August, 2009

  • Ask the Directory Services Team

    Extended Validation support for websites using internal certificates

    • 9 Comments

    Hey all, Rob here again. One feature that is new with Windows Server 2008 R2 / Windows 7 is the ability to configure your internal certification authority hierarchy to issue certificates that show as Extended Validation certificates.

    So for those of you who do not know, this means that you will get a shaded green bar within Internet Explorer proving that a site is ‘extra trustworthy’. If you want to learn more about extended validation click here. The feature works on the following operating system / IE Versions:

    • Windows XP SP3/ 2003 SP2 – Internet Explorer 8.
    • Windows Vista SP1/Windows Server 2008 – Internet Explorer 7 and 8.
    • Windows 7/2008R2 – Internet Explorer 8.

    Enabling this feature is a two-step process:

    Create a new “Issuance Policy” on a certificate template to support EV certificates:

    The below steps require you to be logged in as an Enterprise Admin unless you have modified the permissions on your certificate templates.

    1. Open the Certificate Templates MMC (CertTmpl.msc).

    2. Create a new Version 2 or Version 3 template (or modify an existing v2/v3 template).

    3. Click on the Extensions tab.

    4. Select Issuance Policies, and click on the Edit button.

    5. Click the Add… button.

    6. Click New… button.

    7. Type in a name for the new Extended Validation Policy. The name for the policy can be anything you like. In my example I used “Contoso Extended Validation (EV)” as the name.

    8. Type in the URL to the Certificate Practice Statement (CPS) for your extended validation policy.

    NOTE: When you create a certificate policy you should have a practice statement defining how the certificate type is to be used, how the certificate type is approved to be issued, and what requirements must be fulfilled before issuance. CPSs are beyond the scope of this blog, however, and you should do your due diligence in crafting a CPS.

    9. The Object Identifier field will already be filled in. You can of course replace this with a custom OID (one you obtained from an internet authority that manages OIDs). Be sure to document and copy this OID for later use.

    10. Click OK

    11. Highlight the Issuance Policy you just created and click OK.

    12. Do not check “Make this extension critical” and click OK.

    13. Click “OK” to close the certificate template dialog box.

    Create / modify a Group Policy to support the feature:

    It’s actually pretty easy to set up: you will need either a Windows Server 2008 R2 / Windows 7 client with the RSAT tools (GPMC) installed, or a 2008 R2 server with the Group Policy Management feature added.

    It is important to note that a Windows Server 2008 R2 domain controller is not required; you only need the ability to manage group policies from the newer operating system.

    1. Launch Group Policy Management (GPMC.MSC).

    2. Edit an existing policy / create a new policy.

    3. Navigate to the following location: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

    4. Right click on Trusted Root Certification Authorities and select Import.

    5. You need to import your internal Root Certification Authority certificate using the import wizard.

    6. Once the Root Certification Authority certificate has been imported, right click on the certificate and select “Properties”.

    7. Click on the Extended Validation tab.

    8. Paste in the OID from the Issuance Policy you created above.

    9. Click the Add OID button.

    10. Click OK.

    Have fun with Extended Validation and enjoy your green validated address bar in Internet Explorer.
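
    Here is an added check script that is not part of Rob's post: once a web server has enrolled against the EV-enabled template, it confirms that the issued certificate actually asserts the issuance policy OID from step 9 and that the chain validates when a relying party requires that policy. It assumes PowerShell 2.0 on a domain-joined Windows 7 / 2008 R2 machine; the thumbprint and OID values are placeholders you replace with your own.

```powershell
# Added example (not from the original post): verify that a certificate issued from the
# EV-enabled template really asserts the issuance policy OID, and that its chain validates
# when a relying party requires that policy. Assumes PowerShell 2.0 on a domain-joined
# Windows 7 / 2008 R2 machine. The thumbprint and OID below are placeholders to replace.

param(
    [string]$Thumbprint  = 'REPLACE-WITH-LEAF-CERT-THUMBPRINT',   # placeholder
    [string]$EvPolicyOid = 'REPLACE-WITH-ISSUANCE-POLICY-OID'     # placeholder: the OID copied in step 9
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

# The issuance policy is carried in the standard Certificate Policies extension (OID 2.5.29.32).
$policyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
if (-not $policyExt) { throw 'No Certificate Policies extension; the template change from step 9 did not take effect' }

# Format($true) renders the extension the way certutil does, one "Policy Identifier=<oid>" per policy.
$asserted = [regex]::Matches($policyExt.Format($true), 'Policy Identifier=([0-9.]+)') |
    ForEach-Object { $_.Groups[1].Value }
Write-Host ("Policy OIDs asserted by the certificate: {0}" -f ($asserted -join ', '))
if ($asserted -notcontains $EvPolicyOid) { throw "Certificate does not assert $EvPolicyOid" }

# Build the chain with the policy required, as a relying party checking for EV would.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.ChainPolicy.CertificatePolicy.Add((New-Object System.Security.Cryptography.Oid $EvPolicyOid))

if ($chain.Build($cert)) {
    Write-Host "Chain validates with policy $EvPolicyOid required."
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Status, $_.StatusInformation) }
}
```

    This confirms the template half of the setup. Whether Internet Explorer shows the green bar still depends on the Group Policy half, where the same OID is attached to your root on its Extended Validation tab, so run this on the web server after enrollment and then test in the browser from a client that has received the policy.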

    - Rob ‘OID vey!’ Greene

  • Ask the Directory Services Team

    RSAT Released for Windows 7

    • 14 Comments

    Remote Server Administration Tools are RTM; come and get 'em.

    http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en

    Some things to keep in mind:

    1. This version is only for Windows 7 (Business, Professional, and Ultimate).
    2. Make sure to uninstall any RC/Beta/whatever copies of RSAT for Win7 you had previously installed.
    3. Make sure to remove any hacked up Vista RSAT copies you might have installed.
    4. Make sure to remove any hacked up Win2003 ADMINPAK copies you might have installed.

    Have fun.

    - Ned 'Snap in to a Snap-In' Pyle

  • Ask the Directory Services Team

    New Directory Services KB Articles/Blogs 8/2-8/8

    • 2 Comments

    KB

    973573

    Services that are running under the Network Service account cannot access the \?? namespace after security update MS09-012 (956572) is installed

    970176

    A Windows Server 2003 SP2-based DNS server does not route a name resolution request to the expected DNS server through the stub zone

    974070

    The changes that you made to a shared .xls file in an offline folder are not saved

    973554

    Performance is significantly reduced when you copy or write small files from a computer that is running Windows Vista or Windows Server 2008 into a shared folder that is hosted on a computer that is running Windows Vista or Windows Server 2008

    972904

    A black screen is displayed and then the system stops responding when you log on to a computer that is running Windows Vista or Windows Server 2008

    973510

    Downloaded files do not inherit the permissions from the parent folder when you use the Ftp.exe program to download files in Windows Vista or in Windows Server 2008

    973772

    Group Policy Preferences stops responding when you try to configure the printer item for printers that use third-party drivers on a Windows Vista or Windows Server 2008-based computer

    972841

    Windows Search does not return files or folders that are under DFS-linked folders on a Windows Vista SP2 or on a Windows Server 2008 SP2-based computer

    970916

    An application that subscribes to ISensLogon interface events stops receiving logon or logoff event notifications after you log off Windows Vista or Windows Server 2008

    970974

    The Folder Options preference in Group Policy Preferences is reapplied on a Windows Vista or on a Windows Server 2008-based client computer, even when you select the “Apply once and do not reapply” option

    972616

    You cannot use the "runas" command to print from different user accounts in a single session from a 32-bit program on a computer that is running 64-bit version of Windows Server 2008 or Windows Vista

    972999

    Error message when you use Event Viewer to open an event log on a Windows Vista or a Windows Server 2008-based computer: "Event Viewer cannot open the event log or custom view"

    971222

    Users who are members of the Power Users group or of the Print Operators group cannot install the local printers on a server that is running Windows Server 2008

    972299

    An "Access Denied" error message is returned when you edit an access control on a network-mapped drive on a Windows Server 2008-based computer

    968074

    An update is available that enables the Terminal Services license servers that are running Windows Server 2008 to be able to use the CALs for the Windows Server 2008 R2 Remote Desktop Services

    971677

    A Hyper-V differencing disk that you create in Windows Server 2008 R2 cannot be used in Windows Server 2008

    Blogs

    · CRM and Kerberos

    · Mapping One Smartcard Certificate to Multiple Accounts.

    · Split IO and Intermittent “File Not Found” Errors

    · Debug 101: What does !analyze do?

    · Microsoft delivers test versions of SQL Server 2008 R2

    · Managing W2K3 AD domain through Windows Vista or Windows Server 2008 (R2)

    · CentOS, OpenSUSE & More Linux Distros on Hyper-V R2!

    · NET TIME and w32time

    · Windows Server 2008 and Windows Server 2008 R2 Automate Metadata Cleanup

    · OldCMP and the dreaded LDAP Error 0×50 “OTHER”

    · Two Minute Drill: Debugging – lm, not just Alphabet Neighbors

    · Cool Articles: Group Policy Modeling, Windows 7 / Server 2008 R2 functionality

    · Federation Services and Direct Access

    · Windows 7: Windows XP Mode Release Candidate Now Available

    · ADFS Event ID 111

    · Finding the SQL server ADFS is using

    · Active Directory Federation Services (the server formerly known as Geneva)

    · Enabling Logging in ADFS

    · Different GPOs for HUBs and for Branch DCs

    · Forward-links, Back-links and how these are maintained

  • Ask the Directory Services Team

    DFSR: From UID to File Path in One Easy Step

    • 0 Comments

    Hi, Ned here again. If you have spent any time in the DFSR debug logs, you’ve probably found that getting a file’s full path is a bit of a pain. For example, examine this sample debug log of a file being replicated – see if you find the folder’s path in here anywhere. Go ahead, I’ll wait.

    You didn’t find anything because the debug logs won’t tell you. DFSR uses an ESE database to keep track of file and folder paths as part of their IDRECORD information. If you were to examine the database rows directly, you’d find that its tables don’t contain the full path either. Instead, a record of each ‘object’ (file or folder) is stored as a Unique Identifier (UID), along with its relationship to its parent and children UIDs. So when you look in the debug logs, you see:

    <Upstream> 20090624 12:04:56.359 3196 JOIN 1122 Join::SubmitUpdate LDB Updating ID Record:
    +    fid 0x200000000A752
    +    usn 0x930508
    +    uidVisible 1
    +    filtered 0
    +    journalWrapped 0
    +    slowRecoverCheck 0
    +    pendingTombstone 0
    +    internalUpdate 0
    +    dirtyShutdownMismatch 0
    +    meetInstallUpdate 0
    +    meetReanimated 0
    +    recUpdateTime 20080624 16:04:56.339 GMT
    +    present 1
    +    nameConflict 0
    +    attributes 0x20
    +    ghostedHeader 0
    +    data 0
    +    gvsn {EDE2D64E-1306-4C7C-B568-449A98371AA2}-v29
    +    uid {EDE2D64E-1306-4C7C-B568-449A98371AA2}-v29
    +    parent {175F2B6A-289F-4CA8-AF8B-4D9BF1A2C501}-v2
    +    fence 16010101 00:00:00.000
    +    clockDecrementedInDirtyShutdown 0
    +    clock 20080624 16:04:56.339 GMT (0x1c8d6140ba94250)
    +    createTime 20080624 16:04:56.258 GMT
    +    csId {175F2B6A-289F-4CA8-AF8B-4D9BF1A2C501}
    +    hash 00000000-00000000-00000000-00000000
    +    similarity 00000000-00000000-00000000-00000000
    +    name somefile.txt

    So what if you want to actually get the real path of a file? That is useful in large environments where file name uniqueness gets less common.

    In Windows Server 2003 R2 and Windows Server 2008

    Just provide the UID to this well-hidden WMI Method in a CMD prompt:

    Wmic.exe /namespace:\\root\microsoftdfs path dfsridrecordinfo.Uid="your uid here" call getfullfilepath

    For example:

    Wmic.exe /namespace:\\root\microsoftdfs path dfsridrecordinfo.Uid="{EDE2D64E-1306-4C7C-B568-449A98371AA2}-v29" call getfullfilepath

    Which would tell you:

    Method execution successful.
    Out Parameters:
    instance of __PARAMETERS
    {
    FullPath = "C:\\testrf\\somefile.txt";
    ReturnValue = 0;
    };

    Sorta ugly, but it gets the job done.
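
    Here is an added PowerShell script, not from Ned's post, that does the same lookup in bulk: it pulls every UID out of a DFSR debug log and resolves each one through the same WMI method the wmic command above calls. It assumes, as that command does, that Uid alone identifies a DfsrIdRecordInfo record in root\microsoftdfs on the local server; the log path is a placeholder.

```powershell
# Added example (not from the original post): extract every UID that appears in a DFSR debug
# log and resolve each to a full path through the same WMI method the wmic command above calls.
# Assumes, as that command does, that Uid alone identifies a DfsrIdRecordInfo record in
# root\microsoftdfs on the local server. The log path is a placeholder.

param([string]$LogPath = 'C:\Windows\debug\Dfsr00001.log')   # placeholder path

function Resolve-DfsrUid {
    param([string]$Uid)
    try {
        # Bind straight to the keyed instance, like "path dfsridrecordinfo.Uid=..." in wmic.
        $record = [wmi]"\\.\root\microsoftdfs:DfsrIdRecordInfo.Uid='$Uid'"
        $result = $record.GetFullFilePath()
        if ($result.ReturnValue -ne 0) { return $null }
        return $result.FullPath
    } catch {
        return $null   # UID not in the local database (deleted, or belongs to another member)
    }
}

# Debug-log lines look like:   +    uid {EDE2D64E-1306-4C7C-B568-449A98371AA2}-v29
$uidPattern = '^\s*\+\s+uid\s+(\{[0-9A-Fa-f-]+\}-v\d+)'
$uids = Get-Content $LogPath |
    ForEach-Object { if ($_ -match $uidPattern) { $matches[1] } } |
    Sort-Object -Unique

foreach ($uid in $uids) {
    $path = Resolve-DfsrUid $uid
    if ($path) { "{0}  ->  {1}" -f $uid, $path }
    else       { "{0}  ->  (not resolvable on this server)" -f $uid }
}
```

    Older debug logs are kept compressed (Dfsr0000N.log.gz), so decompress one first before pointing the script at it. Each UID is resolved against the local database, which is why a UID for a file that was deleted, or that lives on another replication member, comes back unresolved rather than as an error.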

    In Windows Server 2008 R2

    So much easier now! DFSRDIAG.EXE now supports the IDRECORD option.

    DFSRDIAG IDRECORD /UID:some_uid

    For example:

    C:\>dfsrdiag idrecord /uid:{EDE2D64E-1306-4C7C-B568-449A98371AA2}-v29

    File name : somefile.txt
    Path : c:\testrf\somefile.txt
    UID : {EDE2D64E-1306-4C7C-B568-449A98371AA2}-v29
    GVSN : {{EDE2D64E-1306-4C7C-B568-449A98371AA2}-v29

    Not ugly at all. Read more about this and other new DFSRDIAG features here:

    DFS Replication: What’s new in Windows Server™ 2008 R2

    - Ned ‘Breadcrumbs’ Pyle

  • Ask the Directory Services Team

    Mapping One Smartcard Certificate to Multiple Accounts.

    • 0 Comments

    Good morning world, Paul Fragale here to bring you the latest trend in smart card logon requests. Some people have been reading on our TechNet pages, such as Smart Card Authentication Changes, about the ability to allow users to have one smart card, one certificate on that smart card, and map to multiple users. This one certificate will allow them to authenticate both to a user account and to an account with special privileges (like an administrator). Why would they want to do this, you ask? They do not want to give administrator permissions to the user accounts but still need to be able to track who made the changes. This will effectively reduce the number of administrator accounts on the machine or environment.

    However, this comes with a cost to administrative overhead. To set this up correctly, some steps must be done manually by an administrator that has access to the Active Directory Users and Computers Snap-in.

    Also Windows Server 2008 DCs are required for the smartcard authentication. Smart card logon authentication requirements for Windows Server 2003 DCs have a strict User Principal Name (UPN) requirement. That means that a UPN has to be provided in the certificate for proper authentication. This restriction prevents the ability to log on using the name mapping feature that is required for this scenario.

    The rest of this blog post contains the step-by-step for setting up this environment.

    To enable this ability the following things will have to be done:

    • Create a Smartcard User certificate template that does not include the UPN as an alternate subject name.
    • Enable the Group Policy for "User Name Hint".
    • Create a smart card certificate for a user using the new template.
    • Export the user smart card certificate.
    • Enable Name Mapping to both accounts.

    Environment Required:

    • Clients: Windows Vista or later
    • Domain Controllers: Windows Server 2008 or later (any Domain or Forest Functional level)
    • Certification Authority: Windows Server 2003, Windows Server 2008 or later Enterprise Issuing CA (Smartcard User or Smartcard Logon template is required)

    Note: The CA must be running on an Enterprise Edition of the Operating System to meet this requirement.

    Create Smart card Certificate Template

    Creating a smart card template for this scenario is 90% the same as creating a duplicate template for any other function. The one exception is in step 7 of the procedure. The certificates issued must not reference a UPN for any mapped user or the authentication for the other mapped accounts will fail.

    On the Certificate Authority perform the following tasks:

    1. Open certsrv.msc.
    2. Expand the name of the CA.
    3. Right click Certificate Templates and choose Manage.
    4. Right click the Smartcard User or Smartcard Logon template and choose Duplicate Template:

    Note: If you are using a Windows 2008 CA you will be prompted to select the minimum CA for your new template. You can select either template option.

    5. Provide a name for the smartcard template and set the validity period that you desire for the environment.
    6. On the Subject tab, deselect User Principal Name (UPN):

    7. On the Issuance Requirements tab, do the following:

        a. Select The number of authorized signatures: and set it to 1.
        b. Under Policy type required in signature, select Application Policy.
        c. Under Application Policy select Certificate request Agent:

    8. Click Apply and then OK.
    9. Close Certificate Templates console.
    10. In the Certificate Authority snap-in, right click Certificate Templates folder and select New.
    11. Select "Certificate Template to Issue”:

    12. Select the new template and click Ok:

    13. Restart Certificate Services.

    Note: It is important to restart the CA services to ensure the CA is processing all the latest information.

    Enable Group Policy for "User Name Hint"

    Now that we have created and added the smart card certificate template, we need to configure the clients to show the Username Hint upon logon.

    To enable the Allow user name hint Group Policy setting, follow these steps on a domain controller:

    1. Open the Group Policy Management Console.
    2. Right click the domain name and choose Create a GPO in this domain, and Link it here….
    3. Name it something like "Smart card Auth Policy".
    4. Right click the policy and choose Edit:

    5. Expand Computer Configuration >Policies > Administrative Templates > Windows Components, and then expand Smart Card.
    6. Double-click "Allow user name hint":

    7. Click Enabled and then click OK:

    8. Run Gpupdate /force to update group policies on the workstations with smart card readers.

    Create smart card certificate for a user using the new template

    1. Log on to system that has a smart card reader with a user that has an Enrollment Agent certificate.
    2. Start certmgr.msc
    3. Expand Personal, and then right-click on the Certificates folder.
    4. Select All Tasks > Advanced Operations > Enroll on behalf of from the context menu:

    5. Click Next.
    6. When prompted, browse to the signing certificate for the enrollment agent. Click Next:

    7. Select the certificate template you created, and click Next:

    8. Browse and select the user name (This will be the subject of the smartcard certificate.) Click Enroll:

    Export the user smart card certificate

    Ok, so we’ve got a certificate on a smart card; now we have to associate it with the accounts we want the user to be able to use. We first need to export the certificate. You can do this from the client, Active Directory Users and Computers or the Certificate Authority that issued the cert. One way of accomplishing this can be found at the following TechNet article: http://technet.microsoft.com/en-us/library/cc779668(WS.10).aspx

    Enable Name Mapping to both accounts

    Now that we have the certificate file we can map the certificate to our user’s accounts.

    1. Open Active Directory Users and Computers.
    2. Click View and select Advanced Features:

    3. Navigate to the user account.
    4. Right click the user account and choose Name Mappings:

    5. Click Add and select the certificate file that was exported. Click Open:

    6. Click Ok.
    7. Click Ok.

    8. Repeat steps 3-7 to add the same certificate file to each additional account that the user logs on with.

    That is all there is to it. Now when that user inserts his smart card, he will see a Username Hint window. He simply types the name of the account he wants to log on as and the PIN for his smart card. The added benefit is that the user does not need to know two different passwords; he only has to know the PIN for the smart card.
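
    Here is an added PowerShell script that is not part of Paul's post. It runs two checks an administrator would want after the procedure above: first, that the exported certificate carries no UPN in its Subject Alternative Name (the template change from step 6); second, an audit of which accounts share one certificate. The second check relies on the fact that the Name Mappings dialog stores an "X509:<I>issuer<S>subject" value in the account's altSecurityIdentities attribute. It uses ADSI so it needs no AD module; the .cer path is a placeholder.

```powershell
# Added example (not from the original post): two checks worth running after the procedure
# above. (1) The exported certificate must not carry a UPN in its Subject Alternative Name
# (template step 6). (2) The Name Mappings dialog stores an "X509:<I>issuer<S>subject" value
# in the account's altSecurityIdentities attribute, so we can audit which accounts share one
# certificate. Uses ADSI, so no AD module is needed. The .cer path is a placeholder.

param([string]$CerPath = 'C:\export\user-smartcard.cer')   # placeholder

# --- Check 1: no UPN in the SAN (OID 2.5.29.17). Windows renders a UPN entry as "Principal Name=".
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san -and ($san.Format($true) -match 'Principal Name=')) {
    Write-Warning 'Certificate carries a UPN in its SAN; logon to the other mapped accounts will fail.'
} else {
    Write-Host 'SAN check passed: no UPN present.'
}
$subjectCn = if ($cert.Subject -match 'CN=([^,]+)') { $matches[1] } else { $cert.Subject }
Write-Host ("Issuer : {0}`nSubject: {1}" -f $cert.Issuer, $cert.Subject)

# --- Check 2: group every altSecurityIdentities value by the accounts that carry it.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(&(objectCategory=person)(altSecurityIdentities=*))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('altSecurityIdentities')

$accountsByMapping = @{}
foreach ($result in $searcher.FindAll()) {
    $sam = [string]$result.Properties['samaccountname'][0]
    foreach ($mapping in $result.Properties['altsecurityidentities']) {
        if (-not $accountsByMapping.ContainsKey($mapping)) { $accountsByMapping[$mapping] = @() }
        $accountsByMapping[$mapping] += $sam
    }
}

# A mapping shared by several accounts is exactly what this post sets up; list them so the
# one-certificate-many-accounts relationship stays visible, and flag the one for this certificate.
foreach ($entry in $accountsByMapping.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        $marker = if ($entry.Key -like "*CN=$subjectCn*") { ' <== this certificate' } else { '' }
        "{0}{1}`n    -> {2}" -f $entry.Key, $marker, ($entry.Value -join ', ')
    }
}
```

    The grouping is what makes the "track who made the changes" goal from the start of the post auditable: a mapping that shows up on both a standard account and an administrator account is intended here, but one that appears on accounts nobody expected is worth a look, since whoever holds that smart card and PIN can log on as every account listed under it.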

    Until next time,

    - Paul ‘One Cert to Rule Them All’ Fragale

  • Ask the Directory Services Team

    CRM and Kerberos

    • 0 Comments

    Ned here again. Are you using MS Dynamics CRM? Be sure to check this excellent blog post from our colleagues Jeremy Morlock and Henning Petersen on how CRM uses Service Principal Names and what you need to get it all working:

    http://blogs.msdn.com/crm/archive/2009/08/06/configuring-service-principal-names.aspx

    It covers the following scenarios, step by step:

    • Host header added to site
    • Change CRM Application Pool to run as Domain User
    • Change CRM Application Pool to run as Domain User when other application pools run under separate domain user accounts

    Nice work guys!

    - Ned 'you SPN me right round' Pyle

  • Ask the Directory Services Team

    AskDS is 63,072,000,000 milliseconds old today

    • 3 Comments

    Two years ago the AskDS blog was created. A few days later we had our first post. A huge thanks to you for all of your questions, comments, and kind words over the years; we really appreciate them.

    Ned 'Chuck E. Cheese' Pyle

  • Ask the Directory Services Team

    New Directory Services KB Articles/Blogs 7/27-8/1

    • 0 Comments

    KB Articles

    971913

    You cannot install a Windows Installer package under the Local System context on a Windows XP-based computer that has update KB956572 installed

    971383

    Data loss occurs when the Winsock "recv" function returns 0 bytes if both the client-side and the server-side applications run on the same computer that is running Windows Server 2003

    973839

    32-bit applications do not use the Domain Name System (DNS) cache on a computer that is running an x64-based version of Windows Server 2003 or of Windows XP

    973840

    Description of scripts to use to simplify user account mapping between a UNIX client and a Windows-based server

    973836

    The DFSR Diagnostics Report shows "sharing violations" events in Windows Server even though the files have already been replicated

    972844

    You have to re-enter user credentials after you send credentials through the XMLHttpRequest object and view the page in a new tab in Internet Explorer 8

    Blogs