Certificate Services gone rogue!


  • Certificate Services gone rogue!

    When experimenting with the Certificate Services Security settings I managed to delete all user/admin groups and set the rights of the local administrator (server admin) to only the enroll option. So as of now there is no group/user/admin who has either the "manage" or the "read" option. Meaning I can't even access the CA anymore, the service is completely inaccessible.

    When I try to open the Certificate Services the system responds with: Access is denied. 0x80070005 (WIN32:5).

    When I tried to uninstall the service it said: "An error was detected while configuring Certificate Services. The Certificate Services Setup wizard will need to be rerun to complete the configuration. Certificate Services setup failed with the following error: Access is denied. 0x80070005 (WIN32:5)"

    I have already rebooted the server multiple times with no change.

    As of now, Certificate Services is neither to be found in the Administrative tools nor in the Services windows, which makes me believe the service is completely uninstalled. But still when trying to reinstall the service the same error occurs.


    Is there any way to completely remove Certificate Services that I haven't tried yet?


    Thanks in advance,

  • #2
    Re: Certificate Services gone rogue!

    I assume you are playing with the Enterprise CA since you are talking about Auto-Enrollment.
    Well in that case have a look at this article:
    http://support.microsoft.com/kb/555151
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Certificate Services gone rogue!

      Yes, I'm trying to uninstall the enterprise CA.
      But since I have no access to the service anymore this seems an impossible task.
      The problem has nothing to do with auto-enrollment though.

      I need to be able to reset the access control settings to the default ones for certificate services.
      Is it possible to set the restrictions on using a particular service to the default by deleting their location in the registry? If so, how would this be done?
      Last edited by Amaryd; 1st October 2009, 15:27.



      • #4
        Re: Certificate Services gone rogue!

        If you go into ADSIEdit and browse through to Configuration\Services\Public Key Services and open properties and look at the security, do you have access? If not, perhaps you could take ownership.



        • #5
          Re: Certificate Services gone rogue!

          What Scott said, if it's Enterprise restore the permissions with ADSIEdit, if it's standalone just rebuild the server.



          • #6
            Re: Certificate Services gone rogue!

            Granting myself permission through ADSIEdit doesn't seem to make a difference.
            Even when I give every user full control, I still get the access denied 0x5 (5) error when trying to access anything that has to do with Certificate Services.

            Rebuilding the server is not an option as it's the primary domain controller.



            • #7
              Re: Certificate Services gone rogue!

              Darn, thought that would work. Did you push the permissions down to all child objects? If you did, I think that rules out the directory.

              The other place I guess I'd check is HKLM\System\CurrentControlSet\Services\CertSrv. I originally installed our Enterprise CA and it's got my Enterprise Admin ID in there.



              • #8
                Re: Certificate Services gone rogue!

                Yeah I pushed them all down to child objects as well.

                I did check HKLM\System\CurrentControlSet\Services\CertSrv but not sure what u mean with ur enterprise admin ID is in there.
                What am I supposed to do in there?
                Change the security binary key? And to what value would I be changing it to?

                I installed Windows Server 2000 on a standalone server for testing purposes atm. I copied the security key from HKLM\System\CurrentControlSet\Services\CertSrv, saved in a .txt file.
                Then I reproduced the problem by removing all permissions from the security tab in Certificate Services to the point not even the system administrator can access it. Then I went to check the security key again in HKLM\System\CurrentControlSet\Services\CertSrv and did notice it was a different set. Though copying the old (working one) security key over didn't change one thing. The access denied error 05 still roams freely on my server! Help!

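Post #8 compares the saved and the changed CertSrv security value by eye. As an added example (not code from any poster in this thread), the Python below decodes two such binary values and reports which access-control entries changed. It assumes the value is a standard self-relative Windows security descriptor; the two sample descriptors and their mask values are constructed and arbitrary, not real CA rights.

```python
import struct

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def parse_dacl(sd):
    """Return {(ace_type, sid): mask} for the DACL of a self-relative descriptor."""
    dacl_off = struct.unpack_from("<BBHIIII", sd, 0)[6]
    if dacl_off == 0:
        return {}  # descriptor carries no DACL
    ace_count = struct.unpack_from("<BBHHH", sd, dacl_off)[3]
    aces, off = {}, dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type in (0, 1):  # access-allowed / access-denied; object ACEs skipped
            key = (ace_type, parse_sid(sd, off + 8))
            aces[key] = aces.get(key, 0) | mask
        off += ace_size
    return aces

def diff_dacl(before, after):
    """List (sid, ace_type, old_mask, new_mask) for every entry that differs."""
    old, new = parse_dacl(before), parse_dacl(after)
    return sorted((sid, t, old.get((t, sid)), new.get((t, sid)))
                  for (t, sid) in old.keys() | new.keys()
                  if old.get((t, sid)) != new.get((t, sid)))

def build_sd(entries):
    """Build a constructed descriptor holding only a DACL (sample data only)."""
    aces = b""
    for subs, mask in entries:
        sid = (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
               + struct.pack("<%dI" % len(subs), *subs))
        aces += struct.pack("<BBHI", 0, 0, 8 + len(sid), mask) + sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(entries), 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

# Constructed samples: Administrators (S-1-5-32-544) and Authenticated Users (S-1-5-11).
BEFORE = build_sd([((32, 544), 0x3), ((11,), 0x1)])
AFTER = build_sd([((32, 544), 0x2)])

if __name__ == "__main__":
    for sid, ace_type, old, new in diff_dacl(BEFORE, AFTER):
        print(sid, "type", ace_type, "mask", old, "->", new)
```

A `None` on either side means the entry exists in only one of the two descriptors, which is how a removed group shows up.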


                • #9
                  Re: Certificate Services gone rogue!

                  So you don't have permissions on the registry keys you need?
                  Can't you take the ownership of the keys?
                  Marcel


                  • #10
                    Re: Certificate Services gone rogue!

                    I do have access to the registry key, as I said in my previous post I managed to change the registry key, but it didn't solve the problem.



                    • #11
                      Re: Certificate Services gone rogue!

                      Can you clarify where it was that you modified the ACL? I tried to recreate your problem on a sandbox VM. I went into the Certificate Authority snap-in, then the properties of the CA, and in the security tab attempted to remove the Administrators group and close out. I received an error that "At least one security principal must have permission to manage this CA."



                      • #12
                        Re: Certificate Services gone rogue!

                        That's exactly where the ACL is that locked me out.
                        So you should remove all usergroups except the administrator one, which you obviously can't remove completely.
                        But then you can manage the administrator group by clicking the checkboxes next to MANAGE, ENROLL, READ. If you play around a bit with these checkboxes it is possible to apply only the enroll permission to the administrator group, which then successfully locks you out of the certificate service. It might take you a couple of times of pressing the apply / ok button, but the system will allow it.
                        And if it does, welcome in hell



                        • #13
                          Re: Certificate Services gone rogue!

                          If I go into the properties of the CA and view the security tab, the only permissions I have are Read, Issue and Manage Certificates, Manage CA, and Request Certificates. In my experience Enroll is a certificate template permission.

                          In any case, I think if you just wanted to dig it out and start over you could use the KB article Dumber posted at the beginning.



                          • #14
                            Re: Certificate Services gone rogue!

                            Are you sure you are using Windows Server 2000? As I only have 3 permissions options in that security tab. Manage / Enroll / Read.



                            • #15
                              Re: Certificate Services gone rogue!

                              I did already try the KB article Dumber posted in the beginning of this thread. And while I can complete the steps with success, I still can't uninstall the CA completely nor can I reinstall it. The same access denied error keeps popping up.
