# Wednesday, 16 March 2011

If you have to parse the Subject Alternative Name (aka SAN) of a certificate, CertGetNameString is your friend:

using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// DWORD CertGetNameString(PCCERT_CONTEXT pCertContext, DWORD dwType, DWORD dwFlags,
//                         void *pvTypeParameter, LPTSTR pszNameString, DWORD cchNameString)
[DllImport("crypt32.dll", EntryPoint = "CertGetNameString", CharSet = CharSet.Auto, SetLastError = true)]
static extern UInt32 CertGetNameString(
    IntPtr CertContext,
    UInt32 lType,
    UInt32 lFlags,
    IntPtr pTypeParameter,
    StringBuilder str,
    UInt32 cch);

private const int CERT_NAME_EMAIL_TYPE = 1; // first rfc822Name of the SAN, else the E= RDN of the subject
private const int CERT_NAME_UPN_TYPE = 8;   // UPN otherName of the SAN
private const int CERT_NAME_NO_FLAG = 0;
private const int SIZE = 255;               // buffer size in characters; a longer name is truncated

private static void ParseSan(X509Certificate2 cc)
{
    Oid oid = new Oid("2.5.29.17");
    X509Extension ext = cc.Extensions[oid.Value]; // the SAN extension (null if the cert has none)

    if (null != ext)
    {
        StringBuilder Buffer = new StringBuilder(SIZE);

        // The return value counts the characters copied including the terminating NUL,
        // so 1 means "no name of this type was found".
        UInt32 nChars = CertGetNameString(cc.Handle,
            CERT_NAME_EMAIL_TYPE,
            CERT_NAME_NO_FLAG,
            IntPtr.Zero,
            Buffer,
            SIZE);
        if (nChars == 1)
        {
            // No e-mail name: fall back to the UPN
            nChars = CertGetNameString(cc.Handle,
                CERT_NAME_UPN_TYPE,
                CERT_NAME_NO_FLAG,
                IntPtr.Zero,
                Buffer,
                SIZE);
        }

        Console.WriteLine("{0}:'{1}'", cc.Thumbprint, Buffer.ToString());
    }
}
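As an added example (not code from the original post), here is a pure-Python walk over the DER-encoded SAN extension value that extracts the same two name forms the P/Invoke code asks CAPI for: rfc822Name (CERT_NAME_EMAIL_TYPE) and the Microsoft UPN otherName (CERT_NAME_UPN_TYPE, OID 1.3.6.1.4.1.311.20.2.3). The sample SAN is constructed inside the script with a tiny DER encoder; on a real certificate you would pass the raw value of extension 2.5.29.17 (in .NET, cc.Extensions["2.5.29.17"].RawData) to parse_san().

```python
"""Walk a DER-encoded SubjectAltName value and pull out rfc822Name and UPN.
Added example, standard library only; the SAN bytes are constructed below."""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # szOID_NT_PRINCIPAL_NAME, the UPN otherName type

def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """One DER tag-length-value element (encoder side, used to build the sample)."""
    return bytes([tag]) + _encode_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_san(names):
    """names: list of (kind, value), kind in {"rfc822Name", "dNSName", "upn"}."""
    parts = []
    for kind, value in names:
        if kind == "rfc822Name":
            parts.append(tlv(0x81, value.encode("ascii")))  # [1] IMPLICIT IA5String
        elif kind == "dNSName":
            parts.append(tlv(0x82, value.encode("ascii")))  # [2] IMPLICIT IA5String
        elif kind == "upn":
            # [0] otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
            inner = encode_oid(UPN_OID) + tlv(0xA0, tlv(0x0C, value.encode("utf-8")))
            parts.append(tlv(0xA0, inner))
    return tlv(0x30, b"".join(parts))  # SEQUENCE OF GeneralName

def read_tlv(buf, pos):
    """Decoder side: (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_san(der):
    """Return the GeneralNames of a SAN value as a list of (kind, value)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SAN value is not a single SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x81:
            names.append(("rfc822Name", val.decode("ascii")))
        elif tag == 0x82:
            names.append(("dNSName", val.decode("ascii")))
        elif tag == 0xA0:  # otherName
            _, oid_body, p = read_tlv(val, 0)
            _, explicit, _ = read_tlv(val, p)  # the [0] EXPLICIT wrapper
            inner_tag, inner, _ = read_tlv(explicit, 0)
            oid = decode_oid(oid_body)
            if oid == UPN_OID and inner_tag == 0x0C:
                names.append(("upn", inner.decode("utf-8")))
            else:
                names.append((f"otherName:{oid}", inner))  # unknown type: keep raw
        else:
            names.append((f"tag:0x{tag:02x}", val))  # iPAddress, URI, ...: keep raw
    return names

def email_then_upn(names):
    """Same fallback as the P/Invoke code: rfc822Name first, then UPN, else None."""
    for wanted in ("rfc822Name", "upn"):
        for kind, value in names:
            if kind == wanted:
                return value
    return None

# Constructed sample; not taken from any real certificate.
SAMPLE_SAN = build_san([("dNSName", "host.corp.example"), ("upn", "alice@corp.example"),
                        ("rfc822Name", "alice@mail.example")])
```

Two differences from CertGetNameString worth knowing: this walker only looks at the SAN, so it does not fall back to the E= RDN of the subject the way CERT_NAME_EMAIL_TYPE does, and it refuses values that are not a single well-formed SEQUENCE instead of returning an empty string, which is the safer behaviour when the name is going to be used for authorization decisions.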
Wednesday, 16 March 2011 15:34:13 (Central European Time, UTC+01:00)
C# | CAPI | Certificates | P/INVOKE
# Thursday, 18 November 2010

You can extend the lifetime of FIM CM OTPs.

All that needs to be done is:

  • Select the Custom Password Provider option in your policy
  • set the type to Microsoft.CLM.BusinessLayer.DefaultSecretProvider
  • the Password provider data controls the OTP generation.
    The format is
    <numberofotp>,<length>,<lifetime>
    • numberofotp can be 0, 1 or 2
    • I did not see a technical limit (it is probably an Int32, so there IS a limit) for length or lifetime

Samples:

  • 1,8,40 will generate one OTP with a length of 8 and a lifetime of 40 days
  • 2,8,8,40 will generate two OTPs, both with a length of 8 and a lifetime of 40 days

It seems that adding 'm' to the lifetime will make it minutes, not days.
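As an added example (not code from the post or from FIM CM), a small parser and validator for the provider data string as this post describes it. It assumes, from the "2,8,8,40" sample, one length field per OTP; that reading is mine, not something documented on the page.

```python
"""Parse the DefaultSecretProvider 'Password provider data' string.
Added example; covers only <numberofotp>,<length>[,<length>],<lifetime>
with the lifetime in days, or in minutes when it carries an 'm' suffix."""
from datetime import timedelta

def parse_lifetime(token):
    """'40' -> 40 days, '30m' -> 30 minutes (the suffix from the post)."""
    token = token.strip().lower()
    if token.endswith("m"):
        return timedelta(minutes=int(token[:-1]))
    return timedelta(days=int(token))

def parse_provider_data(data):
    """Return {'count', 'lengths', 'lifetime'}; raise ValueError on anything malformed."""
    fields = [f.strip() for f in data.split(",")]
    if len(fields) < 2:
        raise ValueError("expected <numberofotp>,<length>...,<lifetime>")
    count = int(fields[0])
    if count not in (0, 1, 2):
        raise ValueError("numberofotp must be 0, 1 or 2")
    lengths = [int(f) for f in fields[1:-1]]   # assumption: one length per OTP
    if len(lengths) != count:
        raise ValueError(f"{count} OTP(s) need {count} length field(s), got {len(lengths)}")
    lifetime = parse_lifetime(fields[-1])
    if any(n <= 0 for n in lengths) or lifetime <= timedelta(0):
        raise ValueError("lengths and lifetime must be positive")
    return {"count": count, "lengths": lengths, "lifetime": lifetime}

def is_valid(data):
    """True when the string parses; handy for checking a policy before saving it."""
    try:
        parse_provider_data(data)
        return True
    except ValueError:
        return False
```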

Thursday, 18 November 2010 11:22:46 (Central European Time, UTC+01:00)
CLM | FIM
# Wednesday, 11 August 2010

If you are working with (b)leeding edge technologies like Outlook 2007, and you have to create plugins that are to be installed for ALL users on a machine, you might want to read this:

http://blogs.msdn.com/b/mshneer/archive/2007/09/04/deploying-your-vsto-add-in-to-all-users-part-i.aspx

The one line I overlooked for a (very) long time said:

"in order for the instruction to execute we need to make sure that HKLM's Count value is different from HKCU's Count value"

So you create your settings starting with something like:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\User Settings\<you_name_it>]

"Count"=dword:00000004

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\User Settings\<you_name_it>\Create\Software\Microsoft\Office\Outlook\AddIns\<you_name_it_again>]

"Description"="My Fancy Plugin"

"FriendlyName"="My Fancy Plugin"

"LoadBehavior"=dword:00000003

"Manifest"="[TARGETDIR]My Fancy Plugin.vsto|vstolocal"

 

This works perfectly unless you need to change things. Nothing gets provisioned if you just modify, let's say, the description. The following entry causes Office to ignore our changes:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\User Settings\<you_name_it>]

"Count"=dword:00000004

Provisioning only starts when the values are different, so delete the HKCU key or change its value.

 

Wednesday, 11 August 2010 16:14:43 (Central European Summer Time, UTC+02:00)
Registry
# Monday, 03 May 2010

Registry files can be fun, and everyone knows how to add things to the registry via .reg files.

But you can also remove entries:

Prefix the key name with '-' to remove the key; set the value data to '-' to remove the value.

Samples:

[-HKEY_LOCAL_MACHINE\Software\Foo] will remove the complete key 'Foo'.

and

[HKEY_LOCAL_MACHINE\Software\Foo]

"Bar"=-

will leave the key 'Foo' and remove the value 'Bar'.

Keep in mind:

The registry is a central element of Windows. Messing around with it may cause unpredictable results and the whole system may fail.

So please double check what you are doing to the registry!!!
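One way to do that double check before importing: parse the .reg file into a list of operations and read what it would do. The script below is an added example (not from this post). It understands the two removal forms described here, [-KEY] and "Name"=-, plus "string" values, dword:xxxxxxxx and the @ default value, which also covers the VSTO Count entries from the Outlook post above, so the HKLM and HKCU Count values can be compared before provisioning. The sample .reg text is constructed; nothing here touches a live registry.

```python
"""Turn a .reg file into a list of registry operations without touching the registry.
Added example; handles [-KEY], "Name"=-, "string", dword: and the @ default value."""
import re

_HEADER = "Windows Registry Editor Version 5.00"
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _decode_data(raw):
    """Map the right-hand side of a value line to (type, data)."""
    if raw == "-":
        return "delete", None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return "REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    return "unsupported", raw        # hex:, hex(7): ... are kept verbatim

def parse_reg(text):
    """Operations in file order: ("delete_key", key), ("delete_value", key, name),
    ("set_value", key, name, type, data)."""
    lines = text.lstrip("\ufeff").splitlines()   # .reg files are often UTF-16 with a BOM
    if not lines or lines[0].strip() != _HEADER:
        raise ValueError("missing '%s' header" % _HEADER)
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                ops.append(("delete_key", key))
                key = None       # values may not follow a deleted key
            continue
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse line: {line!r}")
        if key is None:
            raise ValueError(f"value outside a key: {line!r}")
        name = "" if m.group(1) == "@" else m.group(2)
        kind, data = _decode_data(m.group(3))
        if kind == "delete":
            ops.append(("delete_value", key, name))
        else:
            ops.append(("set_value", key, name, kind, data))
    return ops

def dword_values(ops, name):
    """{key: int} for every REG_DWORD value called `name`, e.g. to compare HKLM/HKCU Count."""
    return {op[1]: op[4] for op in ops
            if op[0] == "set_value" and op[2] == name and op[3] == "REG_DWORD"}

# Constructed sample: the post's "remove a value" form plus VSTO-style entries
# with a placeholder add-in name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Foo]
"Bar"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\User Settings\MyAddin]
"Count"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\User Settings\MyAddin\Create\Software\Microsoft\Office\Outlook\AddIns\MyAddin]
"Description"="My Fancy Plugin"
"LoadBehavior"=dword:00000003
"Manifest"="[TARGETDIR]My Fancy Plugin.vsto|vstolocal"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\User Settings\MyAddin]
"Count"=dword:00000003
'''
```

Running parse_reg over a file before importing it makes every delete_key and delete_value explicit, which is exactly the part of a .reg file that is easy to miss when skimming it in an editor. Multi-line hex values (lines ending in a backslash) are not handled and are reported as unparseable rather than silently skipped.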

 

Monday, 03 May 2010 14:20:49 (Central European Summer Time, UTC+02:00)
Registry
# Thursday, 22 April 2010

Troubleshooting a custom MA for FIM 2010 usually starts with looking into the event log :-)

In this case there was not much to see, so I added my .NET Trace statements to the code. Easy, but where to configure the switches?

Finally I found that the MA is loaded by the FIM server itself, so that is where the config file lives too.

The server is still called MIISSERVER.EXE and is located in

C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin

So just edit C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe.config and add your listener and switches (inside the <configuration> element):

<system.diagnostics>
  <trace autoflush="true" indentsize="4">
    <listeners>
      <add name="mylog"
           traceOutputOptions="ThreadId"
           type="System.Diagnostics.TextWriterTraceListener"
           initializeData="c:\logs\mylog.log" />
    </listeners>
  </trace>
  <switches>
    <add name="MySwitch" value="4"/>
  </switches>
</system.diagnostics>
Thursday, 22 April 2010 15:05:00 (Central European Summer Time, UTC+02:00)
FIM | Tracing
# Saturday, 20 March 2010

MAC addresses are unique to the network card and can be used to identify your PC.

You can view your MAC addresses by typing ipconfig /all:

Ethernet adapter Loopback:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Microsoft Loopback Adapter
  Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  IPv4 Address. . . . . . . . . . . : 111.111.111.111(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 0.0.0.0
  DNS Servers . . . . . . . . . . . : 111.111.111.111
  NetBIOS over Tcpip. . . . . . . . : Enabled

To view other machines' MAC addresses you can ping them and then type arp -a, which will result in a list similar to this:

Interface: 192.168.1.200 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-04-0e-f6-17-55     dynamic
  192.168.1.2           00-04-0e-aa-88-ab     dynamic
  192.168.1.3           00-01-db-09-55-42     dynamic

The first three bytes identify the manufacturer of the card (the OUI); the remainder identifies the card itself.

You can look those up here:

I wrote a small tool that parses a file and returns the manufacturer:

MACTool.zip (632.92 KB)
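As an added example (not the MACTool from the post), here is the same idea in a few lines of Python: pull the MAC addresses out of ipconfig /all and arp -a output and look up the first three bytes in an OUI table. It goes one step beyond the post by also reading the two flag bits of the first octet: bit 0 marks a multicast address and bit 1 a locally administered one (loopback adapters, most virtual NICs and randomized MACs), for which an OUI lookup says nothing about a vendor. OUI_TABLE is a constructed stand-in for the IEEE registry with placeholder names; the sample command output is the text shown in this post.

```python
"""Extract MAC addresses from 'ipconfig /all' / 'arp -a' output and look up the OUI.
Added example; OUI_TABLE and the vendor names are constructed placeholders."""
import re

# Constructed table: placeholder vendor names, not real IEEE assignments.
OUI_TABLE = {
    "00-04-0E": "ExampleVendor A",
    "00-01-DB": "ExampleVendor B",
}

_HEX2 = r"[0-9A-Fa-f]{2}"
_MAC_RE = re.compile(r"\b(%s)[-:](%s)[-:](%s)[-:](%s)[-:](%s)[-:](%s)\b" % ((_HEX2,) * 6))
_ARP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S{17})\s+(\w+)\s*$", re.M)

def normalize(mac):
    """Accept '00:04:0e:f6:17:55' or '00-04-0e-f6-17-55'; return '00-04-0E-F6-17-55'."""
    m = _MAC_RE.search(mac)
    if not m:
        raise ValueError(f"no MAC address in {mac!r}")
    return "-".join(g.upper() for g in m.groups())

def classify(mac):
    """I/G and U/L bits of the first octet: bit 0 = multicast, bit 1 = locally administered."""
    first = int(normalize(mac)[:2], 16)
    return {"multicast": bool(first & 0x01), "locally_administered": bool(first & 0x02)}

def lookup_vendor(mac):
    """Vendor for the OUI, or None when unknown or when the address is not IEEE-assigned."""
    mac = normalize(mac)
    if classify(mac)["locally_administered"]:
        return None      # loopback/virtual/randomized addresses carry no vendor information
    return OUI_TABLE.get(mac[:8])

def extract_macs(text):
    """All MAC addresses in the text, normalized, in order of appearance."""
    return [normalize("-".join(m)) for m in _MAC_RE.findall(text)]

def arp_table(text):
    """(ip, mac, type) rows from 'arp -a' output."""
    return [(ip, normalize(mac), kind) for ip, mac, kind in _ARP_RE.findall(text)]

# Sample output from this post (embedded here as test input).
IPCONFIG_SAMPLE = """Ethernet adapter Loopback:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Microsoft Loopback Adapter
  Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
  DHCP Enabled. . . . . . . . . . . : No
  IPv4 Address. . . . . . . . . . . : 111.111.111.111(Preferred)
"""
ARP_SAMPLE = """Interface: 192.168.1.200 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-04-0e-f6-17-55     dynamic
  192.168.1.2           00-04-0e-aa-88-ab     dynamic
  192.168.1.3           00-01-db-09-55-42     dynamic
"""

if __name__ == "__main__":
    for ip, mac, kind in arp_table(ARP_SAMPLE):
        scope = "local" if classify(mac)["locally_administered"] else "universal"
        print(ip, mac, kind, lookup_vendor(mac), scope)
    print("loopback:", extract_macs(IPCONFIG_SAMPLE), lookup_vendor("02-00-4C-4F-4F-50"))
```

Note that the loopback adapter's address from the post, 02-00-4C-4F-4F-50, has the locally administered bit set, so lookup_vendor() returns None for it by design rather than matching a vendor by accident. For the same reason a MAC address identifies a card only as long as nobody has changed it: the value is trivially configurable on most adapters, so treat it as an identifier, not as proof of identity.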
Saturday, 20 March 2010 12:15:35 (Central European Time, UTC+01:00)
anything else
# Friday, 19 March 2010
Friday, 19 March 2010 19:08:58 (Central European Time, UTC+01:00)

# Thursday, 11 March 2010

To enable foreign key import (archiving keys of certificates not issued by this CA) on a Microsoft CA, you need to set the registry accordingly:

certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN

Then, after a restart of the CA service, you can start importing:

certutil -f -importKMS /?
Usage:
  CertUtil [Options] -ImportKMS UserKeyAndCertFile [CertId]
  Import user keys and certificates into server database for key archival
    UserKeyAndCertFile -- Data file containing user private keys and certificates to be archived.  This can be any of the following:
            Exchange Key Management Server (KMS) export file
            PFX file
            Outlook key export (EPF) file
    CertId -- KMS export file decryption certificate match token.  See -store.
    Use -f to import certificates not issued by the CA.
Options:
  -f                -- Force overwrite
  -gmt              -- Display times as GMT
  -seconds          -- Display times with seconds and milliseconds
  -silent           -- Use silent flag to acquire crypt context
  -split            -- Split embedded ASN.1 elements, and save to files
  -v                -- Verbose operation
  -privatekey       -- Display password and private key data
  -config Machine\CAName    -- CA and Machine name string
  -p Password               -- Password
  -symkeyalg SymmetricKeyAlgorithm[,KeyLength] -- Name of Symmetric Key Algorithm with optional key length, example: AES,128 or 3DES
CertUtil -?              -- Display a verb list (command list)
CertUtil -ImportKMS -?   -- Display help text for the "ImportKMS" verb
CertUtil -v -?           -- Display all help text for all verbs

 

Thursday, 11 March 2010 08:51:53 (Central European Time, UTC+01:00)
CA
# Thursday, 22 October 2009

http://www.moserware.com/ has great posts about programming.

Amongst them is a nice explanation of AES encryption.

Check it out...

Thursday, 22 October 2009 17:09:31 (Central European Summer Time, UTC+02:00)
C#
# Wednesday, 02 September 2009

I often have to diagnose CA 'misbehaviours', and even more often I have to look up where the hell the log files are and how to enable the logging. So after a bit of googling/binging I found this: http://blogs.msdn.com/windowsvistanow/archive/2008/04/08/troubleshooting-certificate-enrollment.aspx

Certification Authority Settings

  • Enable Certificate Services Debug Logging by running the following commands on the CA:
    certutil.exe -f -setreg ca\debug 0xffffffff
    Net Stop Certsvc && Net Start Certsvc
  • The following log files will be created:
    %SystemRoot%\certsrv.log (Certsrv.exe) Certificate Services
    %SystemRoot%\certutil.log (Certutil.exe)
    %SystemRoot%\certreq.log (Certreq.exe)
    %SystemRoot%\certmmc.log (Certmmc.dll) Certificate Services MMC snap-in
    %SystemRoot%\certocm.log (Certocm.dll) Certificate Services Setup

Take a look, there is more useful information there...

 

Ah, and if you use CLM/FIM this might be of interest as well:

http://technet.microsoft.com/en-us/library/cc720663(WS.10).aspx#BKMK_TraceModules

Wednesday, 02 September 2009 20:49:27 (Central European Summer Time, UTC+02:00)
CLM | Tracing | CA
© Copyright 2017 Hannes Köhler