Tag Archives: Certificate Services

Direct Access Computers Can’t Ping Domain Controller on Internal Network?

Can’t ping the domain controller via FQDN while on the internal network?  Trouble accessing any of the internal domains that are available via Direct Access while on your internal network?

This is a quick blog post to document an error I encountered that took me a while to figure out, as is typical with errors that are caused by configuration mistakes, yes self-inflicted.  In the Microsoft Unified Access Gateway administration documentation for configuring Direct Access (DA), it says 2 things that are extremely important but does not emphasize just how important they are, or the errors that will be encountered if they are not followed.

Your Network Location Server (NLS), which must be able to serve HTTPS requests, is used by your DA clients to determine whether they are on the internal network, this site must not and cannot be accessible through DA or any other means from outside your network, so make sure the HTTPS resource is NOT something you need to access from external networks.  If your clients can access the NLS then they will not attempt a DA connection.  If they cannot access the server, then they will attempt a DA connection.  There are a few key points to this server that also cannot be overlooked.

Continue reading Direct Access Computers Can’t Ping Domain Controller on Internal Network?

Free SSL Certificates for Public Domains and Sub-Domains via StartSSL

I’ve been using internally generated SSL certificates for testing and publishing, as most developers, IT pros, and DIY people have, and though it works, it can be a little frustrating when dealing with CRLs and OCSP Responders if you don’t want to receive warnings from browsers and applications about them being untrusted.  For public facing sites, there’s a vendor that is now providing free certificates and an excellent toolbox for managing them.

StartSSL logo
Read on for more info or take the link: https://www.startssl.com.

Continue reading Free SSL Certificates for Public Domains and Sub-Domains via StartSSL

Enable Web Server Certificate Requests On Windows Server 2008R2 CA Server

So I’ve run into this problem multiple times and ‘hacked’ my way around it various ways, but there is a better way that doesn’t require the use of certutil.exe or any other console utilities.  This scenario applies under the following conditions:

  • CA (Certificate Authority) Server is running on Windows Server 2008 R2
  • Web Server is running on Windows Server 2008 R2
  • Both servers are members of the same domain
  • You want to use the Certificates snap-in
  • You want to stay away from the console if you can

By default, you cannot generate a web server certificate request directly from your servers and you are presented with this screen based on the default Active Directory Enrollment Policy:

001 denied

As you can see from the screenshot, most of the certificate templates are unavailable with the exception of the computer certificate template.

Continue reading Enable Web Server Certificate Requests On Windows Server 2008R2 CA Server

Extending The Life of Your VMware vCloud Director Appliance and Changing Certificates

vCloudDirectorVMware is distributing a limited usage vCloud Director virtual appliance to facilitate and support evaluation of the product.  I wanted to stand it up in my lab as a test-bed and to get to know the product better, but after checking into it, it’s not just the eval licenses that will expire.  The http certificates will also expire within 60 days of the certificates being generated since it uses the Java ‘keytool’ utility and it’s configured to.  As a VMware partner and I have access to licenses to extend the life of the appliance but due to my environment, I cannot work with expired certificates.

Continue reading Extending The Life of Your VMware vCloud Director Appliance and Changing Certificates

Windows Server 2008 and Subversion over HTTPS

Here’s the scenario, I decided to try out Subversion as a source control repository on a Windows Server 2008 server, attached to a Win Server 2008 domain, with ISA Server forwarding HTTP traffic.  After doing a little bit of research, I decided to give VisualSVN Server a try.  If you don’t know it, it’s a very small footprint product produced by VisualSVN Limited, that installs Subversion and an Apache server, on Windows, to handle the HTTP connection to SVN (Subversion).

The product installed and configured very easily, ‘hats off’ to VisualSVN, and I was immediately able to connect to it from internal on my network.  There are a few self-explanatory questions that are posed in the installation wizard.  Tough things like where do you want to store your repositories. ;)  (If you’re going to use a file share as a repository, make sure that you use the UNC and not a mapped drive.)

websiteshot

I’m amazed that I’ve come across yet another tech product that is actually behaving as advertised.  Is it just me, or is that odd???

Not the fault of VisualSVN, I began to run into configuration issues when I tried to route the traffic through ISA Server.

Keep Reading…

Continue reading Windows Server 2008 and Subversion over HTTPS

Install Certificate Services on Windows Server 2008 R2

This post picks up where the last post left off.  In the last post, we created a Windows Server 2008 R2 Active Directory Domain Controller and stopped short of going on to add Certificate Services into the mix.

If you’re not sure if you need certificate services for your environment, it never hurts to have it available.  It does not add much overhead so for development environments and small businesses you can consider adding the role to a DC (domain controller) as we are here.  Certificate Services will allow you to issue certificates to your internal resources, use client/server certificates for authentication, and set up SSL enabled websites.

I believe best practice is, and I’m sure someone will correct me if I’m wrong, to set up an Enterprise Root CA (Certificate Authority), then set up one or more subordinate CA’s.  You can then make your Root CA unavailable for access and have the subordinates handle all of the traffic without fear of compromising your Root CA.  In this tutorial, we’ll just be installing and configuring a Root CA, but the process is basically the same for the subordinates.

Now that you’ve got some background information, onto the installation/configuration of Windows Server 2008 R2 Certificate Services.

In ‘Server Manager’, select Roles in the left pane, then Add Roles in the right pane.  Place a check mark in the checkbox for Active Directory Certificate Services.  Then click Next.

002

Keep reading…

Continue reading Install Certificate Services on Windows Server 2008 R2