Symptoms:
After replacing Exchange 2010 Certificate , the following error may appear during accessing Exchange 2010 OWA (Outlook Web Access): “Page Cannot be Displayed”.
Reason:
The imported certificate may not contain a “Private key”.
Solution:
During certificate export process, verify that “Export Private Key” checkbox has been marked. After completing the new certificate, import it the Exchange 2010 server and assigned it to the relevant services.
Mr. Eyal Estrin wrote an excellent guide on “Windows 2008 R2 Certification Authority installation guide”.
This guide provides a step by step guide how to install a Offline Root Certificate Authority and then setup a Enterprise Subordinate Certificate Authority.
The guide can be obtain from the following link.
DSConfigDN and DSDomainDN are two objects that should be taken care while designing PKI implementation (specially in case of using a Stand Alone Root CA and a Enterprise Sub CA).
The following output provides you instructions how to obtain the required values from your Certificate Authority:
C:\Users\administrator>certutil -getreg ca\DSConfigDN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\lyncd
omain-SRV5-CA\DSConfigDN:
DSConfigDN REG_SZ = CN=Configuration,DC=lyncdomain,DC=local
CertUtil: -getreg command completed successfully.
C:\Users\administrator>certutil -getreg ca\DSDomainDN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\lyncd
omain-SRV5-CA\DSDomainDN:
DSDomainDN REG_SZ = DC=lyncdomain,DC=local
CertUtil: -getreg command completed successfully.
Note: A Stand Alone Root CA / Stand Alone Sub CA details (e.g. Certificate, CRL, AIA etc.) could be published into the Active Directory by using the following commands:
“CertUtil -dsPublish -f RootCACertificate.cer RootCA “
“CertUtil -dsPublish -f SubCACertificate.cer SubCA “
To publish CRL into the Active Directory you should use the following command:
“certutil -dspublish-f MyCRLFile.Crl “
Reference:
How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store
If you are using a PKI (Public Key Infrastructure), you may found out that Root Certificate and Intermediate Certificate may need be installed manually for Workgroup computers.
Also, in case that you don’t use Active Directory (e.g. GPO etc.) to publish the Root Certificate and Intermediate Certificate details, you may need to add this certificates manually.
To accomplish this task, please use the following commands:
Installing Root Certificate: “Certutil -addstore -f Root MyRootCACertificate.crt”
Installing Intermediate Certificate: “Certutil -addstore -f CA MySubCACertificate.crt”
You can use the following commands to review the result of the previous commands:
“certutil -v –store my > LocalCertStore.txt“ or “certutil –verifystore root” / “certutil –verifystore CA”
To Publish Root Certificate and Intermediate Root Certificate in Active Directory, please use the following commands:
Root certificate: certutil -dspublish -f RootCACertificate.crt RootCA
Intermediate certificate: certutil -dspublish -f SubCACertificate.crt SubCA
To publish the certificate/s to NTAuth store, please review the following knowledgebase:
How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store
Note: NTAuth store point to: CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDomain,DC=com
The following error/s may appear in the Exchange 2010 Management Console:
“Exchange 2010 Certificate Revocation Checks and Proxy Settings” or “The Certificate Status could not be determined because the revocation check failed”
Cause:
1. You may use a Proxy server that block access to the CRL.
2. The CRL isn't available.
How to Debug this issue:
Obtain any (current) certificate from the Certificate Authority and run the following command:
“certutil –verify –urlfetch C:\CertificateName.cer >Log.txt”
Usually you may find out issues like errors messages on expired CRL or Offline CA.
Resolutions:
1. Review Proxy settings by using “netsh winhttp show proxy”
You can reset the proxy settings by using the commands:
“netsh winhttp reset proxy”
”netsh winhttp reset tracing”
Note: You can also add Proxy exceptions (e.g. The CRL location) by using the following commands:
“netsh winhttp import proxy ie”
“netsh winhttp set proxy proxy-server=http://192.168.1.1:80 bypass-list="crlserver.DomainName.local"
“netsh winhttp set proxy proxy-server=http://192.168.1.1:443 bypass-list="crlserver.DomainName.local"
2. Review the current CRL settings in the Active Directory by using:
Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW)
Usually, if you are using a Offline CA (Root CA for example), you may find out that the current CRL was expired.
Usually its recommended to change the CRL expire date in the relevant CA and then re-publish the CRL.
Then, import the CRL into the Active Directory by using the command:
“certutil -f -dspublish CRLFileName.crl”
3. If the CRL is published to a File Share and/or Web Server (HTTP/s), please verify that the URL paths exits and aren't blocked by third party system (e.g. Firewall, Antivirus, IPS etc.) Its also recommended to verify that no NTFS/Share permissions blocked access to the CRL.
4. Reset urlcache by using the following power shell commands:
“certutil -urlcache ocsp delete”
”certutil -urlcache crl delete”
5. Reset the Exchange Internet Web Proxy to null by using the following power shell command:
“Set-ExchangeServer -InternetWebProxy $NULL”
6. Delete MMC cache files from:
“C:\Users\%username%\AppData\Roaming\Microsoft\MMC”
7. Verify that CRL for Root & SubCA URL’s/Paths are current. Also,
8. Verify that the Root CA Certificate was added to the computer Trusted Root CA Store.
Also, verify that the SubCA Certificate was added to the computer Intermediate CA Store.
9. As a temporary workaround, you can enable the required certificate by using Exchange Power Shell command: Enable-ExchangeCertificate
However, this workaround wouldn’t resolved the error message, but would enable you to assign the certificate to the Exchange services.
For farther information, please review: Certificate Revocation and Status Checking
Microsoft SCE 2010 is a light edition of Microsoft System Center products line. Monitoring Workgroup computers by using SCE 2010 is cover by the following Microsoft post:
How to Prepare the Essentials Management Server to Manage Workgroup-Joined Computers
However, you may found out that no information is available on the correct process to create a server certificate (that used for mutual authentication).
The following Microsoft post cover the process how to create a server certificate.
Note1: The SCE 2010 Agent Installation wizard should be used for importing the following certificates:
1. Trusted Root Certificate Authority.
2. WSUS certificates.
3. Server certificate of the workgroup computer.
Note2:To assign exiting certificate to the SCE 2010 agent, please use the utility: “MOMCertImport” (from SCE 2010/SCOM 2007/2007 R2 media) – after completing the Agent installation.
The renewal process of user/computer certificate require (in the most of the cases) to implemented changes in the application side (e.g. IIS,Outlook etc.),
As a workaround for this “limitation”, the renewal process of the User/computer certificate can be set to use exiting certificate key.
However, using exiting certificate key may reduce the system security level, and this may lead to system/certificate compromise.
Warring: To reduce the security risk of implementing changes in the Enterprise PKI (Public Key Infrastructure), its highly recommended to test this changes in a lab - before making changes in the production environment.
To renew the certificate by using exiting certificate key, please use the following instructions:
A. PKI Prerequisites:
1. Depending on the certificate template type/settings, the Certificate Authority security settings should allow the user that renew the certificate to have the following privilege: “Request Certificates”.
2. Depending on the certificate template type/settings, the user that renew the certificate may require the following privilege on the relevant Certificate Template: “Enroll” and/or “Autoenroll”.
B. The renewal process:
1. Logon to the computer.
2. Navigate to “Start” –> “Run” and type “mmc” and click “OK” to launch the Management Console
3. Navigate to “File” > “Add/Remove” Snap In… , select “Certificates” and click “Add”.
4. Select “Computer Account” (or “User Account”) and click “Next”. Then", click “Finish”. Once back on the Snap In screen, click “OK”.
5. Expand “Certificates” > “Personal” and click on “Certificates”.
6. Right-click on the required certificate and select “All Tasks” > “Advanced Operations” > “Renew This Certificate with the Same Key”.
7. Click “Next”, and then “Enroll”. Once complete, click “Finish”.
“IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2003, 2008 and 2012. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click and test your website. “
IIS Crypto can be download from the following link.
Please note that IIS Crypto isn’t supported by Microsoft.
“Microsoft Message Analyzer (v. 1.1) is the current versioned tool for capturing, displaying, and analyzing protocol messaging traffic and other system messages. Message Analyzer also enables you to import, aggregate, and analyze data from log and trace files. It is the successor to Microsoft Network Monitor 3.4 and Message Analyzer 1.0. Message Analyzer is a key component in the Protocol Engineering Framework (PEF) that was created by Microsoft for the improvement of protocol design, development, documentation, testing, and support. With Message Analyzer, you can choose to capture data live or load archived message collections from multiple data sources simultaneously.
Message Analyzer enables you to display trace, log, and other message data in numerous data viewer formats, including a default tree grid view and other selectable graphical views that employ grids, charts, and timeline visualizer components which provide high-level data summaries and other statistics. It also enables you to configure your own custom data viewers. In addition, Message Analyzer is not only an effective tool for troubleshooting network issues, but for testing and verifying protocol implementations as well. “ Microsoft Message Analyzer 1.1 can be download from the following link.
“The IE WebDriver Tool enables developers to create automated tests that simulate users interacting with webpages and report back results in Internet Explorer 11. It can also manage testing across multiple windows, tabs, and webpages in a single session.” IE WebDriver Tool for Internet Explorer 11 can be download from the following link.
“EMET version 5.1 released with fix for compatibility issues that were discovered with the upcoming November security update with Internet Explorer 11, either on Windows 7 or Windows 8.1. As included in the SR&D blog, other issues fixed include:
“Several application compatibility issues with Internet Explorer, Adobe Reader, Adobe Flash, and Mozilla Firefox and some of the EMET mitigations have been solved.
Certain mitigations have been improved and hardened to make them more resilient to attacks and bypasses.
Added “Local Telemetry” feature that allows to locally save memory dumps when a mitigation is triggered.”
EMET 5.1 can be download from the following link.
“Microsoft® Virtual Machine Converter (MVMC) is a Microsoft-supported, stand-alone solution for the information technology (IT) pro or solution provider who wants to convert virtual machines and disks from VMware hosts to Hyper-V® hosts and Windows Azure™ or alternatively convert a physical computer running Windows Server 2008 or above server operating systems or Windows Vista or above client operating systems to a virtual machine running on Hyper-V host
MVMC can be deployed with minimal dependencies. Because MVMC provides native support for Windows PowerShell®, it enables scripting and integration with data center automation workflows such as those authored and run within Microsoft System Center Orchestrator 2012 R2. It can also be invoked through the Windows PowerShell® command-line interface. The solution is simple to download, install, and use. In addition to the Windows PowerShell capability, MVMC provides a wizard-driven GUI to facilitate virtual machine conversion.
New Features in MVMC 3.0
The 3.0 release of MVMC adds the ability to convert a physical computer running Windows Server 2008 or above server operating systems or Windows Vista or above client operating systems to a virtual machine running on Hyper-V host.
Standard Features
“RDCMan manages multiple remote desktop connections. It is useful for managing server labs or large server farms where you need regular access to each machine such as automated checkin systems and data centers. It is similar to the built-in MMC Remote Desktops snap-in, but more flexible. The RDCMan 2.7 version is a major feature release. New features include: – Virtual machine connect-to-console support – Smart groups – Support for credential encryption with certificates – Windows 8 remote action support – Support for Windows 8, Windows 8.1 / Windows Server 2012, Windows Server 2012 R2 “
Remote Desktop Connection Manager 2.7 can be download from the following link.
“BinScope Binary Analyzer is a verification tool that analyzes binaries to ensure that they have been built in compliance with the SDL requirements and recommendations. Microsoft BinScope was designed in order to help detect potential vulnerabilities that can be introduced into Binary files. The tests implemented in BinScope examine application binary files to identify coding and building practices that can potentially render the application vulnerable to attack or to being used as an attack vector. “
BinScope 2014 can be download from the following link.
Introduction
The article bellow cover the Basic Setup Commands of Fortigate-VM (build 5.x) for lab purpose.
The information in this article was tested by using FGT_VM64-v5-build0642-FORTINET.
Note: In production environment its highly recommends to use a dedicated port for management purpose.
Fortigate-VM in a NAT Mode Basic Setup Commands
a. Logging locally to the Fortigate-VM console
User: admin
Password: n/a
b. Set a Static Route to Port1 (management interface) & Enable Management Services on port1
config system interface
edit port1
set ip 192.168.1.200/255.255.255.0
set allowaccess http https ssh ping
end
show system interface
c. Set Default Gateway & Egress Port
config router static
edit 1
set gateway 192.168.1.254
set device port1
end
show router static
d. Set DNS Servers
config system dns
set primary 8.8.8.8
set secondary 8.8.4.4
end
show system dns
e. Update License key & Product Signatures
exexcute update-now
f. Settings Saving
execute cfg save
Fortigate-VM in a Transparent Mode Basic Setup Commands
Fortigate-VM in a Transparent Mode is a special deployment and the Basic Setup Commands slights different from the above commands.
Please remember that in Transparent Mode all the ports are in L2 layer mode, while a virtual IP is set to be use for a management purpose.
a. Set a static IP (Virtual Management Interface) & Static Route
configsystem settings
set manageip 192.168.1.200/255.255.255.0
set gateway 192.168.1.254
end
show system settings
show route static
b. Enable Management Services on port1
config system interface
edit port1
set allowaccess http https ssh ping
end
show system interface
c. Set DNS Servers
config system dns
set primary 8.8.8.8
set secondary 8.8.4.4
end
show system dns
d. Update License key & Product Signatures
exexcute update-now
e. Settings Saving
execute cfg save
NAT Mode to Transparent Mode
config system settings
set opmode transparent set
set manageip 192.168.1.200/255.255.255.0
set gateway 192.168.1.254
end
Troubleshooting
execute ping 8.8.8.8
For further information please review: