certificate
5 Topics

User Certificate Template by Group Policy
I'm looking for a way to specify a certificate template to be autoenrolled for a set of users. What we did so far is:
- defined a new user specific template.
- defined the template security for the specific AD group the users belong to with read, enroll, autoenroll.
- defined a GPO to enable the autoenroll for the specific group.
However the autoenroll, at login, does not work and a pop-up notification appears saying that the user has to complete the enrollment. If the autoenroll is made manually it works, the template is shown and works fine.
1.6K Views, 0 likes, 1 Comment

Server 2019 no "Server Hello" when using TLS_RSA_WITH_AES_ ciphers (TLS1.2) schannel 36874
Hi. Hoping someone might have come across something similar, as the support forum entries are filled with irrelevant responses and tumbleweed.

A recently migrated CA cluster is not sending any TLS conversation completion when the client uses a cipher from the TLS_RSA_WITH_AES_* type (so TLS_RSA_WITH_AES_128_CBC_SHA256 or similar). This also seems to be negatively impacting RPC certificate enrolment from Windows 7 systems.

Using Nartac tools and manually (double, triple, quadruple) checking the registry settings myself, I can see that the ciphers are present in the list of supported/available ciphers. I can see that TLS1.2 is working. As soon as a client offers TLS_ECDH_* the server responds like an enthusiastic puppy. Using TLS_RSA_WITH_AES_ it ignores the traffic (no server hello or attempt to negotiate) and logs Schannel Errors 36874 in the server event log. I have verified this using Wireshark on client and server.

Whilst these are hosted in Azure there shouldn't be any network layer kit interfering with the connection. There is a standard load balancer which single routes all traffic to the active AD CS cluster node. No inspection or TLS termination should be occurring. There are no GPOs controlling anything to do with TLS or communication security (checked with gpresult and gpmc, along with repeated verification of the registry settings).

Has anyone seen anything like this before? Yes, I have been through the enabling TLS 1.2 articles a bajillion times and know where to enable TLS 1.2 for both Schannel and .NET. In need of more straws to clutch at.
1.1K Views, 0 likes, 0 Comments

RDS broker certificate warning
I am establishing a multiserver RDS setup. All users are domain users, but most clients are non-domain Windows and Macs, so I have a public 3rd party SAN certificate. It is not a .local domain.

The SAN certificate:
Subject: desktop.mydomain.com
SAN:
rdsgateway.mydomain.com (gateway and web access server)
rdsbroker.mydomain.com (broker)
rds1.mydomain.com (desktop host)
rds2.mydomain.com (desktop host)
rds3.mydomain.com (desktop host)

I have attached the SAN certificate to all roles in the deployment properties, and they all have a level of Trusted and status OK. Still, when I open the desktop collection rdp file in RDweb, I am prompted to accept the certificate for rdsbroker.mydomain.com. It is the correct certificate (desktop.mydomain.com) but it does not seem to accept the alternate name rdsbroker.mydomain.com.
1.1K Views, 0 likes, 0 Comments

2008 Certificate CA Server - Upgrade, Toss, Azure?
We have an old Windows 2008 R2 VM that has a CA installed on it. It has been giving out <domain>\<Machine>$ and <domain>\<User> certs. Nothing else on the machine. I've never been a fan of upgrading servers vs fresh installs. There are no certs on here besides the ones that it gave to the PCs and users. No special templates or anything. I may have used it for an Exchange Server, though I have a wildcard cert for that now. What is best to replace this CA? Do I need to replace it? Thanks!
750 Views, 0 likes, 0 Comments