Certificate Authority; Do I need it?
  • #1

    All,

    Very happy to be a new member of the forums. I have (silently) used the forums for some time and managed to find my answers without posting. However, I was not able to find a good answer for this one:

    I recently took over a Windows Server 2003 Domain with three DCs, a file and Exchange Server (2003).

    I built a new Exchange server and successfully migrated everything to the new server. Everything has been working fine for three weeks, so I shut down the old Exchange server for a week just to be sure that everything worked before removing it from the domain. (This has been a successful practice for me for some time, and I am now reminded why.)

    After a week I started to notice event ID 20 showing up in the DC event logs.

    The text of the events: "The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data."

    After a little research I found that the old Exchange server had been configured as a (the) Certificate Authority for the Domain. This was performed by the previous admin in a failed attempt to create SSL Certs for RPC over HTTP. Anyway, I powered the old server back up, restarted Kerberos on the DCs and all is well. I discovered that each DC has a Domain Controller certificate from the old exchange server. These are currently the only valid certificates showing in the CA snap-in.

    Because I have never needed nor used CAs in any domains I managed prior to this I have to guess that they are not ~required~ for DCs to authenticate unless Smart Cards or other is used, which we are not.

    I also verified that no other CAs exist in the domain.

    Now my questions:

    Can I remove this CA?

    If so how do I do so without generating event 20s and/or impacting user/computer/server authentication?

    If I ~must~ retain a CA how can I successfully move it to another server?

    Thanx in advance!!

    Michael

  • #2
    Re: Certificate Authority; Do I need it?

    If there's a CA in the domain and autoenrollment is enabled, DCs will always pull certs for smart cards and SMTP replication. If you're not using these I would just back up and then delete the certs off the DCs.



    • #3

      Originally posted by Garen:
      If there's a CA in the domain and autoenrollment is enabled, DCs will always pull certs for smart cards and SMTP replication. If you're not using these I would just back up and then delete the certs off the DCs.
      Thank you for the quick reply!

      I checked the DC Group Policies and do not find that autoenrollment is enabled through policy. Can I assume that it is enabled by default or perhaps the previous admin enabled them?

      Is simply disabling autoenrollment before revoking and removing the CA a suitable solution?

      What would the pros/cons be to disabling autoenrollment altogether?

      Thanx again!



      • #4

        Autoenrollment isn't enabled by default.
        You can also check the permissions of the certificates in the Certificate console to see if any certificate is enabled for auto-enrollment.
        You can view that in the Security tab of the certificate.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5

          Originally posted by Dumber:
          Autoenrollment isn't enabled by default.
          You can also check the permissions of the certificates in the Certificate console to see if any certificate is enabled for auto-enrollment.
          You can view that in the Security tab of the certificate.

          Excuse me please, I mis-spoke. Believing that only DCs were using the CA I only looked into the domain controller policy. Following your response I went back to check again and found that, in fact, autoenrollment is enabled in the 'default domain policy'. Here are the relevant entries:

          Enroll certificates automatically: Enabled
          Renew expired certificates, update pending certificates, and remove revoked certificates: Disabled
          Update certificates that use certificate templates: Disabled

          So, if I simply disable the first I should be able to revoke the existing certs then decommission the CA and press on with pride. Right?

          Thanx!!

          Michael


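The three things this thread keeps circling back to (#1: why the KDC logs event 20 once the CA box is off; #2: back up and delete the DC certs; #5: the autoenrollment policy that would silently re-enroll them) can be checked from one script. The following is an added example written for this page, not code from the thread or from Microsoft's KB articles. It assumes PowerShell 2.0 or later running elevated on a DC, a placeholder CA common name (`OLD-EXCHANGE-CA`, taken from the Issuer field of the DC certificate) and a placeholder backup folder; both are parameters. It reports by default and deletes only with `-Remove`, and only after the machine autoenrollment policy reads as explicitly Disabled, because a DC with autoenrollment still on will simply enroll again at the next policy refresh.

```powershell
<#
 Added example, not code from the thread. Run elevated on a DC with PowerShell 2.0+.
 Assumptions: the old CA's common name (-CaName) and a backup folder (-BackupDir)
 are placeholders. Reports first; deletes only with -Remove, and only once the
 machine autoenrollment policy is explicitly Disabled.
#>
param(
    [string]$CaName    = 'OLD-EXCHANGE-CA',   # assumed placeholder: CN from the cert's Issuer field
    [string]$BackupDir = 'C:\CertBackup',     # assumed placeholder
    [switch]$Remove
)

function Get-MachineAutoEnrollmentPolicy {
    # The GPO "Certificate Services Client - Auto-Enrollment" writes this REG_DWORD.
    # Key absent = Not Configured. Bit meanings as documented for AEPolicy:
    #   0x8000 disabled; 0x1 renew expired/update pending/remove revoked; 0x2 update template certs.
    # "Enabled" with both sub-options unchecked (the state in post #5) is the value 0.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $v = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $v)    { return 'Not configured' }
    if ($v -band 0x8000) { return 'Disabled' }
    $opts = @()
    if ($v -band 0x1) { $opts += 'renew/update/remove revoked' }
    if ($v -band 0x2) { $opts += 'update template certs' }
    if ($opts.Count -eq 0) { return 'Enabled (sub-options off)' }
    return 'Enabled: ' + ($opts -join '; ')
}

function Get-CaIssuedCerts([string]$IssuerCn) {
    # Certificates in the machine Personal store whose Issuer carries CN=<IssuerCn>.
    $pattern = '(^|,\s*)CN=' + [regex]::Escape($IssuerCn) + '(,|$)'
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -match $pattern }
}

function Test-CertChain($Cert) {
    # Build the chain with an online revocation check, as the KDC does. With the issuing
    # CA powered off its CRL cannot be fetched, so a cert that chained fine last week now
    # fails with RevocationStatusUnknown/OfflineRevocation: the "once valid, now invalid"
    # chain status that event 20 puts in its error data.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'        # string is coerced to the enum
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $status = if ($chain.Build($Cert)) { 'Valid' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuNames = if ($eku) { ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ' } else { '' }
    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        EKU        = $ekuNames
        Chain      = $status
    }
}

function Backup-Cert($Cert, [string]$Dir) {
    # DER copy of the public certificate. An enrolled DC key is normally not exportable,
    # so this records what was installed; it is not a restorable PFX.
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    $path = Join-Path $Dir ($Cert.Thumbprint + '.cer')
    [IO.File]::WriteAllBytes($path, $Cert.Export('Cert'))
    $path
}

# --- main ---
$policy = Get-MachineAutoEnrollmentPolicy
"Machine autoenrollment policy: $policy"
$certs = @(Get-CaIssuedCerts $CaName)
"Certificates issued by CN=$CaName in LocalMachine\My: $($certs.Count)"
$certs | ForEach-Object { Test-CertChain $_ } | Format-List Subject, Thumbprint, NotAfter, EKU, Chain

if ($Remove) {
    # "Not configured" leaves the OS default in charge; require an explicit Disabled so the
    # DC cannot re-enroll against the CA at the next policy refresh.
    if ($policy -ne 'Disabled') { throw "Autoenrollment policy is '$policy'; disable it first." }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    foreach ($c in $certs) {
        'Backed up to ' + (Backup-Cert $c $BackupDir)
        $store.Remove($c)
        'Removed ' + $c.Thumbprint
    }
    $store.Close()
}
```

Run it once without `-Remove` on each DC and read the Chain column: a cert whose status is only `RevocationStatusUnknown`/`OfflineRevocation` while the CA is off, and `Valid` once it is back on, is exactly the symptom described in post #1. Before touching the DCs at all, take a backup of the CA itself on the old server (`certutil -backup <folder>`) so it can be restored if something does turn out to depend on it; that is also the thread's own advice in #11.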

          • #6

            Well, I disabled "Auto-enrollment" then revoked and deleted the Domain Controller Certificate on one of my DCs to see what would happen. Once I did this I began to see KDC errors, this time Event ID 7:

            "The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was <username>@<DOMAIN.LOCAL> and lookup type 0x20."

            I researched this error and found only references to time sync problems and passwords. Neither of which is likely to be the cause, based primarily on timing, not to mention that the domain time is accurate and I did not change any passwords.

            Advice?

            Direction?

            Thanx in advance!!

            Michael
            Last edited by sjcadmin; 25th March 2009, 12:16. Reason: Changed text size to default



            • #7

              Michael,
              Keep the text size to the default settings.

              Also, are the certificates removed/revoked on the clients?


              • #8

                Originally posted by Dumber:
                Michael,
                Keep the text size to the default settings.

                Also, are the certificates removed/revoked on the clients?
                Sorry about the text size. I did not intentionally change it. Must have happened with the copy/pasting of the error text.

                Anyhow, when you say 'clients' are you referring to the DC or the client computer for the user listed in the text of the error log?

                I do not show ~any~ certificates issued to clients (except my three DCs) by this, the only CA in my organization.

                Thanx in advance!!
                Michael



                • #9

                  Hi,

                  Is this any good: http://support.microsoft.com/kb/889250
                  Or this: http://support.microsoft.com/kb/555894
                  Caesar's cipher - 3

                  ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                  SFX JNRS FC U6 MNGR



                  • #10

                    Originally posted by L4ndy
                    Thanx L4ndy!

                    I have seen both and guess I just need to go for it and do the first. Perhaps it's just my ignorance of CAs, but I have always been concerned about one thing, though:

                    If I remove this, the only certificate authority in my domain, will user or computer login be negatively impacted?

                    Thanx again!!

                    Michael



                    • #11

                      I wouldn't have thought so unless certificate-based authentication is required (i.e. smart cards, wireless...).
                      AFAIK, Kerberos is used during the logon process.
                      However, keeping a backup just in case won't do any harm.


                      • #12

                        Well I am stuck already... <sigh>

                        I am decommissioning the CA using the process detailed in http://support.microsoft.com/kb/889250

                        When I get to step 6-1 in which I am to find the CACommonName using LDP.EXE I get the following error:

                        "Cannot Open Connection"

                        Is there another way (ADSIEDIT?) to determine the CACommonName?

                        or

                        Is there a way to get past the LDP.exe error?

                        Thanx in advance!

                        Michael


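The step that stalls in post #12 (finding CACommonName and the related objects with LDP.EXE, step 6 of KB 889250) is an LDAP lookup in the Configuration partition, and the same objects are reachable from PowerShell without LDP or ADSIEdit. The script below is an added example written for this page, not code from the thread or from the KB. It assumes a domain-joined host, a domain admin session, and the default `CN=Public Key Services,CN=Services,<configuration NC>` container layout; nothing in it is site-specific. It is read-only: it prints the enrollment service (whose `cn` is the CACommonName), the `certificationAuthority` objects with their parsed CA certificates, the CRL containers, and what NTAuthCertificates currently trusts. The deletions themselves stay with the KB steps.

```powershell
<#
 Added example, not code from the thread. Read-only inventory of the PKI objects in the
 Configuration partition that KB 889250 has you locate with LDP.EXE, using [ADSI] over LDAP.
 Run as a domain admin on a domain-joined host. Assumption: default Public Key Services path.
#>
$root   = [ADSI]'LDAP://RootDSE'
$config = [string]$root.configurationNamingContext          # CN=Configuration,DC=...
$pks    = "CN=Public Key Services,CN=Services,$config"

function Get-Children([string]$Dn) {
    # Child objects of a container, as DirectoryEntry objects (psbase: raw .NET members).
    ([ADSI]"LDAP://$Dn").psbase.Children
}
function Get-Attr($Entry, [string]$Name) { $Entry.psbase.Properties[$Name].Value }
function Convert-CaCert($Der) {
    # cACertificate values are DER-encoded; parse them to read subject/thumbprint/expiry.
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$Der)
}

# 1. Enrollment Services: one pKIEnrollmentService per enterprise CA. Its cn is the
#    CACommonName the KB asks for; dNSHostName is the server hosting the CA.
"== CN=Enrollment Services,$pks =="
foreach ($o in Get-Children "CN=Enrollment Services,$pks") {
    "CACommonName : " + (Get-Attr $o 'cn')
    "CA host      : " + (Get-Attr $o 'dNSHostName')
    "DN           : " + (Get-Attr $o 'distinguishedName')
}

# 2. Certification Authorities and AIA: certificationAuthority objects carrying the CA
#    certificate(s). Domain members pull root CA certs from Certification Authorities into
#    their trusted-root store; the AIA copy serves LDAP AIA lookups during chain building.
foreach ($container in 'Certification Authorities', 'AIA') {
    "== CN=$container,$pks =="
    foreach ($o in Get-Children "CN=$container,$pks") {
        "Object: " + (Get-Attr $o 'cn')
        foreach ($der in $o.psbase.Properties['cACertificate']) {
            $c = Convert-CaCert $der
            "  cert: $($c.Subject)  thumbprint=$($c.Thumbprint)  expires=$($c.NotAfter)"
        }
    }
}

# 3. CDP: a container per CA server, each holding cRLDistributionPoint objects (published CRLs).
"== CN=CDP,$pks =="
foreach ($o in Get-Children "CN=CDP,$pks") {
    "CRL container: " + (Get-Attr $o 'cn')
    foreach ($crl in Get-Children (Get-Attr $o 'distinguishedName')) { "  " + (Get-Attr $crl 'cn') }
}

# 4. NTAuthCertificates: a single object whose multi-valued cACertificate lists the CAs
#    trusted to issue logon certificates (DC and smart card). Decommissioning removes the
#    old CA's certificate from this attribute; the object itself stays.
"== CN=NTAuthCertificates,$pks =="
$nt = [ADSI]"LDAP://CN=NTAuthCertificates,$pks"
foreach ($der in $nt.psbase.Properties['cACertificate']) {
    $c = Convert-CaCert $der
    "NTAuth: $($c.Subject)  thumbprint=$($c.Thumbprint)  expires=$($c.NotAfter)"
}
```

The first section answers the question directly: the `cn` printed under Enrollment Services is the CACommonName, and the `dNSHostName` confirms it is the old Exchange box. Compare the thumbprints printed for NTAuthCertificates against the Issuer of the DC certificates; as long as the old CA is still listed there, DCs that still hold its certificates will keep trying to chain to it. The same containers are visible in ADSIEdit under the Configuration partition if a GUI is preferred.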