certificate services
Active Directory Certificate Services with Azure Key Vault Virtual HSM

Hi all (and I hope also Microsoft folk in the security and AD CS arenas), with Azure adoption etc. and the GA a while ago of Azure Key Vault virtual HSM, it seems to me that it would be a significant enhancement of AD CS security to use Azure Key Vault virtual HSM to host the AD CS server certificate keys. Most third-party (virtual) HSMs come with instructions, agents, custom key service providers etc. to enable the external hosting of, and access from the Windows host to, the certificate key. I can only find (quite old) information for SQL, which seemingly adds a custom KSP to SQL rather than to the OS. Has anyone else had a go at or implemented this yet?

Unable to change DCOM permissions. Any changes are being reverted. Enrollment of Certificates errors
After 10 years, our Root/Enterprise CA stopped enrolling certificates with a generic access denied message. After several weeks and a lot of hours spent trying to solve it for ourselves, we decided to open a paid support case at MS.

So, with the help of Microsoft Premier Support, we started a brand-new/fresh PKI, with two Win2022 servers, Root/Std and SubEnterprise... but the errors are exactly the same. To no avail; it was frustrating because the MSPS was not capable of achieving anything in their almost 27 hours of time spent, besides doing the same checks all over again and again, collecting logs to see that it was an access denied error, and only using public KB articles and the same set of basic stuff that had been done before.

Now, I discovered that the issue is related to computer permissions for DCOM (dcomcnfg.exe), on which we give the proper permissions and, after some hours, the DCOM permissions are forcibly set back to their original state. So, when we add some entities with rights on DCOM, the enrollment of certificates works very well, but after some time it stops again.

So, now I can accelerate the process: doing a simple "gpupdate", EVEN WITH NO GPOs applied, AT ALL, the DCOM permission changes are reverted back to the original ones and the enrollment stops again.

Tracing with procmon:
RegOpenKey HKLM\SOFTWARE\Microsoft\OLE
Desired Access: Query Value, Set Value

So, the moment the permissions go back to their original state is here, and the process is: C:\Windows\system32\svchost.exe -k DcomLaunch -p, so DCOM itself, it appears to me.

So: how to avoid this? The closest thing I was able to find, someone with the same problem, is an article for a DCOM app called Matrikon (RPC tunneled app) saying that if we add a "dummy" user to the permissions, it should solve it, but in my case it doesn't work.

So... any advice? Anything I should try?
No useful info in the Event Viewer System/Application logs.

Similar problem, another app: https://honeywellprocess.my.site.com/opcsupport/s/article/CHECKWhy-wont-my-DCOM-changes-stick-REF-KB-408
"... If you are changing the Security settings from Default to Customize and it is not necessary to add any new users, when you leave DCOM configuration it will change the settings back to default. ..."

CertEnroll folder permission needs a change

Currently, we are using Windows Server 2019 for Certificate Services and, as of now, this folder's permissions are set to "Everyone" as read-only. We want to change this permission to "Authenticated Users". If we change this permission to "Authenticated Users", will this change break anything?
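Both the DCOM thread and the CertEnroll thread above come down to the same practical need: capture the exact permission state on the CA host before and after something changes it, so a revert (the DCOM case, where the poster sees svchost -k DcomLaunch writing under HKLM\SOFTWARE\Microsoft\OLE) or a planned ACL edit (the CertEnroll case) can be diffed instead of eyeballed in dcomcnfg or Explorer. The script below is an added example written for this page; it is not code from either poster or from Microsoft. It reads the four machine-wide DCOM security descriptors that dcomcnfg stores as REG_BINARY values under HKLM\SOFTWARE\Microsoft\OLE (DefaultAccessPermission, DefaultLaunchPermission, MachineAccessRestriction, MachineLaunchRestriction; a missing value means the built-in default is in force, which is the "Default vs Customize" distinction the Honeywell article refers to), renders them as SDDL, lists the CertEnroll folder ACEs, and writes both to a JSON snapshot that a second run can be compared against. The CertEnroll path defaults to %SystemRoot%\System32\CertSrv\CertEnroll, which is an assumption; pass -Path if your CA publishes elsewhere. Run it elevated on the CA.

```powershell
# Added example for the DCOM-revert and CertEnroll-ACL questions above (not the posters' code).
# Snapshots the machine-wide DCOM security descriptors and the CertEnroll folder ACL to JSON,
# and diffs two snapshots. Run in an elevated PowerShell session on the CA host.

$OleKey = 'HKLM:\SOFTWARE\Microsoft\OLE'
# dcomcnfg writes "Edit Default" / "Edit Limits" as binary security descriptors here.
# When a value is absent, the built-in default applies (nothing customized was saved).
$DcomValues = 'DefaultAccessPermission', 'DefaultLaunchPermission',
              'MachineAccessRestriction', 'MachineLaunchRestriction'

function Get-DcomMachineSddl {
    # Returns an ordered table: value name -> SDDL string, or a marker if the value is absent.
    $result = [ordered]@{}
    foreach ($name in $DcomValues) {
        $bytes = (Get-ItemProperty -Path $OleKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $bytes) {
            $result[$name] = '<absent: built-in default in force>'
            continue
        }
        # REG_BINARY holds a self-relative security descriptor; decode it to SDDL so that
        # individual ACEs (and whichever one the revert strips) are readable in a diff.
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
        $result[$name] = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    }
    return $result
}

function Get-CertEnrollAccess {
    # Lists every ACE on the CertEnroll folder. Default path is an assumption (standard CA layout).
    param([string]$Path = "$env:SystemRoot\System32\CertSrv\CertEnroll")
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value   # e.g. Everyone, NT AUTHORITY\Authenticated Users
            Rights    = $ace.FileSystemRights.ToString()
            Type      = $ace.AccessControlType.ToString()
            Inherited = $ace.IsInherited
        }
    }
}

function Save-CaPermissionSnapshot {
    param([Parameter(Mandatory)][string]$OutFile,
          [string]$CertEnrollPath = "$env:SystemRoot\System32\CertSrv\CertEnroll")
    $snap = [ordered]@{
        Taken      = (Get-Date).ToString('o')
        Dcom       = Get-DcomMachineSddl
        CertEnroll = @(Get-CertEnrollAccess -Path $CertEnrollPath)
    }
    $snap | ConvertTo-Json -Depth 5 | Set-Content -Path $OutFile -Encoding UTF8
}

function Compare-CaPermissionSnapshot {
    # Prints every DCOM descriptor and CertEnroll ACE that differs between two snapshot files.
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $b = Get-Content -Path $Before -Raw | ConvertFrom-Json
    $a = Get-Content -Path $After  -Raw | ConvertFrom-Json
    foreach ($name in $DcomValues) {
        if ($b.Dcom.$name -ne $a.Dcom.$name) {
            "DCOM $name changed:`n  before: $($b.Dcom.$name)`n  after:  $($a.Dcom.$name)"
        }
    }
    $key  = { "$($_.Identity) | $($_.Rights) | $($_.Type)" }
    $bSet = @($b.CertEnroll | ForEach-Object $key)
    $aSet = @($a.CertEnroll | ForEach-Object $key)
    Compare-Object -ReferenceObject $bSet -DifferenceObject $aSet |
        ForEach-Object { "CertEnroll ACE $($_.SideIndicator) $($_.InputObject)" }   # <= removed, => added
}

# Usage (DCOM case, following the poster's reproduction):
#   Save-CaPermissionSnapshot -OutFile "$env:TEMP\ca-perms-before.json"   # right after fixing DCOM in dcomcnfg
#   gpupdate /force                                                        # the trigger the poster observed
#   Save-CaPermissionSnapshot -OutFile "$env:TEMP\ca-perms-after.json"
#   Compare-CaPermissionSnapshot -Before "$env:TEMP\ca-perms-before.json" -After "$env:TEMP\ca-perms-after.json"
Save-CaPermissionSnapshot -OutFile "$env:TEMP\ca-perms-before.json"
```

For the DCOM question the useful output is the SDDL diff: it shows whether the revert is a whole value disappearing (back to the built-in default, i.e. the "Default vs Customize" behaviour the Honeywell article describes) or a single ACE being removed from a still-customized descriptor, which is a different problem. For the CertEnroll question, take a snapshot before and after swapping Everyone for Authenticated Users and then test the paths that actually read the folder: the CA service itself runs as a domain-joined machine identity that is an authenticated user, but if CRL and AIA URLs are served over HTTP by IIS from this folder with anonymous authentication, that request runs as IUSR, whose token does not carry the Authenticated Users SID, so an HTTP CRL fetch (for example with certutil -URL against the published CDP) is the check to run before calling the change safe.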