From 0a20545bd7e87a5c86c2f4cf704ebe262238effd Mon Sep 17 00:00:00 2001
From: jknudsen
Date: Fri, 26 Jan 2024 09:17:19 +0100
Subject: [PATCH] docs: add note in ESC6 abuse info

---
 .../src/components/HelpTexts/ADCSESC6a/LinuxAbuse.tsx | 9 +++++++++
 .../src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx | 9 +++++++++
 .../src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx | 9 +++++++++
 .../src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx | 9 +++++++++
 4 files changed, 36 insertions(+)

diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/LinuxAbuse.tsx
index 874627307..83ce889f6 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/LinuxAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/LinuxAbuse.tsx
@@ -30,6 +30,15 @@ const LinuxAbuse: FC = () => {
 'certipy req -u john@corp.local -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC6 -upn administrator@corp.local'
 }
+
+ If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+ cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does
+ not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The
+ 'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only
+ be set on computer objects. Computers have validated write permission to their own 'dNSHostName'
+ attribute by default, but neither users nor computers can write to their own 'mail' attribute by
+ default.
+
 Step 2: Request a ticket granting ticket (TGT) from the domain, specifying the certificate created in Step 1 and the IP of a domain controller:
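Review bot: The nine added lines are repeated verbatim in the ADCSESC6a/WindowsAbuse.tsx, ADCSESC6b/LinuxAbuse.tsx and ADCSESC6b/WindowsAbuse.tsx hunks of this patch, so a later wording fix (for instance if the statement about default write access to 'mail' or 'dNSHostName' ever needs revising) has to be applied in four places. A single shared fragment under HelpTexts, e.g. `const EnrollmentNameRequirementNote: FC = () => ( /* the paragraph, in whatever wrapper these files use */ );` rendered as `<EnrollmentNameRequirementNote />` at the same spot in each file, would keep the explanation in one place. The enclosing component bodies begin and end outside these hunks, and the element wrapping the added text is not visible here, so the exact shape of the shared fragment should follow the files' existing markup.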
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx
index 12e36054d..296249a25 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx
@@ -30,6 +30,15 @@ const WindowsAbuse: FC = () => {
 '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestroot\\ForestRootDA'
 }
+
+ If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+ cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does
+ not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The
+ 'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only
+ be set on computer objects. Computers have validated write permission to their own 'dNSHostName'
+ attribute by default, but neither users nor computers can write to their own 'mail' attribute by
+ default.
+
 Step 2: Convert the emitted certificate to PFX format:
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx
index 275e0334c..2c91fa3bf 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx
@@ -33,6 +33,15 @@ const LinuxAbuse: FC = () => {
 'certipy req -u john@corp.local -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC6 -upn administrator@corp.local'
 }
+
+ If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+ cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does
+ not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The
+ 'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only
+ be set on computer objects. Computers have validated write permission to their own 'dNSHostName'
+ attribute by default, but neither users nor computers can write to their own 'mail' attribute by
+ default.
+
 Step 2:
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx
index a9b6f1bef..0d81e85a1 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx
@@ -33,6 +33,15 @@ const WindowsAbuse: FC = () => {
 '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestroot\\ForestRootDA'
 }
+
+ If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+ cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does
+ not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The
+ 'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only
+ be set on computer objects. Computers have validated write permission to their own 'dNSHostName'
+ attribute by default, but neither users nor computers can write to their own 'mail' attribute by
+ default.
+
 Step 2: