Windows Server - AD RMS
Asked By AJ
26-Oct-09 08:44 PM
Hi Folks
New to RMS and seen some conflicting information.
Do we need a Certificate Authority (Internal PKI) to utilise RMS?
I did not think RMS utilised X509 certs but have read some conflicting
information or misunderstood it!
Is it just an SSL cert for the RMS server that is required as a best
practice to secure RMS client traffic to the RMS server itself, and in
that case we could utilise a third-party commercial CA, couldn't we?
TIA
AJ
Tags: SecurityIt, Attacks, Certs, PKI, TLS, SSL
AJ replied to AJ
Think I've just answered my own question:
SSL / TLS Security
It is recommended that Secure Socket Layer / Transport Layer Security
(SSL/TLS) is used to provide server authentication and data encryption
for the users connecting to the AD RMS server. SSL is not required but
it is highly recommended in order to encrypt traffic over the wire. If
SSL is not used, the traffic will be in clear text. This will protect
the client from man-in-the-middle attacks and ensure the
confidentiality of any data collected during the card management
workflows. It is required for ADFS.
SSL requires that your server have a valid SSL certificate installed
for the Web site. The required Web Server certificates may be issued
by the customer's PKI itself or purchased externally. When planning
the solution deployment you should consider how these certificates
will be made available to the AD RMS servers.
Thanks anyway!
AJ
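The quoted guidance says the AD RMS web site needs a valid SSL certificate, that clients otherwise talk cleartext, and that the certificate can come from an internal PKI or a commercial CA. The check an administrator would want after deployment is whether the cluster URL the clients are given really is HTTPS, and whether the certificate presented there chains to something the clients trust and matches the cluster name. The script below is an added example, not code from the thread or from Microsoft; it uses .NET's SslStream from PowerShell 5 or later to perform the handshake a client would and reports the result. The cluster name rms.contoso.com is an assumption; substitute your own. It does not touch AD RMS itself, only the TLS endpoint.

```powershell
# Added example (not from the original post): probe the TLS endpoint behind an
# AD RMS cluster URL and report what an RMS client would see. The host name
# rms.contoso.com used in the usage lines below is an assumption.
function Test-RmsTlsEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ClusterUrl,
        [int]$ExpiryWarningDays = 30
    )

    $uri = [System.Uri]$ClusterUrl
    if ($uri.Scheme -ne 'https') {
        # A cluster URL registered as http:// means every licensing and
        # certification exchange between client and server is cleartext.
        return [pscustomobject]@{
            Host = $uri.Host; Port = $uri.Port; Tls = $false; Trusted = $false
            Finding = "Cluster URL scheme is '$($uri.Scheme)'; RMS pipeline traffic would be cleartext"
        }
    }

    # Record validation errors instead of aborting the handshake, so the report
    # still shows the certificate the server actually presented.
    $state = @{ PolicyErrors = [System.Net.Security.SslPolicyErrors]::None }
    $closure = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        return $true
    }.GetNewClosure()
    $validator = [System.Net.Security.RemoteCertificateValidationCallback]$closure

    $tcp = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
    $ssl = $null
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $validator)
        # The DNS name of the cluster URL is what the client checks the cert against.
        $ssl.AuthenticateAsClient($uri.Host)

        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'   # also exercises CRL/OCSP reachability
        $chainOk     = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        $errors       = $state.PolicyErrors
        $nameMismatch = ($errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0
        $daysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays

        $findings = @()
        if (-not $chainOk) { $findings += "chain not trusted by this machine ($chainStatus)" }
        if ($nameMismatch) { $findings += "certificate name does not match $($uri.Host)" }
        if ($daysLeft -lt $ExpiryWarningDays) { $findings += "certificate expires in $daysLeft days" }
        if ($ssl.SslProtocol -in 'Ssl2', 'Ssl3', 'Tls', 'Tls11') {
            $findings += "negotiated $($ssl.SslProtocol); disable legacy protocols on the server"
        }
        $finding = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }

        [pscustomobject]@{
            Host     = $uri.Host
            Port     = $uri.Port
            Tls      = $true
            Protocol = $ssl.SslProtocol
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Trusted  = ($chainOk -and $errors -eq [System.Net.Security.SslPolicyErrors]::None)
            Finding  = $finding
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Usage (assumed cluster name): the first call reports on the certificate,
# the second flags the cleartext configuration without connecting.
Test-RmsTlsEndpoint -ClusterUrl 'https://rms.contoso.com' | Format-List
Test-RmsTlsEndpoint -ClusterUrl 'http://rms.contoso.com'  | Format-List
```

Run it from a domain-joined client rather than from the RMS server: Trusted reflects the certificate store of the machine running the script, so a certificate from an internal CA that validates on the server can still fail on a workstation that never received the root. That is the practical difference between the two issuance options the quoted text mentions: an internal CA has to be distributed to every client (Group Policy does this for domain members), while a commercial CA is usually already trusted, including on unmanaged or external machines.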
