Certificates in AD

  • Certificates in AD

    Hi all,

    I have two Windows 2008 Standard DCs, DC1 and DC2.
    On DC2 I installed a CA. I had a problem with error messages in the event log:

    Product: Windows Operating System
    ID: 29
    Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
    Version: 6.0
    Symbolic Name: KDCEVENT_MISSING_KDC_CERTIFICATE
    Message: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

    So I generated certificates for both DCs. I used the templates Domain Controller and Domain Controller Authentication. After the certs had been generated I installed them into the Personal store on each DC. The certificate of the CA is deployed into Trusted Root Certification Authorities by group policy. I had a problem that after
    certutil.exe -dcinfo verify I got this:

    certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider

    I resolved this problem with this:
    certutil.exe -enterprise -addstore NTAuth cert.cer

    After this command DC2 was working correctly and event ID 29 was not displayed again. But on DC1 the problem remained. I can see that on DC2 the certificates have a private key. On DC1 they don't have a private key. I tried to delete the root CA certificate and import the CA with the private key exported from DC2. But now I have this problem on DC1:


    *** Testing DC[1]: DC1
    ** Enterprise Root Certificates for DC DC1
    No certs in Ent Root store!
    Enterprise Root store: Cannot find object or property. 0x80092004 (-214688562
    ** KDC Certificates for DC DC1
    Certificate 0:
    Serial Number: 2762bc2d000000000010
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    NotBefore: 25.4.2009 11:16
    NotAfter: 25.4.2010 11:26
    Subject: CN=dc1.alz.lcl
    Certificate Template Name (Certificate Type): DomainController
    Non-root Certificate
    Template: DomainController, Domain Controller
    Cert Hash(sha1): f0 a9 64 ed 15 20 36 9a 49 f6 26 a2 81 f9 a9 aa d1 8a 63 cb
    dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_NT_AUTH
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 4 Days, 18 Hours, 38 Minutes, 23 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 4 Days, 18 Hours, 38 Minutes, 23 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    NotBefore: 25.4.2009 11:16
    NotAfter: 25.4.2010 11:26
    Subject: CN=dc1.alz.lcl
    Serial: 2762bc2d000000000010
    SubjectAltName: DNS Name=dc1.alz.lcl
    Template: DomainController
    f0 a9 64 ed 15 20 36 9a 49 f6 26 a2 81 f9 a9 aa d1 8a 63 cb
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 26:
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    1d ec 90 16 e1 e6 a9 d1 a6 21 86 e1 e7 74 67 21 76 4b 08 2d
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    NotBefore: 29.10.2008 21:01
    NotAfter: 29.10.2023 21:11
    Subject: CN=alz-DC2-CA, DC=alz, DC=lcl
    Serial: 7448a8e9cf2ce4a54bff3fd59861e85c
    Template: CA
    f6 65 71 1f c1 b4 b1 0c 56 e7 05 81 cf cc ff e3 44 78 15 7b
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    2f ea 55 3c 14 97 75 a0 fc a5 ba b6 16 8e ee 58 98 45 02 59
    Full chain:
    63 84 99 01 00 2a 26 cc cc 9c c4 78 18 96 ce d5 0d cc fa 39
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    Certificate 1:
    Serial Number: 318c3c3e000000000011
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    NotBefore: 27.4.2009 10:37
    NotAfter: 27.4.2010 10:47
    Subject: CN=dc1.alz.lcl
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    Cert Hash(sha1): 52 61 f1 d8 69 98 c6 32 3b b6 bd ae fc 14 53 4b 1a 63 df c4
    dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_NT_AUTH
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 4 Days, 18 Hours, 38 Minutes, 23 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 4 Days, 18 Hours, 38 Minutes, 23 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    NotBefore: 27.4.2009 10:37
    NotAfter: 27.4.2010 10:47
    Subject: CN=dc1.alz.lcl
    Serial: 318c3c3e000000000011
    SubjectAltName: DNS Name=dc1.alz.lcl
    Template: Domain Controller Authentication
    52 61 f1 d8 69 98 c6 32 3b b6 bd ae fc 14 53 4b 1a 63 df c4
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 26:
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    1d ec 90 16 e1 e6 a9 d1 a6 21 86 e1 e7 74 67 21 76 4b 08 2d
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    NotBefore: 29.10.2008 21:01
    NotAfter: 29.10.2023 21:11
    Subject: CN=alz-DC2-CA, DC=alz, DC=lcl
    Serial: 7448a8e9cf2ce4a54bff3fd59861e85c
    Template: CA
    f6 65 71 1f c1 b4 b1 0c 56 e7 05 81 cf cc ff e3 44 78 15 7b
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    6b cd 54 13 eb a6 15 8c 33 9a e6 cc 66 d3 55 04 5c c7 7e 79
    Full chain:
    a4 ed c9 f7 6b e3 39 71 d9 df 7e 08 d6 d0 a3 ab ad c7 fb 49
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    2 KDC certs for DC1
    CertUtil: -DCInfo command FAILED: 0x80092004 (-214688562
    CertUtil: Cannot find object or property.

    Does anybody know how to fix it?

    Thanks for the help.

    Caspi

  • #2
    Re: Certificates in AD

    Hi again,

    The problem with no certs in the Enterprise Root store was solved by:

    certutil -enterprise -addstore Root certifikat.cer

    But on DC1 there is still event ID 29.

    This is certutil.exe -dcinfo verify:

    0: DC2
    1: DC1
    *** Testing DC[1]: DC1
    ** Enterprise Root Certificates for DC DC1
    Certificate 0:
    Serial Number: 7448a8e9cf2ce4a54bff3fd59861e85c
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    NotBefore: 29.10.2008 21:01
    NotAfter: 29.10.2023 21:11
    Subject: CN=alz-DC2-CA, DC=alz, DC=lcl
    Certificate Template Name (Certificate Type): CA
    CA Version: V0.0
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority
    Cert Hash(sha1): f6 65 71 1f c1 b4 b1 0c 56 e7 05 81 cf cc ff e3 44 78 15 7b
    ** KDC Certificates for DC DC1
    Certificate 0:
    Serial Number: 2762bc2d000000000010
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    NotBefore: 25.4.2009 11:16
    NotAfter: 25.4.2010 11:26
    Subject: CN=dc1.alz.lcl
    Certificate Template Name (Certificate Type): DomainController
    Non-root Certificate
    Template: DomainController, Domain Controller
    Cert Hash(sha1): f0 a9 64 ed 15 20 36 9a 49 f6 26 a2 81 f9 a9 aa d1 8a 63 cb
    dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_NT_AUTH
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 4 Days, 19 Hours, 51 Minutes, 6 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 4 Days, 19 Hours, 51 Minutes, 6 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    NotBefore: 25.4.2009 11:16
    NotAfter: 25.4.2010 11:26
    Subject: CN=dc1.alz.lcl
    Serial: 2762bc2d000000000010
    SubjectAltName: DNS Name=dc1.alz.lcl
    Template: DomainController
    f0 a9 64 ed 15 20 36 9a 49 f6 26 a2 81 f9 a9 aa d1 8a 63 cb
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 26:
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    1d ec 90 16 e1 e6 a9 d1 a6 21 86 e1 e7 74 67 21 76 4b 08 2d
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    NotBefore: 29.10.2008 21:01
    NotAfter: 29.10.2023 21:11
    Subject: CN=alz-DC2-CA, DC=alz, DC=lcl
    Serial: 7448a8e9cf2ce4a54bff3fd59861e85c
    Template: CA
    f6 65 71 1f c1 b4 b1 0c 56 e7 05 81 cf cc ff e3 44 78 15 7b
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    2f ea 55 3c 14 97 75 a0 fc a5 ba b6 16 8e ee 58 98 45 02 59
    Full chain:
    63 84 99 01 00 2a 26 cc cc 9c c4 78 18 96 ce d5 0d cc fa 39
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    Certificate 1:
    Serial Number: 318c3c3e000000000011
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    NotBefore: 27.4.2009 10:37
    NotAfter: 27.4.2010 10:47
    Subject: CN=dc1.alz.lcl
    Non-root Certificate
    Template: DomainControllerAuthentication, Domain Controller Authentication
    Cert Hash(sha1): 52 61 f1 d8 69 98 c6 32 3b b6 bd ae fc 14 53 4b 1a 63 df c4
    dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_NT_AUTH
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 4 Days, 19 Hours, 51 Minutes, 6 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 4 Days, 19 Hours, 51 Minutes, 6 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    NotBefore: 27.4.2009 10:37
    NotAfter: 27.4.2010 10:47
    Subject: CN=dc1.alz.lcl
    Serial: 318c3c3e000000000011
    SubjectAltName: DNS Name=dc1.alz.lcl
    Template: Domain Controller Authentication
    52 61 f1 d8 69 98 c6 32 3b b6 bd ae fc 14 53 4b 1a 63 df c4
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 26:
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    1d ec 90 16 e1 e6 a9 d1 a6 21 86 e1 e7 74 67 21 76 4b 08 2d
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=alz-DC2-CA, DC=alz, DC=lcl
    NotBefore: 29.10.2008 21:01
    NotAfter: 29.10.2023 21:11
    Subject: CN=alz-DC2-CA, DC=alz, DC=lcl
    Serial: 7448a8e9cf2ce4a54bff3fd59861e85c
    Template: CA
    f6 65 71 1f c1 b4 b1 0c 56 e7 05 81 cf cc ff e3 44 78 15 7b
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Exclude leaf cert:
    6b cd 54 13 eb a6 15 8c 33 9a e6 cc 66 d3 55 04 5c c7 7e 79
    Full chain:
    a4 ed c9 f7 6b e3 39 71 d9 df 7e 08 d6 d0 a3 ab ad c7 fb 49
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    2 KDC certs for DC1
    CertUtil: -DCInfo command completed successfully.


    Thanks

    Caspi
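    The checks behind the two commands above, as an added worked example (this is not code from Caspi's posts or from Microsoft). It assumes the CA certificate has been exported to C:\Temp\alz-DC2-CA.cer (an assumed path) and that it runs in an elevated PowerShell on a DC as an Enterprise Admin. The DC names and the CA name come from the thread; everything else is an assumption.

```powershell
# Added example, not code from the original thread.
# Assumptions (not from the posts): the CA cert is exported to C:\Temp\alz-DC2-CA.cer
# and this runs elevated on a DC with Enterprise Admin rights (needed for -dspublish).
param(
    [string]$CaCertPath = 'C:\Temp\alz-DC2-CA.cer',  # assumed path
    [switch]$Publish                                 # actually publish the CA to AD
)
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
# certutil prints SHA-1 hashes as lowercase byte pairs separated by spaces
$caHash = (($ca.Thumbprint -replace '(..)', '$1 ').Trim()).ToLower()
Write-Host "CA: $($ca.Subject)  sha1: $caHash"

# 1. certutil -dcinfo verify chains KDC certs under CERT_CHAIN_POLICY_NT_AUTH,
#    so the issuing CA must be in the NTAuth store, not only in Trusted Root.
#    "No certs in Ent Root store" / 0x80092004 means the enterprise Root store is empty.
foreach ($store in 'NTAuth', 'Root') {
    $dump = certutil -enterprise -store $store | Out-String
    if ($dump -match [regex]::Escape($caHash)) {
        Write-Host "OK      : CA present in enterprise $store store"
    } else {
        Write-Warning "CA missing from enterprise $store store"
    }
}

# 2. Publishing into AD fixes every DC at once instead of -addstore on each one:
#    -dspublish writes to the forest-wide NTAuthCertificates / Certification
#    Authorities containers and autoenrollment (certutil -pulse) refreshes the
#    local enterprise stores from there.
if ($Publish) {
    certutil -dspublish -f $CaCertPath NTAuthCA
    certutil -dspublish -f $CaCertPath RootCA
    certutil -pulse
}

# 3. The KDC needs a cert in the local Personal store whose PRIVATE KEY is on this
#    DC (a .cer copied from another DC has none) and which carries the
#    Smart Card Logon EKU; the Domain Controller template alone does not.
$kdcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $_.HasPrivateKey -and ($oids -contains $SmartCardLogonOid)
}
if ($kdcCerts) {
    $kdcCerts | ForEach-Object { Write-Host "OK      : KDC cert $($_.Subject) expires $($_.NotAfter)" }
} else {
    Write-Warning "No usable KDC cert: enroll on THIS DC from the Domain Controller Authentication (or Kerberos Authentication) template so the private key is generated here"
}

# 4. Re-run the DC check; only 'completed successfully' counts.
$dcinfo = certutil -dcinfo verify | Out-String
if ($dcinfo -match 'command completed successfully') {
    Write-Host 'OK      : certutil -dcinfo verify succeeded'
} else {
    $dcinfo -split "`n" | Where-Object { $_ -match 'FAILED|No certs|not trusted' } | ForEach-Object { Write-Warning $_ }
}

# 5. Has the KDC logged event 29 again since the fix?
$ev = Get-WinEvent -FilterHashtable @{
        LogName = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id = 29 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ev) { Write-Warning "Last KDC event 29 at $($ev.TimeCreated)" }
else     { Write-Host 'OK      : no KDC event 29 in the System log' }
```

    Run it once without -Publish to see which store is missing the CA, then with -Publish from one DC; after that the per-DC -addstore commands are no longer needed because each DC pulls the CA from AD. Step 3 is the check that explains the "no private key on DC1" symptom: a certificate exported from DC2 can never serve as DC1's KDC certificate, it has to be enrolled on DC1 itself.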


    • #3
      Re: Certificates in AD

      Thanks for the feedback. Glad it's sorted.



      • #4
        Re: Certificates in AD

        I need help with the CA in Windows 2008. I can only create a custom request from the Certificates snap-in. If I try to use a cert for a new request I get: Certificate types are not available. How can I enable them? I found certificate templates in MMC and made a copy of the Domain Controller template for Windows 2008. In the Security tab I issued rights for Administrator. I still cannot use it.
        Thanks

        Caspi



        • #5
          Re: Certificates in AD

          I solved the problem by uninstalling the Standalone Root CA and installing an Enterprise Root CA.
          Thanks

          Caspi
