[Bug?] How to specify client certificate used for HTTPS source-initiated subscription for windows event forwarding (WEF)?

MaxPowell 15 Reputation points
2023-03-02T10:35:06.01+00:00

Hi!

Basically I'm trying to reach an answer to this same question asked in the following post: https://learn.microsoft.com/en-us/answers/questions/255709/windows-event-forwading-https-selecting-client-cer?page=1&orderby=Helpful#answers

I followed the tutorial regarding setting up the source initiated subscription where the event collector is not part of the domain: https://learn.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription#setting-up-a-source-initiated-subscription-where-the-event-sources-are-not-in-the-same-domain-as-the-event-collector-computer

It worked on my test machine and events are being forwarded. The problem is that when I implement the configuration on a server with several certificates in the 'Personal' store, the Event Forwarding feature gives me an Event ID 104:

<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859093" Machine="CONTOSO"><f:Message>The WinRM client cannot process the request. The enhanced key usage (EKU) of the certificate is not configured with the 'Client authentication' value. Try the request again with a certificate with the correct EKU</f:Message></f:WSManFault>."

Obviously, the Event Forwarding process is selecting one of the certificates of the Personal store that does not have the 'Client authentication' EKU implemented. If I run the following command, where I can specify the client certificate thumbprint that the machine must use, everything runs smoothly and I am able to retrieve the configuration:

winrm g winrm/config -r:https://<Event Collector FQDN>:5986 -a:certificate -certificate:"<Thumbprint of the client authentication certificate>"

I have been looking for any option to specify the certificate thumbprint that the Event Forwarding process has to use for the client authentication, but there is no option. Basically, it runs a query, selects the first certificate available and uses it.

I am unable to forward events due to this issue. Is there any way (maybe in the registry, GPO, idk) to specify which certificate to use for client authentication when you configure the Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Event Forwarding\Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager policy?


3 answers

  1. Limitless Technology 43,966 Reputation points
    2023-03-02T14:45:09.2933333+00:00

    Hello there,

    Source-initiated subscriptions allow you to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer.

    Any computer in a domain, local or remote, can be an event collector: https://learn.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription

    Hope this resolves your query!!

    --If the reply is helpful, please Upvote and Accept it as an answer--


  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  3. MORAND Xavier 0 Reputation points
    2023-03-07T13:41:11.98+00:00

    Hi,

    After testing on my side, I found some interesting results.

    When establishing the connection, the WEF will choose the certificate with the highest Thumbprint (if multiple ones are matching the requirements: right CA and Client Authentication, at least).

    So I kinda brute-force it by renewing a certificate with the same key and checking if the certificate has the highest thumbprint of all the certificates. And it worked systematically on all my machines.

    On some machines I had like 10 certificates and it took one or two minutes to generate.

    As I used a special certificate template, I recognised my good certificate with this template name.

    It uses the renew certificate function in the same domain. So it DOESN'T work for out-of-domain servers. But the solution of the highest thumbprint is still the same.

    Here is a sample of the ps1 script I made (not the best but it works at least):

    ## This script has to be run as Administrator on a WEF server (the event source)
    ## Initial configuration
    $templateName = 'YOUR_TEMPLATE_NAME'
    $maxRenewals  = 20   # safety cap so a failing certreq cannot make the loop run forever

    ## Find the certificate issued from template $templateName.
    ## The template name is read from the "Certificate Template Information" extension;
    ## here it works for the French and English versions of Windows, feel free to add yours.
    ## If several certificates match (e.g. the old one next to its renewal), keep the one
    ## with the highest thumbprint, which is the one the WEF would pick.
    function Get-TemplateCert {
        Get-ChildItem 'Cert:\LocalMachine\My' |
            Where-Object {
                $_.Extensions | Where-Object {
                    (($_.Oid.FriendlyName -eq 'Certificate Template Information') -or
                     ($_.Oid.FriendlyName -eq 'Informations du modèle de certificat')) -and
                    ($_.Format(0) -match $templateName)
                }
            } |
            Sort-Object Thumbprint -Descending |
            Select-Object -First 1
    }

    ## Highest thumbprint among all certificates of the store
    ## (plain string comparison on the uppercase hex thumbprints)
    function Get-MaxThumbprint {
        (Get-ChildItem 'Cert:\LocalMachine\My' | Sort-Object Thumbprint -Descending | Select-Object -First 1).Thumbprint
    }

    ## Initial case
    $cert = Get-TemplateCert
    if (-not $cert) { throw "No certificate from template '$templateName' found in Cert:\LocalMachine\My" }

    $is_max = $false
    if ($cert.Thumbprint -eq (Get-MaxThumbprint))
    {
        $is_max = $true
        Write-Host "## The certificate is valid to authenticate with the WEC"
    }
    else
    {
        Write-Host "## The certificate is NOT valid to authenticate with the WEC (another certificate has a higher thumbprint). Launching the generation of a new one."
        $attempt = 0
        while (-not $is_max -and $attempt -lt $maxRenewals)
        {
            $attempt++
            ## Renew in place, reusing the same key pair (domain-joined machines only)
            & certreq @('-Enroll', '-machine', '-q', '-cert', $cert.SerialNumber, 'Renew', 'ReuseKeys')
            $cert = Get-TemplateCert
            if ($cert.Thumbprint -eq (Get-MaxThumbprint))
            {
                $is_max = $true
                Write-Host "## The certificate is valid to authenticate with the WEC (after $attempt renewal(s))."
            }
        }
        if (-not $is_max) { throw "Gave up after $maxRenewals renewals: the template certificate still does not have the highest thumbprint" }
    }

    ## Here I launch a gpupdate to renew the subscription on my WEF
    Write-Host "## Lancement d'un gpupdate"
    gpupdate /force
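As an added example (not code from the thread, nor anything Microsoft documents), the following script covers both the diagnosis the question needs and the selection rule this answer describes. It inventories the Personal store of the machine, flags every certificate that lacks the Client Authentication EKU (the condition behind the Event ID 104 fault quoted in the question), then applies the rule reported above (highest thumbprint among certificates issued by the configured CA that carry that EKU and have a private key) to predict which certificate the forwarder will present, and warns when the highest thumbprint in the store belongs to a certificate WinRM cannot use. Assumptions: the function names are mine; the IssuerCA thumbprint is read from the `Server=...,Refresh=...,IssuerCA=...` string that the Subscription Manager GPO writes under `HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager`, and it is compared against the thumbprint of the certificate's issuing CA; pass `-IssuerCA` explicitly if your policy lives elsewhere. Run it from an elevated PowerShell on the event source.

```powershell
# Added example: predict which client certificate WEF will present and explain why.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# Thumbprint of the CA that issued $Cert, taken from the built chain.
# Revocation checking is off: we only want the issuer, not a validity verdict.
function Get-IssuerThumbprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Cert)
    if ($chain.ChainElements.Count -ge 2) { return $chain.ChainElements[1].Certificate.Thumbprint }
    return $null   # self-signed, or the issuer is not installed on this machine
}

# Read IssuerCA=<thumbprint> from the policy string the Subscription Manager GPO writes
# (assumed key and format, see lead-in). Returns $null when no policy is present.
function Get-PolicyIssuerCA {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $key)) { return $null }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'IssuerCA=([0-9A-Fa-f]{40})') {
            return $Matches[1].ToUpper()
        }
    }
    return $null
}

function Get-WefClientCertReport {
    param(
        [string] $IssuerCA  = (Get-PolicyIssuerCA),   # override to test another CA
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    # One row per certificate: everything needed to decide whether WinRM may use it.
    $rows = foreach ($c in Get-ChildItem $StorePath) {
        [pscustomobject]@{
            Thumbprint    = $c.Thumbprint
            Subject       = $c.Subject
            Issuer        = Get-IssuerThumbprint $c
            ClientAuthEku = [bool]($c.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
            HasPrivateKey = $c.HasPrivateKey
            NotAfter      = $c.NotAfter
        }
    }
    $rows | Sort-Object Thumbprint -Descending | Format-Table -AutoSize | Out-String | Write-Host

    # Certificates the forwarder can actually use: issuer match (when known),
    # Client Authentication EKU, a usable private key, and not expired.
    $usable = $rows | Where-Object {
        $_.ClientAuthEku -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        (-not $IssuerCA -or $_.Issuer -eq $IssuerCA)
    } | Sort-Object Thumbprint -Descending

    $predicted      = $usable | Select-Object -First 1
    $highestOverall = $rows | Sort-Object Thumbprint -Descending | Select-Object -First 1

    if (-not $predicted) {
        Write-Warning "No certificate in $StorePath satisfies issuer=$IssuerCA + Client Authentication EKU + private key."
    }
    elseif ($highestOverall.Thumbprint -ne $predicted.Thumbprint) {
        # The situation from the question: the highest thumbprint in the store belongs to a
        # certificate WinRM must not use, so the template certificate needs to sort first.
        $msg = "Highest thumbprint in the store ({0}) is not a usable client-auth certificate; " +
               "the usable one that sorts first is {1}. Renew it so that it gets the highest thumbprint." -f
               $highestOverall.Thumbprint, $predicted.Thumbprint
        Write-Warning $msg
    }
    else {
        Write-Host "WEF should present $($predicted.Thumbprint) ($($predicted.Subject))."
    }
    return $predicted
}

Get-WefClientCertReport
```

The table it prints makes the Event ID 104 case visible at a glance: any row with `ClientAuthEku = False` is a certificate that triggers that fault if the forwarder picks it. The returned object is the certificate you would expect to see in the collector's logs once the subscription is active, so comparing its thumbprint with what `winrm g winrm/config -a:certificate -certificate:<thumbprint>` accepted gives a quick consistency check.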