Export/Import ADCS Certificate Templates in Windows 2012


Today a few words about importing and exporting certificate template data in Active Directory.
This data is stored in the Configuration partition of Active Directory and is therefore common to the whole Active Directory forest.
But there are also situations when you would like to move templates between forests, for example from a pre-production environment to the production one.
It can be done in two different ways. The first is obvious but dirty, and can sometimes lead to serious problems with the moved items.
But after Windows 2008 R2 was released, a new feature was introduced: Windows AD CS Web Enrollment Services.
It can be used for cross-forest CA publication with only an external forest AD trust enabled.
More details about those protocols can be found here.
On the mentioned site there are two great PowerShell scripts that export and import certificate template data to and from XML files in MS-XCEP format.
However, those scripts have two bugs and one issue when running on Windows 2012:

  1. There is some kind of error when using them as normal cmdlets on Windows 2012. Instead, you should comment out the first function declaration and the cmdlet binding declaration. After this modification you can use the scripts as normal, with the additional input as required.
  2. In one place the export function tries to figure out whether one of the attributes is present. The line:
    $superseded = if ($temp.Settings.SupersededTemplates -eq 0) {
    should look as follows:
    $superseded = if ($temp.Settings.SupersededTemplates.Length -eq 0) {
    Just replace it, and the scripts will run very well on W2k12.
  3. The last thing is that those scripts depend on an external PowerShell module. As far as I know it is possible to remove this dependency, but that will be the subject of the next post.

The dirty method mentioned earlier is the old ldifde command with the required flags for export:
ldifde -m -v -d cn=%Template1%,%LDAP% -f %Template1%.ldf
The most important part of this command is the -m switch, which results in “forest free” LDF output.
For import you should use a similar command:
ldifde -i -k -f %Template1%.ldf
And this should work from the beginning, starting from the Windows 2000 version.
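As an added example (not code from the original post), a PowerShell wrapper around the two ldifde commands above that fills in the %LDAP% container from RootDSE instead of by hand; the function names and the optional -c DN rewrite on import are my additions.

```powershell
# Added example, not from the original post: wraps the two ldifde commands above and
# fills in the %LDAP% container from RootDSE instead of typing it by hand.
function Get-CertTemplateContainer {
    # templates live in the Configuration partition, so this DN is the same forest-wide
    $configNC = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    return "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
}

function Export-CertTemplateLdf {
    param(
        [Parameter(Mandatory)][string]$TemplateName,   # cn of the template, e.g. WebServer
        [string]$OutDir = '.'
    )
    $dn   = "CN=$TemplateName,$(Get-CertTemplateContainer)"
    $file = Join-Path $OutDir "$TemplateName.ldf"
    # -m omits system attributes that cannot be imported elsewhere (objectGUID, objectSid and the like)
    # -d restricts the export to this one template object
    & ldifde -m -v -d $dn -f $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ldifde export of $TemplateName failed ($LASTEXITCODE)" }
    return $file
}

function Import-CertTemplateLdf {
    param(
        [Parameter(Mandatory)][string]$LdfFile,
        [string]$SourceForestDN   # assumed parameter, e.g. DC=preprod,DC=lab; omit inside one forest
    )
    # -k ignores 'object already exists' style errors; -c rewrites the source forest's DN
    # suffix to the target forest's, which -m on export does not do
    $ldifdeArgs = @('-i', '-k', '-f', $LdfFile)
    if ($SourceForestDN) {
        $configNC = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
        $targetForestDN = $configNC -replace '^CN=Configuration,', ''
        $ldifdeArgs += @('-c', $SourceForestDN, $targetForestDN)
    }
    & ldifde @ldifdeArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ldifde import of $LdfFile failed ($LASTEXITCODE)" }
}

# export in the source forest, copy the .ldf, import in the target forest
# Export-CertTemplateLdf -TemplateName 'WebServer' -OutDir 'C:\Templates'
# Import-CertTemplateLdf -LdfFile 'C:\Templates\WebServer.ldf' -SourceForestDN 'DC=preprod,DC=lab'
```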


Retrieving properties embedded in WMI object (C#)

Today a fast review of the rules for querying for an embedded object within another WMI object.
A basic WMI search query returns a System.Management.ManagementObjectCollection. This collection contains a set of System.Management.ManagementObject instances. Each of them has only a subset of all possible properties filled in: those that are simple WMI data types (String, Int, Bool). When we want to retrieve a complex, class-based property, the embedded object is missing and the code returns a NULL value.
To get these object fields filled in, there is a class method called Get().
This method is described here. It can be used for quick retrieval of a single object, but it is also used when handling any modification of an object.
The side effect is that the whole object gets filled in, including any instances of embedded, structured complex types.
The following code illustrates the case:

using System.Management;

// constructed placeholders: the SMS provider host, the site code and the WQL query to run
string serverName = "SCCM-SERVER";
string siteCode = "P01";
string query = "SELECT * FROM SMS_Collection WHERE Name = 'All Systems'";

// for kerberos constrained delegation
ConnectionOptions wmiOptions = new ConnectionOptions();
wmiOptions.Authentication = AuthenticationLevel.PacketPrivacy;
wmiOptions.Impersonation = ImpersonationLevel.Impersonate;
// for connection to remote host
ManagementScope scope = new ManagementScope("\\\\" + serverName + "\\root\\SMS\\Site_" + siteCode, wmiOptions);
// for performing query to wmi
WqlObjectQuery wmiQuery = new WqlObjectQuery(query);
ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, wmiQuery);
// performing search itself
ManagementObjectCollection Colls = searcher.Get();
ManagementBaseObject[] rules = null;
ManagementObject coll = null;
// retrieving objects from collection, in this example we assume only one result
foreach (ManagementObject o in Colls)
    coll = o;
// at this point coll["CollectionRules"] == null: the search filled in only the simple-typed properties
// Get() re-reads the instance and, as a side effect, also fills in the embedded objects
coll.Get();
// after the previous call it is filled in
rules = (ManagementBaseObject[])coll["CollectionRules"];


How to remotely trigger an advertisement run on an SCCM 2012 client

Hello Everybody,

There are many questions on the web about remotely invoking SCCM actions on the client via scripting.
In the official SCCM 2012 SDK there is absolutely nothing about such client actions. In the 2007 version it is demonstrated, but with a local script invoking CPAppletMgr in conjunction with the UIResourceMgr COM object class. But configuring DCOM to accept remote requests for these objects is at least tricky, and pointless, because it would be naive to believe these classes will not change in the future.
The most natural way for SCCM to do this is to make the appropriate WMI calls.
And here Microsoft makes new trouble for all of us scripting guys: the new SCCM 2012 SDK has a dry description of the classes within the CCM namespace, but also absolutely no notes on using them.
Finally I found a brilliant tool, SMSCLICTR, which encapsulates all of the settings in simple-to-use .NET assemblies. This can also be used from PowerShell, but sometimes the use of such external modules is prohibited.
So I have made my own piece of PowerShell code for doing this manually.

  1. First of all I had to enforce a current machine policy refresh. It is done by the following function:

    function ForceMachinePolicyRefresh {
        param($clientname, $username, $userpass, $PolicyID)
        $ms = New-Object System.Management.ManagementScope
        $ms.Path = "\\$clientname\root\CCM"
        $ms.Options.Username = $username
        $ms.Options.Password = $userpass
        $mc = New-Object System.Management.ManagementClass($ms, 'SMS_Client', $null)
        # TriggerSchedule takes the schedule GUID as its only argument
        $result = $mc.InvokeMethod("TriggerSchedule", $PolicyID)
        # emit both the method result and the class object, so callers can reuse $mc as element [1]
        return $result, $mc
    }

    There are several things to explain about this code:

    • It connects to the namespace explicitly, without any casting, because credentials are passed. This code can only be invoked remotely, because setting $ms.options.username is supported only for a remote connection.
    • It is a general function for enforcing any scheduled action, so it can be used not only for machine policy refresh but also for applying changes in the local config, as you will see later.
    • The last thing about this small piece of code is that it can be used as a base for manipulating any of the published methods of the SMS_Client WMI class. Now the MS reference from the SDK can be helpful.
  2. So, when we have this defined we can go further. Now the function for invoking an exact advertisement of a specified package. The function takes all necessary arguments:

    function InvokeOptionalAdvertisement {
        Param($clientname, $username, $userpass, $advertID, $packID)
        # {...0021} is the machine policy retrieval schedule; element [1] of the result is the SMS_Client class
        $mc = ForceMachinePolicyRefresh -clientname $clientname -username $username -userpass $userpass -PolicyID "{00000000-0000-0000-0000-000000000021}"
        $ms = New-Object System.Management.ManagementScope
        $ms.Path = "\\$clientname\root\ccm\policy\Machine\ActualConfig"
        $ms.Options.Username = $username
        $ms.Options.Password = $userpass
        $query = New-Object System.Management.ObjectQuery
        $query.QueryString = "Select * From CCM_SoftwareDistribution where ADV_AdvertisementID = '$advertID' and PKG_PackageID = '$packID'"
        $searcher = New-Object System.Management.ManagementObjectSearcher($query)
        $searcher.Scope = $ms
        $advs = $searcher.Get()
        # take the single expected object out of the collection
        $enum = $advs.GetEnumerator()
        if (-not $enum.MoveNext()) { throw "No CCM_SoftwareDistribution object for $advertID / $packID" }
        $adv = $enum.Current
        # make the optional assignment mandatory and rerunnable, then commit the change to WMI
        $adv.SetPropertyValue("ADV_RepeatRunBehavior", "RerunAlways")
        $adv.SetPropertyValue("ADV_MandatoryAssignments", $true)
        $null = $adv.Put()
        $query1 = New-Object System.Management.ObjectQuery
        $query1.QueryString = "Select ScheduledMessageID From CCM_Scheduler_ScheduledMessage where ScheduledMessageID like '" + $adv.ADV_AdvertisementID + "-" + $adv.PKG_PackageID + "%'"
        $searcher1 = New-Object System.Management.ManagementObjectSearcher($query1)
        $searcher1.Scope = $ms
        $scheds = $searcher1.Get()
        # $mc[1] is the SMS_Client ManagementClass returned by ForceMachinePolicyRefresh
        $scheds | ForEach-Object { $mc[1].InvokeMethod("TriggerSchedule", $_.ScheduledMessageID) }
        return $adv
    }

    So now a word of comment on this function:

    • At the beginning we invoke the machine policy refresh with our previously defined function.
    • Next we define a new management scope with the namespace of the actual config used by CCM.
    • After that we need an ObjectQuery instance to encapsulate the correct WMI query. This query selects all CCM_SoftwareDistribution objects that match our conditions.
    • By using the searcher object we obtain all required objects in the $advs variable.
    • The trick with the enumerator and its Current property gives us the single object instead of the collection containing it.
    • Now we do the main job. We modify two properties, which ensures that the optional assignment is now mandatory and will run on the next schedule of this advertisement.
    • The last part of the script gets the proper scheduler objects for our advertisement and package.
    • Finally we trigger the schedules and the task sequence runs properly.

Eagle2KiCad Library Converter Script Update

Today I had an issue with converting the standard Eagle scripts that Farnell (Element14) distributes as descriptions of their products. Because there are several versions of the conversion scripts for Eagle that create proper KiCad library files, I found the newest one at http://www.modulbot.com/download.html.
The only issue is that I have Eagle 6.3, which is now available for download as the standard one.
The resulting libraries have elements 32 times bigger than they should be.
I made a new update of this script, and library components are now correctly scaled.
Because I didn’t find an ‘e’ version, I have named it this way.
The script is available here: eagle-lbr2kicad-0.9e.ulp


RSA Token Cloning? Not even close…

Yesterday, on the well-known Polish security blog niebezpiecznik.pl, a new entry was published stating (in translation):

“A team of several scientists has just demonstrated a method for `cloning` RSA tokens”

This scary post linked to this article.
I have read the original article, prepared by Bardou, Focardi, Kawamoto, Simionato, Steel and Tsay. It was an interesting read, describing several improvements to the well-known attack by D. Bleichenbacher. This attack allows sensitive material to be obtained by a series of calls to the standard PKCS#11 API function C_UnwrapKey.

The first important thing to explain is the term sensitive material. This is information that exists outside the token in encrypted form. Most often these are symmetric cryptographic keys (e.g. AES keys), which are used for fast encryption of large amounts of data. It is done this way because symmetric encryption is much faster than asymmetric. Of course, the sensitive material can also be data for direct RSA encryption.
The API calls used in the referenced document are intended for managing symmetric keys, so the term key is used instead of sensitive material. That is why it can be misunderstood as though RSA keys can be compromised. It doesn’t work this way!

The originally described method was slow enough to be called the “million message attack”, and it was marginalized. The new proposal of improvements is important because it significantly decreases the required number of token calls in a really tricky way. The final number of calls is small enough for a successful attack in a few hours, or often minutes.



“The AD RMS installation could not determine the certificate hierarchy.” error during AD RMS Reinstall

There are rare situations when you have to reinstall an RMS cluster node. The most common case causing such a need is an unsuccessful provisioning process. It usually fails because of really obvious things, such as an SSL certificate already bound to the web site in IIS. After an unsuccessful provisioning task you have to uninstall the whole AD RMS role, and after the server restart you can try the installation again. Unfortunately, sometimes there are errors during uninstall too. These hidden errors cause subsequent issues during the next attempt.
The error cited in the post title has several different potential reasons and solutions. Most of them are improper registry settings left over from the previous install. One thing you always have to remember is to double-check the need for every registry change. Improper registry editing can damage the whole server operating system.
Namely, the described error can be caused by one of the following reasons:

  1. Wrong Service Connection Point: it happens because of an improper value in the Active Directory container under the path CN=SCP, CN=RightManagementService, CN=Services, CN=Configuration, DC=domain, DC=lab, which points to a nonexistent RMS cluster service URL. More information about this cause you can obtain here. This reason is explicitly mentioned in the error message shown at the end of the role installation wizard.
  2. The second possible issue is described in an Application log entry with Event ID 204. This is because one value is missing from the registry. The mentioned article provides a procedure for recreating the missing registry values.
  3. If none of the previous solutions helps, I found a third one. You need to verify the content of the registry hive HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRMS. If there is any value or key there, it can cause the error. You have to examine it and remove any value pointing to a non-existent service URL. After this hive clean-up there should be only one value: the (default) one.
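As an added example (not code from the original post), a read-only PowerShell audit of the two places listed above where a stale RMS cluster URL survives an uninstall; it reports and deletes nothing, so every registry change still gets the double check the text asks for. It assumes the standard SCP container name CN=RightsManagementServices, and the helper names are mine.

```powershell
# Added example, not from the original post: a read-only audit of the two places a stale
# RMS cluster URL survives an uninstall. It only reports, so each registry change still gets
# the double check the text asks for. The SCP container name is the standard
# CN=RightsManagementServices; the helper names are mine.
function Test-RmsUrlResolves {
    param([string]$Url)
    # a leftover URL usually points at a host that no longer exists, so DNS is the first check
    try { [void][System.Net.Dns]::GetHostEntry(([Uri]$Url).Host); return $true }
    catch { return $false }
}

function Get-AdRmsLeftovers {
    $findings = @()
    # 1. the Service Connection Point in the Configuration partition
    $configNC = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    try {
        $scp = [ADSI]"LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNC"
        foreach ($binding in @($scp.serviceBindingInformation)) {
            if ($binding -and -not (Test-RmsUrlResolves $binding)) {
                $findings += [pscustomobject]@{ Source = 'AD SCP serviceBindingInformation'; Value = $binding }
            }
        }
    } catch { Write-Verbose "no RMS SCP found: $_" }
    # 2. the DRMS hive; after a clean uninstall only the (default) value should remain
    $hive = 'HKLM:\SOFTWARE\Microsoft\DRMS'
    if (Test-Path $hive) {
        Get-ChildItem $hive -Recurse | ForEach-Object {
            $findings += [pscustomobject]@{ Source = $_.PSPath; Value = '(subkey left behind)' }
        }
        foreach ($name in (Get-Item $hive).Property) {
            $val = (Get-ItemProperty $hive).$name
            if ("$val" -match '^https?://' -and -not (Test-RmsUrlResolves "$val")) {
                $findings += [pscustomobject]@{ Source = "$hive\$name"; Value = "$val" }
            }
        }
    }
    return $findings
}

# every row is a candidate for removal; verify it by hand before touching the registry
Get-AdRmsLeftovers | Format-Table -AutoSize
```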

If your situation doesn’t match any of the described cases, please feel free to leave me a message in a comment.


Microsoft Enterprise CA doesn’t allow publishing V2 and V3 templates

Under some circumstances, after installing the Windows Enterprise operating system and configuring AD Certificate Services as an Enterprise CA, the CA service still doesn’t allow publication of certificate templates in versions higher than V1. This is because of a misconfiguration of the registry entries that determine the type of CA installation as Standard.
Template publication window
The solution for this problem is to set the proper bit flag in the CA configuration. It can be done with the following command:
certutil -setreg ca\setupstatus +512
After the registry update the CA service has to be restarted.
Moreover, it is possible to manually edit the list of templates that the CA uses for certificate enrollment. This is done by editing the certificateTemplates attribute of the pKIEnrollmentService object. These objects are available under the path CN=Internal Issuing CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=contonso,DC=lab
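As an added example (not code from the original post), a read-only PowerShell check of whether the 512 bit that the certutil command above sets is present in SetupStatus, together with the certificateTemplates list of the CA's pKIEnrollmentService object; it assumes the CA's common name is also its CN under Enrollment Services, and the function names are mine.

```powershell
# Added example, not from the original post: checks whether the 512 (0x200) bit that
# 'certutil -setreg ca\setupstatus +512' adds is set, and lists the templates the CA's
# pKIEnrollmentService object publishes. Read-only. Assumes the CA's common name is also
# its CN under Enrollment Services (true unless the name needed sanitizing).
function Get-CaSetupStatus {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # 'Active' holds the CA name; SetupStatus is a DWORD bit field in the CA's own key
    $caName = (Get-ItemProperty $base).Active
    $status = [int](Get-ItemProperty (Join-Path $base $caName)).SetupStatus
    [pscustomobject]@{
        CAName      = $caName
        SetupStatus = ('0x{0:X}' -f $status)
        Bit512Set   = [bool]($status -band 512)
    }
}

function Get-CaPublishedTemplates {
    param([Parameter(Mandatory)][string]$CaName)
    $configNC = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    # the object whose certificateTemplates attribute the text describes editing by hand
    $svc = [ADSI]"LDAP://CN=$CaName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    return @($svc.certificateTemplates)
}

$ca = Get-CaSetupStatus
$ca | Format-List
if (-not $ca.Bit512Set) {
    Write-Warning 'bit 512 is clear: run certutil -setreg ca\setupstatus +512 and restart CertSvc'
}
"Templates published by $($ca.CAName):"
Get-CaPublishedTemplates -CaName $ca.CAName
```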


Installing Service Pack 1 for Windows 2008 R2 by the MDT 2010 U1 mechanism

Today's post is about why sometimes using the manual can harm your things.
It is normal that if you don’t know how to invoke an application other than by a simple double click on the exe file, you call the command line
aplikacja.exe /? or aplikacja.exe /help
In response we obtain, in some form, information about the command line switches handled by this program. In particular, we can obtain in this way information about the advanced method of calling standalone Windows operating system updates.
The Windows 2008 R2 Service Pack 1 installer responds with the following:
Dialog window with help for Windows 2008 R2 Service Pack 1
To import into Microsoft Deployment Toolkit, you have to somehow unpack the exe file into the Windows standalone update (msu or cab) file form. On the screen there is no such option.
But after several unsuccessful tries I figured out that this command line:
windows6.1-KB976932-X64.exe /extract
fires up exactly this extraction process without any error message. The first symptom of correct execution was a dialog window with a directory tree for choosing the location for the extracted files. There is also the cab file, which is necessary for using the update with MDT 2010 U1.

I am only curious why Microsoft doesn’t add it to the help screen.


DHCP configuration in Windows 2008 R2 Core

Sorry, this entry is only available in Polish.


MCTS Exam 70-620 – Windows Vista

Today the moment of glory has come. I am glad to tell you about my success. From now on I am a Microsoft Certified Technology Specialist: Windows Vista.
The exam is not the hardest one, but I need to forewarn all who prepare for it not to take the Windows built-in applications and installation procedures topics lightly. These are the hardest parts IMO.