Microsoft – NDES Site Shows ‘HTTP Error 500.0 – Internal Server Error’

KB ID 0001181

Problem

I was doing some testing for a client this week, a while ago I had deployed a three tier PKI solution for them, and as part of the rollout we deployed NDES for their network devices, (they were going to use certificates to secure site to site VPNs). The client was concerned, and wanted the auto renewal process testing. This could not be done on the live system. So myself and a colleague went to the test bench, I build a model off the three tier PKI, and then setup NDES, while my colleague did the comms/switches and routers.

When I was ready to go, he could not get any enrolments working with NDES. Troubleshooting NDES is usually a case of looking in event viewer, but the one check you can do is go to;

http://localhost/certsrv/mscep_admin

And I got this;

HTTP Error 500.0 – Internal Server Error
The page cannot be displayed because an internal server error has occurred.

The normal web enrolment site http://localhost/certsrv was up and working this was just NDES?

Solution

This took me a while, theres a ton of posts on this that suggest enabling local profiles logging in as the NDES service user, etc etc and non of them fixed the problem. 

This was happening to me because when NDES starts, the first thing it does is check its RA, (Registration Authority) certificate. It’s in the local computer certificate store if you want to look at it, (or you will find it in ‘issued certificates’ on the CA of course). 

Let’s take a look at that cert’s certificate chain;

You can see my three tier PKI solution, from the top, Offline Root > Intermediate CA (Sub CA) > Issuing CA (Sub CA) > My certificate.

But if I take a look in the CRL location (General Tab > Certificate Revocation  Information). I found the following;

What my clients see via http

For the un-initiated these are CRL files, the ones with a ‘+’ on the end are ‘delta url files’, (but that’s not important here). What is important is there is no CRL for my offline root CA in there. Luckily I had it on a disk, if you don’t you will have to bring the offline root CA online (turn it on). Then get a copy of the CRL. You can normally find it in C:\Windows\System32\Certsrv. If yours is not there, open ‘Certificate Services Management’ > Revoked certificates  > Publish.

Simply copy the CRL file into the CRL location;

Then I rebooted the NDES Server, (I could probably have restarted certsvc and IIS, but let’s be thorough). And the system burst into life.

Related Articles, References, Credits, or External Links

Windows Server 2012 – Install and Configure NDES

Cisco – Automatic Re-enrollment Fails to MSCEP/NDES

Cisco ASA – Enrolling for Certificates with NDES

Cisco IOS – Enrolling for Certificates with NDES

NDES – Fails to Issue Certificates (Signature Algorithm)

Event ID 53 – ‘The public key does not meet the minimum size required by the specified certificate template’

KB ID 0000967 

Problem

I’ve been doing a lot of PKI work over the last few days, testing device enrollment and NDES etc, and came across this problem being logged on my issuing/subordinate CA server;

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Event ID: 53
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Description:
Active Directory Certificate Services denied request 35 because The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH). The request was for SERIALNUMBER=4279256517 + OID.1.2.840.113549.1.9.2="sprugal.testbench.local ". Additional information: Denied by Policy Module Resubmitted by TESTBENCHAdministrator

Solution

In addition on the server itself in the Certification Authority Management console, under failed requests, it was showing the same error;

By default the certificate that NDES / MSCEP used as a template for your network devices is called ‘IPSec (Offline request)’ I’ve cloned that and made my own called NDESTemplate, but if you take a look on the Cryptography tab you can see that the minimum key size is set to 1024.

The network devices that are attempting to enroll with my server must have a key-length that is shorter, how can you tell? Well my devices are all Cisco ones (Routers and Firewalls). The Cisco ASA will tell you what key length is uses, but there is no command in router IOS to let me know. However if you use Putty and open an SSH session to the device it will tell you.

In the example below, the key length on this device is 2048 so that should be fine;

But this one is only 768 bits long! This device would generate the sort of errors I’m seeing on my Windows server.

So how do you fix the problem on the device, if you have not got your trustpoint setup then simply issue the following commands;

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
R1(config)#
*Jul 11 14:26:50.619: %SSH-5-DISABLED: SSH 1.99 has been disabled
R1(config)#

[/box]

If you have setup a trustpoint, simply remove the trustpoint and it removes all the keys

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no crypto pki trustpoint PNL-TRUSTPOINT
NOTE YOUR TRUSTPOINT WILL HAVE A DIFFERENT NAME!!

% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.

No enrollment sessions are currently active.

R1(config)#

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco – Automatic Re-enrollment Fails to MSCEP/NDES

KB ID 0000970

Problem

I’ve covered setting up NDES at length in the past, but what happens when your issued certificates expire? If you are using them for all your VPNs what then? Well thankfully you can get your devices to automatically re-enroll and before they expire, for example to renew the cert at 80% of its lifetime you would use the following;

[box]

crypto pki trustpoint PNL-TRUSTPOINT
enrollment url http://123.123.123.130/CertSrv/mscep/mscep.dll
usage ike
serial-number
ip-address 123.123.123.90
enrollment mode ra
revocation-check none
enrollment retry count 100
enrollment retry period 5
fqdn RTR2hr.testbench.local
rsakeypair PNL-TRUSTPOINT 2048
auto-enroll 80 regenerate

[/box]

However, there is a problem, if you are using Server 2008 there’s a hot-fix (and you need to make the following change as well) I’m on Server 2012 and mine was failing.

Solution

1. On the server running the NDES Server role > Open the registry editor and navigate to;

[box]
HKEY_LOCAL_MACHINESoftwareMicrosoftCryptographyMSCEP
[/box]

Create a new 32bit DWORD Value called DisableRenewalSubjectNameMatch and set its value to 1 (one).

2. Also ensure the certificate that you are using or NDES, has the following settings, here I’m using a custom template called NDESTemplete, If you are using the default one it will be called ‘IPSec (Offline request)‘. On the Subject Name tab make sure ‘Supply in the request’ is selected.

3. On the ‘Issuance Requirements’ tab, ensure ‘CA certificate manager approval’ is NOT selected.

 

Related Articles, References, Credits, or External Links

NA

Cisco IOS – Enrolling for Certificates with NDES

KB ID 0000948

Problem

To get your Cisco Router or Switch to enroll, and obtain a certificate from a Windows Server running NDES, this is the procedure you need to follow.

Solution

When dealing with certificates, it’s important that your device is maintaining the correct time. You can set this manually, but I’d recommend setting up NTP.

Setting IOS Time (Manually and via NTP)

1. Choose either of the options below, (as applicable). Note: I’m in the UK so my time is GMT, and I need to allow for daylight saving time, (so your settings ma vary depending on your locale).

[box]

Setting Time Manually

Petes-RTR(config)#clock timezone GMT 0
Petes-RTR(config)#clock summer-time BST recurring last Sunday March 01:00 last Sunday October 01:00
Petes-RTR(config)#exit
Petes-RTR#clock set 10:47:00 Apr 30 2014
Petes-RTR#show clock
10:47:05.499 BST Wed Apr 30 2014
Petes-RTR#

Setting Time via NTP

Petes-RTR#show clock
*15:36:38.383 PCTime Mon Feb 16 2009
Petes-RTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-RTR(config)#ntp server 87.124.126.49
APPLY THE 'CUP Of COFFEE RULE'

Petes-RTR#show clock
10:09:52.437 PCTime Wed Apr 30 2014
Petes-RTR#

[/box]

Enrolling via NDES

1. Make sure the device can contact the NDES server, (simply pinging it should suffice). Then set a hostname and domain name. These are required to generate an RSA Key-pair on the device before we start.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#hostname RTR-1
RTR-1(config)#ip domain-name testbench.local
RTR-1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: RTR-1.testbench.local

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

RTR-1(config)#
*Mar 1 01:01:47.491: %SSH-5-ENABLED: SSH 1.99 has been enabled

[/box]

2. Create a set of CA settings (a trustpoint), then authenticate to it.

[box]

RTR-1(config)#crypto pki trustpoint PNL-TRUSTPOINT
RTR-1(ca-trustpoint)# enrollment url http://192.168.80.130/CertSrv/mscep/mscep.dll
RTR-1(ca-trustpoint)#enrollment mode ra
RTR-1(ca-trustpoint)#revocation-check crl
RTR-1(ca-trustpoint)#enrollment retry count 3
RTR-1(ca-trustpoint)#enrollment retry period 5
RTR-1(ca-trustpoint)#fqdn RTR-1.testbench.local

RTR-1(ca-trustpoint)#exit
RTR-1(config)#crypto pki authenticate PNL-TRUSTPOINT
Certificate has the following attributes:
Fingerprint MD5: 0454B8F4 73374DE8 2FB034CB B887B1D4
Fingerprint SHA1: 2A542238 0CF3856B D0EF3E1A CBB57003 21C114F5

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
RTR-1(config)#
[/box]

3. If your NDES Server requires a password you can embed that.

NDES Server Removing or Enforcing Passwords

If you require a password you can obtain it from the NDES Server using the following URL.

http://{IP-or-name-of-NDES-server}/CertSrv/mscep_admin

This is the password you need to enter.

If it looks like (below), then password enforcement has been disabled, and you can skip the next step.

[box]

Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# password 24033E4BFF217D60[/box]

4. Enroll for a certificate.

[box]

RTR-1(config)#crypto pki enroll PNL-TRUSTPOINT
%
% Start certificate enrollment ..

% The subject name in the certificate will include: RTR-1.testbench.local
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FTX0945W0MY
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate PNL-TRUSTPOINT verbose' commandwill show the fingerprint.

RTR-1(config)#
May 14 10:46:46.479: CRYPTO_PKI: Certificate Request Fingerprint MD5: 25E06B18 2BF6E2B7 780AA427 89AB9A15
May 14 10:46:46.483: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 044725E7 B34F6AF8 EFB4C28B 8E7CE192 230BDC9E
RTR-1(config)#
May 14 10:46:47.875: %PKI-6-CERTRET: Certificate received from Certificate Authority
RTR-1(config)#

[/box]

5. If you have a look on the Certificate Server you will also see that the certificate has been issued.

Oh Crap! It went wrong?

Possible errors you might see;

Error 1

[box]

RTR-1(config)#crypto key generate rsa modulus 2048
% Please define a domain-name first.

[/box]

To be honest, it couldn’t be more descriptive! You can’t generate an RSA key-pair without a hostname, and a domain name.

[box]

R1(config)#hostname RTR-1 RTR-1(config)#ip domain-name testbench.local[/box]

Error 2

[box]

RTR-1(config)#crypto pki authenticate PNL-TRUSTPOINT
% Error in saving certificate: status = FAIL

RTR-1(config)#%CRYPTO_PKI: Cert not yet valid or is expired -
start date: 13:18:46 UTC May 12 2014
end date: 13:28:46 UTC May 12 2019

[/box]

Certificates are time specific, make sure the device has its clock set correctly, (preferably via NTP). And the time on the Certificate Services Server is set correctly.

Windows – Setting Domain Time

Remember: We set the device to check the Certificate Servers CRL, make sure that’s setup properly, and the device can resolve its name.

Windows Certificate Services – Setting up a CRL

Related Articles, References, Credits, or External Links

Windows Server 2012 – Install and Configure NDES

 

Cisco ASA – Enrolling for Certificates with NDES

KB ID 0000948

Problem

To get your ASA 5500 firewall to enroll, and obtain a certificate from a Windows Server running NDES, this is the procedure you need to follow.

Solution

When dealing with certificates, it’s important that your firewall is maintaining the correct time. You can set this manually, but I’d recommend setting up NTP.

Cisco ASA – Configuring for NTP

1. Make sure the firewall can contact the NDES server, below I ping its IP address (192.168.1.10) . Then set a hostname and domain name for the firewall. These are required to generate an RSA Key-pair on the firewall before we start.

[box]

Petes-ASA# ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.80.130, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Petes-ASA# configure terminal
Petes-ASA(config)# hostname Firewall
Firewall(config)# domain-name testbench.local
Firewall(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
Firewall(config)#

[/box]

2. Create a set of CA settings (a trustpoint), then authenticate to it.

[box]

Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# enrollment url http://192.168.1.10/CertSrv/mscep/mscep.dll
Firewall(config-ca-trustpoint)# revocation-check crl
Firewall(config-ca-trustpoint)# enrollment retry count 3
Firewall(config-ca-trustpoint)# enrollment retry period 5
Firewall(config-ca-trustpoint)# fqdn Firewall.testbench.local
Firewall(config-ca-trustpoint)# crypto ca authenticate PNL-TRUSTPOINT

INFO: Certificate has the following attributes:
Fingerprint: 0454b8f4 73374de8 2fb034cb b887b1d4
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

[/box]

3. If your NDES Server requires a password you can embed that.

NDES Server Removing or Enforcing Passwords

If you require a password you can obtain it from the NDES Server using the following URL.

http://{IP-or-name-of-NDES-server}/CertSrv/mscep_admin

This is the password you need to enter.

If it looks like (below), then password enforcement has been disabled, and you can skip the next step.

[box]

 Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# password EC4C68382A504339

[/box]

4. Enroll for a certificate.

[box]

Firewall(config)# crypto ca enroll PNL-TRUSTPOINT
%
% Start certificate enrollment ..

IF YOU SUPPLIED A PASSWORD YOU WILL NOT BE ASKED THE FOLLOWING
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ********
Re-enter password: ********

% The fully-qualified domain name in the certificate will be: Firewall.testbench.local

% Include the device serial number in the subject name? [yes/no]: yes

% The serial number in the certificate will be: 123456789AB

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
Firewall(config)# The certificate has been granted by CA!

Firewall(config)#

[/box]

5. If you have a look on the Certificate Server you will also see that the certificate has been issued.

Remember: We set the device to check the Certificate Servers CRL, make sure that’s setup properly, and the device can resolve its name.

Windows Certificate Services – Setting up a CRL

Related Articles, References, Credits, or External Links

Windows Server 2012 – Install and Configure NDES

 

Cisco AnyConnect – Securing with Microsoft Certificate Services

Part 1 (How to Configure Microsoft Certificate Services for AnyConnect)

KB ID 0001030 

Problem

I’ve done a lot of AnyConnect deployments, and I’ve even done them with certificates in the past. I’ve seen plenty of articles and blogs that say ‘It would be better to use a PKI deployment like Microsoft Certificate Services’, but there’s very little info out there on how to set it up.

I have a client that was going to deploy Microsoft Direct Access, but due to unforeseen circumstances has changed their requirements and wants to use AnyConnect instead, (with the following requirements).

  • The connection should be ‘always on’ for their remote clients.
  • It should use certificate based authentication that would use their existing PKI deployment.
  • They should be able to control the remote clients from their corporate location (if required).
  • They should be able to roll out the software using Microsoft SCCM.

So I disappeared with an ESXi server, a spare firewall, and a large mug of coffee.

Solution

I am going to send out both user and computer certificates, and I’m going to get the machines to ‘Autoenroll’ for the certificates with group policy. (You could just use ‘User’ certificates, but that would be too easy).

1. Remember certificates are time specific, make sure your Windows domain is keeping good time, I’ve written about this before, but to cut a long story short carry out the following on your PDC emulator at an elevated command prompt.

[box]

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update
net stop "windows time"
net start "windows time"
w32tm /resync

[/box]

2. I’m assuming you have certificate services setup and have certificates setup for computers and users, if not see Installing Microsoft Certificate Services. Ensure you have templates published and they are configured correctly, like so;

User Certificate Template

Computer Certificate Template

3. Publish the Certificates.

4. Set up a Group Policy for Certificate Auto-enrolment.

5. For User certificate auto-enrollment go to:

[box]

User Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrolment

[/box]

6. For Computer certificate auto-enrollment go to:

[box]

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrolment

[/box]

7. Ensure your target machines have their certificates,(user and computer).

***OPTIONAL STEP***

I’m using NDES to put the certificates on my Cisco ASA, and I want to use that same certificate on the ‘outside’ interface of my ASA. Now I could just manually get
a cert by creating a CSR and giving that to my certificate authority. Then use the ‘Web Server’ template and everything would be peachy. However I want NDES to do ‘EVERYTHING’ for me so I need to make a change to the certificate that NDES uses, (by default ‘IPSEC (Offline request)’). I need to add in the ‘Server Authentication’ Key usage, or when I enable the cert on the outside interface I will get an error. To that end, I need to create a new certificate template, and then get NDES to use that template instead.

1. Open the Certification Authority management console > Right click Certificate Templates > Manage.

2. Locate ‘IPSEC (Offline request)’ template and clone it.

3. Give the cert a name (in the ‘template name’ section leave no spaces or special characters). Then copy the template name to notepad, (you’ll find out why in a minute).

4. Extensions Tab > Application Policies > Edit.

5. Add > Locate and add ‘Server Authentication’ > OK > OK.

6. If you had NDES set up correctly your NDES service account should have enroll rights to this template already, but check to be on the safe side.

7. Save and publish the new template.

8. Remove the original IPSEC (Offline request) template.

9. To get NDES to use the new template you need to edit three registry values. Open ‘regedit’ an navigate to;

[box]HKLM > Software > Microsoft > Cryptography > MSCEP[/box]

Change the following keys to the new template name;

  • EncryptionTemplate
  • GeneralPurposeTemplate
  • SignatureTemplate

10. At this point you need to restart IIS, though in my case I just rebooted the server.

 

Related Articles, References, Credits, or External Links

In Part 2 – We will configure the ASA and AnyConnect.