Channel: AD Troubleshooting
Browsing all 35 articles

New features in Windows 7

My 3 favorites: - Virtual Windows XP AKA 'XP Mode' (not all SKUs): This is basically a small Virtual PC within the Windows 7 OS that allows you to run the application in its own contained environment,...


Why living in the future is bad when you're a CA server (aka the story of...

I worked on the following case recently: We can't seem to enroll for certificates from our Windows 2008 OCS Servers, the error we get is "A required certificate is not within its validity period when...


The Smartcard Removal Policy Service and VPN

The ScPolicySvc service works by monitoring a specific registry key (See Deconstructing the Smartcard Removal Policy Service). The VPN client (Connection Manager aka CM) on the other hand doesn’t use...


Event 6398 and Forefront Server Security

Customers may get this issue from time to time on every SharePoint WFE server except one whenever the antivirus applications on the servers successfully update their antivirus definitions. This only...


UseSubjectAltName and smartcard logon

On Windows 7 clients, if a smartcard certificate contains a Subject Alternate Name (SAN) it will by default be used for implicit mapping against a user in AD and whatever has been imported to the...


Everything you wanted to know about Extended Validation but were afraid to ask

Well, maybe not quite... but hopefully it helps explain the concept better. SSL is not the trusted stamp of approval that it was maybe 10-15 years ago, business requirements and competition between CA...


Remote EFS decryption and Trusted for Delegation requirements

One of our customers reported the following: We have been evaluating EFS on Windows 7 as part of our upgrade from Windows XP project and have discovered that if you share a folder and encrypt a file...


Smartcard Redirection Diaries

Last month we finally closed two bugs that I've been engaged in on and off for well over a year and released two related hotfixes in the February hotfix release batch. In late 2009, our Professional...


Why can't I see any certificate templates when creating a certificate request...

My colleague Jan had the following case recently: Customer verbatim: We've created a custom web server certificate template that we want to use to enroll certificates from for our web servers. We've...


Why is autoenrollment only happening if initiated manually through the MMC?

We resolved the following case recently: On our W2k8 R2 Domain Controllers, autoenrollment is not working even if all the permissions are correct and the CA’s are allowed to issue the correct templates....


The CA certificate that disappeared after the CMOS battery died

A colleague on our PKI Server alias got the following question from a partner: Our newly installed Windows Server 2008 R2 CA server got the time settings on it accidentally reset back to the BIOS...


Setting up ADFS 2.0 as an IDP for Visma Proceedo

I've put together a Word document with the details on how to set up a federation trust between Visma Proceedo acting as a Relying Partner (RP) and ADFS 2.0 acting as the Identity Provider (IDP). The...


Smartcard logon using certificates from a 3rd party on a Domain Controller...

I was looking at the Windows Server 2008 R2 KDC architecture with my colleague Jan earlier today concerning an issue when using smart cards with 3rd party domain controller certificates. Our customer...


Credential Roaming and NTDS.dit bloat

Following up on a previous post about Credential Roaming (aka DIMS): http://blogs.technet.com/b/instan/archive/2009/05/26/considerations-for-implementing-credential-roaming.aspx With a recent DCR to...


CAPI2 event ID 11 retake

A customer put the following questions to one of my colleagues: On a lot of our Windows 7 clients we've noticed they periodically try to download a CAB file from Windows Update, but as our workstations...


The Legacy of the Past Tense

When working with Microsoft technologies you'll inevitably come across references to Legacy API's, Legacy OS's, etc. Have you ever wondered what that means in technical terms? Well, in technical terms...


Changing the Primary Domain DNS name of this computer to "" failed.

This is a bogus error message that can be safely ignored - it's caused by the domain join code ending up in a function which it doesn't need to run anyway during a domain join operation using the...


Deconstructing the KDC certificate processing functionality

For a DC to be able to service smartcard logons the DC must have a valid and suitable certificate present in the personal store of the computer account. This is typically autoenrolled for whenever a...


Alternative methods to getting a standalone CA to issue smartcard certificates

We want to implement a smartcard solution but we're not ready for an implementation internally.  We considered implementing a standalone CA to avoid making changes to the Configuration partition but as...


New hotfix for intermittent OCSP revocation failure issues on domain...

A new hotfix for Cryptnet.dll on Windows Server 2008 R2 has been released which covers a scenario which could cause a Domain Controller (or any service doing frequent revocation checking of...
