Windows Server 2008 CAs and Server 2003 DCs – are you seeing event ID 13 popping up every eight hours?

Posted on March 15th, 2011 in Deployment, Security, Server 2003, Server 2008 by alt-92

Be careful when implementing a Windows 2008 based Certificate Authority in a mixed 2003R2 and 2008(R2) environment. By default, the installation of the ADCS Role on a 2008 Server selects SHA2 type algorithms which are not quite compatible with Server 2003R2 SP2 or XP SP3.
You will need a hotfix.

While waiting for a new hardware setup I decided to jump the gun and upgrade my old 2003CA to 2008 in advance – a pretty straightforward process of decommissioning and deploying a new CA on a fresh 2008 install.  Both my Home Theatre setup and laptop are running Vista or 7, and there’s a virtualized Core 2008 Domain Controller as well. No problems there.
However, there is still one slight snag as I’m still using a 2003 machine as second physical DC (which hosts my DFS namespace and I haven’t gotten around to upgrading that one).
After a couple of days, that machine started spewing Event ID 13 errors every eight hours in the Application log: 

Event Type:    Error
Event Source:    AutoEnrollment
Event Category:    None
Event ID:    13
Date:        28-2-2011
Time:        18:14:37
User:        N/A
Computer:    MYDC
Description:
Automatic certificate enrollment for local system failed to enroll
for one Domain Controller Authentication certificate (0x80092009).
Cannot find the requested object.

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.

Secure Channel for LDAP over SSL also breaks because of this, so you’ll see those warnings as well.

A quick look in the ADCS Snapin confirmed both the Directory Email Replication and Domain Controller Authentication certificates were trying to autoenroll but failing every 8 hours.

A search for "cannot find the requested object" quickly resolved that, pointing the way to http://support.microsoft.com/kb/968730.

After requesting the hotfix and rebooting, AutoEnroll properly processes the request again, and SSL enabled LDAP connections are restored.

More information is also available on the Windows PKI Technet Blog: http://blogs.technet.com/b/pki/archive/2011/02/08/common-questions-about-sha2-and-windows.aspx

Detecting and installing WSUS updates in Server 2008 Core

Posted on November 14th, 2009 in Deployment, Security, Server 2008 by alt-92

On a normal GUI-box, detecting or installing new updates after a fresh install is reasonably easy.
You just click the Updates Control panel item, or, for the more commandline orientated folks, run a wuauclt /detectnow and wait for the “There are new updates available” Systray icon to appear.

The problem with Server Core … there’s no way for you to see the “updates to install” notice in the system tray when you log on to the computer because, well, there’s no systray!

In comes a handy piece of VBscript that allows you to do a manual quick check and start off the installation process, using the in-box Windows Update Agent API.
http://msdn.microsoft.com/en-us/library/aa387102(VS.85).aspx

Although the MSDN article states it does not run against SUS 1.0 servers, you don’t have to worry because both Windows Update (site) and WSUS 3.x employ the WUA API.

Save and run the script in the command prompt as “cscript ” since the default script host is graphical (wscript) on a Core box.

01
02
Set updateSession = CreateObject("Microsoft.Update.Session")
03
Set updateSearcher = updateSession.CreateupdateSearcher()
04
 
05
WScript.Echo "Searching for updates..." & vbCRLF
06
 
07
Set searchResult = _
08
updateSearcher.Search("IsInstalled=0 and Type='Software'")
09
 
10
WScript.Echo "List of applicable items on the machine:"
11
 
12
For I = 0 To searchResult.Updates.Count-1
13
    Set update = searchResult.Updates.Item(I)
14
    WScript.Echo I + 1 & "> " & update.Title
15
Next
16
 
17
If searchResult.Updates.Count = 0 Then
18
WScript.Echo "There are no applicable updates."
19
WScript.Quit
20
End If
21
 
22
WScript.Echo vbCRLF & "Creating collection of updates to download:"
23
 
24
Set updatesToDownload = CreateObject("Microsoft.Update.UpdateColl")
25
 
26
For I = 0 to searchResult.Updates.Count-1
27
    Set update = searchResult.Updates.Item(I)
28
    WScript.Echo I + 1 & "> adding: " & update.Title 
29
    updatesToDownload.Add(update)
30
Next
31
 
32
WScript.Echo vbCRLF & "Downloading updates..."
33
 
34
Set downloader = updateSession.CreateUpdateDownloader() 
35
downloader.Updates = updatesToDownload
36
downloader.Download()
37
 
38
WScript.Echo  vbCRLF & "List of downloaded updates:"
39
 
40
For I = 0 To searchResult.Updates.Count-1
41
    Set update = searchResult.Updates.Item(I)
42
    If update.IsDownloaded Then
43
       WScript.Echo I + 1 & "> " & update.Title 
44
    End If
45
Next
46
 
47
Set updatesToInstall = CreateObject("Microsoft.Update.UpdateColl")
48
 
49
WScript.Echo  vbCRLF & _
50
"Creating collection of downloaded updates to install:" 
51
 
52
For I = 0 To searchResult.Updates.Count-1
53
    set update = searchResult.Updates.Item(I)
54
    If update.IsDownloaded = true Then
55
       WScript.Echo I + 1 & "> adding:  " & update.Title 
56
       updatesToInstall.Add(update) 
57
    End If
58
Next
59
 
60
WScript.Echo  vbCRLF & "Would you like to install updates now? (Y/N)"
61
strInput = WScript.StdIn.Readline
62
WScript.Echo 
63
 
64
If (strInput = "N" or strInput = "n") Then 
65
WScript.Quit
66
ElseIf (strInput = "Y" or strInput = "y") Then
67
WScript.Echo "Installing updates..."
68
Set installer = updateSession.CreateUpdateInstaller()
69
installer.Updates = updatesToInstall
70
Set installationResult = installer.Install()
71
 
72
'Output results of install
73
WScript.Echo "Installation Result: " & _
74
installationResult.ResultCode 
75
WScript.Echo "Reboot Required: " & _ 
76
installationResult.RebootRequired & vbCRLF 
77
WScript.Echo "Listing of updates installed " & _
78
"and individual installation results:" 
79
 
80
For I = 0 to updatesToInstall.Count - 1
81
WScript.Echo I + 1 & "> " & _
82
updatesToInstall.Item(i).Title & _
83
": " & installationResult.GetUpdateResult(i).ResultCode 
84
Next
85
End If


					




				



				

		

	




	



	
		

					


				
Opening .CHM files from network drives – the GPO way



				

					Posted on  December 11th, 2008 in Security, Server 2003, Vista by alt-92 				



				

					
Trying to read non-local HTML Help files since  Security Bulletin MS05-026 has always been a very frustrating process.

First, there is the common ‘Oh oh, you’re opening a potentially dangerous file’ popup:




Well, yes. I want to, it’s already stored on my network. I put it there. In fact, I already unblocked the content when I downloaded the file.




But still I get a blank page in the Helpfile:




So let’s go check the KB Article page to see what we can do.


Ah. While there is a helpful section explaining the registry keys needed to Make Things Work again regeditting manually is not everyones favourite pastime:




Windows Registry Editor Version 5.00



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]

"MaxAllowedZone"=dword:00000001

"UrlAllowList"="\\\\alt-92.net"



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]

"MaxAllowedZone"=dword:00000001

"UrlAllowList"="\\\\alt-92.net"




No, the double \\ are no mistake. You need to escape backslashes.


Now repeat for every computer. Wash, rinse, repeat.


Time to get busy.

Using GPOs seems a likely solution. In fact, the KB article references GPO’s but in a very nasty way.

So why not use Vista’s new GPO Preferences?


To start off, create a new GPO (appropriately named GP_HTMLHelpFix ).

Dig down into the Computer Configuration tree, until you reach Preferences> Windows Settings > Registry.




Create new entries for the values needed:




You can use the UrlAllowList setting to enter DFS roots or local intranet domain.




After linking the Computer GPO to the proper OU and doing a gpupdate, you should see the results in the Registry Editor:




The above approach works in most cases. Except.. it’s still not working.




As it turns out, I not only need to configure the registry keys, but also need to properly  configure Internet Options to include the namespace in the local Intranet Zone.

Apparently, there is a problem in IE7 listed  in MSKB article 941001.


If you configure a policy setting to a value other than the default value, a local site may appear as “Local Intranet” even though you expect it to appear as “Internet,” or vice versa.


The default settings which should work but don’t:




So let’s tick off Autodetect, tick “Include all Network paths (UNCs)” since a drivemapping is also UNC..




Click Advanced, and enter the domain as a file://-based UNC path..




Re-tick autodetect, with the settings enabled and ‘Ok’ your way though.




Import these settings in the appropriate GPO object to control IE settings if you have them.


Bonus: Use a WMI filter to exclude or include the operating systems you wish to apply these settings to.  The Filter shown ensures the GPO only applies to XP desktops and Vista RTM or SP1 desktop machines, and not to any 2000 Pro or 2003 Server machines that inadvertently stray out of their OU.




By the way:


It worked!




					




				



				

		

	




	



	
		

					


				
Interview with Rafal Luckawiecki at IT Forum ‘07



				

					Posted on  January 28th, 2008 in Security by alt-92 				



				

					


Rafal Lukawiecki Security chat at IT Forum


					

    
				
  • 
												
    • 
			




				



				

		

	




	



	
		

					


				
Inherited Permissions and moving Folders don’t mix.



				

					Posted on  June 24th, 2007 in Security, Storage by alt-92 				



				

					
You know the reACL mayhem that ensues when your datashares are ACLled with different groups on different folders..

When you (accidentally) move a folder into another one with different security, the inherited permissions don’t apply. This tends to happen frequently when users drag ‘n drop a folder in the wrong place and lose sight or can’t seem to remember that ctrl+z is Undo.


Here’s why.


http://support.microsoft.com/kb/320246/en-us


					

    
				
  • 
												
    •