Monday, November 17, 2014

How to archive and un-archive certificates

You might be aware that certificates can be flagged as archived on a Windows machine. That has nothing (as in nada) to do with key archival, which is performed by the Certification Authority if it is configured there.
The archive flag is used to make certificates invisible to applications without deleting them from a user or machine store. E.g. auto-enrollment sets this flag on the previous certificate once a new certificate has been enrolled.
In this post I want to show you how to set and unset this flag.

First of all we want to see whether there is a certificate in the certificate store with the archive flag set. I work on my machine as local administrator and so should you.

1. Open an MMC and add the Certificates snap-in for either your user or the local machine, or both if you like.

Then enable the archived certificates view (View > Options > Archived certificates). That is like the Advanced Features view setting you might know from Active Directory Users and Computers.


Note: You have to enable the archived certificates view for each snap-in separately. So in the picture above I did that for Certificates - Current User and for Certificates (Local Computer).


Now you see the archived certificates in the MMC.



Note the letter A at the end. That is the sign that this certificate is flagged as archived.


2. You can do the same with a certutil command. The MMC does not give you an option to set the flag, so you have to use certutil for that; see below.


Use certutil to see all certificates:

certutil.exe -store my

This will show you all certificates in the local machine store (the archived ones are marked with "Archived!").

...
================ Certificate 4 ================
Archived!
Serial Number: 3dc344f3e2cf6dab48d7085ecd1bb849
Issuer: CN=localhost
 NotBefore: 6/13/2012 2:17 PM
 NotAfter: 6/12/2022 5:00 PM
Subject: CN=localhost
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 80 3e 7f 62 5a be 5b 14 52 e3 65 dd 72 4d 59 98 cb 8a 30 d3
  Key Container = IIS Express Development Certificate Container
  Unique container name: fad662b360941f26a1193357aab3c12d_42f2ea6e-c662-4d0b-8b56-2f094a3a3dc9
  Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
....


So that certificate is number 4 in the certificate store. Let's write this down for later.


3. We will use certutil to un-archive the certificate (and we can use it for archiving as well).

Here is the file to set the archive flag:
- Create a new file with Notepad and call it archive_set.inf
- Paste these two lines into the archive_set.inf file

[Properties]
19 = Empty ;

- save the file





Here is the file to remove the archive flag:
- Create a new file with Notepad and call it archive_remove.inf
- Paste these two lines into the archive_remove.inf file

[Properties]
19 =          ;

- save the file




4. Now you can toggle the archive flag as you desire.

You need the number you wrote down in step 2, or you can use the certificate's serial number instead.


flag on

certutil.exe -repairstore my 4 archive_set.inf


flag off

certutil.exe -repairstore my 4 archive_remove.inf
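The same procedure scripted in PowerShell, as an added example that is not part of the original post: the store is opened with the IncludeArchived flag so the archived certificates (which Get-ChildItem Cert:\ hides) are listed, and the flag is toggled with the certutil -repairstore call and the .inf content from above. Property 19 in the .inf is CERT_ARCHIVED_PROP_ID; the functions and their names are my own and assume an elevated session.

```powershell
# Added example, not the blog's code. Assumes an elevated PowerShell 5+ session.
using namespace System.Security.Cryptography.X509Certificates

function Get-ArchivedCertificate {
    param([string]$StoreName = 'My', [StoreLocation]$Location = 'LocalMachine')
    # Get-ChildItem Cert:\ does not show archived certificates; opening the store
    # with IncludeArchived returns them, and .Archived reflects property 19.
    $store = [X509Store]::new($StoreName, $Location)
    $store.Open([OpenFlags]::ReadOnly -bor [OpenFlags]::IncludeArchived)
    try {
        $store.Certificates | Where-Object { $_.Archived } | ForEach-Object {
            [pscustomobject]@{
                Serial     = $_.SerialNumber
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        }
    } finally { $store.Close() }
}

function Set-CertificateArchiveFlag {
    param(
        [Parameter(Mandatory)][string]$CertId,   # index, serial number or SHA1 hash
        [Parameter(Mandatory)][bool]$Archived,
        [string]$StoreName = 'My'
    )
    # Same content as archive_set.inf / archive_remove.inf above, written to a
    # temporary file: "19 = Empty ;" sets CERT_ARCHIVED_PROP_ID, "19 = ;" clears it.
    $inf = Join-Path $env:TEMP "archive_$([guid]::NewGuid()).inf"
    $value = if ($Archived) { 'Empty' } else { '' }
    @('[Properties]', "19 = $value ;") | Set-Content -Path $inf -Encoding ASCII
    try {
        & certutil.exe -repairstore $StoreName $CertId $inf | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -repairstore failed with exit code $LASTEXITCODE"
        }
    } finally { Remove-Item $inf -ErrorAction SilentlyContinue }
}

# Usage: archive the certificate from the certutil -store output above by its
# serial number, verify that it now shows up as archived, then un-archive it.
# $serial = '3dc344f3e2cf6dab48d7085ecd1bb849'
# Set-CertificateArchiveFlag -CertId $serial -Archived $true
# Get-ArchivedCertificate | Format-Table Serial, Subject, NotAfter
# Set-CertificateArchiveFlag -CertId $serial -Archived $false
```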





See also http://blogs.technet.com/b/pki/archive/2007/02/22/how-to-manually-set-the-archive-flag-for-certifictes.aspx




Friday, October 31, 2014

Disable SSL3 on a Windows Server

As an update to a former post I want to provide an updated registry file which turns off SSL3. You can do the same thing using the NARTAC tool or group policy settings.

Just a reminder: this will disable SSL3 for all services using the Microsoft Crypto API (Schannel) on that server. For other services, e.g. Apache, you have to find out yourself what to do. See also the bettercrypto project at https://bettercrypto.org/


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001
"DisableRenegoOnClient"=dword:00000001
"DisableRenegoOnServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
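A check to run after importing the file and rebooting, as an added example that is not part of the original post: it reads the SCHANNEL protocol keys back and reports each protocol's effective state. Schannel treats Enabled=0 as a hard disable, while DisabledByDefault=1 only keeps the protocol from being used unless an application explicitly asks for it; the SSL 3.0\Server entry above (Enabled=0xffffffff plus DisabledByDefault=1) therefore reports as "off by default" rather than "disabled". The function names are my own.

```powershell
# Added example, not the blog's code. Run in an elevated session.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-ProtocolState {
    # Pure mapping from the two registry values to a state, kept separate from
    # the registry access so the logic can be read on its own.
    param($Enabled, $DisabledByDefault)
    if ($null -eq $Enabled -and $null -eq $DisabledByDefault) { return 'OS default' }
    if ($Enabled -eq 0)            { return 'Disabled' }
    if ($DisabledByDefault -eq 1)  { return 'Off by default (available on explicit request)' }
    return 'Enabled'
}

function Get-SchannelProtocolReport {
    # One row per protocol and side; missing Client/Server keys mean OS default.
    foreach ($proto in Get-ChildItem $SchannelProtocols) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $proto.PSPath $side
            $props = if (Test-Path $key) { Get-ItemProperty $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto.PSChildName
                Side              = $side
                Enabled           = $props.Enabled            # dword:ffffffff reads back as -1
                DisabledByDefault = $props.DisabledByDefault
                State             = Get-ProtocolState $props.Enabled $props.DisabledByDefault
            }
        }
    }
}

# Usage: full table, then only the SSL entries that are not hard-disabled.
# Get-SchannelProtocolReport | Format-Table -AutoSize
# Get-SchannelProtocolReport | Where-Object { $_.Protocol -like 'SSL*' -and $_.State -ne 'Disabled' }
```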

Thursday, July 31, 2014

PowerShell arrays with just one entry are not real arrays

Earlier this year I wrote about ADfind and PowerShell.

http://secattic.blogspot.com/2014/05/combine-adfind-and-powershell.html

What I found is that if the LDAP result contains only one entry, PowerShell does not create an array but a single object, more like a single string. I am not sure how to explain that better. But what happens is that if you run e.g.

$content.length or $content.count

it does not return any value at all.

Or, if you have code where you want to process all entries in an array, e.g. with foreach, and you access the array like this:

$content[$i].uid

it does not work and you see the error "Unable to index into an object..."

So the solution is to surround the variable with @(), e.g. @($content).count

or

$dn=@($content)[$i].dn



Thursday, July 10, 2014

Sync between LDAP directories with LSC

Currently I am working on a Forefront Identity Manager IdM project. The client has a test environment which is a mirror of the production environment up to a certain point. This includes AD LDS and multiple Active Directories. Because of bindproxy objects we cannot just export and import user objects, since those rely on the objectSID in their environment; after account creation we can only update entries, unless we have plenty of time to wait for tens of thousands of accounts to be recreated. When we ran management agents in the test environment we changed a lot of data in AD LDS. I was looking for a way to roll back changes, to get fresh data from production, and also to get data from production that our management agents in test do not handle, for example street address, location and zip code of users, just to keep it simple for this post.
Exporting data from the production system into CSV and then reimporting it was my first approach, but I really had a hard time finding tools for the import. Some great tools only work for AD user objects, so no luck with my objects in AD LDS (http://www.wisesoft.co.uk/software/bulkadusers/default.aspx). For others I first had to find out whether I wanted to add a new attribute or change an existing attribute value; I considered that too much effort to implement (ADfind/ADmod). I also spent some time with PowerShell but was not really successful either. So finally I asked around in our team and got a recommendation for LSC (http://tools.lsc-project.org/news/49). I installed it on Windows 2008 R2, and even though all the documentation is written for Linux, it works well on Windows because of Java. The developer website has an article describing how to run it on Windows, but I guess it is outdated: I did not need Maven or Ant to get version 2.10 running.
Just in case I need it again, I post here the configuration file I use to sync from prod to test (AD LDS to AD LDS). In my example I sync only accounts for users with the last name Mueller. You can change that of course. ;-)

Many thanks to the LSC team! And thanks to Kevin for pointing me in the right direction!

Install steps:

- Install Java
- set JAVA_HOME
- Create a new folder and copy the logback.xml from the examples there
- Create the lsc.xml (feel free to be a copy cat)
- Run from the bin directory: lsc.bat -f <folder where lsc.xml is> -s all -c all -n

(with -n it will do a dry run and not write anything to the destination)


lsc.xml

<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
  <connections>
    <ldapConnection>
      <name>LDAPsource</name>
      <url>ldap://source.mydomain.com:389/o=mydomain.com</url>
      <username>username@mydomain.com</username>
      <password>password</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>1000</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
    </ldapConnection>
    <ldapConnection>
      <name>LDAPdestination</name>
      <url>ldap://destination.mydomain.com:389/o=mydomain.com</url>
      <username>uid=svc_acct,OU=admins,O=mydomain.com</username>
      <password>password</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>1000</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
    </ldapConnection>
  </connections>
  <tasks>
    <task>
      <name>People</name>
      <bean>org.lsc.beans.SimpleBean</bean>
      <ldapSourceService>
        <name>LDAPsource-service</name>
        <connection reference="LDAPsource" />
        <baseDn>ou=users,o=mydomain.com</baseDn>
        <pivotAttributes>
          <string>uid</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>uid</string>
          <string>street</string>
          <string>l</string>
          <string>postalCode</string>
          <string>C</string>
          <string>mobile</string>
          <string>userCertificate</string>
        </fetchedAttributes>
        <getAllFilter>(sn=mueller)</getAllFilter>
        <getOneFilter>(&amp;(objectClass=person)(uid={uid}))</getOneFilter>
        <cleanFilter>(&amp;(objectClass=person)(uid={uid}))</cleanFilter>
      </ldapSourceService>
      <ldapDestinationService>
        <name>LDAPdestination-service</name>
        <connection reference="LDAPdestination" />
        <baseDn>ou=users,o=mydomain.com</baseDn>
        <pivotAttributes>
          <string>uid</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>uid</string>
          <string>street</string>
          <string>l</string>
          <string>postalCode</string>
          <string>c</string>
          <string>mobile</string>
          <string>userCertificate</string>
        </fetchedAttributes>
        <getAllFilter><![CDATA[(objectClass=person)]]></getAllFilter>
        <getOneFilter><![CDATA[(&(objectClass=person)(uid={uid}))]]></getOneFilter>
      </ldapDestinationService>
      <propertiesBasedSyncOptions>
        <mainIdentifier>"uid="+srcBean.getDatasetFirstValueById("uid") + ",ou=users,o=mydomain.com"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>
        <conditions>
          <create>false</create>
          <update>true</update>
          <delete>false</delete>
          <changeId>false</changeId>
        </conditions>
        <dataset>
          <name>uid</name>
          <policy>KEEP</policy>
          <createValues>
            <string>srcBean.getDatasetFirstValueById("uid")</string>
          </createValues>
        </dataset>
      </propertiesBasedSyncOptions>
    </task>
  </tasks>
</lsc>







Tuesday, May 6, 2014

Combine ADfind and PowerShell


I really love adfind.exe (http://www.joeware.net/freetools/tools/adfind/index.htm) for searching in AD and AD LDS, even when the machine I run it on is not part of that AD or belongs to a different AD. Especially the CSV export is really powerful, so I was wondering how I could feed the adfind CSV output directly into a PowerShell array for further processing.


PS C:\System> $content= (tools\adfind -h dir.server.com:389 -b "o=mycompany" -u "username" -up "userpass" -maxe 25 -csv -csvdelim "|" -f "(objectclass=*)" cn | ConvertFrom-Csv -delimiter "|" )

The command line above runs adfind to search for all entries on dir.server.com regardless of object class, but it will only return the first 25 entries. You can adjust the maxe option. I mostly work on larger projects, so I found the 25-entry limit convenient and time saving.
All results are then available in the $content array for further processing with PowerShell, e.g. counting, sorting, checking for duplicates on specific attributes, ... you name it.
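The ConvertFrom-Csv pipeline above, together with the single-entry pitfall from the "PowerShell arrays with just one entry" post, as an added example that is not part of either original post: the adfind output is replaced by constructed "|"-delimited lines so it runs without a directory server, and the function names, the sample entries and the duplicate check are my own.

```powershell
# Added example, not the blog's code. Works on PowerShell 5+ (the Count/index
# behaviour it guards against is the pre-3.0 one described in the post).
function ConvertFrom-AdfindCsv {
    param([Parameter(Mandatory)][string[]]$CsvLines)
    # @() forces an array even when adfind returned a single entry. The leading
    # comma keeps PowerShell from unrolling a one-element array again when the
    # function returns, so the caller's $result.Count and $result[0] behave the
    # same for one or many rows.
    return ,@($CsvLines | ConvertFrom-Csv -Delimiter '|')
}

function Find-DuplicateValues {
    # Returns attribute values that occur on more than one entry, e.g. to spot
    # a cn or uid that is not unique before handing the data to an IdM sync.
    param(
        [Parameter(Mandatory)][object[]]$Entries,
        [Parameter(Mandatory)][string]$Attribute
    )
    $Entries | Group-Object -Property $Attribute | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Value = $_.Name; Count = $_.Count } }
}

# Constructed sample standing in for adfind -csv -csvdelim "|" output
# (header line first, one row per entry).
$oneEntry = @(
    'dn|cn|uid',
    'CN=Anna Mueller,ou=users,o=mycompany|Anna Mueller|amueller'
)
$manyEntries = @(
    'dn|cn|uid',
    'CN=Anna Mueller,ou=users,o=mycompany|Anna Mueller|amueller',
    'CN=Bernd Mueller,ou=users,o=mycompany|Bernd Mueller|bmueller',
    'CN=Anna Mueller,ou=admins,o=mycompany|Anna Mueller|amueller2'
)

# Single result: still an array, so Count and indexing work without wrapping
# the variable in @() at every use.
$single = ConvertFrom-AdfindCsv $oneEntry
$single.Count
$single[0].uid

# Several results: same code path, plus a duplicate check on cn.
$all = ConvertFrom-AdfindCsv $manyEntries
$all.Count
Find-DuplicateValues -Entries $all -Attribute cn | Format-Table -AutoSize
```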




Saturday, April 26, 2014

Welcome MIM

Welcome Microsoft Identity Manager!

After MMS, MIIS, CLM, ILM and FIM we get a new acronym: MIM - Microsoft Identity Manager.

http://blogs.technet.com/b/server-cloud/archive/2014/04/23/forefront-identity-manager-vnext-roadmap-now-microsoft-identity-manager.aspx

Perhaps because I never understood why it was called Forefront, Microsoft thought simpler is better.
So the only question is why FIM became MIM and not CIM - Cloud Identity Manager. Perhaps one day we will all have just one ID in the cloud and there will be no need for identity management anymore. Nice dream.
