Browse by Tags: Kerberos
29 September 2008
Why! Won't! PAC! Validation! Turn! Off!
A while back I wrote a blog post regarding PAC (Privilege Attribute Certificate) validation in Microsoft Kerberos. We’ve had enough interest in this lately, particularly around the idea of disabling it, that it seemed like a good idea to post about this
09 May 2008
Trusted For Delegation in Services for User (S4U)
A while back I did a blog post regarding the user interface and settings for configuring a service account correctly to allow the more complex Kerberos delegation scenarios to take place. I recently had a customer issue I helped with that gave a good
21 January 2008
Dude, where's my PAC?
Something that is becoming more prevalent over the past few years has been great investments into our security technologies for application oriented reasons. Impersonation, people, that’s what I’m talking about. If anyone ever asks you what the big deal
17 December 2007
T2A4D (Coincidentally What I Would Name A Droid, If I Had One)
Not another post about Kerberos! Sorry folks, my Momma said ‘stick with what you’re good with’. And since playing Halo 3 is not a paying job I’m doing another blog post on Kerberos. I thought this would be a good one to post since how this works can save
02 November 2007
Server 2008 and Windows Vista: Encryption Better Together
A while back I did a blog post about some problems that were seen with people testing Windows Vista and then “rolling back” to Windows XP and some problems that could be seen when using the same computer object (also known as account) in AD. If you didn’t get a chance to read it here’s the post. What that scenario highlighted was the added level of encryption, by way of leaving behind a little of the supporting infrastructure in the msds-supported-encryptiontypes attribute value. In this post we’re going to talk about the Big Picture of the new authentication encryption available and a few things to keep in mind.
24 October 2007
Kerberos Constrained Delegation, FE and BE Servers Must Be In Same Domain
This has come up several times, and I suspect will continue to do so occasionally. So I thought I’d post about this real quick in order to get the word out and also make sure that I don’t give the wrong answer on this to someone again (I forgot, gave
08 October 2007
All The Logging In The World
There’s normal troubleshooting and then there’s the stuff you do when the basic troubleshooting doesn’t get things resolved. Normal troubleshooting can be things like selecting “last known good” on a reboot after installing a new driver and having a blue screen. Or perhaps uninstalling and then reinstalling an application, or altering settings for the application or operating system to alleviate a problem. Sometimes we have to dig in and find out more. Many admins out there in the world live that every day. Which is why we add methods to find out more into our products. This post is all about listing all of the data gathering methods that a Directory Services person may ever need to know. Since there are so many it will be difficult to organize well in one uber post but I’m going to put it out here for you all anyway, disorganized or not.
04 September 2007
How To Disallow NTLM Authentication on a Per Resource Basis
One of the most exciting and fulfilling things that I get out of my job is the opportunity to resolve unique customer concerns and scenarios. I’ve said this before in prior blog posts, but this one in particular, I think, will illustrate that. One of
24 May 2007
Vista Issue: Time Skew Error When Logging on Across a Trust
One of the cool things about this job is the way we get to trail blaze new issues as they happen and before any solution or workaround is in sight. We’re the pioneers in a way. This is one example. We’ve had a few customers recently mention that they
01 May 2007
A Reply: SPNs and Multiple NICs
I recently received a few questions from the blog. I usually ask if the person minds if I post the question and reply, and in this case the person said he didn’t mind. Special thanks to Matt Sinfield for his good question. Hopefully this will help everyone’s
12 April 2007
Unusual Kerberos Failure...User to User to What?
We get some really unique issues at times that strain patience and understanding. With Kerberos this is doubly true since it is already as complex and extensible as any person could ever ask for. This one may be particularly interesting to those who are
13 November 2006
Smartcard Logon Considerations, or How I Learned To Love Authentication with Smartcards
A few times in the past we’ve received calls from customers where they had some really interesting concerns with using smartcards for domain authentication. There’s some base knowledge to be had with respect to Kerberos. Just a quick mention - yes, when
13 October 2006
CeeKwuhl and Kurbyeros
The last few posts we talked about authentication, specifically Kerberos. Some of the most lengthy support incidents we can see are the ones where our Directory Services folks are contacted by our SQL support team to assist with authentication failures. So let’s talk about troubleshooting those types of issues. Now, for those out there that have looked on the web on this topic, you know that there is some good info out there. I will discuss some of that, add some more, and tie it together a bit to make troubleshooting these issues more linear and less confusing.
16 August 2006
Locked, Unlocked...Whatever, I Just Want Access
A while back we had a customer contact us that was seeing something with authentication that they were struggling with understanding. They had a lot of small, remote sites where it was impractical to have a local domain controller. So each site relied
07 August 2006
Many Headed Dog Equals Much Confusion
One of the more complex technologies that a Microsoft Directory Services specialist supports is Kerberos authentication. When Windows 2000 debuted this was something that was documented well in RFC and whitepaper, but perhaps not thoroughly understood