Tagged Content List
  • Blog Post: T2A4D (Coincidentally What I Would Name A Droid, If I Had One)

    Not another post about Kerberos! Sorry folks, my Momma said ‘stick with what you’re good with’. And since playing Halo 3 is not a paying job I’m doing another blog post on Kerberos. I thought this would be a good one to post since how this works can save people a lot of time, even though this is...
  • Blog Post: What Would Microsoft Support Do?

    To start the new year off right I have an article that is a must read if you are an IT administrator using Microsoft products. It’s in the January edition of Windows IT Pro magazine, in their “What Would Microsoft Support Do?” column. You can read it from this link. Happy New Year folks!
  • Blog Post: Many Headed Dog Equals Much Confusion

    One of the more complex technologies that a Microsoft Directory Services specialist supports is Kerberos authentication. When Windows 2000 debuted this was something that was documented well in RFC and whitepaper, but perhaps not thoroughly understood by most people who use our products. People...
  • Blog Post: Scary Sounding Errors

    We have a temporary role in CSS where support folks will help out in supporting prerelease (also known as beta) software. I’ve worked a couple of Windows betas, and it’s a great experience. I mention this since I remember a few years ago during the beta of a prior Windows release...
  • Blog Post: Dude, where's my PAC?

    Something that is becoming more prevalent over the past few years has been great investments into our security technologies for application oriented reasons. Impersonation, people, that’s what I’m talking about. If anyone ever asks you what the big deal with Kerberos authentication is you can sum it...
  • Blog Post: Downgrade "Attack"? A little more info

    I decided that we needed some more detail and to give a walk through scenario on this downgrade attack deal I mentioned a while back in a blog post. As a recap, a customer called in after noticing the events below appearing intermittently but repeatedly, and always in the sequence of one after the other...
  • Blog Post: Locked, Unlocked...Whatever, I Just Want Access

    A while back we had a customer contact us that was seeing something with authentication that they were struggling with understanding. They had a lot of small, remote sites where it was impractical to have a local domain controller. So each site relied on WAN network connectivity to receive domain...
  • Blog Post: Unusual Kerberos Failure...User to User to What?

    We get some really unique issues at times that strain patience and understanding. With Kerberos this is doubly true since it is already as complex and extensible as any person could ever ask for. This one may be particularly interesting to those who are creating new solutions using our Kerberos implementation...
  • Blog Post: CeeKwuhl and Kurbyeros

    It's been a while! Sorry for the delay since the last post. It has been a hectic few weeks. I've been temporarily assigned as a beta support person, which means that I have been working on Windows Vista and Longhorn Server, assisting with filed (and filing) bugs for seen behavior and design change requests...
  • Blog Post: Kerberos Constrained Delegation, FE and BE Servers Must Be In Same Domain

    This has come up several times, and I suspect will continue to do so occasionally. So I thought I’d post about this real quick in order to get the word out and also make sure that I don’t give the wrong answer on this to someone again (I forgot, gave the wrong answer to someone and feel a little guilty...
  • Blog Post: Vista Issue: Time Skew Error When Logging on Across a Trust

    One of the cool things about this job is the way we get to trail blaze new issues as they happen and before any solution or workaround is in sight. We’re the pioneers in a way. This is one example. We’ve had a few customers recently mention that they had seen an odd behavior from their Vista clients...
  • Blog Post: Why! Won't! PAC! Validation! Turn! Off!

    A while back I wrote a blog post regarding PAC (Privilege Attribute Certificate) validation in Microsoft Kerberos. We’ve had enough interest in this lately, particularly around the idea of disabling it, that it seemed like a good idea to post about this again and add some more detail. The reason for...
  • Blog Post: When Smartcard Logon Doesn't

    Authentication is entering every facet of our lives nowadays. It is common to have multiple passwords: passwords for work, home email, and Internet websites to name a few. It’s easy to have a lot of different passwords, and equally easy to use only one and risk a widespread identity breach. Passwords...
  • Blog Post: What Would Microsoft Support Do on Kerberos Delegation?

    Hi folks! If you have to set up or administer any Kerberos authentication in your environment then I have an article that is a must read for you. It's in the May edition of Windows IT Pro magazine, in their "What Would Microsoft Support Do?" column. You can read it here. Enjoy!
  • Blog Post: Server 2008 and Windows Vista: Encryption Better Together

    A while back I did a blog post about some problems that were seen with people testing Windows Vista and then “rolling back” to Windows XP and some problems that could be seen when using the same computer object (also known as account) in AD. If you didn’t get a chance to read it here’s the post. ...
  • Blog Post: How Windows Communication Works

    If you are working in a support or engineering role with Microsoft platform products like the various Windows versions, one of the biggest struggles you can have is understanding what to expect in code and on the network when Windows computers communicate to each other and other platforms. Documentation...
  • Blog Post: A Reply: SPNs and Multiple NICs

    I recently received a few questions from the blog. I usually ask if the person minds if I post the question and reply, and in this case the person said he didn’t mind. Special thanks to Matt Sinfield for his good question. Hopefully this will help everyone’s understanding of this. Here it is: ...
  • Blog Post: All The Logging In The World

    There’s normal troubleshooting and then there’s the stuff you do when the basic troubleshooting doesn’t get things resolved. Normal troubleshooting can be things like selecting “last known good” on a reboot after installing a new driver and having a blue screen. Or perhaps uninstalling and then reinstalling...
  • Blog Post: Smartcard Logon Considerations, or How I Learned To Love Authentication with Smartcards

    A few times in the past we’ve received calls from customers where they had some really interesting concerns with using smartcards for domain authentication. There’s some base knowledge to be had with respect to Kerberos. Just a quick mention: yes, when you talk about Microsoft Windows and the Kerberos...
  • Blog Post: How To Disallow NTLM Authentication on a Per Resource Basis

    One of the most exciting and fulfilling things that I get out of my job is the opportunity to resolve unique customer concerns and scenarios. I’ve said this before in prior blog posts, but this one in particular, I think, will illustrate that. One of my colleagues was working an issue where his...
  • Blog Post: Trusted For Delegation in Services for User (S4U)

    A while back I did a blog post regarding the user interface and settings for configuring a service account correctly to allow the more complex Kerberos delegation scenarios to take place. I recently had a customer issue I helped with that gave a good clear symptom as an example of when things are...
  • Blog Post: Tabula Rasa

    I was well and truly stumped a few months ago. I joke that once a year I am flat out wrong, and rarely do I have nothing to say on a subject. The 'once a year I may be flat out wrong' statement may be true simply because after 15 years in the IT industry I’ve learned to avoid letting broad definitive...