Security Basics mailing list archives

Re: PKI Problem
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sat, 13 Mar 2004 07:30:51 -0500

Need more information.

When faced with an unexplainable problem, don't focus on the solution, focus
on isolating the problem. You've got it narrowed down to PKI and IIS so far,
but you need to dig deeper.  Collect as much evidence as you can.

First, check for any error messages in the Event Viewer logs (check them
all), looking for messages occurring around the time the problem occurs.
You may need to go to your
Certificate Services console, right-click on the Server name, choose
Properties, and look for the Auditing tab, and make sure all events are
checked (I'm not sure if this is a feature in W2K Cert. Services).

Second, check IIS logs.  Enable as much logging as you can, and check those
logs.

Third, what has changed on the server between before the problem started and
now?

Now, let's get granular.  Try requesting different types of certificates
different ways.  You want to do two things.  First, find out if the problem
only occurs with IIS involved, so get certs another way.  Second, find out
if there is a particular type of cert causing the problem.

Try creating certificates right on the Certificate Server.  Try creating new
templates, etc.  Is it only when you request certificates that Certificate
Services fails?  Is it only when you use Web Enrollment?  Is it only when
you request a particular type of certificate?  Can you create and revoke a
certificate using the Certificate Services console?  Does it fail on
auto-enroll certificates, but not on manually approved certificates?  Look
in the Certificate Services console under Failed Requests.

Do all that and get back to us.

Roger

********************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE:Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
********************************************************************************

----- Original Message ----- 
From: "Alvey Robert W KPWA" <AlveyRW () kpt nuwc navy mil>
To: <security-basics () securityfocus com>
Sent: Friday, March 12, 2004 11:38 AM
Subject: PKI Problem


I've got a Win2k server running IIS (everything fully patched), that freezes
when I attempt to connect to a PKI site with that server.  It's not the
actual server that freezes, just IIS, and I can just stop IIS and restart it
and everything works fine (until I try the PKI again).

I've tried looking through Technet, but I can't drill deep enough with what
I know of the problem, so I was hoping someone here might have experienced
something similar, or have an idea on how I can fix the problem?




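Added example, not part of either message in this thread: one way to do the log correlation the reply asks for (pull the IIS log entries from around the time the problem occurs), assuming IIS writes W3C Extended logs with the date and time fields enabled. The sample log lines, IP addresses, incident time and UTC offset are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in IIS W3C Extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-03-12 16:20:01
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-12 16:20:01 10.0.0.5 GET /default.htm 200
2004-03-12 16:31:40 10.0.0.7 GET /certsrv/default.asp 200
2004-03-12 16:31:52 10.0.0.7 POST /certsrv/certfnsh.asp 500
2004-03-12 16:58:10 10.0.0.5 GET /default.htm 200
"""

def parse_w3c(text):
    """Yield one dict per request, honouring each #Fields directive.

    Assumes the 'date' and 'time' fields are both being logged.
    """
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for rows below
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["when"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def requests_near(text, incident_local, utc_offset_hours, minutes=5):
    """Requests within +/- minutes of an incident noted in local time.

    W3C Extended logs are written in UTC, while Event Viewer shows local
    time, so the incident time is converted to UTC before comparing.
    """
    incident_utc = incident_local - timedelta(hours=utc_offset_hours)
    window = timedelta(minutes=minutes)
    return [r for r in parse_w3c(text)
            if abs(r["when"] - incident_utc) <= window]

def failures(rows):
    """Subset of rows whose HTTP status is a server error (5xx)."""
    return [r for r in rows if r["sc-status"].startswith("5")]

if __name__ == "__main__":
    # Assumed incident: freeze noticed at 11:32 local time, UTC-5.
    hits = requests_near(SAMPLE_LOG, datetime(2004, 3, 12, 11, 32), -5)
    for r in hits:
        print(r["when"], r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
```

The same window can then be compared against the Event Viewer entries and the Failed Requests list for the matching local time.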

