Thursday, September 10, 2015

[FIM] Setup PCNS (Password change notification service) for FIM


1         Referral links

2         Configuration steps

2.1        Install PCNS on DC (perform only once)

Download Microsoft Password Change Notification Service from:

On the DC, extract the downloaded file and run the following command from a command prompt (the setup cannot be run by double-clicking the msi file directly).

Unblock the msi file first.

msiexec /I "Password Change Notification Service.msi" SCHEMAONLY=TRUE

A dialog like the one below appears; click Next to install the service.

Or you can run it with PowerShell.

- PowerShell unattended script:

# Path to the downloaded (and unblocked) installer
$MSIPCNSFile = "Password Change Notification Service.msi"
# Schema-only pass: extends the AD schema silently and writes a verbose log
Start-Process msiexec.exe -ArgumentList "/i `"$MSIPCNSFile`" SCHEMAONLY=TRUE /q /L*v C:\pcnslog.txt" -Wait

A restart of the DC is required.

- In my case I needed to run the installer a second time, without SCHEMAONLY, to complete the PCNS installation:

msiexec /I "Password Change Notification Service.msi"

- PowerShell unattended script:

# Second pass: installs the PCNS service itself, silently, with a verbose log
$MSIPCNSFile = "Password Change Notification Service.msi"
Start-Process msiexec.exe -ArgumentList "/i `"$MSIPCNSFile`" /q /L*v C:\pcnslog.txt" -Wait

A restart of the DC is required.
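As an added example (not the post's own script), the two installer passes above can be driven by a single script that reads msiexec's exit code instead of guessing whether a reboot is needed. It assumes the unblocked MSI is in the current directory, that C:\ is writable for the log, and PowerShell 3.0 or later for Unblock-File; exit code 3010 is msiexec's standard ERROR_SUCCESS_REBOOT_REQUIRED.

```powershell
# Added example, not the post's own script. Usage on the DC:
#   .\Install-Pcns.ps1 -Pass Schema     (once per forest, then reboot if asked)
#   .\Install-Pcns.ps1 -Pass Service    (installs the PCNS service itself)
param(
    [Parameter(Mandatory)]
    [ValidateSet('Schema', 'Service')]
    [string]$Pass
)

$MsiFile = Join-Path (Get-Location) 'Password Change Notification Service.msi'
if (-not (Test-Path $MsiFile)) { throw "Installer not found: $MsiFile" }

# Remove the Zone.Identifier mark of a downloaded file (the manual "unblock" step)
Unblock-File -Path $MsiFile

# SCHEMAONLY=TRUE only extends the AD schema; the second pass installs the service
$extra = if ($Pass -eq 'Schema') { 'SCHEMAONLY=TRUE' } else { '' }
$log   = "C:\pcns-$($Pass.ToLower()).log"

# /qn = fully silent, /L*v = verbose log (same switches as the post's scripts)
$msiArgs = "/i `"$MsiFile`" $extra /qn /L*v `"$log`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0    { Write-Host "$Pass pass completed; no reboot required." }
    3010 { Write-Warning "$Pass pass completed; reboot the DC before continuing (exit code 3010)." }
    1641 { Write-Warning "$Pass pass completed and msiexec initiated a reboot (exit code 1641)." }
    default {
        # Anything else is a failure; the verbose log says why (e.g. not run on a DC, not a schema admin)
        throw "$Pass pass failed with exit code $($proc.ExitCode); see $log"
    }
}
exit $proc.ExitCode
```

Running the schema pass first and the service pass only after the reboot it asks for mirrors the two-step sequence the post describes; the exit code tells you which of the two situations you are in.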

Validate ServicePrincipalName between Synchronization Service Account and PCNS Configuration Data

- On the source Domain Controller, open an administrative command prompt (right-click Command Prompt and select Run as Administrator).

- Change directory to %programfiles%\Microsoft Password Change Notification:
cd "c:\program files\Microsoft Password Change Notification"

- In the command prompt, type the following and then press ENTER:
pcnscfg list > pcnscfg.txt

- In the command prompt, type the following and press ENTER:
setspn -L <DOMAIN NAME>\<SYNCHRONIZATION SERVICE ACCOUNT> > spn.txt


- Review both text files and make sure that the ServicePrincipalName (SPN) registered on the domain synchronization service account matches the Service Principal Name line in the PCNS configuration exactly.

If they do not match, you may need to rebuild the configuration, or modify it so that the SPNs match.

Note: in some cases you will receive the following error:

Password Change Notification Service received an RPC exception attempting to deliver a notification.

The password change notification target could not be contacted.

User Action:
The target server may not be running. Verify that the target server is running.

Additional Details:

PCNS Status is 1722 - The RPC server is unavailable.

In that case you need to rejoin the domain (and verify that the old DNS records are deleted as well).
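The manual comparison of the two text files above can be scripted. The following is an added example, not part of the original post, and it makes two assumptions about output formats: that pcnscfg.exe list prints a "Service Principal Name: <spn>" line per target (the line the post tells you to look at), and that setspn -L prints the registered SPNs one per indented line. Adjust the regular expressions if your output differs.

```powershell
# Added example (not from the original post): compare the SPN that PCNS will
# authenticate to against the SPNs registered on the synchronization service account.
param(
    [Parameter(Mandatory)] [string]$Domain,             # e.g. CONTOSO
    [Parameter(Mandatory)] [string]$SyncServiceAccount  # e.g. svc-fimsync
)
$pcnsDir = Join-Path $env:ProgramFiles 'Microsoft Password Change Notification'

# SPNs PCNS is configured with (one "Service Principal Name:" line per target, assumed format)
$pcnsSpns = & (Join-Path $pcnsDir 'pcnscfg.exe') list |
    ForEach-Object { if ($_ -match 'Service Principal Name\s*:\s*(\S+)') { $Matches[1] } }

# SPNs actually registered on the account in AD; skip the header and blank lines
$accountSpns = & setspn.exe -L "$Domain\$SyncServiceAccount" |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^[A-Za-z0-9]+/' }

if (-not $pcnsSpns)    { throw 'No targets configured in PCNS (pcnscfg list returned no SPN line).' }
if (-not $accountSpns) { throw "No SPNs registered on $Domain\$SyncServiceAccount." }

foreach ($spn in $pcnsSpns) {
    # -contains is case-insensitive in PowerShell, which is what we want for an SPN comparison
    if ($accountSpns -contains $spn) {
        Write-Host "OK       $spn is registered on $SyncServiceAccount"
    } else {
        Write-Warning "MISMATCH $spn is not registered on $SyncServiceAccount; notifications will fail with an RPC/authentication error"
        Write-Host "Fix with: setspn -a $spn $Domain\$SyncServiceAccount"
    }
}
```

Run it on the DC after step 2.3 as well, since that is where the /S value of the target is set; a mismatch found here is the usual cause of the 1722 error quoted above.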

2.2        Configure SPN

Run the following command on the DC:
setspn -a PCNSCLIENTNAME/<fqdn of your FIM server> <domain>\<FIM service account>
Example:
setspn -a PCNSCLIENTNAME/<fqdn of your FIM server> <your service account>

2.3        Add PCNS client

Run the following command on the DC. The /S value must be exactly the SPN registered in step 2.2:
pcnscfg.exe addtarget /N:PCNSCLIENTNAME /A:<fqdn of your FIM server> /S:PCNSCLIENTNAME/<fqdn of your FIM server> /FI:"<name of the PCNS Active Directory group>" /F:3

Example:
pcnscfg.exe addtarget /N:miisdemo /A:fab-dev-01.usergroup.fabrikam.com /S:PCNSCLNT/fab-dev-01.usergroup.fabrikam.com /FI:"Domain Users" /F:3

To verify that PCNS has been configured properly for the target, run the command "pcnscfg list".

The configuration of the password change notification service is now finished: every time a password is changed in AD, the FIM server is notified, and we need to handle that event by configuring the MA in FIM.
A restart of the DC is required.

2.4        Verify

To verify that PCNS is working, try resetting the password of a user. Then open the Event Viewer; if the process was successful, a 2100 event is logged:
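The verification step above can be automated end to end. This is an added example, not the post's own code; it assumes the RSAT Active Directory module is available on the DC, that PCNS writes to the Application log under the provider name PCNSSVC, and that pcns-test is a throwaway test account created for this purpose.

```powershell
# Added example (not from the original post): reset the password of a dedicated
# test account and wait for PCNS to log event 2100 (notification delivered).
Import-Module ActiveDirectory
$testUser = 'pcns-test'    # assumed throwaway test account
$since    = Get-Date

# Generate a random password in memory; it is never stored or echoed
$bytes = New-Object byte[] 18
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ('Aa1!' + [Convert]::ToBase64String($bytes)) -AsPlainText -Force

Set-ADAccountPassword -Identity $testUser -Reset -NewPassword $newPassword

# Poll the Application log for up to 60 seconds for the success event
$deadline = $since.AddSeconds(60)
$evt = $null
do {
    Start-Sleep -Seconds 5
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'PCNSSVC'; Id = 2100; StartTime = $since
    } -ErrorAction SilentlyContinue | Select-Object -First 1
} until ($evt -or (Get-Date) -gt $deadline)

if ($evt) {
    Write-Host "PCNS delivered the notification at $($evt.TimeCreated):"
    $evt.Message
} else {
    # Whatever PCNS logged in the window (e.g. the RPC 1722 error described above) is the diagnosis
    Write-Warning 'No event 2100 within 60 s; PCNS events logged since the reset:'
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'PCNSSVC'; StartTime = $since } -ErrorAction SilentlyContinue |
        Format-Table TimeCreated, Id, LevelDisplayName -AutoSize
}
```

On failure the script lists every PCNS event since the reset rather than only the missing 2100, which is what you need to tell an SPN mismatch from a target that is simply down.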

3         FIM Configuration

Note: in the instructions below, "your MA" means the MA for which you are developing the password synchronization functionality.

3.1        Create AD MA

Create AD MA to import users from AD into FIM.

3.2        Create MV extension

Create MVExtension.dll to synchronize users from AD MA to your MA.
Reference: IST.Sybase and Powershell connector.

3.3        Configure MAs

First, go into FIM and open the Options menu. Enable the Password Synchronization functionality.

On the Active Directory MA, edit the properties and enable Password Sync Source. Select your MA as the target. The picture below shows the PowerShell MA.


3.4        Run Export

Run an Export on your MA. If you don't run an Export, FIM will consider that the users in your MA haven't been synchronized, so it will not call the SetPassword method.

3.5        Verify

Reset the password of a user in AD.
Using Visual Studio, attach to the FIM process and verify that SetPassword in the connector gets called.

[AD] Configuring OCSP for AD

1.    CREATE OCSP

In this blog I will discuss the installation and configuration of OCSP.
OCSP stands for Online Certificate Status Protocol and was first described in RFC 2560. Without OCSP, a client (or application) checks revocation by reading the CRL; the disadvantage is that the entire CRL is then downloaded by the client, which is not always desirable. With OCSP the client queries the revocation status instead: it sends a request for a certificate to the OCSP server, the OCSP server checks the CRL and sends a response status back to the client. The response can be:

  • GOOD: The certificate is valid;
  • REVOKED: The certificate is revoked;
  • UNKNOWN: It is an unknown certificate.
The OCSP also returns the expiration date of the certificate. Based on the returned information the client can take the appropriate action.

Preparation

Before you can install OCSP you will have to prepare a number of things:

  •  You need an IIS server. In this blog I will use my Sub CA, which already has IIS on it.
  •  The CA must have an OCSP certificate template.
  •  The URL of the OCSP responder should be included in the AIA extension of all CAs.

AIA extension

We start by entering the OCSP information into the AIA extension.

  • Open the Certification Authority Console and select the CA server
  • Right-click, properties
  • Select Extensions
  • Under Select Extension choose AIA
  • Select: http://<yourserver>/cdp/<CaName>.crt
  • Select: Include in the online status protocol OCSP extension
  • Restart the service
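The same AIA configuration can be applied from the command line on the CA instead of through the console. This is an added example, not from the original post. It assumes the flag values certutil uses for CACertPublicationURLs (1 = publish the CA certificate to this location, 2 = include the URL in the AIA extension of issued certificates, 32 = include the URL in the OCSP extension) and the variables %1 = server DNS name, %3 = CA name, %4 = certificate name; <yourserver> is a placeholder for the OCSP/IIS host.

```powershell
# Added example (not from the original post): set the AIA publication list on the CA.
# Note: -setreg replaces the whole list, so include every location you want to keep.
$ocspHost = '<yourserver>'   # placeholder: FQDN of the IIS host serving /cdp and /ocsp

$aia = @(
    "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt",  # local copy of the CA cert
    "2:http://$ocspHost/cdp/%1_%3%4.crt",                      # AIA: where clients fetch the CA cert
    "32:http://$ocspHost/ocsp"                                 # OCSP: the Online Responder URL
) -join '\n'   # certutil expects a literal \n between REG_MULTI_SZ entries

certutil -setreg CA\CACertPublicationURLs $aia

# The CA service must be restarted for the new extension values to take effect
Restart-Service CertSvc

# Show the stored list; each line should carry the flag value set above
certutil -getreg CA\CACertPublicationURLs
```

Only certificates issued after the restart carry the new AIA; the certutil -url check later in this post is the way to confirm it on a freshly issued certificate.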

Template

The second preparation step is the OCSP certificate template.

  • Open the Certification Authority
  • Select Certificate Templates
  • Right-click, Manage

  • Select OCSP Response Signing, Action, Duplicate Template
  • Select General and specify the template name


  • Select Security
  • Add the computer or computers on which the OCSP service will be installed.
  • Give the OCSP computer(s) Read and Enroll right.


Now close the Template Manager and add the template to the list of Certificate Templates


In addition, I created a new template duplicated from the Web Server template, named "AdditionIT Webserver" (the Web Server template itself can also be used). The configuration for this template is the same as for OCSP Response Signing:
-       On the Security tab, add the DC computer with the Enroll permission.

Installation

We will now add the OCSP role:

  • Select AD CS
  • Scroll to Roles and Features
  • Under Tasks, Add Roles and Features
  • Press Next
  • Press Next
  • Add the Online Responder
  • Press Add Features
  • Press Next
  • Press Next and then Install
When the setup has finished, the OCSP role is installed.

Configuration


  • Start the OCSP console through Tools, Online Responder Management
  • Select Revocation Configuration
  • Add Revocation Configuration
  • Press Next
  • Give the configuration a name and press Next
  • Choose “Select a certificate for an Existing enterprise CA”
  • Press Next
  • Press Browse and select The Sub CA
  • Press Next
We just made a template for OCSP. We will use this template to create a certificate for OCSP.


Press Next
Press Finish
OCSP is configured and running.
If you get the error "ocsp bad signing certificate on array controller", try the following:
-       Reinstall OCSP
-       Go back to the Revocation Configuration pane, right-click the revocation configuration you created (in this case Test) and then click Edit Properties.
-       On Windows Server 2003, run the following command on the CA (it allows the CA to issue the OCSP No Revocation Checking extension, OID 1.3.6.1.5.5.7.48.1.5, in the signing certificate):
certutil -v -setreg policy\EnableRequestExtensionList 1.3.6.1.5.5.7.48.1.5
-        A Properties for Revocation Configuration: Test pane opens. Three tabs are available. Click the Signing tab.
-        Uncheck the Do not prompt for credentials for cryptographic operations check box and click OK.

In the AIA configuration step, in my case I configured the OCSP URL as http://<ServerDNSName>/ocsp and the URL for the .crt file as http://<ServerDNSName>/CertEnroll/[yourfilecrt].crt.
-       Remember to select the checkbox "Include in the AIA extension of issued certificates".
2.    TEST

Now I'll create a new website in IIS to test the Online Responder using Internet Explorer.

1.       Open Internet Information Services Manager from Start, Administrative Tools.
2.      Click your server in the Connections pane, make sure Features View is selected in the central pane, and double-click Server Certificates.
3.      Select Create Domain Certificate under Actions in the right pane.
4.      In the Common Name box, enter the Fully Qualified Domain Name (FQDN) of the web server (in this case, the same machine as the CA, windc1.ad.contoso.com) and enter information for the rest of the fields as appropriate. Click Next to continue.
5.       Click Select to the right of Select Online Certificate Authority, choose your CA from the list and click OK.
6.      Under Friendly name, enter the FQDN of the server again and click Finish.
7.       Right click your server under Connections and select Add Web Site from the menu.
8.      Name the site TEST and set the physical path to c:\inetpub\wwwroot. Change the binding type to HTTPS and select the SSL certificate you just created from the drop-down menu, as shown in Figure 8. Click OK to continue.

Figure 8.
Before I try to access my new site using a secure channel, I'll check that the certificate issued by the CA contains the URL for the Online Responder.

1.       In the Certificates MMC, find the new certificate generated for IIS under Certificates (Local computer), Personal, Certificates.
2.      Right-click the certificate and select All Tasks, Export.
3.      Follow through the export wizard, leaving all the default options, and save the certificate as certificate.cer to a convenient location.
4.      Open a command prompt in the directory where you saved the exported certificate and launch the URL Retrieval Tool by typing
certutil -url certificate.cer
5.       In the Retrieve section of the tool in the bottom right corner, select OCSP (from AIA) and click Retrieve. If the certificate contains a URL for the OCSP Responder, it should display as Verified, as shown in Figure 9.

Figure 9.
Now I'll use Internet Explorer to access the TEST website and check the CryptoAPI logs to see if OCSP is used to successfully provide revocation data about the certificate.

1.       Type eventvwr into Start Search on the Start menu and press Enter.
2.      In the left pane, expand Applications and Services Logs, Microsoft, Windows, CAPI2. Right-click Operational under CAPI2 and select Enable Log from the menu.
3.      Open Internet Explorer and type https://windc1.ad.contoso.com/ in the address bar.
4.      Right-click Operational in Event Viewer and select Refresh from the menu. In the central pane, look for Event ID 90 (X509 Objects). Double-click the event and, on the Details tab under UserData, you should be able to find information about the OCSP response, as shown in Figure 10.


Figure 10

Figure 10 shows that OCSP has determined our certificate is OK (OCSP_BASIC_GOOD_CERT_STATUS), and information about when this data was generated and the next time it will be updated.
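The three checks above (AIA contains the OCSP URL, revocation is checked online, CAPI2 event 90 records an OCSP response) can be run from one script. This is an added example, not the post's own code. It assumes certificate.cer is the exported IIS certificate from the earlier steps (placeholder path), that the CAPI2 Operational log has already been enabled as described, and that CryptoAPI's text rendering of the AIA extension labels the OCSP access method with its OID 1.3.6.1.5.5.7.48.1 and lists the location as URL=....

```powershell
# Added example (not from the original post): verify OCSP end to end on a client.
param([string]$CertPath = '.\certificate.cer')   # placeholder: the exported certificate

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# 1. Pull the OCSP URL out of the Authority Information Access extension (OID 1.3.6.1.5.5.7.1.1).
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if (-not $aia) { throw 'Certificate has no AIA extension; no OCSP responder can be located.' }
# Format($true) renders one "[n]Authority Info Access" block per access description;
# keep only the blocks whose access method is the OCSP OID and read their URL.
$ocspUrls = ($aia.Format($true) -split '(?m)^\[\d+\]') |
    Where-Object { $_ -match '\(1\.3\.6\.1\.5\.5\.7\.48\.1\)' } |
    ForEach-Object { if ($_ -match 'URL=(\S+)') { $Matches[1] } }
if ($ocspUrls) { $ocspUrls | ForEach-Object { Write-Host "OCSP responder in AIA: $_" } }
else           { Write-Warning 'No OCSP URL in AIA; revocation checking will fall back to the CRL.' }

# 2. Build the chain with an online revocation check. CryptoAPI uses OCSP when the AIA names one.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$since = Get-Date
$valid = $chain.Build($cert)
Write-Host ("Chain valid: {0}" -f $valid)
# Any status here (e.g. Revoked, RevocationStatusUnknown, OfflineRevocation) is the reason it failed
$chain.ChainStatus | ForEach-Object { Write-Host ("  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim()) }

# 3. Confirm from the CAPI2 log that the revocation data came back over OCSP (event 90, X509 Objects).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 90; StartTime = $since
} -ErrorAction SilentlyContinue
$ocspEvents = @($events | Where-Object { $_.ToXml() -match 'OCSP' })
if ($ocspEvents.Count -gt 0) {
    Write-Host "CAPI2 logged $($ocspEvents.Count) X509 Objects event(s) containing OCSP data; statuses seen:"
    [regex]::Matches($ocspEvents[0].ToXml(), 'OCSP_BASIC_\w+') | ForEach-Object { $_.Value } | Select-Object -Unique
} else {
    Write-Warning 'No OCSP data in CAPI2 event 90 since the chain build; check that the log is enabled and which revocation source was used.'
}
```

A revoked test certificate (as in the next section) should make step 2 report Revoked while step 3 still shows an OCSP status constant; if step 2 reports RevocationStatusUnknown or OfflineRevocation instead, the responder was not reachable and the AIA URL from step 1 is the first thing to check.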

OCSP Limitations


OCSP support from all the major public CAs allowed certificate revocation checking to be enabled in Internet Explorer for the first time in Windows Vista, providing a greater level of trust when surfing the web. While OCSP doesn't offer a solution for those working offline to check certificate revocation status, it enables checking in situations where slow connections may have ruled out certificate revocation checking altogether in the past. Online Responders, while only benefiting smaller organizations in specific scenarios, can help large PKIs scale out and make them more responsive.
3.       Test verification from a client
Go to CA -> Issued Certificates -> right-click the certificate -> Revoke Certificate
Go to CA -> right-click "Revoked Certificates" -> All Tasks -> Publish
A restart of the DC is required.
From the client:
-          Send a new OCSP request (using the PKI library):
' Requires at the top of the file: Imports System.Security.Cryptography.X509Certificates
' and the namespace of the PKI library that provides OCSPRequest/OCSPResponse.
Dim store As New X509Store(StoreName.My)
store.Open(OpenFlags.[ReadOnly])

' Load the certificate(s) to check from the PFX file named in the text box
Dim certificates As New X509Certificate2Collection()
certificates.Import(txtFile.Text, "Niteco2015", X509KeyStorageFlags.PersistKeySet)

'Close certificate store
store.Close()

'Retrieve selected certificate
If certificates.Count = 0 Then
    'the user has cancelled choosing a certificate
    Return
End If
Dim certificate As X509Certificate2 = certificates(0)

' Build an OCSP request for the certificate and send it to the responder named in its AIA extension
Dim request As New OCSPRequest(certificate)
Dim response As OCSPResponse = request.SendRequest()
If response.Responses(0).CertStatus = CertificateStatus.Revoked Then
    ' Revoked: the response also carries the revocation date
    Dim r = response.Responses(0).RevocationInfo.RevocationDate
End If