Spat's WebLog (Steve Patrick)
When things go wrong...
Browse by Tags
crypto
Tagged Content List
Blog Post:
Love the tubes..thank you Kiran Patil - base64 won't trick me again :)
SpatDSG
Thank God for the tubes!! I was banging my head against some errors today in some code which seemed pretty straightforward. Take some data - encrypt it via 3DES - encode it in base64 Toss it over to some other system - decode - decrypt. However, randomly I would fail here: System...
on
29 Oct 2010
Blog Post:
HowTo: Map a user to a certificate via all the methods available in the altSecurityIdentities attribute
SpatDSG
Today I am going to talk a little bit about certificate mapping. This topic is somewhat related to my last post about disabling mapping, but once you disable the UPN mapping, what type of mapping is available to you? The image below ( stolen from MSDN ) outlines the mapping of user accounts to...
on
18 Jun 2010
Blog Post:
HowTo: Disable UPN mapping for SmartCard logon
SpatDSG
<rant> good lord this is an ugly blog... I need to find the time to customize this hideous new theme </rant> It’s been a while since I’ve blogged about something around smartcards ( ha! ) , so here goes. Here is the basic setup. The smartcard certificate has the following...
on
14 Jun 2010
Blog Post:
Delete certificate from smartcard with Base Smart Card provider
SpatDSG
Just a reminder Certutil -scinfo will list all the certs on the card: ================ Certificate 3 ================ --- Reader: Gemplus USB Smart Card Reader 0 --- Card: Axalto Cryptoflex .NET Provider = Microsoft Base Smart Card Crypto Provider Key Container = le-AuthMultiOID-e6c02f48-c2ee-4c0...
on
28 May 2010
Blog Post:
WSFederationAuthenticationModule (WSFAM) CryptographicException auth failure
SpatDSG
As you may have guessed from my recent posts, I was working on a first stab at some WIF work recently.. and the app was failing with the following error. The system cannot find the file specified. Description: An unhandled exception occurred during the execution of the current web request. Please...
on
10 Feb 2010
Blog Post:
Just a quick post on IIS7 cert mapping setup
SpatDSG
Install the role service under IIS At the Server level - enable DS mapping under authentication: Create the web site. Enable it for HTTPS ( bindings ) Set the site to require certs under: Enable the site : C:\Windows\SysWOW64\inetsrv> appcmd unlock config /section:clientCertificateMappingAuthentication...
on
30 Nov 2009
Blog Post:
Cool new features in 2k8 R2 for Certificate Services
SpatDSG
I really don't like posting about another post.. but it's too cool not to in this case :) There are some really awesome new features for Cert Services in 2k8 R2.. check it out in the Certificate Enrollment Web Services Whitepaper Original post: http://blogs.technet.com/pki/archive/2009/09/15/certificate...
on
17 Sep 2009
Blog Post:
Joining a domain via Smartcards
SpatDSG
http://technet.microsoft.com/en-us/library/cc721959.aspx A snip from the article: Smart card root certificate requirements for use when joining a domain When using a smart card to join a domain, the smart card certificate must comply with one of the following conditions: The smart...
on
10 Dec 2008
Blog Post:
Honey, I lost the (private) keys -- EFS keys missing?
SpatDSG
Interesting EFS issue the other day.. Customer was rolling out EFS so they set up DRA's and this worked great. When they encrypted files the DRA's showed up just fine in the file information. However, when they went to decrypt a file via the assigned DRA account – it failed to recover the file. ...
on
20 Oct 2008
Blog Post:
Get Serial number, expiry date, subject name and subject alternative names in script
SpatDSG
The question was something like this: ..."What I need to be able to do is iterate through each certificate in the Local Machine’s Personal store and spit out at least the serial number, expiry date, subject name and subject alternative names." Here is the output: ------------------...
on
31 Jul 2008
Blog Post:
How to use Certificate Services Web enrollment pages together with Windows Vista or Windows Server 2008
SpatDSG
Wheww!! We finally have the matrix for what works, what doesn't and how to fix it :) http://support.microsoft.com/kb/922706/en-us SUMMARY The Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX control that is named Xenroll. This ActiveX...
on
2 Apr 2008
Blog Post:
EFS failures after upgrade to 2008
SpatDSG
FYI .. ( haven't had time to finish the kerb posts.. but here is an important FYI ) http://www.microsoft.com/downloads/details.aspx?FamilyID=fd786261-d278-40db-baf8-70f42d786223&displaylang=en Overview When a user encrypts a file stored on a Windows file server the actual encryption of the...
on
18 Feb 2008
Blog Post:
Putting CAPI2 logging to good use...
SpatDSG
So there was a problem with a printer which you could connect to via SSL in order to print via IPP. You go in and configure the printer via a web page like so: Create New Self-Signed Certificate Create a new self-signed certificate. Warning: This operation will overwrite the currently...
on
8 Aug 2007
Blog Post:
Is there any debug logs or tracing logs can help us to monitor certificate importing or EFS decrypting?
SpatDSG
This is a recent question I saw ... You can track detailed EFS events such as EFS decrypt\encrypt and EFS engine cert enrollment via the EFS debug logging in Vista. In addition – Vista has new DPAPI logging for auditing its usage ( DPAPI is what EFS uses to protect its keys so you should...
on
7 Aug 2007
Blog Post:
Notify users of cert expiration...
SpatDSG
A recent mail thread was asking about querying for certs about to expire and notifying the users of this. You could do it a few ways.. Run some kind of svc\logon script etc.. on the clients - which tracked the stores and cert data. Query the CA DB directly for certs about to expire. I thought...
on
19 Jul 2007
Blog Post:
Credential Roaming hotfix...
SpatDSG
Just a slight detour from our debugging stuff for some new info on credential roaming\DIMS ... http://support.microsoft.com/?id=934797 The size of the Ntds.dit file on the domain controller grows continually larger after you enable the "Credential Roaming" feature for Windows Vista-based client...
on
19 Jun 2007
Blog Post:
EFS and Vista... and XP
SpatDSG
I just wanted to make sure folks realized that Vista and XP EFS files aren't exactly compatible... Here was a snip from a recent question: " I’m asking this question on behalf of another colleague. He’s having problems accessing encrypted files on a removable HDD in XP. He encrypted the folder...
on
7 Jun 2007
Blog Post:
New Security code samples...
SpatDSG
Dan, over at JWSecure, has written a bunch of new samples for some difficult-to-use APIs ( previously he also wrote some cred prov samples ). The new batch includes a CNG plugin to implement a new cipher algorithm in Vista - cool stuff. I especially liked his section on 'kicking the tires' and a little...
on
14 May 2007
Blog Post:
Smartcard logon over Terminal Services ( RDP redirection ) pII ( vista FYI )
SpatDSG
It seems I do spend a fair bit of time with smartcards lately, but I have some other interesting posts planned as well. Anyway, this is kind of a heads up to an interesting issue with Vista. We changed some of the way things work ( for the better ) in Vista. You may have noticed that scredir.dll...
on
9 May 2007
Blog Post:
LH Beta 3 OCSP doc..
SpatDSG
This white paper describes the concepts behind and steps needed to install, configure, and troubleshoot the Microsoft Online Responder, a role service that is used to implement online certificate status protocol (OCSP) revocation checking in Active Directory Certificate Services environments. http...
on
30 Apr 2007
Blog Post:
Support WebCast: Credential Roaming Basics
SpatDSG
If you want to know more about DIMS ( credential roaming ) this may be interesting to you. Webcast on April 26th - see http://support.microsoft.com/kb/935441 spatdsg
on
24 Apr 2007
Blog Post:
Corrupted EFS Files...
SpatDSG
Be aware of this - http://entkb.symantec.com/security/output/n2007020810462848.html spat keyword: corrupt efs encrypted file system corrupted
on
11 Apr 2007
Blog Post:
SSPI failures due to stack size.
SpatDSG
I was recently engaged by a SQL dev in order to help out on a tough nut they were working on. A customer had written a service to connect to SQL 2005, and it failed with an error: SQL message [[Microsoft][ODBC SQL Server Driver][DBMSLPCN]ConnectionOpen (SECDoClientHandshake()).] The SQL folks already...
on
4 Apr 2007
Blog Post:
Troubleshooting PKI Problems on Windows Vista
SpatDSG
CAPI2 Diagnostics is a feature in Windows Vista™ and Windows Server® Code Name "Longhorn". This feature provides administrators with the ability to troubleshoot PKI problems by collecting detailed information about certificate chain validation, certificate store operations, and signature verification...
on
13 Mar 2007
Blog Post:
EFS and Vista.... and backup ( or lack thereof )
SpatDSG
EFS and Vista…One word of warning. Backup with Vista does *not* backup your encrypted files. Let’s see this demonstrated here… Here are 2 files one encrypted and one is not. I just finished a backup as you can see Now we delete them… Restore files… QAdd files from … ...
on
1 Mar 2007
Page 1 of 2 (46 items)