Spat's WebLog (Steve Patrick)

When things go wrong...

Tagged Content List
  • Blog Post: Love the tubes..thank you Kiran Patil - base64 won't trick me again :)

    Thank God for the tubes!! I was banging my head against some errors today in some code which seemed pretty straightforward. Take some data, encrypt it via 3DES, encode it in base64, toss it over to some other system, decode, decrypt. However, randomly I would fail here: System...
  • Blog Post: HowTo: Map a user to a certificate via all the methods available in the altSecurityIdentities attribute

    Today I am going to talk a little bit about certificate mapping. This topic is somewhat related to my last post about disabling mapping, but once you disable UPN mapping, what type of mapping is available to you? The image below ( stolen from MSDN ) outlines the mapping of user accounts to...
  • Blog Post: HowTo: Disable UPN mapping for SmartCard logon

    <rant> good lord this is an ugly blog... I need to find the time to customize this hideous new theme </rant> It’s been a while since I’ve blogged about something around smartcards ( ha! ) , so here goes. Here is the basic setup. The smartcard certificate has the following...
  • Blog Post: Delete certificate from smartcard with Base Smart Card provider

    Just a reminder: Certutil -scinfo will list all the certs on the card: ================ Certificate 3 ================ --- Reader: Gemplus USB Smart Card Reader 0 --- Card: Axalto Cryptoflex .NET Provider = Microsoft Base Smart Card Crypto Provider Key Container = le-AuthMultiOID-e6c02f48-c2ee-4c0...
  • Blog Post: WSFederationAuthenticationModule (WSFAM) CryptographicException auth failure

    As you may have guessed from my recent posts, I was working on a first stab at some WIF work recently.. and the app was failing with the following error. The system cannot find the file specified. Description: An unhandled exception occurred during the execution of the current web request. Please...
  • Blog Post: Just a quick post on IIS7 cert mapping setup

    Install the role service under IIS At the Server level - enable DS mapping under authentication: Create the web site. Enable it for HTTPS ( bindings ) Set the site to require certs under: Enable the site : C:\Windows\SysWOW64\inetsrv> appcmd unlock config /section:clientCertificateMappingAuthentication...
  • Blog Post: Cool new features in 2k8 R2 for Certificate Services

    I really don't like posting about another post.. but it's too cool not to in this case :) There are some really awesome new features for Cert Services in 2k8 R2.. check it out in the Certificate Enrollment Web Services Whitepaper Original post: http://blogs.technet.com/pki/archive/2009/09/15/certificate...
  • Blog Post: Joining a domain via Smartcards

    http://technet.microsoft.com/en-us/library/cc721959.aspx A snip from the article: Smart card root certificate requirements for use when joining a domain When using a smart card to join a domain, the smart card certificate must comply with one of the following conditions: The smart...
  • Blog Post: Honey, I lost the (private) keys -- EFS keys missing?

    Interesting EFS issue the other day.. Customer was rolling out EFS, so they set up DRAs and this worked great. When they encrypted files the DRAs showed up just fine in the file information. However, when they went to decrypt a file via the assigned DRA account – it failed to recover the file. ...
  • Blog Post: Get Serial number, expiry date, subject name and subject alternative names in script

    The question was something like this: ..."What I need to be able to do is iterate through each certificate in the Local Machine’s Personal store and spit out at least the serial number, expiry date, subject name and subject alternative names." Here is the output: ------------------...
  • Blog Post: How to use Certificate Services Web enrollment pages together with Windows Vista or Windows Server 2008

    Wheww!! We finally have the matrix for what works, what doesn't and how to fix it :) http://support.microsoft.com/kb/922706/en-us SUMMARY The Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX control that is named Xenroll. This ActiveX...
  • Blog Post: EFS failures after upgrade to 2008

    FYI .. ( haven't had time to finish the kerb posts.. but here is an important FYI ) http://www.microsoft.com/downloads/details.aspx?FamilyID=fd786261-d278-40db-baf8-70f42d786223&displaylang=en Overview When a user encrypts a file stored on a Windows file server the actual encryption of the...
  • Blog Post: Putting CAPI2 logging to good use...

    So there was a problem with a printer which you could connect to via SSL in order to print via IPP. You go in and configure the printer via a web page like so: Create New Self-Signed Certificate Create a new self-signed certificate. Warning: This operation will overwrite the currently...
  • Blog Post: Is there any debug logs or tracing logs can help us to monitor certificate importing or EFS decrypting?

    This is a recent question I saw ... You can track detailed EFS events such as EFS decrypt\encrypt and EFS engine cert enrollment via the EFS debug logging in Vista. In addition – Vista has new DPAPI logging for auditing its usage ( DPAPI is what EFS uses to protect its keys so you should...
  • Blog Post: Notify users of cert expiration...

    A recent mail thread was asking about querying for certs about to expire and notifying the users of this. You could do it a few ways.. Run some kind of svc\logon script etc.. on the clients - which tracked the stores and cert data. Query the CA DB directly for certs about to expire. I thought...
  • Blog Post: Credential Roaming hotfix...

    Just a slight detour from our debugging stuff for some new info on credential roaming\DIMS ... http://support.microsoft.com/?id=934797 The size of the Ntds.dit file on the domain controller grows continually larger after you enable the "Credential Roaming" feature for Windows Vista-based client...
  • Blog Post: EFS and Vista... and XP

    I just wanted to make sure folks realized that Vista and XP EFS files aren't exactly compatible... Here was a snip from a recent question: " I’m asking this question on behalf of another colleague. He’s having problems accessing encrypted files on a removable HDD in XP. He encrypted the folder...
  • Blog Post: New Security code samples...

    Dan, over at JWSecure, has written a bunch of new samples for some difficult-to-use APIs ( previously he also wrote some cred prov samples ). The new batch includes a CNG plugin to implement a new cipher algorithm in Vista - cool stuff. I especially liked his section on 'kicking the tires' and a little...
  • Blog Post: Smartcard logon over Terminal Services ( RDP redirection ) pII ( vista FYI )

    It seems I do spend a fair bit of time with smartcards lately, but I have some other interesting posts planned as well. Anyway, this is kind of a heads up to an interesting issue with Vista. We changed some of the way things work ( for the better ) in Vista. You may have noticed that scredir.dll...
  • Blog Post: LH Beta 3 OCSP doc..

    This white paper describes the concepts behind and steps needed to install, configure, and troubleshoot the Microsoft Online Responder, a role service that is used to implement online certificate status protocol (OCSP) revocation checking in Active Directory Certificate Services environments. http...
  • Blog Post: Support WebCast: Credential Roaming Basics

    If you want to know more about DIMS ( credential roaming ) this may be interesting to you. Webcast on April 26th - see http://support.microsoft.com/kb/935441 spatdsg
  • Blog Post: Corrupted EFS Files...

    Be aware of this - http://entkb.symantec.com/security/output/n2007020810462848.html spat keyword: corrupt efs encrypted file system corrupted
  • Blog Post: SSPI failures due to stack size.

    I was recently engaged by a SQL dev in order to help out on a tough nut they were working on. A customer had written a service to connect to SQL 2005; it failed with an error: SQL message [[Microsoft][ODBC SQL Server Driver][DBMSLPCN]ConnectionOpen (SECDoClientHandshake()).] The SQL folks already...
  • Blog Post: Troubleshooting PKI Problems on Windows Vista

    CAPI2 Diagnostics is a feature in Windows Vista™ and Windows Server® Code Name "Longhorn". This feature provides administrators with the ability to troubleshoot PKI problems by collecting detailed information about certificate chain validation, certificate store operations, and signature verification...
  • Blog Post: EFS and Vista.... and backup ( or lack thereof )

    EFS and Vista… One word of warning. Backup with Vista does *not* back up your encrypted files. Let’s see this demonstrated here… Here are 2 files, one encrypted and one not. I just finished a backup as you can see. Now we delete them… Restore files… QAdd files from … ...