Active Directory Blog : Security

Testing a Credential Provider

Tim Springston — Sat, 11 Jul 2009 00:43:36 GMT

Weeks ago I blogged about how single sign on and credential providers work and a scenario you can run into with them. One reader faced a slightly different scenario but was able to apply that topic toward getting his issue resolved. He had installed a...(read more)

Important Security Bulletin

Tim Springston — Tue, 09 Jun 2009 23:21:00 GMT

I wanted to do a quick post on an important security bulletin. It’s Microsoft Security Bulletin MS09-018 – Critical . This security update is to address a vulnerability in Active Directory. I’m pasting the Executive Summary below, but I highly recommend...(read more)

Thoughts on Single Sign On and Credential Providers

Tim Springston — Tue, 26 May 2009 19:35:26 GMT

We use the term single sign on (SSO) to describe a variety of behaviors in Windows and other applications where the result is simply to prevent the user from being prompted to provide their credentials again and again; to ideally enter their credentials...(read more)

When Smartcard Logon Doesn't

Tim Springston — Mon, 06 Apr 2009 17:48:00 GMT

Authentication is entering every facet of our lives nowadays. It is common to have multiple passwords: passwords for work, home email, and Internet websites to name a few. It’s easy to have a lot of different passwords, and equally easy to use only one...(read more)

Downgrade "Attack"? A little more info

Tim Springston — Fri, 20 Mar 2009 18:56:00 GMT

I decided that we needed some more detail and to give a walk through scenario on this downgrade attack deal I mentioned a while back in a blog post . As a recap, a customer called in after noticing the events below appearing intermittently but repeatedly-and...(read more)

Tabula Rasa

Tim Springston — Wed, 14 Jan 2009 17:15:00 GMT

I was well and truly stumped a few months ago. I joke that once a year I am flat out wrong, and rarely do I have nothing to say on a subject. The 'once a year I may be flat out wrong' statement may be true simply because after 15 years in the IT industry...(read more)

Scary Sounding Errors

Tim Springston — Fri, 12 Dec 2008 18:44:48 GMT

We have a temporary role in CSS where support folks will help out in supporting prerelease (also known as beta) software. I’ve worked a couple of Windows betas, and it’s a great experience. I mention this since I remember a few...(read more)

Rumpo Venatus

Tim Springston — Fri, 31 Oct 2008 19:07:45 GMT

The five or six people who have read my little bio snippet on Technet read that I like to play video games-specifically Xbox 360 games. I was doing just that the other night-playing Fallout 3-when my wife walked into the study to ask for help with all...(read more)

Why! Won't! PAC! Validation! Turn! Off!

Tim Springston — Mon, 29 Sep 2008 16:00:00 GMT

A while back I wrote a blog post regarding PAC (Privilege Attribute Certificate) validation in Microsoft Kerberos. We’ve had enough interest in this lately, particularly around the idea of disabling it, that it seemed like a good idea to post about this...(read more)

2008 Web Enrollment and Version 3 Templates

Tim Springston — Tue, 01 Jul 2008 00:00:00 GMT

Certificate Services in Server 2008 has had a lot of changes and enhancements. Some are obvious and documented well, and others are not obvious and not so well documented. Case in point is an additional aspect of Server 2008 certificate web enrollment....(read more)

Trusted For Delegation in Services for User (S4U)

Tim Springston — Fri, 09 May 2008 19:20:00 GMT

A while back I did a blog post regarding the user interface and settings for configuring a service account correctly to allow the more complex Kerberos delegation scenarios to take place. I recently had a customer issue I helped with that gave a good...(read more)

ADMT and Server 2008

Tim Springston — Mon, 10 Mar 2008 17:09:00 GMT

Whenever we release a new product or suite of products we at Microsoft want to ease the adoption of it. For that reason we’ve released tools and scripts over the years to help our customers out. We’ve typically given these as free downloads from the internet,...(read more)

Question about AD authentication, Put In Context

Tim Springston — Fri, 07 Mar 2008 17:34:00 GMT

Occasionally I am contacted with specific questions or topics people would like to hear more about. This post is a reply to one of those. Here’s the question: My question is what are the impact when I change the logon workstation property of a user account...(read more)

What's in a name?

Tim Springston — Wed, 27 Feb 2008 18:09:00 GMT

Have you ever heard the Shakespeare paraphrased saying “a rose by any other name is still a rose?”. Well, the same holds true for objects in AD. Not that we have “rose” class objects, but the point being that simply renaming an object doesn’t really fundamentally...(read more)

The FEK, AES and FIPs: Acronym Heaven!

Tim Springston — Mon, 04 Feb 2008 19:14:00 GMT

I’ve had several blog posts about the improved security in Windows Vista and Server 2008, particularly around cryptography. Here’s one more, albeit a short one. This post is about how, generally, Encrypted File System (EFS) works using Advanced Encryption...(read more)