Browse by Tags

Tagged Content List
  • Blog Post: Migrating your Certification Authority Hashing Algorithm from SHA1 to SHA2

    Hey all, Rob Greene here again. Well it’s been a very long while since I have written anything for the AskDS blog. I’ve been heads down supporting all the new cool technology from Microsoft. I wanted to see if I could head off some cases coming our way with regard to the whole SHA1 deprecation...
  • Blog Post: Troubleshooting Credential Roaming

    Hi. Jim here again from Directory Services with a follow up to my Understanding Credential Roaming blog post. To review, credential roaming makes it possible to roam the user's credentials in a manageable, secure manner that is ultimately transparent to the user. What follows is a deeper dive into the...
  • Blog Post: iPad / iPhone Certificate Issuance

    Hey all, Rob here again. It’s been a while since I have written a blog post, and this one was too interesting to pass up. I recently worked a case around deploying certificates to Apple iPhones and iPads to secure their network communications. The investigation uncovered that Apple devices can...
  • Blog Post: Friday Mail Sack: The Gang’s All Here Edition

    Hi folks, Ned here again with your questions and our answers. This is a pretty long one; looks like everyone is back from vacation, winter storms, and hiding from the boss. Today we talk Kerberos, KCC, SPNs, PKI, USN journaling, DFSR, auditing, NDES, PowerShell, SIDs, RIDs, DFSN, and other random goo...
  • Blog Post: Certificate Authority disaster recovery steps when smartcard logon is required but no valid CRL can be published

    [Editor’s note: this is a reprinted post from the AD Troubleshooting Blog. If you’re not already a subscriber to that blog, you absolutely need to add it to your feed. Ingolfur is a Sr. Support Escalation Engineer in Sweden and a very smart dude - with rather odd hair - who deserves your attention....
  • Blog Post: Successful Errors Installing Windows Server 2008 Certificate Authority

    Oxymoron - a figure of speech by which a locution produces an incongruous, seemingly self-contradictory effect, as in “cruel kindness” or “succeeded with errors.” Hi, Ken here. Recently I encountered an issue where the customer was trying to install certificate services on...
  • Blog Post: Friday Mail Sack: 1970’s Conversion Van Edition

    Hello folks, Ned here again with another ridiculously overdue Friday Mail Sack. This week we talk about patching, admin rights, Kerberos, hiring, ADMT, and PKI. Next week we talk about… nothing. I will be out celebrating an Important Wife Birthday™ and unless Jonathan takes pity on you,...
  • Blog Post: Custom Certificate Request in Windows Vista

    James Carr here and I would like to discuss creating a custom certificate request in Windows Vista. When requesting certificates from a Windows 2000/2003 Enterprise Certification Authority, we will use one of the built-in certificate templates. Certificate Templates are used to tell the CA what information...
  • Blog Post: Certificate Concepts

    Hi, Brantley here. I would like to share some information with you about how digital certificates work. Understanding the concepts about how certificates work is important when troubleshooting PKI issues. Let’s start by defining digital certificate: digital certificates are electronic credentials...
  • Blog Post: I’ll take NDES in the DMZ, for 1000 Alex

    Hello. Jim here yet again to talk to you about deploying Windows Server 2008 R2 with the Network Device Enrollment Services (NDES) role in a secure perimeter network. Let's consider the scenario. You have an internal PKI hierarchy consisting of an Offline Root Certificate Authority (CA), a policy CA...
  • Blog Post: Windows 2008 R2 Standard Edition supports Version 2 and 3 Templates

    Chris here again. This time I have a quick post. For those looking for reasons to either implement a PKI or potentially upgrade a PKI to Windows Server 2008 R2, the Standard Edition now supports Version 2 and 3 templates. Prior to Windows Server 2008 R2 the Certification Authority role had to be installed...
  • Blog Post: Certs On Wheels: Understanding Credential Roaming

    Hi. Jim here again from the Directory Services team. Today I will break down some of the core components of credential roaming and how it functions. To secure critical transactions such as signing, encrypting, and decrypting e-mail or authenticating identity, many environments rely on certificates. The...
  • Blog Post: Friday Mail Sack – Missed Week Edition

    Hiya folks. The mail sack was a no-show last week since I was out of town; I hope you can find it in your heart to forgive me. If not… well, you get what you pay for. To make up for it, this one is longer than usual. Here are some interesting issues from the past two weeks (both from the Internet...
  • Blog Post: Friday Mail Sack: Barbados Edition

    Hello world, Ned here again. I’m back to write this week’s mail sack – just in time to be gone for the next two weeks on vacation and work travel. In the meantime Jonathan and Scott will be running the show, so be sure to spam the heck out of them with whatever tickles you. This week...
  • Blog Post: Enabling CEP and CES for enrolling non-domain joined computers for certificates

    Hey all, Rob here again. I thought I would expand upon my last blog describing Certificate Enrollment Web Services by covering some of the different configurations that are possible. As a refresher, Certificate Enrollment Policy and Certificate Enrollment Services abstracts certificate Policy and...
  • Blog Post: How to configure the Windows Server 2008 CA Web Enrollment Proxy

    Hi all, Rob here again. I had a case recently where the customer wanted to have the Windows Server 2008 Certificate Authority website loaded on another machine. For those of you that do not know, you can install the Windows Server 2008 CA web site pages on an alternate server from the CA. One reason...
  • Blog Post: Friday Mail Sack: Guest Reply Edition

    Hi folks, Ned here again. This week we talk: CA migration from 1 to 2 tier ADAM/ADLDS P2V ABC 123 Managing AGPM security filters Multiple IIS App pools and Kerberos AGPM multi-domain comparison ADUC domain password weirdness DFSR deletion conflict handling Stale account deletion...
  • Blog Post: Extended Validation support for websites using internal certificates

    Hey all, Rob here again. One feature that is new with Windows Server 2008R2 / Windows 7 is the ability to configure your internal certification authority hierarchy in order to issue certificates that can show as Extended Validation certificates. So for those of you who do not know, this means...
  • Blog Post: Working with Certificates in Active Directory PowerShell

    http://blogs.msdn.com/adpowershell/archive/2009/04/26/working-with-certificates.aspx
  • Blog Post: Designing and Implementing a PKI: Part I Design and Planning

    The series: Designing and Implementing a PKI: Part I Design and Planning; Designing and Implementing a PKI: Part II Implementation Phases and Certificate Authority Installation; Designing and Implementing a PKI: Part III Certificate Templates; Designing and Implementing a PKI: Part IV Configuring SSL for...
  • Blog Post: The Certificate Template Manager Hangs Indefinitely

    Hey ladies and gents, Sean here again. Recently I ran into an issue with Windows Server 2003 that caused the Certificate Template Manager to hang. I’ll discuss the problem and provide solutions so you don’t get stuck wondering what’s going on if this happens to you. First, let’s talk about the symptoms...
  • Blog Post: Designing and Implementing a PKI - Series Wrapup and Downloadable Copies

    Hi all, Ned here again. We usually get asked for a more portable version of our multi-part blog posts so - for once - I am creating it before the yelling starts. Chris’ “Designing and Implementing a PKI” series is included below in a few common file formats: Download in DOX format...
  • Blog Post: Windows Server 2008 R2 CAPolicy.inf Syntax

    Greetings! This is Jonathan again. I was reviewing Chris’ excellent blog post series on designing and implementing a PKI when I realized that it would be helpful to better document the CAPolicy.inf file. The information in this post relies heavily on the information published in the Windows Server...
  • Blog Post: Replacing an Expired DRA Certificate

    Hi, Tom here from the Directory Services team. One of the most common EFS issues we see is for an expired Domain Data Recovery Agent (DRA) certificate. It is also one of the easiest things to resolve. You may have seen the error Recovery Policy for this system contains an invalid recovery certificate...
  • Blog Post: Implementing an OCSP responder: Part II - Preparing Certificate Authorities

    Chris here again. In Part I we covered some of the basics and background information on the reason for the OCSP Responder and a basic understanding of how the OCSP Responder functions. So now we look towards implementing the OCSP Responder. However, before we move forward with the Install of the OCSP...