Thursday, August 25, 2011

RMS protection on the Mac OS with MS Office 2011

If you have a MacBook, an iMac or a Mini server (I got one for myself too), you might be interested to see that you can consume and create RMS-protected documents on your preferred OS as well. I think this is the first non-Windows platform that Microsoft supports for RMS. I published a few screenshots here:

http://www.prorms-alliance.org/home/featured/rms-and-mac-office-2011

Friday, August 19, 2011

Outlook connection issues with Exchange 2010 mailboxes because of the RPC encryption requirement

With Exchange 2010 RTM Microsoft enabled RPC encryption on the server side, so users had to enable it in their Outlook profile as well. Outlook 2007 and 2010 already do this, but Outlook 2003 does not.
So Microsoft probably got so many complaints from Outlook 2003 users (or administrators) that they decided to make RPC encryption optional on the Exchange Server side again.
How odd is this?!

source: http://support.microsoft.com/kb/2006508

Tuesday, August 9, 2011

Wildcard vs. CN certificates, or how to reduce the pain of managing SSL certificates

If you use a reverse proxy, e.g. Apache or Microsoft ISA Server/TMG 2010, you might already have run into one of these:
- some certificates are publicly signed, others come from the internal CA
- certificate validity ranges from 1 year to 3 years, and nobody knows why not all of them are good for 3 years
- every certificate has a different validity start date and expiration date
- renewing certificates with Subject Alternative Names is exhausting
- each web site or SSL listener has its own certificate
- there is no (semi-)automatic certificate renewal process

You may be able to run it this way with 5 web sites, but what if you have 20, 40, 180 or more web sites on your reverse proxy?

So what?
- From now on, request only 2048-bit RSA certificates
- Secure internal-only and external-facing web sites with public certificates
- Don't buy certificates one at a time; get as many as you can from one public CA. It makes troubleshooting much easier.
- Request one wildcard certificate, i.e. *.domain.com instead of www.domain.com
- Wildcard certificates do not work with all services; where they don't, use at least SAN entries
- Buy/request certificates for 3 years instead of 1 year
- Renew certificates in bulk, e.g. every January, and start the renewal process early
- Create a script with openssl or a certreq.inf file
e.g. an .inf file to request a certificate from an internal Windows CA:

[NewRequest]
Subject="CN=win4012.crypto-live.org"
Exportable=TRUE
KeyLength=2048                      ;2048-bit RSA key, as recommended above
KeySpec=1                           ;AT_KEYEXCHANGE
KeyUsage=0xf0                       ;digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
MachineKeySet=TRUE                  ;store the key in the machine store, not the user's
SMIME = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1               ;Server Authentication
OID=1.3.6.1.5.5.7.3.2               ;Client Authentication

[RequestAttributes]
CertificateTemplate = CLWebServer   ;Omit line if CA is a stand-alone CA
SAN="dns=win4012.crypto-live.org&dns=cl4000.crypto-live.org"



And here is the batch file that completes this post.

rem separator line, so each run is easy to find in the log
echo ================  >> certreq.log
rem build the CSR from the .inf file
certreq -f -new win4012.inf win4012.csr >> certreq.log
rem submit the CSR to the internal CA (config = "CA host\CA name")
certreq -f -submit -config "win4011.crypto-live.org\AAA Crypto Live 4000" win4012.csr win4012.cer  >> certreq.log
rem install the issued certificate and bind it to the pending request's key
certreq -accept win4012.cer  >> certreq.log
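To make the list of problems and recommendations above something you can actually check, here is an added Python example (not the post's own code, and not related to certreq or any particular proxy product). It runs over a constructed certificate inventory of the kind you could export from ISA/TMG or an Apache front end, flags mixed issuers, keys below 2048 bits, validity shorter than 3 years, missing SAN entries, certificates expiring within 90 days and host groups that could share one wildcard, and then assigns each certificate to a January bulk renewal window. All hostnames, issuer names and dates in it are made up.

```python
"""Certificate inventory audit for a reverse proxy (added example, not the
post's own code). It runs the checks the post lists (mixed issuers, short or
uneven validity, missing SAN entries, weak keys, sites that could share one
wildcard) over a constructed inventory and plans bulk renewals for January."""
from collections import defaultdict
from datetime import date

# Constructed sample inventory: hostnames, issuer names and dates are made up.
INVENTORY = [
    {"site": "www.example.org", "sans": ["www.example.org"],
     "issuer": "Public CA One", "key_bits": 2048,
     "not_before": date(2010, 3, 1), "not_after": date(2013, 3, 1)},
    {"site": "mail.example.org",
     "sans": ["mail.example.org", "autodiscover.example.org"],
     "issuer": "Public CA One", "key_bits": 2048,
     "not_before": date(2011, 2, 15), "not_after": date(2012, 2, 15)},
    {"site": "portal.example.org", "sans": [],
     "issuer": "Internal Root CA", "key_bits": 1024,
     "not_before": date(2011, 6, 1), "not_after": date(2012, 6, 1)},
    {"site": "shop.example.org", "sans": [],
     "issuer": "Public CA Two", "key_bits": 2048,
     "not_before": date(2009, 9, 20), "not_after": date(2011, 9, 20)},
    {"site": "crm.example.org", "sans": ["crm.example.org"],
     "issuer": "Public CA One", "key_bits": 2048,
     "not_before": date(2011, 1, 5), "not_after": date(2014, 1, 5)},
]
TODAY = date(2011, 8, 25)            # fixed "today" so the run is reproducible
MIN_KEY_BITS = 2048                  # the post: request only 2048-bit RSA keys
TARGET_VALIDITY_DAYS = 3 * 365       # the post: buy 3-year certificates
RENEWAL_MONTH = 1                    # the post: renew in bulk every January
LEAD_DAYS = 30                       # start the renewal before expiry


def validity_days(cert):
    return (cert["not_after"] - cert["not_before"]).days


def parent_domain(host):
    """'www.example.org' -> 'example.org'; a wildcard covers one label only."""
    return host.split(".", 1)[1]


def audit(inventory, today):
    """Flag each problem the post lists; returns a dict of findings."""
    findings = {
        "issuers": sorted({c["issuer"] for c in inventory}),
        "weak_keys": [], "short_validity": [], "no_san": [],
        "expiring_90d": [], "wildcard_candidates": {},
    }
    names_by_parent = defaultdict(set)
    for c in inventory:
        site = c["site"]
        if c["key_bits"] < MIN_KEY_BITS:
            findings["weak_keys"].append(site)
        if validity_days(c) < TARGET_VALIDITY_DAYS:
            findings["short_validity"].append(site)
        if not c["sans"]:
            findings["no_san"].append(site)
        if (c["not_after"] - today).days <= 90:
            findings["expiring_90d"].append(site)
        for name in [site] + c["sans"]:
            names_by_parent[parent_domain(name)].add(name)
    # Two or more hosts directly under one parent could share *.parent.
    for parent, names in names_by_parent.items():
        if len(names) >= 2:
            findings["wildcard_candidates"]["*." + parent] = sorted(names)
    return findings


def renewal_plan(inventory, today):
    """Map each site to the bulk window ('YYYY-MM') in which to renew it, or
    'now' when the last usable window has already passed."""
    plan = {}
    for c in inventory:
        expiry = c["not_after"]
        window = date(expiry.year, RENEWAL_MONTH, 1)
        if (expiry - window).days < LEAD_DAYS:   # too close: use previous year
            window = date(expiry.year - 1, RENEWAL_MONTH, 1)
        plan[c["site"]] = "now" if window < today else window.strftime("%Y-%m")
    return plan


if __name__ == "__main__":
    for key, value in audit(INVENTORY, TODAY).items():
        print(f"{key}: {value}")
    for site, when in renewal_plan(INVENTORY, TODAY).items():
        print(f"renew {site}: {when}")
```

With the constructed data the audit reports three different issuers, one 1024-bit key, three certificates shorter than three years, two without SAN entries, one expiring within 90 days, and a single *.example.org wildcard that would cover all six names; the plan puts the already-overdue shop certificate at "now" and the others into the January 2012 or January 2013 batch. Replace INVENTORY with your real export and the thresholds at the top with your own policy.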



Thursday, August 4, 2011

Forefront Identity Manager 2010 R2 beta available

If you ever wondered what the next version of FIM would be, it is an R2 version.
By the way, my favorite was FIM V.next ;-)
GA is planned for the first half of 2012. Highlights:
- web-based password reset
- Outlook 2010 support

From the beta release notes I couldn't find much about certificate management in FIM 2010 R2. If there is something new I will post it as soon as I have the beta running. The beta is publicly available, so go and try it yourself.

http://blogs.technet.com/b/forefront/archive/2011/08/01/key-improvements-in-forefront-identity-manager-r2.aspx


Beta test of Certificate Management:
- same schema extensions as before
- still needs IIS 6 management compatibility
- no news on CA modules
...so nothing new here at all.