I was setting up some HTTPS/SSL inspection this week and while testing it, I ran into this problem;
Firefox Certificate Settings
So the machine I’m using DOES trust the CA that issued that certificate (it’s a FortiGate firewall), but the BROWSER does not. (Firefox maintains its own certificate store, and more importantly its own list of which CA certificates it will trust.) Essentially the browser is trying to protect you from a MITM attack, which is exactly what HTTPS inspection is, just one you have chosen to allow.
Browse to about:preferences#privacy > Certificates > View Certificates.
Import.
Navigate to the CA certificate for the authority that signed the certificate(s) you are having a problem with, and import it > Select ‘Trust this CA to identify websites’ > OK.
Note: Only do this for a CA you (or your organisation) operate. Once Firefox trusts a CA, that CA can issue a certificate for ANY site and Firefox will accept it, which is precisely what lets the inspection appliance read your traffic.
Related Articles, References, Credits, or External Links
The actual configuration of ADFS depends largely on what you intend to do with it. Here I’m using it to broker connections from my Microsoft Web Application Proxy. This article is just to ‘join the dots’ and covers just the installation of the role itself.
Solution
Before you Start: Make sure you have a certificate ready to use for ADFS. I typically use a wildcard cert for this, it’s better if you have purchased one, or if you use certificate services, here’s how to create a wildcard certificate.
Note: Add adfs.{your-domain} to your wildcard as a SAN (Subject Alternative Name), and also add certauth.adfs.{your-domain}. Yes, even on a wildcard certificate! A wildcard only matches ONE label, so *.{your-domain} covers adfs.{your-domain} but NOT certauth.adfs.{your-domain}, which ADFS uses for certificate authentication.
For example: adfs.petenetlive.com and certauth.adfs.petenetlive.com.
You can either create a service account for ADFS to run under, or use a GROUP MANAGED SERVICE ACCOUNT.
What’s a Group Managed Service Account?
It’s an AD object that acts as a service account, and you don’t need to worry about entering a password for it.
Create a Group Managed Service Account
Before you can have a gMSA you need a KDS Root Key in Active Directory; to set that up, execute the following command;
[box]
If you have only one domain controller;
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
If you have more than one domain controller;
Add-KdsRootKey -EffectiveImmediately
If you use the second option you must then WAIT 10 HOURS (for the key to replicate to every DC) before creating the gMSA!
[/box]
Then go to a Domain Controller, and issue the following command;
In case you are interested, you will then see it appear in Active Directory.
Then ON the ADFS Server, run the following command;
[box]
setspn -a host/localhost {gMSA-Account-Name}
[/box]
Deploying Active Directory Federation Services
Server Manager > Manage > Add Roles and Features > Next > Next > Select the server > Next > Server Roles > Select Active Directory Federation Services > Accept all the defaults and install the role.
Launch the configuration wizard > Create the first federation server in a federation farm > Next.
I’m setting this up while logged on as the domain administrator, so I’ll use that account to connect to AD > Next.
WARNING: If you use a wildcard cert like me it will choose the name *.{domain-name}. THIS IS BAD! Change the federation service name to something sensible, like adfs.domain.com. The ‘Federation Service Display Name‘ is what will be shown to the users as they authenticate. > Next. (Bear in mind a wildcard’s private key vouches for every host in the domain, so only put it on servers you would trust with all of them.)
Make sure the federation server DNS name can be resolved in DNS! Remember if your Web Application Proxy server is in your DMZ, or outside the firewall, it will also need to be able to resolve this name, (I put them in the ‘hosts‘ file on my DMZ servers for this reason).
Enter your Group Managed Service Account, (created above) > Next.
Create a database. (Note; If you are reinstalling it will discover any existing databases, and ask if you want to overwrite them) > Next.
Next
Configure.
Close. (Note: I’ve got some warnings but all is well, trust me!)
To test, open a web browser and go to https://{FQDN-Of-FS-Service}/adfs/ls/idpinitiatedsignon and log in.
Note: On Server 2016 or Server 2019 this page is disabled by default and will error until you enable it in the ADFS properties, see the link below. Enable it only while you are testing and turn it off again afterwards.
At this point, how you proceed depends on what you are using Active Directory Federation Services for. You would set up either a relying or a claims provider trust next.
As said above I’m using this for Web Application Proxy. When that article is complete, I’ll put the link at the bottom of this article.
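The gMSA and farm steps above as one PowerShell run. This is an added example, not code from the original article: the domain petenetlive.com comes from the article, while the server name ADFS01, the gMSA name ADFSgmsa, the NetBIOS name PETENETLIVE and the display name are assumptions for the example.

```powershell
# Added example (not from the original article). Assumed names: ADFS server
# ADFS01, gMSA 'ADFSgmsa', NetBIOS domain PETENETLIVE; domain petenetlive.com
# is the one the article uses.

# --- On a domain controller -------------------------------------------------
Import-Module ActiveDirectory

# KDS root key: back-date it 10 hours on a single-DC lab so it is usable now;
# with several DCs use -EffectiveImmediately and wait the 10 hours instead.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# The gMSA, with the SPN ADFS needs and only the ADFS server allowed to
# retrieve its password.
New-ADServiceAccount -Name 'ADFSgmsa' `
    -DNSHostName 'adfs.petenetlive.com' `
    -ServicePrincipalNames 'http/adfs.petenetlive.com' `
    -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer 'ADFS01')

# --- On the ADFS server (run as a domain admin) -----------------------------
Install-WindowsFeature RSAT-AD-PowerShell, ADFS-Federation -IncludeManagementTools | Out-Null
Install-ADServiceAccount -Identity 'ADFSgmsa'
if (-not (Test-ADServiceAccount -Identity 'ADFSgmsa')) { throw 'gMSA is not usable on this host' }

# Pick the wildcard certificate from the machine store and check it carries
# BOTH names the article says to add to the SAN; the farm needs its thumbprint.
$required = 'adfs.petenetlive.com', 'certauth.adfs.petenetlive.com'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like 'CN=*.petenetlive.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No wildcard certificate with a private key found' }
$missing = $required | Where-Object { $cert.DnsNameList.Unicode -notcontains $_ }
if ($missing) { throw "Certificate SAN is missing: $($missing -join ', ')" }

# The federation service name is given explicitly so the wizard's
# "*.petenetlive.com" default never makes it into the farm.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName 'adfs.petenetlive.com' `
    -FederationServiceDisplayName 'PeteNetLive' `
    -GroupServiceAccountIdentifier 'PETENETLIVE\ADFSgmsa$'

# Server 2016/2019 ship with the IdP-initiated sign-on test page disabled;
# enable it only while testing, then set it back to $false.
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
Start-Process 'https://adfs.petenetlive.com/adfs/ls/idpinitiatedsignon'
```

The SAN check is the bit worth keeping around: if certauth.adfs.{your-domain} is missing, the farm installs happily and certificate authentication fails later with a name mismatch that is easy to blame on something else.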
I wonder how many hours I’ve lost trying to get browsers to connect to things when the browser has not been happy? This week I needed to connect to a vCenter (6.5) web console with Firefox and was greeted with this.
Your connection is not secure
The owner of {site} has configured their web site improperly. To protect information being stolen, Firefox has not connected to this website.
Error Code: SEC_ERROR_UNKNOWN_ISSUER
Normally I use Firefox, because if there’s a problem I can simply add an exception and all is well, but this time there was no way to connect at all.
Solution
Browse to about:config, search for security.enterprise_roots.enabled, and set it to true. This tells Firefox to also trust the CA certificates in the Windows machine root store, so a CA that Windows already trusts (here the one that signed the vCenter certificate) is accepted by Firefox too.
Now it will work. Note: this trusts EVERY CA in the Windows root store, not just the one you are after, so only use it on a machine whose root store you control.
About a month ago I was with a client to do some investigation/consultancy, they were a large company with their head office in the UK and a number of other offices around the world. They had a number of domains and sub domains and wanted to consolidate them all into a new domain.
Well that’s all OK, but the UK company has been purchased by a large American company, who were putting a lot of pressure on them to ‘get this done’.
So what was the problem? Well the American company had a domain called olduscomp.com, and were undergoing their own migration (not yet started) to newuscomp.com. The UK company wanted to use ukcomp.newuscomp.com.
Me: That’s OK, once newuscomp.com is built we will make ukcomp a child domain of that, that’s not a problem.
Client: Well that might not be built for quite some time, the guys in the States have problems of their own.
Me: OK, we will build it here, then build our child domain, then we can give them the root domain?
Client: That probably won’t fly either, can we just build ukcomp.newuscomp.com here, then make it a child domain later?
Me: No, (the first DC in a child domain needs to be a member of the parent domain).
Client: OK, can we build ukcomp.newuscomp.com, and then when the US guys build newuscomp.com, can we get the domains to trust each other?
Me: I don’t think so, (they have a similar namespace), I don’t think that will work? I would need to test it to see if it was possible.
The problem was dancing about on my mental ‘back-burner’ for the next few weeks, so in my free time, I thought I would investigate if it was possible.
Solution
Well I built both the domains. My usual procedure for creating a domain trust is;
1. Create a conditional DNS forwarder in domain A for domain B.
2. Create a conditional DNS forwarder in domain B for domain A.
3. Go to Active Directory Domains and Trusts and set up the trust.
As you can see from the diagram above I used subdomain.domain.com for the first domain, and I used domain.com for the second domain. So when I started, the only thing these domains shared is some namespace.
Creating a conditional forwarder in subdomain.domain.com for domain.com went without a hiccup.
However when I tried to create a conditional forwarder in domain.com for subdomain.domain.com this happened;
A problem occurred when trying to add the conditional forwarder. A zone configuration problem has occurred.
However the error goes on to say that I can delegate the namespace to another DNS server instead; would that work? (If you don’t know what a delegation is, read this article.) It does: the domain.com zone hands the subdomain.domain.com name off to the other domain’s DNS servers, which is exactly what the conditional forwarder would have done had the name been outside the zone.
Then I setup the trust, and validated it.
So yes it does work, but you need to remember that these are two different domains that trust each other they just share a common piece of namespace. If it was a parent and child domain then when you were assigning permissions you would see something like this;
But instead, in our case when assigning permissions you will see;
So yes it works, and it looks like a sub domain, you can even call it a subdomain, but it isn’t; it’s just another domain that you can trust. Remember that means it is an external trust between two separate forests, not the automatic two-way transitive trust a real child domain gets, so transitivity and selective authentication are yours to configure.
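The same DNS plumbing and trust, done from PowerShell and netdom rather than the MMC consoles. This is an added example, not the article’s own commands; the domain names are the article’s, while the DC names (DC1, DC2), their addresses (10.0.0.10, 10.0.1.10) and the admin account names are made up for the example.

```powershell
# Added example (not from the original article). Assumed: DC1 (10.0.0.10)
# holds domain.com, DC2 (10.0.1.10) holds subdomain.domain.com. All server
# names and addresses are placeholders.

# --- On DC1 (domain.com): a conditional forwarder for subdomain.domain.com
# is refused, because that name lies INSIDE a zone this server is
# authoritative for (the article's "zone configuration problem") ...
try {
    Add-DnsServerConditionalForwarderZone -Name 'subdomain.domain.com' `
        -MasterServers 10.0.1.10 -ErrorAction Stop
} catch {
    Write-Warning "Conditional forwarder refused: $($_.Exception.Message)"
}
# ... so delegate the child name to the other domain's DNS server instead.
Add-DnsServerZoneDelegation -Name 'domain.com' -ChildZoneName 'subdomain' `
    -NameServer 'dc2.subdomain.domain.com' -IPAddress 10.0.1.10

# --- On DC2 (subdomain.domain.com): the parent name is outside any zone
# this server holds, so an ordinary conditional forwarder is fine here.
Add-DnsServerConditionalForwarderZone -Name 'domain.com' `
    -MasterServers 10.0.0.10 -ReplicationScope Forest

# Prove both sides can find each other's DCs BEFORE touching the trust;
# most trust failures are really DNS failures.
foreach ($d in 'domain.com', 'subdomain.domain.com') {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$d" -Type SRV -ErrorAction Stop
    Write-Host "$d DCs: $($srv.NameTarget -join ', ')"
}

# Two-way external trust. It is NOT parent/child: just two forests that
# happen to share namespace. netdom prompts for the password in each domain.
netdom trust subdomain.domain.com /d:domain.com /add /twoway `
    /ud:DOMAIN\Administrator /pd:* /uo:SUBDOMAIN\Administrator /po:*
netdom trust subdomain.domain.com /d:domain.com /verify

# What you end up with: Direction, whether it is forest-transitive, and
# whether selective authentication is on (it is off here).
Get-ADTrust -Filter * |
    Format-Table Name, Direction, ForestTransitive, SelectiveAuthentication -AutoSize
```

The SRV lookup is the check to keep: if `_ldap._tcp.dc._msdcs.{domain}` does not resolve from a DC in the other domain, the trust wizard will fail with a much less helpful message than the DNS console gives you.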
I put a ‘net use’ command in a logon script for a client today, and the drive refused to appear. So I executed the offending line and saw the following error;
System error 1935 has occurred
The computer you are signing into is protected by an authentication firewall. The specified account is not allowed to authenticate to the computer.
Solution
This error is seen because the user (or a group the user is a member of) has been granted the correct rights on the share, BUT the share is in another domain, and although that domain trusts the one the user is coming from, the trust was set up with ‘selective authentication’. With selective authentication, being in a trusted domain is not enough: the account must additionally hold the ‘Allowed to authenticate’ right on the specific computer object it is connecting to.
Go to the domain that’s providing the share, log into a domain controller > Open ‘Active Directory Users and Computers’ > View > Advanced Features > Locate the COMPUTER you are trying to authenticate TO > Properties > Security > Add in the user (or group) that requires access > Grant the “Allowed to authenticate” right > Apply > OK. Grant it to a group rather than individual users, and only on the servers they actually need; that per-server control is the whole point of selective authentication, so don’t undo it by granting the right on every computer object.
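The same fix scripted, with a check first that the trust really does use selective authentication (otherwise error 1935 has another cause). This is an added example, not the article’s own code: the file server FS01, the trusted domain domb.local, its group UK-Users and the Allowed-To-Authenticate rights GUID (which is the schema value for that extended right) are the assumptions it rests on.

```powershell
# Added example (not from the original article). Assumed names: file server
# FS01 in the trusting domain, group 'UK-Users' in trusted domain domb.local.
Import-Module ActiveDirectory

# "Allowed to authenticate" is an AD extended right; this is its rightsGuid.
$allowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# Only relevant if the inbound trust was created with selective authentication.
$trust = Get-ADTrust -Filter "Name -eq 'domb.local'"
if (-not $trust) { throw 'No trust to domb.local found' }
if (-not $trust.SelectiveAuthentication) {
    Write-Host 'Trust uses domain-wide authentication; error 1935 has another cause.'
    return
}

# The group lives in the OTHER domain, so resolve it against one of its DCs.
$group = Get-ADGroup -Identity 'UK-Users' -Server 'domb.local'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# The computer object we are authenticating TO, via the AD: PSDrive.
$computer = Get-ADComputer -Identity 'FS01'
$aclPath  = "AD:\$($computer.DistinguishedName)"
$acl      = Get-Acl -Path $aclPath

# ACE: Allow <group> ExtendedRight(Allowed-To-Authenticate) on this object.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate)
$acl.AddAccessRule($rule)
Set-Acl -Path $aclPath -AclObject $acl

# Read it back: the new ACE shows as ExtendedRight with our GUID for that SID.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
```

Run it on a DC in the domain that owns FS01 (the trusting side), with an account that can write the computer object’s ACL. The read-back at the end is also how you audit who has been granted the right across a server: anything listed there can authenticate to that box through the selective trust.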
You see the following error in your event log (seen here in the system log on a domain controller).
Log Name: System
Source: NETLOGON
Date: 15/11/2012 06:00:35
Event ID: 5719
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Servername.Domain-Name.com
Description:
This computer was not able to set up a secure session with a domain controller in domain (domain-name) due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
Solution
Note: In this case the domain it could not contact was NOT my live domain name it was a different domain name. If your error is referencing your live domain name then you have a different problem.
Cause: In my case the problem was being caused because I had a domain trust to a domain that was no longer contactable, (one of my colleagues has set it up in the past to do some testing). So I simply needed to remove the trust.
Warning: In this case that trust is no longer required – Check!
1. On a domain controller > Windows Key+R > domain.msc {enter}
2. Right click the domain name > Properties > Trusts > Select the problem domain > Remove > Yes > OK.
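Before removing anything it is worth confirming which domain the 5719s name, that it really is a trust rather than your own domain, and that no DC for it can be found any more. This added example (not the article’s own code) does that from a DC with the AD module; the trust name olddom.local in the commented-out removal at the end is a placeholder.

```powershell
# Added example (not from the original article): match NETLOGON 5719 events
# against the configured trusts and confirm the named domain is unreachable.
Import-Module ActiveDirectory

$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5719 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue
if (-not $events) { Write-Host 'No recent 5719 events.'; return }

# "... a domain controller in domain OLDDOM due to the following:" -> OLDDOM
$unreachable = $events |
    ForEach-Object { if ($_.Message -match 'in domain (\S+) due to') { $Matches[1] } } |
    Group-Object | Sort-Object Count -Descending

$dom    = Get-ADDomain
$trusts = Get-ADTrust -Filter *

foreach ($u in $unreachable) {
    $name = $u.Name
    # The article's warning: if it is YOUR domain, this is a DC/connectivity
    # problem, not a stale trust.
    if ($name -ieq $dom.DNSRoot -or $name -ieq $dom.NetBIOSName) {
        Write-Warning "$($u.Count) x 5719 for our own domain $name; do not go looking at trusts."
        continue
    }
    $t = $trusts | Where-Object { $_.Name -ieq $name -or $_.Name -like "$name.*" }
    if (-not $t) {
        Write-Warning "$name is not a configured trust; check DNS and replication instead."
        continue
    }
    # nltest exits non-zero when no DC for that domain can be located.
    nltest /dsgetdc:$name | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Host "$($u.Count) x 5719: trust to $($t.Name) ($($t.Direction)), no DC reachable."
    } else {
        Write-Host "$name has a reachable DC now; the 5719s may be historic."
    }
}

# Only after confirming the trust is genuinely no longer required:
# netdom trust $dom.DNSRoot /d:olddom.local /remove /force
```

The `/force` on the netdom line is what lets you remove a trust whose far side no longer exists to cooperate; without it netdom tries to contact the other domain, which is exactly what is failing.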
While browsing to a website with an https:// address you may come across the following error;
There is a problem with this website’s security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority
and/or
The security certificate presented by this website was issued for a different website address.
Security certificate problems may indicate an attempt to fool you or intercept data you send to the server.
We recommend that you close this webpage and do not continue to this Web site.
Solution
Before you proceed: Most of the time, if you see this error a LOT, the date and time are probably set incorrectly on your computer.
This may look like a very scary error and the default action, (from the little green tick option) is NOT to proceed. But let’s look at this error sensibly. If you are on a website and you have your credit card out ready to buy something, STOP! Or you are about to enter some personal details into something then again STOP!
However if you are going to a website that your IT department has told you to go to for something (email access, or a corporate website, etc) then click the RED option, Continue to this website (not recommended).
Why are you seeing this error?
Well it’s to do with the digital certificate this website is presenting to your browser. If you ever shopped online you may have been told to look for the small padlock to make sure the site is secure.
That’s because that website is presenting you with a certificate and you ‘TRUST’ that certificate. If there was a problem with the certificate, and you didn’t trust it you would be presented with the error above.
OK So What Is a Certificate?
As far as web browsing is concerned a Digital Certificate does two things;
1. Encryption: It makes sure the information exchanged between your browser and the server you are talking to is encrypted. This happens whether you trust the certificate or not, which is why encryption on its own proves nothing: an encrypted session to an impostor is still a session with an impostor.
2. Identity: It is used to prove, that the server you are talking to is who they say they are.
The error you are seeing is related to Identity, this DOES NOT necessarily mean the site is a fake, (but if your unsure let’s tread carefully). On the original error above it’s telling us two things;
The security certificate presented by this website was not issued by a trusted certificate authority
This means your computer does not trust the CA (Certification Authority) that created and issued this certificate. Anyone can set up a CA, (have a search on this site, I’ve set them up for Exchange Email server VPNs and a ton of other reasons). Certificates from such a private CA are often loosely called ‘Self Signed’ (strictly, a self-signed certificate is one that signed itself, like the CA’s own root certificate). So if I (or anyone else) sets up a CA and issues a certificate, your browser will not trust it. Without a lengthy and boring description of how PKI works, you trust every CA that you have a ‘Trusted CA Root Certificate’ for. Once you have this you will trust every certificate issued by that CA.
To prove it let’s inspect the PayPal example above, and take a look at the certificate it’s presenting.
This certificate is trusted because;
1. Issued to: This name MUST match the URL you typed in the browser.*
2. Issued By: The people who signed and issued it, we trust (VeriSign).
3. Valid From: It is in date, (certificates expire). So if the date and time are very wrong on your computer, you will see loads of these errors!
*Note: A certificate can carry additional names in an extension called Subject Alternative Name (SAN). Current browsers match the address you typed against the SAN list (Chrome ignores the ‘Issued to’ Common Name altogether), so a web certificate with no SAN fails the name check in them even when the Common Name matches.
So Who Do We Trust?
Your PC comes ‘pre-loaded’ with a bunch of trusted CA certificates, which get updated and renewed periodically. If you want to see them do the following;
Note: You need to be a computer administrator to do this. If you are NOT, then in IE go to Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities, where you will see the same thing.
1. Windows Key+R > mmc {enter}.
2. File > Add/Remove Snap-in > Certificates > Add.
3. Computer Account > Next > Local Computer > Finish > OK.
4. Expand Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates > Down near the bottom you will see the VeriSign CA certificates that you trust.
To summarise, the PayPal website works (without an error) because the name it was issued to matches the address you typed, it was issued by a CA your computer already trusts, and today’s date falls inside its validity period.
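The three checks above (name, issuer, dates) done against a live site, plus the Firefox problem from the FortiGate and vCenter sections at the top of this page: when Windows already trusts the issuing CA but Firefox does not, the script exports that CA for a manual import and turns on the Firefox enterprise policy that makes it honour the Windows root store. This is an added example, not code from any of the original articles; the host name vcenter.petenetlive.com and the export path are assumptions, and the `ImportEnterpriseRoots` policy is Firefox’s documented equivalent of the `security.enterprise_roots.enabled` preference.

```powershell
# Added example (not from the original articles). Assumed: the host name and
# the export path below.
$targetHost = 'vcenter.petenetlive.com'
$exportPath = "$env:TEMP\issuing-ca.cer"

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept anything here: we are collecting the certificate, not trusting it.
    $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }
}

function Test-CertificateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    # Browsers match against the SAN list; the CN only matters when there is no SAN.
    $san   = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = if ($san) { [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } }
             else       { $Cert.GetNameInfo('DnsName', $false) }
    foreach ($n in $names) {
        if ($n -ieq $HostName) { return $true }
        # *.example.com covers exactly one extra label, never example.com itself.
        if ($n.StartsWith('*.') -and $HostName -match "^[^.]+\.$([regex]::Escape($n.Substring(2)))$") { return $true }
    }
    return $false
}

$cert  = Get-ServerCertificate -HostName $targetHost
$now   = Get-Date
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$windowsTrusts = $chain.Build($cert)        # uses the Windows machine/user root stores

[pscustomobject]@{
    IssuedTo      = $cert.Subject
    IssuedBy      = $cert.Issuer
    NameMatches   = Test-CertificateName -Cert $cert -HostName $targetHost
    InDate        = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
    WindowsTrusts = $windowsTrusts
    ChainStatus   = ($chain.ChainStatus.Status -join ', ')
} | Format-List

# Firefox keeps its own store, so a chain Windows accepts can still fail there
# with SEC_ERROR_UNKNOWN_ISSUER. If the root is an enterprise CA in the machine
# store, export it for a manual import and switch Firefox to the Windows roots.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$enterpriseRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($windowsTrusts -and $enterpriseRoot) {
    Export-Certificate -Cert $enterpriseRoot -FilePath $exportPath -Type CERT | Out-Null
    Write-Host "Root '$($root.Subject)' exported to $exportPath for Firefox import."

    $policyDir = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution'
    New-Item -ItemType Directory -Force -Path $policyDir | Out-Null
    @{ policies = @{ Certificates = @{ ImportEnterpriseRoots = $true } } } |
        ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $policyDir 'policies.json') -Encoding ASCII
}
```

Read the output the way the article reads the PayPal certificate: `NameMatches`, `IssuedBy` and `InDate` are the three things the browser is checking, and `ChainStatus` tells you which one failed. The policy file does for every Firefox profile on the machine what the about:config setting does for one, so as above, only use it where you control what is in the Windows root store.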
I’ve had very little exposure to JUNOS and Juniper equipment, and later in the year I have to deploy some for a client in a failover cluster. So I had a good look round on the Internet, and found loads of good blog posts and KB articles like this one. The problem is they are all geared to setting up a cluster; they ASSUME you then know about security zones, how to add default routes, set up NAT etc, so they don’t cover that. Yes, you can then set up a cluster, but it has no IP addresses, and you can’t pass any traffic through it! Hopefully this will redress the balance.
Solution
Before you start, you obviously need two physical firewalls running the same OS, and this whole procedure is carried out from command line, (I’m using the console cable).
Things that took me a while to grasp, that you need to know.
1. The SRX240 has 16 ports numbered ge-0/0/0 to ge-0/0/15; when you cluster them the ports on the secondary firewall (node1) are renumbered ge-5/0/0 to ge-5/0/15.
2. As soon as you cluster the firewalls the first port (on both) is reserved for management: ge-0/0/0 and ge-5/0/0, which are then referred to as fxp0.
3. As soon as you cluster the firewalls the second port (on both) is reserved for the control link between the two: ge-0/0/1 and ge-5/0/1, which are then referred to as fxp1.
4. You need to dedicate another port on both firewalls to the fabric (data) link. This can be any port, but to keep things simple I’ll use the next free port on both firewalls (ge-0/0/2 and ge-5/0/2). These will then be referred to as fab0 and fab1 (respectively).
Thats the clustering side of things, what about the networks I’m going to connect to the firewall. Take a look at this diagram;
Both the firewalls have a connection to each network (which makes sense if they are going to fail over). I’ve got an ‘outside’ network that connects to the Internet. ‘Inside’ I’ve got two networks, (most people reading this will have one, but remember this is practice for a live client, and they have two data LANS).
As all the networks are connected in two places, where do you assign IP addresses? Well above you can see the outside connections are plugged into ge-0/0/4 and ge-5/0/4. You add both these physical interfaces to a Reth (Redundant Ethernet Interface), and you assign the IP to that. So I have three Reth interfaces, (Reth0 for outside, Reth1 for the first inside network, Reth2 for the second inside interface).
So only Reth interfaces have IP addresses? Well no, the two fxp0 interfaces on each physical firewall, also get an IP address (for out of band management), and it’s a different one for each firewall.
Step 1: SRX240 Setup a Chassis Cluster.
1. Before we start you need to delete the existing interfaces from the config (ALL of them), otherwise you will get errors later on when you try to commit (save) the firewall config. Also remove the hostname; we will set that in a minute.
[box] delete interfaces ge-0/0/0
delete interfaces ge-0/0/1 —Repeat for the rest of the interfaces—
delete interfaces ge-0/0/14
delete interfaces ge-0/0/15
delete system host-name[/box]
2. Connect ge-0/0/0 and ge-5/0/0 to the management network. Connect ge-0/0/1 on the primary to ge-5/0/1 on the standby (this can’t be changed and becomes the fxp1 control link). Connect ge-0/0/2 on the primary to ge-5/0/2 on the standby (this can be changed and becomes the fab0/fab1 fabric link).
3. Carry out the following procedure on BOTH firewalls. This sets the host names of the firewalls and the IP addresses of the management interfaces.
[box]set groups node0 system host-name FW-A
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.254.1/24
set groups node1 system host-name FW-B
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.254.2/24
set apply-groups “${node}”[/box]
4. On FW-A (the primary node0) turn on clustering.
6. Back on FW-A (the remainder of the config will be done on node0), set the configuration for the data link, notice I’m deleting the interface again, (I had a lot of bother with this so let’s play it safe). Then I’m saving the changes with a ‘commit’ command, because at this point if something is wrong it will tell you.
[box]delete interfaces ge-0/0/2
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
commit[/box]
Step 2 Create Redundancy Groups
1. Redundancy group 0 is created by default so set the priority for that one first.
[box]root@FW-A# set chassis cluster redundancy-group 0 node 0 priority 100
root@FW-A# set chassis cluster redundancy-group 0 node 1 priority 1[/box]
2. Create a new redundancy group that the Reth interfaces will use.
[box]root@FW-A# set chassis cluster redundancy-group 1 node 0 priority 100
root@FW-A# set chassis cluster redundancy-group 1 node 1 priority 1[/box]
Step 3 Define and Add Physical Interfaces to the Reth Interfaces
1. Define the number of Reth interfaces (two inside and one outside).
[box]root@FW-A# set chassis cluster reth-count 3[/box]
2. Allocate the physical interfaces to a Reth interface, bind it to redundancy group 1, and give it an IP address. The commands below do this for reth1 (the first inside network, on ge-0/0/8 and ge-5/0/8); reth0 (outside, on ge-0/0/4 and ge-5/0/4 as in the diagram) is configured the same way with its public address.
[box]{primary:node0}[edit interfaces]
root@FW-A# set ge-0/0/8 gigether-options redundant-parent reth1
root@FW-A# set ge-5/0/8 gigether-options redundant-parent reth1
root@FW-A# set reth1 redundant-ether-options redundancy-group 1
root@FW-A# set reth1 unit 0 family inet address 192.168.20.1/24[/box]
6. Setup Reth2 (inside). Add the physical interfaces, and apply redundancy group 1 (again) then save the changes.
Step 4 Add a Default Route
1. To get traffic out to the Internet, the cluster needs the IP of its ‘next-hop’ (usually the router supplied by your ISP).
Note: If you’re anything like me, after you enter this you will try to ‘ping’ the router from the firewall, or ping an Internet IP address; at this point that won’t work (you need to allocate interfaces to security zones first).
[box]root@FW-A# set routing-options static route 0.0.0.0/0 next-hop 123.123.123.1[/box]
Step 5 Add interfaces to Security Zones and Allow Traffic Out
Note: I’m simply allowing all traffic out.
1. Make sure the security zones ‘trust’ and ‘untrust’ exist (the first command shows the configured zones from configuration mode, the second runs the operational command from there);
[box]root@FW-A# show security zones
root@FW-A# run show security zones[/box]
2. Add the Reth0 Interface to the Untrusted zone.
[box]root@FW-A# set security zones security-zone untrust interfaces reth0.0 [/box]
3. Allow host-inbound traffic (traffic destined for the firewall itself) on the untrust zone.
Note: ‘system-services all’ and ‘protocols all’ open every management service (SSH, J-Web, ping, and so on) and every routing protocol on the Internet-facing interface. That gets a lab going, but in production list only the services you actually need on that zone (for a VPN that is typically just ike and ping) and keep management on fxp0 as in Step 6.
[box]{primary:node0}[edit]
root@FW-A# set security zones security-zone untrust host-inbound-traffic system-services all
root@FW-A# set security zones security-zone untrust host-inbound-traffic protocols all[/box]
4. You can check the changes before you commit them.
5. Then add Reth1 and Reth2 to the Trusted zone and repeat the process to allow all traffic.
[box]root@FW-A# set security zones security-zone trust interfaces reth1.0
root@FW-A# set security zones security-zone trust interfaces reth2.0
root@FW-A# set security zones security-zone trust host-inbound-traffic system-services all
root@FW-A# set security zones security-zone trust host-inbound-traffic protocols all[/box]
6. Let’s check to see all that worked.
[box]
{primary:node0}[edit]
root@FW-A# show security policies from-zone trust to-zone untrust
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
{primary:node0}[edit]
root@FW-A# show security policies
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
[/box]
Step 6 Allow Remote Management
1. We have two interfaces dedicated to out of band management, and we gave them an IP address earlier. Here I’m allowing remote administration via web to the J-Web console.
[box]root@FW-A# set system services web-management https interface fxp0.0[/box]
Step 7 Perform NAT on ‘Outgoing’ traffic.
1. Here we are doing what Juniper call ‘Source NAT‘, where we translate many addresses to one (as in this case, but it can be a ‘pool’ of IP addresses). For the Cisco heads (like me) we are doing PAT. The rule-set matches traffic going FROM the trust zone TO the untrust zone; get the direction backwards and nothing gets translated.
Note: If you see Juniper mention ‘Destination NAT‘ they are usually talking about NATTING inbound traffic to one (or more) internal IP addresses.
[box]set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust
set security nat source rule-set TRUST-TO-UNTRUST rule PAT-INTERFACE match source-address 192.168.0.0/16
set security nat source rule-set TRUST-TO-UNTRUST rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set TRUST-TO-UNTRUST rule PAT-INTERFACE then source-nat interface[/box]
This used to be quite common: when attempting to contact the HP System Management Homepage (or the local Insight Manager page) you can no longer get access.
ERROR: Username and password do not match
Solution
With much older versions of the System Management Homepage (before it used domain user names and passwords) you could simply copy the CPQHMMD.DLL file over from a server whose password you knew, and then you could get in.
Then they switched to domain authentication, and when that broke you could navigate to C:\compaq\wbem\homepage, and edit the cpqhmmd.ini file with the following entries;
Then restart the Server (or the HP Services if that’s easier) and you could log in.
With newer versions of the HP Management Homepage those files no longer exist!
1. Head over to www.hp.com and do a drivers/software search for the model of your server, select the operating system you are using and look in the “Software – System Management” section. Locate, download, and install the HP Management homepage software.
Note: Don’t panic this will not need a reboot.
2. It says Administrators always get access, but I still add it in anyway. (Note: on a domain controller there is no separate local Administrators group; the domain’s built-in Administrators group, of which Domain Admins is a member, takes its place.)
3. Set as follows.
4. I’m leaving mine open from any server.
5. Now we are in! (hooray!) and I’ve got a broken BBWC (boo!).
You want to establish a site to site VPN from a site with a Cisco ASA firewall, to another site running a Juniper SRX firewall. I had to do this this week, and struggled to find any good information to help.
In the example below I’m configuring the whole thing from a laptop (172.16.254.206) that’s on the Juniper’s site. Use the diagram below, and substitute your own IP addresses and subnet addresses, to get a workable solution for your site.
When the process is complete, I will test it by pinging the host behind the Cisco ASA on the remote site (10.254.254.5).
Solution
Before you begin, I will assume both firewalls are functioning properly and the clients behind them can access internet services (where allowed) through them already.
5. Enter the Local (behind the ASA) network > Then the Remote (behind the Juniper) network > Next.
Note: You can type them in, but if you use the pick-list button you can select ‘inside-network’ for the local, and define a network object for the remote network.
6. Enter a pre shared key, (remember this, you need to enter it on the Juniper).
8. Enable PFS > Tick the box to exempt traffic from NAT > Next.
9. Review the settings > Finish
11. Save the changes > File > Save running Configuration to Flash.
Step 2 – Configure the Juniper SRX (Route Based VPN)
Model used SRX100B version 11.2R4.3
The SRX supports two types of VPN;
Route based VPN: The VPN is selected based on the route. You define a route pointing to the tunnel interface (st0 interface) bound to the VPN.
Policy based VPN: The VPN is selected based on the security policy.
15. Give the tunnel a name > Set the local zone to trust > Add in the local subnet (behind the Juniper) > Name the Secure Tunnel Interface (just put in a zero) > Set the secure tunnel zone to Untrust > Enter the physical interface the VPN will be terminating on, (usually the fe-0/0/0.0 interface, but it does not have to be) > Next.
Note: On the Juniper, when specifying a subnet use the short subnet notation, i.e. 192.168.1.0 255.255.255.0 would be 192.168.1.0/24 (if you get stuck use my subnet calculator).
16. Supply the public IP address of the ASA > and add in the subnet at the far end of the tunnel (behind the ASA) > Next.
17. Set the IKE (phase 1) settings to Compatible, Main Mode, enter the same pre shared key you set up in Step 1 (number 6) > Set the IPSEC (phase 2) settings to Compatible, IPsec Perfect Forward Secrecy (PFS) to group 2 > Next.
Note: The ‘Compatible’ proposal sets negotiate legacy algorithms (3DES/DES with SHA-1/MD5 and DH group 2). They get the tunnel up against an older ASA, but on current code choose explicit AES/SHA-2 proposals and a stronger DH group, and match them exactly on the ASA side.
20. Navigate to IPsecVPN > Auto Tunnel > Phase II > Select your tunnel > Edit > IPsecVPN Options > Tick ‘use proxy identity’ > Enter the local and remote subnets > OK.
21. Navigate to Security > Zones/Screen > Select the untrust zone > Edit > Host Inbound traffic – Interface > Select the physical address that the VPN is terminating on (usually fe-0/0/0.0) > Add IKE as an Interface service > OK.
22. To save the changes > Action > Commit.
23. Test the VPN by attempting to ping a host on the other end.
Juniper SRX Command Line
On the Cisco firewalls I prefer to work at the command line. The Juniper firewall also supports a CLI, and you can check the VPN config with the following commands, which output the configuration as the ‘set’ commands that produced it;
[box]show security ike | display set
show security ipsec | display set
show | display set | match <external interface configured in ike>
show | display set | match <st.x>[/box]
Related Articles, References, Credits, or External Links
Special thanks to Kalanidhi Tripathi at JTAC for his assistance.