adcs

Delta CRLs are Not Accessible via HTTP When Hosted on IIS

If you are running a Microsoft PKI in your environment then chances are you will have (or at least you should have) configured at least one HTTP based distribution point (CDP) for your Certificate Revocation Lists. If you are only publishing full CRLs then you will have no problems however if you are publishing Delta CRLs, the smaller, faster to process kind which list only certificates revoked since the last full publish then you may encounter an issue if you are using an IIS website to publish these.

The problem lies in the filename used for the CRLs. In my lab, for example, my Certificate Authority issues a CRL file named rjglab-CA.crl, and the delta files are named the same as the full CRL but with a plus character appended, making the file name rjglab-CA+.crl. In its native configuration, IIS does not permit the use of the plus character because that character falls within the realms of IIS Request Mapping and the request handler.

HTTP Error Downloading Delta CRL

We can see in the screenshot above what the error code and message given by IIS is when we try to download the Delta CRL in the default configuration.

For an IIS web server hosting your CRL and Delta CRL, we need to change the behaviour of IIS to permit this plus character, which luckily is easily done. First off, open IIS Manager on the server which is hosting your Delta CRL file and making it available to clients. From the server home in IIS, open the Request Filtering page and, from this page, select the Edit Feature Settings button in the Actions bar.

Request Filtering Settings in IIS

On the Edit Request Filtering Settings page under the General section, by default, Allow Double Escaping is disabled. Enable this option and then press OK.

Once you have made the change, try to download the Delta CRL file and you should find that the file is available and you can successfully download it.

Delta CRL Downloaded OK
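The same change scripted, as an added example that is not from the original post. It scopes the Allow Double Escaping setting to the path that serves the CRL rather than the whole server (the site and virtual directory names, and the host in the URL, are assumptions; the file name comes from the post) and then fetches the delta CRL to confirm IIS serves it:

```powershell
# Added example, not from the original post. Assumes the WebAdministration module
# (IIS on Windows Server) and that the CRLs are published from the path below.
Import-Module WebAdministration

$CdpPath  = 'IIS:\Sites\Default Web Site\CertEnroll'             # hypothetical CDP virtual directory
$DeltaUrl = 'http://pki.example.com/CertEnroll/rjglab-CA+.crl'   # placeholder host, file name from the post
$Filter   = 'system.webServer/security/requestFiltering'

# Default is False, which is what makes IIS reject the '+' in the delta CRL name
# with a 404.11 "double escape sequence" error.
$before = (Get-WebConfiguration -PSPath $CdpPath -Filter $Filter).allowDoubleEscaping
"allowDoubleEscaping before: $before"

# Relax request filtering only for the CDP path, not for every site on the server.
Set-WebConfigurationProperty -PSPath $CdpPath -Filter $Filter -Name allowDoubleEscaping -Value $true

# Fetch the delta CRL the way a client would; Invoke-WebRequest throws on a 4xx/5xx response.
try {
    $resp = Invoke-WebRequest -Uri $DeltaUrl -UseBasicParsing
} catch {
    throw "Delta CRL still not served from $DeltaUrl : $($_.Exception.Message)"
}
"HTTP $($resp.StatusCode), $($resp.Content.Length) bytes"

# Confirm the download really is a delta CRL: certutil shows the Delta CRL Indicator
# extension and the update times when dumping a delta CRL.
$tmp = Join-Path $env:TEMP 'rjglab-CA+.crl'
[IO.File]::WriteAllBytes($tmp, $resp.Content)
certutil -dump $tmp | Select-String 'Delta CRL Indicator', 'This Update', 'Next Update'
```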

Extended Validation (EV) with an Internal Certificate Authority

As IT Pros, we know that Extended Validation (EV) on web server certificates doesn't actually add a security layer or harden our web servers in any way, but it does give users the warm fuzzy feeling that the website they are using is definitely trustworthy. Given that we want our users to believe everything we do internally in IT is trustworthy, it would be great to have our internal web services use Extended Validation certificates for user-facing websites.

If you are using a Windows Active Directory Certificate Services (ADCS) certificate authority for issuing your certificates, then the great news is that we can do this, and it can be made to work in an existing environment, so you don't need to build a new Root CA or set up new servers for it to work. We just need to create a new Certificate Template and a Group Policy Object in the domain.

Configure the Certificate Authority

The first step is to create the Certificate Template. On your ADCS server where you issue your Web Server certificates, open the Certificate Authority MMC console. From the console, right-click on the Certificate Templates folder and select Manage.

Manage Certificate Templates

Once you have clicked this, another window will open with the list of Certificate Templates configured in the environment. Find the Web Server certificate, right-click it and select the Duplicate Template option.

New Template Properties

At the Properties for New Template dialog, enter a display name that is appropriate such as “Web Server with EV” or “Web Server Extended Validation”. From here, click the Extensions tab.

New Template Properties Extensions

On the Extensions tab, highlight the Issuance Policies list item and select Edit. At the window which appears, select the New button to add a new Issuance Policy.

EV Issuance Policy

Give your new issuance policy a name such as “EV Issuance Policy” and, if you have one (which you should do for production), enter your Certificate Purpose Statement URI. If you don't know what a Certificate Purpose Statement (CPS) is, then I would suggest the TechNet article Certificate Policies and Certificate Policy Statements as a first primer; in a nutshell, it's a webpage which gives people information about how the certificates can be used.

Before you hit OK on the New Issuance Policy dialog, note the final field, OID. Copy this OID to your clipboard and keep it there for the time being or, better yet, save it to a text document in a safe place, as we need it for the later steps.

Once you have this, hit OK on the dialog and change any other settings on the template you may need to, such as the validity period, the key length or whether you want to allow the private key to be exported. Once you have created the new template, we need to configure the CA to be able to issue it.

CA Certificate Template to Issue

As shown above, back in the Certificate Authority console, right-click on the Certificate Templates folder and this time select New followed by the Certificate Template to Issue option. From the list of templates, select the new template you just created for Web Server with Extended Validation.

After this, the Certificate Authority has a new template that can be used for Extended Validation and is configured to issue certificates based on that template. However, it's no good having the certificates if the clients do not know to trust them to the extent required to display the green address bar.

Configure Group Policy in Active Directory

With the CA configured, we need to configure clients to trust this certificate for Extended Validation, and the best method for this is going to be Group Policy. If you have an existing Group Policy to apply certificate related settings then use that policy; otherwise create a new one and link it either at the root of your domain to apply it to all computers on the domain, or to a particular OU if you only want it to apply to a subset of clients. Just for clarity, I would not recommend putting certificate related settings in the Default Domain Policy, nor would I recommend putting any settings into that policy. The Default Domain Policy and the Default Domain Controllers Policy should be left untouched and new policy objects should be created for any settings you want to apply.

In your Group Policy Object, expand the view in Computer Configuration followed by Security Settings, Public Key Policies and finally Trusted Root Certification Authorities. If you are using an existing policy, you should have here a valid copy of the public key portion of the certificate for your Root CA. If you are creating this as a new policy, you will need to import the public key portion of your Root CA certificate.

GPO Trusted Root Certification Authorities

GPO Trust Root CA Extended Validation Properties

Once your certificate is added, right-click it and select Properties. From the properties, select the Extended Validation tab. On this tab, add the OID that you earlier copied or saved to a text document. Any OIDs in this list are considered trusted for Extended Validation when a certificate contains the Issuance Policy matching that OID and the certificate is issued by a CA that is part of the issuing or subordinate chain below the specified Root CA.

Once you have applied the GPO to your clients, you can issue a new certificate for a website with the Web Server Extended Validation template. When browsing to that site from a client computer which both trusts your Root CA and understands the OID applied to the Issuance Policy, you will get the green address bar.

Website with EV Certificate
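A check for the two halves described above, as an added example that is not from the original post: it confirms the issued web server certificate actually carries the issuance policy OID from the template, and that the chain builds when that OID is required. The OID value and the certificate subject are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Run on a domain-joined client that has received the GPO.
# $ExpectedOid is the OID saved from the New Issuance Policy dialog (placeholder below).
$ExpectedOid = '1.3.6.1.4.1.311.21.8.PLACEHOLDER'      # replace with your issuance policy OID
$Subject     = 'CN=intranet.rjglab.local'               # hypothetical web server certificate subject

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
if (-not $cert) { throw "Certificate '$Subject' not found in Cert:\LocalMachine\My" }

# The template's Issuance Policy lands in the Certificate Policies extension (OID 2.5.29.32).
$ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
if (-not $ext) { throw 'No Certificate Policies extension: the EV template was not used for this certificate' }

# Format() decodes the extension via CryptoAPI; each policy appears as a "Policy Identifier=" line.
$policyOids = $ext.Format($true) -split "`r?`n" |
    Where-Object { $_ -match 'Policy Identifier=(\S+)' } |
    ForEach-Object { $Matches[1] }
"Issuance policies in certificate: $($policyOids -join ', ')"

if ($policyOids -contains $ExpectedOid) {
    "OK: certificate carries $ExpectedOid"
} else {
    "MISSING: $ExpectedOid not present; clients will not show EV for this certificate"
}

# Client side: require the same OID when building the chain. A failure here means the chain
# from this client's trusted root does not satisfy that issuance policy.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.ChainPolicy.CertificatePolicy.Add((New-Object System.Security.Cryptography.Oid $ExpectedOid))
if ($chain.Build($cert)) {
    "OK: chain builds under policy $ExpectedOid, root = $($chain.ChainElements[-1].Certificate.Subject)"
} else {
    "FAIL: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}
```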

Windows Server 2012 Essentials Initial Admin Thoughts

I spend my days working with Windows Servers and, increasingly, Windows Server 2012. Whilst I may not know everything there is to know (and who does, after all), I like to think I know quite a bit on the subject and therefore my understanding of what's good and proper is generally sound. Once the installation of Windows Server 2012 Essentials completed, I was drilling through some of the back-end interfaces to dig up how it worked and was strung together, and these are my opinions based on those views as an administrator.

Active Directory Domain Services (ADDS)

As we know, Windows Server 2012 Essentials, unlike Windows Home Server 2011, creates a domain. It does this with the greatest of ease for the end-user driving the install, but with that ease you lose control, as is evident here.

The domain is created with a Windows Server 2012 Domain and Forest Functional Level, which is good; however, the Active Directory Recycle Bin feature added in Windows Server 2008 R2 ADDS is disabled, which I think should be enabled to help out people who accidentally delete user or computer accounts.

The domain is created with a .local domain suffix, which for me is not nice as such suffixes can end up causing you problems depending on what you are trying to do with the domain environment. If you read some of the literature for Office 365, they don't support federation using ADFS with .local domains.

The case sensitivity of the installer has big implications for the domain name created. I personally like to see a lowercase domain name (FQDN) with an uppercase Pre-Windows 2000 domain name (NetBIOS), but the installer uses the same name for both. From my previous post on installing Windows Server 2012 Essentials, whatever you type in the Internal Domain Name text field will be used for both, so be careful with that. You can change the Pre-Windows 2000 domain name using Active Directory Users and Computers (ADUC) or the PowerShell cmdlets, but whether this will have implications for the Dashboard and other Essentials functionality is not clear without testing.

When new users and computers are added/connected to the domain using the dashboard and the client computer connector software, the new objects are placed in the Users and Computers containers respectively. I tried using redirusr and redircmp to move the new object creation to an OU, but this didn’t work and everything still hits the containers. Manually moving the objects later seems to cause no issues, but I think it’s very bad that the installer doesn’t at least create initial OUs for these objects as objects in containers can’t be linked to GPOs.

In Active Directory Sites and Services, no IP Subnets are configured to link to the site and the site is left with the standard name of Default-First-Site-Name. I don’t see any problems in renaming this and adding the subnets.

DNS

The DNS role is installed as a requirement for ADDS. The installation is basic, very basic. One Forward Lookup Zone is created for the DNS domain name specified in the installer, but no Reverse Lookup Zone. No Forwarders are configured, so all recursive lookups will be hitting the Root Hints servers unless you configure the Essentials server to use the ISP router as its DNS server, which brings the next point, linked to DHCP. Clients will normally be receiving DHCP leases from a self-bought or ISP router, which will configure the clients with itself as the sole DNS server.

Unless the connector client does something very nasty like configure a static DNS server on the NIC in use for the Essentials server, how will it be able to resolve DNS records on the server when it is relying on the records from the router?

Lastly on DNS, Scavenging is disabled, so if you do use DHCP and have your clients leasing addresses directly from the Essentials server (which I would recommend), then the stale records won't get cleaned up.

Certificate Authority (CA)

The installer configures an Enterprise Root CA on the server, which is an online root and issuing CA in this instance. Anyone who knows PKI knows that an online root CA is bad news. I know it's the only option, as you can't expect people to drop two servers, one to remain powered off for its life as an offline root CA, but that doesn't stop it from being horrid.

The most annoying thing here is the name that the CA is given: [DomainName]-[ServerName]-CA. This is totally unfriendly and looks ghastly in any of your certificates. The CA isn't configured to grant the account you specify as the administrator account during the installer the KRA or DRA role, so hope that nobody in your house or office tries to be clever and EFS encrypts their documents before losing the private key needed to open them.
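A read-only audit of the ADDS, DNS and CA defaults noted above, as an added example that is not from the original post. It assumes you run it on the Essentials server with the ActiveDirectory and DnsServer PowerShell modules available; it changes nothing and only reports what it finds.

```powershell
# Added example, not from the original post. Read-only: reports the defaults discussed above.
Import-Module ActiveDirectory, DnsServer

$findings = @()

# AD Recycle Bin: EnabledScopes stays empty while the optional feature is off.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) { $findings += 'Active Directory Recycle Bin is disabled' }

# Domain suffix and NetBIOS name as created by the installer.
$domain = Get-ADDomain
if ($domain.DNSRoot -like '*.local') { $findings += "Domain suffix is .local ($($domain.DNSRoot))" }
"Domain: $($domain.DNSRoot)  NetBIOS: $($domain.NetBIOSName)"

# Sites and Services: default site name and no subnets linked to it.
if ((Get-ADReplicationSite -Filter *).Name -contains 'Default-First-Site-Name') {
    $findings += 'AD site still has the default name Default-First-Site-Name'
}
if (-not (Get-ADReplicationSubnet -Filter *)) { $findings += 'No IP subnets defined in Sites and Services' }

# DNS: forwarders, reverse lookup zone, scavenging.
if (-not (Get-DnsServerForwarder).IPAddress) { $findings += 'No DNS forwarders; recursion goes to root hints' }
if (-not (Get-DnsServerZone | Where-Object IsReverseLookupZone)) { $findings += 'No reverse lookup zone' }
if (-not (Get-DnsServerScavenging).ScavengingState) { $findings += 'DNS scavenging is disabled' }

# CA: certutil reports the CA type; an Enterprise Root CA here is an online root that also issues.
$caType = (certutil -cainfo type 2>$null) -join ' '
if ($caType -match 'Enterprise Root CA') { $findings += 'Online Enterprise Root CA is also the issuing CA' }

if ($findings) { $findings | ForEach-Object { "[!] $_" } } else { 'No findings' }
```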

Network Access Protection (NAP)

This role is installed to assign policy for the VPN and Remote Web Access. The administrative console for it is not installed, keeping you blind to its configuration, but you can easily install it using Server Manager by adding the RSAT Feature for NAP.

Remote Desktop Services (RDS) Gateway

This component is used for the Remote Web Access. As with NAP, the console is not installed, keeping you in the dark, but you can again install it using Server Manager by adding the RSAT Feature for RDS Gateway Tools.

Oddbox

Other random bits and pieces I noticed whilst poking around were as follows:

  • Memory Usage for the base install is 1.4GB and CPU Usage while idle was 4% on my Hyper-V 3.0 VM from my Core i3 desktop PC. It will be interesting to see how my physical AMD E-350 Zacate Home Server processor handles it, or how the processor in the HP Microserver would fare.
  • No Group Policy Objects are configured aside from the two default domain policies. Do not rename either of the default policies as options in the Dashboard update the configuration of the policies and if the dashboard is looking for them based on name and not GUID, then you will hit problems.
  • The Server Backup feature within the dashboard relies on a dedicated and assigned local disk. There is no option for making use of Windows Azure Cloud Backup, which is now supported in the Windows Server 2012 iteration of Windows Server Backup. I think Microsoft are missing a trick here, as other 3rd parties are already cashing in on the cloud backup market a la Windows Home Server 2011, such as Cloudberry.
  • Deleting any of the default server shares such as Recorded TV or Company (if you aren't a company and you aren't using Media Center for Live TV Archiving to the Essentials Server), for example, causes warnings of missing folders in the Dashboard and causes Critical status alerts in the alert panel. There is a workaround for this courtesy of Philip Churchill at http://www.mswhs.com/2012/09/remove-default-shares-in-ws2012-essentials/.