Enterprise PKI: Key Attestation fails with "Error Cannot Process TPM Attestation"
Hello folks,
I'm trying to set up TPM-protected computer certificates with key attestation.
I've set it up according to Wesh's guides ("Setting TPM protected certificates using Microsoft Certificate Authority"); however, with "key attestation" enabled (either "forced" or "force if supported by client"), issuing the certificate fails with the following error:
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 01.02.2017 11:00:41
Event ID: 22
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: issca.xxx
Description: Active Directory Certificate Services could not process request 25 due to an error:
The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER).
The request was for xxx\client1$. Additional information: Error Cannot Process TPM Attestation
"client1" in the example above is a Win10 v1607 VM with a virtual TPM (Hyper-V host is Win10 v1607); the same error occurs when using a physical machine (tested on a Surface 3 Pro).
I've tested the key attestation types "user credentials" and "endorsement key"; both result in the same error.
When using "endorsement key", I can verify that the PkPubKey hash is correctly available on the issuing CA:
PS C:\> Confirm-CAEndorsementKeyInfo -PublicKeyHash d574ec599d6945c7bf7213f6820f9be4f42d0b8979dea8fa5e6005ac90666666
True
Disabling key attestation in the cert template results in successful requests from the same clients. The issuing CA is a patched (and freshly installed) Server 2012 R2; the whole environment (domain, PKI) is freshly installed (using 2012 R2 servers).
During investigations of the fault I've found a suitable MSFT KB article; it's only available in Google's cache any longer (no links allowed, KB3154769), but I assume it's not relevant (also because the machines are patched).
I'd be thankful for any hints on this issue.
Thanks in advance,
Yours,
Juergen
Hello,
Problem solved: as stated before, the root cause was that the issuing CA certificate did not have any "Issuance Policies" added.
Note that the root CA certificate automatically gets the "All Issuance Policies" OID added (this seems to happen automagically for self-signed certificates). However, since the last few server versions, the "All Issuance Policies" OID is not being "inherited" by CA certificates issued by our root CA, so the issuing CA certificates have the "All Application Policies" purpose but no issuance policies.
As issuance policies need to be valid across the whole certification tree, our CA was not able to issue certificate templates requesting - in this example - the "Endorsement Key Verified" issuance policy.
To get things working, create a %systemroot%\CAPolicy.inf file on the issuing CA with the following content:
[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = False
[AllIssuancePolicy]
OID = 2.5.29.32.0
Now request a new CA certificate and see the "All Issuance Policies" purpose being added to the new CA cert.
Note: documentation on the usage of "issuance policies" is sparse. I *assume* a clean setup would require adding the required OIDs to the CAPolicy.inf file (instead of the "All Issuance Policies" OID); however, as issuance policies are enforced by certificate templates, I do not see a security issue when using the "All Issuance Policies" setting on the CA cert. (--> please correct me if I'm wrong)
After that, the "Endorsement Key Verified" certificate template can be rolled out correctly!
Important update: I've realised the described resolution only works with a Server 2016 issuing CA! The error on the primary Server 2012 R2 based CA remains the same, although using identical settings!
Case closed :)
Yours,
Juergen
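As an added check for the chain condition described in this thread (example code written for this page, not from the original post, from Microsoft, or from the guides mentioned): the script below decodes the Certificate Policies extension (OID 2.5.29.32) from DER and tests whether every CA certificate in a chain asserts either "All Issuance Policies" (2.5.29.32.0) or the specific issuance policy a template requests, which is what the CAPolicy.inf fix restores on the issuing CA. The sample extension blobs are constructed, and the policy OID 1.2.3.4.5.6 is a placeholder, not the real Endorsement Key Verified OID.

```python
ANY_POLICY = "2.5.29.32.0"                          # X.509 anyPolicy = "All Issuance Policies"
CERT_POLICIES_MARKER = bytes.fromhex("0603551d20")  # DER-encoded OID 2.5.29.32 (certificatePolicies)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def policy_oids(der):
    """Policy OIDs asserted by the certificatePolicies extension of a DER
    certificate (a bare extension works too); [] when the extension is absent."""
    idx = der.find(CERT_POLICIES_MARKER)  # assumes these OID bytes occur only as the extension id
    if idx < 0:
        return []
    tag, value, pos = _read_tlv(der, idx + len(CERT_POLICIES_MARKER))
    if tag == 0x01:  # optional BOOLEAN 'critical' precedes the OCTET STRING
        tag, value, pos = _read_tlv(der, pos)
    _, seq, _ = _read_tlv(value, 0)  # OCTET STRING wraps SEQUENCE OF PolicyInformation
    oids, p = [], 0
    while p < len(seq):
        _, info, p = _read_tlv(seq, p)  # PolicyInformation ::= SEQUENCE { policyIdentifier, ... }
        oids.append(_decode_oid(_read_tlv(info, 0)[1]))
    return oids


def chain_supports_policy(chain, required_oid):
    """True only if every CA cert in the chain asserts required_oid or anyPolicy,
    which a template requesting that issuance policy needs from the whole tree."""
    return all({required_oid, ANY_POLICY} & set(policy_oids(c)) for c in chain)


# Constructed sample extensions (not real certificates):
ROOT_CA_EXT = bytes.fromhex("30110603551d20040a300830060604551d2000")        # anyPolicy only
ISSUING_CA_NO_POLICY_EXT = bytes.fromhex("300f0603551d130101ff040530030101ff")  # basicConstraints only
ISSUING_CA_ONE_POLICY_EXT = bytes.fromhex("30120603551d20040b3009300706052a03040506")  # 1.2.3.4.5.6
```

For a real CA certificate exported as DER (a .cer file), `policy_oids(open("issuing.cer", "rb").read())` lists what the issuing CA actually asserts, so the "before" state from this thread shows up as an empty list.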