Tuesday, December 4, 2012

Certificate Autoenrollment and RDS cause a certificate flood


I love using machine certificates for RDP SSL as well. This week I came across an issue where I first thought autoenrollment was freaking out and generating a new certificate on every reboot or gpupdate /force.

I found tons of articles about why autoenrollment does not work at all, but nothing about it issuing too many certificates. Luckily I found an article about the GPO settings for RDP.


RDP GPO settings http://technet.microsoft.com/en-us/library/cc771869(WS.10).aspx

So it seems that this "known" issue is not yet fixed. Or perhaps it is and I just do not know the KB article number.

Solution in short: Keep "Template Display Name" and "Template Name" with the exact same spelling and no spaces. See below.
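As an added check (not part of the original post), this PowerShell snippet reads all certificate templates from the configuration partition and lists those whose "Template Name" (the cn attribute) and "Template Display Name" (displayName) differ or contain spaces, which is exactly the condition the post says to avoid for the RDP template. It runs on any domain-joined machine without RSAT.

```powershell
# Added example: find certificate templates that break the "same spelling, no spaces" rule.
# Reads directly from AD via ADSI, so no RSAT or PKI cmdlets are needed.
function Get-TemplateNameMismatch {
    $cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $root  = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
    $s = New-Object DirectoryServices.DirectorySearcher -ArgumentList $root, '(objectClass=pKICertificateTemplate)'
    [void]$s.PropertiesToLoad.AddRange([string[]]@('cn', 'displayName'))
    foreach ($r in $s.FindAll()) {
        # ResultPropertyCollection keys come back lower-case
        $cn = [string]$r.Properties['cn'][0]
        $dn = [string]$r.Properties['displayname'][0]
        $problem = @()
        if ($cn -cne $dn)                          { $problem += 'name differs from display name' }
        if ($cn -match '\s' -or $dn -match '\s')   { $problem += 'contains spaces' }
        if ($problem) {
            [pscustomobject]@{ TemplateName = $cn; DisplayName = $dn; Problem = ($problem -join '; ') }
        }
    }
}

# Any template you reference in the RDP GPO "Server authentication certificate template"
# setting should NOT appear in this output.
Get-TemplateNameMismatch | Format-Table -AutoSize
```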

Thursday, October 25, 2012

New study about Validating SSL Certificates in Non-Browser Software

Scientists from the University of Texas and Stanford University have published a study about SSL certificate validation in several products and services.
Even applications that use data encryption often do not perform proper identity verification of the sender or receiver. I have seen this before with online backup services, password sync tools, etc.
So this is not a new thing, but it is amazing that we still have to deal with it.

Read the article http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Thursday, October 11, 2012

1-2-3 : See what is in a SAML response

1. Download and install Fiddler 2 from http://www.fiddler2.com/fiddler2/version.asp and activate HTTPS inspection (HTTPS inspection can break the communication for some services when it is activated, e.g. Outlook using RPC over HTTP)

2. Download XML Notepad from here http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=7973

3. Start Fiddler, hit F8 to see the Inspectors

4. Log on to your SaaS application

5. Go back to Fiddler. Click on the first entry in Web Sessions that hits the SaaS vendor, then click on Inspectors and RAW on the right hand side. Copy the SAMLResponse from the RAW tab to https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php and click on "Decode"

6. Copy the decoded SAMLResponse to the clipboard.

7. Open XML notepad and hit CTRL-V.
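The same decoding can be done locally, which avoids pasting a live token (it usually contains the user's identity and may still be within its validity window) into a third-party site. The following PowerShell is an added example, not from the post: it takes the SAMLResponse value as copied from Fiddler's RAW tab (URL-encoded base64 for the POST binding, DEFLATE + base64 for the Redirect binding) and prints the fields worth checking. The sample token is constructed for this demo; the hostnames in it are placeholders.

```powershell
# Added example: decode a SAMLResponse from Fiddler locally.
# POST binding = URL-encoded base64; Redirect binding = DEFLATE + base64.
Add-Type -AssemblyName System.Web

function ConvertFrom-SamlResponse {
    param([Parameter(Mandatory)][string]$Raw)
    $bytes = [Convert]::FromBase64String([System.Web.HttpUtility]::UrlDecode($Raw))
    $text  = [Text.Encoding]::UTF8.GetString($bytes)
    if ($text -notmatch '^\s*<') {
        # Not XML yet, so assume the Redirect binding's raw DEFLATE stream
        $ms = New-Object IO.MemoryStream -ArgumentList @(,$bytes)
        $ds = New-Object IO.Compression.DeflateStream -ArgumentList $ms, ([IO.Compression.CompressionMode]::Decompress)
        $text = (New-Object IO.StreamReader -ArgumentList $ds, ([Text.Encoding]::UTF8)).ReadToEnd()
    }
    return [xml]$text
}

function Get-SamlSummary {
    param([xml]$Xml)
    $ns = New-Object Xml.XmlNamespaceManager -ArgumentList $Xml.NameTable
    $ns.AddNamespace('p', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('a', 'urn:oasis:names:tc:SAML:2.0:assertion')
    [pscustomobject]@{
        Issuer       = $Xml.SelectSingleNode('/p:Response/a:Issuer', $ns).InnerText
        Status       = $Xml.SelectSingleNode('//p:StatusCode', $ns).GetAttribute('Value')
        NameID       = $Xml.SelectSingleNode('//a:Subject/a:NameID', $ns).InnerText
        Audience     = $Xml.SelectSingleNode('//a:Audience', $ns).InnerText
        NotOnOrAfter = $Xml.SelectSingleNode('//a:Conditions', $ns).GetAttribute('NotOnOrAfter')
        # An unsigned Response/Assertion must never be accepted by the SaaS side
        Signed       = ($null -ne $Xml.SelectSingleNode('//*[local-name()="Signature"]'))
    }
}

# Constructed sample: a minimal unsigned Response, encoded the way a POST form carries it
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo1" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotOnOrAfter="2012-10-11T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saas.example.test/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"@
$b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))
Get-SamlSummary (ConvertFrom-SamlResponse ([System.Web.HttpUtility]::UrlEncode($b64)))
```

Replace the constructed `$b64` with the value copied from Fiddler; `Signed` will be `False` for the sample above, which is what you want to see flagged when a real response lacks a signature.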

Tuesday, August 21, 2012

certlm.msc - Short cut to open the certificate store for the local machine

Sometimes even a small thing can be a time saver.
So in Windows 2012 you can just type certlm.msc to start the certificates MMC with the local machine store.

Saturday, August 11, 2012

SharePoint 2013 gets native RMS support

Microsoft SharePoint 2013 supports Information Rights Management (IRM) protection of PDF documents. With that support, users can upload PDF documents to IRM-protected libraries, and upon download, the files will be protected using Microsoft Office IRM.


The first compatible PDF reader comes from Foxit (http://www.foxitsoftware.com/) and other vendors are welcome to make their readers compatible.

Native Support for PDF is one of the top 5 questions from clients about RMS.

Message: This account can't be used to access Outlook.com

Today I ran into an issue accessing the Office 365 Outlook Web Access.

First of all, I did the Office 365 setup for a new tenant. The school of my kids decided to test Office 365; right now they are on Google and they want to teach the kids more than one cloud application.

For ADFS we already have a Windows Server 2012. ADFS works great, but the MSOL PowerShell commands do not work with 2012. Only this server has a public certificate, though, and the URL is used for other services as well. So I just added ADFS 2.0 to another server, moved the signing cert over and ran the MSOL PowerShell commands. Then I just played copycat to get the relying party settings over to the 2012 ADFS server. After ADFS was done I installed and ran DirSync. To verify my work I went to http://outlook.com/domain.org and after ADFS authentication: BUMMER!

"This account can't be used to access Outlook.com"

So I did some web search, but nothing really helpful came up.
So I compared the relying party settings between the ADFS 2.0 server and the 2012 server and found that I had missed configuring the hash algorithm as SHA-1. If it is SHA256 you will see the message above.

I suppose this is only one of several reasons you may see that message, because the message is rather generic.
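The manual comparison described above can be scripted. The following PowerShell is an added example, not from the post: it reads the signature (secure hash) algorithm of one relying party trust on both servers and, if the 2012 server still uses SHA256, sets it to SHA-1 as the post describes. The hostnames and the relying party display name in `$rpName` are assumptions to adjust; remote PowerShell access to both servers is assumed as well.

```powershell
# Added example: compare and align the relying party SignatureAlgorithm between
# an ADFS 2.0 server and a Windows Server 2012 ADFS server.
$rpName = 'Microsoft Office 365 Identity Platform'   # assumption: your trust's display name
$sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
$adfs20   = 'adfs20.example.test'     # hypothetical hostnames
$adfs2012 = 'adfs2012.example.test'

function Get-RpSignatureAlgorithm {
    param([string]$Computer, [string]$Name)
    Invoke-Command -ComputerName $Computer -ArgumentList $Name -ScriptBlock {
        param($n)
        # ADFS 2.0 ships a snap-in, ADFS on Server 2012 a module; load whichever exists
        if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS }
        else { Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop }
        (Get-AdfsRelyingPartyTrust -Name $n).SignatureAlgorithm
    }
}

$old = Get-RpSignatureAlgorithm -Computer $adfs20   -Name $rpName
$new = Get-RpSignatureAlgorithm -Computer $adfs2012 -Name $rpName
"ADFS 2.0 : $old"
"ADFS 2012: $new"

if ($old -ne $new -and $new -eq $sha256) {
    Write-Warning "Signature algorithm differs; switching $rpName on $adfs2012 to SHA-1"
    Invoke-Command -ComputerName $adfs2012 -ArgumentList $rpName, $sha1 -ScriptBlock {
        param($n, $alg)
        Import-Module ADFS
        Set-AdfsRelyingPartyTrust -TargetName $n -SignatureAlgorithm $alg
    }
}
```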

ADFS 2.0 update rollup update 2

Microsoft released another update for ADFS 2.0 as a rollup update, so we are now at rollup update 2.
Unlike the rollup updates for Exchange, the rollup updates for ADFS 2.0 are released as hotfixes: you have to request them first and cannot just download them.

The Update Rollup 2 update is a cumulative update package that contains all the fixes and new features that were contained in Update Rollup 1.


RU2 has a new feature: support for RelayState.

Previously you had to develop your own workaround. Jonas Syrstad published an article about this before:

For RU2 Microsoft published a good article about RelayState.

If you are now asking what RelayState is: it is an additional parameter in an IdP-initiated scenario that tells the resource provider where to go next once the authentication has been verified.

Wednesday, July 25, 2012

SharePoint 2013 has a built-in capability to protect PDF

Microsoft announced a new feature for SharePoint 2013. You can upload unprotected PDF files, and on download of those PDFs SharePoint will add RMS protection. For now you can read these PDFs with the Foxit PDF reader, but this is an open format and other software vendors can adapt their readers.


Monday, July 16, 2012

In-place migration Windows 2008 R2 to Windows 2012 Certification Authority

I migrated a couple of machines from Windows 2008 R2 to Windows 2012. It worked well, also for remote machines, and even a remote access server came back after a while so I could dial in again (Note: I had an SSH connection to the host as a backup way to get in - I am not that brave.)

The last migration I did was a CA, and after migrating I could request certificates and saw new CRLs. So all is good. Almost: I could not see the MMC snap-ins for certificate templates and the certification authority.
I had to install them manually first.

or take the shortcut:

c:\>dism /online /enable-feature /featurename:CertificateServicesManagementTools

Small thing but good to know.

Saturday, July 14, 2012

DHCP server migration - Error 32: Feature DHCP Server could not be exported.

During a DHCP Server migration from 2008 R2 to Windows 2012, moving from one virtual machine to a new virtual machine, I ran into error 32 while exporting the DHCP configuration from the source server.

btw: I like SMIG because it also moves all the active leases to the new server. A regular backup/restore doesn't.

PS C:\system\smig> Export-SmigServerSetting -FeatureID dhcp -path c:\system\dhcp3 -verbose

cmdlet Export-SmigServerSetting at command pipeline position 1
Supply values for the following parameters:
Password: **********
Export-SmigServerSetting : Error 32: Feature DHCP Server could not be exported.
At line:1 char:25
+ Export-SmigServerSetting <<<<  -FeatureID dhcp -path c:\system\dhcp3 -verbose
    + CategoryInfo          : InvalidOperation: (:) [Export-SmigServerSetting]
   , Exception
    + FullyQualifiedErrorId : 32,Microsoft.Windows.ServerManager.Migration.Com

           ItemType ID                              Success DetailsList
           -------- --                              ------- -----------
     WindowsFeature DHCP                              False {DHCP}
VERBOSE: Details:
VERBOSE: Title: DHCP Server
VERBOSE: Result: Failed
VERBOSE: Error 32: Feature DHCP Server could not be exported.
Export-SmigServerSetting : Gathering the specified migration data failed.
The migration operation encountered an error that could not be skipped.
At line:1 char:25
+ Export-SmigServerSetting <<<<  -FeatureID dhcp -path c:\system\dhcp3 -verbose
    + CategoryInfo          : InvalidOperation: (:) [Export-SmigServerSetting]
   , MigrationException
    + FullyQualifiedErrorId : Microsoft.Windows.ServerManager.Migration.Comman
PS C:\system\smig> 

I have done this many times before to migrate from 2003 to 2008 R2. This time I just forgot to stop the DHCP service on the source server before running Export-SmigServerSetting.

Good luck!

Friday, June 15, 2012

How to find a good name for your Certificate Authority

It is an often asked question: how should I name my new Certificate Authority? Well, this is not an easy job, but I want to share my thoughts.

Keep in mind that this name will be used for the next 10 or 20 years and is not changeable (or a name change would be very hard to do).

Items to consider:
  • Should have some sort of identification between
  • Should not include brand names of others, and possibly not even your own company's
  • Should be short and simple to read (even for your end users)
  • Avoid special characters or signs; best are the characters A-Z, a-z and the numbers 0-9
  • Remember: a company name or legal form can change
  • Probably you will have more than one root CA over the years, as a second PKI or as a replacement for the CA you plan today, so add some version information or a generation name to the CA name, e.g. R1 (Root generation 1), P1 (Policy CA generation 1) or I1 (Issuing CA generation 1)

bad example: My Root CA

better: SEC Root CA R1 (Security Attic Root CA generation 1)

And if you use acronyms you can flexibly read or interpret them in the future. :-)

Tuesday, May 1, 2012

TEC2012: What is new in Windows 2012 for RMS

Updates for RMS in Windows 2012

- stronger key encryption (RSA 2048 / SHA256) - patch available for Windows 2008 R2
- Logging no longer uses MSMQ but writes straight to the database. This sounds like a little more overhead for logging, but it reduces the time spent troubleshooting MSMQ
- Thanks to the new Server Manager you can install an RMS cluster from a single console
- RMS cluster servers can be core servers, installed from a server with the full server version -OR-
- install RMS on a server running the GUI and then switch it to a core server (switching between core and full is a new feature in Windows 2012)
- Delegation for e-mail protection, so an assistant can read the e-mail sent to the manager - available as a patch for Windows 2008 R2

Monday, April 30, 2012

TEC2012: Windows 2012 Dynamic Access Control

Dynamic Access Control is a new feature in Windows Server 2012 (aka Windows 8).
It gives you:
- centralized policies
- rules to define attributes on user object, device object and resource object

user.department == "HR" and device.managed == true and file.department == "HR" -> allow access

So if a user logs on from a managed machine in the office he/she can access that data; if he/she tries to access the data from their home computer he/she will get an access denied error.

Btw: the Access Denied error dialog got some improvements as well, so the user can now request access from the dialog. Let's see if the FIM product group implements this for group membership management as well.

Dynamic Access Control is an integrated feature of Windows Server 2012.