Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)
KB ID 0001244 Problem This is pretty much PART TWO of two posts addressing the need to migrate away from SHA1 before February 2017. Back in PART ONE we looked at how to upgrade the ROOT CA. It does not matter if it’s an offline or online root CA the process is the same. In many organisations their PKI is multi tiered, they either have a RootCA <> SubCA, or a ROOTCA <> IntermediateCA <> IssuingCA. (which is...
Certificate Services – Migrate from SHA1 to SHA256
SHA1 to SHA256 KB ID 0001243 Problem It’s time to start planning! Microsoft will stop their browsers displaying the ‘lock’ icon for services that are secured with a certificate that uses SHA1. This is going to happen in February 2017 so now’s the time to start thinking about testing your PKI environment, and making sure all your applications support SHA2. Note: This includes code that has been signed using...
ADCS – Login Failure: The user has not been granted the logon type at this computer
KB ID 0001242 Problem Post By: Daniel Newton I was configuring a ADCS (Active Directory Certificate Services) on a DC (Domain Controller) for a client today and wanted to setup web-enrolment. I gave the Certificate Service User permissions to the IIS_USRS Group and everything was going well. Then, this error popped up when assigning the service account in setup. Solution This can be easily fixed, just follow these instructions and...
Error – The Computer You Are Signing Into Is Protected By An Authentication Firewall
KB ID 0001241 Problem I put a ‘net use’ command in a logon script for a client today, and the drive refused to appear. So I executed the offending line and saw the following error; System error 1935 has occurred The computer you are signing into is protected by an authentication firewall. The specified account is not allowed to authenticate the computer. Solution This error is seen because the user, (or group the user is a...
Cisco ASA – Adding New Networks to Existing VPNs
KB ID 0001240 Problem Note: To add new subnets to an AnyConnect Remote Access VPN, see the following article instead; Cisco ASA – Adding New Networks to AnyConnect VPNs I see this get asked in forums A LOT, so I though I’d get around to getting it written up. If you have an existing VPN to a remote site and then need to add another network how do you do it? Well that depends on where the new network is, and how it’s...
Cisco VPN – Split Tunnel Not Working?
KB ID 0001239 Problem Here I’m dealing with AnyConnect VPNs, but the principles are exactly the same for both remote IPSEC and L2TP VPNs. You connect to your VPN and can no longer browse the internet from your remote location. You can confirm that split-tunnelling is working or not by connecting with your VPN client and looking at the routing information. Solution Before proceeding are you sure Split-Tunnelling has ever been...
Changing Domain Users’ ‘User Logon Names’ and UPN’s
KB ID 0001238 Problem Changing a users UPN suffix is easy (as long as it’s been added – see below). There is some confusion about the User Login Name though. A few weeks ago I had a client that needed this done, (for an office 365 migration). But they had the added problem that some of their User Logon Names had spaces in them, they were in first-name{space}last-name format. What would happen if I changed their user...
Cisco ASA – Allowing Microsoft Activation
KB ID 0001237 Problem Activation occurs over TCP 80 and 443, so usually this will not trip you up. However if you are on a site with a very restrictive firewall config, then you might want to add the following. Solution I’ll break with the norm, and just post the config in its entirety, (just remove the comments in red.) !The Firewall needs a domain name of its own. ! domain-name petenetlive.com ! !Setup DNS Lookups so the...
AnyConnect – The VPN Connection Failed (Domain Name Resolution)
KB ID 0001236 Problem This is a pretty generic error to be honest. AnyConnect Secure Mobility Client VPN The VPN connection failed due to unsuccessful domain name resolution. Solution Firstly, (and obviously) the name you are typing in the AnyConnect window can be resolved can’t it? If not then you might want to consider some employment that does not involve computers. Secondly (this is what usually trips me up) did you copy...
Migrating Local Profiles to Domain Profiles
KB ID 0001235 Problem Moving a machine onto a Windows domain, is a simple task, I’ve done this for a lot of clients. The main complaint (post migration,) is that something is missing. This is because your-account-name on your PC or laptop, and your-account-name in the domain are TWO DIFFERENT ACCOUNTS, (even if they have the same name). Microsoft have produced some tools help you, but I challenge you to start reading the USMT...