Ask a question

Search Forums:

• Search Security Forum
• Search All Windows Server Forums
• Search All Microsoft TechNet Forums

 

Certificates/Group Policy corruption issue (XPSP2/2003R2/Enterprise CA)

• Monday, October 26, 2009 8:09 PMSD Dietz

   
  

  0

  Sign In to Vote

  Systems
  Server OS - Windows 2003 R2
  Root CA OS- Windows 2003 Enterprise Root
  Desktop Systems OS - Windows XP SP2 (Global Standardized Build enforced with SCCM and Group Policy)
  SCCM 2007 SP1 R2
  Active Directory - Single Forest
  Patch level - Current to September 2009

  User Account Rights 
  Least Privilege by design - User accounts are standard Users with Domain Privileges.

  Scenario and Situation
  All users (~23K) have auto-enroll/renewal certificates used for authentication, EFS and internal S/MIME from internal CA
  There is a small group of users out of 7000 total who have their Certificate Store corrupted. These 7000 make up a portion of the field base staff, These 7000 are unique in the following ways. There are about 40-60/year who experience this problem.
  
  1. They are totally field based.
  2. They rarely if ever complete a standard login process from their standardized XP builds. The Juniper VPN connection uses
  the User Certificate and AD credentials for authentication.
  3. All AD password changes are completed through a manual process and notification does not utilize the standard domain expiry notifcation
  4. All group policy is enforced via either a scripted GPUPDATE /Force or normal policy updates.

  Symptoms and indicators
  +The problem does not become evident until the certificate is up for renewal. The certificate does not autorenew. The device can ping the CA but cannot manually renew.
  +Review of GPResult and Policy logs indicate Group Policy enforcement failure
  +In some instances, the Globally Recovery Agent (DRA) is missing from some of the files encrypted with the user certificate. This renders the Global Recovery Certificate useless.
  +In some instances, the User certificate disappears and must be reapplied from the CA. Once applied, the certificate store must be repaired using CertUtil and the private key reassociate with the public key.
  +In some instances, the User certificate disappears and cannot be reapplied from the CA or repaired using CertUtil. This renders all files which do not have a DRA associated unaccessible.
  +In many instances the new User certificate provisioned disappears after applied. Certificate store repair using CertUtil does not work either.

  Existing Solution and work around.
  1. Decrypt all files possible
  2. Move user to duplicated new profile with new decrypted files
  3. In some instances, the only solution is deletion of NTUser.dat and allow new creation of profile
  4. Have user continue work.
  
  Comment: If the user logs in to the network even on a irregular basis, 90-180 days, the problem is not found

  Assumed cause:
  The indicators are a corrupt delivery or implementation of Group Policy.

  Requested assistance:
  + Help identify the trigger which may cause certificate store corruption and/or Group Policy corruption.
  + Identify options other than certutil -repairstore for certificate store resolution
  + Identify options of reapplying GRC/DRA when it is absent from a EFS encrypted file. NOTE: In all instances, the file was encrypted with a Root CA provisioned cert, and the certificate store private key associate with the provisioned cert is missing.
  
  Core question which I think I know the answer: Is it a difference how Group Policies are applied during login vs. general update? Or am I missing something?
  
  Any Suggestions gladly accepted.

  • Reply
  • Quote