Browse by Tags

29 September 2008
Why! Won't! PAC! Validation! Turn! Off!
A while back I wrote a blog post regarding PAC (Privilege Attribute Certificate) validation in Microsoft Kerberos. We’ve had enough interest in this lately, particularly around the idea of disabling it, that it seemed like a good idea to post about this Read More...
09 May 2008
Trusted For Delegation in Services for User (S4U)
A while back I did a blog post regarding the user interface and settings for configuring a service account correctly to allow the more complex Kerberos delegation scenarios to take place. I recently had a customer issue I helped with that gave a good Read More...
21 January 2008
Dude, where's my PAC?
Something that is becoming more prevalent over the past few years has been great investments into our security technologies for application oriented reasons. Impersonation, people, that’s what I’m talking about. If anyone ever asks you what the big deal Read More...
17 December 2007
T2A4D (Coincidentally What I Would Name A Droid, If I Had One)
Not another post about Kerberos! Sorry folks, my Momma said ‘stick with what you’re good with’. And since playing Halo 3 is not a paying job I’m doing another blog post on Kerberos. I thought this would be a good one to post since how this works can save Read More...
02 November 2007
Server 2008 and Windows Vista: Encryption Better Together
A while back I did a blog post about some problems that were seen with people testing Windows Vista and then “rolling back” to Windows XP and some problems that could be seen when using the same computer object (also known as account) in AD. If you didn’t get a chance to read it here’s the post. What that scenario highlighted was the added level of encryption, by way of leaving behind a little of the supporting infrastructure in the msds-supported-encryptiontypes attribute value. In this post we’re going to talk about the Big Picture of the new authentication encryption available and a few things to keep in mind. Read More...
24 October 2007
Kerberos Constrained Delegation, FE and BE Servers Must Be In Same Domain
This has come up several times, and I suspect will continue to do so occasionally. So I thought I’d post about this real quick in order to get the word out and also make sure that I don’t give the wrong answer on this to someone again (I forgot, gave Read More...
08 October 2007
All The Logging In The World
There’s normal troubleshooting and then there’s the stuff you do when the basic troubleshooting doesn’t get things resolved. Normal troubleshooting can be things like selecting “last known good” on a reboot after installing a new driver and having a blue screen. Or perhaps uninstalling and then reinstalling an application, or altering settings for the application or operating system to alleviate a problem. Sometimes we have to dig in and find out more. Many admins out there in the world live that every day. Which is why we add methods to find out more into our products. This post is all about listing all of the data gathering methods that a Directory Services person may ever need to know. Since there are so many it will be difficult to organize well in one uber post but I’m going to put it out here for you all anyway, disorganized or not. Read More...
04 September 2007
How To Disallow NTLM Authentication on a Per Resource Basis
One of the most exciting and fulfilling things that I get out of my job is the opportunity to resolve unique customer concerns and scenarios. I’ve said this before in prior blog posts, but this one in particular, I think, will illustrate that. One of Read More...
24 May 2007
Vista Issue: Time Skew Error When Logging on Across a Trust
One of the cool things about this job is the way we get to trail blaze new issues as they happen and before any solution or workaround is in sight. We’re the pioneers in a way. This is one example. We’ve had a few customers recently mention that they Read More...
01 May 2007
A Reply: SPNs and Multiple NICs
I recently received a few questions from the blog. I usually ask if the person minds if I post the question and reply, and in this case the person said he didn’t mind. Special thanks to Matt Sinfield for his good question. Hopefully this will help everyone’s Read More...
12 April 2007
Unusual Kerberos Failure...User to User to What?
We get some really unique issues at times that strain patience and understanding. With Kerberos this is doubly true since it is already as complex and extensible as any person could ever ask for. This one may be particularly interesting to those who are Read More...
13 November 2006
Smartcard Logon Considerations, or How I Learned To Love Authentication with Smartcards
A few times in the past we’ve received calls from customers where they had some really interesting concerns with using smartcards for domain authentication. There’s some base knowledge to be had with respect to Kerberos. Just a quick mention-yes, when Read More...
13 October 2006
CeeKwuhl and Kurbyeros
The last few posts we talked about authentication, specifically Kerberos. Some of the most lengthy support incidents we can see are the ones where our Directory Services folks are contacted by our SQL support team to assist with authentication failures. So let’s talk about troubleshooting those types of issues. Now, for those out there that have looked on the web on this topic, you know that there is some good info out there. I will discuss some of that, add some more, and tie it together a bit to make troubleshooting these issues more linear and less confusing. Read More...
16 August 2006
Locked, Unlocked...Whatever, I Just Want Access
A while back we had a customer contact us that was seeing something with authentication that they were struggling with understanding. They had a lot of small, remote sites where it was impractical to have a local domain controller. So each site relied Read More...
07 August 2006
Many Headed Dog Equals Much Confusion
One of the more complex technologies that a Microsoft Directory Services specialist supports is Kerberos authentication. When Windows 2000 debuted this was something that was documented well in RFC and whitepaper, but perhaps not thoroughly understood Read More...