Signing Tomcat CSR with Microsoft ADCS

by on 08.Mar, 2011 under Active Directory, Windows

Today I got a request to sign a Tomcat server with our Microsoft PKI. After some trial and error I could not get the server to sign the certificate with the standard templates, Web server or Code Signing.

After some searching on the web I found a solution: use the Subordinate Certification Authority template. This is not ideal but it works. So anyone out there getting errors like

The certificate is not valid for the requested usage. 0x800b0110

can use the Subordinate CA to sign the certificate in question.

If you have a better solution please post a comment.
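
A certificate issued from the Subordinate Certification Authority template carries Basic Constraints with CA set to TRUE, so it helps to confirm what the signed certificate actually asserts before it goes onto the server. The PowerShell below is an added example, not part of the original post; the function name `Get-CertUsageProfile` and the file path are assumptions, and the certificate is assumed to have been exported to a .cer file.

```powershell
# Added example: summarise the usage-related extensions of a signed certificate.
function Get-CertUsageProfile {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $isCA = $false; $pathLen = $null; $canSign = $false; $ekus = @()
        foreach ($ext in $Certificate.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
                # Basic Constraints: is the subject allowed to act as a CA?
                $isCA = $ext.CertificateAuthority
                if ($ext.HasPathLengthConstraint) { $pathLen = $ext.PathLengthConstraint }
            }
            elseif ($ext -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]) {
                # Key Usage: keyCertSign is what lets a key sign other certificates
                $canSign = $ext.KeyUsages.HasFlag(
                    [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign)
            }
            elseif ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                # Enhanced Key Usage: collect the OIDs the certificate is limited to
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        $serverAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
        if ($isCA) {
            $finding = 'CA certificate (Basic Constraints CA=TRUE): can issue further certificates'
        } elseif ($ekus.Count -gt 0 -and $ekus -notcontains $serverAuth) {
            $finding = 'EKU present without Server Authentication'
        } else {
            $finding = 'End-entity certificate; Server Authentication not excluded by EKU'
        }
        [pscustomobject]@{
            Subject     = $Certificate.Subject
            Issuer      = $Certificate.Issuer
            IsCA        = $isCA
            PathLength  = $pathLen
            KeyCertSign = $canSign
            EKU         = $ekus -join ', '
            Finding     = $finding
        }
    }
}

# Constructed usage: the path is a placeholder for the exported, signed certificate.
$path = '.\tomcat-signed.cer'
if (Test-Path $path) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $path).Path |
        Get-CertUsageProfile | Format-List
}
```

The same function accepts certificates from the pipeline, so `Get-ChildItem Cert:\LocalMachine\My | Get-CertUsageProfile` reviews everything in a machine store.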


Unable to use Active Sync / direct push on Exchange 2010

by on 24.May, 2010 under Active Directory, Exchange Server

We had some trouble with users not being able to sync their mail, contacts and calendar to their mobile phones. The configuration works, but when the synchronization starts we get an entry in the local log: “Error in Exchange Server”.

Checking the logs on the Client Access server pointed me to look at permissions and it seems like some accounts have disabled the inherited security rights. This is the problem since Exchange can’t access the account information.

To check this, use Active Directory Users and Computers and open the user in question. Open the Security tab and press Advanced. In the window that opens you should see the “Include inheritable permissions from this object’s parent” option. If it’s not selected your Active Sync will fail.


Hope this shortens someone’s troubleshooting session.


Setting up SSL-VPN in a Windows Server 2008 environment

by on 28.Oct, 2009 under Active Directory, Remote Access, VPN, Windows

In this two-part series we will look at setting up SSL-VPN using Windows Server 2008. At the end of the next part you will be able to configure a Windows Vista or Windows 7 client to connect to the corporate network using SSL-VPN (SSTP). To test this scenario you need some previous knowledge of Windows Server System and Active Directory in particular. We will be using Active Directory to log on to the VPN and to control user access. If you, like me, don’t feel like testing in a production environment, you can set this lab up in a Virtual PC or Virtual Server environment. I will not be going through setting up Windows Server 2008 AD DS in this article. I expect you to have your domain up and running. To run this lab you will need the following

(more…)

2 comments

Using restricted groups in Active Directory

by on 21.Oct, 2009 under Active Directory, Group Policy, Windows

Using restricted groups is something very simple and still for many very confusing. Using restricted groups you can delegate administration or other roles to certain groups without giving these groups administrative rights to your Active Directory.

As an example, let’s say you have a helpdesk working in your company. For them to work as efficiently as possible they might need to log in as Administrators to a client computer to fix various problems. Sometimes (read: most times) you don’t want your helpdesk having domain-level administrative rights because they might, even unknowingly, mess something up in your production domain. To deal with this we use Restricted groups. Restricted groups are provided by Active Directory group policies; they give us a way to centrally drop certain Active Directory groups into computers’ local groups, yes, computer local groups. They don’t have to be administrative groups; they might be anything from backup users to Power Users.

(more…)

6 comments