Blog

AGPM Configuration and Use

AGPM Provisioning There are 4 Roles within AGPM: AGPM Administrator: The AGPM Administrator has full control of AGPM including the AGPM archive. Reviewer: The reviewer simply has the ability to view GPOs, they can also run comparisons on GPOs. Editor: In addition to the reviewer permission, Editors also have the ability to Check In GPOS, […]

LDAPS / Domain Controller Certificates

Background and References So, today I’m going to discuss implementing certificates for Secure LDAP on Active Directory Domain Controllers. First of all, some helpful links. This article talks about the requirements for secure LDAP as listed below: The LDAPS certificate is located in the Local Computer’s Personal certificate store (programmatically known as the computer’s MY […]

Offline Root CAs / Two Tier Hierarchy

Background I have come across many questions in regard to whether when deploying a PKI if a two tier PKI hierarchy and whether an offline root should be used. The answer is yes an offline Root should be used in pretty much all environments. So, why? Some might ask, I have a super small environment, […]

PKI Tools: Certutil -url

Hello, There are several tools you can use to troubleshoot certificate validation. The best tool is certutil -verify -urlfetch. That tool is the best because it checks all certificates in the chain and gives us a lot of validation information. You can find information on how to use that tool, at the end of the […]

Certificates

1              Certificates 1.1                 Background This blog posting covers certificates. The purpose of this post is for those who would like to better understand certificates, their structure, and their contents. This blog post also covers basic management of certificates. 1.2                 What is a certificate? A certificate is a digital document that binds an identity to a […]

Certificate Validation

1              Certificate Validation and Revocation 1.1                 Background One important concept to understand when troubleshooting certificates. This blog covers the basics of understanding certificate validation. Then towards the end, I cover troubleshooting steps. 1.2                 Identity Validation Certificates bind an identity to a public key.  And one of the reasons that we use certificates is to ensure […]

The problematic “Publish certificate in Active Directory” option

Disclaimer I am writing this blog  and others to explain how things work and some ways deployment and operational tasks can be handled. In other words, these postings are for demonstration purposes only. Since I am not familiar with your organization or environment I do not know if these steps are applicable to your environment […]

Troubleshooting Active Directory Replication

Disclaimer I am writing this blog  and others to explain how things work and some ways deployment and operational tasks can be handled. In other words, these postings are for demonstration purposes only. Since I am not familiar with your organization or environment I do not know if these steps are applicable to your environment […]

Replacing the NDES Service Account

Replacing the NDES Service Accounts There may be times when you need to replace the service account for the NDES service. One scenario is if your organizations gets compromised. After a compromise it is common to change the passwords for service accounts and in some cases to replace the service accounts entirely. Of course, there […]

Remove Deprecated Certification Authorities from Active Directory

Disclaimer I am writing this blog  and others to explain how things work and some ways deployment and operational tasks can be handled. In other words, these postings are for demonstration purposes only. Since I am not familiar with your organization or environment I do not know if these steps are applicable to your environment […]

NDES Test Tool

I wanted to draw some attention to an NDES test tool that I have been using for a while. My thanks to the author (Hasain Alshakarti) of the toolbox and steps as it is one of the few ways that I am aware of to test NDES without access to actual hardware or an MDM […]

Resetting the NDES Service Account Password

The following steps are the steps to reset the NDES service account password. This is pretty simple and straight forward. Step 1: As a Domain Administrator or a user that has been delegated the ability to reset passwords open up Active Directory Users and Computers (dsa.msc) Step 2: Locate the service account Step 3: Right-click […]

PKI Best Practices

This blog posting is just a list of PKI best practices and common practices. If you are implementing your own PKI or simply assessing your own PKI you can use this list to determine if your design or implementation is inline with industry best practices. This is by no means an exhaustive list, just common […]

Steps for renewing NDES Service Certificates

Hello, this blog covers the process I developed to renew the NDES Service Certificates. I thought I had also created a blog with steps to enable these to autoenroll, but I can’t find it at the moment. Basically, NDES uses a CEP Encryption certificate and Exchange Enrollment Agent certificate. Unless things have changed recently there […]

Implementing Certificate Autoenrollment and Automatic Rebind for IIS (TLS/Server Auth) Certificates

Background In this blog posting I will cover the steps to enable autoenrollment for TLS certificates. Basically, in order to get this working you need to perform the following steps: configure autoenrollment GPO, create a certificate template with the proper settings, enroll for a certificate, configure IIS to use that certificate, and then enable re-binding […]

Viewing Certificate Requests in the CA Database

Viewing Certificate Requests in the CA Database In this blog I will show you how to view certificate requests in the CA database. This can be useful when troubleshooting. It is especially helpful if scenarios where you have to identify what process is requesting the certificate. Step 1: Open the Certification Authority MMC (certsrv.msc) Step […]

Advanced Group Policy Management (AGPM) Installation

This article covers the installation of AGPM. The steps are for an older version of AGPM, but as far as I know they are accurate for current versions as the product has not changed much as far as I know. I will post a blog in the future that covers the configuration of AGPM. DNS […]

NDES Installation Walkthrough

This blog is a simple walkthrough of the installation of NDES. The intent of this blog is just to show the steps so that an administrator could follow along with the installation. For prerequisites and additional information on NDES see: https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx Preparing Certificate Templates for NDES Step 1: Open the Certification Authority MMC (certsrv.msc) Step […]

Troubleshooting Account Lockout

Below is a blog I wrote quite a long time ago, but never posted. Hopefully, this is helpful. Account Lockout Settings The first thing that you will want to contemplate is your Account lockout threshold.  If you have this setting set two low this can lead to accounts being locked out.  This is because users […]

Using Autoenrolled Certificates with Palo Alto VPN

So, I recently did some work with an organization that uses the VPN features of the Palo Alto firewall. The desired configuration was to have users use autoenrollment to get user certificates that would be used to connect to the VPN. If for some reason a user was not able to autoenroll for a certificate […]

Kerberos Primer

Overview Below is a brief introduction to Kerberos Authentication.  This introduction is by no means complete.  This introduction is included because it will help you understand why the security enhancements to Windows authentication have been made and how they improve security. Kerberos is the default method of authentication in Windows.  It is authentication between security […]