IKE authentication credentials are unacceptable

The error looks a little bit different from our routers side:

oct/16 10:50:55 ipsec,error identity not found for peer: DER DN: CN=1114XXXXX,C=,ST=,L=,O=,OU=,SN=1114XXXXX

There might be multiple certificates installed to your machine and Windows is unable to select the proper certificate for authentication (If you didn’t install any certificates in your computer the above error is most likely not related to this article. Please follow the original setup of your VPN tutorial to complete this step). But don’t worry this is easy to fix. We can pin a certificate authority (CA) that has signed a certificate to a specific VPN connection.

First we need to have the CA certificate as a file on the clients machine. You can either export the CA-certificate from the computers certificate store (certmgr.exe) or you can download the file from your router or the location you have created the CA-Certificate, server-certificates and user-certificates.

Second step is to pin the CA-certificate to our VPN connection. Open PowerShell (do not open as “Administrator” since we want to set the certificate pinning in user context) and type in the following (please make sure you replace the VPN name and path to CA-certificate):

Set-VpnConnection -Name "My VPN" -MachineCertificateIssuerFilter 'C:\CA-files\my-ca.cer'

After you have completed the above steps your VPN should start working.

Der Beitrag IKEv2 VPN with routerOS and Windows 10/11: IKE authentication credentials are unacceptable erschien zuerst auf MEB-IT | Blog.

But how can we make sure we have not been exploited by that vulnerability? Microsoft has released a script for local Exchange installations as well for Exchange Online/ Microsoft 365.

This blog post shows how to use the Script to identify potential malicious mails in M365.

First we need to start Powershell as administrator. After that we install the AzureAD module:

PS C:\Users\Administrator> Install-Module AzureAD

Powershell will then ask if the module should be installed from an external source. Please select Yes (Y) here.

Next, we need to install the Exchange Online module:

PS C:\Users\Administrator> Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.1.0

Powershell will then ask again if the module should be installed from an external source. Please select Yes (Y) again.

The script used in the following step can be downloaded from here.

Now we need to create an AzureAD application, which is needed to check the mailboxes:

PS C:\Users\Administrator\Downloads> .\CVE-2023-23397.ps1 -CreateAzureApplication

Depending on the Powershell configuration, it may be necessary to confirm again that the script may be executed. You can either chose (M) or (A). I recommend chosing M.

A new window will open to log in to M365 as a global administrator or application administrator.

If your output is similar to the following creating the helper application has worked:

CVE-2023-23397 script version 23.03.15.2119

Prompting user for authentication, please minimize this window if you do not see an authorization prompt as it may be in the background

Adding user adminuser@yourtenant.com as owner of CVE-2023-23397Application

Setting Azure AD Permissions

Assigning Necessary Azure AD Service Roles
Application created with required permissions. Client ID: xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

After this step we now can start the investigation. We need to connect to Exchange Online first:

PS C:\Users\Administrator\Downloads> Connect-ExchangeOnline

You might need to re-authenticate at this point to M365. (I did not need to log in again at this step)

And then we can start the Powershell script to search for malicious files (If you selected (M) when running the script for the first time, you must confirm execution again now):

PS C:\Users\Administrator\Downloads> Get-Mailbox -ResultSize Unlimited | .\CVE-2023-23397.ps1 -Environment "Online"

At this point it is mandatory to authenticate again. Output should be similar to the following:

CVE-2023-23397 script version 23.03.15.2119
Trying to find Microsoft.Exchange.WebServices.dll in the script folder
Microsoft.Exchange.WebServices.dll wasn't found - attempting to download it from the internet

Prompting user for authentication, please minimize this window if you do not see an authorization prompt as it may be in the background

Waiting 60 seconds for app credentials to register..

Continuing...
Scanning 1 of 16 mailboxes (currently: mailbox1@yourtenant.com)
Scanning 2 of 16 mailboxes (currently: mailbox2@yourtenant.com)
Scanning 3 of 16 mailboxes (currently: mailbox3@yourtenant.com)
Scanning 4 of 16 mailboxes (currently: mailbox4@yourtenant.com)
Scanning 5 of 16 mailboxes (currently: mailbox5@yourtenant.com)
[...]
Scanning 16 of 16 mailboxes (currently: mailbox16@yourtenant.com)
No vulnerable item found

Do you have feedback regarding the script? Please email ExToolsFeedback@microsoft.com.

I hope you will see the same output as I do. The script also supports deleting affected files. For more information please look at Microsofts script documentation.

After checking the mailboxes, we no longer need the AzureAD Helper Application. To delete the application just run the following command:

PS C:\Users\Administrator\Downloads> .\CVE-2023-23397.ps1 -DeleteAzureApplication

You have probably already guessed: First you have to allow the script again and thereafter you have to authenticate to Microsoft 365 a last time

I hope the explanation helped you to check your tenants. Feel free to let me know if it worked or if you had any problems with it.

Der Beitrag Howto check your M365/Exchange Online environment for messages exploiting CVE-2023-23397 erschien zuerst auf MEB-IT | Blog.

First you need to download the packages from MikroTiks Download page. You need to download the appropriate package for your devices architecture. In my case I am using a RB4011 running routerOS 7.7. In this case I need to look at column ‘7.7 stable’ and row ‘ARM’.

If you don’t know the architecture of your device, there are several ways to find out:

• Check ‘/system resource print’ in Winbox or CLI and check the ‘cpu’ field
• Open MikroTiks product matrix and search for your device

After you have downloaded the correct file, open the zip archive and extract the package you want to install. Next, the unzipped file must be uploaded to the router. Either upload it via Winbox or CLI (e.g. scp or ftp) to your device. After the file has been uploaded, just reboot your device.

After the devices has been rebooted, the package is installed automatically. You can check this via ‘/system package print’ in CLI or Winbox as well as the routers log:

[admin@rtr-01] > /log pr
 12:27:10 system,info installed wifiwave2-7.7
 12:27:10 system,info router rebooted

Thats all – you are done and the package has been installed!

Der Beitrag Howto install extra-packages in MikroTik routerOS 7 erschien zuerst auf MEB-IT | Blog.

You will most likely notice this, when your Update only gets downloaded until 95% and even after waiting multiple hours nothing changes. If you stopped and restarted the download, it will directly move up to 95% and stay there.

After rebooting the affected machine you will most likely be greeted by the errorcode 80070570.

Many older posts on technet and other sources for general errors with windows update recommend deleting/renaming the windows update catalog folder. In this situation the solution is much more easy:

• Check your machine for SSU KB5018922. If it is already installed, move to the next step. If it is missing, please download it manually from the update catalog and install it by hand: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5018922
• Next step is to install the missing KB5022352 manually: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5022352

We tested the above procedure with multiple machines and it seems to solve the errorcode 80070570. Please let me know if that solved the problem for you as well.

Der Beitrag Server 2012r2 / Windows 8.1 KB5022352 error 80070570 erschien zuerst auf MEB-IT | Blog.

The Group Policy Object can be set on the following path: Computer configuration -> Administrative Templates -> Windows Components -> Windows Update -> Windows Update for Business. The template is called Select the target Feature Update version.

Unfortunately the Group Policy is outdated on Server 2019 and 2022 and is missing the option “Which Windows product version would you like to receive feature updates for”. Since Windows 10 and Windows 11 have the same names for their Feature Updates, we need this option to make sure, we are staying on Windows 10. In Server 2016 we are missing the GPO is even missing completly.

To get the full options available we need to update our Admx-Templates. You can download the newest version (as of 2022-05-27) from here.

The Admx-Templates need to be extracted to a local file location. After the files have been extracted, open Explorer and navigate to the path: C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update (21H2). Copy the folder “PolicyDefinitions” and paste it to the following UNC-path: \\domain.local\sysvol\domain.local\Policies.

After the files have been copied, open the group policy editor and once again navigate to the path Computer configuration -> Administrative Templates -> Windows Components -> Windows Update -> Windows Update for Business and open the Template “Select the target Feature Update version“.

We need to enter “Windows 10” into the first box and “21H2” into the second box.

Please note: As soon as you want your PCs to upgrade to a newer Feature Update than 21H2 you need to change the value in this GPO. Otherwise the PCs will stay on 21H2.

After the clients have rebootet they should not show any signs of Windows 11 anymore.

Block Windows 11 Upgrade on a single computer without domain

With help of the GPO we can even tell a single computer to not upgrade to Windows 11 (and stop showing us the Windows 11 Upgrade stuff in Windows Updates and in our Taskbar). Just open “gpedit.msc” from Windows Search and navigate to the path Computer configuration -> Administrative Templates -> Windows Components -> Windows Update -> Windows Update for Business and open the Template “Select the target Feature Update version“.

Similar to the GPO for domains we need to enter “Windows 10” in the first and “21H2” into the second box. One reboot later the Windows 11 Upgrade information should be gone.

Der Beitrag Howto: Block Windows 11 Upgrade via GPO erschien zuerst auf MEB-IT | Blog.