
Ondrej Sevecek's English Pages


Engineering and troubleshooting by Directory Master!
MCM: Directory
December 04
How to remove expired user certificates from Active Directory user accounts using PowerShell

The certification authority software of Active Directory Certificate Services (ADCS) running in the enterprise installation mode (AD integrated CA) can publish the user certificates it issues into the respective AD user account, so that other users can find the certificates of their colleagues and use them for encryption. This function is usually completely unnecessary because only a few environments use user certificates for any data encryption at all.

But yes, the default User certificate template has the setting called Publish certificate in Active Directory enabled by default, which is then also the case for all duplicates created from this default User template.

The issued certificates get published in their DER binary form into the userCertificate multivalued attribute of the respective AD user object. Expired certificates are not removed automatically. If you want to find all user accounts in the local AD domain and remove any expired certificates from the accounts, you can use the following PowerShell script. The script not only deletes the expired certificate from the user account, it also saves the certificate into TEMP in case it is ever needed.

Note that the script handles only the published certificates stored in the userCertificate attribute (public certificates without private keys). It does not clean the certificates or their private keys from the credential roaming msPKI attributes.

# Stop on the first error so that a failed save or a failed Set-ADUser never goes unnoticed
$ErrorActionPreference = [System.Management.Automation.ActionPreference]::Stop

# Only user objects that have at least one value in userCertificate (ActiveDirectory module)
[object[]] $usersWithCerts = Get-ADUser -LDAPFilter '(userCertificate=*)' -Properties userCertificate

Write-Host ('Found user accounts with any certificate: #{0}' -f $usersWithCerts.Length)
foreach ($oneUserWithCert in $usersWithCerts) {

  Write-Host ('One user: {0} | certs = #{1} | {2}' -f $oneUserWithCert.sAMAccountName, $oneUserWithCert.userCertificate.Count, $oneUserWithCert.distinguishedName)

  # Each attribute value is the DER encoded certificate (public part only)
  foreach ($oneCertBin in $oneUserWithCert.userCertificate) {

    $oneCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $oneCert.Import($oneCertBin)

    # NotAfter is returned in local time, so compare with the local Now
    $isExpired = $oneCert.NotAfter -lt ([DateTime]::Now)
    Write-Host ('  certificate: {0} | expires = {1} (valid = {2}) | usage = {3}' -f $oneCert.Subject, $oneCert.NotAfter.ToString('yyyy-MM-dd HH:mm:ss'), (-not $isExpired), ($oneCert.EnhancedKeyUsageList -join ', '))

    if ($isExpired) {

      # Keep a copy in TEMP before touching AD; the thumbprint makes the file name unique
      $saveExpired = Join-Path $env:TEMP ('expired-cert-{0}-exp{1}-{2}.cer' -f $oneUserWithCert.sAMAccountName, $oneCert.NotAfter.ToString('yyyy-MM-dd-HH-mm-ss'), $oneCert.Thumbprint)
      [void] ([System.IO.File]::WriteAllBytes($saveExpired, $oneCert.Export('Cert')))
      Write-Host ('  removing: saved = {0}' -f $saveExpired)

      # Removes just this one value from the multivalued userCertificate attribute
      Set-ADUser -Identity $oneUserWithCert -Certificates @{ Remove = $oneCert }
    }
  }
}


July 24
How to disable Windows Admin Center pop-up in Server Manager in registry

The Server Manager console on Windows Server 2019 now pops up by default with an annoying dialog box offering the option to Try managing servers with Windows Admin Center (WindowsAdminCenter). If you want to disable this message with a registry setting (which can also be deployed centrally), set the following registry value DoNotPopWACConsoleAtSMLaunch to 1:

HKLM\SOFTWARE\Microsoft\ServerManager
DoNotPopWACConsoleAtSMLaunch = DWORD = 1
May 27
Users get error message when connecting to RDP host using RemoteGuard

RemoteGuard is a fine new technology for RDP running to and from Windows 2016 and Windows 10 1607 which allows for some basic protection of users' NTLM password hashes and TGT tickets. In order to use the remote guard feature you must either start the mstsc client with the /remoteGuard command line switch or have that feature enforced by a client machine group policy setting.

It is a documented fact that the sole use of the /remoteGuard switch requires the connecting user to be a member of the local Administrators group on the remote RDP host. In case the user is not a member of the local Administrators group on the remote RDP host machine, the user receives the following error message displayed on the remote desktop screen after connecting:

The requested session access is denied

If you want your users to connect while not being members of the local Administrators group on the remote RDP server, you have to enforce the RemoteGuard use on the client side by using a group policy (local or GPO) setting:

Computer Configuration
  Policies
    Administrative Templates
      System
        Credentials Delegation

Restrict delegation of credentials to remote servers
    Enabled + Require Remote Credential Guard

Yes, weird as it is, the /remoteGuard command line switch really behaves differently from the GPO setting. And yes, both are client side matters. The only thing that you need to enable on the RDP server host is the DisableRestrictedAdmin registry value, which is the same for both the remote guard and the restricted admin features.

HKLM\System\CurrentControlSet\Control\LSA
DisableRestrictedAdmin = DWORD = 0
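The following script is an added example, not part of the original post: it reports the two client-side and server-side prerequisites discussed above. It assumes that the GPO setting is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation as RestrictedRemoteAdministration (1 = enabled) and RestrictedRemoteAdministrationType (2 = Require Remote Credential Guard); run each function on the respective machine.

```powershell
# Added example (not from the original post). Registry names of the client policy are
# an assumption stated in the lead-in; DisableRestrictedAdmin comes from the post.

function Get-RegValueOrNull {
    param([string] $Path, [string] $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Run on the RDP host: the only server-side requirement is DisableRestrictedAdmin = 0
function Test-RemoteGuardServer {
    $value = Get-RegValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' 'DisableRestrictedAdmin'
    [pscustomobject] @{
        Role                   = 'RDP host'
        DisableRestrictedAdmin = $value
        # a missing value behaves as if the feature were switched off
        RemoteGuardAllowed     = ($null -ne $value -and [int] $value -eq 0)
    }
}

# Run on the client: tells GPO enforcement (works for non-admins) apart from relying
# on the /remoteGuard switch alone (local Administrators on the host required)
function Test-RemoteGuardClient {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'   # assumption
    $enabled  = Get-RegValueOrNull $policyPath 'RestrictedRemoteAdministration'
    $type     = Get-RegValueOrNull $policyPath 'RestrictedRemoteAdministrationType'
    $enforced = ($enabled -eq 1 -and $type -eq 2)
    if ($enforced) { $note = 'GPO enforces Remote Credential Guard; non-admin users may connect' }
    else { $note = 'Not enforced by GPO; mstsc /remoteGuard alone needs local Administrators on the host' }
    [pscustomobject] @{
        Role                = 'RDP client'
        PolicyEnabled       = $enabled
        PolicyType          = $type
        RemoteGuardEnforced = $enforced
        Note                = $note
    }
}

Test-RemoteGuardServer | Format-List
Test-RemoteGuardClient | Format-List
```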
February 06
Rolling upgrade of Windows 2012 R2 failover cluster right up to Windows 2019

No. It is not supported to join Windows 2019 nodes into a 2012 R2 failover cluster. You can join Windows 2016 nodes there, but not the newer 2019.

Windows 2019 being added to an existing cluster expects the cluster to be running at the Windows 2016 functional level at least.

The newer 2019 version expects the cluster nodes to have self-signed certificates (ClusInfraCert) generated for their intra-cluster SChannel (TLS) communication on port TCP 3343, which is not the case with the older 2012 R2 nodes that only use Kerberos for node authentication and communication protection.

If you try to join a Windows 2019 node into the 2012 R2 cluster, you will get an error (after some timeout) stating simply that the 2019 node cannot communicate with any node of the existing cluster.

August 22
How to disable all existing Windows Firewall rules with a single NETSH command

It is in fact this simple:

NETSH ADVFIREWALL FIREWALL SET RULE all NEW enable=no

Cheers!

December 13
RD Gateway error event 210 caused by NLB configured with no affinity

You may get the error 210 in the TerminalServices-Gateway Admin log on a Remote Desktop Gateway server (RD Gateway) saying that Http transport: IN channel could not find a corresponding OUT channel. This error may happen if you operate a load balanced RD Gateway farm and the load balancing mechanism does not use any affinity. RD Gateway requires at least the Single affinity to be used.

The no affinity setting means that any TCP connection established from a client may end up at any load balanced farm member. The RD Gateway, on the other hand, must establish two TCP connections, one for the inbound and the other for the outbound transport, and both connections must hit the same RD GW farm member. Thus we must configure the load balancing technology (usually NLB) to direct all TCP connections from a single client to the same NLB farm member.

November 23
Cannot install group managed service account - unspecified error

If you try to install a group managed service account (gMSA) on a server by using the Install-ADServiceAccount cmdlet you may receive an error message saying:

Cannot install service account. An unspecified error has occurred

This may happen if you didn't create the group managed service account with the parameter -KerberosEncryptionType set to AES128 or AES256. The Kerberos etype parameter is not mandatory and need not be specified if you do not restrict the possible Kerberos etypes on the server. But if the server which you plan to install the service account on restricts Kerberos encryption types to AES only, you have to configure the encryption types on the gMSA as well.

If you want to check if your server restricts the available Kerberos etypes, you can check the following local security policy value:

Security settings - Local Policies - Security Options
    Network Security: Configure encryption types allowed for Kerberos


If you see that only the AES encryption types are allowed in the server's policy, you must use the -KerberosEncryptionType parameter and specify either AES128 or AES256.
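As an added example (not the post's own code), the script below decodes the server's Kerberos etype restriction and creates the gMSA with a matching -KerberosEncryptionType. It assumes the policy is stored as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes with the usual msDS-SupportedEncryptionTypes bit layout; the gMSA name, DNS host name and allowed principal are placeholders.

```powershell
# Added example (not from the original post); see lead-in for the assumptions.

# bit values shared by the policy value and msDS-SupportedEncryptionTypes
$EtypeBits = [ordered] @{ 'DES_CBC_CRC' = 0x1; 'DES_CBC_MD5' = 0x2; 'RC4_HMAC' = 0x4; 'AES128' = 0x8; 'AES256' = 0x10 }

function ConvertFrom-EtypeMask {
    param([int] $Mask)
    if ($Mask -eq 0) { return @() }
    $EtypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }
}

# Etypes the local server allows; $null means no policy restriction at all
function Get-LocalKerberosEtypePolicy {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'   # assumption
    $item = Get-ItemProperty -Path $path -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    ConvertFrom-EtypeMask $item.SupportedEncryptionTypes
}

# Picks the -KerberosEncryptionType value for New-ADServiceAccount from the allowed list
function Select-GmsaEtype {
    param([string[]] $Allowed)
    if ($null -eq $Allowed) { return $null }        # not restricted: the parameter may be omitted
    $aes = @($Allowed | Where-Object { $_ -like 'AES*' })
    if ($aes.Count -eq 0) { throw 'Server allows no AES etype; a gMSA cannot be installed here' }
    return ($aes -join ', ')                         # e.g. "AES128, AES256" converts to the flags enum
}

$allowed = Get-LocalKerberosEtypePolicy
if ($null -eq $allowed) { Write-Host 'Allowed by local policy: not restricted' }
else { Write-Host ('Allowed by local policy: {0}' -f ($allowed -join ', ')) }

$params = @{
    Name                                       = 'gmsaApp01'                  # placeholder
    DNSHostName                                = 'gmsaApp01.contoso.example'  # placeholder
    PrincipalsAllowedToRetrieveManagedPassword = 'APPSRV01$'                  # placeholder
}
$etype = Select-GmsaEtype $allowed
if ($etype) { $params['KerberosEncryptionType'] = $etype }

New-ADServiceAccount @params
Install-ADServiceAccount -Identity $params.Name
Test-ADServiceAccount -Identity $params.Name     # $true once the account is usable on this server
```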

August 29
How to install Windows 10 (1511, 1607, 1703) UI language packs

You can install a user interface language pack (MUI pack, UI pack) into any default language edition of Windows 10 of any build. You can even install the English (en-us) language pack into a non-English Windows 10.

First you naturally need to download the language pack. In my MVP/MCT case, I downloaded it from the MSDN subscriber downloads portal. It comes in the form of an ISO file containing all the available language packs as individual CAB files for both x64 and x86 builds.

The ISO can be mounted from Windows Explorer, so there is no problem opening it from the GUI and accessing its contents from the command line later.

Then, you run the following command against your desired MUI CAB pack to be installed:

dism /online /add-package:"E:\x64\langpacks\Microsoft-Windows-Client-Language-Pack_x64_en-us.cab"

After DISM finishes you must restart the operating system, and only then should you be able to open the Languages control panel and select the newly installed UI language as the primary choice.

April 20
Very slow RDP remote app start over Remote Desktop Gateway connections

I have just solved one interesting case. The customer has a great, powerful RDP session-based application farm based on Windows 2012 R2. The farm runs several session collections with RemoteApps. The RDP RemoteApps are published through RDWeb and connected over RD Gateway when accessed from the internet. Everything is using trusted TLS/SSL certificates bought from a public CA such as GlobalSign or Symantec etc.

Everything worked smoothly and fast except for the application startup time when accessed from the internet. RDWeb itself was fast enough. But once you clicked an application, it sometimes took even three minutes to start. After that, smooth play, no delays anymore. Apparently the RD Gateway was the problem, because this didn't happen from the LAN when you avoided the RD Gateway, at least not that severely.

Digging deeper into the problem, both the RD Gateway and the RD Connection Broker turned out to have their own part in it.

The reason was certificate revocation checking which timed out

The reason identified itself when I enabled auditing for Windows Firewall connections (the Filtering Platform Connection audit subcategory) and correlated it with the events in the TerminalServices-Gateway/Operational event log. The Security event log showed repeated and frequent TCP connections to remote port 80 (HTTP apparently) started by system processes such as lsass.exe or svchost.exe. Weirdly, the connections were going to public internet IP addresses.

And yes, when I checked the CRL paths and their URLs in the TLS/SSL certificates, these IP addresses turned out to be the CRL distribution points of the public CAs which issued the RDP certificates.

Ok, it seemed like the system was trying to verify the revocation status of its own server certificates (why the hell?) by downloading their respective CRL files. The problem was that the farm servers actually didn't have internet access. So all the connections were only starting (SYN-SENT), then each was timing out after 21 seconds (the standard TCP connection establishment timeout) and failing. And again and again with every client connection being established.

As it appears, the RD Gateway and sometimes even the RD Connection Broker servers try to verify the revocation status of their own server certificates by downloading CRLs.

The solution

The solution could be to allow the servers to download the public CRL files from the internet over HTTP TCP 80 (if needed, you can configure them to use an HTTP proxy server with the netsh winhttp command).

Or to make sure that they cannot resolve the public DNS names of the CRL distribution points at all.

Or, if the servers must be able to resolve the public DNS names, to make sure that the TCP connection fails immediately instead of waiting for the 21 seconds timeout.

If you have a network firewall in place, you must change the blocked port setting from stealth or drop to reject. Or you can configure an explicit blocking Outbound Rule in the servers' Windows Firewall. The outbound blocking rules are good in this regard as they refuse the blocked TCP connection immediately and do not let the applications time out.
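The script below is an added example, not part of the original post: it finds the connection attempts described above in the Security log and creates the explicit outbound block rule that makes them fail at once. It assumes that the Filtering Platform Connection audit subcategory is enabled, the event 5156 data layout (Application, Direction, DestAddress, DestPort, Protocol) with %%14593 meaning Outbound, and the remote addresses passed to the rule are placeholders taken from the report.

```powershell
# Added example (not from the original post); assumptions are listed in the lead-in.

# Enable the audit subcategory the investigation relied on (success = permitted connections)
function Enable-FilteringPlatformAudit {
    auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable | Out-Null
}

# Outbound TCP connections to port 80 initiated by system processes, grouped by destination
function Get-SystemHttpConnections {
    param([int] $MaxEvents = 5000, [string[]] $Processes = @('lsass.exe', 'svchost.exe'))
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml] $e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $exe = Split-Path $data['Application'] -Leaf        # Application is a \device\harddiskvolumeN\... path
        if ($data['Direction'] -eq '%%14593' -and $data['Protocol'] -eq '6' -and
            $data['DestPort'] -eq '80' -and $Processes -contains $exe) {
            [pscustomobject] @{ Time = $e.TimeCreated; Process = $exe; DestAddress = $data['DestAddress'] }
        }
    }
    $rows | Group-Object DestAddress | Sort-Object Count -Descending |
        Select-Object @{ n = 'DestAddress'; e = { $_.Name } }, Count,
                      @{ n = 'Processes'; e = { ($_.Group.Process | Sort-Object -Unique) -join ', ' } }
}

# Explicit outbound block rule: the connection is refused immediately instead of waiting 21 s
function New-CrlBlockRule {
    param([Parameter(Mandatory)] [string[]] $RemoteAddress)
    New-NetFirewallRule -DisplayName 'Block CRL download attempts (TCP 80)' -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 80 -RemoteAddress $RemoteAddress -Profile Any
}

Enable-FilteringPlatformAudit
Get-SystemHttpConnections | Format-Table -AutoSize
# New-CrlBlockRule -RemoteAddress @('203.0.113.10', '203.0.113.11')   # placeholder CDP addresses from the report
```

The report shows which CDP addresses the servers keep trying; scoping the block rule to those addresses avoids breaking other HTTP traffic such as Windows Update.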

March 31
Windows registry values (NoAutoMount) for forensic disk imaging

You may want to use disk imaging tools such as my favourite WinHex for capturing forensically sound disk images from arbitrarily attached USB/SATA/mSATA/M.2/SAS/etc. hard drives even if you do not have a hardware-based write-blocker device. In order to prevent the operating system from switching the just attached disks to Online mode and mounting any file systems, you should configure the following registry values:

HKLM\System\CurrentControlSet\Services\mountmgr
  NoAutoMount = REG_DWORD = 1

HKLM\System\CurrentControlSet\Services\partmgr\Parameters
  SanPolicy = REG_DWORD = 3

Note that the NoAutoMount value goes really directly into the mountmgr registry key, while the SanPolicy value must be set in the Parameters subkey of the partmgr driver.

If you have the registry configured this way, the newly attached disk drives remain in the default Offline mode, which means that they are read/only.

If you want to switch the disks to the writable Online mode, you can always do so with diskpart's command online disk. Note, however, that making a disk Online means immediately mounting any file system on it, even if no drive letter is assigned yet.

If you want to mount a file system while keeping the disk in read/only mode, you can achieve this with diskpart's command attributes disk set readonly prior to switching the disk into the online mode.

Thus having the disk in the offline mode always means read/only, while having the disk in the online mode may mean read/only or writable, depending on the disk's attribute setting, which you can change before making the disk online.

A sample DISKPART transaction may look like this:

DISKPART

  list disk
  REM :the previous command listed your disks, the newly attached disk should be offline, note its number

  select disk XX
  REM :select the number of your offline attached disk instead of typing XX

  attributes disk
  REM :the previous command should have displayed some attributes, mainly the fact that the disk is in read/only state

  attributes disk set readonly
  REM :we make the read/only setting permanent for the selected disk by storing this information in the local computer registry
  REM :note that this does not modify anything on the disk yet and note also that the setting stays in the local computer registry
  REM :and does not roam with the disk if unplugged and moved to another computer

  online disk
  REM :makes the disk online allowing file systems to be mounted, although the disk remains in read/only mode and thus the file systems
  REM :are read only as well. No disk letters assigned yet due to the NoAutoMount registry value

  assign
  REM :only now disk letters assigned, the disk and its file systems still remain in read/only mode
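As an added example (not the post's own code), the following PowerShell script sets the two registry values from the post and then reproduces the DISKPART transaction with the Storage module cmdlets (Get-Disk, Set-Disk, Add-PartitionAccessPath), verifying the read/only attribute before the disk goes online. The disk number is supplied by the operator.

```powershell
# Added example (not from the original post). Requires an elevated session and the Storage module.

function Set-ForensicMountPolicy {
    # NoAutoMount lives directly in the mountmgr key, SanPolicy in partmgr\Parameters
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mountmgr' -Name NoAutoMount -Type DWord -Value 1
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\partmgr\Parameters' -Name SanPolicy -Type DWord -Value 3
    [pscustomobject] @{
        NoAutoMount = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mountmgr').NoAutoMount
        SanPolicy   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\partmgr\Parameters').SanPolicy
    }
}

# Brings a freshly attached, offline disk online without ever making it writable
function Mount-DiskReadOnly {
    param([Parameter(Mandatory)] [int] $DiskNumber)
    $disk = Get-Disk -Number $DiskNumber
    if (-not $disk.IsOffline) { throw "Disk $DiskNumber is already online; refusing to touch it" }

    # 1) attributes disk set readonly: stored in the local registry, nothing is written to the disk
    Set-Disk -Number $DiskNumber -IsReadOnly $true
    if (-not (Get-Disk -Number $DiskNumber).IsReadOnly) { throw 'Read/only attribute did not stick; not bringing the disk online' }

    # 2) online disk: file systems get mounted, but read/only; no letters because of NoAutoMount
    Set-Disk -Number $DiskNumber -IsOffline $false

    # 3) assign: drive letters only now, the disk and its file systems still read/only
    Get-Partition -DiskNumber $DiskNumber | Where-Object { $_.Type -ne 'Reserved' } |
        ForEach-Object { $_ | Add-PartitionAccessPath -AssignDriveLetter -ErrorAction SilentlyContinue }

    Get-Disk -Number $DiskNumber | Select-Object Number, FriendlyName, IsOffline, IsReadOnly, PartitionStyle
}

Set-ForensicMountPolicy
# list disk: the newly attached disk should show IsOffline = True and IsReadOnly = True
Get-Disk | Select-Object Number, FriendlyName, Size, IsOffline, IsReadOnly | Format-Table -AutoSize
# Mount-DiskReadOnly -DiskNumber 3   # placeholder: the number of the newly attached offline disk
```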

About this blog

Ondrej Sevecek

Ondrej Sevecek is a technical consultant, writer and speaker specialising in network security, PKI, identity management and Active Directory on the Microsoft Windows platform. Ondrej is a Microsoft Certified Master (MCM:Directory and MCSM:Directory) and a Most Valuable Professional (MVP: Enterprise Security). He also maintains his CISA, CHFI (Computer Hacking Forensic Investigator) and CEH (Certified Ethical Hacker) certifications.

Ondrej is also an MCT and gives lectures in GOPAS, the greatest of the European training centers.