
Windows Server 2012 R2

The purpose of this page is to maintain a list of known Microsoft hotfixes, patches and known issues related to the Active Directory Certificate Services role. The page will be updated as new releases are made by Microsoft as well as when new issues are identified. You can subscribe to the page to receive automated alerts when the content has changed. If you have any feedback or comments, or notice something that is missing, let us know.


Change Log – Last Updated May 19, 2022

May 19, 2022 – Added KB5014754 – Certificate-based authentication changes on Windows domain controllers.

November 7, 2016 – Moved OCSP Magic Number to Client Issues, Updated Interactive Services Session 0 info for Thales Security World 12.1 Software Release

June 6, 2016 – Added Bug 5298357 about invalid ASN.1 encoding of certificate issuance policy extensions


HotFixes

  • KB 5014754 (CVE-2022-26931 and CVE-2022-23923) – Certificate-based authentication changes on Windows domain controllers. This update addresses an elevation of privilege vulnerability that can occur when the Kerberos Key Distribution Center (KDC) is servicing a certificate-based authentication request. Before the May 10, 2022 security update, certificate-based authentication did not account for a dollar sign ($) at the end of a machine name, which allowed related certificates to be emulated (spoofed) in various ways. Additionally, conflicts between User Principal Names (UPN) and sAMAccountName introduced other emulation (spoofing) vulnerabilities that this security update also addresses.


  • KB 942076 (MSKB Archive) – Error message when you visit a Web site that is hosted on IIS 7.0: “HTTP Error 404.11 – URL_DOUBLE_ESCAPED”
    Note: Delta CRL file names contain a plus sign (+), which triggers this error. ADCS resolves the issue when it is installed on the same machine as IIS. However, if Delta CRL files are hosted on a different computer, the issue applies and must be addressed on that computer.


  • KB 2827759 – A CA does not replace space characters in URL paths for CRL distribution points and authority information access extensions


  • KB 2740017 – PIN dialog box for smart card authentication appears two times when you try to access CA certificates on a computer that is running Windows Server 2008 R2 or Windows Server 2012
    Note: Can also affect some card-based Hardware Security Modules, such as Thales nCipher ACS/OCS card sets.


  • KB 2891347 – A hotfix is available that records more information in event ID 5125 for an OCSP response in Windows Server 2012 and Windows Server 2008 R2 SP1


  • KB 283789 (MSKB Archive) – The Issuer Statement Specified in the Capolicy.inf File Is Not Included in the Issued Certificate. *Though indicated as Windows Server 2000, this article is applicable to all newer operating systems. The issue is relevant only for End Entity certs using certificate templates where the subject info is built from AD.


  • KB 2800975 – “Http error 500.0 – internal server error” error message when generating NDES enrollment challenge password on a NDES server that is running Windows Server 2012.


Known Issues

  • Windows Server 2012 may be affected by “CRL processing causes high CPU usage, heavy network traffic, and service outage”
    Windows Server 2012 was never updated to address the issue originally identified in Windows Server 2008 R2 and fixed there by KB 2831238 (MSKB Archive). The fix is already included in Windows Server 2012 R2, but it was never ported to Windows Server 2012. If you experience this issue, you will need to ask Microsoft to develop a fix specific to Windows Server 2012 RTM.
    Fix: If your environment experiences this issue on Windows Server 2012, contact Microsoft for a targeted fix and reference the existing Bug# 429063.


  • Interactive Services Session 0 Isolation and HSM CSP/KSP
    Beginning with Windows Server 2012, services that run in a different session from the user logged on to the desktop cannot interact with that user. This is due to the Session 0 isolation built into the kernel. It prevents many Hardware Security Module CSPs/KSPs from interacting with users, which is most noticeable when card sets must be presented to authenticate before the CA keys can be accessed. This is a known issue with the Thales nCipher Security World, at least through software version 11.70. Thales is aware of the issue and is working on a fix. More information on Session 0 isolation is available in the Interactive Services article.
    Fix: Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\NoInteractiveServices to the appropriate value and reboot.
    Update: Thales has released Security World version 12.1, which changes the driver model and is no longer affected by this registry key.


  • You cannot enroll in an Online Certificate Status Protocol certificate (CERT_E_INVALID_POLICY)
    Windows Server 2008 through 2012 R2 may be unable to enroll for an OCSP certificate. This is most often caused by a CA in the hierarchy that restricts its Enhanced Key Usage (EKU) to specific OIDs but does not include the OCSP Signing OID (1.3.6.1.5.5.7.3.9). Refer to KB 2962991 for more information.
    Fix: When restricting a CA’s EKU to specific OIDs, the OCSP Signing OID (1.3.6.1.5.5.7.3.9) must be included. No steps are needed when using the default “All Application Policies” configuration.


  • Error when installing a Certificate Authority with PowerShell on a computer or VM without a network adapter
    This issue occurs when installing an offline, standalone Certificate Authority in a VM environment without a network adapter. In this configuration, the PowerShell Install-ADCSCertificationAuthority command results in an error. If a network adapter is present, even if unplugged or disabled, the error does not occur. The problem can occur on Windows Server 2008 or newer, although there are no native PowerShell cmdlets to perform the install prior to Windows Server 2012; custom scripts or PowerShell cmdlets running on those older operating systems could experience the same error.
    Fix: There are three options to work around the error:

    1. Configure the VM guest with a network adapter that is unconnected or disabled. Once the installation is complete, you can remove the network adapter from the VM guest.
    2. Specify the location of the CA database, even if it is the default location, by appending the argument -DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") to the PowerShell command.
    3. Use the Server Manager GUI to perform the installation.


  • Error when installing ADCS on computers with host names longer than 15 characters
    An error condition can occur when the computer name is 16 or more characters long and the network adapter is not connected (such as on an offline CA). While the OS warns that NetBIOS name resolution problems may occur, it does not prevent the use of a long name. When installing the ADCS role on Windows Server 2012/R2, the installation completes successfully, but the secondary step to configure the role causes Server Manager to crash. At this point, ADCS cannot be uninstalled and consequently the computer name cannot be shortened to 15 or fewer characters.
    Fix: Use host names that are 15 or fewer characters. If you have already installed ADCS and experienced this issue, temporarily connect the network adapter so that ADCS can be uninstalled, then change the computer name.


  • Renewing a Root CA certificate and changing the Validity Period with CAPolicy.inf fails
    When renewing a Root CA’s certificate, the validity period of the new certificate is equal to the validity period of the certificate being renewed (since Windows Server 2008). If a different validity period is desired, the RenewalValidityPeriod and RenewalValidityPeriodUnits settings can be placed in CAPolicy.inf to specify a different value for the new certificate. However, ADCS only honors this value if it is equal to or longer than the validity of the certificate being renewed. You cannot configure ADCS to renew a Root CA certificate for a lifetime shorter than the previous certificate.
    Fix: Use certutil -sign to re-sign the certificate with the desired lifetime, add the modified certificate to the CA computer’s personal store and associate it with the private key, update the CA’s registry (CACertHash) and restart the CA.


  • Windows Server sConfig command-line tool allows domain membership and computer name changes even with an ADCS Certification Authority installed.
    When ADCS role services are installed, controls are placed on the server to prevent domain membership and hostname changes; to change either, ADCS must first be uninstalled. This is the behavior experienced when making changes in the Control Panel\System applet. However, when using sConfig (Server Core 2008 R2, or any version of Windows Server 2012+), there are no controls to prevent these changes. Changing the domain membership or computer name can break the functionality of Enterprise CAs and can result in an unsupported configuration.
    Fix: Remove the ADCS role features before using sConfig to change domain membership or the computer host name. Alternatively, on the GUI version of Windows Server, use the Control Panel\System applet.


  • Assume that you install the Network Device Enrollment Service (NDES) role service on a server that is running Windows Server 2012. In this scenario, you receive the following error when trying to get the NDES enrollment challenge password:
    Http error 500.0 – internal server error.
    the page cannot be displayed because an internal server error has occurred.
    Fix: A workaround for this issue is to change the order of the handlers for the Microsoft Simple Certificate Enrollment Protocol (MSCEP) applications in IIS so that the ExtensionlessUrlHandler-ISAPI-4.0_64bit handler comes after the StaticFile handler.


  • Bug 5298357 – Bad ASN.1 encoding of certificate issuance policy extensions
    This is a known Microsoft bug that results in an extra character at the end of URLs in certificate issuance policy extensions. It generally does not cause a problem, but in environments subject to certificate assessments, CABForum compliance or WebTrust audits, or that use tools such as certlint, you may receive errors such as “ERROR: Control character found in String in CertificatePolicies”.
    Fix: The bug affects the parsing of the CAPolicy.inf issuance policy section, for example:
[GKPGEPolicy]
OID=1.3.6.1.4.1.46531.1.1
URL=http://pki.gkpge.pl/pki/cps.htm

And

[Extensions]
2.5.29.32="{text}"      ; szOID_CERT_POLICIES
_continue_ = "OID=1.3.6.1.4.1.46531.1.1&"
_continue_ = "URL=http://pki.gkpge.pl/pki/cps.htm"

The workaround is to specify the extension as hexadecimal. Take an ASN.1 dump of the incorrectly encoded certificate produced by certutil -v -asn, remove the trailing 00 byte from the IA5String URL, then reduce the length of the IA5String and of each enclosing SEQUENCE by one to compensate (the byte counts in the comments below are the uncorrected values from the dump).

[Extensions]
2.5.29.32="{hex}"       ; szOID_CERT_POLICIES
_continue_ = " 30 3d"                                    ; SEQUENCE (3e Bytes)
_continue_ = "    30 3b"                                 ; SEQUENCE (3c Bytes)
_continue_ = "       06 0a"                              ; OBJECT_ID (a Bytes)
_continue_ = "          2b 06 01 04 01 82 eb 43  01 01"
; 1.3.6.1.4.1.46531.1.1
_continue_ = "       30 2d"                              ; SEQUENCE (2e Bytes)
_continue_ = "          30 2b"                           ; SEQUENCE (2c Bytes)
_continue_ = "             06 08"                        ; OBJECT_ID (8 Bytes)
_continue_ = "                2b 06 01 05 05 07 02 01"
; 1.3.6.1.5.5.7.2.1 CPS
_continue_ = "             16 1f"                        ; IA5_STRING (20 Bytes)
_continue_ = "                68 74 74 70 3a 2f 2f 70  6b 69 2e 67 6b 70 67 65" ; pki.gkpge
_continue_ = "                2e 70 6c 2f 70 6b 69 2f  63 70 73 2e 68 74 6d"    ; .pl/pki/cps.htm
; "http://pki.gkpge.pl/pki/cps.htm"
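As an added example (editor's code, not from the page or from PKI Solutions), the Python below builds the same certificatePolicies DER that the {hex} fragment above carries, shows how the stray NUL lengthens the IA5String and every enclosing SEQUENCE by one, and checks an encoding for the control character that certlint flags; it uses only the standard library and the page's sample OID and CPS URL.

```python
# Added example, not code from the page or from PKI Solutions: build the certificatePolicies
# DER for the page's sample OID/CPS URL and detect the stray control character (Bug 5298357).
def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der_tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value
def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # PolicyQualifierId for a CPS pointer (RFC 5280)
def encode_cert_policies(policy_oid, cps_url):
    """SEQUENCE { SEQUENCE { oid, SEQUENCE { SEQUENCE { id-qt-cps, IA5String url } } } }"""
    qualifier = der_tlv(0x30, der_oid(ID_QT_CPS) + der_tlv(0x16, cps_url.encode("ascii")))
    return der_tlv(0x30, der_tlv(0x30, der_oid(policy_oid) + der_tlv(0x30, qualifier)))

def find_ia5_control_chars(der):
    """Walk nested SEQUENCEs; return IA5Strings holding a control character (certlint's error)."""
    found, i = [], 0
    while i < len(der):
        tag, length, i = der[i], der[i + 1], i + 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(der[i:i + n], "big"), i + n
        value, i = der[i:i + length], i + length
        if tag == 0x30:
            found += find_ia5_control_chars(value)
        elif tag == 0x16 and any(b < 0x20 or b == 0x7F for b in value):
            found.append(value)
    return found

def capolicy_hex_lines(der):
    """Render DER as CAPolicy.inf {hex} _continue_ lines, 16 bytes per line."""
    return ['_continue_ = "%s"' % der[k:k + 16].hex(" ") for k in range(0, len(der), 16)]

# Constructed sample input: the OID and CPS URL from the page's CAPolicy.inf fragment.
GOOD = encode_cert_policies("1.3.6.1.4.1.46531.1.1", "http://pki.gkpge.pl/pki/cps.htm")
# The bug appends a NUL to the URL, lengthening the IA5String and every enclosing SEQUENCE.
BUGGY = encode_cert_policies("1.3.6.1.4.1.46531.1.1", "http://pki.gkpge.pl/pki/cps.htm\x00")
```

Running find_ia5_control_chars over the certificatePolicies value of an issued certificate gives the same verdict certlint reports, and capolicy_hex_lines(GOOD) emits the corrected _continue_ lines for CAPolicy.inf.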