Recently our company's IT managers decided to switch from Netscape Navigator to Microsoft Internet Explorer (IE) as the corporate standard for Internet-browser software. Over the years, our users have obtained Web authentication certificates from GlobalSign or other commercial Certificate Authorities (CAs), and they want to use the certificates in IE. How can I port certificates between Netscape and IE?
Before I explain how to port the certificates to IE, let me give you a little background information. You can't use a Netscape-installed certificate in IE (even if you use both browsers on the same machine), because the browsers use different certificate and private-key storage systems. Netscape stores certificates and private keys in its certificate database; IE stores them in the certificate store, which is a protected part of the user's profile. You can, however, export certificates and private keys from the Netscape certificate database and import them into the IE certificate store. Both browsers support a common certificate and private-key interchange format, Public-Key Cryptography Standards (PKCS) #12. (More information about PKCS #12 is available from RSA Security at http://www.rsasecurity.com/rsalabs/pkcs/pkcs-12/index.html.)
You can export your certificate and private key from the Netscape certificate database as follows (these instructions refer to Netscape Navigator 4.5):
- Open Netscape, and select Security Info from the Window menu.
- In the frame in the left pane, click Yours (under Certificates) to bring up the screen that Figure 2 shows.
- Select the certificate that you want to port to IE, then click Export.
- Netscape prompts you for your certificate database password. Enter the password, and click OK.
- The next dialog box prompts you for a PKCS #12 password. PKCS #12 needs a password to encrypt the certificate and private key you're exporting (note that this password is different from the one you entered in the previous dialog box). Enter it, then click OK.
- At the prompt to reconfirm this password, reenter the password and click OK.
- At the prompt, enter a name for the PKCS #12 file, then click Save. If the export process is successful, Netscape displays the message Your certificates have been successfully exported.
To import your certificate and private key into the IE certificate store, follow these steps (these instructions refer to IE 4.0):
- Start the Certificate Manager Import Wizard by double-clicking the PKCS #12 file you exported. Figure 3 shows the Certificate Manager Import Wizard. Click Next to see the path to the PKCS #12 file that you created when you exported your certificate and private key from Netscape (i.e., the file that you double-clicked to start the wizard).
- Enter your PKCS #12 password at the prompt.
- On the same wizard screen, you can select whether you want to enable strong private key protection and whether you want to mark the private key as exportable, as Figure 4 shows. Select Enable strong private key protection, and click Next.
- The dialog box prompts you for another password (this time to protect the private key in the IE certificate store). Enter one, and click Next.
- Choose where you'd like to store this certificate (the default location is your personal certificate store), and click Finish to end the import wizard. If the import process is successful, the wizard displays the message The import was successful.
For other versions of Netscape and IE, minor differences exist in the way the transfer works, but the general approach I explain here remains the same.
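The same two decisions the IE wizard asks for (strong private key protection, and whether the key may be exported again) still exist in the Windows certificate store today, and they can be made from a script instead of the wizard. The following PowerShell is an added example, not code from the original column; it assumes a modern Windows PowerShell session with .NET's X509Certificate2 class, a placeholder file path, and that the PKCS #12 file is the one exported from Netscape as described above. It first inspects the file without importing anything, then imports it into the current user's personal store with the equivalents of the two wizard checkboxes.

```powershell
# Added example (not part of the original column). Assumes Windows PowerShell on a
# current Windows release; the path below is a placeholder for your exported file.
$PfxPath = 'C:\Users\Example\exported-cert.p12'   # placeholder path
$PfxPassword = Read-Host -AsSecureString -Prompt 'PKCS #12 password'

# Inspect the PKCS #12 file before trusting it to the store: subject, issuer,
# validity window, and whether a private key actually travelled with the certificate.
function Get-PfxSummary {
    param([string]$Path, [System.Security.SecureString]$Password)

    # DefaultKeySet loads the key into a temporary container only; nothing is persisted.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey   # $false means the export left the key behind
        Expired       = ($cert.NotAfter -lt (Get-Date))
    }
}

# Import into Cert:\CurrentUser\My (the "personal" store the wizard defaults to).
# -StrongProtection maps to the wizard's "Enable strong private key protection" box:
# UserProtected makes the CSP prompt (and optionally require a password) on each key use.
# -Exportable maps to "Mark this key as exportable"; leave it off unless you must
# move the key again, because an exportable key can be pulled out by anything that
# runs as this user.
function Import-PfxToPersonalStore {
    param(
        [string]$Path,
        [System.Security.SecureString]$Password,
        [switch]$StrongProtection,
        [switch]$Exportable
    )

    $ksf = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
    $flags = $ksf::UserKeySet -bor $ksf::PersistKeySet   # persist the key in the user's profile
    if ($StrongProtection) { $flags = $flags -bor $ksf::UserProtected }
    if ($Exportable)       { $flags = $flags -bor $ksf::Exportable }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    if (-not $cert.HasPrivateKey) {
        throw "The PKCS #12 file contains no private key; the certificate would be useless for authentication."
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadWrite')
    try   { $store.Add($cert) }
    finally { $store.Close() }

    return $cert.Thumbprint
}

# Usage: look first, then import with strong protection and a non-exportable key.
Get-PfxSummary -Path $PfxPath -Password $PfxPassword | Format-List
$thumb = Import-PfxToPersonalStore -Path $PfxPath -Password $PfxPassword -StrongProtection
Get-ChildItem "Cert:\CurrentUser\My\$thumb" | Format-List Subject, HasPrivateKey, NotAfter
```

The inspection step matters because a PKCS #12 file exported without its private key imports cleanly and then silently fails at authentication time; checking HasPrivateKey before the import saves a confusing support call. Once the import is done, delete the .p12 file or move it to protected storage: it holds the private key under nothing stronger than the PKCS #12 password you chose.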
I manage an NT domain that includes several domain controllers (DCs) in different geographical locations. The central hub site that's hosting the PDC is in Paris. Every remote location has at least one BDC that connects to the hub site over a RAS link. When I monitor the secure-channel traffic between the PDC in the hub site and the BDCs in the remote locations, I notice that every time a RAS connection occurs, a full SAM database replication occurs between the central PDC and the remote BDC. How can I force the PDC to initiate only a partial replication instead of a full replication?
In the scenario you describe, when the central PDC and the remote BDC connect and the PDC initiates a security database replication, the number of changes that have occurred since the last replication is bigger than the number of changes that the PDC's Change log can hold. So, the Netlogon service initiates a full replication instead of a partial one. You can modify the Change log size with the ChangeLogSize entry of type REG_DWORD in the HKEY_LOCAL_MACHINE\SERVICES\Netlogon\Parameters registry subkey of your PDC. The default Change log size is 65,536 bytes (64KB). The maximum value is 4,194,304 bytes (4MB). With 64KB of space, the log can hold approximately 2000 security database changes. With 4MB of space, the log can hold approximately 130,000 changes. To apply the new Change log size you set, you must restart your PDC. For a review of how NT security database replication works, see the Web-exclusive sidebar "Understanding the NT Security Database Replication Model."
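Reading and resizing the Change log can be scripted so the change is recorded and reviewable rather than made by hand in the registry editor. The following PowerShell is an added example, not from the original column. It assumes an elevated PowerShell session on the PDC and uses the full registry path HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters (the column abbreviates it); the 32-bytes-per-change estimate is derived from the column's own figures (64KB for about 2000 changes, 4MB for about 130,000), not a documented constant.

```powershell
# Added example (not part of the original column). Run in an elevated session on the PDC.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$DefaultChangeLogSize = 65536      # 64KB, the default the column states
$MaxChangeLogSize     = 4194304    # 4MB, the maximum the column states
$ApproxBytesPerChange = 32         # estimate derived from the column's figures

# Report the current Change log size and roughly how many changes it can hold
# before Netlogon falls back to a full SAM replication.
function Get-NetlogonChangeLogSize {
    $item = Get-ItemProperty -Path $NetlogonKey -Name 'ChangeLogSize' -ErrorAction SilentlyContinue
    $bytes = if ($null -ne $item) { [int]$item.ChangeLogSize } else { $DefaultChangeLogSize }

    [pscustomobject]@{
        Bytes          = $bytes
        Explicit       = ($null -ne $item)                      # $false: default in effect
        ApproxChanges  = [math]::Floor($bytes / $ApproxBytesPerChange)
    }
}

# Set a new size, clamped to the documented maximum, and remind the operator that
# the new size only takes effect after the PDC restarts.
function Set-NetlogonChangeLogSize {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][int]$Bytes)

    if ($Bytes -lt $DefaultChangeLogSize -or $Bytes -gt $MaxChangeLogSize) {
        throw "ChangeLogSize must be between $DefaultChangeLogSize and $MaxChangeLogSize bytes."
    }

    $before = (Get-NetlogonChangeLogSize).Bytes
    if ($PSCmdlet.ShouldProcess($NetlogonKey, "Set ChangeLogSize from $before to $Bytes bytes")) {
        # REG_DWORD, as the column specifies.
        Set-ItemProperty -Path $NetlogonKey -Name 'ChangeLogSize' -Value $Bytes -Type DWord
        Write-Warning 'ChangeLogSize changed; restart the PDC for the new size to take effect.'
    }

    return (Get-NetlogonChangeLogSize).Bytes
}

# Usage: inspect, then raise the log to the maximum for sites behind slow RAS links.
Get-NetlogonChangeLogSize
Set-NetlogonChangeLogSize -Bytes $MaxChangeLogSize -WhatIf   # drop -WhatIf to apply
```

Sizing guidance follows directly from the column's numbers: if the change count between two RAS connections regularly exceeds what Get-NetlogonChangeLogSize reports as ApproxChanges, partial replication can never succeed and every connection will carry a full SAM copy, so the log must be enlarged (or the connections made more frequent) rather than the link tuned.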