be published into Active Directory by using the following commands:

certutil -dsPublish -f RootCACertificate.cer RootCA

certutil -dsPublish -f SubCACertificate.cer SubCA

 

 


To publish a CRL into Active Directory, use the following command:

certutil -dspublish -f MyCRLFile.crl

 


Reference:

Configure an offline root certification authority to support certificate revocation with Active Directory

How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store

How to add Root Certificate and Intermediate Certificate to a Windows Operating System


If you are using a PKI (Public Key Infrastructure), you may find that the Root Certificate and Intermediate Certificate need to be installed manually on Workgroup computers.

Also, if you don't use Active Directory (e.g. GPO) to publish the Root Certificate and Intermediate Certificate, you may need to add these certificates manually.

To accomplish this task, use the following commands:

Installing the Root Certificate: certutil -addstore -f Root MyRootCACertificate.crt

Installing the Intermediate Certificate: certutil -addstore -f CA MySubCACertificate.crt

You can use the following commands to review the result of the previous commands:

certutil -v -store Root > LocalCertStore.txt

certutil -verifystore Root

certutil -verifystore CA
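As an added example (not from the original post), the same two installs done from PowerShell with the checks a practitioner wants around them: refuse to put a non-self-signed certificate in the Root store, confirm each store by thumbprint, and prove that a chain actually builds. The file paths and the leaf certificate used for the chain test are assumptions.

```powershell
# Added example, not from the original post. Run elevated on the workgroup
# computer. File names are assumptions; replace them with your own files.
param(
    [string]$RootCert = 'C:\PKI\MyRootCACertificate.crt',
    [string]$SubCert  = 'C:\PKI\MySubCACertificate.crt',
    [string]$LeafCert = 'C:\PKI\server.cer'   # any certificate issued by the Sub CA
)

# A CA certificate placed in the Root store is trusted unconditionally by every
# application on the machine, so only accept a genuinely self-signed root there.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCert
if ($root.Subject -ne $root.Issuer) {
    throw "$RootCert is not self-signed; it does not belong in the Root store."
}

$sub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SubCert
if ($sub.Issuer -ne $root.Subject) {
    throw "$SubCert was not issued by $($root.Subject); check which root you have."
}

# Same effect as 'certutil -addstore -f Root ...' and 'certutil -addstore -f CA ...'.
Import-Certificate -FilePath $RootCert -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $SubCert  -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null

# Verify by thumbprint rather than by name: subject names can collide, thumbprints do not.
foreach ($pair in @(@{ Store = 'Root'; Cert = $root }, @{ Store = 'CA'; Cert = $sub })) {
    $found = Get-ChildItem "Cert:\LocalMachine\$($pair.Store)" |
             Where-Object { $_.Thumbprint -eq $pair.Cert.Thumbprint }
    if (-not $found) { throw "$($pair.Cert.Subject) is missing from the $($pair.Store) store" }
    "OK: $($pair.Cert.Subject) present in LocalMachine\$($pair.Store)"
}

# The real test: does a certificate issued by the Sub CA now chain up to the root?
# Revocation is deliberately ignored here; CRL reachability is a separate check.
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafCert
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($leaf)) {
    'Chain builds: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```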

How to Publish Root Certificate and Intermediate Root Certificate in Active Directory


To publish the Root Certificate and Intermediate Root Certificate in Active Directory, use the following commands:

Root certificate: certutil -dspublish -f RootCACertificate.crt RootCA

Intermediate certificate: certutil -dspublish -f SubCACertificate.crt SubCA

To publish the certificate(s) to the NTAuth store, review the following knowledge base article:

How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store

Note: The NTAuth store points to: CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDomain,DC=com

How to resolve Exchange 2010 error message: The Certificate Status could not be determined because the revocation check failed


The following error(s) may appear in the Exchange 2010 Management Console:

“Exchange 2010 Certificate Revocation Checks and Proxy Settings” or “The Certificate Status could not be determined because the revocation check failed”

Cause:

1. You may be using a Proxy server that blocks access to the CRL.

2. The CRL isn't available.

How to debug this issue:

Obtain any (current) certificate issued by the Certificate Authority and run the following command:

certutil -verify -urlfetch C:\CertificateName.cer > Log.txt

Usually you will find issues such as error messages about an expired CRL or an offline CA.

Resolutions:

1. Review the proxy settings by using: netsh winhttp show proxy

You can reset the proxy settings by using the commands:

netsh winhttp reset proxy
netsh winhttp reset tracing

Note: You can also add proxy exceptions (e.g. the CRL location) by using the following commands (the proxy-server value carries both the HTTP and the HTTPS proxy, since a second set command would replace the first):

netsh winhttp import proxy ie

netsh winhttp set proxy proxy-server="http=192.168.1.1:80;https=192.168.1.1:443" bypass-list="crlserver.DomainName.local"

2. Review the current CRL settings in Active Directory by using the Enterprise PKI tool (PKIVIEW):

Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW)

Usually, if you are using an Offline CA (Root CA for example), you will find that the current CRL has expired.

It is usually recommended to change the CRL validity period on the relevant CA and then re-publish the CRL.

Then import the CRL into Active Directory by using the command:

certutil -f -dspublish CRLFileName.crl

3. If the CRL is published to a File Share and/or Web Server (HTTP/S), verify that the URL paths exist and aren't blocked by a third-party system (e.g. Firewall, Antivirus, IPS). It is also recommended to verify that no NTFS/Share permissions block access to the CRL.

4. Reset the URL cache by using the following commands:

certutil -urlcache ocsp delete
certutil -urlcache crl delete

5. Reset the Exchange Internet Web Proxy to null by using the following Exchange Management Shell command (replace <ServerName> with the name of the Exchange server):

Set-ExchangeServer -Identity <ServerName> -InternetWebProxy $null

6. Delete the MMC cache files from:

C:\Users\%username%\AppData\Roaming\Microsoft\MMC

7. Verify that the CRL URLs/paths for the Root and Sub CA are current. Also,

8. Verify that the Root CA certificate was added to the computer's Trusted Root CA store.

Also, verify that the Sub CA certificate was added to the computer's Intermediate CA store.

9. As a temporary workaround, you can enable the required certificate by using the Exchange Management Shell command: Enable-ExchangeCertificate

However, this workaround won't resolve the error message; it only lets you assign the certificate to the Exchange services.

For further information, please review: Certificate Revocation and Status Checking
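As an added example (not from the original post), the following PowerShell script does the part of the debugging step above that usually matters: it lists every HTTP CRL distribution point in a certificate, downloads each CRL and reports whether the CRL is unreachable or already past its NextUpdate. The certificate path is an assumption, and certutil.exe is assumed to be available as it is on every Windows installation.

```powershell
# Added example, not from the original post. Assumes a certificate file path
# in $CertPath and that certutil.exe is on the PATH (it ships with Windows).
param([string]$CertPath = 'C:\CertificateName.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension. .NET has no typed
# parser for it, so the URLs are pulled out of the extension's formatted text.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw 'Certificate has no CRL distribution point; a revocation check cannot succeed.' }
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

# WebClient uses the WinINET (Internet Explorer) proxy of the current user.
# Exchange and certutil use WinHTTP instead, so if this script succeeds while
# 'certutil -verify -urlfetch' fails, compare 'netsh winhttp show proxy' with
# the IE settings; 'netsh winhttp import proxy ie' aligns the two.
$web = New-Object System.Net.WebClient

foreach ($url in $urls) {
    if ($url -notmatch '^https?://') { "SKIP (not HTTP): $url"; continue }
    $tmp = Join-Path $env:TEMP ('crlcheck_{0}.crl' -f [guid]::NewGuid())
    try {
        $web.DownloadFile($url, $tmp)
    } catch {
        Write-Warning "UNREACHABLE: $url ($($_.Exception.Message))"
        continue
    }
    # certutil -dump prints a 'NextUpdate:' line for a CRL (date in the local format).
    $line = certutil -dump $tmp |
        Where-Object { $_ -match '^\s*Next\s?Update:\s*(.+)$' } |
        Select-Object -First 1
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if (-not $line) { Write-Warning "NOT A CRL: $url"; continue }
    $next = [datetime]::Parse(($line -replace '^\s*Next\s?Update:\s*', '').Trim())
    if ($next -lt (Get-Date)) {
        Write-Warning "EXPIRED: $url (NextUpdate $next). Re-publish the CRL from the issuing CA."
    } else {
        "OK: $url valid until $next"
    }
}
```

LDAP distribution points are skipped on purpose; those are covered by the PKIVIEW check in resolution 2.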

Monitoring Workgroup computers by using SCE 2010


Microsoft SCE 2010 is a light edition of the Microsoft System Center product line. Monitoring Workgroup computers by using SCE 2010 is covered by the following Microsoft post:

How to Prepare the Essentials Management Server to Manage Workgroup-Joined Computers

However, you may find that no information is available on the correct process to create a server certificate (which is used for mutual authentication).

The following Microsoft post covers the process of creating a server certificate:

When you try to install a System Center Operations Manager 2007 agent on a workgroup computer without using a gateway server, Operations Manager 2007 cannot see the workgroup computer

Note 1: The SCE 2010 Agent Installation wizard should be used for importing the following certificates:

1. Trusted Root Certificate Authority.

2. WSUS certificates.

3. Server certificate of the workgroup computer.

Note 2: To assign an existing certificate to the SCE 2010 agent, use the utility “MOMCertImport” (from the SCE 2010/SCOM 2007/2007 R2 media) after completing the Agent installation.

How to renew User/Computer certificate without require to do application side changes


The renewal process of a user/computer certificate requires (in most cases) implementing changes on the application side (e.g. IIS, Outlook etc.).

As a workaround for this “limitation”, the renewal process of the user/computer certificate can be set to reuse the existing certificate key.

However, reusing the existing certificate key may reduce the system security level, and this may lead to system/certificate compromise.

Warning: To reduce the security risk of implementing changes in the Enterprise PKI (Public Key Infrastructure), it is highly recommended to test these changes in a lab before making changes in the production environment.

To renew the certificate by using the existing certificate key, use the following instructions:

A. PKI Prerequisites:

1. Depending on the certificate template type/settings, the Certificate Authority security settings should grant the user that renews the certificate the “Request Certificates” permission.

2. Depending on the certificate template type/settings, the user that renews the certificate may require the “Enroll” and/or “Autoenroll” permission on the relevant Certificate Template.

B. The renewal process:

1. Log on to the computer.

2. Navigate to “Start” > “Run”, type “mmc” and click “OK” to launch the Management Console.

3. Navigate to “File” > “Add/Remove Snap-in…”, select “Certificates” and click “Add”.

4. Select “Computer Account” (or “User Account”) and click “Next”. Then click “Finish”. Once back on the Snap-in screen, click “OK”.

5. Expand “Certificates” > “Personal” and click “Certificates”.

6. Right-click the required certificate and select “All Tasks” > “Advanced Operations” > “Renew This Certificate with the Same Key”.

7. Click “Next”, and then “Enroll”. Once complete, click “Finish”.
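The warning above about reusing a key is hard to act on without knowing where keys are actually being reused, so here is an added PowerShell audit (not from the original post) that groups the certificates in a store by public key and reports every key pair that backs more than one certificate, i.e. keys carried across one or more same-key renewals. It assumes the LocalMachine\My store and that superseded certificates are still present there.

```powershell
# Added example, not from the original post. Assumes the LocalMachine\My store;
# pass a different $StorePath (e.g. Cert:\CurrentUser\My) for user certificates.
param([string]$StorePath = 'Cert:\LocalMachine\My')

$sha256 = [System.Security.Cryptography.SHA256]::Create()

function Get-KeyId {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Hash the encoded public key bytes: the same key pair gives the same id,
    # regardless of subject, serial number, validity dates or thumbprint.
    $keyBytes = $Cert.PublicKey.EncodedKeyValue.RawData
    ([System.BitConverter]::ToString($sha256.ComputeHash($keyBytes))) -replace '-', ''
}

$report = Get-ChildItem $StorePath |
    Group-Object { Get-KeyId $_ } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        # Oldest certificate first: its NotBefore is when this key entered service.
        $certs = $_.Group | Sort-Object NotBefore
        [pscustomobject]@{
            KeyId        = $_.Name.Substring(0, 16)
            Subject      = $certs[-1].Subject
            Generations  = $_.Count
            KeyFirstUsed = $certs[0].NotBefore
            NewestExpiry = $certs[-1].NotAfter
            KeyAgeDays   = [int]((Get-Date) - $certs[0].NotBefore).TotalDays
            Thumbprints  = ($certs | ForEach-Object Thumbprint) -join ','
        }
    }

# Every certificate that shares a key also shares the blast radius of a key
# compromise, so the longest-lived keys are the ones to review first.
if ($report) {
    $report | Sort-Object KeyAgeDays -Descending | Format-Table -AutoSize
} else {
    "No reused keys found in $StorePath."
}
```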


Quick guide to configuring Site to Site VPN using Cisco Routers

Microsoft Adds IoT, Big Data Orchestration Services to Azure

IIS Crypto


“IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2003, 2008 and 2012. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click and test your website.”

IIS Crypto can be downloaded from the following link.

Please note that IIS Crypto isn’t supported by Microsoft.

Microsoft Message Analyzer 1.1


“Microsoft Message Analyzer (v. 1.1) is the current versioned tool for capturing, displaying, and analyzing protocol messaging traffic and other system messages. Message Analyzer also enables you to import, aggregate, and analyze data from log and trace files. It is the successor to Microsoft Network Monitor 3.4 and Message Analyzer 1.0. Message Analyzer is a key component in the Protocol Engineering Framework (PEF) that was created by Microsoft for the improvement of protocol design, development, documentation, testing, and support. With Message Analyzer, you can choose to capture data live or load archived message collections from multiple data sources simultaneously.
Message Analyzer enables you to display trace, log, and other message data in numerous data viewer formats, including a default tree grid view and other selectable graphical views that employ grids, charts, and timeline visualizer components which provide high-level data summaries and other statistics. It also enables you to configure your own custom data viewers. In addition, Message Analyzer is not only an effective tool for troubleshooting network issues, but for testing and verifying protocol implementations as well.”

Microsoft Message Analyzer 1.1 can be downloaded from the following link.

IE WebDriver Tool for Internet Explorer 11


“The IE WebDriver Tool enables developers to create automated tests that simulate users interacting with webpages and report back results in Internet Explorer 11. It can also manage testing across multiple windows, tabs, and webpages in a single session.”

IE WebDriver Tool for Internet Explorer 11 can be downloaded from the following link.

EMET 5.1 is available


“EMET version 5.1 released with fix for compatibility issues that were discovered with the upcoming November security update with Internet Explorer 11, either on Windows 7 or Windows 8.1. As included in the SR&D blog, other issues fixed include:
“Several application compatibility issues with Internet Explorer, Adobe Reader, Adobe Flash, and Mozilla Firefox and some of the EMET mitigations have been solved.
Certain mitigations have been improved and hardened to make them more resilient to attacks and bypasses.
Added “Local Telemetry” feature that allows to locally save memory dumps when a mitigation is triggered.””

EMET 5.1 can be downloaded from the following link.

Microsoft Virtual Machine Converter 3.0


“Microsoft® Virtual Machine Converter (MVMC) is a Microsoft-supported, stand-alone solution for the information technology (IT) pro or solution provider who wants to convert virtual machines and disks from VMware hosts to Hyper-V® hosts and Windows Azure™ or alternatively convert a physical computer running Windows Server 2008 or above server operating systems or Windows Vista or above client operating systems to a virtual machine running on Hyper-V host
MVMC can be deployed with minimal dependencies. Because MVMC provides native support for Windows PowerShell®, it enables scripting and integration with data center automation workflows such as those authored and run within Microsoft System Center Orchestrator 2012 R2. It can also be invoked through the Windows PowerShell® command-line interface. The solution is simple to download, install, and use. In addition to the Windows PowerShell capability, MVMC provides a wizard-driven GUI to facilitate virtual machine conversion.
New Features in MVMC 3.0
The 3.0 release of MVMC adds the ability to convert a physical computer running Windows Server 2008 or above server operating systems or Windows Vista or above client operating systems to a virtual machine running on Hyper-V host.
Standard Features

  • Converts virtual disks that are attached to a VMware virtual machine to virtual hard disks (VHDs) that can be uploaded to Microsoft Azure.
  • Provides native Windows PowerShell capability that enables scripting and integration into IT automation workflows.
    Note The command-line interface (CLI) in MVMC 1.0 has been replaced by Windows PowerShell in MVMC 2.0.
  • Supports conversion and provisioning of Linux-based guest operating systems from VMware hosts to Hyper-V hosts.
  • Supports conversion of offline virtual machines.
  • Supports the new virtual hard disk format (VHDX) when converting and provisioning in Hyper-V in Windows Server® 2012 R2 and Windows Server 2012.
  • Supports conversion of virtual machines from VMware vSphere 5.5, VMware vSphere 5.1, and VMware vSphere 4.1 hosts Hyper-V virtual machines.
  • Supports Windows Server® 2012 R2, Windows Server® 2012, and Windows® 8 as guest operating systems that you can select for conversion.
  • Converts and deploys virtual machines from VMware hosts to Hyper-V hosts on any of the following operating systems:
  • Windows Server® 2012 R2
  • Windows Server® 2012
  • Windows Server 2008 R2 SP1
  • Converts VMware virtual machines, virtual disks, and configurations for memory, virtual processor, and other virtual computing resources from the source to Hyper-V.
  • Adds virtual network interface cards (NICs) to the converted virtual machine on Hyper-V.
  • Supports conversion of virtual machines from VMware vSphere 5.5, VMware vSphere 5.0, and VMware vSphere 4.1 hosts to Hyper-V.
  • Has a wizard-driven GUI, which simplifies performing virtual machine conversions.
  • Uninstalls VMware Tools before online conversion (online only) to provide a clean way to migrate VMware-based virtual machines to Hyper-V.
    Important MVMC takes a snapshot of the virtual machine that you are converting before you uninstall VMware Tools, and then shuts down the source machine to preserve state during conversion. The virtual machine is restored to its previous state after the source disks that are attached to the virtual machine are successfully copied to the machine where the conversion process is run. At that point, the source machine in VMware can be turned on, if required.
    Important MVMC does not uninstall VMware Tools in an offline conversion. Instead, it disables VMware services, drivers, and programs only for Windows Server guest operating systems. For file conversions with Linux guest operating systems, VMware Tools are not disabled or uninstalled. We highly recommend that you manually uninstall VMware Tools when you convert an offline virtual machine.
  • Supports Windows Server and Linux guest operating system conversion. For more details, see the section “Supported Configurations for Virtual Machine Conversion” in this guide.
  • Includes Windows PowerShell capability for offline conversions of VMware-based virtual hard disks (VMDK) to a Hyper-V–based virtual hard disk file format (.vhd file).
    Note The offline disk conversion does not include driver fixes.”

Microsoft Virtual Machine Converter 3.0 can be downloaded from the following link.

Remote Desktop Connection Manager 2.7


“RDCMan manages multiple remote desktop connections. It is useful for managing server labs or large server farms where you need regular access to each machine such as automated checkin systems and data centers. It is similar to the built-in MMC Remote Desktops snap-in, but more flexible. The RDCMan 2.7 version is a major feature release. New features include:
– Virtual machine connect-to-console support
– Smart groups
– Support for credential encryption with certificates
– Windows 8 remote action support
– Support for Windows 8, Windows 8.1 / Windows Server 2012, Windows Server 2012 R2”

Remote Desktop Connection Manager 2.7 can be downloaded from the following link.

BinScope 2014


“BinScope Binary Analyzer is a verification tool that analyzes binaries to ensure that they have been built in compliance with the SDL requirements and recommendations. Microsoft BinScope was designed in order to help detect potential vulnerabilities that can be introduced into Binary files. The tests implemented in BinScope examine application binary files to identify coding and building practices that can potentially render the application vulnerable to attack or to being used as an attack vector.”

BinScope 2014 can be downloaded from the following link.

Windows 10 Technical Preview November Update

Basic Setup Commands of Fortigate-VM (build 5.x)


Introduction

The article below covers the basic setup commands of Fortigate-VM (build 5.x) for lab purposes.

The information in this article was tested using FGT_VM64-v5-build0642-FORTINET.

Note: In a production environment it is highly recommended to use a dedicated port for management purposes.

Fortigate-VM in a NAT Mode Basic Setup Commands

a. Log in locally to the Fortigate-VM console

User: admin

Password: n/a (blank by default)

b. Set a static IP on port1 (management interface) & enable management services on port1

config system interface
    edit port1
        set ip 192.168.1.200/255.255.255.0
        set allowaccess http https ssh ping
    next
end

show system interface

c. Set Default Gateway & Egress Port

config router static
    edit 1
        set gateway 192.168.1.254
        set device port1
    next
end

show router static

d. Set DNS Servers

config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
end

show system dns

e. Update License Key & Product Signatures

execute update-now

f. Save Settings

execute cfg save

 

Fortigate-VM in a Transparent Mode Basic Setup Commands

Fortigate-VM in Transparent Mode is a special deployment, and the basic setup commands differ slightly from the commands above.

Remember that in Transparent Mode all ports operate at Layer 2, while a management IP address is set on a virtual management interface.

a. Set a static IP (Virtual Management Interface) & Static Route

config system settings
    set manageip 192.168.1.200/255.255.255.0
    set gateway 192.168.1.254
end

show system settings

show router static

b. Enable Management Services on port1

config system interface
    edit port1
        set allowaccess http https ssh ping
    next
end

show system interface

c. Set DNS Servers

config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
end

show system dns

d. Update License Key & Product Signatures

execute update-now

e. Save Settings

execute cfg save

 

NAT Mode to Transparent Mode

config system settings
    set opmode transparent
    set manageip 192.168.1.200/255.255.255.0
    set gateway 192.168.1.254
end

 

Troubleshooting

execute ping 8.8.8.8

 

For further information please review:

FortiGate VM Installation Guide – Fortinet Document Library

Transparent Mode (5.2)

Outlook 2010 Support Now MAPI over HTTP protocol
