SHA-1 Broken, Migrating to SHA-2

SHA-1 is broken, and there is bold moves from Microsoft to move away from SHA-1 after announcing their deprecation plan for SHA-1 on November 2013. If you want to know the whole story about SHA-1 and why it is being phased out by everyone, then read this blog post [PKI Certificate Services SHA-1 Deprecation]

I spent sometime reading and understanding the answer of the following questions:

Moving to a new blog

I am moving to a new blog format, please follow this link to continue reading 🙂

https://blog.ahasayen.com/how-to-migrate-your-certification-authority-hashing-algorithm-from-sha-1-to-sha-2/

What makes a CA capable of issuing certificates that uses SHA-2?

This is the million dollars question:) We are talking about Microsoft Certification Authority Servers here.

  • The short answer is that this depends on the Cryptographic Provider that CA is using. And since each Windows version ships with specific set of providers, you may need to upgrade your CA to a newer version of Windows in order to support SHA-2.
  • Even if you are using a cryptographic provider that supports SHA-2, you need to instruct the CA to use SHA-2 for future signing requests.

Check these posts to help you get more familiar about this topic:

Moving to a new blog

I am moving to a new blog format, please follow this link to continue reading 🙂

https://blog.ahasayen.com/how-to-migrate-your-certification-authority-hashing-algorithm-from-sha-1-to-sha-2/

SHA-2 Support – Migrate your CA from CSP to KSP

 .

In this blog post, I will be talking about [Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP)], inspired from Microsoft TechNet Article talking about the same topic. I will try to give you more information and more examples about this topic, and how this plays big role in your journey to phase out SHA-1 and start using SHA-2

Please read the following topics before continue reading this blog post:

I will not discuss why and when you should migrate from CSP to KSP. However,I will only talk about the steps needed to migrate. After the migration, you can then reconfigure the CA to issue certificates by using the SHA-2 hash algorithm rather than the less secure hash algorithm of SHA-1

Moving to a new blog

I am moving to a new blog format, please follow this link to continue reading 🙂

https://blog.ahasayen.com/how-to-migrate-your-certification-authority-hashing-algorithm-from-sha-1-to-sha-2/


			

Cryptographic Providers: SHA-1 & SHA-2 support

As everyone is talking about phasing out SHA-1 and Microsoft had announced their deprecation plan for SHA-1 already, I would like to dedicate a full blog post to talk about Cryptographic Providers and the role they play when it comes to supporting SHA-2

It cannot be ignored that basic knowledge about this topic is necessary when you phase out SHA-1 in your enterprise and start using/issuing new certificates that uses SHA-2 hash function.

I highly recommend that you read my previous blog post talking about hash functions, and why SHA-1 should be phased out. This blog post shows how to move away from SHA-1 and gradually move to SHA-2.

In Summary, your choice to move away from SHA-1 and start using SHA-2 depends directly on the type of Cryptographic Providers you are using.

 

Moving to a new blog

I am moving to a new blog format, please follow this link to continue reading 🙂

https://blog.ahasayen.com/how-to-migrate-your-certification-authority-hashing-algorithm-from-sha-1-to-sha-2/

PKI Certificate Services SHA-1 Deprecation

So everyone one is talking about SHA-1 and how it becomes less secure hash function. People are talking about a quick phase out and move to more secure alternative. So what’s the story?

I would like to share with you my own thoughts and research in the whole SHA1 being insecure and the need to go to another alternative. I will also talk in future posts about how to migrate your Microsoft PKI to support the new SHA-2 hash function.

But i cannot start talking about how to solve the problem before spending some time analyzing the current situation and talking about some cryptography theories. It is hard to jump to conclusions and solutions if you are not fully aware of the current situation.

 

This blog post is moved to my new blog platform here:

https://blog.ahasayen.com/sha-1-deprecation/

Upgrade your Root CA to Windows 2012 R2 – PKI

I was doing an upgrade for a Certificate Authority Windows Server acting as a stand alone Root CA from Windows 2008 R2 to Windows 2012 R2. The procedure is the same if you are upgrading form previous Windows versions.

To the upgrade, you have to do the following:

  • Backup the old Root CA.
  • Install Certificate Services in a new Windows 2012 R2.
  • Restore the DB, Private Key, and the CertSvc registry key on the Windows 2012 R2 server.
  • Perhaps decommission or destroy the old Root CA.

Backup the old Root CA

Let me say this. A Certification Authority Service is nothing but three components:

  1. The Certification Authority Private Key.
  2. The Certification Authority Database Files (DB and Log) : here is where all issuer and revoked certificate information resides.
  3. The Certification Authority Configuration : This is where all CA settings are preserved, like the CA CDP and AIA locations. The whole configuration is stored in this registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc].

Certificate templates are stored in Active Directory under the Configuration Partition, so no need to worry about them.

 So let us start performing a full backup of the old CA server:

  • Log on to your Root CA, open the Certificate Authority console.
  • Right click the CA name and go to All Tasks> Back up CA..

rootca1

  • Click Private key and CA Certificate and Certificate database and certificate database log. Choose a backup directory
  • You have to protect the exported private key with a password. Enter a strong password. Click Next and you are done.

rootca2

rootca3

  • Now open the registry and Export the following registry: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc.

ROOTCA4

  • It is also a good idea to backup the CAPolicy.inf file located at C:\Windows directory if it exist.
  • Finally, make sure you document the state of the old Root CA, like:
    • Server Name
    • Drives layout
    • Location of the folders where the CA database and logs are stored
  • I also recommend taking Full Server Backup and System State backup to the old Root CA server just in case. System State backup is the best bit for restoring a CA server.

Note: A good way to document the configuration of the CA is to use certutil –getreg command [check this article]. You can output the result in text file if you want by typing:

certutil –getreg  > C:\oldCA_config.txt

certutil

Restore Root CA to Windows 2012 R2

Install Windows 2012 R2 on a new server with same name and drives layout, make sure it is fully patched, and then follow the below steps:

  • If in the old Root CA, you are storing the CA database in C:\DB and the CA DB logs at C:\Logs, then make sure to create these folders in advance on the new Windows 2012 R2 server.
  • It is recommended that drives match. So if you have C and D drives in the old Root CA, make sure you have the same drives on the new Windows 2012 R2 server.
  • Go to Server Manager and Click Add roles and features.

lol1

  • Click Active Directory Certificate Services.

lol2

  • Since this is Root CA, only pick the Certificate Authority role service. Complete the wizard till the end.

lol3

  • Go to Server Manager again, click the flag icon that has a warning sign on it, and choose to Configure Active Directory Certificate Services... .

lol5

  • Select Certification Authority for services to configure.

lol6

lol7

lol8

lol9

  • In this step, you have to choose the old Root CA private key file that you have from your backup.

lol10

  • In the Certificate Database location page, make sure to choose the same location the old Root CA has. Pre-create folders if you are using custom locations.

LOL11

LOL12

  • Now we have installed the Root CA on a new server and the only thing we have restored is the CA Private key.
  • Open the Certification Authority Console. Right click the CA name, and choose All Tasks > Restore CA.. .

Rootca101

  • Choose only Certificate database and certificate database log. No need to choose Private key and CA certificate as this was restored during the installation.

Note: An important note to mention here is the following. If you have clicked Browse and you’ve picked the folder named Database that the Backup wizard in the old Root CA generated before, you will get an ugly error. The restore wizard expects you to choose a folder that contains a sub-folder called DataBase, not to choose the DataBase folder itself.

Rootca102

  • Finally, browse the registry to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, and backup that registry location just in case.
  • Then go to to your backup, copy the registry key backup that you made for the same registry location, right click it and click Merge.

rootca103

  • The registry keys you have merged contains all the CA settings, including the CDP and AIA extensions.  Just to make sure everything is fine, open the CA properties on the new Root CA, and compare them with the old Root CA properties. Pay attention to the Extension tab.

Final Tasks

Finally, I would go and use the Backup CA wizard in the new CA, to backup the private key and database files, and i would also using Windows Backup to take Full Server backup to the new CA just in case. Do not forget to reset the local administrator password and use complex one instead.

As for the old CA, usually it is a virtual machine, i would typically destroy the VM and that’s it.

I want also to recommend this YouTube video that goes through the whole process.

Lync and Exchange Web Service Integration When Using Different Domain [Updated March 2017]

If you are have Microsoft Exchange and Microsoft Lync, then you may find this post interesting. It is about the Lync integration with Exchange Web Services EWS.

Company A:

  • AD Domain : CONTOSO.COM
  • Exchange with SMTP domain : CONTOSO.COM
  • Lync with SIP domain : CONTOSO.COM
  • Split DNS configuration.

Company A acquired a small company and they migrate them fully to their domain. Nevertheless, a couple of people wanted to have Tinkerbell.com as their primary SMTP address for business need.

Now people with Tinkerbell.com as their primary SMTP address, are experiencing strange and broken behavior between their Lync 2013 client, and Exchange web services. People with Tinkerbell.com as their primary SMTP address, still using CONTOSO\username logons, and CONTOSO.COM as their SIP domain.

Lync2013_Exchange_Integration

Solution

Adding TrustModelData Registry Key with value (Tinkerbell.com) to the machines with Lync 2013 client that are experiencing the problem.

The registry key can be applied on a machine level or user level (See the TechNet article):

  • “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\15.0\Lync\TrustModelData” “HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\15.0\Lync\TrustModelData”

There is a group policy to configure this also in the admx/adml files for Office 2013 .  This group policy setting called (Trusted Domain List) and it is mentioned here in this TechNet Article.

Azure Multi-Factor Authenticaion on premise – Tricks updated may 2017

I want to share with you some of the tips and tricks when deploying the Azure MFA on premise. These tips are from my own personal experience of dealing with Azure MFA services.

Tip : SMS Notification – One Way or Two Way

If you are using SMS notification option, then you would notice that a one time password is sent to your phone as an SMS, and you have to reply with another message (this mode is called Two-Way SMS Notification). My comments here are :

  • Extra charges, because the person doing the multi-factor authentication needs to send a message back with the OTP.
  • It is better if you can type the OTP to the browser itself if possible, instead of replying to the SMS.

Although replying with another SMS is completely out of band and more secure option, some may argue that it would better if the OTP could be sent via SMS and then being typed to the application itself (this is called One-Way SMS Notification)

On the MFA on premise server console, the option to choose One-Way  SMS notification is grayed out. You can only choose the Two-Way !

SMS Azure

After searching alot on the web to find a way to activate the One-Way SMS notification, I realized that this is only possible via the Azure Multi-Factor Authentication SDK. The SDK exposes the option of One-Way SMS as seen below:

OTP Azure

This means if you have developed a logon page, you can use the SDK and use the MODE_SMS_ONE_WAY_OTP option there. But what if you want to use the One-Way SMS notification option to secure a VPN connection. You simply cannot because the VPN endpoint will most probably may not support code to be injected to its logon functionality where you can use the SDK.

Update : On Microsoft Technet Forum, asking about Two-Way SMS, and getting this answer:“MFA Server v6.2.2 and older doesn’t have one-way SMS capability. It is being added to v6.3 which is expected to release in Jan 2015. The one-way SMS will work with the ADFS Adapter, RADIUS and the User Portal. In order to work successfully with RADIUS, the system sending the ACCESS request will need to be able to handle an ACCESS CHALLENGE response so that the user can be prompted for the OTP.”

Update: The new version of MFA v6.3 supports SMS_ONE_WAY_OTP as per https://social.msdn.microsoft.com/Forums/en-US/b20d9859-b27e-4918-a370-db79fa7612cc/one-way-sms-otp-in-azure-mfa-server?forum=windowsazureactiveauthentication

Tip: How to use the OTP that is generated from the Azure MFA mobile app

The Azure Multi-Factor mobile app servers two things:

  • Push notification: where you receive a push notification and you can click (Verify), (Cancel), or (Cancel and report fraud).
  • Offline OTP (one time password) that is changed every couple of seconds.

So the question is how to use the offline OTP? I have implemented a solution where I could use the offline OTP. To do this, the user should be configured with OATH Token as shown in the below figure.

oath

I am using Citrix NetScaler as a VPN gateway and i have configured it as RAIUS client and I pointed it to the on premise MFA server as the RADIUS server.

Now when connecting to the Citrix VPN gateway, I am prompted with the user name and password:

NetscalerMFA

After that, I am prompted to enter the OTP:

NetscalerMFA2

I then will open the Azure MFA mobile app, and I enter the OTP that is generated for me offline and keep changing with time:

AzureMobileApp2

Tip: using MFA with Microsoft RRAS as a VPN solution

I used Windows 2012 R2 as my RRAS server to configure a two factor authentication for VPN client. I will be using SSTP as my protocol.

The following configuration are made to NPS:

Configuring the Connection Request Policy to point to the MFA on premise server as the RADIUS server

RRAS_MFA3

Configuring the Network Policy with PAP as the authentication method. Do not be afraid because we are using SSTP (HTTPS) as the VPN tunnel method, so the credentials will be sent over HTTPS.

MFA_RRAS4

Now on RRAS console, configure the authentication method as PAP, and configure a certificate for SSTP:

MFA_RRAS

Finally, to enforce SSTP as the only tunneling protocol, go to Ports node, right click and click Properties, and configure the number of ports as shown below [for all ports except SSTP and PPTP, configure zero ports, and one port for PPTP]

mfa_rras2

Now when a Windows client tries to connect to my RRAS, it should be configured with PAP as the authentication method:

RRAS_MFA_5

When you connect, the PAP credentials will be secured via the SSL tunnel, and then the MFA server will encrypt the credentials before sending them to the one premise MFA server as shown in my trace:

RADIUS Message2

The only thing you should worry about is that the Microsoft VPN client on Windows client will time out quickly before the two factor authentication finishes, a registry hack on the client may solve this issue to extend the time out:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP:MaxConifgure=10

Change this to 60 for example.

Also be sure to change RADIUS timeouts in RRAS to at least 30-45 seconds or you’ll beget an error.

See Also

Azure Multi-Factor Authentication Server Deployment – P2 [Updated March 2017]

Please check part one here:

Azure Multi-Factor Authentication Server Deployment – P1

You can also check the following relevant posts:

The installation of the the on premise MFA server consists of the following:

  1. The installation of the MFA Server and Management console
  2. The installation of three web services:
    1. User Portal
    2. SDK
    3. Mobile App service

The user portal is an IIS site that your users can log on to, and perform many tasks like:

  • Change their mobile number that MFA server will use to perform the second factor authentication. You can configure the MFA server to sync mobile numbers from AD and not allow users to change their mobile numbers via this portal.
  • Set couple of security questions. These questions can be used by an IT Operator to verify the identity of the user, if the user calls the help desk and ask him to change the second factor method ( Mobile App notifications instead of mobile call for example)
  • Activate their mobiles so that they can receive notifications in case of Mobile App options.

The SDK service is used for custom integration with the MFA server and it is a requirement to install if you want to use the mobile app notification feature, as the mobile app service will connect to the SDK IIS virtual directory in order to connect to the MFA server.

The Mobile App Service is the service that mobile apps connects to, in order to submit the verification. This service should be published externally and should resolve to external DNS name.

You can install the portals in different server than the MFA server itself. For simplicity, i will choose to install the MFA server and the three portals in the same Windows 2012 R2 machine.

Installing the MFA Server

I will be using Windows 2012 R2 server for my MFA and portals. Now that you have downloaded the Azure MFA server, run the installation wizard, and click next until it is installed. No conflagration needed at this time.

You can check the hardware and software requirements here.

1

Now open the MFA console and activate the product using the activation keys you obtained from the Azure management portal where you downloaded the MFA server. Make sure the server can connect to internet using http/https for the activation to work. Also make sure the server always can connect to internet using these ports as the server needs to connect to Azure for every authentication request  verification.

2

Installing Azure MFA User Portal

The User Portal is an IIS web site to allow users to enroll in Azure MFA and maintain their accounts. Mainly, users can log on there, and choose if they want the second factor to be a phone call, SMS, or push notification on the mobile app. Also you can give users the ability to change their phone number if you want.

You can install the User Portal in a different server than the MFA server, but for simplicity, I recommend to install all portals on the MFA server itself. Here is a link that can help you with the installation steps for more complex deployments.

You should have IIS installed including asp.net and IIS 6 meta base compatibility for IIS 7 or higher. I choose to install the user portal on the same MFA server. During the installation of the user portal, a security group is created in AD, so make sure the account that is used to install the user portal can create security group in AD.

MFA Pre

MFA PRER2

MFA PRER3

To install the user portal, open the MFA Server management console, go to the User Portal node and check the settings available.

I usually remove the OATH token method because i will not be using it, and also i remove the security questions option, as this seemed a possible way to bypass the security and making it less secure.

MFA User Portal

Now, click Install User Portal. The wizard will tell you that it will create the following:

  • Security group in AD, placed under the built in Users container, called PhoneFactor Admins. 
  • User account called named PFUP_MFAServerName , where MFAServerName is the name of the MFA server.
  • Adds the previously created account to the previously created security group.

Note: do not check the box (Skip automatic Active….). doing that means you have to create the group and user manually.

I also set the PhoneFactor Admins security group as member of the local administrators group in the

MFA_Config2

Next, you be prompted with the IIS web site to use (leave as default), and the virtual directory for the user portal. I usually change this to “Enroll” so that users will browse to https://servername/enroll instead of https://servername/MultiFactorAuth.

MFA Config3

Now open the IIS, you can see the virtual directory called (Enroll). This is where end users will connect to manage their MFA profiles. For me, i also created a certificate and enforce HTTPS for the whole web site.

MFA Config4

Install the MFA SDK 

The SDK should be secured with SSL. Installing it is straight forward. Just open the MFA management console, go to Web Service SDK, and then run the installation. I will install it on the MFA Server itself as we did with the user portal.

MFA Config5

You may need to install Basic Authentication feature before you move on.

MFA Config6

MFA Config7

If you open IIS, you can see the SDK virtual directory.

MFA Config8

Install the MFA Mobile App Web Service

You should install the MFA SDK before proceeding with the MFA Mobile App Web Service. I will install the MFA mobile app web service on the same server also.

To start the installation, go to C:\Program Files\Azure Multi-Factor Authentication, choose the 32 or 64 bit installation file (MultiFactorAuthenticationMobileAppWebServiceSetup64) , and tun the installation file, change the virtual directory if needed.

MFA Config9

MFA Config10

I usually change the virtual directory to something like PA (Phone App) instead of the long default one. Now go to your AD, and reset the account the is created by the wizard during the user portal deployment ( the account that is member of the PhoneFactor admins group).

Now browse to C:\inetpub\wwwroot\PA (or appropriate directory based on the virtual directory name) and edit the web.config file. Enter the user account that you have reset, and the password between the quotes in shown in the below section. It is recommended to use a qualified username (e.g. domain\username or machine\username).

MFA Config11

Next change the URL shown below to your SDK virtual directory. Example is : https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx

MFA Config12

References:

Azure Multi-Factor Authentication MSDN Library

The story of Multi-Factor Authentication and the Azure MFA [Updated Feb 2017]

This blog post is moved to my new blog platform:

 

https://blog.ahasayen.com/azure-multi-factor-authentication-azure-mfa/

https://blog.ahasayen.com/multi-factor-authentication-as-a-service-model/

Server Name Indication (SNI)

The problem:

You have a server with couple of web sites that requires SSL connection on port 443. You want to use only one IP address on that server.

You may think, the server could use the host header to know which web site should receive the request.

The problem though is certificate pickup.

Suppose you have a server called SRV1, with one IP address [10.0.0.1], and the following SSL sites:

When the client tries to connect to http://www.contoso.com, and during the SSL handshake, the client will send HTTPS Hello request to the web server, and at that point, the HTTP headers are not available to the server. Once the SSL handshake is completed, the client will encrypt the headers and send the encrypted HTTP request to the server. So, the server cannot access the HTTP headers during the SSL handshake.

So when the client tries to connect to http://www.contoso.com, the only information available to the server is the IP address and Port. Since the server is hosting two web sites, it has no idea which certificate to use in order to serve the request.

The Solution – SNI:

Server Name Indication (SNI) is an extension to the SSL/TLS protocols that lets an SSL/TLS client (for example, a browser) indicate the exact hostname it tries to connect to at the start of the SSL/TLS handshaking process.

Saying that, during the SSL handshake, the client will send the domain or host name as part of the SSL/TLS handshake, so that the server can select the correct web site and certificate.

Microsoft included SNI support in IIS 8 when adding a new website.

SNI

SNI Supported Clients:

SNI Supported clients

Most hardware load balancer devices like (Netscaler) does not support SNI when connected to the back end service that supports SNI.  Also Andriod Active Sync does not support it as far as i know.

Be Careful

Some applications like Microsoft ADFS 3.0 and Web Application Proxy,  require SNI connections. This may cause problems for clients coming from XP as they do not support SNI.

There is a trick to make this work by configuring an http.sys fallback certificate where IIS will fall back to legacy SSL binding if SNI binding fails.

Check those links link1, link2 and link3 for more details.

Good Read

http://blogs.msdn.com/b/kaushal/archive/2012/09/04/server-name-indication-sni-in-iis-8-windows-server-2012.aspx

http://blogs.technet.com/b/applicationproxyblog/archive/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2.aspx