Month: July 2024
how to solve coding issue
Hello everyone
I have faced a problem in applying a code using my data
I don’t know where is the problem in my code or data?
can anyone help
MATLAB Answers — New Questions
Formatting Data in dlarray for Machine Learning Input
Hello there, I am trying to format my data so that I can input it into my machine learning model. I have input values in XTrain, which is a 1×10 cell containing 3×540 doubles in each cell. This corresponds to the 3 channels, 540 time steps, and the 10 of these are the 10 trials or "batches". When I run the following code below I get a 3(C) × 540(B) × 1(T) dlarray, which is incorrect. I want to be getting a 3(C) × 10(B) × 540(T) dlarray corresponding to the 3 channels, 10 batches/trials, and 540 time steps. Is there a way in which I can fix this, or any suggestions on how I should format my data in XTrain to get the data in the correct CBT format? Any help is greatly appreciated!
% Data dimensions
%numFeatures = 3
%numTimeSteps = 541
%numTrials = 10
Xtrain = Predictors;
Ytrain = Output;
% Convert cell arrays to dlarray format
for i = 1:numTrials
XTrain{i} = dlarray(Xtrain{i}, 'CBT'); % 'CBT' stands for 'Channel', 'Batch', 'Time'
YTrain{i} = dlarray(Ytrain{i}, 'TB'); % 'TB' stands for 'Time', 'Batch'
end
MATLAB Answers — New Questions
Deleting Rows
I would like to delete rows 2-4, 6-8, 10-12, 14-16, etc. in a column. How could this be done easily?
Thank you
Location of icon wrap
I need to know where in Excel do I find the icon “WRAP”?
Spreadsheet to form
How can I make my spread sheet into a fill-in form?
Good evening, I need to report a problem
I have had this computer since last year, and when I go to Settings, for a large part of the items I get a message that says “some of these settings are hidden or managed by your organization”. So it is not the PC, because I previously had the same model and the error did not appear, so I need you to give me a solution, please, and thank you.
Conditional formatting with special characters
Hi, I’m applying conditional formatting-color scales from highest to lowest values for the statistical data below. However, the formatting doesn’t get applied as this contains an asterisk (*) in the range. I would not need to remove the asterisk mark as it is required in my work, and please help how I can still perform conditional formatting with the * mark in the data set.
F value: 57.58***, 22.55***, 20.22***, 15.28***, 226.21***, 208.11***, 2.91*, 37.35***, 57.95***, 19.84***, 17.41***, 7.19***, 73.56***, 4.58**, 145.09***, 61.57***, 14.46***, 33.24***, 51.74***
How do I integrate a DLL generated from Simulink into Excel VBA?
MATLAB Answers — New Questions
Conflict Resolution Behavior Onedrive Rest API
Hi,
Does anyone know how to make a request for uploading a small file (<250MB) with a customized conflict behavior?
In the article, it mentioned:
It seems that it’s feasible to make such a request with customized conflict resolution behavior.
Actually I am using graph sdk to make my life easier. If someone can provide an sdk code example to achieve the request, it would be even better, thanks.
Problem designing 150 MW 115 KV PV power plant
Hi,
I am trying to model a large PV farm with power rating of 150MW and Voltage rating of 115KV. I am taking "400KW grid connected PV Simulink Model" as a reference. The model used average model inverter and boost converter. But I am having a hard time designing the boost converter where I plan to increase the voltage from 500V to 1500V approximately. I observed that the boost converter does not change the voltage above 700V. Can anyone help me with the problem? Or can anyone suggest a better reference model with which I can work? It is crucial to highlight, the main objective is to convert the model to a RT-Lab model.
Thank You in advance.
MATLAB Answers — New Questions
Code problem of SVM in concrete regression
I am doing SVM learning, the code is
[Predict_1,error_1] = svmpredict(tn_train,pn_train,model);
[Predict_2,error_2] = svmpredict(tn_test,pn_test,model); taken from GitHub, but there are problems, mainly for this piece of code after running, it is empty set
MATLAB Answers — New Questions
Code disappeared from App Designer
I have been working in the last months on a software interface in AppDesigner. I’m down to about 11,000 lines of code. Today, when I wanted to update, I opened the application and saw that the code was missing. All callbacks are gone, including StartupFcn. There are only a few lines of code specific to the axes and buttons in the interface.
If I open and run the code it does not work. If I run the mlapp file, it opens and does its job. But I don’t know where the code disappeared. Something like this happened to you ever???
Thanks!
MATLAB Answers — New Questions
How to Output Scans to DAQ but Ignore Digital Outputs
Hello All,
I have a DAQ USB-6003 interfacing with Matlab. I currently have 1 analog input, 1 digital output, and 1 analog output. I understand that I can use ‘write’ command to output to the DAQ. However, because I have a digital output with no clock, it tells me that "on-demand" operations only are available for that channel.
Therefore, if I try to use an MxN scan matrix to send using the ‘write’ command, it throws an error (see image). I am wondering if there is a way to only output to the analog channel(s) and ignore the digital channel.
Thanks
MATLAB Answers — New Questions
Significant loss of performance after move from Access 2016 (32 bit) to Access 365 (64 bit)
Hello,
In absence of SQL Server data repository, I developed an Access application that imports data from various sources and writes it to text files that are then linked so that I can run Excel reports against it. The daily import used to take about 60 to 75 minutes to complete, but since my company moved to Office 365 it is taking more than 8 hours to run completely. I believe that the excess latency is related to running the queries but that is as far as I have been able to get. Some of the queries are pass-through queries and they are slower than before; however, the queries that are taking the longest are those that are running against the linked tables within the database itself. The database and all of the linked text files are located on my local drive, so it isn’t a network issue.
All that said, does anyone have any idea why SQL queries running against locally linked tables take multiple hours to complete in Access 365 (64) when the same queries would run in under 15 minutes in Access 2016 (32)?
Cannot run the compiled application
Hi,
I have a matlab code to analyze signal process. After I compiled the code by using application compiler, I faced an issue like below when I run the compiled .exe file.
"Invalid file identifier. Use fopen to generate a valid file identifier. Error in => main.m at line 194"
The weird thing is that I do not use the fopen function or any files at line 194.
Could you suggest some ways to solve this issue?
Thank you
MATLAB Answers — New Questions
TOC page numbers lists page 1
I am having an issue with Word’s Table of Contents. This file was working correctly until a couple of months ago. I use RD to reference 5 different word documents to create the Table of Contents and use heading styles in the individual documents to control what is listed on the Table of Contents.
As of right now, every heading is being shown as being on page 1 in each document. As seen in the image, this is from page 2 of one of the individual documents but in the TOC document, it shows page 1. Any suggestions on how to fix this?
modern authentication iMac Apple Mail
I deleted my hotmail account, and when I attempt to add it again using the “outlook.com” as indicated in MS support article, there is no choice. The only choice is Microsoft Exchange, is that what I should use?
modern application via web browser not app
I do not use an app for accessing my Outlook email.
I always sign into
https://outlook.live.com/mail/
via my browser, which is Mozilla Firefox. (I do not use Thunderbird email app.)
I don’t download my emails. I only work with them on line.
Does this new method require me to do anything?
calculating tax collected from total
I have a total sales including sales tax. I can’t remember the formula to use to calculate the correct sales tax collected out of that total. been way too long. HELP
Consolidating Windows Active Directory Domain Controller Certificates
Hey, Brent here from the Windows Directory Services team! So, I wanted to share with you some interesting stuff about using one PKI (Public Key Infrastructure) certificate for your Windows Active Directory Domain Controller. It’s simple and can save you many headaches in the long run.
Let me explain what a Windows domain controller is in case you don’t know. It’s a server computer system that controls how devices and users can authenticate to and access a Windows Active Directory domain network. It uses a digital certificate to prove who it is and who its clients are when granting access to the Windows domain. But using different certificates for different things can be tricky and expensive, especially when they need to be changed or revoked. In this document, we will tell you why it is better to set up a Windows domain controller to use one PKI issued certificate instead of many, and how to make the Windows domain controller use one PKI certificate for modern authentication.
Why use one PKI Certificate?
For starters, it makes management a whole lot easier. You only need to request, enroll, renew, and if necessary, revoke one certificate instead of juggling multiple ones used for different purposes. This makes sure that your Windows domain controller can work with new ways of logging in, like smartcards, OAuth 2.0, and Windows Hello for Business (WHfB). Plus, it can save you some cash if you’re using certificates issued from a non-Microsoft Windows Certificate Authority. Let’s also not forget, it is more secure because you only need to protect one private key instead of multiple ones.
What does this one PKI Certificate need?
So, if you want to make a Windows domain controller use only one PKI certificate for modern authentication, you need to get a PKI certificate that has these features:
1. It has a name (Subject Alternative Name) that matches the DNS (Domain Name System) name of the domain. These are added during the enrollment using the MMC or with a custom request.
For Example: Subject Alternative Name
DNS Name=2022DC01.FourthCoffee.com
DNS Name=FourthCoffee.com
DNS Name=FOURTHCOFFEE
2. It can perform digital signature and key encipherment, which are part of the Key Usage (KU) extension. It can do client authentication, server authentication, smartcard logon and KDC (Key Distribution Center) authentication, which are part of the Enhanced Key Usage (EKU) extension. (Note: If you are using Windows Server Enterprise Certificate Authority, you don’t have to worry about these extensions because they are already in the Kerberos Authentication certificate template).
3. It is valid for as long as you need it for your organization.
4. It is issued by a PKI Certificate Authority (CA) that your Windows domain controller and its client systems trust. The certificate template must have an extension encoded with the value of DomainController, encoded as a BMPString. (Note: If you are using a Windows Server Enterprise CA, the extension is already in the Kerberos Authentication certificate template).
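One way to check the four requirements above on a running domain controller, as an added example that is not part of the original article: it reads the computer certificate store and reports, per certificate, which Key Usage bits, EKUs and SAN names are missing. The default expected names and the English "DNS Name=" label are assumptions.

```powershell
# Added example, not from the original article. Run elevated on a domain controller.
param(
    # DNS names expected in the SAN. The defaults are assumptions taken from the
    # local machine: DC FQDN, DNS domain name, and NetBIOS domain name (USERDOMAIN
    # is only correct when the session runs under an account from this DC's domain).
    [string[]]$ExpectedDnsNames
)

if (-not $ExpectedDnsNames) {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $ExpectedDnsNames = @("$($cs.DNSHostName).$($cs.Domain)", $cs.Domain, $env:USERDOMAIN)
}

# EKUs named in requirement 2, keyed by their object identifiers.
$requiredEku = [ordered]@{
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}
# Key Usage bits named in requirement 2.
$requiredKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'

$report = @(foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Enhanced Key Usage: list every required purpose the certificate lacks.
    $ekuOids    = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $missingEku = @($requiredEku.Keys | Where-Object { $_ -notin $ekuOids } |
                    ForEach-Object { $requiredEku[$_] })

    # Key Usage: both bits must be present.
    $kuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $kuOk = [bool]($kuExt -and $kuExt.KeyUsages.HasFlag($requiredKu))

    # Subject Alternative Name (OID 2.5.29.17). Format($true) prints one entry per
    # line in the "DNS Name=<name>" form used in the article's example; the label
    # is localized, so this pattern assumes an English-language OS.
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @([regex]::Matches($sanExt.Format($true), 'DNS Name=(\S+)') |
                      ForEach-Object { $_.Groups[1].Value })
    }
    $missingSan = @($ExpectedDnsNames | Where-Object { $_ -notin $sanNames })

    # Template extension: 1.3.6.1.4.1.311.20.2 (v1 template name) or
    # 1.3.6.1.4.1.311.21.7 (v2+ template information).
    $tmplExt = $cert.Extensions | Where-Object {
        $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } | Select-Object -First 1
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Template      = $template
        KeyUsageOk    = $kuOk
        MissingEku    = $missingEku -join ', '
        MissingSan    = $missingSan -join ', '
        MeetsAll      = ($cert.HasPrivateKey -and $kuOk -and
                         ($missingEku.Count -eq 0) -and ($missingSan.Count -eq 0))
    }
})

$report | Sort-Object NotAfter | Format-List
$compliant = @($report | Where-Object { $_.MeetsAll })
if ($compliant.Count -ne 1) {
    Write-Warning "Expected one certificate meeting all requirements, found $($compliant.Count)."
}
```

Certificates that still report an old template name after consolidation are the ones autoenrollment has not yet superseded.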
How are things set up by default?
Active Directory Certificate Services (ADCS) makes three different kinds of certificates for domain controllers by default: Domain Controller, Directory Email Replication, and Domain Controller Authentication.
1. Domain Controller template (from Windows Server 2000) has EKUs for client and server authentication, and that’s it. The KDC service will use any certificate with the template name of DomainController for smart card logon. All domain controllers are hard coded to automatically enroll for a certificate based on the Domain Controller template if it is available for enrollment at a certificate authority in the forest. Hard coded in this case means it is in the code, it is not configured in any local or domain-based policy. This is one of the few cases where Windows will auto-enroll for a certificate without auto-enrollment being configured in Group Policy.
2. Domain Controller Authentication template has EKUs for client and server authentication as well as smart card logon. This one came with Windows Server 2003 and it can use autoenrollment, which is a version 2 feature.
3. Directory Email Replication template is not for smart card logon purposes, but for sending Active Directory data over email. But almost nobody does that anymore, they use RPC (Remote Procedure Call) instead as the transport method for Active Directory replication, so you don’t really need this one.
The problem is that both the Domain Controller and Domain Controller Authentication certificates are too old to work with the new Kerberos rule that says Key Distribution Centers (KDCs) need to have the KDC Authentication extension. So, Windows ADCS has a newer and better certificate template for use by domain controllers, named Kerberos Authentication. It has everything you need: client and server authentication, smart card logon, and KDC authentication.
When a Windows domain controller discovers a Windows PKI CA in the Windows Active Directory Forest, it will automatically enroll for a certificate using the Domain Controller and Directory Email Replication template, if these templates are published. That means, the domain controller might have at least one computer certificate in its personal store for authentication as a client or a server. So, any certificates that the domain controller already obtained using the old templates need to be replaced by the Kerberos Authentication certificate (or the custom one you made with the same requirements).
How to configure the Kerberos Authentication Template?
When using a Windows PKI Enterprise CA, you can consolidate the Windows domain controller certificate as follows:
1. Log on to a Windows Enterprise CA and open the Certificate Authority management console using Server Manager and select Tools -> Certificate Authority.
2. Expand the Windows Enterprise CA object, right-click on the Certificate Templates folder and then select Manage.
3. Find and open the Kerberos Authentication template by right-clicking on it and select Properties.
4. Configure the validity and renewal periods in accordance with your organizational requirements. (Bear in mind that you cannot extend past the lifetime of the CA’s certificate).
5. Select the Superseded Templates tab and add the Domain Controller, Domain Controller Authentication, and Directory Email Replication templates and any other custom domain controller templates to the list.
6. Click the Apply button and then the OK button to exit the template properties page.
Remember, supersedence is used when you want to replace certificates that have already been issued with a new certificate with modified settings.
Certificate Template supersedence is used by the certificate autoenrollment component only. When you do manual enrollment and/or existing certificate renewal, supersedence is not considered and requires the exact template to request/renew.
7. To ensure the above superseded templates (Domain Controller, Domain Controller Authentication and Directory Email Replication) are not shown as available during certificate enrollment, delete them from the enterprise CA servers by selecting each template under the Certificate Templates folder, then right-clicking it and selecting Delete.
Remember, you are not deleting the template object from the configuration partition in AD, you are only removing it from being published on the Issuing CA.
8. Next, you will either need to wait for Windows Active Directory replication to complete or manually initiate replication to ensure the template changes are updated to all the Windows Active Directory domain controllers and available to all the Windows Server Enterprise CAs within the Windows Active Directory Forest. (NOTE: manual replication can be initiated by opening a command prompt as administrator on a Windows domain controller and running the command: repadmin /syncall).
9. Once Windows Active Directory replication is complete, the Kerberos authentication template must be published on the Windows Server Enterprise CAs.
10. To issue the template, right-click on the Certificate Template folder, select New and then Certificate Template to Issue.
11. Select the Kerberos Authentication or your custom certificate template from the list of Enabled Certificate Templates.
12. The Kerberos Authentication template is now available for the Windows domain controllers to enroll for a new domain controller certificate. (Note: you can restart the CA service to reduce the time for template availability.)
Now that the template is published, is there anything else you need to know before you attempt to enroll?
The Kerberos Authentication template is a special template. After a request to enroll is submitted to the CA, the CA is required to make an RPC call back to the domain controller. It does so to validate the NetBIOS and DNS domain name of the domain controller via RPC calls. These calls require the CA to communicate back to the domain controller over ports 135 and 445. The validation is required because the template has the following two flags set:
CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS = 0x400000 (4194304)
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS = 0x8000000 (134217728)
Certificate Name Flag Attribute Details
The following article details the processing rules that are applied to the flags in this attribute: Certificate Name Flag Processing Rules
For the purposes of this article, we are only concerned about the rules shown below:
1. If the CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS flag is set, the CA SHOULD:
The CA SHOULD retrieve a handle for the information policy using the LsarOpenPolicy method ([MS-LSAD] section 3.1.4.4.2 ), with the SystemName parameter set as the dNSHostName attribute from the requestor’s computer object, all fields of the ObjectAttributes set to NULL, and the DesiredAccess parameter set to POLICY_VIEW_LOCAL_INFORMATION.
The CA SHOULD obtain the requester’s computer DNS Domain Information by using the LsarQueryInformationPolicy method ([MS-LSAD] section 3.1.4.4.4), with the PolicyHandle parameter set to the value obtained in the previous step, and the InformationClass parameter set to PolicyDnsDomainInformation.
2. The CA MUST add the value of the Name and DNSDomainName field in the returned DNS Domain Information from the previous step to the subject alternative name extension of the issued certificate.
3. If the CT_FLAG_SUBJECT_ALT_REQUIRE_DNS flag is set, the CA MUST add the value of the dNSHostName attribute from the requestor’s computer object in the working directory to the subject alternative name extension of the issued certificate. For this, the CA MUST invoke the processing rules in section 3.2.2.1.2 with input parameter EndEntityDistinguishedName set equal to the requester’s computer object distinguished name and retrieve the dNSHostName attribute from the returned EndEntityAttributes output parameter.
References to LsarOpenPolicy and LsarQueryInformationPolicy mean the API calls are made directly to the computer that is sending in the certificate request. This is where the RPC call is being made from the CA back to the domain controller. Keep in mind, it is more than likely going to be a 445 port connection when using these Lsar calls and not specifically RPC 135/Dynamic ports. Lastly, this check does require NTLMv2 to be enabled on the domain controller for port 445/SMB. If NTLMv2 is not enabled, it will fail connecting back to the domain controller even if the ports are opened.
The documentation that shows MS-LSAD calls communicate over SMB is: [MS-LSAD]:Transport
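A pre-enrollment check for the callback described above, as an added example that is not from the original article: run on the issuing CA, it reads the template's name flags from Active Directory and probes the two ports the article names. The -DomainController parameter and the template CN KerberosAuthentication are assumptions to adjust for your environment.

```powershell
# Added example, not from the original article. Run on the issuing CA before the
# domain controller enrolls.
param(
    [Parameter(Mandatory)]
    [string]$DomainController,                        # FQDN of the enrolling DC (you supply it)
    [string]$TemplateName = 'KerberosAuthentication'  # assumed template CN; use your custom template's CN if different
)

# Name-flag values quoted in the article.
$CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS = 0x400000
$CT_FLAG_SUBJECT_ALT_REQUIRE_DNS        = 0x8000000

# Read msPKI-Certificate-Name-Flag from the template object in the configuration partition.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = [adsisearcher]"(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
$searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$template = $searcher.FindOne()
if (-not $template) { throw "Template '$TemplateName' was not found in Active Directory." }

$nameFlags      = [int]$template.Properties['mspki-certificate-name-flag'][0]
$needsDomainDns = ($nameFlags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS) -ne 0
$needsHostDns   = ($nameFlags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_DNS) -ne 0

# Test the ports the article names for the CA-to-DC callback.
$portTests = foreach ($port in 135, 445) {
    $probe = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Reachable = $probe.TcpTestSucceeded }
}
$rpcOk = ($portTests | Where-Object { $_.Port -eq 135 }).Reachable
$smbOk = ($portTests | Where-Object { $_.Port -eq 445 }).Reachable

[pscustomobject]@{
    Template           = $TemplateName
    NameFlags          = '0x{0:X8}' -f $nameFlags
    RequireDomainDns   = $needsDomainDns   # triggers the LsarOpenPolicy / LsarQueryInformationPolicy calls
    RequireDnsHostName = $needsHostDns     # filled from the dNSHostName attribute in the directory
    DomainController   = $DomainController
    Port135Reachable   = $rpcOk
    Port445Reachable   = $smbOk
} | Format-List

if ($needsDomainDns -and -not $smbOk) {
    Write-Warning "Template requires the domain DNS callback, but $DomainController is not reachable on TCP 445; enrollment is expected to fail."
}
if ($needsDomainDns) {
    Write-Host 'Reminder: an open port does not prove the callback will work; NTLMv2 must also be enabled on the domain controller.'
}
```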
What is the takeaway?
You now know why it’s better to use one PKI certificate instead of many for your Windows domain controller, and how to make your Windows domain controller use one PKI certificate for modern authentication in a Windows PKI setup. By doing these things, you can make your life as a Windows Administrator easier and your Windows domain controllers safer.
Brent Crummey
Microsoft Tech Community – Latest Blogs