All posts by Morgan Simonsen

App Controller and Azure HighMemory SKUs

We are all aware of the lag between the evolution of the Windows Server platform and the System Center suite. It always takes some time from when a new feature in Windows Server is released, before it is supported in the System Center products. Now, it seems, this applies to Windows Azure as well. Consider the following…

Recently I did a Windows Azure project for a customer which included the introduction of System Center App Controller 2012 SP1 in their environment. They were already using System Center Virtual Machine Manager 2012 SP1 to manage their Hyper-V hosts. We specifically wanted to use App Controller to be able to easily migrate VMs from on-premise Hyper-V into Windows Azure IaaS.

To add an Azure subscription to App Controller you need access to the subscription ID (obtained from the Azure portal e.g.) and a management certificate in PFX format, i.e. you need access to both the private and public keys of the certificate. This certificate needs to already be registered in the subscription. I my case adding the two subscriptions the customer used presented no problems. However, when I came back a few weeks later more instances had been created in the subscriptions and now we had the following error in App Controller under the Public Clouds heading:

* Service unavailable

The first I checked was the status of the App Controller Windows Azure Provider (cmazure) service. This Windows service is responsible for communicating with the Windows Azure platform through the REST API. On my server the service was not running. I started the service and refreshed App Controller, but got the same error. Checking the service status again I found that it had crashed!

The first remedy I tried was updating the App Controller installation with the System Center Service Pack 1 Update Rollup 2 (KB2802159). That did not prevent the cmazure service from crashing but now I had a new error in the App Controller console:

* Requested value ‘A6’ was not found.

A6 and A7 are the IDs of the new HighMemory SKUs introduced in Windows Azure back in April 2013. They are higher memory variants of the Large and Extra Large SKUs respectively. My next move was to check if App Controller knew about these newer SKUs. But first I had to determine if one of my subscriptions in Windows Azure were in fact using any A6 or A7 instances, and if so, remove that subscription. To do this I logged on to the portal, and it was indeed the case. One of the subscriptions had two A6 machines.

I deleted that subscription from App Controller so that I could test my theory that the reason for the error was that App Controller did not know about A6 and A7. Here is a screenshot of deploying a new VM to Azure from App Controller:

image

As you can see, the Instance size list does not contain the A6 and A7 SKUs. Mystery solved!

This case was very surprising to me in several respects. First, it seems strange that App Controller keeps its own definition files of what is available in Windows Azure (a platform that is updated every 4-6 weeks) instead for dynamically downloading that information on demand and caching it. Secondly it seems like bad code when the introduction of a new instance SKU actually crashes a Windows service. Surly that exception could easily be handled in the code.

Active Directory Domain Controllers and certificate auto-enrollment

Introduction to auto-enrollment

Auto-enrollment is a useful feature of Active Directory Certificate Services (AD CS). It allows the administrator to configure subjects to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring subject interaction. The subject does not need to be aware of any certificate operations, unless you configure the certificate template to interact with the subject. A subject in this case can be either a user account or a machine account. (And just a reminder; certificate auto-enrollment is only possible with version 2 certificate templates and these are only available with a Windows Server 2003 Enterprise based Certificate Authority or newer, and a domain with the Windows Server 2003 schema or newer.)

Auto-enrollment is configured through Group Policy and can be set for both types of subjects; users and computers. The location in a GPO is:

  • Computer: Computer ConfigurationWindows SettingsSecurity SettingsPublic Key PoliciesCertificate Service Client – Auto-enrollment
  • User: User ConfigurationWindows SettingsSecurity SettingsPublic Key PoliciesCertificate Service Client – Auto-enrollment

The dialog box is identical and looks like this when enabled:

image

Just for reference, here is how this dialog looked in Windows XP/Windows Server 2003:


Back then it was located under User/Computer ConfigurationWindows SettingsSecurity SettingsPublic Key PoliciesAutoenrollment Settings.

While in the computer part of the GPO you will also notice another setting which deals with auto-enrollment:

Computer ConfigurationWindows SettingsSecurity SettingsPublic Key PoliciesAutomatic Certificate Request Settings

This settings configures which types of certificates a computer should automatically enroll for; Computer, Domain Controller, Enrollment Agent (Computer) or IPSec. This setting has no value by default, instead you have to complete a short wizard to add a value to it by right-clicking and selecting New: Automatic Certificate Request. This will bring up the wizard:

image image image

The steps above will lead to the following setting:

image

The first setting mentioned, Certificate Service Client – Auto-enrollment, controls whether and how auto-enrollment should be performed. This setting, on the other hand, specifies which certificate template to request certificates for. In some cases the client know which templates it wants certificates from, and only needs to be told to auto-enroll. Other times you have to specify this setting as well to tell the client about the certificates templates you want it to auto-enroll based on. The Automatic Certificate Request Settings key is only available in a domain based GPO, not in local policy. For detailed information about this setting look here:

Auto-enrollment of certificates is triggered by one of these events:

  • Computer reboot and subsequent Group Policy application/refresh
  • Interactive logon and subsequent Group Policy application/refresh (Winlogon.exe calls userinit.exe that performs the auto-enrollment based on Group Policy.)
  • Group Policy refresh, either periodic or forced
  • certutil.exe –pulse command

By default there are no auto-enrollment settings configured in a Windows domain. Neither the Default Domain Policy nor the Default Domain Controllers Policy contain auto-enrollment settings so none of your computer or user accounts will automatically enroll for any certificates. There are, however, a few exceptions to this rule. One, of which, are  Domain Controllers.

Enhanced event logging for auto-enrollment

To understand certificate auto-enrollment it helps to enable enhanced logging. By default, auto-enrollment logs errors/failures and successful enrollments in the Application Event log on the client machine.

To enable enhanced logging of auto-enrollment processes, the following registry values must be created:

User Auto-enrollment

HKCUSoftwareMicrosoftCryptographyAutoenrollment

Create a new DWORD value named AEEventLogLevel; set value to 0.

Machine Auto-enrollment

HKLMSoftwareMicrosoftCryptographyAutoenrollment

Create a new DWORD value named AEEventLogLevel, set value to 0.

Note All failures and errors are automatically logged. It is not necessary to enable the registry key to turn on failure logging.

Certificate templates

According to TechNet: Enterprise certification authorities (CAs) use certificate templates to define the format and content of certificates, to specify which users and computers can enroll for which types of certificates, and to define the enrollment process, such as auto-enrollment, enrollment only with authorized signatures, and manual enrollment. Associated with each certificate template is a discretionary access control list (DACL) that defines which security principals have permissions to read and configure the template, as well as to enroll or auto-enroll for certificates based on the template. The certificate templates and their permissions are defined in Active Directory® Domain Services (AD DS) and are valid within the forest. If more than one enterprise CA is running in the Active Directory forest, permission changes will affect all enterprise CAs.

Read the whole text here.

Domain Controller related certificate templates

Domain controllers are interested in the following certificate templates, but depending on the DCs operating system version and the CA’s OS version it depends on what they prefer:

Name Description Key Usage Subject Type Applications used for enhanced key usage Application policies or enhanced key usage
Domain Controller Used by domain controllers as all-purpose certificates and is superseded by two separate templates: Domain Controller Authentication and Directory E-mail Replication Signature and encryption DirEmailRep Client authentication
Server authentication
4.1
Domain Controller Authentication Used to authenticate Active Directory computers and users Signature and encryption Computer Client authentication
Server authentication
Smart card logon
110.0
Directory E-mail Replication Used to replicate e-mail within AD DS Signature and encryption DirEmailRep Directory service e-mail replication 115.0
Kerberos Authentication New in Windows Server 2008, this template is similar to the Domain Controller Authentication template and offers enhanced security capabilities for Windows Server 2008 domain controllers authenticating Active Directory users and computers Signature and encryption Computer Client authentication
Server authentication
Smart card logon
KDC authentication
110.0

The Kerberos Authentication template deserves special mention. Again, from TechNet:

Kerberos Authentication Template

The purpose of the Kerberos Authentication template is to issue certificates to domain controllers, which present the certificates to client computers during user and computer network authentication. Certificates issued via this new template contain two specific attributes. Rather than relying on the DNS name of the computer, applications can verify the following:

  • The enhanced key usage extension of the certificate contains Key Distribution Center (KDC) authentication.
  • The domain name is in the subject alternative name extension of the certificate.

By the authority of the issuing CA, these attributes prove that the computer presenting the certificate is a domain controller for the domain contained in the subject alternative name. This new template is recommended for domain controllers running Windows Server 2008. For domain controllers running Windows Server 2003, the Domain Controller Authentication template or the Kerberos Authentication template can be used.

Client computers running Windows Vista, Windows Server 2008 or later can be configured to check for the new enhanced key usage entry by enabling strong KDC validation on the following registry entry:

HKLMSYSTEMCurrentControlSetControlLsaKerberosParameterskdcvalidation

The default value of 0 disables strong KDC validation. To enable strong KDC validation, set this DWORD value to 2.

The following table shows which certificate template can be used for CAs running different versions of Windows, based on which version of Windows the domain controller is running.

Domain Controller Windows2000 Server-based CA (version 1 only) Windows Server 2003-based CA Windows Server 2008-based CA
Windows 2000 Server (enroll for version 1 templates only) Domain Controller Domain Controller Domain Controller
Windows Server 2003 Domain Controller Domain Controller
or
Domain Controller Authentication
Directory E-mail Replication
Kerberos Authentication or Domain Controller Authentication
Directory E-mail Replication
Windows Server 2008 Domain Controller Domain Controller
or
Domain Controller Authentication
Directory E-mail Replication
Kerberos Authentication
Directory E-mail Replication
Windows Server 2012 Domain Controller Domain Controller
or
Domain Controller Authentication
Directory E-mail Replication
Kerberos Authentication
Directory E-mail Replication

Note

If the CA administrator has not manually assigned the Domain Controller Authentication and Directory E-mail Replication certificate templates to a Windows Server 2003–based CA or a Windows Server 2008–based CA, domain controllers running Windows Server 2003 still use the default Domain Controller certificate template. If a Windows Server 2008–based CA is available and configured to issue the Kerberos Authentication template, a domain controller running Windows Server 2003 or Windows Server 2008 will enroll for a Kerberos Authentication certificate, even if it already has a Domain Controller Authentication certificate.

The Kerberos Authentication certificate template is fully backward-compatible with the previous domain controller templates; for example, when the domain controller has a Kerberos Authentication certificate, smart card logon can be performed even with a client computer running Windows 2000 Professional.

The following table shows the default templates in Windows Server 2008 and Windows Server 2003.

Template name Windows 2000 Server Windows Server 2003 Windows Server 2008/2012
Directory E-mail Replication X
Domain Controller X X X
Domain Controller Authentication X
Kerberos Authentication X

Domain Controller auto-enrollment behavior

It depends when Domain Controllers auto-enroll for the different certificates listed in this post. All domain controllers are hard coded to automatically enroll for a certificate based on the Domain Controller template if it is available for enrollment at a certificate authority in the forest. Hard coded in this case means it is in the code, it is not configured in any local or domain based policy. This is one of the few cases where Windows will auto-enroll for a certificate without auto-enrollment being configured in Group Policy. If the Domain Controller certificate template is not available and enhanced logging for auto-enrollment is enabled you will see the following event in the Application log of a domain controller:

Event ID: 47

Message: Certificate enrollment for Local system could not enroll for a DomainController certificate.  A valid certification authority cannot be found to issue this template.

Unless you configure auto-enrollment; that is that. The DC will not auto-enroll for any other certificate on its own. However, if you do enable auto-enrollment, preferably at the domain level so the settings applies to all computers/users in your domain, the behavior changes.

To enable auto-enrollment you need to configure a domain GPO like this:

image

This will enable auto-enrollment, renew, update and remove certificates and do all these for certificates based on templates.

Now since auto-enrollment is enabled, the Domain Controllers change their behavior. After a new auto-enrollment is triggered we will the the following events (in reverse order) in the Application log of enhanced logging is enabled:

Event ID: 47
Message: Certificate enrollment for Local system could not enroll for a KerberosAuthentication certificate.  A valid certification authority cannot be found to issue this template.

Event ID: 47
Message: Certificate enrollment for Local system could not enroll for a DomainControllerAuthentication certificate.  A valid certification authority cannot be found to issue this template.

Event ID: 47
Message: Certificate enrollment for Local system could not enroll for a DirectoryEmailReplication certificate. A valid certification authority cannot be found to issue this template.

Event ID: 57
Message: The “Microsoft Platform Crypto Provider” provider was not loaded because initialization failed.

Event ID: 56
Message: Certificate enrollment for Local system for the template DomainController was not performed because this template has been superseded.

Let’s look  at these from bottom to top:

ID 56 indicates that the DC has now switched from the hard coded behavior of requesting a certificate based on the Domain Controller template. Since auto-enrollment is now enabled it knows that that certificate template has been superseded. The next events with ID 47 informs us that although the DC would now like to use the new templates, they are not available on any CA in the forest.

As we can see from a previous table in this post, all CAs have the Domain Controller template in their default template list, meaning they can all support the “legacy” hard-coded behavior of any DC to request a certificate based on that template. However, as we have seen, when auto-enrollment is enabled the DC’s preference changes to prefer templates that supersede this template. The Domain Controller E-mail Replication (v2) and Domain Controller Authentication (v2) templates both supersede the Domain Controller (v1) template, and if they are available a DC prefers those. The Kerberos Authentication certificate is even more preferred by DC and they will enroll for a certificate based on this template even if they already have a certificate based on either the Domain Controller (v1) template or the Domain Controller Authentication (v2) template. The Kerberos Authentication certificate is fully backwards compatible with the other templates and can be used for smart card logon. So lets enable the templates and see how the DC’s behavior changes.

First lets enable the legacy Domain Controller template:

On the CA: certutil.exe -SetCAtemplates +DomainController
On the DC: certutil-exe –pulse

This will change nothing since the DC is now configured for auto-enrollment as knows that the Domain Controller Template is superseded. The DC will log a warning that the Domain Controller template has been superseded and the the Domain Controller Authentication, Directory E-mail Replication and Kerberos Authentication templates are all unavailable. So let’s enable the next template; Domain Controller Authentication:

On the CA: certutil.exe -SetCAtemplates +DomainControllerAuthentication
On the DC: certutil-exe –pulse

The DC will now successfully auto-enroll for and receive a certificate based on this template. A new event will be generated in the Application log:

Event ID: 19
Message: Certificate enrollment for Local system successfully received a DomainControllerAuthentication certificate with request ID <#> from certification authority <CA Name>.

Warnings are still generated for the Directory E-mail Replication and Kerberos Authentication template based certs. They are still unavailable.

OK, let’s enable the next template; Directory E-mail Replication:

On the CA: certutil.exe -SetCAtemplates +DirectoryEmailReplication
On the DC: certutil-exe –pulse

The DC will now successfully auto-enroll for and receive a certificate based on this template. A new event will be generated in the Application log.

Event ID: 19
Certificate enrollment for Local system successfully received a DirectoryEmailReplication certificate with request ID <#> from certification authority <CA name>.

Again, there will be warnings for the Kerberos Authentication template certificate.

Last template: Kerberos Authentication:

On the CA: certutil.exe -SetCAtemplates +KerberosAuthentication
On the DC: certutil-exe –pulse

The DC will now successfully auto-enroll for and receive a certificate based on this template, even though it already has certificates based on the Domain Controller Authentication and Directory E-mail Replication templates. A new event will be generated in the Application log:

Event ID: 19
Certificate enrollment for Local system successfully received a KerberosAuthentication certificate with request ID <#> from certification authority <CA name>.

Still, there will be a warning about the Domain Controller template being superseded. This will happen as long as enhanced logging is enabled.

Now the DC will have three certificates based on the Domain Controller Authentication, Directory E-mail Replication and Kerberos Authentication templates. And just to make this perfectly clear; the DC will request always request a certificate based on each of these three templates if they are available.

Tips and tricks

  • If your want to check the status of the certificates on your DC; run certutil.exe –DCInfo. It will enumerate all your DCs and check their certificates.
  • To reinstall the default certificate templates that come with your version of Windows Server into the Configuration NC; run certutil.exe –InstallDefaultTemplates. Note: this will not set up any CAs to issue any templates, just reinstall the template definitions into your Active Directory forest. To list your current templates from Active Directory; run certutil.exe –Templates.

More information

Oh, and in case you are wondering, the other exception to the default “no auto-enrollment” behavior is EFS, which will always attempts to enroll for the Basic EFS template. The EFS driver generates an auto-enrollment request that Auto-enrollment tries to fulfill.

How to manage multiple Windows Azure subscriptions with PowerShell

You can have several Windows Azure subscriptions defined in Windows Azure PowerShell. This lets you easily manage several subscriptions from the same PowerShell console. These are the steps required to add a new Windows Azure Subscription to your Windows Azure PowerShell profile:

  1. Generate a management certificate:
    makecert.exe -pe -n “CN=<certificate subject>” -ss My –r <certificate filename>.cer
  2. Upload management certificate through Windows Azure portal (Settings->Management Certificates):
    image
  3. Copy the subscription ID:
    image
  4. Add subscription to default subscription data file:
    Set-AzureSubscription -SubscriptionName <subscription name> –SubscriptionId <subscription ID> –Certificate <path to cer file> –CurrentStorageAccount <storage account name>

Miscellaneous subscription related commands:

  • List all subscriptions currently defined in Windows Azure PowerShell profile:
    Get-AzureSubscription
  • List current subscription:
    Get-AzureSubscription –Default
  • Set current subscription:
    Set-AzureSubscription -DefaultSubscription <subscription name>
  • Do not specify a default subscription:
    Set-AzureSubscription –NoDefaultSubscription
  • Display currently selected subscription:
    Get-AzureSubscription –Current
  • Set a specific subscription as the active one:
    Select-AzureSubscription –SubscriptionName <subscription>

What does the “This certificate has an invalid digital signature.” message actually mean?

I recently got a new Asus RT-N66U Dark Knight. One of my main reasons for selecting this router was its ability to run the DD-WRT custom firmware. DD-WRT offers a host of cool features, among these is the ability to do web based administration on the router’s WAN interface. Basically you can fire up your favorite browser and log on to the web interface of the router from anywhere on the Internet. Of course you wouldn’t want to do that without encryption so the DD-WRT firmware comes with its own self signed SSL certificate. When trying to use this particular feature was when I started to have problems.

I navigated to my routers WAN address while on the Internet using Internet Explorer. I fully expected IE to throw an error regarding the certificate. The certificate in the router firmware was bound to be a generic certificate not containing either my WAN IP or my FQDN in its subject fields. IE lets you continue if there is a mismatch between what you have typed in your browser’s address field and what is specified in the certificate’s subject field. But instead IE gave me this:

image

As you can see the only option is to close the webpage. IE would not even let me see the certificate and look at the actual certificate error. At this point I switched to Google Chrome to see what it had to offer. This is what it said:

image

Chrome let me continue despite the certificate error and I could access the router’s web pages and also look at the certificate:

image

I exported the certificate and dumped it’s information with certutil.exe:

X509 Certificate:
Version: 1
Serial Number: f1509cfb65bfbb46
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Issuer:
E=info@dd-wrt.com
CN=NewMedia-NET GmbH
OU=DD-WRT
O=NewMedia-NET GmbH
L=Dresden
S=Saxon
C=DE
Name Hash(sha1): f03bcb463cb28f2c7a590ff0ea429861f2e974b1
Name Hash(md5): 3a7bd1dbec01065f788593f78810a3b5

NotBefore: 28.04.2013 05:46
NotAfter: 26.04.2023 05:46

Subject:
E=info@dd-wrt.com
CN=NewMedia-NET GmbH
OU=DD-WRT
O=NewMedia-NET GmbH
L=Dresden
S=Saxon
C=DE
Name Hash(sha1): f03bcb463cb28f2c7a590ff0ea429861f2e974b1
Name Hash(md5): 3a7bd1dbec01065f788593f78810a3b5

Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Public Key Length: 512 bits
Public Key: UnusedBits = 0
0000  30 48 02 41 00 cf 8b 93  48 0c 3d b1 1e 77 bc 62
0010  0a b5 ac 2b 82 cc 10 1c  f0 57 97 9e 17 bc af 82
0020  41 66 6c e1 c2 6b 26 72  0a ea 88 6a d6 7a 51 32
0030  e9 53 99 e6 1b ce 53 10  59 16 74 89 9c 09 a4 0c
0040  3c 9d 13 80 81 02 03 01  00 01
Certificate Extensions: 0
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000  e7 73 70 c1 62 c8 74 7d  b8 25 66 e7 c7 99 94 cb
0010  8f db 52 82 66 24 d8 b8  3f 4e 3e 76 e3 2e 75 63
0020  af 3d d4 1c c7 4a 99 9d  c4 07 72 cd d3 19 f2 3c
0030  4d 99 a5 15 87 b8 9e 2f  82 1f 15 5d 93 3a 76 94
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): be a4 73 4e 2a 56 40 36 ff 3f 2c 0d 35 32 c3 10 a7 24 b2 2a
Key Id Hash(sha1): a8 7e 4f 69 e0 8c 94 49 13 1a 81 c3 64 32 25 2f 3a ab 85 85
Key Id Hash(md5): d98943eba0509d9518cb725cfddc2024
Key Id Hash(sha256): a42184530c87d0045e4c1c32fa7c2561de9d5d5de477bdd3731a0d858d877dc0
Cert Hash(md5): db c8 74 6a 22 3e d5 ad cf 3d d5 1a bd e0 e4 dc
Cert Hash(sha1): 60 50 8a 06 eb 3e bb 37 df 52 8a a4 f0 96 21 af 5d f0 cb c4
Cert Hash(sha256): 92048e3aeb6fc644e930b4c9e3a1d447e52c346091b826a220717bc31e309993
Signature Hash: 05c91314bbe66b58e6f870f57733dfdb456eb5e0

I do not trust the issuer of this certificate (NewMedia-NET GmbH), but that is not what the message in the certificate properties mean. Neither was this a problem with validity since the certificate is valid for almost 10 years at the time of this writing. Even adding this certificate to the Trusted Root Certificate store will not resolve this problem. The reason is to be found in the Public Key Length field. In this certificate the public key is only 512 bytes. In August of 2012 Microsoft released an update that will block any certificates with RSA keys less than 1024 bits in length. This was done to make sure that a private key cannot be discovered using brute force methods and thus exposing private information. After the update the CryptoAPI, which builds a certificate trust chain and validates that chain by using time validity, certificate revocation, and certificate policies (such as intended purposes), implements an additional check to make sure that no certificate in the chain has an RSA key length of less than 1024 bits. Any such certificates will not be trusted.

Actually the error displayed by Internet Explorer; “The security certificate presented by this web site is not secure” makes more sense than the messages in the certificate properties (“This certificate has an invalid digital signature”). Because that is actually what is happening; the certificate is not good enough to protect whatever data your are transmitting between the client and the server. So how come, according to the CryptoAPI extension, the digital signature is not valid?

In public key cryptography the private key is generated from the public keys, or rather, the very large prime numbers selected to be the public key. That means that if the public key is weak, i.e. less than 512 bytes, the resulting private key would be as well. Since it is the issuing authority’s private key that is used to sign the issued certificate the signature itself would also be weak. And that is why the CryptoAPI displays the message “This certificate has an invalid digital signature”. What it should have displayed is something along the lines of “this certificates was signed with a weak private key etc.”.

If you are desperate to use certificates with key lengths less than 1024 bits you can override the restrictions imposed by the Microsoft update. How to do that is documented in the KB article accompanying the update. Here is the command I ran to test that I was on the right track and force IE to let me use the certificate:

certutil -setreg chainminRSAPubKeyBitLength 512

After running this IE have me this for the certificate:

image

As you can see the signature error is now gone (overridden) and we are back to a regular “this cert is not trusted” message.

But since I did not want to use any weak certs I removed the override and instead replace the certificate on the router with a proper V3 2048 bits certificate. This is the command to revert to the new behavior of blocking keys with less than 1024 bits:

certutil -delreg chainMinRsaPubKeyBitLength

More information:

How not to improve the security of your ADFS deployment

Introduction

I was involved in an ADFS deployment recently where the customer wanted to restrict access from the Internet to their ADFS proxy servers, located on their DMZ. They used ADFS to federate with Windows Azure Active Directory so they only wanted to allow traffic from the Microsoft Online Security Token Service (STS) servers into their ADFS. The rational behind this was that only a trusted party (Microsoft) should be able to communicate with an externally available service in their network. A good theory, but one doomed to failure. Let me explain why…

The WS-Federation Passive Requestor Profile

ADFS is Microsoft’s implementation of the OASIS group’s WS-* suite of protocols and mechanisms. A complete description of WS-*  is way beyond this post, but I will list some resources at the end of this post for the inquisitive among you. One of the purposes of the WS-* standard is to allow:

“different security realms to federate, such that authorized access to resources managed in one realm can be provided to security principals whose identities and attributes are managed in other realms”

In other words, to outsource authentication to somebody else that you trust.

The letters WS stand for Web Service, meaning that WS-* is created to work on the Internet, something e.g. Kerberos is not designed to do. Let’s look at a few pieces of WS-* terminology:

  • Requestor
    The client that wants access to some resource/content/service. Often a browser. Requestors are broadly split into two groups; those that can emit Web Service messages using SOAP and those that cannot. (Remember this last bit because it is important.)
  • Relying party (RP)
    The content provider that has something that a user wants access to. The RP has delegated the task of authentication to somebody else; the Identity Provider (IdP)/Security token Service (STS). The RP trusts the IdP/STS. In the Windows world an RP is often an IIS server with the Windows Identity Foundation (WIF) framework installed.
  • Identity Provider (IdP)
    A secure storage of identity information that also provides authentication mechanisms, allowing a Security Token Service (STS) to use it to authenticate. Active Directory is ADFS’ IdP.
  • Security Token Service (STS)
    A service that receives authentication requests from clients, authenticates them via its configured IdP, and issues tokens to clients, to be used at the RP.
  • Trust
    A relationship between the RP and the IdP/STS established with digital certificates whereby the RP trusts the IdP/STS.

A browser cannot emit web service requests, i.e. it cannot talk SOAP, so it uses something called the WS-Federation Passive Requestor Profile (PRP). WS-Federation is an extension to the WS-Trust specification that allows requestors that cannot talk SOAP to still exchange security information (tokens). They do this by being passive, meaning they rely on the RP and IdP to tell them what to do.

An implementation of this can look like this:

image

This is what happens when the passive requestor profile is used to obtain access to a resource:

  1. The requestor contacts the resource asking for access. The resource is the RP.
  2. The RP know the requestor’s security realm so it sends an HTTP redirect instructing the requestor to authenticate at its own realm.
  3. The requestor follows the redirect to its own realm where it is authenticated by its IdP/STS.
  4. In the request for authentication the requestor has included the URI of the resource it wants to access to. After the IdP/STS has authenticated the requestor, it sends another HTTP redirect back to the original resource. Included with the redirect is also a token, possession of which assures that the user has been authenticated.
  5. The requestor follows the redirect back to the original resource supplying the token and gains access to the resource.

The most important thing to note here is that when using the Passive Requestor Profile the RP and IdP/STS never need to communicate directly. It is only the requestor that needs to talk to all the involved parties.

Usually the RP is also an IdP/STS. In the case of Windows Azure Active Directory and federation with an on-premise Windows Server Active Directory the WAAD IdP/STS trusts your on-premise IdP/STS. This allows a single trust to be established. If not each RP would have to maintain its own trust with the IdP/STS.

So now that we know how the Passive Requestor Profile works how would this impact my customer’s request to only allow Microsoft’s STS to talk to its ADFS servers?

Security

Answer is that it would break it and no one would be able to access any resource in the Microsoft cloud. As we have seen it is not the WAAD STS that communicates with on-premise ADFS, or the other way around, it is the requestors, i.e. the clients. So restricting access would deny every client access to on-premise ADFS, and thus any resource they want to access. Don’t do that.

Other stuff and more info

The customer had actually started working on this “security improvement” before I got involved and had already discovered IPs they needed to allow. For the curious, the name of the Microsoft STS is login.microsoftonline.com, which is a CNAME that resolves to the A record login.microsoftonline.com.nsatc.net. The A record has several records (I do not know if this is a complete list):

  • 157.56.53.213
  • 157.56.58.13

To restrict access and always use least privilege is a very good idea, in this case it just backfired because how the system works was not known.

If you want to know more about WS-*, ADFS etc., you can have a look at these resources:

Be secure!

New PowerShell module for Windows Azure Active Directory

A new version of the PowerShell module for Windows Azure Active Directory is available. This module was previously know as the Microsoft Online PowerShell module. The cmdlets all have the word MSOL in them, and the modules are called MSOnline and MSOnlineExtended. The version is still 1.0.0 as were the previous module. New in this release is support for Windows Server 2012; you can install the module on Windows Server 2012 and also configure the version of ADFS in Windows Server 2012. The documentation has also been updated.

Understanding X.509 digital certificate thumbprints

Introduction

I got an interesting question about X.509 certificate thumbprints today from a colleague. Specifically, he wanted to know if you could renew a certificate and keep the thumbprint. The answer is no, unfortunately. So I thought I would explain why you can’t.

Certificate storage

The X.509 standard was first issued in 1988 and is described in several RFCs. It specifies, among other things, public key certificates, what we commonly refer to as X.509 certificates. X.509 certificates, in turn, currently come in three versions, v1, v2 and v3. The v3 certificates are described in RFC 5280. For the remainder of this post the terms certificate, public key certificate and X.509 certificate are used interchangeably.

X.509 certificates, as well as many other things in the X.509 standard, are described using Abstract Syntax Notation One (ASN.1). ASN.1 is a standard used to exchange information between systems independently of the systems’ encoding techniques. ASN.1 have several encoding rules:

  • Basic Encoding Rules (BER)
  • Canonical Encoding Rules (CER)
  • Distinguished Encoding Rules (DER)
  • XML Encoding Rules (XER)
  • Canonical XML Encoding Rules (CXER)
  • Extended XML Encoding Rules (E-XER)
  • Packed Encoding Rules (PER, unaligned: UPER, canonical: CPER)
  • Generic String Encoding Rules (GSER)

The original rules laid out for the ASN.1 standard were Basic Encoding Rules (BER), and CER and DER are more strict variants of BER. Digital certificates are usually stored in the file system as raw binary data, so DER (binary) is the most common. Certificates stored as raw binary usually have a .cer extension, but .der is also in use. Often the binary data is converted to Base64 ASCII files. This is called Privacy Enhanced Email (PEM), and these files commonly have one of these extensions: .pem, .crt, .cer, and .key.

Here is a screenshot of a DER encoded certificate opened in a HEX editor:

image

Here is the same cert encoded as Base64 also opened in a HEX editor:

image

Finally here is the same certificate in ASN.1 human readable form (this isn’t the whole cert):

image

So what does all this mean?

The RFC 5280 X.509 certificate definition

In RFC 5280 the basic syntax of a certificate (using ASN.1) defines three required fields:

Field Definition from RFC 5280
tbsCertificate The sequence TBSCertificate contains information associated with the subject of the certificate and the CA that issued it. Every TBSCertificate contains the names of the subject and issuer, a public key associated with the subject, a validity period, a version number, and a serial number; some MAY contain optional unique identifier fields.
signatureAlgorithm The signatureAlgorithm field contains the identifier for the cryptographic algorithm used by the CA to sign this certificate.
signatureValue The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate. The ASN.1 DER encoded tbsCertificate is used as the input to the signature function. This signature value is encoded as a BIT STRING and included in the signature field.

The tbsCertificate field is by far the largest containing also any extensions the certificate may have like key usage, alternate names etc. RFC 5280 lists all the possible extensions. signatureAlgorithm contains only one piece of data; the hashing algorithm used by the signing authority to sign this particular certificate. signatureValue contains the signature itself, calculated with the hashing algorithm from signatureAlgorithm.

The signature

To produce the certificate signature the signing authority takes the tbsCertificate field in ANS.1 DER encoded form (binary data) and applies the hashing algorithm to it. Inside the tbsCertificate field are some important fields. Specifically the subject name (CN), the hashing algorithm the signing authority used to sign the certificate and the subject’s public key. By signing all these fields the signing authority certifies that the subject in question does in fact own the public key in the certificate. It is a requirement that the signature field within the tbsCertificate field match the signatureAlgorithm field in the certificate. The important distinction here is that it is only the signature field inside the tbsCertificate field that is included in the signature, not the signatureAlgorithm field.

The Windows Cryptographic API

When a certain implementation uses the certificate it calculates and resolves a lot of information not included in the certificate itself. These are things like hash values of various fields and OIDs used to describe e.g. signing algorithms. Certificate Revocation checking is also usually performed and chaining and validation. One example of this behavior is the Windows CryptoAPI Cryptographic Shell Handler. This is the component that shows you a picture like the one below when you double click a certificate from Windows Explorer.

image

Legend

image Actual fields in the certificate
image Extensions in the certificate
image Computed fields not actually part of the certificate data

The certutuil.exe command line utility goes into even greater detail if you inspect (dump) a certificate:

X509 Certificate:
Version: 3
Serial Number: 6e9235460edbb5944d59f9f1a8f1cfe6
Signature Algorithm:
Algorithm ObjectId: 1.3.14.3.2.29 sha1RSA (shaRSA)
Algorithm Parameters:
05 00
Issuer:
CN=Morgan Simonsen
Name Hash(sha1): 935093f16909002acd98626df485fa22b41d9dfd
Name Hash(md5): c32bdd1ad8eaf126fd96b2f7f23f2b9f

NotBefore: 16.04.2013 10:57
NotAfter: 01.01.2040 01:59

Subject:
CN=Morgan Simonsen
Name Hash(sha1): 935093f16909002acd98626df485fa22b41d9dfd
Name Hash(md5): c32bdd1ad8eaf126fd96b2f7f23f2b9f

Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
0000  30 82 01 0a 02 82 01 01  00 ac ed c3 1d 11 7f 63
0010  db 25 50 2e 9a c6 c1 f5  b7 23 c8 a0 71 a4 6e d6
0020  c8 29 17 8f 76 b6 8c 88  33 bf c9 0e 3d c8 0d 87
0030  11 60 e4 f0 77 ae e5 b4  47 6f b1 35 98 d3 44 d0
0040  52 c7 60 2e 7f e9 6c 3c  61 c2 36 3d a7 f5 32 88
0050  de 3c c4 79 62 91 b0 4b  24 78 a2 2e 6a 29 a9 ee
0060  0e 7a d8 0d 9e 12 7b b2  53 d1 17 8c 01 dc eb fb
0070  18 4d c0 ae df 61 7e 2b  dd 15 b5 65 b3 bc b9 25
0080  58 c9 ed 9e ef 9f 26 9b  79 c3 8e 13 92 9e 62 f3
0090  fe 8d ab 33 b4 40 a1 7b  0e b1 71 56 b4 9d 7b cb
00a0  61 9d 70 1d 9d b4 49 c9  46 42 fc 64 44 67 eb 8b
00b0  ea 7c 29 31 cb 4c 32 12  91 6c dd 04 59 07 51 6a
00c0  e6 40 fa ea 4e b2 ae 64  21 2e 6b 00 99 f0 7c 26
00d0  6e ad 6c 15 18 36 dc 81  61 e9 ce 28 7f f8 89 82
00e0  ee ed c5 ee 54 ee aa cd  01 72 75 71 59 fd fc cd
00f0  4d 53 3e 22 71 47 7f 24  e5 51 28 36 12 09 6b 0d
0100  af c9 37 9b e0 d1 00 67  11 02 03 01 00 01
Certificate Extensions: 1
2.5.29.1: Flags = 0, Length = 44
Authority Key Identifier
KeyID=b4 44 ec b5 97 5f 54 f8 ee e8 7b d0 1e c9 81 92
Certificate Issuer:
CN=Morgan Simonsen
Certificate SerialNumber=6e 92 35 46 0e db b5 94 4d 59 f9 f1 a8 f1 cf e6

Signature Algorithm:
Algorithm ObjectId: 1.3.14.3.2.29 sha1RSA (shaRSA)
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000  8b 55 a5 5f f2 b3 2d 19  36 e9 9c cc 92 16 4e 62
0010  18 19 19 3e 7d 76 93 dd  04 9b 5e 0e b7 80 d7 38
0020  9d 1f b9 18 c3 6c 28 be  d6 64 a3 be 04 60 fc 63
0030  6d 26 dc 68 2b 3d c0 88  6d 36 22 a7 e7 c4 15 dc
0040  2b af 18 61 10 bb 3b 32  78 a6 36 08 81 29 b5 6a
0050  3e a2 2d c7 d0 31 69 1f  f3 fc 67 b7 df 2d e0 4e
0060  5d 37 ab a4 d1 56 e2 96  55 d7 21 d2 68 74 dc 5f
0070  b2 e5 12 54 e2 34 ae a0  08 9e 26 2f e2 4e 4e 98
0080  86 f7 6e ac ef e0 43 1e  0b 9d 59 3d a3 3d 55 03
0090  11 7c f1 df 00 1d 47 35  43 32 91 2a dc 4d 4b 9e
00a0  22 bf a1 f5 1e 1d ad d0  ee 73 34 99 43 82 5d 9e
00b0  b6 aa db 93 25 77 42 0a  bd d2 b2 9a e9 0e 31 2d
00c0  63 4c 4a 37 51 b4 b6 81  47 a8 94 fd e7 43 82 f7
00d0  ee 66 f1 d0 00 ff cf 9f  b0 a6 40 08 05 b8 ff 94
00e0  0b cd cf 50 e3 73 6a 03  2f 6f 95 8e 1b 51 e7 a7
00f0  ac ff 39 84 8c bf b8 65  41 c9 82 38 93 7c cb ab
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): 91 cb 09 47 49 10 66 f1 fb 5b bc 8b 5e 0b b1 43 2c d8 80 b2
Key Id Hash(sha1): 4a eb 50 03 a3 78 80 bd 20 a0 00 da c6 f9 ef 8d cc 07 98 52
Key Id Hash(md5): 6a993e53bd40f8f69483d6da66f22a8f
Key Id Hash(sha256): 6979da8247c3080de96e861e9f000a22d6120170a3982bea4e9f054598f6453f
Cert Hash(md5): 94 08 89 bf 34 7e 17 2f 46 d6 25 49 f8 80 1f 6b
Cert Hash(sha1): 0b 61 2f 71 4b 8d ef d5 59 2b d4 5d a9 fe 8c c5 bb ba 36 48
Cert Hash(sha256): 52c93aa9bd509f8b375e0ec8340d9219bac4386497b521d8a7b800eda22e850c
Signature Hash: dee3cb948ffb745c3047e4f393bcf9144863b733
CertUtil: -dump command completed successfully.

 

The Thumbprint

As you can see from the output of the Crypto Shell Extension and Certutil.exe the thumbprint is a computed field, i.e. not a part of the certificate data itself. In the GUI these are called Properties. In the shell extension the thumbprint is called thumbprint and in the Certutil output it is called Cert hash. From this we can surmise that the thumbprint is some kind of hash or one way function (OWF), whose friendly name is thumbprint. (The fact that the shell extension actually has a field called Thumbprint algorithm also helps.) Certutil is also kind enough to compute both a SHA1 and an MD5 hash for us, while the GUI will only do SHA1. As far as I can tell Windows always uses SHA1 to calculate the thumbprint hash, regardless of which signature algorithm is used in the certificate itself.

So what is the thumbprint a hash of? Turns out it is actually the whole certificate, i.e. the binary data representing the three required fields (tbsCertificate, signatureAlgorithm and signature). You can verify this by using a tool that can generate hashes directly from the certificate binary DER file in the file system. In the screenshot below I have used the HashCheck Shell Extension. This tool has a nice feature where you can paste a hash you have obtained from somewhere and see if it matches any of the computed hashes for the file. Here I have copied the thumbprint hash value from Certutil and pasted into the tool:

image

Since the thumbprint is a hash of the certificate in binary DER encoding this will not work if your certificate is stored in any other format than DER.

Conclusion

So now we have the answer to why you cannot request a new certificate, or renew an existing one, with the same thumbprint. Changing anything in the certificate data will produce a completely different hash result and thus a completely different thumbprint.

The thumbprints purpose is actually to make it easy to locate a particular certificate in the certificate store of a system. Let’s say you have a webserver that needs a certificate. Instead of specifying a certificate by subject name, validity or anything else you just supply the thumbprint to the webserver.

More information

To write this post I created a self signed certificate with my name as the subject. The command I used was this:

makecert.exe -pe -n “CN=Morgan Simonsen” -ss My -r morgan_simonsen.der

You can download all the various versions of the certificate from this post from the following link if you want to look in more detail and compare with what I have written.

There are four files in the archive:

File Format
morgan_simonsen.der Binary DER format
morgan_simonsen.crt PEM (Base64) format
morgan_simonsen.asn Raw ASN.1 ASCII data
morgan_simonsen.txt Certutil –dump –asn of the DER cert

Links

Norwegian content: How to integrate your on-premise Active Directory with Windows Azure Active Directory

I have published a 5 part blog series on the Norwegian Microsoft TechNet Blog, with step by step instructions for setting up integration between your on-premise Window Server Active Directory Directory Service and Windows Azure Active Directory. It covers concepts, single-sign on with ADFS, Directory Synchronization with the DirSync Tool and troubleshooting. So if you speak my native language; head on over:

Morgan

App Controller to SQL firewall requirements

So here’s a quick one…

App Controller needs the following services/ports open on the SQL server it is configured to talk to during install:

  • SQL (duh!) (Port TCP 1433)
  • Remote Service Management (RPC SCManager UUID 367ABB81-9844-35F1-AD32-98F038001003)
  • Windows Management Instrumentation (WMI)

If these are open the App Controller installer can automatically detect the SQL instance and you don’t get the pesky “The specified database has insufficient space” error:

image

How to opt in to Microsoft Update with PowerShell

For Windows to retreive updates from Microsoft Update, as opposed to Windows Update (which is the default), you have to opt in. This is usually done through the Windows Update GUI by selecting “Get updates for other Microsoft Products”:

image

This becomes tedious very quickly so here’s how you can do it with PowerShell:

https://gist.github.com/morgansimonsen/8039966

To see if this was successful you can query the Services property of the $MU object:

$mu.Services

You should see something like this:

Name                  : Microsoft Update
ContentValidationCert : {}
ExpirationDate        : 11/18/2014 1:27:43 AM
IsManaged             : False
IsRegisteredWithAU    : True
IssueDate             : 11/18/2011 1:27:43 AM
OffersWindowsUpdates  : True
RedirectUrls          : System.__ComObject
ServiceID             : 7971f918-a847-4430-9279-4a52d1efe18d
IsScanPackageService  : False
CanRegisterWithAU     : True
ServiceUrl            : https://fe1.update.microsoft.com/v6/
SetupPrefix           : mu
IsDefaultAUService    : True

Name                  : Windows Update
ContentValidationCert : {}
ExpirationDate        : 6/18/5254 9:21:00 PM
IsManaged             : False
IsRegisteredWithAU    : False
IssueDate             : 1/1/2003 12:00:00 AM
OffersWindowsUpdates  : True
RedirectUrls          : System.__ComObject
ServiceID             : 9482f4b4-e343-43b6-b170-9a65bc822c77
IsScanPackageService  : False
CanRegisterWithAU     : True
ServiceUrl            :
SetupPrefix           :
IsDefaultAUService    : False

If you only have the Windows Update entry something went wrong.

One of the major benefits of this is that you can do it remotely. I have yet to find another way to do this. If you know, leave a comment.