4732 - "A member was added to a security-enabled local group" - system account as subject?
Hello, Windows security event log 4732: I see log entries where it's clear 'user A' added 'user B' to 'group C'... however I also see entries where instead of it being a user that is doing the adding to the group, it is 'nt authority\system', the…
Uninstall AD Certificate Services, then immediately reinstall AD CS same server?
Hi, folks. We have a domain controller with AD Certificate Services installed as our root CA, and I'd like to demote it from being a DC, which requires first uninstalling AD CS. Can we back up the CA private key and database, uninstall the AD CS role, demote as…
Changing Windows PKI to issue SHA384 RSA 3072 certificates
Hi, We currently have a PKI infrastructure that's configured to generate SHA256 RSA 2048 certificates. We need to generate a SHA384 RSA 3072 certificate for one of our appliances. I believe these would be our options: 1.) Migrate the key size of the…
Computer Certificate autoenrollment not working
Hi, everyone! I have a problem with computer certificate autoenrollment and I've done a lot of searching and troubleshooting and it seems I'm stuck. I'm in an AD environment with internal PKI infrastructure, the root CA is offline and there are two intermediate…
Getting error while installing Enterprise root Certificate Authority role in Child Domain
Error: Active Directory Certificate Services setup failed with the following error: The security ID structure is invalid. 0x80070539 (WIN32: 1337 ERROR_INVALID_SID) Environment: 1 Parent root domain (ABC.LOCAL) and 1 CHILD Domain (CHILD.ABC.LOCAL).…
Troubleshooting Security events in Server 2012
I am seeing a lot of activity in the event log associated with the MSOL_xxxxx account, especially off hours. Is this normal or should I be looking for a cause? The event log samples are below. Security: A Kerberos authentication ticket (TGT) was…
How to trigger an event log entry when ADCS Role Separation is turned on or off
This article indicates that if you have the CA\AuditFilter property set to the max value (127) an event log entry would be triggered when we turn Role Separation on or off. The event ID should be 801: …
MSDN Forum: MS PKI Certificate based authentication on network access control device.
I have a 2 tier PKI infrastructure, with my SUB CA issuing certificates to machines (Win 10) and users through group policy. We are testing certificate based authentication with the NAC (Aruba ClearPass). The machine has the user and the client certificate, we…
Offline ROOT CA - Can I simply roll out a new one to use for Subordinate request signing?
Hi All, After running low on resources in one of our VM environments a script was run to identify all offline VMs and delete them. This deleted my "Offline ROOT CA" servers in that environment. My basic understanding of the two tier online…
Hyper-V Extended ACL - Can ICMP be stateful or not?
Can you add stateful ACL rules (on a Hyper-V Virtual Switch) on the ICMP protocol? If not, this leaves you to either open ICMP to everyone or close ICMP to everyone including the VM itself. Neither is secure or practical for such an important and…
How to renew computer certificates in AD GP based system before term ends?
Hello. We have an internal CA server and AD based distribution of certificates to computers by group policy. It's all good and fine, but now we had to edit the computer certificate template for certificate based authentication to the network with RADIUS. (yes…
Where can I download security patch for MS11-025, MS11-049 etc.?
My corporate security found some vulnerabilities MS11-025 and MS11-049 etc., and I found them in the security bulletin, but there is nowhere in the bulletin I can find a download link. So, where can I find those hotfix downloads?
certreq -Enroll
Hello, I tried to use the below command in order to renew a certificate but I have an error (The request contains no certificate template information): certreq -Enroll -cert certificateSerialNumber -machine Renew. How can I solve this issue?
Signing an externally generated CSR with AD CS standalone
Hi, I am currently facing a quite blocking issue regarding the signature of a CSR emitted by a non-Microsoft PKI (EJBCA Community in my case) with a Root CA on AD CS (standalone version). What we want to do is to create a Sub-CA in EJBCA (the client…
Computer administrator
I am trying to load some older programs, but when they start to set up a warning message pops up: "this installation was stopped by the administrator, contact your administrator". I am the administrator and this is my personal computer, so what is happening…
Transitive Network Logon attack - Account lockout
Hi all, I see a transitive Network Logon attack in my AD netlogon logs; however, the computer name that the attacks are coming from is not pingable or searchable internally. Is there any way to find this puzzle? Thanks, Lrok
Biometrics & Facial Recognition in the domain
I would like to use both username & password, but only after the PC verifies the facial identity to the username. I hope that makes sense? This is a domain environment and it would add security to our domain. The problem I run into in my career is…
WS2016 AD DC, unlock Windows session with smartcard, '... credentials could not be verified'
Hello, Scenario: Try to open a Windows session with a smartcard on a computer joined to a 2016 AD domain. Technology: Involves a third party CSP library for the smartcard to work. The smartcard contains the…
SHA 1 to SHA 256
Hi to all, which will be the steps to change SHA 1 to SHA 256 in a CA on Windows 2012 R2?
Hyper-V Live Migration using Kerberos from 2012 R2 to 2019 fails with error 0x80090322
Hello! I have a Windows Server 2012 R2 Hyper-V Failover Cluster and I'm trying to Live Migrate VMs to a Windows Server 2019 Hyper-V Failover Cluster. When I try to Live Migrate a non-clustered VM from one of the Windows Server 2012 R2 Hosts to one of…