see sharp
# Thursday, 22 April 2010

Troubleshooting a custom MA for FIM 2010 usually starts with looking into the event log :-)

In this case there was not much to see, so I added .NET Trace statements to the code. Easy, but where do you configure the switches?

Finally I found that the MA is loaded by the FIM synchronization server process itself, so that process's config file is the one to use.

The server is still called miiserver.exe and is located in

C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin

So just edit C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe.config and add your listener and switches:

<system.diagnostics>
  <trace autoflush="true" indentsize="4">
    <listeners>
      <add name="mylog"
           traceOutputOptions="ThreadId"
           type="System.Diagnostics.TextWriterTraceListener"
           initializeData="c:\logs\mylog.log" />
    </listeners>
  </trace>
  <switches>
    <add name="MySwitch" value="4"/>
  </switches>
</system.diagnostics>
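The MA side of that configuration, as an added example that is not the post's own code: a TraceSwitch bound to the "MySwitch" entry (value 4 is TraceLevel.Verbose) and trace calls that land in the configured listener. The class and method names are assumptions.

```csharp
using System;
using System.Diagnostics;

// Hypothetical helper inside the custom MA assembly loaded by miiserver.exe.
public static class MaTrace
{
    // The switch name must match <add name="MySwitch" .../> in miiserver.exe.config;
    // the configured value (4) selects TraceLevel.Verbose, so all levels below fire.
    static readonly TraceSwitch Switch = new TraceSwitch("MySwitch", "Custom MA tracing");

    // Example call site: one unit of MA work with structured, indented output.
    public static void MapAttributes(string csObjectId, string[] attributes)
    {
        Trace.WriteLineIf(Switch.TraceInfo, "MapAttributes: " + csObjectId);
        Trace.Indent();                       // honours indentsize="4" from the config
        try
        {
            foreach (string a in attributes)
                Trace.WriteLineIf(Switch.TraceVerbose, "attribute " + a);
        }
        catch (Exception ex)
        {
            // Errors are always written when the switch is at Error level or above.
            Trace.WriteLineIf(Switch.TraceError, "MapAttributes failed: " + ex);
            throw;                            // let the sync engine see the failure
        }
        finally
        {
            Trace.Unindent();
            Trace.Flush();                    // autoflush="true" already does this
        }
    }
}
```

Because traceOutputOptions="ThreadId" is set on the listener, each line in c:\logs\mylog.log also carries the thread that produced it, which helps when the sync engine runs several MA operations concurrently.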
Thursday, 22 April 2010 15:05:00 (Central European Summer Time, UTC+02:00)
FIM | Tracing
# Saturday, 20 March 2010

MAC addresses are unique to the network card and can be used to identify your PC.

You can view your MAC addresses by typing ipconfig /all:

Ethernet adapter Loopback:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Microsoft Loopback Adapter
  Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  IPv4 Address. . . . . . . . . . . : 111.111.111.111(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 0.0.0.0
  DNS Servers . . . . . . . . . . . : 111.111.111.111
  NetBIOS over Tcpip. . . . . . . . : Enabled

To view other machines' MAC addresses, ping them and then type arp -a, which will result in a list similar to this (ARP only resolves hosts on your own subnet; for anything beyond it you see your gateway's address instead):

Interface: 192.168.1.200 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-04-0e-f6-17-55     dynamic
  192.168.1.2           00-04-0e-aa-88-ab     dynamic
  192.168.1.3           00-01-db-09-55-42     dynamic

The first three bytes (the OUI) identify the manufacturer of the card; the remainder identifies the card itself.

You can look those up here:

I wrote a small tool that parses a file and returns the manufacturer:

MACTool.zip (632.92 KB)
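An added example (not the MACTool code from the post) that parses the arp -a listing shown above, extracts the three-byte OUI of each entry and looks it up in a vendor table. The vendor table is a constructed stand-in; a real tool would load the IEEE OUI list.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

static class ArpOuiLookup
{
    // Matches the "Internet Address  Physical Address  Type" rows of "arp -a".
    static readonly Regex ArpRow = new Regex(
        @"^\s*(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(?<type>\w+)",
        RegexOptions.IgnoreCase | RegexOptions.Multiline);

    // First three bytes of the MAC, normalised to upper case, e.g. "00-04-0E".
    public static string Oui(string mac) => mac.Substring(0, 8).ToUpperInvariant();

    public static IEnumerable<(string ip, string mac, string vendor)> Parse(
        string arpOutput, IDictionary<string, string> ouiTable)
    {
        foreach (Match m in ArpRow.Matches(arpOutput))
        {
            string mac = m.Groups["mac"].Value;
            ouiTable.TryGetValue(Oui(mac), out string vendor);
            yield return (m.Groups["ip"].Value, mac, vendor ?? "unknown OUI");
        }
    }

    static void Main()
    {
        // Constructed sample input: the arp -a listing from the post.
        const string sample = @"
Interface: 192.168.1.200 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-04-0e-f6-17-55     dynamic
  192.168.1.2           00-04-0e-aa-88-ab     dynamic
  192.168.1.3           00-01-db-09-55-42     dynamic";
        // Constructed vendor table (placeholder name); replace with the IEEE OUI list.
        var table = new Dictionary<string, string> { ["00-04-0E"] = "VendorA (constructed)" };
        foreach (var (ip, mac, vendor) in Parse(sample, table))
            Console.WriteLine($"{ip,-16} {mac}  {vendor}");
    }
}
```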
Saturday, 20 March 2010 12:15:35 (Central European Time, UTC+01:00)
anything else
# Friday, 19 March 2010
Friday, 19 March 2010 19:08:58 (Central European Time, UTC+01:00)

# Thursday, 11 March 2010

To enable foreign key import on a MS CA you need to set the registry accordingly:

certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN

Then, after a restart of the CA service, you can start importing:

certutil -f -importKMS /?
Usage:
  CertUtil [Options] -ImportKMS UserKeyAndCertFile [CertId]
  Import user keys and certificates into server database for key archival
    UserKeyAndCertFile -- Data file containing user private keys and certificates to be archived.  This can be any of the following:
            Exchange Key Management Server (KMS) export file
            PFX file
            Outlook key export (EPF) file
    CertId -- KMS export file decryption certificate match token.  See -store.
    Use -f to import certificates not issued by the CA.
Options:
  -f                -- Force overwrite
  -gmt              -- Display times as GMT
  -seconds          -- Display times with seconds and milliseconds
  -silent           -- Use silent flag to acquire crypt context
  -split            -- Split embedded ASN.1 elements, and save to files
  -v                -- Verbose operation
  -privatekey       -- Display password and private key data
  -config Machine\CAName    -- CA and Machine name string
  -p Password               -- Password
  -symkeyalg SymmetricKeyAlgorithm[,KeyLength] -- Name of Symmetric Key Algorithm with optional key length, example: AES,128 or 3DES
CertUtil -?              -- Display a verb list (command list)
CertUtil -ImportKMS -?   -- Display help text for the "ImportKMS" verb
CertUtil -v -?           -- Display all help text for all verbs


Thursday, 11 March 2010 08:51:53 (Central European Time, UTC+01:00)
CA
# Thursday, 22 October 2009

http://www.moserware.com/ has great posts about programming.

Amongst them is a nice explanation of AES encryption.

Check it out...

Thursday, 22 October 2009 17:09:31 (Central European Summer Time, UTC+02:00)
C#
# Wednesday, 02 September 2009

I often have to diagnose CA 'misbehaviours', and even more often I have to look up where the log files are and how to enable the logging. So after a bit of googling/binging I found this: http://blogs.msdn.com/windowsvistanow/archive/2008/04/08/troubleshooting-certificate-enrollment.aspx

Certification Authority Settings

  • Enable Certificate Services Debug Logging by running the following commands on the CA:
    certutil.exe -f -setreg ca\debug 0xffffffff
    Net Stop Certsvc && Net Start Certsvc
  • The following log files will be created:
    %SystemRoot%\certsrv.log (Certsrv.exe) Certificate Services
    %SystemRoot%\certutil.log (Certutil.exe)
    %SystemRoot%\certreq.log (Certreq.exe)
    %SystemRoot%\certmmc.log (Certmmc.dll) Certificate Services MMC snap-in
    %SystemRoot%\certocm.log (Certocm.dll) Certificate Services Setup

Take a look, there is more useful information there...

Ah, and if you use CLM/FIM, this might be of interest as well:

http://technet.microsoft.com/en-us/library/cc720663(WS.10).aspx#BKMK_TraceModules

Wednesday, 02 September 2009 20:49:27 (Central European Summer Time, UTC+02:00)
CLM | Tracing | CA
# Sunday, 19 July 2009

Matt Atkers has a nice post on how to reboot your Zune:

http://forums.zune.net/0/1/231510/ShowPost.aspx#231510

It has worked on my first Zune, but for my 80G device I'm still trying to figure out how to get rid of the Screens 5 and 3.
Sunday, 19 July 2009 20:10:04 (Central European Summer Time, UTC+02:00)
Zune
# Wednesday, 24 June 2009

Sometimes you need the integer value (or combination of values) for the Key Usage (e.g. for use in CertReq.EXE's INF files).

This is the X509 Certificate Key Usage as defined in .NET:

| Key Usage | Description |
|-----------|------------------|
| 0x0000 | None |
| 0x0001 | EncipherOnly |
| 0x0002 | CrlSign |
| 0x0004 | KeyCertSign |
| 0x0008 | KeyAgreement |
| 0x0010 | DataEncipherment |
| 0x0020 | KeyEncipherment |
| 0x0040 | NonRepudiation |
| 0x0080 | DigitalSignature |
| 0x8000 | DecipherOnly |

Of course it can be a combination of values :-)

To get it out of a certificate use this snippet (certificate is a valid X509Certificate2 object):

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static void PrintKeyUsages(X509Certificate2 certificate)
{
    // either "Key Usage" or the OID "2.5.29.15" can be used here
    string keyUsageOID = "2.5.29.15";

    X509KeyUsageExtension keyUsageExtension =
        certificate.Extensions[keyUsageOID] as X509KeyUsageExtension;

    if (keyUsageExtension != null)
    {
        Console.WriteLine("Key Usage is 0x{0:x4}, {1}",
            Convert.ToInt32(keyUsageExtension.KeyUsages),
            keyUsageExtension.KeyUsages);

        // test for signature
        bool hasSignatureKeyUsage =
            (keyUsageExtension.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature;
        // just for fun: test for CRL signing too
        bool hasCrlSignKeyUsage =
            (keyUsageExtension.KeyUsages & X509KeyUsageFlags.CrlSign) == X509KeyUsageFlags.CrlSign;
    }

    // either "Enhanced Key Usage" or the OID "2.5.29.37" can be used here
    string enhancedKeyUsageOID = "2.5.29.37";

    X509EnhancedKeyUsageExtension enhancedKeyUsageExtension =
        certificate.Extensions[enhancedKeyUsageOID] as X509EnhancedKeyUsageExtension;

    if (enhancedKeyUsageExtension != null)
        foreach (Oid oid in enhancedKeyUsageExtension.EnhancedKeyUsages)
            Console.WriteLine("Enhanced Key Usage is {0} ({1})",
                oid.FriendlyName,
                oid.Value);
}
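Going the other way, as an added example that is not the post's own code: turn the .NET flags into the hex literal certreq expects in an INF [NewRequest] section, parse such a literal back (rejecting bits the table does not define), and check an issued certificate against the usages that were requested. The class name and the sample file path are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class KeyUsageInf
{
    // Bits defined by X509KeyUsageFlags (the table above): 0x00FF plus DecipherOnly 0x8000.
    const int DefinedBits = 0x80FF;

    // Renders combined flags as the literal certreq expects in [NewRequest],
    // e.g. DigitalSignature | KeyEncipherment -> "KeyUsage = 0xA0".
    public static string ToInfLine(X509KeyUsageFlags flags) =>
        "KeyUsage = 0x" + ((int)flags).ToString("X2");

    // Parses "KeyUsage = 0xA0", "0xA0" or "160" back into flags; undefined bits are an error.
    public static X509KeyUsageFlags FromInfValue(string text)
    {
        int eq = text.IndexOf('=');
        string v = (eq >= 0 ? text.Substring(eq + 1) : text).Trim();
        int n = v.StartsWith("0x", StringComparison.OrdinalIgnoreCase)
            ? Convert.ToInt32(v.Substring(2), 16)
            : int.Parse(v);
        if ((n & ~DefinedBits) != 0)
            throw new ArgumentException("undefined key usage bits in '" + text + "'");
        return (X509KeyUsageFlags)n;
    }

    // Returns the required usages the issued certificate does NOT carry
    // (a certificate without a Key Usage extension is treated as carrying none).
    public static X509KeyUsageFlags MissingUsages(X509Certificate2 cert, X509KeyUsageFlags required)
    {
        var ext = cert.Extensions["2.5.29.15"] as X509KeyUsageExtension;
        var present = ext == null ? X509KeyUsageFlags.None : ext.KeyUsages;
        return required & ~present;
    }

    static void Main()
    {
        var wanted = X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment;
        Console.WriteLine(ToInfLine(wanted));
        Console.WriteLine(FromInfValue("KeyUsage = 0xA0"));
        // After issuance, compare the returned certificate with the request (path is an assumption):
        var issued = new X509Certificate2(@"C:\certs\certnew.cer");
        Console.WriteLine("missing usages: " + MissingUsages(issued, wanted));
    }
}
```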
Wednesday, 24 June 2009 09:51:50 (Central European Summer Time, UTC+02:00)
C# | Certificates
# Tuesday, 26 May 2009

Alejandro Campos Magencio has written a nice post on how to import a certificate without user interaction:

http://blogs.msdn.com/alejacma/archive/2008/01/31/how-to-import-a-certificate-without-user-interaction-c-c.aspx

It is built around CryptUIWizImport which is described here: http://msdn.microsoft.com/en-us/library/aa380598.aspx

Be sure to check all flags available:


| Value | Meaning |
|-------|---------|
| CRYPTUI_WIZ_NO_UI (0x0001) | This function will perform the import based on the information in the CRYPTUI_WIZ_IMPORT_SRC_INFO structure pointed to by pImportSrc into the store specified by hDestCertStore without displaying any user interface. If this flag is not specified, this function will display a wizard to guide the user through the import process. |
| CRYPTUI_WIZ_IGNORE_NO_UI_FLAG_FOR_CSPS (0x0002) | Suppress all user interfaces generated by cryptographic service providers (CSPs). This option can be overridden by the CRYPTUI_WIZ_NO_UI_EXCEPT_CSP option. |
| CRYPTUI_WIZ_NO_UI_EXCEPT_CSP (0x0003) | Suppress all user interfaces except those generated by CSPs. This option overrides the CRYPTUI_WIZ_IGNORE_NO_UI_FLAG_FOR_CSPS option. |
| CRYPTUI_WIZ_IMPORT_ALLOW_CERT (0x00020000) | Allow certificates to be imported. |
| CRYPTUI_WIZ_IMPORT_ALLOW_CRL (0x00040000) | Allow CRLs to be imported. |
| CRYPTUI_WIZ_IMPORT_ALLOW_CTL (0x00080000) | Allow CTLs to be imported. |
| CRYPTUI_WIZ_IMPORT_NO_CHANGE_DEST_STORE (0x00010000) | Do not allow the user to change the destination certificate store represented by the hDestCertStore parameter. |
| CRYPTUI_WIZ_IMPORT_TO_LOCALMACHINE (0x00100000) | Import the object to the certificate store for the local computer. This applies only to Personal Information Exchange (PFX) imports. |
| CRYPTUI_WIZ_IMPORT_TO_CURRENTUSER (0x00200000) | Import the object to the certificate store for the current user. This applies only to PFX imports. |
| CRYPTUI_WIZ_IMPORT_REMOTE_DEST_STORE (0x00400000) | Import the object to a remote certificate store. Set this flag if the hDestCertStore parameter represents a remote certificate store. |

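An added example (my own P/Invoke declaration, not code from the linked post) that combines the flags above for a silent PFX import into the local machine's Personal store, pinned to that store so a caller cannot redirect it. The flag values are the ones listed in the table; CRYPTUI_WIZ_IMPORT_SUBJECT_FILE (1) comes from cryptuiapi.h, and the method name is an assumption.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

static class SilentPfxImport
{
    // Flag values as listed in the CryptUIWizImport table above.
    const uint CRYPTUI_WIZ_NO_UI                       = 0x0001;
    const uint CRYPTUI_WIZ_IMPORT_NO_CHANGE_DEST_STORE = 0x00010000;
    const uint CRYPTUI_WIZ_IMPORT_ALLOW_CERT           = 0x00020000;
    const uint CRYPTUI_WIZ_IMPORT_TO_LOCALMACHINE      = 0x00100000;
    // dwSubjectChoice: the import source is a file on disk (cryptuiapi.h).
    const uint CRYPTUI_WIZ_IMPORT_SUBJECT_FILE = 1;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct CRYPTUI_WIZ_IMPORT_SRC_INFO
    {
        public uint dwSize;
        public uint dwSubjectChoice;
        public string pwszFileName;   // first member of the source union; only one used here
        public uint dwFlags;          // PFX import flags; 0 keeps the private key non-exportable
        public string pwszPassword;
    }

    [DllImport("cryptui.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CryptUIWizImport(uint dwFlags, IntPtr hwndParent,
        string pwszWizardTitle, ref CRYPTUI_WIZ_IMPORT_SRC_INFO pImportSrc,
        IntPtr hDestCertStore);

    public static void ImportPfxToLocalMachine(string pfxPath, string password)
    {
        var src = new CRYPTUI_WIZ_IMPORT_SRC_INFO
        {
            dwSize = (uint)Marshal.SizeOf(typeof(CRYPTUI_WIZ_IMPORT_SRC_INFO)),
            dwSubjectChoice = CRYPTUI_WIZ_IMPORT_SUBJECT_FILE,
            pwszFileName = pfxPath,
            dwFlags = 0,
            pwszPassword = password
        };
        // Open the destination store ourselves and pass its handle; NO_CHANGE_DEST_STORE
        // prevents the (suppressed) wizard from ever offering a different store.
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadWrite);
            uint flags = CRYPTUI_WIZ_NO_UI | CRYPTUI_WIZ_IMPORT_ALLOW_CERT
                       | CRYPTUI_WIZ_IMPORT_NO_CHANGE_DEST_STORE | CRYPTUI_WIZ_IMPORT_TO_LOCALMACHINE;
            if (!CryptUIWizImport(flags, IntPtr.Zero, null, ref src, store.StoreHandle))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        }
    }
}
```

Only CRYPTUI_WIZ_IMPORT_ALLOW_CERT is set, so a file that turns out to contain a CRL or CTL is rejected rather than silently imported.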

Tuesday, 26 May 2009 20:04:39 (Central European Summer Time, UTC+02:00)
C# | CAPI | Certificates
# Friday, 15 May 2009

First you need to enable the CA to accept SAN requests by changing the registry:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

A nice description of how to enable SANs on a MS CA can be found here:

http://support.microsoft.com/kb/931351/en-us

I used that as a base to request WebServer certificates with certreq, but I had to remove the EncipherOnly line and I changed the Exportable flag to true in the INF file:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=corpdc1.fabrikam.com"   
; must be the FQDN of domain controller
; EncipherOnly = FALSE
Exportable = TRUE         
; TRUE = Private key is exportable
KeyLength = 1024          
; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1               ; Key Exchange
KeyUsage = 0xA0          
; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer
;Omit  line if CA is a stand-alone CA
SAN="dns=.fabrikam.com&dns=ldap.fabrikam.com&dns=localhost"


The complete INF file syntax used by certreq can be found here: http://technet.microsoft.com/en-us/library/cc736326(WS.10).aspx

EncipherOnly seems not to work in my 2008 environment, or some other flags made that invalid.

In addition, when creating the request, I specified the CA on the certreq command line:

certreq -new request.inf certnew.req
certreq -config mycaserver\myca -submit certnew.req certnew.cer

The last line outputs the request ID needed for the next certreq command. Then, on the CA, issue the certificate if it is not issued automatically (that depends on the template used).
After that you can retrieve and accept the certificate:

certreq -config mycaserver\myca -retrieve myidreturnedfromsubmitcommand certnew.cer
certreq -accept certnew.cer

After that, you have a certificate with multiple SANs in your computer's machine store (we specified MachineKeySet) which can be used in IIS.


Just to mention:

It's easy to add multiple websites to IIS using host headers, but if you want to use SSL on those sites you have to add the SSL binding. The easiest way I found was using the command line; the commands depend on the version of your IIS.

IIS6:

cscript.exe c:\inetpub\adminscripts\adsutil.vbs set /w3svc/mysiteid/SecureBindings ":443:myhostheader"

The host header is pretty obvious, and the mysiteid can be found when you click on the Web Sites node in the IIS manager (it's the Identifier column).

IIS7:

appcmd set site /site.name:"mysite" /+bindings.[protocol='https',bindingInformation='*:443:myhostheader']

Friday, 15 May 2009 10:00:26 (Central European Summer Time, UTC+02:00)
Authentication | Certificates | IIS

© Copyright 2017
Hannes Köhler