Windows Tips & Tricks UPDATE, December 5, 2006

John Savill

December 16, 2006


Windows Tips & Tricks UPDATE, December 5, 2006--brought to you by the Windows IT Pro Network and the Windows 2000 FAQ site
http://www.windows2000faq.com

Make sure your copy of Windows Tips & Tricks UPDATE isn't mistakenly blocked by antispam software! Be sure to add [email protected] to your list of allowed senders and contacts.

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows Tips & Tricks UPDATE.

NETWORK TESTING LABS COMPARES ARGENT TO MOM 2005
http://list.windowsitpro.com/t?ctl=CEED:380033

New On Demand Remote Access & Control
http://crossteccorp.com/ondemand/wp.html?utm_source=TandT1205&utm_medium=newsletter&utm_campaign=nod05

Sponsor: Argent

NETWORK TESTING LABS COMPARES ARGENT TO MOM 2005 Network Testing Labs, one of the world's leading independent research companies, concluded that "Argent's suite had a smaller footprint, was more scalable, supported more platforms, had a more responsive and intuitive user interface and gave us more useful reports," the report says. "Argent's suite of monitoring products emerged from our testing with flying colors." Download this FREE Comparison Paper now:
http://list.windowsitpro.com/t?ctl=CEED:380033

FAQs

  • Q. How can I verify that my Windows Server 2003 Certificate Authority (CA) deployment is correctly configured?

  • Q. How do I enable HTTP Secure (HTTPS) traffic on my Microsoft Internet Information Systems (IIS) 6.0 Web server site by using my local forest Certificate Authority (CA)?

  • Q. How can I enable digital certificate autoenrollment in Windows Server 2003?

  • Q. How can I configure Microsoft Office Outlook 2003 for digital signatures and encryption?

  • Q. How can I export and import my private keys from one machine to another?

Sponsor: CrossTec

New On Demand Remote Access & Control New NetOp On Demand Remote Control is the Internet-based solution that lets Help Desk reps connect to end users’ machines in seconds. No pre-installing software. No configuring firewalls. No monthly charges. Offers stringent security: 256-bit AES encryption, authentication, and more. End user downloads 650K file, gets remote help, then upon exiting, the file removes itself from the user’s computer. For cost-effectiveness, it is licensed per Help Desk rep, not per end user or session. Robust feature set results in quicker problem resolution and increased customer satisfaction. Read the whitepaper today!
http://crossteccorp.com/ondemand/wp.html?utm_source=TandT1205&utm_medium=newsletter&utm_campaign=nod05

FAQs

Q. How can I verify that my Windows Server 2003 Certificate Authority (CA) deployment is correctly configured?

A. Microsoft provides the PKI Health Tool (PKIView) as part of the Windows 2003 Resource Kit Tools (http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en). PKIView determines whether the Authority Information Access (AIA) and Certificate Revocation List (CRL) distribution point URLs are valid and reachable. The tool also determines whether the associated certificates are nearing expiration. To run PKIView, select Start, Run, and type pkiview.msc. A Microsoft Management Console (MMC) instance will start. Select a CA to display the status of each CRL and AIA location, as Figure 1 shows. If you have more than one CA in your hierarchy, select each CA in turn to check the status of the whole hierarchy. The status field should display OK for all entries. If the publication point isn't correctly configured, or the CA certificate or CRL hasn't been copied correctly to the publication point (i.e., it's missing), the status will show "Unable to Download." If the CA certificate or CRL is nearing expiration, the status column will display "Expiring."
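Where PKIView isn't at hand, the same AIA and CDP reachability checks can be scripted. The PowerShell below is an added example and not part of the original FAQ: it walks the CA certificates in the local machine store, pulls the HTTP publication URLs out of their AIA and CRL Distribution Point extensions, tries to download each, and flags CA certificates that are expired or near expiration. It assumes Windows PowerShell 5.1 or later and HTTP publication points (LDAP points are skipped); the 30-day warning window is a chosen value.

```powershell
# Added example: script approximation of PKIView's AIA/CDP reachability check.
# Assumes Windows PowerShell 5.1+ and HTTP publication points (LDAP URLs are skipped).

$warnDays = 30   # report CA certificates as "Expiring" inside this window (chosen value)

function Get-PublicationUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # AIA extension OID is 1.3.6.1.5.5.7.1.1, CRL Distribution Points is 2.5.29.31.
    # Format($true) renders the extension as text containing "URL=..." entries.
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -notin @('1.3.6.1.5.5.7.1.1', '2.5.29.31')) { continue }
        $kind = if ($ext.Oid.Value -eq '2.5.29.31') { 'CRL' } else { 'AIA' }
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(?<url>https?://[^\s,]+)')) {
            [pscustomobject]@{ Kind = $kind; Url = $m.Groups['url'].Value }
        }
    }
}

function Test-PublicationUrl {
    param([string]$Url)
    # Mirrors PKIView's status column: OK when the object downloads, otherwise Unable to Download
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        if ($resp.StatusCode -eq 200 -and $resp.Content.Length -gt 0) { return 'OK' }
        return "HTTP $($resp.StatusCode)"
    } catch {
        return 'Unable to Download'
    }
}

# Every CA certificate (root or intermediate) the machine trusts that carries an AIA or CDP
$cas = Get-ChildItem -Path Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
    Where-Object { Get-PublicationUrls -Cert $_ }

foreach ($ca in $cas) {
    $daysLeft = ($ca.NotAfter - (Get-Date)).Days
    $status = if ($daysLeft -lt 0) { 'Expired' } elseif ($daysLeft -le $warnDays) { 'Expiring' } else { 'OK' }
    '{0}  expires {1:yyyy-MM-dd}  [{2}]' -f $ca.Subject, $ca.NotAfter, $status
    foreach ($p in Get-PublicationUrls -Cert $ca) {
        '   {0,-4} {1,-70} {2}' -f $p.Kind, $p.Url, (Test-PublicationUrl -Url $p.Url)
    }
}
```

The script checks that each publication point answers with content; it does not parse the downloaded CRL's NextUpdate field, so keep PKIView for CRL freshness.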

Q. How do I enable HTTP Secure (HTTPS) traffic on my Microsoft Internet Information Systems (IIS) 6.0 Web server site by using my local forest Certificate Authority (CA)?

A. If you have Certificate Services installed in your Active Directory (AD) forest, enabling HTTPS traffic on a Web server is a simple exercise. To do so, perform these steps:

  1. Log on to the Web server as an account with local Administrator privileges (to allow certificates to be installed into the computer's local certificate store).

  2. Start the Internet Information Services Manager (Start, Programs, Administrative Tools, Internet Information Services--IIS--Manager).

  3. Expand Web Sites and right-click the Web site for which you want to enable HTTPS communication (e.g., Default Web Site) and select Properties.

  4. Select the Directory Security tab and click Server Certificate, as Figure 2 shows.

  5. Click Next on the "Welcome to the Web Server Certificate Wizard" page.

  6. Select "Create a new certificate" and click Next.

  7. You now choose whether to request the certificate immediately or prepare a request to be submitted later. If the CA is correctly configured in the AD forest, select "Send the request immediately to an online certificate authority" and click Next.

  8. Enter a name for the certificate (e.g., Exchange Web Server SSL), as Figure 3 shows. Leave the default values for bit length and cryptographic service provider (CSP). Click Next.

  9. Enter the organization's name and unit (e.g., SavillTech and IT) and click Next.

  10. Enter the common name (CN) of the certificate. This name must match the full name that users will use to access the Web site (e.g., savdalex01.savilltech.com). Click Next.

  11. Enter the Country, State, and City and click Next.

  12. You'll be prompted for the port to be used for Secure Sockets Layer (SSL). Leave it as the default (443) and click Next.

  13. You'll see a list of CAs known to AD. Select one and click Next.

  14. You'll see a confirmation of the certificate request. Click Next.

  15. The screen displays a success message. Click Finish. After you install the certificate, Web clients will be able to use HTTPS.

If you have concerns with this approach, you can use the Web-based enrollment method. (I know of people who were unable to get this autoenrollment process to work; usually this occurs because firewall or server-side configuration issues on the certificate server prevent remote procedure call (RPC) from being available.) To do so, perform these steps:

  1. Log on to the IIS server.

  2. Go to http:///certsrv/.

  3. Click "Request a certificate."

  4. Click "Advanced certificate request."

  5. Click "Create and submit a request to this CA."

  6. Complete the Certificate Template form, ensuring that the Certificate Template is set to Web Server and the "Store certificate in the local computer certificate store" check box is selected, as Figure 4 shows. The Name field needs to match how the clients will connect to the server (the server part of the URL).

  7. Click Submit.

  8. Click Yes to the security warning.

  9. You'll see a new Web page. Select "Install this certificate" and click Yes to the security warning.

  10. You'll see a message saying the certificate was successfully installed.

You can now click the Server Certificate button under the Directory Security tab of the Web site, select "Assign an existing certificate," and select the installed certificate.
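The wizard's immediate-request path can also be driven with certreq.exe, which makes the contents of the request explicit and leaves a record of what was asked for. This PowerShell is an added example rather than the article's own procedure: the CA config string and the working directory are placeholders, the subject fields are sample values, and the host name reuses the article's example. The certificate is then assigned to the site with "Assign an existing certificate" exactly as described above.

```powershell
# Added example: request a Web Server certificate from the enterprise CA with certreq,
# equivalent to the wizard's "send the request immediately" path. Placeholders: $caConfig
# and $work; the host name is the article's example.

$fqdn     = 'savdalex01.savilltech.com'                     # must match how clients address the site
$caConfig = 'CAHOST.savilltech.com\SavillTech Issuing CA'   # placeholder "host\CA name" config string
$work     = Join-Path $env:TEMP 'webcert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Request parameters matching the wizard pages (name, key length, CSP, organization, CN, location).
# Exportable = FALSE keeps the site's private key from leaving the machine store.
$inf = @"
[NewRequest]
Subject = "CN=$fqdn, OU=IT, O=SavillTech, L=City, S=State, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

# 1. Generate the key pair in the machine store and build the PKCS#10 request
certreq -new "$work\request.inf" "$work\request.req"
# 2. Submit the request to the online enterprise CA over RPC/DCOM (the same path the wizard uses)
certreq -submit -config $caConfig "$work\request.req" "$work\cert.cer"
# 3. Accept the issued certificate, binding it to the pending private key
certreq -accept "$work\cert.cer"

# Verify: a machine certificate for the site name exists and its private key is present
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```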

Q. How can I enable digital certificate autoenrollment in Windows Server 2003?

A. Autoenrollment is available to Windows 2003 and Windows XP domain members for version 2 certificate templates (which can be issued only by enterprise CAs running Windows 2003 Enterprise or Datacenter Edition). The autoenrollment process grants certificates based on certificate templates that grant Read, Enroll, and Autoenroll permissions to the users, groups, or computers that require autoenrollment. A modification is made to Group Policy to initiate the process during a Group Policy refresh or interactive logon event. Make sure that the certificate templates to be configured for autoenrollment don't require user input; if they do, the autoenroll process will fail. In this example, we'll enable autoenrollment for certificates to be used for digital signatures and message encryption via Microsoft Office Outlook 2003:

  1. Start the Microsoft Management Console (MMC) Certificate Authority (CA) snap-in (Start, Programs, Administrative Tools, Certification Authority).

  2. Expand the CA server and right-click Certificate Templates. Select Manage from the displayed context menu.

  3. Right-click the Exchange Signature Only template and select Duplicate Template from the menu.

  4. Select the General tab and enter a name for the new template (e.g., Exchange Signature Only Custom). Don't enable publishing of the certificate in AD (this isn't needed for signatures because the certificate is included in the payload of the signed message).

  5. Under the Request Handling tab, set the purpose to Signature. Select "Enroll subject without requiring any user input" and select the "Allow private key to be exported" check box, as Figure 5 shows. Alternatively, if you have key archival enabled, you can select "Archive subject's encryption private key" (the option might be grayed out depending on the type of certificate you're duplicating). It's advisable to enable key archival in case a private key is lost.

  6. Click the Subject Name tab and select "Build from this Active Directory information." Set "Subject name format" to "Fully distinguished name" and select the "Include e-mail name in subject name" check box.

  7. Select the Security tab and ensure that Read, Enroll, and Autoenroll are enabled for the users (e.g., Domain Users) who will autoenroll as Figure 6 shows. Some companies have a process whereby users are added to a group if they require certain certificate autoenrollments, which then are processed on their next logon or Group Policy refresh. Click OK.

  8. Repeat the above steps for Exchange User, with two differences. Under the General tab, enable publishing to AD; this places the public certificate in the user's userCertificate attribute, where the sending party queries it via the global catalog (GC), and it will be visible under the user's "Published Certificates" tab in the Active Directory Users and Computers MMC snap-in. Under Request Handling, set the Purpose to Encryption.

  9. Close the Manage templates snap-in.

  10. Under Certificate Templates within the Certification Authority snap-in, right-click and select "New - Certificate Template to Issue."

  11. Select a certificate that you want to issue and click OK, as Figure 7 shows. (Certificates that are already being issued aren't shown in the dialog box.) Repeat this process for the certificates you just created (e.g., Exchange User Custom and Exchange Signature Only Custom).

Make sure you choose the copied template that you created and not the original (i.e., select Exchange User Custom, not Exchange User). The original template doesn't permit autoenroll. Next you need to enable the Group Policy for the autoenrollment. To do so, perform these steps:

  1. Open the GPO that applies to the container (e.g., domain or OU that will affect the users/computer requiring autoenrollment) or create a new GPO. (For example, open the MMC Active Directory Users and Computers snap-in, right-click the container, and select Properties. Select the Group Policy tab, select the GPO and click Edit, as Figure 8 shows.)

  2. Under the GPO's Computer Configuration and User Configuration main branches, expand Windows Settings, Security Settings, Public Key Policies and double-click the Autoenrollment Settings. (You want to set this at both computer and user level.)

  3. Enable "Enroll certificates automatically" and select the two check boxes for renewing expired certificates and updating certificates that use certificate templates, as Figure 9 shows. Click OK.

  4. Close the GPO editor.

When users next log on or have Group Policy applied, they should receive the certificates within 90 seconds. You can verify that users received the certificates by performing these steps:

  1. Start the MMC console (Start, Run, MMC).

  2. From the File menu, select Add/Remove Snap-in.

  3. Click Add from the Standalone tab of the Add/Remove snap-in dialog box.

  4. Select Certificates, click Add, then click Close, as Figure 10 shows.

  5. Click OK to the main Add/Remove Snap-in dialog. You'll now see the certificates under Certificates, Current User, as Figure 11 shows.

You can check the Application event log for information related to autoenrollment on the client. (You can also view Failed Requests in the Certificate Authority MMC snap-in.) Figure 12 shows a failed autoenrollment from the client Application event log.

The failed autoenrollment occurred because the remote procedure call (RPC) server wasn't available on the CA that was running on Windows Server 2003 Enterprise Edition with Service Pack 1 (SP1) installed. Because the CA was enabled on the server after the Security Configuration Wizard (SCW) had been run, the services and ports needed by certificate servers weren't enabled. To resolve the problem, run the SCW (Start, Programs, Administrative Tools, Security Configuration Wizard) and enable the Certificate Server in the Select Server Roles section and the "Ports used by System RPC applications" option in the "Open Ports and Approve Applications" section.

To view the certificates that have been issued from a certificate server, expand the Issued Certificates branch of the Certification Authority MMC snap-in, as Figure 13 shows.

Be careful when using autoenrollment for the Exchange User certificate (which is used to encrypt messages) if users log on to more than one machine to access mail. Messages are encrypted with a generated symmetric key (i.e., the same key is used to both encrypt and decrypt the message), and the symmetric key is transmitted with the message, encrypted with the recipient's public key. This means that only the recipient's private key can decrypt the symmetric key and thus decrypt the message.

The problem is that if you use autoenrollment and a user logs on to multiple machines, each machine will generate a new set of private and public keys for that user (because a separate profile is used on each machine). Thus, depending on which public key is used to encrypt a message, the recipient will be able to open the message only on the computer with the paired private key. On all other machines the corresponding private key is missing and the message is unreadable.

The solution is to store these certificates (private keys) on smart cards that travel with the user instead of on the machines or use roaming profiles so that the user always has the same profile and thus no additional certificate enrollments will take place.

With Windows 2003 and Windows Vista, Digital Identity Management Service (DIMS) enables credential roaming, in which the certificates and private keys are stored in AD, avoiding the problem. You can find more information about this problem at http://technet2.microsoft.com/WindowsServer/en/Library/d052e2b5-fd73-4bd0-8018-7713049463ee1033.mspx.
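To check the result of the autoenrollment policy from a client, and to spot the multi-machine key problem just described before a user loses access to mail, here is an added PowerShell check that is not part of the original FAQ. It pings the CA's RPC interface (the SCW failure above shows up here), pulses autoenrollment, lists the template-based certificates in the user's store, and then compares the encryption certificates published in the user's AD userCertificate attribute against the private keys actually present in this profile. It assumes a domain-joined current Windows client with certutil; the CA config string is a placeholder and the template names are the article's examples.

```powershell
# Added example: client-side check of autoenrollment results and of the multi-machine
# key problem described above. Assumes a domain-joined current Windows client with
# certutil; $caConfig is a placeholder and the template names are the article's examples.

$caConfig           = 'CAHOST.savilltech.com\SavillTech Issuing CA'   # placeholder
$encryptionTemplate = 'Exchange User Custom'
$templateOid        = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 templates)

# RPC reachability to the CA: "RPC server is unavailable" here is the SCW symptom described above
certutil -config $caConfig -ping

# Trigger user autoenrollment now instead of waiting for the next logon or GP refresh
certutil -user -pulse | Out-Null

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    if (-not $ext) { return $null }
    # Rendered text looks like "Template=Exchange User Custom(1.3.6.1.4.1.311.21.8...), Major Version Number=100, ..."
    if ($ext.Format($false) -match 'Template=(?<name>[^(,]+)') { return $Matches['name'].Trim() }
    return $null
}

function Get-PublicKeyId {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # SHA-1 over the encoded public key identifies the key pair independently of the certificate
    $hash = [System.Security.Cryptography.SHA1]::Create().ComputeHash($Cert.PublicKey.EncodedKeyValue.RawData)
    return ([System.BitConverter]::ToString($hash) -replace '-').Substring(0, 16)
}

# 1. What this machine's profile holds: template, expiry, key id, and whether the private key is here
$local = Get-ChildItem Cert:\CurrentUser\My | Where-Object { Get-TemplateName -Cert $_ }
foreach ($c in $local) {
    'local     {0,-30} expires {1:yyyy-MM-dd} key={2} privateKey={3}' -f (Get-TemplateName -Cert $c), $c.NotAfter, (Get-PublicKeyId -Cert $c), $c.HasPrivateKey
}
$localKeyIds = @($local | Where-Object HasPrivateKey | ForEach-Object { Get-PublicKeyId -Cert $_ })

# 2. What senders see: the userCertificate attribute published in AD and queried via the GC
$searcher = [adsisearcher]"(&(objectClass=user)(sAMAccountName=$env:USERNAME))"
$searcher.PropertiesToLoad.Add('userCertificate') | Out-Null
$published = @($searcher.FindOne().Properties['usercertificate']) | ForEach-Object {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$_)
}
$encPublished = @($published | Where-Object { (Get-TemplateName -Cert $_) -eq $encryptionTemplate })
$orphans = 0
foreach ($c in $encPublished) {
    $kid  = Get-PublicKeyId -Cert $c
    $here = $localKeyIds -contains $kid
    if (-not $here) { $orphans++ }
    'published {0,-30} expires {1:yyyy-MM-dd} key={2} privateKeyOnThisMachine={3}' -f $encryptionTemplate, $c.NotAfter, $kid, $here
}

# A published encryption key whose private half is not in this profile is exactly the case where
# mail encrypted to that key is unreadable here; several such keys mean the user enrolled on several machines.
if ($orphans -gt 0) {
    Write-Warning "$orphans published '$encryptionTemplate' key(s) have no private key in this profile; consider key archival, roaming profiles or credential roaming."
}
```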

Q. How can I configure Microsoft Office Outlook 2003 for digital signatures and encryption?

A. After a user has the certificates required for digital signatures and encryption installed, enabling them in Outlook is relatively simple. To do so, perform these steps:

  1. Open Outlook and Select Options from the Tools menu.

  2. Select the Security tab and click Settings.

  3. If you're prompted to "Get a Digital ID," you don't have certificates. Otherwise, the dialog box will show "My S/MIME Settings ()" as the Security Settings Name, and S/MIME as the Cryptography Format, as Figure 14 shows.

  4. Click OK.

When an Outlook user sends email, the client displays two buttons that enable digital signing and encryption of messages, as Figure 15 shows.

When a user receives a digitally signed message, the user will see a padlock and ribbon icon above the message body. You can view the signature validation by clicking the ribbon icon, as Figure 16 shows.

To enable encrypted messages to be sent, both sender and recipients need each other's public keys, so a digitally signed message must have been sent in advance and a reply sent from the recipient (which shares the public keys). If keys are published in Active Directory (AD), you can send encrypted messages to a recipient with no prior communication. If you don't have access to the recipient's public key, you'll receive an error message stating which recipients had missing or invalid certificates.

You might also see the error message if you're using Outlook 2003 in cached mode and you're trying to mail someone who only recently acquired public key infrastructure (PKI) services (within the past 24 hours). Outlook 2003 cached mode queries the Offline Address Book (OAB), which it downloads only every 24 hours. If you know the recipient does have a certificate, force a download of the latest copy of the OAB (Tools, Send/Receive, Download Address Book). You might also need to force a rebuild of the OAB on the Exchange server (which by default is updated each day at 4 A.M.). To force a rebuild, open Exchange System Manager (ESM) and select Recipients, Offline Address Lists. Right-click Default Offline Address List and select Rebuild. You should perform this rebuild before downloading the OAB from the Outlook client.

As with digital signatures, if a message is encrypted, a padlock icon appears on the message header. Click the icon to display more information, as Figure 17 shows.

Q. How can I export and import my private keys from one machine to another?

A. By default, private keys are stored in the requesting user's or computer's certificate store. If you use multiple machines, you might want your private key on multiple machines. To do so, perform these steps:

  1. Start the Microsoft Management Console (MMC) (Start, Run, MMC).

  2. From the File menu, select Add/Remove Snap-in.

  3. Select the Standalone tab and Click Add.

  4. Select Certificates and click Add. Click Close.

  5. Click OK to the main Add/Remove Snap-in dialog box.

  6. Select Certificates, Current User, Personal, Certificates.

  7. In the right pane, right-click the certificate you want to export (e.g., Exchange User) and select All Tasks, Export, from the context menu.

  8. Click Next to the Export Wizard welcome dialog box.

  9. Select "Yes, export the private key" and click Next.

  10. Leave the default export options and click Next.

  11. Enter a password for the export and click Next.

  12. Enter a location and name for the exported key and click Next.

  13. Click Finish in the summary dialog box.

  14. Click OK to the export confirmation dialog box.

Copy the export key file to another machine and perform the following steps to import the key:

  1. Start the MMC console.

  2. From the File menu, select the Add/Remove snap-in.

  3. Select the Standalone tab and click Add.

  4. Select Certificates and click Add, then click Close.

  5. Click OK to the main Add/Remove Snap-in dialog box.

  6. Select Certificates, Current User, Personal, Certificates.

  7. Right-click Certificates and select Import from the context menu.

  8. Click Next at the Import Wizard welcome screen.

  9. Enter the name of the file to import, as Figure 18 shows, and click Next.

  10. Enter the password for the export file and, optionally, select the check box to enable the key to be exportable again in the future. Click Next.

  11. Select the option to store the certificate in the default Personal store and click Next.

  12. Click Finish to complete the import.

  13. Click OK to the import confirmation message. After the import is complete, encrypted messages will be readable on the additional machine.
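The same export and import can be done with the PKI module cmdlets on Windows 8 / Server 2012 or later. This is an added example, not the article's own steps: it exports every S/MIME (Secure Email) certificate with a private key in the user's Personal store to password-protected PFX files, prints each file's hash so the receiving side can confirm it arrived intact, and imports them on the other machine with the private key left non-exportable. The export directory is a placeholder.

```powershell
# Added example: PFX export/import of the user's S/MIME certificates with the PKI module
# cmdlets (Windows 8 / Server 2012 or later). $exportDir is a placeholder path.

$exportDir = 'D:\keys'   # placeholder: removable media that stays with the user
$pwd       = Read-Host -AsSecureString 'PFX password'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# --- On the source machine: export certificate plus private key ---
# Secure Email is the enhanced key usage both the Exchange User and Exchange Signature Only
# templates carry; HasPrivateKey filters out certificates that were only published to us.
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ('Secure Email' -in $_.EnhancedKeyUsageList.FriendlyName) }
if (-not $certs) { throw 'No S/MIME certificate with a private key found in the Personal store' }

foreach ($cert in $certs) {
    $pfxPath = Join-Path $exportDir "$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pwd | Out-Null
    # Record the file hash so the destination can verify the copy before importing it
    '{0}  {1}  {2}' -f $cert.Subject, $pfxPath, (Get-FileHash -Path $pfxPath -Algorithm SHA256).Hash
}

# --- On the destination machine: import into the Personal store ---
# Without -Exportable the private key cannot be exported again from this machine, which is
# the safer choice the wizard's optional check box in step 10 also leaves off by default.
foreach ($file in Get-ChildItem -Path $exportDir -Filter *.pfx) {
    Import-PfxCertificate -FilePath $file.FullName -CertStoreLocation Cert:\CurrentUser\My -Password $pwd |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
    # Remove the PFX once imported so the private key does not linger on disk
    Remove-Item -Path $file.FullName -Force
}
```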

Hot Release (advertisement)

  • Polyserve


Build a Superior Windows File Serving Environment
As the number of file servers and associated storage has grown rapidly, IT organizations have faced multiple challenges related to manageability, scalability, fit within existing infrastructure, availability, utilization and cost. In this free white paper get the tools you need to provide a scalable, highly available CIFS file service using inexpensive, industry-standard servers that can be added to incrementally as demands require - while retaining the management simplicity of a single server and a single pool of exported file systems.
http://www.windowsitpro.com/whitepapers/polyserve/fileserving/index.cfm?code=TThot1205

Events and Resources
(A complete Web and live events directory brought to you by Windows IT Pro: http://www.windowsitpro.com/events )

  • SQL Server 2005: Up & Running Roadshows Coming to Europe!


SQL Server experts will present real-world information about administration, development, and business intelligence to help you put SQL Server 2005 into practice and learn how to use its new capabilities. Includes one-year PASS membership and subscription to SQL Server Magazine. Register now for London, UK and Stockholm, Sweden at
http://www.windowsitpro.com/roadshows/sqlservereurope/index.cfm?code=1214emailannc

  • Upgrade to Analysis Services 2005


Get the tips and tricks you'll need to upgrade to Analysis Services 2005, including possible upgrade and migration scenarios, pre-planning steps, running the new Analysis Services migration wizard, and more. Plus discover what steps need to be completed after the migration process is complete and explore some of the new features of Analysis Services 2005.
http://www.windowsitpro.com/go/seminars/analysisservices/?partnerref=1214emailannc

  • Are You Really Prepared for Disaster Recovery?


tips you need to validate your disaster recovery data. You'll learn if your backup and restore data is worth staking your career on, what type of geo-clustering is right for you, which response to use in crisis situations, and more!
http://www.windowsitpro.com/go/seminars/disasterrecovery/?partnerref=1214emailannc

  • Scripting and codes don't have to be boring.


Subscribe today to Scripting Central and get a down-and-dirty technical, yet lighthearted look at scripts. You'll also get tools for and tips on how to write scripts for a variety of Windows applications, like Exchange and SQL Server. Sign up today!
http://www.windowsitpro.com/email

  • Do You Know What "High Availability" Really Means?


In this free guide learn what high availability really means and the different strategies that you can use to improve your email systems' availability and resiliency. Download this FREE guide now and get prepared to choose the appropriate solutions to protect your messaging data at the lowest cost; with the highest reliability.
http://www.windowsitpro.com/essential/index.cfm?code=1214emailannc

Featured White Paper
(from Windows IT Pro and its partners)

  • Ensure Data Protection and High Availability for Microsoft Exchange


Having a mission-critical, data protection solution that is cost-effective, hardware independent and scalable is something every IT manager should consider. In this free white paper get all you need to know about ensuring data protection and high availability for Exchange. This is one paper you can't afford to miss! Get your copy today at:
http://www.windowsitpro.com/go/whitepapers/NSI/exchange?code=1214emailannc

Announcements
(from Windows IT Pro and its partners)

  • The Windows IT Pro Master CD has it all!


Get the Windows IT Pro Master CD and get portable, high-speed access to the entire Windows IT Pro article database on CD--that's a library of more than 9000 articles! The newest issue includes BONUS Windows IT Tips; sign up now, and you'll SAVE 25%. Offer ends 12/31/05, so take advantage of this holiday offer now.
https://store.pentontech.com/index.cfm?s=1&promocode=eu225cuc

  • Exchange & Outlook Administrator Newsletter - Holiday Special


Need answers to your tough Exchange questions? Subscribe to the Exchange & Outlook Administrator newsletter and SAVE up to $30 off the regular price. Each issue features tools and solutions you won't find anywhere else to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Paid subscribers also get searchable access to the full online exchange article database (over 1000 articles). Order now:
https://store.pentontech.com/index.cfm?s=1&promocode=eu235cue

Contact Us
Here's how to reach us with your comments and questions:

This email newsletter is brought to you by Windows IT Pro, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
https://store.pentontech.com/index.cfm?s=1&promocode=eu205xxb
