Thursday, August 25, 2011

RMS protection on the Mac OS with MS Office 2011

If you have a Macbook or iMac or Miniserver (I get one for me too) then might you are interested to see that you can consume and create RMS protected documents on your preferred OS as well. I think that is the first non-Windows platform support for RMS from Microsoft. I published a few screenshots here:

Friday, August 19, 2011

Outlook connection issues with Exchange 2010 mailboxes because of the RPC encryption requirement

With Exchange 2010 RTM Microsoft enabled the RPC encryption on the server side, so users had to enable that in their Outlook profile as well, what is the case with Outlook 2007 and 2010, but not with Outlook 2003.
So might Microsoft got so many complains from Outlook 2003 users (or administrators) that they decided to make RPC encryption optional on the Exchange Server side again.
How odd is this?!


Tuesday, August 9, 2011

Wildcard vs. CN certificates or how to reduce the pain of management of SSL certificates

If you use reverse proxy, e.g. with Apache or Microsoft ISA Server/TMG 2010 you might already ran into one of those:
- some certificates are public signed, others are from the internal CA
- validity of certificates is from 1 year to 3 years, and nobody knows why not all are good for 3 years
- every certificate has a another validity start date and expiration date
- it is exhausting to renew certificates with Subject Alternative names
- each web site or ssl listerner has its own certificate
- no (semi)-automatic certificate renew process

May you can run this with 5 web sites in this way, but what if you have 20,40,180 and more websites on your reverse proxy.

So what?
- Request next time only 2048bit RSA certificates
- Secure internal-only and external-facing websites with public certificates
- Don't buy certificates on a daily basis, get  as many as you can from one public CA. Makes troubleshooting much easier.
- Request one wildcard certificate, so instead of use *
- Wildcard certificates do not work with all services, if so use at least SAN entries
- Buy/request certificates for 3 year instead of 1 year
- Renew certificates in a bulk, e.g. every January and start the renew process early
- create a script with openssl or a certreq.inf file
e.g. a inf file to request a certificate from a internal Windows CA

ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC


CertificateTemplate = CLWebServer ;Omit line if CA is a stand-alone CA

And here we are with the batch file, to complete this post.

echo ================  >> certreq.log
certreq -f -NEW win4012.inf win4012.csr >> certreq.log
CertReq -f -Submit -f -config "\AAA Crypto Live 4000" win4012.csr win4012.cer  >> certreq.log
CertReq -accept win4012.cer  >> certreq.log

Thursday, August 4, 2011

Forefront Identity Manager 2010 R2 beta available

If you were ever interested what the next version of FIM would be, it is an R2 version.
btw my favorite was FIM ;-)
The GA is planned for first half of 2012. To highlight:
- web based password reset
- Outlook 2010 support

From the beta release notes I couldn`t find to much about the certificate management in FIM 2010 R2. If there is   something new I will post it as soon I have the beta running. Beta is public available, so go and try it by yourself.

Beta test on Certificate Management:
- same schema extensions as before
- still needs IIS 6 management compatibility
- no news on CA modules nothing new here at all.