
Certificate Authority: Certificate issuing in the Enterprise

A quick memory refresh on certificate template best practice:

  • Do not change any of the default certificate templates; create copies with a company prefix instead. These are easy to find in the corporate repository.
  • Only issue the certificates you need.
  • Control enrolment requests (I like to use security groups to control which servers/users can request certificates).

I’m starting this from the point where an administrator requests a certificate and sends you the request.

When you receive a certificate request, first check which template was requested. This can be done with the following command:

There will be a page or two of output, and somewhere in it there should be a line naming the requested template.

We need to ensure this matches one of the template names that the CA issues. If it is the standard WebServer template, either they haven’t requested the right certificate, or the CA is issuing the default template.

Next we submit the request to the Certificate Authority. We need to add the CertificateTemplate to the request we are making. This is done by adding an attribute as below and then submitting the file name:

Here you must note the RequestId: it is needed to complete the certificate request.

Next, approve the request in the Certificate Authority console.
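The inspect, submit and approve steps above, as an added PowerShell example that is not from the original post. The CA config string, template name and file paths are placeholders, and approval is done with certutil -resubmit as a command-line stand-in for the console step.

```powershell
# Added example, not the post's own commands. All values below are placeholders.
$CaConfig    = 'CAHOST\Corp-Issuing-CA'   # "<CA server>\<CA common name>"
$Template    = 'Corp-WebServer'           # company-prefixed copy of WebServer, per the best practice above
$RequestFile = 'C:\requests\web01.req'
$CertFile    = 'C:\requests\web01.cer'

# 1. Inspect the request and pull out any line that mentions a template.
#    No template, or the stock "WebServer" template, means the wrong certificate was requested.
$dump = certutil -dump $RequestFile
$dump | Select-String -Pattern 'Template' | ForEach-Object { $_.Line.Trim() }

# 2. Submit the request with the CertificateTemplate attribute so the CA issues the
#    company template rather than whatever default it would otherwise pick.
$submit = certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $RequestFile $CertFile
$submit

# 3. Capture the RequestId from certreq's output; it is needed to approve and retrieve the cert.
$match = $submit | Select-String -Pattern 'RequestId:\s*(\d+)' | Select-Object -First 1
if (-not $match) { throw 'Could not find a RequestId in the certreq output' }
$requestId = $match.Matches[0].Groups[1].Value

# 4. Approve the pending request (the post does this in the CA console; this is the CLI equivalent).
certutil -config $CaConfig -resubmit $requestId

# 5. Retrieve the issued certificate using the same RequestId.
certreq -retrieve -config $CaConfig $requestId $CertFile
```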


Kerberos tickets of the system account for Computer Group membership

When changing the group membership of a computer account, the group will not be reflected in the computer’s token until the computer account re-authenticates, just as when you grant a user new permissions or group membership, the person needs to log out and back in to pick them up.

The easiest way to accomplish this is to reboot the server… however we all know that is not always possible. A handy little tool to get the computer to renew its tickets is klist (run from an elevated prompt, since logon session 0x3e7 belongs to the SYSTEM account). With

klist -li 0x3e7

you get a list of the system account’s tickets, and with

klist -li 0x3e7 purge

you can delete all of them and force the system to obtain new tickets with the updated group membership information, without rebooting at all.


PowerShell Send-MailMessage from Task Scheduler

The other day I came across a curious function. I had a requirement in a script to send an email. Now, when I wrote the script and tested it, everything was working fine. However, when I ran the script from the test schedule, the script executed fine but no email was sent!

After a few hours of searching the system and the Exchange host…

Hold the phone! Under my account it worked perfectly, but under the service account running the scheduled task it failed.

After a few failed attempts I noticed that if I mistyped the username and password while passing the credentials using the -Credential $Creds argument… it actually worked… WTF

So I quickly worked out that if I passed “dummy” credentials, the script worked.

To create a dummy credential I first had to create a secure string. Then I could pass this into a new credential object, like so:

I just included this at the top of the script when declaring variables.

WORKS!