Windows Terminal Services Logon “Access Denied”

I would like to describe resolution of the problem with Terminal Services. When you are using Terminal Services in conjunction with License Server on separate machine, you may experience following symptoms:

  • During the Logon Process, user receives the message “Access denied.”. It is shown instead logon screen, just after the “Welcome” message.
  • Within application and system event logs, there is no related error messages.
  • Within the TerminalServices-LocalSessionManager event log, there is following message correlated with user logon attempt: “Session X has been disconnected, reason code 12”, where X means number of logon session granted to user logon try by Session manager.
  • This problem you may experience on Windows 2008 R2 as well on 2012 (R2).
  • GPO policy update failure often occurs simultaneously.

Temporary solution to this problem may be modifying the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\
IgnoreRegUserConfigErrors (DWORD) = 1

After addition of this registry value you need to reboot affected server.

After mitigation of poor user experience, you can peacefully start real diagnosis, what is wrong in your environment. In one of the cases, the real issue was mistake in windows firewall configuration of domain controlers, what was applied by GPO. In affecting GPO, there was rule denying “SMB over TCP” traffic.
It may be something different in your case, but always it must be something connect with domain controllers.

Certificate Request generation for Microsoft Enterprise CA by openssl

Long time ago I have written about generating Certificate Signing Requests from non-Windows machines. The main goal was to sign such request by Microsoft Enterprise CA. I have mentioned vSphere infrastructure as an example.
I have been recently asked a similar question. New vSphere versions require Alternative Name Extension to exist in the certificate. The question was how to configure openssl to implement both functionalities.
Reaching the goal was quite simple, but not trivial. We can define several sections containing settings for request extensions, however only one can be used for a specific certificate request generation.
It is a good practice to reorganize an openssl configuration file designed for generating a single server certificate. In this way, we obtain templates for each server instance.
An Example configuration file may look as follows:

openssl_conf = openssl_init

[ openssl_init ]
oid_section = new_oids

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ new_oids ]
MsCaCertificateTemplate =

[ v3_req ]
basicContraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:server01, DNS:server01.domena.test
MsCaCertificateTemplate = ASN1:PRINTABLESTRING:VMwareCertificate

[ req_distinguished_name ]
countrName = PL
stateOrProvinceName = Malopolskie
localityName = Krakow
0.organizationName = Firma
organizationalUnitName = Oddzial
commonName = server01.domena.test

Most important parts of the config file are:

  • Line 1. Identifies the global configuration section.
  • Line 4. Identifies the OIDs definitione section. This line is singleton in this section.
  • Line 13. Identifies the Extension definition section. Those extensions will be added to certificate request body.
  • Line 15. Defines OIDs section.
  • Line 16. Defines OID registered and used by Microsoft for marking certificate template extension.
  • Line 22. Defines alternative names of the server. Of course, we can use other than DNS prefixes.
  • Line 23. Defines the name of certificate Template, what is designed to use during signing the certificate. It is important to remember that we need to specify “Certificate Template Name”, as oposite to “Certificate Template Display Name”.

Rest of the file is standard body similar to every single config file designed for generation of requests.

Export/Import ADCS Certificate Templates in Windows 2012


Todays a few words about importing and exporting certificate template data with Active Directory.
This data is stored within Configuration partition of Active Directory and therefore it is common for whole Active Directory Forest.
But there are also situation, when you would like to move them between forest, for example from pre-production environment to your production one.
It can be done on two different ways. First is obvious, but dirty, and sometime can lead to serious problems with moved Items.
But after Windows 2008 R2 was released, there was introduced new feature – Windows AD CS Web Enrollment Services.
It can be used for cross forest CA publication with only External Forest AD Trust enabled.
More details about those protocols can be found here.
On the mentioned site, there are two great scripts written in powershell, what would export and import Certificate Template data to and from xml files in MS-XCEP format.
However, Those scripts have two bugs and one issue within when running on Windows 2012:

  1. There is some kind of error during using them as normal cmd-lets on Windows 2012. Instead, you should comment out first function declaration and cmd-let binding declaration. After this modification, you can use scripts as normal with additional input, as required.
  2. Export function in one place tries to figure out, if there is one of attributes. The line:
    $superseded = if ($temp.Settings.SupersededTemplates -eq 0) {

    should look as follow:

    $superseded = if ($temp.Settings.SupersededTemplates.Length -eq 0) {

    Just replace it, and scripts will run very well on W2k12.

  3. Last thing is those scripts are depending on external powershell module. As far, as I know, it is possible to remove this dependecy, but it will subject of next post.

Mentioned earlier dirty method is old ldifde command with required flags for export:

ldifde -m -v -d cn=%Template1%,%LDAP% -f %Template1%.ldf

Most important part of this command is -m switch, which will result in “forest free” ldf output.
For import you should use the similar command:

 ldifde -i -k -f %Template1%.ldf

And this should work from the begining, starting from Windows 2000 Version.

RSA Token Cloning? Not even close…

Yesterday, on well known polish security blog, there was published new entry stated (in translation):

“Team of several scientists just demonstated method for `cloning` RSA tokens”

This scary post linked to this article.
I have read the original article, prepared by Bardou, Focardi, Kawamoto, Simionato, Steel and Tsay. This was interesting lecture, what describes several improvements to well known attack by D. Bleichenbacher. This attack allows to obtain sensitive material by serie of calls to standard PKCS#11 API function C_UnwrapKey.

First imporant thing to explain is term Sensitive material. This is information existing outside the token in encrypted form. Most often this are symmetric cryptographical keys (e.g. AES keys), which are used for fast enryption of big amount of data. It is done this way, because symetrical encryption is much faster then asymetrical). Of course, the sensitive material can be also data for direct RSA encryption.
API Calls used in referenced document are indented for managing symetrical keys, so the term Key is used instead Sensitive material. That is why it can be misunderstanded as RSA keys can be compromised. It doesn’t work this way!

The originally described method was slow enough to call it “milion messages attack”, and it was marginalized. New poposition of impovements is importand because it significantly decreases required amount of token calls in really tricky way. The final amout of calls is small enough to successful attack in few hours or often minutes.

Continue reading

“The AD RMS installation could not determine the certificate hierarchy.” error during AD RMS Reinstall

There are rare situations, when you have to reinstall the RMS Cluster node. Most common case causing such need is unsuccessfull provisioning process. It usual fails because of really obvious things, such as already binded SSL certificate to Web Site in IIS. After unsuccessfull provisioning task, you have to uninstall whole AD RMS role and after the server restart you can try again with installation. Unfortunatelly sometimes there are the errors during uninstall too. This hidden errors causes subsequent issues during next attempt.
The error cited in post title has several different potential resons and solutions. Most of them is improper registry settings, which stayed after previous install. One thing, what you have to always remember, is that you have to check twice need of every registry change. Inproper registry edition can causes whole server operating system damage.
Namely described error can be caused by one of the following reasons:

  1. Wrong Service Connectin Point – it happens because of improper value in Active Directory container under following path CN=SCP, CN=RightManagementService, CN=Services, CN=Configuration, DC=domain, DC=lab, what point to nonexiting RMS Cluster service URL. More information about this cause you can obtain here. This reason is explicite mentioned in error message shown at the end of role installation wizard.
  2. Second possible issue is described in Application log entry with Log ID 204. This is because of lack of one value in the registry. The mentioned article provides procedure for recreation of missing registry values.
  3. If no of previous solutions helps, I found third one. You need to verify content of following registry hive HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRMS. If there is any value or key this can cause an error. You have to examine it and remove any value, which is pointing to non existing service URL. After this hive clean up, there should be only one value. This is the (default) one.

If your situation doesn’t follow any of described cases, please fell free to put me message in a comment.